Joe Daniel

Mr. Speaker, there are several categories of people who are vulnerable: children who are now doing a lot more work online than many adults, and seniors who are also online and are likely to be subject to financial fraud, et cetera. The bill would allow for somebody to identify that there was a potential fraud taking place and would allow communication with somebody responsible for those people to analyze and see if these could be fixed. The bill ensures we make that provision for those people.

Mr. Speaker, that was an interesting question.

Of course there is some merit in all of these things. This bill was specifically designed to fix some of the issues in PIPEDA. It would provide that oversight with the Privacy Commissioner. It would do everything that we need to do to fix the issues for now. Some of the changes that were proposed were not accepted for those various reasons. They were looked at and therefore rejected.

Mr. Speaker, while we look at what the question is about, we already have this information in the system. This is information that people have put online with businesses they are working with to ensure that information is used for legitimate businesses. There is no need for a warrant for those sorts of information unless some criminal activity is going on, in which case there would be a warrant. I do not think there is any relevance to that question, to be quite frank.

Mr. Speaker, our government understands the need for businesses to conduct normal, everyday activities, and not be inundated with red tape, while at the same time maintaining the privacy of Canadians.

The digital privacy act proposes common sense changes that recognize that companies need access to and the use of personal information to conduct legitimate business activities, for example, taking a merger and acquisition process, an insurance claim, or sharing an employee's email address and fax number with another company in those circumstances. These important fixes were introduced in response to unanimous recommendations made during the first parliamentary review.

The digital privacy act would reduce the unnecessary red tape for businesses, while also maintaining and protecting privacy rights for Canadians.

Mr. Speaker, on any bill that comes through the House, the question can be asked whether it is the best bill. We believe this is the best bill we have for this time, for this place, for now, in protecting the privacy of Canadians who are working in this digital economy. We believe these things will strengthen PIPEDA and close the gaps. That is why we have submitted it.

Clearly, Mr. Speaker, when the committee looked at the amendments, they were not considered suitable or applicable at that stage. There is a lot of confidence in the companies that we are working with and that are working on these. The recommendations in this bill came from the companies, as well as all the industries, et cetera. Therefore, I do not think there was any need for those changes to be admitted in.

Mr. Speaker, I am pleased to rise in my place today to speak to Bill S-4, the digital privacy act.

Last year our government launched digital Canada 150, an ambitious plan for Canadians to take advantage of the opportunities of this digital age. It is a broad-based ambitious plan to take full advantage of the digital economy as we celebrate our 150th anniversary in 2017. It is the next step to build our nation and to connect Canadians to each other. As the digital economy grows, individual Canadians must have confidence that their personal information will be protected. That is why under digital Canada 150, one of the five pillars is known as “protecting Canadians”.

The digital privacy act would provide important and long awaited updates to our private sector privacy law, the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA. PIPEDA provides a legal framework for how personal information must be handled in the context of commercial activities while also setting guidelines for the collection, use and disclosure of personal information.

These rules are based on a set of principles developed jointly by government, industry groups and consumer representatives. The digital privacy act would strengthen marketplace rules set out by PIPEDA in important ways. In addition to protecting and empowering consumers, the amendments would clarify rules for businesses and reduce red tape.

These guidelines would ensure that vital information is available to Canadian businesses so that they have the necessary tools to thrive in a global economy. Balancing individual expectations for privacy and the need for businesses to access and use personal information in their day-to-day operations is important. Bill S-4 gets this right. It assures individuals that no matter the transaction, their personal information will continue to be protected under Canadian law.

The need to update the rules for online privacy continues to grow. Breaches of personal information held by retail giants like Target and Home Depot, where the credit card information of millions of Canadians was stolen, underscore the need to strengthen PIPEDA with mandatory breach requirements. The bill before us does exactly this by establishing new requirements for organizations to inform Canadians when their personal information has been lost or stolen and there is a risk of harm. The Privacy Commissioner will also be notified.

An organization that deliberately covers up a data breach or intentionally fails to notify individuals and report to the commissioner could face significant fines as a result.

Let me now take a minute to point out some of the ways in which the bill before us creates an effective streamlined regime for reporting data breaches. The digital privacy act establishes a clear and straightforward test that businesses must apply to determine whether or not they are required to report a breach.

If a business determines that the data breach creates a significant risk of harm to a customer or client, then it must report this information both to the individual affected and the Privacy Commissioner.

If the organization determines that the data breach does not pose a risk of significant harm, that is, its data security safeguards were compromised but it avoided a situation where the customers are exposed to a threat, like identity theft, fraud or humiliation, then that organization must keep a record of that breach.

The requirement to maintain these records, even if the breach is determined not to be serious at the time, serves two purposes. First and most important, it requires companies to keep track of when their data security safeguards failed, so that they can determine whether or not they have a systemic problem that needs to be corrected.

An initial breach may not be serious because the information lost is not particularly sensitive. The next time, however, the company and the individual affected may not be so lucky. Keeping track of these breaches will help companies identify potential problems before individual privacy is seriously harmed.

Second, these records provide a mechanism for the Privacy Commissioner to hold organizations accountable for their obligations to report serious data breaches. At any time, the Privacy Commissioner may request companies to provide these records which will allow the commissioner to make sure that organizations are following the rules.

If companies choose to deliberately ignore these rules, the consequences as set out under the digital privacy act are serious. Bill S-4 would make it an offence to deliberately cover up a data breach or intentionally fail to notify individuals and report it to the commissioner.

In these cases, organizations could face a fine of up to $100,000 for every individual they fail to notify. These penalties represent one way that the digital privacy act would safeguard the personal information of Canadians.

The Privacy Commissioner of Canada strongly supports the proposed data breach rules in Bill S-4. He told the standing committee:

I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill. Proposals such as the breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians....

Similarly, the Canadian Bankers Association voiced its support for these amendments, telling the committee:

The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm. We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

I have been discussing the data breach rules which are a very important element of the bill before us. I would like now to turn my attention to four ways that Bill S-4 would strengthen Canada's privacy rules.

First, the bill establishes strong consent requirements to protect vulnerable individuals online, particularly children. These enhanced consent provisions were introduced as a result of recommendations made by Parliament during the first statutory review of PIPEDA.

Under PIPEDA, organizations need to obtain an individual's consent to collect, use, or disclose their personal information. Under the bill before us, an individual's consent would not be considered valid unless the way the information will be used is clearly communicated in language appropriate to the target audience.

For example, some businesses operate online playgrounds or educational websites that target children and collect personal information of children that is used for marketing and other purposes. Bill S-4 requires that the language used to obtain consent must be such that a child could reasonably be expected to understand the nature, purpose and consequence of sharing his or her personal information. If the consent request is too complicated for the child to understand, the consent would not be valid.

Again, the Privacy Commissioner of Canada supports this amendment. He told the committee:

I think it would be useful to further clarify that consent is to be evaluated from the perspective of the person whose consent is invoked. Organizations would be asked to put themselves in the shoes of various clientele from whom they are collecting information so that consent is as meaningful as possible.

Second, Bill S-4 seeks to harmonize federal laws with provincial privacy protection laws when it comes to a sharing of personal information without consent in narrow, limited circumstances.

PIPEDA already provides for a number of circumstances where personal information can be shared without consent when it is clearly in the public interest to do so. The amendments in Bill S-4 would add to this by allowing information to be shared in order to protect seniors and other vulnerable individuals from financial abuse or neglect, communicate with the family of an injured or deceased individual, or identify a victim of an accident or a natural disaster.

In his testimony before the standing committee, Mr. Marc-André Pigeon, director of financial sector policy at Credit Union Central of Canada expressed his strong support for Bill S-4 and the financial abuse amendment. He said:

In general, we think Bill S-4 does a lot of things right. We are especially pleased with the provisions that would make it easier for credit unions to share personal information with the next of kin or authorized representatives when the credit union has reasonable grounds to suspect that the individual may be a victim of financial abuse.

The third way that Bill S-4 would strengthen PIPEDA would be through changes that would support day-to-day business operations. The digital privacy act would remove unnecessary red tape for businesses by allowing for the collection, use and disclosure of personal information without consent in the context of specific legitimate business activities. For example, Bill S-4 would allow information to be more readily available in order to conduct due diligence in the context of mergers and acquisitions.

Similarly, the digital privacy act would allow businesses to share any type of business contact information in order to carry out normal business activities. It is simply ridiculous that PIPEDA allows an employee to share an office phone or fax number, but not an email address. Bill S-4 would fix this problem, a solution supported by the Retail Council of Canada. It told the committee:

—we support the clarification on the exclusion of business contact information...This section 4 clarification will better equip businesses to conduct their ongoing operations.

Finally, the digital privacy act would make existing compliance tools stronger and more effective. PIPEDA is enforced by the Privacy Commissioner of Canada who can turn to the Federal Court when an organization is found to break the rules. Bill S-4 would also give Canadians the option of taking an organization to Federal Court to order an organization to change its practices or to seek damages.

While the digital privacy act would keep those options open, it would also provide an alternative to court action such as voluntary compliance agreements. Under a compliance agreement, organizations would voluntarily commit to take action to comply with the law to avoid costly legal action. The agreements would be legally binding and would allow the commissioner to hold organizations accountable to follow through on their commitments to private privacy protection.

Again, the Privacy Commissioner expressed his strong support for this tool when he appeared before the standing committee. He said that the compliance agreement amendment was “very necessary” and “helpful for us to implement and apply”.

Canadian organizations care about their reputation and they know that sound privacy practices will have a lasting impact on the legitimacy of their brand. They also know that the reverse is true, that if their customers find out about shoddy privacy practices, their businesses will suffer. This is why the digital privacy act would give the Privacy Commissioner broader powers to name and shame a non-compliant organization to encourage it to take corrective action.

If either of these measures fail to provide the right incentives for businesses to fix their privacy problems, Bill S-4 would give the Privacy Commissioner more time to take them to court. Under the current law, the commissioner only has 45 days after he finishes the investigation to take the organization to court.

The Privacy Commissioner told the standing committee that it was simply not enough time, given the high complexity of issues with which his office dealt. Quite often, the Privacy Commissioner will work with organizations for several months, if not a year, to ensure they follow through on their commitments to fix any problems he has identified. The problem, of course, is that organizations can simply delay taking action for a couple of weeks, knowing that after 45 days, the commissioner will no longer have the option to take them to court. Bill S-4 would fix this problem and would provide the commissioner with a year to take an organization to court for non-compliance.

I have just outlined the five major provisions in Bill S-4, which include: new data breach rules; clear requirements when obtaining consent from individuals, including from minors; changes to support other public interest objectives, like fighting financial abuse; reducing the red tape for day-to-day operations; and new compliance tools for the Privacy Commissioner of Canada.

It is clear that Bill S-4 would deliver a balanced approach to protect the personal information of Canadians, while still allowing the information to be available to the growing, innovative digital economy.

Karl Littler, vice-president of Public Affairs at the Retail Council of Canada, summed it up best when he told the standing committee:

Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach.

We have it right with this digital privacy act. Both businesses and consumers have been empowered in this digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4, the digital privacy act, would strengthen the rules protecting personal information, and that is essential to conduct business in virtually all sectors of the economy. The digital privacy act would go a long way to improving the protection of privacy for Canadians. I urge hon. members to join me in supporting this bill.

Mr. Speaker, our government has consistently lowered taxes and created new voluntary options for Canadians to save, like the tax-free savings account.

In contrast, the Liberal leader revealed a risky spending scheme that would force Canadians to take a $1,000 pay cut. It is clear that the Liberal leader has only one plan for our economy, and that is to raise taxes.

Could the Minister of Finance please tell the House what our government is doing to help Canadians save?

Mr. Speaker, my constituents of Don Valley East are astonished that the leader of the Liberal Party wants to introduce a job-killing payroll tax hike on every worker in Canada. For someone earning $60,000 a year, the Liberal leader's plan would cost $1,000. He wants to bring “...a mandatory expansion of the CPP, of the type that Kathleen Wynne put forward in Ontario”.

We reject that. Our approach is a low-tax plan to secure retirement. We want to keep more money in the pockets of hard-working Canadians.