Bill C-11 (Historical)

Mr. Speaker, we live in a country where the right to privacy is fundamental.

Today's youth are vulnerable, and some are victims of traffickers who post content online without consent. Bill C-11 could be amended to protect personal information.

Is the Liberal government prepared to protect these vulnerable members of our society?

Thanks, Madam Chair.

Anthony, you probably recall that, when you attended our privacy committee before, we had a conversation about data portability. It hadn't been in the competition commissioner's early reports, but I know that you have taken data and privacy issues much more seriously now. I think as a consequence of that, we now see it in Bill C-11. I just want to thank your office for that.

When it comes to the Facebook agreement, which I think is also good news, that consent agreement and a $9-million fine with $500,000 also to reimburse the commissioner for costs.... When we look at the States and the fine of $5 billion, even when you adjust for population here in Canada, it would still be significantly more in terms of a fine in the United States than we saw in Canada.

Can you speak to the capacity of the competition commissioner to levy those fines and why it was one-fifth of what we saw when you adjust for population?

I'm finding this very informative. Thank you for being here today.

I want to come back to the discussion related to the dominant tech players, particularly the giants—we're seeing organizations like Amazon, particularly, coming into the market—and the use of data. I know you said you will be reviewing Bill C-11, but I wonder, with that kind of dominance and that control and use of data, if we should be concerned that there aren't enough teeth in your act or in Bill C-11 to deal with things like customer lists. This is stuff that's proprietary and that could really put at risk smaller Canadian companies, small businesses that are using what they think is a service provider but actually could quite likely be a competitor.

Okay. Thank you.

The federal government, as you know, recently introduced Bill C-11 for the protection against commercial exploitation of personal information and the establishment of a data protection tribunal. Clause 14 of this bill would notably amend the Competition Act to facilitate co-operation between the Competition Bureau and the Privacy Commissioner.

How does this bill affect your activities, if Parliament enacts it in the near future in its current form?

I completely agree with you. It's a significant issue, and actually made far worse with the pandemic. Given that market dominance, it has increased significantly.

Has your department spent much time reviewing the provisions within Bill C-11 on data privacy and some of the data regulations? Are the definitions strong enough? Have you done a thorough review? Can you share with us any opinions you might have, either right now or by following up with something in writing?

Mr. Speaker, that question was really well put, probably the best question today.

This afternoon, we will continue debate at second reading of Bill C-12 on net-zero emissions. This evening, the committee of the whole will study the votes under Department of Health. Tomorrow and Monday, we will be debating Bill C-7 on medical assistance in dying.

We hope to complete third reading of Bill C-7 on Monday to give the Senate enough time to pass the bill before the court-imposed deadline of December 18.

On Monday afternoon, at 4 p.m., the Deputy Prime Minister and Minister of Finance will deliver the fall economic statement in the House of Commons.

Tuesday and Thursday shall be allotted days.

On Wednesday, we will resume debate on Bill C-12, the net-zero legislation.

Lastly, next Friday we will resume debate on Bill C-10, concerning the Broadcasting Act, and Bill C-11, concerning personal information protection.

Madam Speaker, it is a great pleasure to speak to Bill C-11 today.

This is an extremely important subject that concerns the security and protection of all citizens' personal information. As my colleague already clearly stated, over the past 10 years and during the current pandemic, there have been a multitude of phishing scams via telephone, the Internet and online shopping platforms, which are increasingly popular.

I believe that Bill C-11 is timely and will correct major problems that we have been seeing for some time in different areas. For example, there have been cases of bank fraud, notably at Desjardins, and the federal government has also been affected. I know that the bill does not apply to the federal government, but this issue remains a very serious concern.

Take, for example, a situation that has occurred in my riding of Terrebonne. For the past month or so, we have been seeing a whole host of complaints related to the Canada Revenue Agency, from people whose identities were stolen by fraudsters who claimed CERB cheques in their name. This shows that there is a gap at the government level, which is very interesting.

I understand that we need to look at what requirements should be established for banks and e-commerce, but I think that there may be some aspects of the bill that we could rework. We are only at debate at second reading for this bill, which means that the bill could be amended and improved to give it more teeth, make it more robust and ensure that it is more responsive to the various threats that could arise in the future. Since we are essentially talking about technology here, the new law should be able to adapt its mechanisms to the changes in technology that will occur in the coming years.

However, there are a number of troubling issues that the bill does not address. For instance, metadata is not included in the bill. I am not an IT expert, but metadata is something that we see regularly. For example, if we spend a few minutes on the Internet searching for a camp chair, it is not unusual to then see ads for various types of camping equipment.

That is worrisome because metadata can be used to target specific individuals. When a group of individuals is targeted, there is a risk of more targeted threats or cyber-attacks. That is why I think it would be a good idea to improve the bill by addressing the issue of metadata.

The federal government, and the Canada Revenue Agency in particular, has quite a lot of work to do on matters of identity theft. The CRA's mandate is to manage revenues on behalf of the Canadian government.

However, what happens in the case of computer fraud as a result of identity theft? In that case, it becomes more a matter of public safety and national security. In many cases, fraud and identity theft, particularly in the banking sector, are committed from abroad using fairly sophisticated electronic means.

Once again, I am not familiar with the mechanisms used to investigate these predominantly computer-based threats or to protect us from them.

I am also referring to the recent debate we had—and I do think this is related—on 5G networks in Canada, in terms of the technological means that will be deployed over the next few years to protect the IT infrastructure itself from all threats and foreign influences.

In some cases, the threat might involve political or public influence. In other cases, it could literally be individual hackers from around the world who use technology, including 5G networks, to circumvent security mechanisms and break into various systems to steal identities and the personal data of the various citizens that we are meant to protect.

It seems to me that the general intent behind Bill C-11 is a worthwhile one, crucial even, as I said in my opening remarks. However, we also need to tackle the technical side. I get the sense that some issues were not considered from all angles so as to ensure that the bill reinforces the back door as much as it does the front door.

Once again, protecting online identity is the most tenuous aspect, and we are trying to rectify that here. I am concerned about a number of aspects of the authentication mechanisms, because that is really what this is about. Currently, many banks, institutions and businesses use a variety of platforms to secure and protect the identity of online customers and consumers.

As a few minutes on the Internet will show, private online commerce companies use many different authentication platforms and mechanisms. It might be a good idea to consider using the bill to standardize those online transaction authentication mechanisms, but the government seems unwilling to do that in the current version of Bill C-11.

The government wants to have companies and financial institutions take on more of the control, responsibility and obligations of protecting personal information. The government should, however, set out some very specific measures in the bill to ensure that all companies can shoulder this responsibility. Not every company has the financial means to set up robust data protection mechanisms. I therefore think that the government needs to set some statutory requirements.

As my colleague from Abitibi—Témiscamingue pointed out earlier, a lot of small merchants and businesses do not have the financial means to improve or modernize their technology infrastructure. This issue may also need to be addressed in the comprehensive approach we are advocating today.

There is the whole issue of jurisdictions. Quebec's jurisdiction over civil law and consumer protection plays an extremely important role. We know that the laws are confined to the jurisdictions for which they were written. This is not just a Quebec and Canadian problem, but also an international one. By the way, I think it will be necessary for the government to define very clearly these famous control mechanisms and make solid political and governmental choices in connection with the new information technologies that will crop up here at home.

That is essentially where this will play out. We cannot give a foreign government control over telecommunications and computer infrastructure. It is extremely important. We are wading into another field, but to be able to protect our constituents we have to ensure that our infrastructure is not threatened by other countries or by foreign nationals, such as the hackers I mentioned earlier.

Then we have to find some form of standardization to help ensure that clients or consumers are protected during online transactions. Let's not forget the entire issue of metadata, which are a formidable tool for any bad actor wanting to target and attack groups that are more privileged or more vulnerable.

In conclusion, the federal government must ensure that Canadians can be guaranteed, in all circumstances, that a consistent international standard will be rigorously applied, and that it will be possible to efficiently identify any and all fraudsters. Identifying fraudsters has always been a problem, and the Canada Revenue Agency could speak at length about this in committee.

Madam Speaker, I am honoured to be sharing my time with the member for Terrebonne.

I am pleased to rise to speak to the fundamental issue of the protection of privacy.

Since March 2020, Quebec business owners have been hard hit by the negative economic impacts of the COVID-19 crisis, namely the lockdown, the closures, the health measures, the labour shortage and the drop in consumption.

SMEs in Quebec have received assistance in the form of tax credits from the Government of Quebec and the Government of Canada to help mitigate these negative economic impacts. Now more than ever, SMEs are struggling under a burden of debt and many of them may never recover. At this difficult time for Quebec's social and economic life, I am worried about Quebec's SMEs, and particularly the small business owners who do not have the time or money to get bogged down in a data protection program that, in some cases, will have to take into account a number of Quebec and Canada laws.

By amending the Privacy Act, the Government of Canada is creating a number of problems for Quebec's SMEs because of legislation adopted by two governments, the Government of Quebec and the Government of Canada. Depending on whether their economic activities extend beyond Quebec's borders, it is very likely that Quebec's SMEs will not know which law governs their data protection plan.

The new federal law proposed in Bill C-11 will have real teeth, which means that Quebec's SMEs are likely to suffer, unfortunately. I am scared to think how this bill will affect Quebec's SMEs.

The pandemic is forcing many retailers to shift to online sales, the kind of electronic commerce referred to in the bill. In his speech to the House this morning, the Minister of Industry acknowledged that the protection of personal information is essentially a provincial responsibility and a matter of civil law. He said his bill respects provincial jurisdiction, but a closer look at the text reveals that to be not quite the case.

It is true that Bill C-11 applies to all federally regulated businesses. However, businesses that are not federally regulated, which describes the vast majority of companies and virtually all SMEs, are not really excluded from the scope of the bill.

The minister can exclude them if the province has substantially similar legislation, as is the case in Quebec, but he cannot exclude them entirely. In fact, he can exclude them only “in respect of the collection, use or disclosure of personal information that occurs within that province”.

Imagine the mess: a Quebec SME will have to comply with the Quebec law if the information does not leave Quebec, but it will have to comply with the federal law if the information does leave Quebec. Information collected from one customer will be subject to two different laws.

Which law do Visa card payments fall under? Does it depends on which territory the Visa server is located in? This seems unenforceable to me. If a business is covered by the Quebec legislation on data protection, that should apply to all its activities, not just half of them, as it would under the bill as currently worded.

Furthermore, Quebec laws are also adapting to the reality. We must recognize that the federal government's bill represents a step forward, because the current legislation has no teeth. Under Bill C-11, a privacy commissioner could establish the specific practices to be adopted in accordance with the principles set out in the legislation. A privacy commissioner would have order-making powers to force organizations to comply with those principles.

Under Bill C-11, a citizen could file a complaint with a tribunal. The privacy tribunal will also be able to impose significant penalties of up to 3% of a multinational's global revenue for non-compliance. In short, the major difference between the law and the bill we are debating, is that the bill's mechanisms are more favourable to citizens when faced with an organization that misuses digital data.

This bill fails to address the important issue of online identity protection to prevent fraud through identity theft, especially when Canadians engage in financial transactions. Bill C-11 does nothing to ensure that financial institutions in Canada verify someone's identity before authorizing a transaction, which exposes Canadians to fraud. Even the federal government has failed to properly verify a person's identity before authorizing an electronic transaction.

I would like to share an unfortunate incident that happened to one of my constituents. This summer, a young man was a victim of identity theft and wound up having to defend his reputation to the Canada Revenue Agency and another financial institution. It was my own office manager who, while talking to a federal official on the phone, realized that fraud had taken place. My office manager took charge of the case and helped my young constituent navigate the unpleasant process that lasted weeks. There was a police investigation and all kinds of documentation. There were numerous discussions with a financial institution and government officials. He had to go to great lengths just to prove that a fraudster had stolen his identity and to defend his reputation to a financial institution and the Canada Revenue Agency.

It was weeks before this young man was able to access the Canada emergency student benefit he very much needed. That is not exactly the kind of introduction a young adult should have to dealing with banks and governments. This whole situation happened because the government did not take the time to verify the identity of the CERB applicant.

The government needs to set an example and take immediate action to combat identity theft. This is a serious problem. Bill C-11 contains some privacy mechanisms, but there is no mechanism to verify the identity of users or consumers to protect their personal information.

I remind members that private information falls under the umbrella of property and civil rights, which is a provincial jurisdiction, as set out in the Constitution. Quebec is in the process of modernizing its act. Unfortunately, it is difficult to assess right now how the federal act and the Quebec act will interface.

However, the Bloc Québécois foresees some problems, and we do not want these problems to affect small businesses in Quebec, which, I remind members, are struggling as a result of the economic issues associated with the COVID-19 crisis.

SMEs carry a heavy debt load at times. Any additional weight on the shoulders of Quebec entrepreneurs is becoming harder and harder to bear. Considering the potential administrative nightmare that could result from how the federal legislation intersects with the Quebec legislation, I would ask that Quebec SMEs be exempt from Bill C-11.

Simon Marchand, chief fraud prevention officer at Nuance Communications, is a certified fraud examiner, a certified administrator and an expert in biometrics and security. He appeared before the Standing Committee on Industry, Science and Technology on May 20. We were discussing fraud-related topics. He mentioned that in the context of COVID-19, telework was a risk factor. This is especially true when it comes to customer service.

All customer service agents who normally work in call centres now work from home, in an unsupervised environment. These agents have limited resources, but now have the opportunity to access sensitive consumer information, whether it is data on their assets or information that could be used by anyone to impersonate someone else.

A second factor is the socio-economic reality, which will no doubt put pressure on many households. When it comes to internal fraud, we know that pressure and opportunity are the two basic factors that drive an employee to go against their employer’s interests and commit fraud.

Some areas have seen a 600% increase in the number of phishing scams involving COVID-19; attachments, links to websites and other methods are being used to lure victims. Fraudsters will be able to get their hands on vast amounts of consumer information, which they will not use in the next few weeks. Rather, they will wait six to 18 months before opening up accounts, taking out financial products and acquiring products from telecommunications carriers. That is what this bill is all about. It provides a modicum of protection, which is a good thing.

In terms of accountability, Simon Marchand said:

I think, though, the focus should be on accountability and the responsibility companies have in relation to the information they use to deliver services.... it calls into question the bank’s responsibility, which is protecting that information.

The first benefit of accountability will be to give the government a clear picture of the situation. It will know exactly how many victims there are, and it will be able to direct measures accordingly to strengthen security, particularly in banks and telecommunications companies.

This will put a burden on businesses, which will have to file reports, but this burden is not unreasonable, since the data they have is already known. All they will have to do is provide them to lawmakers or to a government-supervised body that can present these data more broadly and anonymously so that members of Parliament can access that information and know exactly what is going on in Canada.

This is an important step, because if there is a leak, companies must tell individuals what information was exposed and the risk of harm from the leak. That is what the bill does, and it is absolutely fundamental, because that is a risk that we run.

In conclusion, the lack of accountability for federally regulated businesses is a problem with the current legislation. There is currently no overall picture of how many people are actually victimized by having their identity used once it has been stolen. I am therefore pleased that the federal government is taking greater responsibility and beginning to act by introducing this legislation.

Madam Speaker, I want to thank my colleague for all his clarifications on Bill C-11.

However, I would like to take him in another direction. Quebec is also currently studying proposed legislation, Bill 64, which would provide increased protection for personal information and is heavily based on European law.

I am wondering if the government considered how these two laws will work together, to avoid the confusion that any overlap would cause for the consumer.

Madam Speaker, it is a pleasure for me to stand and resume debate on Bill C-11, now at second reading, on the consumer privacy protection act.

This act, which replaces private sector privacy protections under the Personal Information Protection and Electronic Documents Act, PIPEDA, places consumer protection at the forefront in order to ensure Canadians have confidence in the digital marketplace and can trust that businesses are handling their personal data responsibly.

It is important in an era of global online commerce for Canada to put in place a privacy standard that offers consumers increased control over their personal information as they participate in a modern digital marketplace. The act also includes important changes to enable and support innovation in an increasingly digital marketplace.

Today I will be speaking about how our government is supporting business and protecting Canadians' privacy as they actively participate in the digital economy. Our government is working to establish an enhanced privacy framework where consumer protection is strong and where businesses are supported in their efforts to innovate in a rapidly changing digital landscape.

Bill C-11 makes important changes to the privacy framework for Canadians. It sets out enhanced measures for Canadians to ensure their personal information is protected and it enables new rules and mechanisms for industry in a way that promotes innovation in a digital world.

We understand the need to ensure the privacy of Canadians is protected. There is also a need to ensure that Canadian businesses have the supports they need to grow and prosper in a global marketplace that runs on digital technologies and data. These changes come at a time of great change, not only in terms of rapid advances in digital technologies, but also at a time that is critical for business to adopt and innovate in a digital world.

The need for digital solutions in our daily lives has become essential in the current pandemic environment. In a time when physical distancing has been so important, consumers want solutions that give them access to the products and services they need and firms need to keep doing business and set themselves up to grow.

For many, digital solutions have been the answer. However, we all recognize that new technologies are providing companies with vast amounts of personal information, data that is essential to making business decisions and offering new services to customers.

Innovation and growth are critical, but we must stand up for Canadians and ensure that this innovation happens in a responsible way. Today, I will be outlining the key elements of Bill C-11 that enable responsible innovation done right in the Canadian way.

One of the goals of PIPEDA, our current law, has been to ensure companies are able to handle personal information to meet their legitimate business needs and do this in a privacy-protected way. To achieve this dual objective, PIPEDA's framework is principles-based and technology neutral. This framework ensures that the law continues to apply even as technology has undergone rapid change. The CPPA retains this approach, continuing the success of a flexible and adaptable privacy law in the Canadian private sector context. We all recognize that times are changing rapidly.

To better reflect the realities of the digital economy and to continue the emergence of the new big data technologies and artificial intelligence, the CPPA has a number of provisions that support industry moving forward. The bill would create a level playing field for companies of all sizes. It does this by reducing administrative burdens, critical for the vast number of small and medium-sized enterprises in Canada so essential to our economy.

It introduces a new framework for personal information that is de-identified. It establishes new mechanisms likes codes of practice and certification with independent oversight by the Office of the Privacy Commissioner. It addresses data for research purposes or purposes deemed to be socially beneficial.

I will outline how the bill would do it all. The bill before us today includes a new exception which is consent to cover specified business activities. The goal here is to allow Canadians to provide meaningful consent by focusing on specific activities that involve real choice. This is critical to avoid blanket consent agreements or the long, multi-page contracts that no one reads.

It would also reduce the administrative burden on the business in situations where an individual's consent may be less relevant, such as a company's choice of a third party service provider for shipping goods. The customer wants goods shipped and the company should have the ability to make this happen. The law should not add extra burden to fulfilling the service.

Therefore, the bill provides for new regulations to be developed for prescribed business activities, and that introduces the concept of legitimate interest in Canada's privacy framework. This is something that industry has asked for and the government has answered in Bill C-11.

Second, we are better defining and clarifying how companies are to handle de-identified personal information, that is, personal information that has been processed and altered to prevent any identification of a particular individual. The bill would allow organizations to de-identify personal information and use it for new research and development purposes. Businesses must undertake R and D to improve their products and to offer customers the new and leading-edge services that they are looking for. This provision would give businesses the flexibility to use de-identified data for those purposes, adding value for customers and firms alike.

The law would also allow organizations to use data for purposes of the public good, specifically by allowing companies to disclose de-identified data to public entities. Such disclosures are only allowed where the personal information cannot be traced back to a particular individual and there is a socially beneficial purpose, that is, a purpose related to health, public infrastructure or even environmental protections. This kind of provision would protect individuals while ensuring that we use all the tools at our disposal to address the biggest challenges of our time.

Included in the bill is a clear set of parameters for institutions, such as hospitals, universities and even libraries, that would seek to receive personal information for a socially beneficial purpose. These parameters would help to clarify the rules of the road in a new and important field.

These new provisions would also permit organizations to share more data in a trustworthy manner. This would allow the private sector to work with different levels of government and public institutions to carry out data-based initiatives in a privacy-protecting manner. By taking this approach, the bill accommodates emerging situations where collaboration between public and private sectors can provide broad public benefits, while at the same time retaining the trust and accountability we demand and deserve.

Third, the bill would provide a framework for codes of practice so that businesses, especially those in specific industries or sectors of the economy, can proactively demonstrate their compliance with the law. The bill would do this by introducing coregulatory mechanisms into Canada's privacy landscape that would have businesses and the Privacy Commissioner working together. For example, companies operating a specific type of business could develop a code of practice that demonstrates compliance with a specific part of the law, and the Privacy Commissioner could formally recognize the code. For instance, there could be a code for de-identification.

Lastly, the bill provides for certification and certification bodies. Such bodies could use codes of practice to certify businesses compliance with some or all of the law. This is a useful tool for companies, especially small and medium-sized identities, and would be backed up by oversight by the Privacy Commissioner. This means that the Privacy Commissioner would have the option to decline to investigate a privacy complaint when a company has obtained a certification related to the complaint. This is not only efficient, but also provides an additional layer of certainty for business and consumers alike.

Recognized practices, codes and certifications would make it easier for business to comply with the law and for individuals to understand how they are protected. Bill C-11 would not only help keep the personal information of Canadians safe, but enable tomorrow's innovators by supporting Canadian businesses in every corner of the digital economy.

With the bill, the government has made innovation and economic growth a top priority. It is a major step forward.

Madam Speaker, I did have the opportunity to rise on the Conservative motion with respect to Huawei. As I made clear at that time, there are no providers in Canada at the moment that are using Huawei's 5G infrastructure.

I would also take issue, perhaps, with the word “scheme”. What is presented here in the bill before the House is a very serious framework for the protection of personal information and data on behalf of all Canadians. It is certainly something that I am looking forward to debating more fully today and in the future. If there are specific amendments, as I said, I think we are open to them, but at its core, we have a very sound structure that we presenting in Bill C-11.