Ed Holder

Mr. Speaker, I would ask you to let me know when I am down to my last 19 seconds, since my time seems to be eaten away by the moment.

Today had to be one of the most bizarre days I have seen in the House of Commons. I say this because, as all members of this House who know me relatively well know, when I make comments, I speak from my heart and I speak with passionate conviction about doing the right thing.

Today we did not have an opportunity to give our statements in the House because of what I would respectfully call “nonsense”. We had slow votes on the other side, and somehow that was going to progress and would give us an opportunity to have more democracy in this House.

I would suggest that was one of the most embarrassing things I have witnessed. I think colleagues around this whole House must have been embarrassed, including some of the members who participated, because we did not have an opportunity, with all of these slow votes, to give our statements in the House.

We did not get unanimous consent, and I did not get the opportunity today to honour a great Londoner, a 93-year-young veteran who was, in 1948, a member of the Canadian Olympic hockey team. His name is Andy Gilpin.

These last few seconds give me the chance to at least mention his name and to suggest that all members of the House, if we have any respect for what we are trying to do as members of Parliament, stop this nonsense and not embarrass ourselves in this House. I would ask all of our colleagues to be respectful parliamentarians.

Mr. Speaker, I have had many occasions in my years in Parliament to speak in this House, but never at such an auspicious time. Oh my gosh, when I hear that Nelson Mandela just passed away, I want to share a personal experience, if I might.

My family used in live in South Africa, and much of it still does. They are white South Africans, and they lived there through Nelson Mandela's rise to power. He could have been many things, but he was a great humanitarian. He was forgiving when many might not have been. He was compassionate and understanding when others might not have been. As I make my other comments, they almost seem subdued compared to the very real experience of Nelson Mandela's impact on the world. Others will say things more articulately than I, but I will say that if the world could be measured by the quality of what Nelson Mandela brought to humanity, this would be a much better world.

I will speak now to Bill C-475 and its impact on organizations and the public. Of course, I am referring to Canada's private sector privacy law, the Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA, which the bill looks to amend.

PIPEDA was developed with an important objective in mind, and that is balance. The act is designed to balance an individual's right to privacy with an organization's need to collect, use, or disclose personal information for legitimate business purposes.

I was president of a large company in London, Ontario, when PIPEDA was first introduced. For those who do not know, that is the tenth-largest city in Canada. I would say we invested considerable funds, as did corporations across Canada, to ensure compliance and to do the right thing, because a corporation must be measured in terms of being honourable and doing the right thing. The costs associated with PIPEDA then and now are very real and ongoing, but in a corporation's business it is important to comply, for the sake of the public, which is what we are talking about in terms of this legislation today.

When PIPEDA was first introduced, the government stated that in order for Canada to become a leader in the knowledge-based economy and in electronic commerce, consumers and businesses had to be comfortable with new technologies and the impact that these technologies would have on their lives. I believe that policy objective still stands. However, in order to maintain that important balance in PIPEDA, we must consider the burden imposed by the proposed requirements of this act and always weigh that burden against the corresponding benefit to society.

We all agree that requiring organizations to report certain data breaches is necessary. Data breaches can pose a serious threat to the protection of our personal information and to the security of organizations and individuals. Reporting certain data breaches publicly would allow individuals to protect themselves, and it would also encourage better data security practices by organizations. That is laudable, yet it must said that there are ways to achieve these goals without creating an undue burden on organizations and the Privacy Commissioner.

Data breach notification has the potential to be cost-prohibitive while not providing the kind of information the public requires. For example, in the United States, where this process is tracked closely, the average cost to an organization of a single notification is estimated at $188 per record, and when this figure is multiplied by the number of those potentially affected, any data breach notification could result in substantial cost to companies that must deal with that breach. Based on this data, the total average cost of a data breach to an organization is approximately $5.4 million.

As most states have mandatory reporting of data breaches, there are hundreds of breaches reported every year. According to the Privacy Rights Clearinghouse, an organization that tracks this, there were 592 breaches reported by the private sector in the United States last year. These incidents involved the information of more than 11 million individuals. That number is extraordinary. As organizations south of the border are required to notify so often, notification fatigue among the public can be a serious result.

When notification processes become simply a matter of sending out a form letter to individuals, there is always a deep concern that these letters become increasingly perceived by recipients as junk mail. We have learned from the experience of other jurisdictions. That is why this government believes the best approach to notification is one based on risk, where notification should be required only for those breaches that represent the potential for significant harm to individuals. In this way, consumers would only receive notifications when necessary and would accord them the attention they deserve, instead of seeing these messages as unwanted spam. What we are talking about here is modernization, not overhaul, as proposed Bill C-475 suggests.

The Privacy Commissioner has been a strong advocate for data breach notification. I would like to point out, however, that even she has not asked to be informed of all breaches, nor has she asked for the responsibility to determine the need for notification of when there is a breach. In fact, in her paper on the reform of PIPEDA published earlier this year, the commissioner proposed that organizations be required to report breaches “where warranted”. This suggests that the commissioner understands the burden of overnotification and supports an approach that would minimize that burden. That is modernization, not overhaul.

Unfortunately, this is not the approach taken in Bill C-475. The bill would require organizations to report to the Privacy Commissioner every data breach posing a possible risk of harm. The average organization is risk-averse, and will err on the side of caution. I know that from my own business experience. As a result, it is likely that all breaches would be reported under these circumstances, undoubtedly resulting in notification fatigue among consumers. Under Bill C-475, the commissioner would have to assess each incident reported to her and determine whether it poses an appreciable risk of harm, warranting notification to individuals. This would impose a financial and administrative burden on the commissioner's office and would likely limit its ability to deal with other complaints under the act.

In the province of Alberta, where the data breach reporting has been in place for two years, the office of the Alberta privacy commissioner has estimated that the average time to process a reported breach and determine whether notification is required is 76 days. In the case of more complex data breaches, this could be much longer. This indicates that the risk assessment process is complex, difficult, and ultimately costly.

My colleague, the hon. member for Terrebonne—Blainville, has provided us with much to consider, including some statistics on data breach incidencts. According to my hon. friend, there are 18 privacy breaches every year for every publicly traded company in Canada. We know there are over 3,000 companies traded on the Canadian-based stock exchanges. That would amount to a minimum of 54,000 data breach incidents every year. Given the number of days to assess a single data breach incident, it does not serve the public interest to process each of these 50,000 incidents each year.

Let us remember that the intent is to provide Canadians with timely information about a breach of their personal information so that they can take steps to avoid fraud, identity theft, and misuse of their personal information. I sense the intent of my colleague opposite, but it is not clear to me that my hon. friend has fully considered the administrative and resource implications of dumping this requirement on the Privacy Commissioner's office, and whether it is in the public interest of Canadians to receive so many notifications.

The government is committed to an approach that would require the organization experiencing a breach to conduct the risk assessment based on the sensitivity of the data and the probability that they have been or will be misused. The organization is in the best position to quickly assess the circumstances surrounding a breach of its security safeguards and to determine the risks involved. The government believes that organizations should notify the commissioner and affected individuals of certain breaches, those posing a real risk of significant harm. This allows the commissioner to retain oversight of how organizations are handling the process of risk assessment and notifications to individuals. The commissioner would have the option of initiating an investigation if it were believed that notification did not occur when it was required.

In closing, with appropriate oversight and guidance by the Privacy Commissioner of Canada, the responsibility for determining risk and the need for the notification of individuals should ultimately rest with the organization. I hope I have clarified for members the benefits of a more balanced approach to data breach notification. Again, it is modernization, not overhaul.

I hope colleagues will agree that the approach taken by Bill C-475 would impose unnecessary costs and has the real risk to potentially undermine the primary objective for data breach notification, which is that of providing timely information to individuals when there is truly a risk of harm.

Mr. Speaker, one of the privileges we get as members of Parliament is to stand in this House and pay tribute to amazing Canadians. Today I honour Senator Donald Oliver, representing the great province of Nova Scotia, who is retiring from the Canadian Senate. He served our country with singular distinction, and I am proud to consider him a friend.

Senator Oliver, a barrister, professor, entrepreneur, statesman, and advocate, has served the people of Canada with honour for more than 40 years. Since his elevation to the upper chamber in 1990, Don Oliver has chaired several key committees in the Senate and has served as Speaker pro tempore.

Senator Oliver is an accomplished businessperson and an expert on corporate governance. Yet for all of these achievements, we are most proud of Senator Oliver for his work in advancing equal opportunities for black Canadians and other visible minorities in our country. Early in his career, he was instrumental in bringing about provincial legislation to end racial discrimination in Nova Scotia. What an outstanding legacy.

Today we thank him for what he has done for all Canadians. We also thank his partner, Linda. We know Don could not serve in his role without her equal commitment. We thank Don Oliver for what he means to Canada. His wise counsel will be greatly missed.

Mr. Speaker, I stand today to recognize the outstanding work of London's own Let's Talk Science, a national science education outreach organization, and Amgen Canada, a leading biotechnology company. I commend them on the recent release of their report, “Spotlight on Science Learning: The High Cost of Dropping Science and Math”.

Science technology and innovation are critically important to Canada's economic well-being. This report underscores the significant economic impact to Canada when students choose not to pursue science and math.

Let me say as strongly as I can that I encourage Canada's students to embrace science and math. It will serve them in so many ways that they may not currently appreciate.

I invite all members of the House to join me this afternoon at 5:30 p.m. in room 256-S in the Centre Block to learn more about the work of Let's Talk Science and Amgen. Let us congratulate them for the significant work they are doing to shine a spotlight on the importance of science and learning by our young people.

Mr. Speaker, pursuant to Standing Order 34(1), I have the honour to present, in both official languages, the report of the Canada-United Kingdom Inter-Parliamentary Association, respecting its participation in the bilateral visit to Scotland and London, United Kingdom.

Mr. Speaker, as the member of Parliament for London West, I was terribly saddened to hear of the tragic events surrounding the Walji family. It was a shock to our whole community.

Some media reports and even opposition politicians have implied that the immigration system has somehow failed the Walji family.

Would the Minister of Citizenship and Immigration please advise the House on what measures were taken to help the Walji family?

Mr. Speaker, Sir Frederick Banting has been recognized as a great humanitarian, a Nobel Prize winner, a gifted artist, the discoverer of the formula for insulin, and if I may say with huge pride, a great Londoner.

It was on October 31, 1920 that Frederick Banting woke up in his home in London, Ontario, and wrote out the formula for insulin, which has given hope and quality of life to millions of people around the world. On November 9, we celebrate world Banting day to mark the discovery by this amazing man.

It is also appropriate during Veterans' Week that we honour Sir Frederick Banting the soldier. I was personally privileged, along with my dear friend Darrel Skidmore and Banting House museum curator Grant Maltman, to raise $80,000 in a matter of days to patriate Banting's Memorial Cross from public auction. This is a medal his family received when he died in the service of our country. I am proud that it is now properly displayed in Banting House in London, Ontario.

I would ask that colleagues join me in honouring a great Canadian and humanitarian who gave so much in the service of mankind, Sir Frederick Banting. Lest we forget.

Mr. Speaker, our government is properly focused on the priorities of Canadians: creating new jobs and new opportunities. That is why we continue to open new markets for Canadian exporters around the world.

Just this morning, as a member of the Standing Committee on International Trade, I was honoured to witness the Canada-Honduras free trade agreement signing. With this agreement, Canadian exporters, service providers, and investors will benefit from enhanced market access, which will create new sources of prosperity for businesses in London, Canadian businesses of all sizes, and all their workers.

Can the Minister of International Trade please update the House on this very important agreement?

Mr. Speaker, I was very touched by the comments of the member for Mississauga South when she talked in terms of growing up in a family business and what that meant to her.

It made me think about the opportunities I had, not so much in a family business. My dad was a pretty poor truck driver from Holderville, New Brunswick, and my mum was from Cape Breton. Our family was born out there, so we never had quite the same opportunities, not that opportunities are not there on the east coast, but my parents moved to Upper Canada and some things happened from there, so we have carried on in this family business tradition.

Appreciating the importance of family business, and I am thinking of how small business can survive, what does the member feel this budget would do to help small businesses to grow, because those folks are the real job creators in this country?