Mr. Speaker, I am pleased to rise to speak to Bill S-4, the digital privacy act, which has been referred back to the House by the Standing Committee on Industry, Science and Technology.
Last year, our government launched digital Canada 150, an ambitious plan for Canadians to take full advantage of the opportunities of the digital age. It is a broad-based, ambitious plan to take full advantage of the digital economy as we celebrate our 150th anniversary in 2017. It is the next step to build our nation and connect Canadians to each other.
As the digital economy grows, individual Canadians must have confidence that their personal information is being protected. That is why, under digital Canada 150, one of the five pillars is known as “protecting Canadians”. The digital privacy act would provide important and long-awaited updates to our private sector privacy law, the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA.
PIPEDA provides a legal framework for how personal information must be handled in the context of commercial activities, while also setting guidelines for the collection, use, and disclosure of personal information. These rules are based on a set of principles developed jointly by government, industry groups, and consumer representatives.
The digital privacy act would strengthen marketplace rules set out by PIPEDA in important ways. In addition to protecting and empowering consumers, amendments would clarify rules for businesses and reduce red tape. These guidelines would also ensure that vital information is available to Canadian businesses, so they have the necessary tools to thrive in the global digital economy.
Balancing the individual expectations for privacy and the needs of businesses to access and use personal information in their day-to-day operations is important, and Bill S-4 gets it right. It would ensure individuals that, no matter the transaction, their personal information would continue to be protected under Canadian law.
The need to update rules for online privacy continues to grow. Breaches of personal information held by retail giants like Target and Home Depot, where the credit card information of millions of Canadians was stolen, underscore the need to strengthen PIPEDA with mandatory breach requirements.
The bill before us would do exactly this by establishing new requirements for organizations to inform Canadians when their personal information has been lost or stolen and there is a risk of harm. The privacy commissioner must also be notified. An organization that deliberately covers up a data breach, or intentionally fails to notify individuals and report to the commissioner, could face significant fines as a result.
Let me now take a minute and point out some of the ways in which the bill before us would create an effective and streamlined regime for reporting data breaches. The digital privacy act would establish a clear and straightforward test that businesses must apply to determine whether or not they are required to report a breach. If a business determines that a data breach creates a significant risk of harm to a customer or client, then it must report this information both to the individual affected and to the privacy commissioner. If the organization determines that a data breach does not pose a risk of significant harm—that is, their data security safeguards were compromised but they avoided a situation where their customers are exposed to threats like identity theft, fraud, or humiliation—then that organization must keep a record of the breach.
The requirement to maintain these records, even if the breach is determined not to be serious at the time, would serve two purposes. First and most important, it would require companies to keep track of when their data security safeguards fail, so that they can determine whether or not they have a systemic problem that needs to be corrected. An initial breach may not be serious because the information lost is not particularly sensitive. The next time, however, the company and the individuals affected may not be so lucky. Keeping track of all breaches would help companies identify potential problems before individual privacy is seriously harmed.
Second, these records provide a mechanism for the privacy commissioner to hold organizations accountable for their obligations to report serious data breaches.
At any time, the privacy commissioner might request companies to provide these records, which would allow him to make sure organizations are following the rules. If companies chose to deliberately ignore these rules, the consequences, as set out under the digital privacy act, would be serious.
Bill S-4 would make it an offence to deliberately cover up data breaches or intentionally fail to notify individuals and report to the commissioner. In these cases, organizations could face fines of up to $100,000 for every individual whom they fail to notify. These penalties represent just one way in which the digital privacy act would safeguard the personal information of Canadians.
The Privacy Commissioner of Canada strongly supports the proposed data breach rules in Bill S-4. He told the standing committee that:
...I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill.
Proposals such as breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians....
Similarly, the Canadian Bankers Association voiced its support for these amendments, telling the committee:
The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm.... We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.
I think it is clear that Bill S-4 would deliver a balanced approach to protecting the personal information of Canadians, while still allowing for information to be available in a growing, innovative digital economy.
Mr. Karl Littler, vice-president, public affairs, Retail Council of Canada, summed it up best, when he told the standing committee:
Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach.
I think we have it right with the digital privacy act. Both business and consumers have been empowered in the digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.
Bill S-4, the digital privacy act, would strengthen the rules protecting the personal information that is essential to the conduct of business in virtually all sectors of the economy. The digital privacy act would go a long way to improving the protection of privacy for Canadians.
I urge hon. colleagues to join me in supporting this bill.