44th Parl. 1st Sess.
November 28, 2022 11:00AM
Mr. Speaker, the member raises a fascinating issue, which is the capturing of images and how one would protect the privacy of the individual, especially when it is in a public setting. I think that could be applied in many different ways. It would be interesting to see how that sort of a discussion would, in fact, take place at a standing committee.
The member is right in the sense that the legislation is not that far off. I do not know all of the details of it, obviously, but I am led to believe that Quebec has done some fabulous work on this issue. I wonder if he could provide any insights into how the Quebec legislature dealt with the capturing of images and the public versus privacy issue.
130 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, that is a very important question.
The Quebec legislation does not go quite that far, but the issue remains. The jurisprudence dates back to 1987, after all.
When my colleague refers to photos taken in public, the definition of the words “public” and “private” is not clear. I might be in the street kissing my mistress. That is my private life, but at a location that, within the meaning of the current federal legislation, is a public place.
There is a host of concepts of the kind that ought to be delineated and more precisely defined in order to bring some much-needed clarity to the whole issue. It is really too bad that Mr. Duclos is still burdened by this jurisprudence.
128 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, would the member agree that the creation of two new categories of data exempt from privacy measures is a worrisome gesture by the Liberals and could be a gift to the very technology giants to which they have such close ties?
43 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, our colleague is always full of surprises.
Basically, I think this bill is relevant. Overall, it is relevant. In this day and age and in light of the current context, this bill is pretty much a necessity.
I am concerned about how the bill will be dealt with in committee. When it comes to bills like this one, the committee has an extremely important role to play. Beyond the wording of the bill, it is the work that is done in committee that will be critical for the future.
91 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I would like to call the attention of the House and the member to subclause 15(6) of the bill, which states, “It is not appropriate to rely on an individual’s implied consent if their personal information is collected or used for an activity described in subsection 18(2) or (3).”
If we look at clause 18, it states that one can use a person's implied consent when collecting information. It is fascinating to me that this bill says, on the one hand, that one cannot use implied consent, but then the exemptions part says one can rely on implied consent. What are we trying to do with this bill? It is really muddying the waters for me, and I am wondering if my hon. colleague has a comment about that.
138 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, there will be more to come on that.
In the case of photographs, it is not easy to define what implied consent involves. In some situations, implied consent from the subject may be a look that says that they consent. It may also involve asking the subject if they agree to be photographed. In other cases, it may involve written consent.
That is why I think it is extremely important and relevant for the committee to do an exemplary job, and not just with regard to photography, which is part of who I am. In order to do that, the committee needs to invite all kinds of experts.
110 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I am pleased to speak to this bill after my colleague from Rivière‑des‑Mille‑Îles, whom I would like to congratulate. I am also pleased to be following my colleague from Trois‑Rivières, an ethics expert who enlightened us on the potential impact of this bill and the dangers involved.
Unfortunately, very few people are interested in this type of bill, and yet, in the digital age, we cannot afford not to regulate the use of personal information. We cannot deny the fact that the digital shift has exploded in Quebec and elsewhere over the last decade, and it has greatly changed our lifestyles.
It is impressive to see which path companies have chosen during the pandemic, and I think it is a timely discussion to have today. However, I would like to draw attention to the new part of the bill that deals with artificial intelligence. I think it deserves serious consideration.
Part 3 of the bill raises many questions, and opinions from experts in the field of artificial intelligence are mixed. The use of artificial intelligence is a rapidly growing field that risks expanding beyond our control and jurisdiction if we do not begin to regulate the practice and define certain concepts.
Recent developments in AI in general and deep learning in particular have led to the creation of autonomous intelligent agents, which are essentially robots capable of deciding what to do without third-party intervention. These agents' autonomy raises new questions about civil liability, so we have to think about criminal provisions that would apply if someone were put in a dangerous situation, for example.
How should we approach this, and what legal status are we granting them? What legislative framework is the best fit for these autonomous agents?
At this point, we think some important definitions are missing. The law clerks who are examining the bill's provisions from a legal standpoint told us that again today. What is a high-risk intelligence system? What is a high-impact system?
The algorithms produced in applications that use artificial intelligence enable artificial beings to create goods or services or to generate predictions or results. If we compare them to human beings and use the existing framework, how will we interpret the notions of independence and unpredictability attributable to these artificial beings? The experts will help us understand all that.
Quite a few goods already exist that have a layer of artificial intelligence built into them, and 90% of those goods should not pose a problem. Experts at Meta have even said that this technology has reached its limits, because the data to train an algorithm is insufficient in quantity and lacks depth.
Let us get back to the main problem we have with Bill C‑27. Until the department clarifies its thinking on what constitutes a high-impact system, it will be difficult to assess the scope of part 3. Let us assume that everything can be considered high risk. This would mean that many companies would be accountable. If we had greater accountability, the Googles of this world might be the only ones that could risk using artificial intelligence.
The bill does not need to cover everything a machine can do for us or everything software can do once it is developed and generates predictions and results like a calculator.
If we compare it to the European legislation, we note that the latter is currently targeting employment discrimination systems, systems that would determine whether or not a permit to study there can be granted. That is essentially the limit of what the machine can do in our place.
Although the law in this document concerning artificial intelligence is far from being exhaustive, I believe it is important that we start somewhere. By starting here, with a framework, we can lay the groundwork for a more comprehensive law.
My speech this evening will help my colleagues better understand what needs to be clarified as soon as possible so we can have an important discussion about how to regulate the applications that use artificial intelligence and how to process these systems' data.
First, we will have to implement regulations for international and interprovincial exchanges for artificial intelligence systems by establishing Canada-wide requirements for the design, development and use of AI systems. Next, we must prohibit certain uses of AI that may adversely affect individuals.
The legislation is very clear on many other aspects, including on the fact that there would be a requirement to name a person responsible for artificial intelligence within organizations that use this technology. The responsibilities are fairly extensive.
In addition to the artificial intelligence and data act, which is in part 3, Bill C‑27 also includes, in part 1, the consumer privacy protection act, as well as the amendments to the former legislation. Part 2 of the bill enacts the personal information and data protection tribunal act, while part 4 includes the coming into force provisions of the bill.
As my colleagues explained, the other sections of the bill contain a lot of useful elements, such as the creation of a tribunal and penalties. One of the acts enacted by Bill C‑27 establishes a tribunal to process complaints under litigation when it comes to the use of private data. In case of non-compliance, the legislation provides for heavy penalties of up to 3% of a multinational's gross global revenue. There are provisions that are more in favour of citizens when a company misuses digital data.
Yes, this bill does have its weaknesses. I believe those weaknesses can be addressed in committee, but they may require the introduction of new legislative measures. Public services, however, are not covered by this bill. Data in the public sector requires a greater degree of protection; this bill covers only the private sector. Take, for example, CERB fraud and the CRA. In 2020, hackers fraudulently claimed $2,000 monthly payments and altered the direct deposit information for nearly 13,000 accounts.
The government can do more to tackle fraud. Unfortunately, this bill offers no relief or recourse to those whose information has already been compromised. There are digital records of nearly every important detail about our lives—financial, medical and education information, for example—all of which are easy targets for those who want to take advantage. It has been this way for a while, and it is only going to get worse when quantum computers arrive in the very near future.
This means that we must find and develop better means of online identity verification. We must have more rigorous methods, whether we are changing our requirements for passwords, for biometrics or for voice recognition.
Recently, at the sectoral committee, we heard about how easy it is for fraudsters to call telecommunication centres and pass themselves off as someone else to access their information. We must improve identity verification methods, and we must find a way to help those who are already victims of fraud. We must do so by amending Bill C-27 or introducing an additional legislative measure.
Since this is a fairly complex bill, it will be referred to the Standing Committee on Industry and Technology, where we will have the opportunity to hear from experts in the field. At this step, I would like to recognize the leadership of the Minister of Innovation, Science and Industry and his team. We have been reassured by the answers we have received.
Since Quebec already has data protection legislation—Bill 64, which became law 25—we want to understand when the federal act will apply and whether the changes we requested to Bill C-11, introduced in the previous Parliament, were incorporated into this bill. I want to say that we are satisfied with the answers we have received so far.
We will do our due diligence because this bill includes a number of amendments. Obviously, the devil is in the details. During the technical briefings held by the department since Bill C-27 was published, we asked how much time businesses would have to adjust their ways of doing things and comply with the legislation.
We expect that there will be a significant transition period between the time when Bill C-27 is passed and when it comes into force. Since the bill provides for a lot more penalties, the government will likely hold consultations and hearings to get input from stakeholders.
In closing, I would like to say that I have just come back from Tokyo, where I accompanied the Minister of Innovation, Science and Industry to the Global Partnership on Artificial Intelligence Summit, where Quebec and France took the lead. The first summit was held in 2020. I would like to list some important values that were mentioned at this summit that deserve consideration and action: responsible development, ethics, the fight against misinformation and propaganda, trust, education, control, consent, transparency, portability, interoperability, strict enforcement and accountability. These are all values that must accompany open data and ecosystems.
1524 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I would concur with the member and the many others who are, in essence, saying that Bill C-27 is a substantive piece of legislation that is ultimately designed to ensure privacy for Canadians.
As I made reference to earlier, I think we could look at how effective the legislation of the Quebec legislation has been, which was passed just over a year ago, and what the response has been to it. I understand that was what the member was saying. Taking into consideration AI, the tribunal, digital and just how much the digital economy has grown, 20 years ago is the last time we have seen any sort of substantive changes to our privacy legislation.
I am wondering if the member could provide his thoughts in regard to why it is important that we update and modernize. After all, 20 years ago, we did not even have iPhones.
151 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I thank my colleague from Winnipeg North for his remarks.
Indeed, I think such a bill was urgently needed. I commend the government's leadership and congratulate it on having understood the errors in Bill C-11 and making some improvements.
I met with the Minister of Innovation, Science and Industry in January, when it was time to think about developing this bill. I emphasized the importance of the Quebec legislation and of ensuring its primacy. I thank him for listening to me and for the respect evident in Bill C-27.
With respect to the urgent need to take action, Europe is putting a lot of pressure on us. Indeed, Europe has set guidelines and is currently threatening to withdraw its confidence in our artificial intelligence systems in Canada, particularly in the banking sector. It was necessary to act; better late than never.
I hope the principle will be adopted quickly, but more importantly, I hope that the committee work will be thorough and that the experts will be heard. This will be more than welcome.
179 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I have concerns around the fact that we are expecting the government to do a good job.
The member mentioned CERB, which was, in many ways, abused. We are aware that the government, in an effort to roll it out quickly, removed all the checks and balances on the system. How does that build confidence for him and other Canadians to put their trust in its ability to do this correctly?
73 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, trust is a major issue. Far too often, we are negligent. How many times do we just click “I accept” in an app without reading the consequences of what we are accepting? Our data is being sent all over the world.
Artificial intelligence is something that scares me, truth be told. A guest speaker came to Parliament, to a room in the House of Commons, and this is what he told us. What does AI say is the fastest way to get to Toronto? Just simulate an accident or a speed trap so that people get off the road. That will allow us—
108 words
- Hear!
- Rabble!
- add
- star_border
- share
- Nov/28/22 6:06:12 p.m.
- Watch
Order. I believe there is no interpretation.
It is working now.
The hon. member for Abitibi—Témiscamingue can restart his answer.
24 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, it is not easy. What I was talking about was trust.
Artificial intelligence is something that scares me, on the whole. A guest speaker came to a meeting held on Parliament Hill, and he told us about the risks.
Say we want to drive to Toronto and there is a lot of traffic. What can we do? We can ask AI to tell us the fastest way to get to Toronto. One option is to simulate an accident, which will ensure that the road is cleared. Another is to say that police have set up a speed trap or something. AI can be used to generate very realistic photos, such as a Parliament building on fire. Fighting disinformation is a major challenge.
Everyone has an individual responsibility. All too often, when using an app, we quickly click “accept” rather than doing our due diligence. That has consequences.
As I was saying earlier, we send a lot of data abroad. With the arrival of quantum computing, we may suffer the consequences of sending all this data to the cloud.
I do not think it is too late to have a law that sets out a framework, to improve the legislation and especially to ask experts to tell us how this bill can be improved. I am thinking about the people at the International Centre of Expertise in Montréal on Artificial Intelligence, those at the Quebec Artificial Intelligence Institute, or Mila, and those at the University of Montreal. These people work in this field every day and have a contribution to make. I look forward to hearing from them at the Standing Committee on Industry and Technology.
281 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I want to thank my colleague.
Bill C‑27 does not explicitly apply to political parties. As we have seen in the past, the potential for invasion of privacy and misuse exists in the political arena. I was wondering if my colleague would agree that the bill should be amended to specifically include political parties.
58 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I thank my colleague from Nanaimo—Ladysmith for her question. Indeed, political parties have responsibilities. They have people's personal data. We need to act. If we can include it in the bill, I am all for it. We have a responsibility as parliamentarians.
47 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, it is always a privilege to rise on behalf of the residents of Kelowna—Lake Country. Today we are debating Bill C-27, an act that would enact the consumer privacy protection act, the personal information and data protection tribunal act and the artificial intelligence and data act.
Canadians know we no longer live in the year 2000, but unfortunately much of our digital regulation still does. We have come a long way since Canadians' primary online concern was Y2K. The last time Parliament passed a digital privacy framework was PIPEDA, or the Personal Information Protection and Electronic Documents Act, on April 13, 2000. The most popular website in Canada that month was AOL.
When Parliament last wrote these regulations, millions of homes did not have dial-up, let alone Wi-Fi. Cellular phones lacked apps or facial recognition, and people still went continually to libraries to get information, and did not have the Alexas of the world as an alternative. They also called restaurants directly for delivery. Digital advertising amounted to flashing banners and pop-up ads.
In only 22 years, we have experienced a paradigm shift in how we treat privacy online. Personal data collection is the main engine driving the digital economy. A Facebook account is now effectively required to use certain types of websites and help those websites; a laptop can create a biometric password for one's bank account, and Canadians are more concerned about privacy than ever before.
One of the most common videos I share with residents in my community of Kelowna—Lake Country is one relating to privacy concerns during my questioning at the industry committee in 2020, as many people reached out to me about privacy concerns. It was to a Google Canada representative regarding cellphone tracking. This was in the immediate aftermath of reports of Canadians' cellphone data being used to track people's locations during the pandemic.
Cellphone tracking is something I continue to receive correspondence about, and I am sure other members in the House do as well. As traditionally defined, our right to privacy has meant limiting the information others can get about us. The privacy of one's digital life should be no different from the physical right to privacy on one's property. Canadians must have the right to access and control the collection, use, monitoring, retention and disclosure of their personal data.
Privacy as a fundamental right is not stipulated in the legislation we are discussing today, Bill C-27. It is mentioned in the preamble, which is the narrative at the beginning, but that is not binding. It is not in the legislation itself. While the degree to which someone wishes to use this right is ultimately up to the individual, Parliament should still seek to update the rules using detailed definitions and explicit protections. Canadians are anxious to see action on this, and I have many concerns about this legislation, which I will outline here today.
As drafted, Bill C-27 offers definitions surrounding consent rules to collect or preserve personal information. It would mandate that when personal information is collected, tech companies must protect the identity of the original user if it is used for research or commercial purposes. The legislation outlines severe penalties for those who do not comply and would provide real powers of investigation and enforcement. It presents Canada's first regulations surrounding the development of artificial intelligence systems.
Even though Bill C-27 presents welcome first steps in digital information protection, there is still a long way to go if we are to secure digital rights to the standard of privacy regulation Canadians expect, and most importantly, the protection of personal privacy rights. As is mentioned in Bill C-27, digital privacy rights are in serious need of updating. However, they are not in this legislation.
I agree with the purpose of the legislation, but many of my concerns are about inefficient, regulatory bureaucracy being created and the list of exemptions. Also, the artificial intelligence legislation included in this bill has huge gaps and should really be its own legislation.
From a purely operational perspective, while the legislation would empower the Privacy Commissioner's office with regard to compliance, it also constructs a parallel bureaucracy in the creation of a digital tribunal. If Bill C-27 is enacted, Canada's Privacy Commissioner can recommend that the tribunal impose a fine after finding that a company has violated our privacy laws. However, the final decision to pursue monetary penalties would ultimately rest with the new tribunal. Will this result in a duplicate investigation undertaken by the tribunal to confirm the commissioner's investigation?
As someone who has operated a small business, I am all too aware of the delays and repetitiveness of government bureaucracy. While it is important to have an appeal function, it is evident in this legislation that the Liberals would be creating a costly, bureaucratic, regulatory merry-go-round for decisions.
Canadians looking to see privacy offenders held accountable need to see justice done in a reasonable time frame. That is a reasonable expectation. Why not give Canada's Privacy Commissioner more authority? Of course, Canadian courts stand available. The EU, the U.K., New Zealand and Australia do not have similar tribunals to mediate their fines.
In addition to concerns about duplications of process, I am worried that we may be leaving the definitions of offending activity too broad.
While a fairly clear definition in Bill C-27, which we are debating here today, has the consent requirement for personal data collection, there is also a lengthy list of exemptions from this requirement. Some of these exemptions are also enormously broad. For example, under exemptions for business activities, the legislation states:
18 (1) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of a business activity described in subsection (2) and
(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
On plain reading, this exemption deals more with the field of human psychology than with business regulation.
Also in the legislation is this:
(3) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use
There is also an exemption to consent that would allow an organization to disclose personal information without the individual's knowledge or consent for a “socially beneficial purpose”. This is defined as “a purpose related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.” Who determines what constitutes a socially beneficial purpose? This sounds incredibly subjective, and I have a lot of concerns when legislation is this vague.
Let me give a very simple example. Suppose a person using a coffee company app occasionally adds flavourings to their coffee while doing a mobile order. That company could recommend a new product with those flavourings already in it while a person is not physically in their business. Is this not personal information that is collected and used for the purpose of influencing an individual's decision, as in this legislation?
This example is not hypothetical. In an investigation from actions in 2020, Tim Hortons was caught tracking the locations of consumers who had the app installed on their phones even when they were not using the company's app. Tim Hortons argued that this was for a business activity: targeted advertising. However, the report from the federal Privacy Commissioner found that the company never used it for that purpose. Instead, it was vacuuming up data for an undefined future purpose. Would Tim Hortons have been cleared if the current regulations in Bill C-27 were in place and if it had argued that the data was going to be used for future business activity or for some socially beneficial purpose, which is an exemption in the legislation?
While I worry about the loopholes this legislation, Bill C-27, may create for large corporations, I am equally concerned about the potential burden it may place on start-ups as well. This legislation calls for companies to have a privacy watchdog and to maintain a public data storage code of conduct. This is vital for companies like Google, Facebook or Amazon, which have become so integral to our everyday lives and oversee our financial details and private information. Having an officer internally to advocate for the privacy of users is likely long overdue. However, while that requirement would not put much financial burden on these Fortune 500 companies, it could undermine the ability of Canadian digital innovators to get started.
Canada has seen a boom in small-scale technology companies for everything from video game and animation studios to wellness or shopping sites for almost every good or service one could imagine. Digital privacy laws should be strong enough to not require a start-up with just a few staff to have to be mandated to have such a position internally. We should ensure that a concept of scale is appropriately applied in regulating the giants of today without crushing the future digital entrepreneurial spirit of tomorrow.
I would like to address the presence of Canada's first artificial intelligence, or AI, regulations in this bill. While I do welcome the progress on recognizing this growing innovation need for a regulatory framework, I question whether it is a topic too large to be properly studied and included in this bill. In just the last few months, we have seen the rapid evolution of the ability of AI to create an online demand digital artwork, for example, thanks to the self-evolving abilities of machine learning.
The impact of AI on everything from our foreign policies to agriculture production is evident. Computer scientists observed a phenomenon known as Moore's law, which showed that the processing power of a computer would exponentially double every two years, and in the 57 years since this was proposed, this law has apparently not been broken.
I am concerned that most of the rules around AI will be in regulation and not in legislation. We have seen the Liberals do this many times. They do not want to do the hard work to put policies into legislation that will be brought to Parliament and committees to be debated and voted on. They prefer to do the work behind closed doors and bring forth whatever regulations they want to impose without transparency and scrutiny. We have seen the Liberals conduct themselves many times in this way.
Experts in the field have already made the case that Bill C-27 falls seriously short of the global gold standard, the EU's 2016 General Data Protection Regulation. Canadians deserve nothing less.
Though Conservatives agree with the premise of strengthening our digital privacy protection, this bill has many concerns and gaps. Clause 6 outlines that privacy protections do not apply with respect to personal information that has been anonymized. To anonymize is defined in the legislation as “irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”
There are a lot of risks around this. Under this legislation, information could be disclosed in numerous ways, and that is very concerning. This goes back to what I mentioned at the beginning of my speech with respect to my questioning of Google Canada early in the pandemic about tracing the locations of people through their phones and sending it to the government.
The legislation creates more costly bureaucracy. It does not protect personal privacy as a fundamental right. It has questionable exemptions to protect the privacy of people based on ideologies. It allows the government to create large areas of regulations with no oversight or transparency and it is far from the gold standard that other countries have.
2054 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, the member made reference to some things that were mentioned previously. I am forming the opinion that the Conservative Party does not support having a tribunal. I guess I am looking for clarification on that point.
Is it the Conservative Party's approach to say that, once the commission has made a decision, a tribunal would not be warranted and that the only recourse would be to take it to a federal court? What would it replace the tribunal with, or would it replace it with anything?
89 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I appreciate the comment from the member opposite. One thing in this legislation is to create a whole new bureaucracy. When we look at the gold standard that exists in other countries around the world, and I mentioned them in my speech, they do not have a need for such an organization or department to exist. It is questionable where this came from.
Why not give more authority to the Privacy Commission and its commissioner? This is really not the gold standard that other countries have, and they already have a lot of regulations that are further along than what we have. The questions are, where did this idea come from and why do we feel we need this in Canada when a lot of our allies do not have this type of requirement?
136 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, this piece of legislation is intended primarily for the private sector. It is virtually silent on the subject of the public sector's duties and obligations. As things stand, it is up to victims to fight tooth and nail to prove that fraudulent activity occurred and that they themselves are not new fraudsters. This applies to all levels of government.
I would like my colleague to comment on public sector accountability for cleaning up fraud victims' records when the fraud was caused by the public sector's weak identity verification methods.
93 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, there is different legislation that is covered for the government, but philosophically, absolutely the government should be held accountable for keeping Canadians' information safe. We know there have been breaches over time. We had a recent one with the ArriveCAN app. There was information that was sent out to 10,000 people that was not accurate. We know there have been other breaches over time.
It is imperative that Canadians know that the government is also held to account for the information it holds in all the different departments a Canadian citizen might correspond with.
97 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
