moved that bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), be read the second time and referred to a committee.
Mr. Speaker, it is with deep conviction that I initiate the first hour of debate on my Bill C-475, the purpose of which is to bring the Personal Information Protection and Electronic Documents Act into the digital age.
I would like to begin by reading from a statement by the Privacy Commissioner, Jennifer Stoddart, released this morning:
“PIPEDA is not up to the task of meeting the challenges of today--and certainly not those of tomorrow”.
It is therefore no surprise that she should have said this, because this legislation has not been updated since the arrival of the first-generation iPod. Matters evolve very quickly in the digital age, and the law is no longer relevant.
Millions of Canadians have never known a world without smart devices. It is an eternity in a modern society undergoing constant change, as ours is.
The Internet is central to our lives, because we use it daily. It is not surprising, therefore, to learn that Quebeckers and Canadians will spend about 45 hours a week online in 2013, that over 70% of Canadians use the Internet daily, and that our fellow citizens have more than 18 million Facebook accounts.
Canada as a country is firmly plugged in. For a few years now, laptops and devices like tablets have been used both recreationally and as working tools. They occupy an increasingly crucial place in our lives. We are moving more and more towards digital management of our lives. This major change means that new rules must be put in place and that they must reflect the new risks associated with these developments in the digital world.
Since the beginning of this year alone, we have witnessed serious losses of data, including data on 52,000 Canadian investors in February and more than 50 million clients of LivingSocial in April.
The Privacy Commissioner of Canada recently stated that breaches of personal data have been steadily increasing in recent years. In that connection, a study by Telus and the Rotman School of Management at the University of Toronto, published in 2011, showed that each public company experienced an average of 18 data breaches a year.
Unfortunately, the current legislation designed to protect Canadians’ privacy has not been updated to address these risks and put appropriate measures in place to protect society. The current legislation does not provide for Canadians to be notified of a breach of their personal information. Organizations are not in fact required to notify them, regardless of the seriousness of the breach. This means that our fellow citizens cannot take appropriate action to protect their identity or their credit in order to reduce any harm they might suffer.
I am referring in particular to our passwords, social insurance numbers, personal emails or even the bank account numbers needed to make online purchases. The sharing of personal information with third parties, without consent, is a major problem in Canada.
In September 2011, the Privacy Commissioner noted that a quarter of the most-visited websites in Canada do not comply with Canadian law; they disclose our data without our consent. This bothers me a great deal, particularly when I think of children, the elderly and people who have not had the good fortune to learn how the Internet works and what the risks are. What is much worse is that companies that decide to do this do not currently suffer any consequences.
For more than 10 years, Canadians have been waiting for a better regulatory framework. They are rightly expecting results along those lines, and it is in that spirit that I decided to introduce Bill C-475. The bill proposes two simple and effective mechanisms to improve protection of Canadians’ personal information.
First, it requires that the commissioner be notified by any organization having personal information under its control when there is a possible risk of harm to users.
Experts in the commissioner’s office will assess the seriousness of the situation against a criterion for harm that sets a high standard. They will also recommend whether or not the organization should notify the users affected.
This mechanism allows for an objective analysis of the risk and better management of the risk through an expectation of a high level of security, rather than a subjective analysis based on the interests of the organization, which may differ from the interests of users.
The process will restore to Canadians the power to take steps to protect themselves much more quickly, in addition to reducing the harm done to them.
The second mechanism provided for in Bill C-475 is based on the Alberta model. It is designed to give the Privacy Commissioner order-making power when an organization fails to obey the law. The Federal Court would have legislated authority to penalize organizations that fail to carry out an order issued by the commissioner.
These mechanisms are straightforward and clarify the commissioner’s powers. In short, the Office of the Commissioner will now have the power to enforce the law, which unfortunately is not now the case.
By providing better oversight of organizations and the use of personal information to which they have access, Bill C-475 gives Canadians an assurance of acceptable risk management and the right to protection of their information. This bill was drafted to address the concerns of Canadians, people in the digital industry, civil liberties organizations, Internet experts and specialists in the protection of privacy.
I had the opportunity to hear a great deal of evidence from experts during a study the Standing Committee on Access to Information, Privacy and Ethics conducted on social media and privacy from May to December 2012.
Bill C-475 is a direct response to requests from the community to adapt the law to suit our digital age by providing some flexibility for people in the industry and clarifying the ombudsman’s role of the Office of the Commissioner.
Moreover, during many consultations specifically discussing the bill, the same conclusions emerged. The bill therefore takes a very balanced approach. It is balanced with regard to Canadians, since objective risk analysis will ensure that they are not bombarded with notifications of data breaches that do not affect them at all or present a minimal risk. The bill is also balanced with regard to companies, since clear roles and processes enable them to plan their policies and response.
It will be clear for organizations that they are required to report a breach to the Office of the Commissioner, but they will not be responsible for deciding what the ultimate risk is. Companies that are law-abiding will no longer have to compete with companies that are not.
Lastly, the bill makes it possible to bring our privacy protection legislation up to the same level as countries like Germany, Great Britain, Australia and France, or indeed to the level of provinces such as Quebec and Alberta.
As a world leader in technology, Canada should be adopting international standards.
Bill C-475 offers a different vision from that proposed by my colleagues opposite, who in 2007 introduced Bill C-12, which is no longer supported by the Privacy Commissioner. They will probably tell me they have already introduced a bill to modernize the Privacy Act, but I would like to remind them that it dates from 2007 and is absolutely not representative of our day and age, particularly when you consider that technology changes extremely quickly.
Bill C-12 was introduced in the House, but there has been no debate for six years, and its content has therefore become outdated. It certainly no longer represents a serious attempt by the government to modernize the legislation in order to better protect the public. Moreover, a problem with the mechanisms proposed in Bill C-12 to deal with a breach shows that it is completely inadequate.
The risk threshold for notifying the Office of the Commissioner is very low and subjective. This poses two major problems. The first is that because the threshold is low, users and the Office of the Commissioner will be notified less often in the event of a breach.
Organizations could avoid notifying those concerned, which poses a major problem with regard to their security. Nor will they have the power to protect themselves and reduce the potential harm to which they are exposed.
The second problem is that experts testifying before the Standing Committee on Access to Information, Privacy and Ethics explained the need to obtain better data in order to gain a better understanding of the cybersecurity risks Canadians face every day. A low, subjective threshold reduces the data to which they will have access, which makes them less able to advise the government and companies on the risks associated with their practices.
My bill establishes an objective threshold, and the Office of the Privacy Commissioner will be mandated to assess the risk associated with a breach. The interests of Canadians, which we in this House have the responsibility to protect, will be paramount.
Quebeckers and Canadians support the measures and principles in my bill. In April the Office of the Privacy Commissioner published a cross-Canada survey showing that 97% of Canadians would want to be notified by an organization if their personal information was compromised. Note that this is the overwhelming majority. In addition, 80% of respondents would also grant more powers to the Office of the Privacy Commissioner. Again, a large majority of Canadians supported these measures.
My bill has garnered support from all classes of stakeholders affected by these changes, including industry representatives, civil liberties organizations, consumer protection agencies and academics specializing in law, communications, cybercrime and political science. I could go on, but there are too many to name them all.
The Union des consommateurs has stated that:
[it] believes that the implementation of the principles proposed by the NDP, through their private member’s bill amending the Personal Information Protection and Electronic Documents Act, constitutes a real advancement to better protect the privacy of consumers.
Michael Geist, chair of Internet and e-commerce law at the University of Ottawa and renowned public affairs pundit, has said about my bill that:
Bill C-475 is a far better proposal.... Those provisions would do far to ensure a greater respect for Canadian privacy law and give Canadians the assurance of notifications in the event of security breaches.
Steve Anderson, executive director at OpenMedia.ca, stated that:
We welcome...[this] online privacy bill because we think it's a tool that can later be applied to protect our privacy against reckless warrantless access to our private information by government authorities. This bill is a useful stepping stone to safeguard our privacy.
Canadians trust us to act in their best interests. They clearly want us to give them better protection. By voting for Bill C-475, my hon. colleagues will be giving them the reassurance of stronger support for their rights and the power to protect their privacy.
