Bill C-11 (Historical)

Mr. Speaker, I rise today to join my colleagues in speaking to the digital charter implementation act, 2020.

In today's ever-changing digital environment, Canadians have demanded better protection of their personal information. They have also demanded that organizations be held accountable for misusing their information. Stakeholders have told us that they want flexibility to innovate responsibly and want consistency with privacy rules everywhere else in other jurisdictions.

I am proud to say that the digital charter implementation act, which would enact the consumer privacy protection act, or CPPA, represents the most ambitious overhaul of Canada's private sector privacy regime since PIPEDA was first introduced, in 2000. CPPA would introduce significant changes to better protect the personal information of Canadians in the way they have been demanding, including, of course, with strong financial consequences for those who do not follow the law.

Prior to PIPEDA, in the 1990s, other countries around the globe introduced new laws to ensure that privacy was protected and that the opportunities afforded by e-commerce and the flow of information around the globe flourished. In particular, the EU introduced a privacy directive for its member countries to implement into their national laws.

Inspired by the EU law, Quebec introduced the first private sector privacy law in Canada in 1994. This was an important step forward, but it also raised the potential and, of course, the prospect for a patchwork of provincial privacy laws. With the prospect of multiple, possibly conflicting, rules and gaps in privacy protection that could harm Canadians, the federal government needed to act. Canada required a national privacy standard to ensure consumer confidence and regulatory certainty for businesses.

At the outset of the new millennium, PIPEDA was created to address the privacy concerns arising from a period of technological disruption fuelled by the rise of the Internet. It provided a framework with robust privacy protections and the flexibility to support the legitimate needs of businesses to use personal information. It also provided a mechanism by which the provincial private sector privacy laws could be considered substantially similar. This meant that where such a law is accorded that designation, PIPEDA does not apply to an organization's activities within a province.

In 2004, Alberta and British Columbia passed private sector privacy laws that are considered substantially similar, as is Quebec's law. A number of newer provincial health information laws have also passed, since 2005, that have been appropriately designated as substantially similar.

PIPEDA would continue, however, to apply to the federally regulated sector in a province and to any personal information collected, used or disclosed in the course of commercial activities across provincial borders. This provided a stable regulatory environment and flexibility for the provinces, and supported Canada's trade interests for many years.

However, today we are faced with a changed environment. Today, in many ways, history is repeating itself, but the risks have evolved. The role of digital technologies is considerably more central to our lives than it was 20 years ago. Just consider our experience in recent months with the pandemic. To harness all that the modern digital world has to offer, we clearly needed to modernize our federal private sector privacy law.

In a globally connected economy, our laws needed to be consistent with those of other jurisdictions. Internationally agreed privacy rules, such as the OECD privacy guidelines, first introduced in 1980, were updated in 2013. So too, I might add, more recently, was the APEC privacy framework. Indeed, privacy laws based on these international norms have been changing and advancing in Europe, Japan, South America and New Zealand.

What have these changes entailed? Core privacy principles have remained, though some have been expanded, such as accountability and breach reporting. New elements, such as enhancing rights of erasure and mobility rights, a greater emphasis on transparency, more certainty for businesses and consumers through codes certification and stronger consequences for non-compliance, have been the principal hallmarks of many of these evolving changes.

Closer to home, this summer, Quebec introduced amendments to its private sector privacy law, and B.C. recently conducted a study on its own laws. Ontario too is considering introducing a new private sector privacy law. Stakeholders have told us they are worried about the burden of multiple laws with different requirements. They demanded harmonization here at home.

There is a clear need for the progress and reforms included in the digital charter implementation act, 2020. If we do not act, there is a risk of further fragmentation of privacy rules across the country. We need to keep up with changing technology and business practices, and incorporate the best international practices, protocols and safeguards in our own domestic laws. We also need to set a common standard for privacy protection for the private sector across Canada.

Like the current PIPEDA, the new CPPA would be grounded in the federal trade and commerce powers. It recognizes the very importance of doing business on a national basis and in an economy that must work across provincial boundaries. Also, like PIPEDA, it would provide for a mechanism to recognize provincial laws that are substantially similar. These regulations would set out the criteria and process for such recognition or for reconsideration of it, and would continue to provide the provincial flexibility that has been important to PIPEDA's success. CPPA, like its predecessor, would maintain the Privacy Commissioner's ability to collaborate and co-operate with his or her provincial counterparts, an important tool to ensure consistency.

As the minister emphasized earlier today, the focus should always be on compliance. Some ask why we cannot have just one national law. The answer, of course, is that Canada is a federation; there is a division of powers. Indeed, the provinces provide important coverage that a national law cannot, under our Constitution.

I would be remiss if I did not also acknowledge the international context.

We live in an interconnected world. Data are constantly flowing across borders. In 2002, the European Commission recognized PIPEDA as providing adequate protection relative to EU law, allowing for the free flow of personal information between Canadian and European businesses. However, in 2018, a new EU regulation came into effect: the General Data Protection Regulation. It updated many of the existing requirements and added strong financial penalties for contraventions. The EU is currently reviewing its existing adequacy decisions, including the one applying to Canada.

That is why the government launched Canada's digital charter in 2019. Its 10 guiding principles offer a firm foundation on which to build an innovative and inclusive digital and data economy. The principles of ensuring interoperability, a level playing field, strong enforcement and real accountability are clearly reflected in the digital charter implementation act.

I want to thank members for their attention today, and I can assure them that our approach to privacy protection respects the privacy rights of Canadians. It is pragmatic, principled, meets our trading needs and provides a consistent, coherent framework that Canadians and stakeholders can rely on.

With Bill C-11, we will continue to encourage trade and investment and grow an economy that extends across provincial and international borders alike.

Mr. Speaker, I am looking forward to getting back to the ethics committee to work with the member for Timmins—James Bay on these issues.

When we look at the use of algorithms and the use of algorithms combined with just the scale of data collection that we see today, we can narrowly focus in on consumer privacy on the one hand, but on the other hand there are bigger conversations about how that information is used to target messages to us and the implications for our democracy. There is a reason, when we hosted that meeting in Ottawa for the IGC, that it was on big data, privacy and democracy.

In terms of algorithmic accountability specifically, I would say I am not certain yet what the perfect solution looks like, but I have always been interested in the work of the Treasury Board in respect of algorithmic impact assessments. It is clear enough, and I am glad to see in Bill C-11 that there is a commitment to algorithmic transparency.

Going further and having some body, potentially the Privacy Commissioner, able to look under the hood and audit algorithms and their potential positive and negative impacts is important. We need to figure out a way to do just that.

Mr. Speaker, I will be splitting my time with the member for Willowdale.

We increasingly live our lives online and our laws need to reflect that reality. Privacy is a human right and it is inextricably connected to our personal autonomy.

The Council of Europe's Convention 108 states, “The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.” The GDPR states, “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

The incredible scale of data collection can be a powerful force, both for good and bad, so we need strong privacy and digital rights and a strong regulator to enforce them.

There is much in our government's Bill C-11, which is a serious reform of PIPEDA and certainly long overdue. I remember in June 2018, I introduced legislation simply to give the Privacy Commissioner new powers, which our privacy committee had twice unanimously recommended. We have come a long way since then with this substantive bill. OpenMedia said, “Bill C-11 is a big win for privacy in Canada.”

While I have heard some reflections from experts and certainly from some parliamentary colleagues already about how the bill can potentially be improved, or some open questions about what might need to be fixed, it is certainly deserving of our support at second reading. I look forward to working with colleagues across party lines to improve the legislation at committee where we can.

At this point, to work at committee across party lines something of a detour is required. I want to specifically commend my Conservative Party colleagues from Prince George and Thornhill, my NDP colleague from Timmins—James Bay and my Liberal colleague from Kitchener Centre. We worked very long and hard on privacy issues in the last Parliament. We helped found the International Grand Committee, comprised of over 10 countries, to discuss these issues. We hosted the second meeting of the IGC in Ottawa. We tabled the report “Towards Privacy by Design” in February of 2018.

When we as parliamentarians talk about committee work and often the overlooked nature of the committee work, we do not always see that committee work turn into legislation. In this instance we have.

We recommended stronger consent rules and we see stronger rules in Bill C-11. We recommended algorithmic transparency and we see in Bill C-11 a commitment on transparency where systems are used to make predictions, recommendations or decisions about consumers. We recommended data portability and interoperability. We see those commitments in Bill C-11.

We see stronger powers for the Privacy Commissioner. I mentioned that need for a strong regulator, including order-making, auditing and the ability to levy fines. We see order-making powers. We see the ability to audit. We see a new tribunal, and while I understand some of the caution or questions members are raising in respect of this design, it is consistent with the competition commissioner and tribunal operations and worth looking at more seriously to see if it can be approved. However, through the tribunal, we see the ability to levy significant fines, in the magnitude of $10 million to a maximum of $25 million for more serious fines.

In terms of the course of that committee work, I want to reflect on a couple of stories about why this kind of legislation is so important and critical.

I think it was in the fall of 2017, when we were in the midst of the study on PIPEDA reform, that the member for Thornhill, the former member for Skeena—Bulkley Valley, I believe I am getting that right, and I went down to Washington and met with other elected representatives there. We witnessed some of the hearings in relation to the Equifax breach, but we also met with Facebook officials. At that time, when a question was put by I think the member for Thornhill as to what Facebook's views were on the potential new regulations, they said absolutely no new regulations were required in Canada due to the strong framework through PIPEDA and, if there were new rules, that might affect Facebook's willingness and interest in investing in Canada. Certainly, we have come a long way since those kinds of conversations and push-back by big tech companies against stronger privacy rules.

We saw that Mark Zuckerberg unfortunately did not attend before the IGC, though he said he would like to work with parliamentarians around the world, but we can certainly say that the days of self-regulation are over and asking for regulation. Here is that kind of regulation in Canada.

On consent, I have to tell one other story that happened at committee. Again, we had Facebook officials there. We were in the midst of going down the rabbit hole of the Cambridge Analytica scandal and the Canadian context of that third-party app, which had shared so much information. I think it was under 300 Canadians who had used the app, but thousands of Canadians had their information shared. I put to Facebook at the time, “How is it that on the basis of meaningful consent thousands of Canadians could have agreed that their friends share their information through this third-party app and then share it with Cambridge Analytica?” With a straight face somehow, a Facebook representative said to me that it was in their terms and conditions.

That speaks to the problematic nature of consent in the existing law and the lack of meaningful consent. Thankfully, our Privacy Commissioner, despite his current lack of meaningful powers, pursued that line of inquiry and found that Facebook violated our current laws and took the matter to court. We know that with stronger consent rules, there would have been no ability for a Facebook representative to say with a straight face that there was meaningful consent.

Plain language is important. I would go further, though, and say that as we think about consent, particularly in a consumer context, I think we ought to be more wary of privacy by default. We have to be more concerned about privacy by default. Where there is a reasonable expectation of the consumer that information is going to be shared and used in a particular way, then explicit consent, obviously, ought not need to be required, but where there are secondary uses, where there are uses beyond a reasonable expectation of that consumer then, certainly, we need explicit opt-in consent. It needs to be very clear to consumers how their information is to be used, if at all.

I want to emphasize the consumer context because it is a curiosity of privacy legislation and a curiosity of consumer protection legislation that when I purchase my phone I do not have to read the terms and conditions. There is no expectation by government that I read the terms and conditions, yet I am protected. There are implied warranties pursuant to consumer protection legislation. I do not need to read those terms and conditions in order for my rights to be protected as a consumer, yet there is an expectation when I download any app on my phone that I read the terms and conditions. That cannot be a tenable state of affairs if we want to protect consumers. We cannot expect consumers to read every term and condition, and every consumer contract in the course of downloading applications, and in the course of living their lives, as I said, increasingly online. Our laws need to reflect that reality.

There are obviously some straightforward fixes for this legislation. The membership of the tribunal should obviously have greater privacy expertise. I think that is a no-brainer. We do have to think more deeply through some of these consent rules and how we can strengthen them potentially further. I would like to see us go beyond algorithmic explainability to some kind of algorithmic accountability.

I know that others have mentioned political parties being left out. I do not know that political parties need to be subject to PIPEDA specifically, but they ought to be subject to privacy legislation. If there is no further effort under way by the government, then I think PIPEDA may well be the place to do that.

Lastly, I think we have to focus on children, in particular, when we look at consent rules and protecting kids on the Internet. Previously, I have written and spoken publicly about my support for our right to be forgotten, but I do think we have to be more focused on our rules and protection for kids as they grow up with the Internet and live their entire lives online.

I will close by simply saying that this is a big bill. This is second reading and, certainly, all of us ought to support this in principle. I look forward to working with experts and colleagues to strengthen the bill at committee and get into the details.

Mr. Speaker, I thank my hon. colleague from Windsor West for his detailed assessment of Bill C-11. It is the first opportunity for me to speak to the bill. I certainly plan to vote for it at second reading to get to committee.

An amendment I hope to pursue at committee is an issue that the hon. member discussed. That is getting the PIPEDA framework in Canada to apply to political parties. Here in British Columbia at the provincial level, political parties have to meet privacy requirements. I commend the member for raising it early in debate, and ask if the New Democratic Party will also support amendments in committee?

Madam Speaker, since there are no other questions and comments, I believe that shows that my colleague was very clear. I will try to be clear as well. The bar is high, but I will try to meet it.

Generally speaking, as my colleague said, this bill represents a step forward and addresses several of the Privacy Commissioner of Canada's requests. Quebeckers were profoundly shocked by the Desjardins data breach. It was a very significant event. However, it was not the only one. Similar incidents occurred in 2017 and 2018, and there have probably been dozens more that we are not aware of. In fact, when a bank's data is stolen, the bank is required to inform the police and the Privacy Commissioner of Canada, but it is not required to inform the public or even its customers.

We like this bill because it sets out a series of principles relating to the collection and sharing of personal information by companies: free and informed consent for the collection and use of data; the ability to allow or deny the transfer of data to another company, such as between two financial institutions; the ability to withdraw consent or request that data be deleted; transparency about the use of algorithms that use personal data; and stricter criteria for the use of de-identified data. This bill also gives real powers to Canada's Privacy Commissioner, sets out significant penalties for non-compliance, and creates the personal information and data protection tribunal. All of that is great.

Unfortunately, the problem is that the bill omits one extremely important element, and that is protecting people's identity online to prevent fraud due to identity theft, especially during financial transactions. We know that Europe has brought in a whole suite of regulations to force financial institutions to verify a person's identity before authorizing a transaction. There is nothing like that in Canada, and this bill does not have anything of the kind either.

The federal government is not properly verifying individuals' identity before authorizing electronic transactions. We know that the challenge is to prevent data from being stolen and used to commit fraud. Having personal data stolen is unpleasant enough, so all measures must be taken to ensure that the data are not then used for fraud.

The debate in Ottawa over the massive data breach at Desjardins mainly revolved around social insurance numbers. We know that several people would like to change their social insurance numbers, but under the current system, they cannot do so unless they become a victim of fraud resulting from identity theft.

In addition, the federal government has received a number of requests to redesign the social insurance card to make it harder to counterfeit, similar to what Ottawa did with passports after the September 11, 2001, attacks, at the request of the United States.

These two requests are perfectly reasonable. The Bloc fully agrees and is asking Ottawa to follow up. However, that alone will not stop fraud.

The best way to prevent identity theft is to make sure that the person who is making the transaction is indeed who they claim to be. This goes without saying. There are three ways to verify a person's identity.

First, a person can be identified based on what they know, namely personal information such as their name, address or social insurance number. However, as cases of identity theft are on the rise, it is getting harder and harder to accurately identify someone. In other words, our private information is no longer private when everyone can find out almost everything about us. Fraudsters can simply use this information to create a fake ID, and they are set.

Second, a person can be identified based on what they have, such as their computer's IP address, which the institution can recognize if the transaction is being conducted from the person's home, or their cell phone, to which the institution can send a secret code via text message.

Third, a person can be identified based on who they are. The institution can use technologies that recognize a person's physical characteristics, such as their voice, their facial features, through the use of facial recognition, their digital fingerprints, which are increasingly being used by cell phones, or their handwritten signature.

Europe adopted regulations in 2016 requiring financial institutions to use at least two of these three ways to identify someone before authorizing a transaction. Banks in Canada are under no such obligation. If they believe that the control mechanisms will cost more than the losses they are currently incurring in fraud, they are better off doing nothing. The banks will not pay for controls that would be more costly than the fraud. That is simply profit-driven logic.

Many members have probably had the experience of having a store issue a credit card on the spot, based solely on the personal information we provide. We just have to give our phone number, address, and so on, and that is all it takes. This practice really opens the door to fraud, and it has to stop.

We believe that the banks must be forced to tackle fraud. That is the solution that we are advocating. We are going to propose possible approaches. As my colleague was saying, we are going to support the bill, but we will be bringing forward amendments. We will have concrete, constructive and coherent proposals when the time comes to study the bill in detail.

We will propose ways to combat identity theft, such as by drawing on the European regulations I was talking about, in order to force the banks to bring in robust processes to verify people’s identity before authorizing a financial transaction. We will also propose to increase fines in order to encourage banks to better protect their customers’ personal information. We will propose that banks be required to submit a detailed report, as part of their annual reporting, on the number of identity thefts and the resulting losses.

We will also propose a requirement to contact any person whose identity has been fraudulently used within the organization, regardless of whether an account was opened or not. As I said earlier, there is no such obligation in place and it must be brought in. There is also an obligation to cover the costs paid by victims to recover their identity. These costs must be covered by the banks, which are rolling in a lot more money than individuals and most of their customers.

There also need to be anonymous tip lines for employees who are aware of unreported identity theft, as well as protection for whistleblowers. There is currently a void when it comes to whistleblower protection, as in virtually all areas. I am getting a little off topic, but the House will have to deal with this issue as well.

Ottawa also has to look in its own backyard. Beyond the banks, the same anti-fraud controls need to be imposed on the federal government itself. Bill C-11 applies only to private businesses. It does not apply to the federal government. Currently, Ottawa’s online identity controls are clearly inadequate. Before authorizing a transaction, the government does not take all the necessary steps to ensure that a claimant is who they say they are.

Since last spring, there have been numerous cases of identity theft. These include Canada emergency response benefit claims made in other people’s names and tax refunds being redirected to other accounts. Some people will not find out that they have been victims of identity theft until they file their income tax returns. It has not yet happened yet, but it will soon. In a few months, many people will discover that they have been victims of fraud. Right now, they have no idea. This is absurd, and it is unacceptable.

Again this fall, thousands of taxpayers lost access to their Service Canada account, which prevented them from applying for employment insurance even though they lost their jobs because their region was going back into the red zone.

It is all well and good to introduce a bill on the management of personal data by private companies. I want to stress that we agree on this bill and that we will vote in favour of it. That part is settled.

However, Ottawa needs to clean up its own backyard as soon as possible and take immediate action to combat identity theft. We are saying yes to regulating private businesses, but we are also saying yes to regulating Ottawa and the banking industry.

We are focused on connectivity. Access is the first principle in the digital charter. Today, as you indicated, in the House I also talked about the digital charter implementation act, which talks about the other aspects and principles in that. It's important that we move forward with these projects. That is why we had to have that public-private partnership to enable us to connect with those communities.

As I've indicated, projects are well under way. We've also supplemented that program with the universal broadband fund, as well as investments in low-earth orbit satellites to provide additional support for communities so they can get access to high-speed Internet connectivity.

Thank you, Madam Chair, and to both ministers, thank you for appearing here today.

Minister Bains, I'm sorry I missed your Bill C-11 announcement in the House, given the conflict with this committee, but we'll see you this afternoon.

I want to start with you. It's a simple question.

In your opinion, has the LEEFF program been successful?

I understand. Thank you.

That means ensuring front-line workers receive the equipment they need to do their jobs, as professionals work tirelessly to find a safe and effective vaccine for COVID-19.

We started the year with virtually no Canadian production of personal protective equipment and a precarious international marketplace, but after launching our “made in Canada” project and seeing industry step up to the plate, I am proud to say that we are now sourcing close to 50% of our personal protective equipment from Canadian companies.

More than 6,500 companies responded to our call to action to rapidly scale up domestic production of PPE. These firms are helping to keep front-line health care workers safe while also providing key manufacturing jobs through these difficult times.

On the vaccine front, we're seeing great progress on development projects right here in Canada. Through our investments in companies such as VBI Vaccines, Medicago and IMV, our government is growing Canada's capacity to find and produce a domestic vaccine for COVID-19.

Overall, this pandemic has made it clear that Canadian industries and its workers are strong, adaptive and resilient.

As we set out on the long road of economic recovery, we must also tap into the strength to build back a better, equitable and greener Canada. Our industries and entrepreneurs will have a crucial role to play and are already rising to the occasion. Our government is there to support them with strategic investments that spur innovation and help create good-quality Canadian jobs.

The innovation superclusters initiative, for example, has been an integral part of our “made in Canada” response, supporting projects ranging from large-scale disinfecting robots to personalized digital mental health care for front-line workers.

Moving forward, we're going to need to be strategic. With global industries moving towards sustainability, developing domestic manufacturing in electric vehicles and batteries will position Canada's auto industry as a global leader in a growing market and help us achieve our climate ambitions.

Similarly, the aerospace sector has always been especially adept at innovating and adapting. We must prioritize support for the supply chain, R and D in aviation and a procurement policy that benefits the entire country. That will position Canada's aerospace industry and workforce for continued success in a changing marketplace.

The increase in Canadians' online activity since March has also reinforced our government's commitment to addressing the concerns that Canadians have about their digital privacy.

This last week, I introduced Bill C-11 to enact the consumer privacy protection act. This legislation would give Canadians more control and greater transparency over the way companies handle their personal information.

I will be giving the Privacy Commissioner tangible authority to issue orders, and I will ensure Canadians have access to world-class privacy and data protection by imposing the highest fines set out in any G7 nation's privacy legislation.

Madam Speaker, today I am rising on Bill C-11, an act to implement a digital charter for government. This is an auspicious moment for Canada, because we are well under way in the digital age, and the need for clarity and concrete action to protect Canadians' privacy is a paramount need. While it is critically important, we also have to remember the need to protect small and medium-sized enterprises and to ensure that Canada can remain globally competitive as a jurisdiction for technology, data and innovation. I am concerned by some of the trends we have seen over the past few years, with Canada falling behind our global competitors, and I am concerned that some parts of this legislation could put us behind.

I am also concerned that we are falling behind when it comes to security. It is great to talk about protecting Canadians' privacy and putting in consent-based rules, but in an age of quantum decryption and computers that can break 120-bit encryption, if our security cannot be protected, then all the consent laws and privacy protections in the world are not going to mean much.

I want to break down this bill into simple terms. They talk about plain language in the bill, and so I am going to try to speak in as plain a language as I can, when dealing with a matter of this technical nature. I want to talk about some of the challenges and, I will grant the government, some of the opportunities that we foresee with this legislation. I want to also thank and recognize the work of the ethics and privacy committee in the previous Parliament, under the able chairmanship of my colleague from Prince George—Peace River—Northern Rockies. Many of the recommendations we have seen in this legislation come from the committee's report, so I think that shows Canadians that committees really do matter in the House, and that they can make a positive impact.

As I said, one of my chief concerns with this bill is its impact on small and medium-sized enterprises. It has been said for a number of years that data is the new oil. For many emerging enterprises, access to data and the ability to use this data will be the determining factor in whether they are successful or not. I do not need to say, but I will, that small and medium-sized enterprises are the lifeblood of our communities, and increasingly we are seeing how vulnerable they are, especially during the pandemic.

We have to consider the context of this legislation within the economy and the economic structures that the Liberal government has created over the past five years. We have seen an unrelenting attack on small and medium-sized enterprises, starting with hikes to Canada pension plan premiums. These hikes will continue even this January, in the midst of a pandemic. When companies are closing their doors and laying off workers, the government is looking at increasing costs even further for employers and employees. It is just not acceptable.

The Liberals in the past accused business people of being tax cheats when they utilized exemptions under the tax code. They decided to take it one step further by hiking taxes and removing these exemptions for many family-owned businesses, including for a lot of businesses and farm families in my riding. With this legislation, they are adding yet another layer of red tape that will force many onerous requirements on small businesses. I recognize that many of these requirements will be very helpful when we are talking about large businesses, and they have the resources to maintain these privacy requirements. I found it interesting that the minister was talking about the right to delete oneself. On many social media platforms that has been the case for a number of years, so it feels like with this legislation the government is trying to catch up to what businesses are already largely doing. However, we see that small enterprises are increasingly reliant on technology and data.

In this legislation, there are a number of new requirements. There is a certification requirement and a requirement for businesses to designate somebody in their business to be the privacy watchdog. Businesses have to maintain databases and be ready to respond to customer requests or investigations. When we talk about very small businesses, which could have only two or three staff or maybe a sole proprietor, to add this new layer of red tape is really going to create a lot of challenges for them.

Ironically, it would actually benefit big businesses because when small businesses have more red tape, they might decide to no longer stay in business. Therefore, we will see even more consolidation among the big players: the Amazons, the Walmarts and companies that are large collectors of personal data. Our thriving, innovative start-up economy will start to be strangled under this legislation.

I hope that when the government is considering amendments at committee, it consults with small businesses. I encourage it to consult with the CFIB to look at the challenges small businesses are going to face, and to try to come up with some sort of threshold to ensure that small businesses are not unduly burdened.

I appreciate that this bill is largely targeted at major corporations and tech giants that use massive amounts of personal data for everyday business. We know that these companies have the capacity to do better in protecting our privacy. I hope that this legislation can spur further commitments to protect Canadians' privacy. However, as I said, it concerns me that these large corporations largely have already implemented a lot of the things that the government is talking about. They have the human resources, legal departments and the endless ability to tap debt markets, bond markets and stock markets to finance these changes. Frankly, small businesses do not.

I asked the minister a question, which he really did not answer, about data portability and the impact on small and medium-sized enterprises. The minister couches it in terms of consumers having the right to ask for their data to be moved from one organization to another. It seems like a really great thing, but I cannot think of too many situations in which a regular Canadian would be the person initiating that conversation. However, I can see where a bank would, for example, when dealing with its insurance arm. Many large Canadian banks also have insurance companies.

There has been a fence put around these companies to ensure they do not become too big and anti-competitive. Information cannot currently be shared between insurance companies and banks owned by the same company, but through this legislation, the insurance company just needs to provide a plain-language document asking clients if they want their information to be shared with its banking arm. With the massive amount of data that insurance companies and banks have on Canadians, we can see how quickly they could possibly use this as a predatory practice to increase, consolidate and suck customers away from small and medium-sized insurance companies.

When I drive through my riding of Sturgeon River—Parkland, I am proud to see about a dozen small and medium-sized insurance businesses for auto, home and life insurance. There are tens of thousands of Canadians employed in this important industry, and they are not all working for the big banks. I really am concerned that this legislation could make our marketplace much less competitive, so I hope the government considers that impact as well.

My next point is about enforcement. I am really skeptical about the government's ability to deliver for Canadians. We see, in spam legislation and other legislation, that a lot of words are not being put into action and there are consequences for actions that are not being followed through on.

Similarly, this legislation packs a lot of firepower. It talks about threatening $10 million in fines, or up to 3% of global revenues. It is the toughest in the G7, as the government has said, but I wonder what power the government really has to compel payment. When we talk about potential serial abusers of our private data, we are talking about massive multinational corporations with billions in revenues.

I wonder if we can anticipate similar challenges as those faced by France when it attempted to collect taxes on digital giants from the United States. These included a challenge at the World Trade Organization and retaliatory tariffs on French products.

I wonder if the Liberals have given any thought to the potential consequences of trying to collect large fines from these companies. Does the government anticipate that our trade competitors are going to let these challenges go unanswered when we try to collect? Have the Liberals considered the consequences that this could have on the Canadian economy, and are they ready to be open about this very real threat? I am not saying that this is not something they should pursue, but we need to know what the potential consequences are before moving too quickly on this.

Canadian innovators are at the forefront of technological advancement, and I think that is something we can all be proud of. However, a concern that has been brought to my attention is the protection of proprietary algorithms by start-up tech companies that rely on data. Some of the provisions in the bill would enforce algorithmic transparency, which sounds great for consumers, but I see that it could be used by business competitors to expose sensitive, confidential and proprietary information.

Has the government considered the consequence of what these actions would do to our start-up companies that want to keep their algorithms proprietary and confidential? A company may be in a situation where it is looking for a buyout at a later date and needs to build up to the point where it can really get the value it believes the company is worth, but if this algorithmic transparency could be used by its competitors to investigate the use of its algorithms, it could possibly be used to steal things that are patent-pending or as leverage in a negotiation for a buyout. I would like to see more stringent protections for our nascent technological sector, to prevent their algorithms from being exposed.

Next, in the bill, the minister sort of alluded to the exemption for socially beneficial purposes. We need to drill down and explore the idea. The minister provided some examples: government, health care agencies and education. I do not think many Canadians could really object to these organizations being exempted, but one point named organizations that exist to promote environmental protection.

We believe in strong environmental protection, but are we possibly talking about environmental charities that may have a political arm or an agenda in an election? Are they going to be exempted to use Canadians' data in any way they see fit? What potential consequences could this have on keeping our elections free from foreign influence or ensuring transparency in political communications? I would really like to get a clearer idea of what the government means when it is talking about socially beneficial purposes, because we are living in an age, as the member for Timmins—James Bay said, when there are data wars. If organizations are misappropriating this data, using it to influence our elections and our democratic process and being provided an exemption, we really need to explore that.

Next I want to talk about the 10 pillars of the digital charter that the government has brought forward. We know that a charter, as any statement of values, is really only as good as the resources and enforcement behind it, so I want to highlight a few of these pillars and address some concerns that I have.

Pillar 1 talks about universal access: “All Canadians will have equal opportunity to participate in the digital world and the necessary tools to do so, including access, connectivity, literacy and skills.” As my colleague for Haldimand—Norfolk was saying, too many Canadians, the fourth coast as some would say, even in relatively urban areas, say that we are far from accessing high-speed and reliable broadband services.

For years, successive governments have pocketed billions and billions of dollars from spectrum auctions. They have been announcing and reannouncing, and in some cases reannouncing a reannouncement, on enhanced rural broadband. The Liberals have promised the universal broadband fund as their solution. They even claimed that they topped it up by another $750 million a few weeks ago, but communities in my riding who recently applied for the universal broadband fund were told that they did not qualify.

I come from a fairly rural riding, and people were basically told that, according to the data, the Internet in their communities is fast enough. That is not acceptable. They should try explaining that to farming families in Sturgeon or Parkland County, or try telling that to people living in Stony Plain, Gibbons and Morinville.

We still have movie rental stores in my riding. I asked somebody how these movie rental stores stay in business, and the fact is, the Internet is so bad, the only way for people to watch movies is to go to their local movie store because they cannot access Netflix and all these other great things.

We are talking about a pandemic right now, and increasingly parents are wanting to supplement their children's education at home. They cannot access their education. A principal of my local high school, Onoway Junior/Senior High School, lives less than one mile away from the high school. The high school has high-speed Internet that is connected by the Alberta SuperNet, but less than a mile away the principal cannot get any Internet services.

The government is saying their Internet is fast enough, and that they do not qualify for the universal broadband fund, but, if we do not qualify, then I do not know who qualifies. This is unacceptable. It is time for the Liberals to put real funds behind real action to deliver broadband access to Canadians in rural and remote areas.

Pillar two of the digital charter is safety and security. It reads, “Canadians will be able to rely on the integrity, authenticity and security of the services they use and should feel safe online”. This is yet another great promise that the Liberals have failed to deliver upon.

I remember over the summer, when scammers used Canadians' personal information on the Canada Revenue Agency website to access CERB payments. These were not foreign actors we were talking about. These were private actors using information that they could get their hands on to breach Canadians' accounts, and this breach was so bad that it even forced the CRA and the Service Canada websites to shut down.

Thousands of Canadians who wanted to were unable to access the CERB, and all the useful services on those websites, because the government has not put security as a priority. Security must be central to digital government and to our digital economy. I appreciate that the government wanted to get those programs out quickly, but we are increasingly seeing the consequences of not building in security from the foundation up.

It was not just the CERB program that was hacked. In February, news broke that the National Research Council systems were hacked, mainly the health research databases. This cyber-attack was caused by ransomware. The hackers used the ransomware to try to extract payment from the government. Every year the National Research Council collects information on more than 25 million health care consumers across the U.S. and Canada. The National Research Council was also hacked in 2017 by state actors.

This continues to be quite a substantial threat. Hospitals and other information technology services are increasingly being targeted by these kinds of crimes. Since 2016, according to a cyber-threat assessment, there have been 172 attacks on individual health care organizations with costs topping $160 million. Those are just the attacks that are known about. It causes one to wonder how many attacks have not even been discovered yet.

It gets worse. Despite the multiple data breaches, the protection on critical infrastructure plan has not been updated in this country since 2009, despite major technological advancements. I alluded earlier to the Manhattan project of data decryption and quantum computing, which we are seeing out of countries like China. They threaten to blow open all of our current encryption technologies. It shows us that the plan is even more critical.

Madam Speaker, Bill C-11 will not protect personal data under the federal government's own jurisdiction. We saw what happened at the Canada Revenue Agency and how easy it is to steal a person's identity for all sorts of reasons. These are outdated tools when it comes to identity and security.

Why are there no rigorous standards set out for government agencies?

moved that Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, be read the second time and referred to a committee.

Mr. Speaker, it is with great pleasure that I rise today to discuss Bill C-11, the digital charter implementation act, 2020.

As members know, data and digital transformation is completely changing the way we access information, buy goods and services, connect with each other and live in our communities and cities. This digital transformation has been accelerated by the pandemic, and we are seeing more Canadians moving their activities online. Canadians are using more digital services and sharing more data online than ever before. They want to know that their personal information will be safe and that they are protected.

Recently, the Privacy Commissioner surveyed Canadians and found that the vast majority of Canadians, 92% of them, are concerned about the protection of their privacy, so this is an important issue to many Canadians. That is one of the reasons why last year I launched the digital charter, a set of 10 principles that lay down the foundation that will allow us to build an innovative, digital economy that is inclusive, people-centric and built on trust.

The principles of Canada's digital charter give Canadians more control over their data while helping Canadian companies innovate, grow and create quality jobs for middle-class Canadians across the country.

I would like to take this opportunity to remind members that the principles of the digital charter were very clear, and they focused on control and consent. Canadians will have control over what data they are sharing and who is using their personal data and for what purposes, and will know that their privacy is protected. This is one of the key principles we laid out in the digital charter.

Transparency, portability and interoperability will enable Canadians to easily manage access to their personal data and to transfer it without undue burden.

Data and digital for good is another principle that was laid out in the digital charter. The Government of Canada will ensure the ethical use of data to create value, promote openness and improve the lives of people at home and around the world. How can we harness data to solve problems?

Another key element was strong enforcement and real accountability. There will be clear, meaningful penalties for violations of the law and regulations that support these principles so that Canadians can rest assured that their privacy will be protected.

As members will see, the principles of the digital charter are firmly embedded in the legislation before us today. On top of this foundation sits three pillars: consumer control, responsible innovation and a strong enforcement and oversight mechanism.

Let me begin with outlining how Bill C-11 would give Canadians more control and greater transparency in the manner in which companies handle their information. It would do this by introducing important rules for consent, the right to delete information, data mobility and algorithmic transparency.

With regard to consent, Bill C-11 would enhance consumer control by requiring organizations to get meaningful consent from Canadians. This means individuals would get specific information in plain, simple language, not the 30-page legal document that no one reads. This, in turn, would allow individuals to make meaningful choices about the use of their personal information.

To make consent more meaningful and move away from lengthy agreements that, as I said, no one reads, we are introducing a new exception to consent for the collection and use of information for standard business activities that would be reasonably anticipated by individuals.

Here is an example in plain language. When a customer buys something from a company and gives that company their address, the company can give that address to a delivery company so the customer can get the product they paid for.

Under the law, that company would need to be transparent about how it uses personal information so that consumers are made aware of this and that the Office of the Privacy Commissioner can review these practices.

The second element I want to talk about is the right to delete information. Bill C-11 would allow Canadians to withdraw their consent and demand that data be deleted. When individuals no longer want to do business with an organization, that organization must stop using their information and must delete it permanently if it is asked by individuals. This would, for example, allow a Canadian to demand that a social media site delete their profile. It is very simple, but very powerful.

The next area the bill highlights is data mobility. To improve their control further, individuals would also have the right to direct and transfer their data and information from one organization or entity to another organization or entity in a very secure manner. Bill C-11 would do this by enabling regulations that establish frameworks for secure transfer and interoperability. This approach would support innovation in areas like open banking, where a common technical approach could allow Canadians to take advantage of the consumer-directed financial marketplace in a more secure way.

Another area the bill touches on, which was highlighted through extensive consultations, is algorithmic transparency. In the area of consumer control, Bill C-11 would improve transparency around the use of automated decision-making systems, such as algorithms and AI technologies, which are becoming more pervasive in the digital economy.

Under Bill C-11, organizations must be transparent that they are using automated systems to make significant decisions or predictions about someone. It would also give individuals the right to an explanation of a prediction or decision made by these systems: How is the data collected and how is the data used?

This is a brief summary of what is found in the first pillar of this legislation under more consumer control.

The second pillar of Bill C-11 is enabling responsible innovation.

The digital economy creates significant opportunities for Canadian businesses. Digital activity accounts for 4.8% of Canada's GDP, and when it comes to research and development in this country, no other private sector industry outperforms Canada's information and communications technology sector.

Investment and data has climbed as high as $40 billion. Across the economy, Canadian companies' data is worth as much as all other intangible assets, such as software, research and development, and mineral exploration rights combined. Therefore, we can see the potential of data not only today, but going forward.

Globally, we are seeing unprecedented growth in the technology sector, growth that is only going to pick up as artificial intelligence continues to grow and have a more meaningful impact in our lives. According to some estimates, AI is going to contribute an additional $13.7 trillion to the global economy by 2030.

The government also understands the importance of giving companies clear rules that enable them to innovate while still protecting Canadians' privacy.

Trust is the cornerstone of economic growth and innovation. When Canadians are assured that their data and privacy are safe and protected, it creates space for the kind of innovation that benefits everyone.

Our government believes that greater trust and certainty in the digital marketplace will empower small businesses and entrepreneurs to create news jobs and opportunities, expand their operations and better access the global marketplace.

It is also important to note that the new legislation would help small businesses prosper as well by ensuring that rules for data and privacy are fair, clear, enforced and flexible enough to meet the needs of smaller organizations.

One area that does that is the codes of practice and certification systems. To enable responsible innovation, Bill C-11 would create a framework to recognize the use of codes of practice and certification systems. This would help organizations both comply with the law and demonstrate their compliance, which, in turn, would support innovation and provide an important balance to a strengthened enforcement regime.

Organizations would be able to apply to the Privacy Commissioner to approve a code of practice outlining how the act's general requirements apply in a particular sector or activity. This would give businesses some certainty that if they are following the code they are in compliance.

I also want to highlight de-identified information. Bill C-11 would also clarify how organizations are to handle de-identified personal information. This would enable an important mechanism for both privacy protection and innovative uses of data, which would benefit many small businesses.

Lastly is data for good. In this area, it is important to note that under the second pillar of enabling responsible innovation, Bill C-11 would recognize an exception to consent for socially beneficial purposes in order to clearly allow organizations to support innovative data initiatives such as data trust, which is pursued by a range of public institutions, including hospitals, universities and libraries. There is so much potential with data trust because it can enable us to unlock some of the opportunities that exist to solve some problems across our society.

The next element I want to talk about is strong enforcement. Perhaps more importantly, the proposal would significantly strengthen the enforcement and oversight regime. This is critical.

With this proposal, we will have some of the toughest financial penalties in the world for violating our laws.

Currently, the Privacy Commissioner has little ability to enforce his recommendations on organizations that are non-compliant, other than seeking a hearing by the federal court. Under Bill C-11 this would change. The legislation would introduce a strengthened privacy regime that would be overseen by a more powerful Privacy Commissioner, with appropriate checks and balances in place.

The Office of the Privacy Commissioner would have broad order-making power, including the power to force an organization to stop collecting or using information and delete it. If the Office of the Privacy Commissioner found out that data was collected without appropriate consent, he would have the ability to do this.

As well, the Privacy Commissioner would make sure there is strong and meaningful consequences for organizations that do not comply with the law. The Privacy Commissioner would have the power to recommend administrative monetary penalties of up to $10 million, or 3% of global revenues, whichever is higher. The range of serious criminal offences would also be expanded, with a new maximum fine of up to $25 million, or 5% of global revenues, whichever is higher.

The legislation would introduce the new personal information and data protection tribunal, which would review appeals of the commissioner's orders and levy penalties.

This new administrative tribunal will help ensure procedural fairness in how the commissioner applies the new and enhanced enforcement powers. It will provide individuals and organizations with easier access to justice through a less formal mechanism for appealing decisions.

This enforcement regime would recognize that early compliance with the act remains critical and that is the key part. Early compliance will remain critical for the protection of Canadian privacy. We need to build on the commissioner's existing abilities to secure early resolution through compliance agreements. We want to make sure that Canadian companies actually comply with the legislation.

This new regime would see stronger collaboration between the Privacy Commissioner, stakeholders and implicated institutions, including federal organizations. When the commissioner is developing that guidance, it is important to have that level of collaboration. This will ensure there is a strong alignment between the law and how it is explained and enforced, and help avoid confusion for those trying to follow it. Again, this will provide further clarity.

To summarize, the third pillar of Bill C-11, strong enforcement and oversight, would introduce an escalating model that provides incentives for organizations to comply early. The focus is on compliance. Strong penalties will exist if they do not follow through. There will be a new tribunal to ensure the process will be fair, transparent and accessible for businesses of all sizes.

The three pillars of Bill C-11 work together to provide what Canadians need to engage in the digital economy: strong and enforceable protections for personal information, along with clear rules for businesses to follow as they innovate and deliver new products and services.

It is also important to note that the legislation would help protect the privacy of Canadians, while strengthening the ability of Canadian businesses to compete globally. This positions Canada to succeed internationally.

When PIPEDA was introduced in 2000, it was considered a global leader among data protection laws. In 2002, the European Commission found that PIPEDA provided adequate protection relative to EU law. The finding of adequacy gave us an international edge by allowing us to have free flow of data between Canadian and EU companies.

More recently in 2018, the EU brought into force its GDPR, the general data protection regulation. Since then, the EU has been reviewing Canada's adequacy against the GDPR. They have made it clear that we must reform our privacy regimes in order to maintain our advantage when it comes to this status. I believe the legislation would achieve GDPR adequacy while maintaining the made in Canada approach.

Lastly, I want to conclude by mentioning stakeholder reactions. This approach reflects years of public study, consultations and collaboration. It builds upon the fundamental work of the House of Commons Standing Committee on Access to Information, Privacy and Ethics, as well as important deliberations in the other place.

I can tell members the legislation has gained support from a wide range of stakeholders. Goldy Hyder, the president and CEO of the Business Council of Canada, spoke positively about this. Michael Geist, who is well recognized in this area of expertise, said this is “Canada's Biggest Privacy Overhaul in Decades”. OpenMedia calls Bill C-11 “a big win for privacy in Canada.”

We know that Canadians will continue to use digital services that require the use of their personal data, and we know there is no turning back.

I will conclude with this last remark.

As the COVID-19 pandemic continues to increase our reliance on the digital economy, Bill C-11 will help Canadians embrace this new world, knowing that their personal information is protected and safe.

Mr. Speaker, I thank my kind colleague for the extremely important and very useful question he repeats every week on the status of parliamentary business.

This afternoon we will continue debate at second reading of Bill C-10, an act to amend the Broadcasting Act. Tomorrow we will resume debate at third reading of Bill C-3, an act to amend the Judges Act. Monday of next week will be devoted to the study of Bill C-8, on the Truth and Reconciliation Commission's call to action number 94. On Tuesday, we will begin our study of Bill C-11, an act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act, which was introduced earlier this week by my colleague, the Minister of Innovation, Science and Industry.

Pursuant to Standing Order 81(4), I would like to designate Tuesday, November 24 for consideration in committee of the whole of the main estimates for the Department of Fisheries and Oceans, and Thursday, November 26 for the Department of Health.

Lastly, there have been discussions among the parties, and I believe you will find unanimous consent for the following motion:

That a take-note debate on the status of the French language in Montreal be held, pursuant to Standing Order 53.1, on Wednesday, November 25, 2020, and that, notwithstanding any Standing Order or usual practice of the House: (a) any member rising to speak during the debate may indicate to the Chair that he or she will be dividing his or her time with another member; and (b) no quorum calls, dilatory motions or requests for unanimous consent shall be received by the Chair.

moved for leave to introduce Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts.

(Motions deemed adopted, bill read the first time and printed)

I'm really trying to follow Madam Shanahan. She has explained all the things she's learning about electric cars. I don't know if she wants to make that part of the study, but if the Liberals ae going to talk the clock into the coming weeks about the U.S. electoral system, I think that's very problematic.

Is the United States and what's happening in the States something the Liberals are trying to drag into our committee when we are the ethics and privacy committee? I'm not surprised. It's probably a step up from Mr. Sorbara's digressions into underwear, but this has nothing to do with the issues before our committee.