44th Parl. 1st Sess.
March 7, 2023 10:00AM
Madam Speaker, as it stands now, federal laws do not require federal political parties to follow the same privacy laws that apply to others across the country. This is an issue that could have been identified and addressed in Bill C-27, but it has not been. I wonder if the member for Edmonton Manning has a position on this and would he like to comment on it.
68 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I did actually edge on where the federal and provincial responsibilities come on certain aspects of privacy and privacy protection. Again, the definitions come into play in understanding the legislation. That is why the government could have done much better in bringing more clarity to the bill, so we could at least study it better.
57 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, we are here today to talk about Bill C-27. It has got a big fancy name: an act to enact the consumer privacy and protection act. I worked on this extensively as former chair of the Standing Committee on Access to Information, Privacy and Ethics. A big part of what we talked about was Canadians' privacy.
I want to lead off with a question that I think all who are watching here will want an answer to by the end of what I have said, and I hope I get there. Can we trust this government when it comes to privacy?
We have heard many accounts. We have heard of foreign interference. We have seen evidence that that has been happening under the government. We cannot even keep track of all the ethics breaches.
There was a recent article in the National Post about Canadians' data, and many folks out there would remember this, called “Canada's public health agency admits it tracked 33 million mobile devices during lockdown” and it read, “The Public Health Agency of Canada accessed data such as cell-tower location to monitor people’s activity during lockdown, it said”.
Can we trust this government? I think the answer is becoming more and more clear.
What have we done to protect consumer privacy? I was, again, part of that ethics committee. We formed an international grand committee of nine countries, representing half a billion people, where we really tried to tackle this and get to some better practices for big tech.
Cambridge Analytica was a scandal where big tech was getting our information. Many points are being collected, and 53,000 points of information is what we heard was the Facebook average amount they are collecting on us, and that is being sold to the highest bidder. It is being used to not only give us a choice on what cereal we should buy in the morning but also surveil us to make predictive behaviour so we will kind of go in the direction they want us to go.
We Conservatives saw a need to have a better, more robust policy, so I will read from our constitution, our policy, which I was part of drafting, along with many other EDAs from across the country. This is from the Conservative Party:
The Conservative Party believes digital data privacy is a fundamental right that urgently requires strengthened legislation, protections, and enforcement. Canadians must have the right to access and control collection, use, monitoring, retention, and disclosure of their personal data. International violations should receive enforcement assistance from the Canadian Government.
That is just a little snapshot of what we have been doing over here. We would hope that legislation like this would address some of those privacy concerns. What we learned and what many are hearing from this debate is that there are huge exemptions for big tech, huge ways to use consumer data in ways that, first of all, consumers do not want their information being used for, and they do not even know how their information is being used.
I am going to get into some of the critics of Bill C-27. I will read from an article today by a young man, Bryan Short, who has some concerns around Bill C-27. Referring to Bill C-27, the article says:
...this change opens the door for companies to begin describing their data collection and surveillance practices in a highly simplified manner, leaving out important details about how this information could be used to harm and discriminate against a person or group of people, and ensuring that the data broker economy continues to thrive while people in Canada’s privacy rights are pushed to the side.
Well, according to the Liberals, this is what this bill is supposed to be addressing. Here, we see simplified consent. That is something that we have supported too. It should be something that we can understand, but not to be abused in this manner, where the fine print is down here and we just check that little box to make ourselves feel good that we have done it. We feel like our data or our privacy is protected, but it really is not.
I will read on: “But with deceptive design practices already being regularly used to encourage people to click 'agree' without really understanding what they’re signing up for, Bill C-27’s weakening of consent could be a big step backwards in terms of privacy.”
I will keep reading, as I have a little bit more from this particular author. We talk about the right to request deletion, and that is part of one's data that is online.
In reference to Bill C-27, the article says, “What’s lacking is a mechanism for when people change their mind about consenting to the collection and use of their personal information, or if they’re opposed to the use of their data and consent wasn’t required at all”.
We have seen the exemptions. They are a big haul. My colleague from Edmonton just referred to those exemptions. We want some better pieces of legislation. I applaud the effort. The previous privacy commissioner Therrien was excellent in caring about Canadians' data and really pursuing a solution for it and defending Canadians. I applaud him for that.
However, I am going to go on to another critic whom I have gotten to know very well from being on the committee, and from his work in Canadian information and how important that is to protect. He is a man named Jim Balsillie, a stranger to none of us in this place and former part owner of BlackBerry. I will read from the article from the Globe and Mail called, “Privacy is central to human well-being, democracy, and a vibrant economy. So why won’t the Trudeau government take it seriously?” The article, written by Mr. Balsillie, states:
Privacy is a fundamental human right that serves as a gateway to other rights and freedoms such as freedom of expression, individual and collective autonomy, and freedom from harassment or invasion. Privacy is critical for the healthy development of the human brain, identity, close relationships and social existence.... “True realization of freedom, that is a life led autonomously, is only possible in conditions where privacy is protected.”
We absolutely agree that privacy is a fundamental human right. I will go on, as this helps explain what Mr. Balsillie is referring to in that paragraph. The article continues:
Behavioural monitoring, analysis and targeting are no longer restricted to unscrupulous social-media companies, but have spread across all sectors of the economy, including retail, finance, telecommunications, health care, entertainment, education, transportation and others.
I have told many high school classes an example of this. We learned that people's data is being monitored in real time, so when standing in front of a display at a big box store, it is known that one happens to be standing in front of a certain brand of headphones, so people should not be surprised if they get an ad for these particular headphones, and why they should buy them, before they leave the store. In a good way, it is incredible, but it is scary in other ways too with the predictive nature of having all that information.
Mr. Balsillie goes on to criticize the current Liberal government. He says:
Yet, Canada's federal government has repeatedly failed to take privacy seriously and construct a legal and regulatory framework that protects the rights of Canadians in the digital age...the Digital Charter Implementation Act, normalizes and expands surveillance and treats privacy as an obstacle to corporate profits, not as a fundamental right or even a right to effective consumer protection. After years of cozying up to Big Tech and meeting with its lobbyists as often as twice a week, the Canadian [Liberal] government is finally coming to terms with the fact that the digital economy needs to be regulated.
The act expands surveillance. It does not reduce it.
I asked initially this question: Can Canadians trust the Liberal government? The Liberals are pretty close to big tech guys. I will use the example that many have been talking about, which are smart cities. That conversation was brought up many years ago and as recently as just a few years ago. Our efforts at the ethics committee were to really push back on this invasion of privacy and that a particular smart city in Toronto, Sidewalk Labs, would have been an invasion of Canadians' information. The Sidewalk Labs project would monitor data on many levels, and it has connections to the current Liberal government. I will read from an article, which states, “Sidewalk Labs project gained support from Trudeau in 2017 call ahead of bid process”.
The Assistant Deputy Speaker (Mrs. Alexandra Mendès): The member knows we cannot use the names of current members.
Mr. Bob Zimmer: My apologies, Madam Speaker. It is a title, but that was my mistake.
What is concerning about this particular article is not just that the Prime Minister supports an invasive smart city kind of concept of monitoring everything, but that it was really done in secret. The people who wanted to get to the bottom of the Prime Minister's conversation with Google and Alphabet Inc. had to get a freedom of information request to find out that the government was having secret negotiations behind the scenes.
I started off by asking a question: Can we trust the Liberal government when it comes to privacy? I think the answer is a clear no.
1633 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, if my colleague opposite does not trust the government, does he trust Google to make the rules, follow its own rules and protect Canadians' privacy that way?
29 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, that is a very interesting question from a Liberal member across the way. No, I do not. That is the reason we are tackling big tech, such as Facebook and Google. The invasiveness of big tech on our privacy and data is a huge concern.
Google was so linked to the current Liberal government and the former member for Vaughan was carrying the water for Sidewalk Labs. It was really something else. There were secret conversations happening to usher a Google project through. Absolutely, I do not trust it.
91 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, as the member is aware, this bill is actually three bills packaged into one. It was the NDP that asked for a division to vote on artificial intelligence. The previous manifestations of Bill C-11 were enhanced with this bill.
What are his thoughts on the fact that this is the first time we are debating how to regulate artificial intelligence? Would it have been more appropriate to have an entirely separate process, as opposed to packing it in with two other pieces of legislation that we have done before? We have at least had some review in the chamber on one them, and they are less controversial in many respects. I would appreciate his comments on that.
I thank him for referencing Jim Balsillie, who has done a tremendous amount of work on this issue in protecting Canadians' privacy rights, which is the same as what the NDP has done. Physical rights and digital rights should be equal.
161 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, yes, we absolutely support it being separated out. It is such a big issue to tackle, and we should tackle these things individually. They are huge issues.
As a testament to when we worked in ethics, often, across the aisle, we do not agree on things in this place, but the one thing we agreed on in our ethics committee was that we all cared about our privacy and Canadians' data. Among the Liberals across the way, there were a couple of members who were supportive of where we were going. I think, in the efforts of supporting all Canadians' right to privacy by not having our data sold and farmed out to the highest bidder, it is in our best interest to defend all Canadians' privacy in this place.
132 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I agree with some of the points my colleague made regarding concerns about privacy violations.
It really gets on my nerves too when I am looking at something and suddenly get bombarded with ads. We need laws to deal with that.
Here is my question for my colleague. We need a digital charter and better protection for our private data. Does my colleague think this ought to go to committee for an in-depth study so we can hear from all the relevant experts, make top-to-bottom improvements to the bill and make sure it is airtight?
100 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is an honour to rise once again in this place as we resume debate on Bill C-27, the digital charter implementation act.
During discussion of this bill and related issues, we are not going to get anywhere if we do not start to recognize that privacy is a fundamental right. This is what Conservatives believe and is where we are coming from when we talk about the positive or negative aspects of this piece of legislation. Not only is it true, but it has to be a priority. That is what Canadians expect from us and that is the message we are delivering to the current government. It is also what has been echoed by many of our constituents as we get emails or phone calls from people who are concerned about this bill and about this issue in general.
The world we live in is rapidly changing and the pace of change seems to be getting faster as we go. It is really amazing what people can achieve with digital technology, yet it has also left us in a more vulnerable and insecure position. There are many ways to intrude upon and violate our privacy that did not exist before, and it is safe to say that this trend will continue in the coming years.
If it was not clear already, it is easy to see now that we have to do more than respond to the changes simply as they come. Instead, we need to do our absolute best to think ahead and make sure that our efforts to protect privacy will not become outdated shortly after we pass any kind of bill into law. It is the least we can do if we are serious about preparing our country for the future, but it is true that, before we can do that, we first have some catching up to do.
Our current privacy legislation is long overdue for an update. It has been 22 years since Canada updated its privacy legislation. Twenty-two years ago, the Internet was basically a new phenomenon, and only about half of Canadians were online. Back then, I think Joe Sakic was the MVP of the NHL, and I was only 13 years old, so a lot has changed in that time.
Today, the Internet is a valuable tool used daily by the majority of Canadians. Generally speaking, people basically are living online. We use social media to connect with family, friends and professional networks. We use a GPS to get directions to move from place to place and navigate around our cities and towns. We have online banking to manage our finances. However, at the beginning of the new millennium, pretty much the majority of this was unheard of. In fact, I think we can all remember what we thought was going to potentially happen on Y2K and the implications it was possibly going to have on technology, which thankfully never came to fruition.
It has been years since the Liberals announced a new data strategy for Canada, which also has not become a reality. The promise also came four years after they formed government. It has now been about as long from then until now. After such a long time, Canadians are still waiting for someone to provide higher standards for the use and collection of their personal data.
So much of what we do these days involves an exchange of our data. Facial and fingerprint recognition are used for security, along with our passwords. Digital maps and search functions track our locations in real time. Many of us upload and share an overwhelming amount of personal information on social media accounts and platforms. We are constantly giving our data to different online companies in order to use their services. People feel comfortable enough to do all this because there is a voluntary loss of privacy for the sake of convenience, but this arrangement also requires a deep level of trust. It could not exist otherwise.
Whenever there has been a breach or loss of that trust, the problem of privacy becomes more obvious. There have been organizations exploiting the trust of people to sell their personal information without authorization. In some cases, the data has gone to places that are not working in their best interests.
I am sure, Madam Speaker, like many people in the House, when you go to a website it asks you if you accept the cookies, for example. Obviously, people just accept and go on there because they want to read the articles. What they do not realize is what they are agreeing to when it talks about what is going to happen with their search history or different aspects that might be invaded by those cookies. Therefore, we have to get serious about privacy. We have to mean it when we say that we recognize that privacy is a fundamental right.
The first draft of Bill C-27 says in the preamble, “the protection of the privacy interests of individuals with respect to their personal information is essential to individual autonomy and dignity and to the full enjoyment of fundamental rights and freedoms in Canada”.
Of course, I am not going to disagree with that. I believe it is good for a law to make a statement like this. However, it is also true that we can and should take it a step further in the same direction. Why not have this type of statement included in the text of the bill instead of only in the preamble? That way, it would more likely be stronger for enforcement and interpretation by the courts. With the situation we are in today, it is worth making our privacy law as strong as possible, and this would be a simple way for us to set the right tone. That is something we are calling for.
This is one example, among many, of how Bill C-27 could be improved with some amendments. Conservatives want to make sure we update our legislation in the right way. After all, in this area of privacy, we should not settle for less.
There is more that can be done to fill the gaps in our privacy law. If the government does not accept stronger legislation, it will simply be insufficient. The law must ensure that the privacy of our citizens would be respected by the activities of government and business. Canadians are the owners of their data, and corporations should ask for consent if ever they hope to collect, use or disclose a client's information.
Instead, the Liberal government still has loopholes with respect to privacy. Corporations can still operate with implied consent instead of express consent, which is freely given, specific, informed and unambiguous consent. What happened with Home Depot and Facebook shows how relying on implied consent can go wrong. In this case, a person could ask for email receipts from Home Depot. Their email address, as well as details of their purchase, were given to Meta, which then matched the person with a Facebook or Instagram account.
When brought to court, Home Depot claimed that it had the implied consent of customers to share their emails with whomever it pleased. When I shopped at Home Depot, I never gave my email address to it, but it never once asked me if I was okay with sharing that data with somebody other than for its own transactional purposes.
We have a lack of clarity, which is not protecting the consumer as much it should be. Implied consent has been losing relevance over time. In our context, it creates headaches for customers who are going about their regular business. They expect one thing and later find out that something much different is going on with their personal data. Even if they agreed or simply went along with something, they rightly feel misled by what happened. That is not informed consent. Our peer countries have been moving away from this. Europe's general data protection regulation has been heralded as the gold standard for privacy laws, and it has done away with implied consent.
Going back to discussing Home Depot, it also said that anything people bought there would be classified as “non-sensitive”, which is something this bill fails to define. Vague language will not favour our citizens in the end. With the Home Depot case, we can see that the law could be interpreted by larger organizations to allow them to do what the law actually intended to restrict. We should clearly define “sensitive information”, and it needs to apply to everyone.
Another vague part of this bill is the implementation of the right to disposal. Bill C-27 would allow the user to request that their data be destroyed, but clarification is needed regarding anonymization and the right to delete or the right to vanish.
At the end of the day, this bill is like many announcements the Liberal government likes to make. It sounds good, but the incompetence, the vague language and failure to close loopholes mean that it would not do what it says it would do. However, it should not surprise anybody if a Liberal bill has significant weaknesses and gaps on the issue of privacy. It is hard for Canadians to take the government seriously based on its own record. It has not shown respect for privacy.
We have seen a government agency use location data from cellphones for tracking purposes. We have seen law enforcement access Clearview AI's illegally created facial recognition database, and, of course, last year we saw the public doxing of online donors. While that was happening, the Liberals decided to mess with the bank accounts of Canadians, and some of those people had not even made donations themselves and certainly had not committed crimes.
It is easy for things to go wrong when there is government overreach, but today the federal government has an opportunity to modernize and protect our country for the problems we face in the 2lst century. If it does not listen to us and fails to make the right decisions, it would be truly shameful.
1703 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I think one of the things we have really benefited from in Canada is the Privacy Commissioner and the office. There is no doubt that the United States not having this position has created an issue for that country. For ourselves, the commission having appropriate resources and reformation to enforce the decisions, as well as having independence from Parliament in many respects, is crucial for the NDP.
I am just wondering where the Conservatives stand on this, with regard to the Privacy Commission, because there would potentially be a tribunal created with Bill C-27, and then there would be far more regulation and oversight necessary from the Privacy Commissioner in the age of artificial intelligence.
118 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, having the Privacy Commissioner is fantastic, and it is interesting to see provinces that have their own privacy commissioners as well. For a number of meetings, I substituted in on the ethics committee, and we heard from some of the provincial privacy commissioners who did fantastic and important work. I think, generally speaking, Canadians would like to see them continue to be able to do their work. They play an important role. I am only going to talk about what is happening here in Canada, but I would like to see their offices continue to function, and I appreciate the valuable work they do.
106 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, privacy is important, and I think nearly all Canadians agree on this. I presume that all members of the House agree on that as well. A generation ago, the Supreme Court also agreed; it said that privacy was something upon which our most basic and ancient expectations of liberty depend. The security of the person depends on privacy, and without a basic expectation of privacy, it is difficult to imagine how any freedoms and security can exist.
What about privacy in the digital age? There is a growing awareness of how both businesses and governments threaten people's privacy and their expectation of privacy. Over the last few years, Canadians have seen high-profile examples of gross violations of this basic expectation of privacy, from both the private sector and government.
Users of the Tim Hortons app were rightly appalled when they learned that a private business was tracking their movements without their knowledge or consent, well after they had ordered and purchased their products. We also heard about Home Depot and the sharing of emails without the knowledge or consent of its customers.
We have seen where Telus Mobility gave the Public Health Agency the mobility data of not only its own customers but any customers whose signals passed through its infrastructure. It did this without following Canada's existing privacy laws, which required the Public Health Agency to consult the Privacy Commissioner before obtaining or using that data.
There is a private corporation, Clearview AI, which is a business that scrapes billions of images of people's faces from across the Internet. It identifies these images however it can from whatever sources, public or whatnot, that it has and then sells these identified images to law enforcement agencies without the consent of the people whose faces and identities it sells.
These are examples of how both public and private institutions flout existing laws.
On the public side, we have seen how the Privacy Commissioner has been ignored by both PHAC and the RCMP. When knowledge of what they had done became available, it was clear that they had not followed the existing laws or consulted with the Privacy Commissioner. The RCMP even disputed the finding of the Privacy Commissioner that it had violated the act, treating it like some kind of matter of opinion with which it could disagree. It repeated that refusal to accept the Privacy Commissioner's finding at a parliamentary committee. The RCMP also used sophisticated spyware to hack cellphones. Again, it did so without consulting the Privacy Commissioner about the use of new technology and new investigative tools, which is required under existing law.
Therefore, we have a real problem with both businesses and the government, which does not take its obligations to Canadians' privacy seriously enough. The government has a problem with respecting Canadians' privacy, and it has a credibility problem around privacy-related issues.
In addition to these well-known breaches by law enforcement and law enforcement's casual attitude towards compliance with privacy law, there are enormous commercial incentives for businesses to use new technologies like facial recognition with artificial intelligence. We have studied these concerns at parliamentary committees, and we have heard experts testify about the dangers to Canadians from the potential misuse of artificial intelligence, both by businesses and law enforcement.
What happens when artificial intelligence goes wrong? Facial recognition technology has built-in biases. We have heard expert testimony about how the efficacy of facial recognition under existing software is best with middle-aged, white male faces. When an individual is a child, a senior, a woman or a person with a darker skin tone, these applications are far less likely to correctly match people. This may have life-changing consequences when we are talking about law enforcement, never mind all the potential commercial applications of AI for retail and other potential users.
In facial recognition, the images are often scraped from the Internet without the consent of the consumer. Consent and the system of consent are completely broken with privacy. This needs to be updated. I know that this bill tries to address this.
We all have these devices that are connected to the Internet. I think everybody in this chamber and most Canadians have had the experience of trying to obtain access to a new application or use a new device. One is confronted with an incomprehensible set of policies and disclosures with an “agree” button at the bottom. Even people who would actually undertake the painstaking process of reading through one of these enormous statements would generally get to the bottom and conclude they do not really understand what they are getting into. However, they need to proceed with whatever task is at hand, and they click “agree”. That is a very small number of people.
Most people just get to the bottom and hit the “agree” button. Nobody has any idea what they have agreed to. I think that a lot of Canadians are sadly resigned to the belief that clicking “agree” means giving up a part of their privacy. They know they are giving something up, but they do not really know what. They just shrug their shoulders and think there is just no way around it; there is no other alternative other than to hit the button.
There is no doubt that the consent model is thoroughly broken or that Canada's privacy laws need to be modernized. Does this bill cut it? I would say no. This bill is too vague. It has too few details and leaves too many unanswered questions to warrant support, even so far as a committee study. This bill is a missed opportunity to get something right that has long been wrong. The failures of the existing privacy laws have been known for a very long time. The government has had a long time to get it right, and it has not done so.
What we are debating is a bill that is consistently vague and leaves too many questions about what it does and what it fails to do. Furthermore, the concern is that if this bill passes, a number of these questions will simply be settled by the minister and departmental bureaucrats rather than through parliamentary oversight.
This bill still does not definitively answer questions about when and how consent for the use of personal information is collected. It talks about the need for plain language, which of course I agree with, but it offers significant exceptions and no details. The bill does not clearly define a series of new terms, including “sensitive information” as being distinct from other types of information.
Will this bill be compatible with the European Union's GDPR? Some call the GDPR the gold standard. I do not know if it is really golden, but there is a consensus that it is the best balance between commercial expediency and consumer privacy. We do not know if this bill is even going to meet up with it.
I wanted to get into a number of shortcomings that this bill has, but I am going to have to get to them in questions. However, I am not going to support it. It is not strong enough to warrant approval even as far as a committee study, although I understand the need for a bill that will address privacy.
With that I will let the questions follow.
1247 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, 20 years after the need to see changes was shown, Bill C-27 is here.
The last time we saw changes, Facebook and iPhones did not exist. This is important legislation. Within it, to use a couple of examples, there are frameworks that allow for substantial fines and protection of Canadian privacy.
What we are hearing from the Conservative Party is that Conservatives do not want any of it. They are going to vote against the bill. The Conservatives are ultimately arguing that the bill is not amendable.
Does the member not see any value in the substance that is actually there to protect Canadians and empower things such as substantial fines?
114 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, that is an interesting question, and the member may well be right. The bill certainly has a lot to catch up with. It has been, as has been pointed out, a long time since the existing law was updated. It seems to me that so many questions remain unanswered about problems that have been well identified by all sides in this chamber, yet they are not clearly and definitively solved by the bill. The emergence of new technologies, while we are not even coping with some that have existed for years, is a problem. We are in the third decade of the Internet age. A lot of this stuff is not new, and we are still catching up with decades of issues around privacy.
126 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I rise today to address the House with respect to Bill C-27, the digital charter implementation act, 2022. It is just a year or so behind.
Thirty-four years ago, the Supreme Court of Canada recognized that privacy was at the heart of liberty. Much has changed since 1989 and little more drastically than the continuous transfer of the private information of Canadians to other organizations. The questions we need to ask are these: What are the costs of and what are the benefits of the availability of Canadians' private information for the use of others?
Many organizations see themselves as supplying useful value to Canadians by being provided, whether by contract or by capture, private information that is not knowingly provided by citizens. Examples include service companies that recognize when a consumer might be able to save a percentage of their fees by bundling certain services. In such a case, the benefit of this information availability is shared by the consumer and the service provider.
Let us make no mistake. What drives the action by the service provider is profit, which is known as the greater share of wallet. Nevertheless, in such cases, the consumer sees the benefit of being included in the information sharing, whether they know it has occurred or they do not.
This apparently benign approach to gathering information has now stretched to our daily lives, where our computers, our phones and our in-home private intelligent assistants, like Siri and Alexa, are gathering information on us. When my sons are at their homes and use Siri, they say, “Siri, turn on”. They have figured out that Siri was listening the whole time. A lot of information is being culled. Do we know that our information, in that case, when we have not actually disclosed it willingly, is being used in a benign or creditable way? Which of that has become public information to be monetized by somebody else? That is what is occurring.
Large corporations are gathering data that is being sold to others for their own purposes. That supposedly benign relationship is now being passed to another organization, in that case, that is paying the information gatherer, and so on. There is no accountability mechanism to the individual for the benefit of the supply of one's information to flow.
There is only one measurement at play, and that is profit. One need only look at the incredible financial returns associated with these technological information-gathering companies, including the Googles, the Metas, the Amazons, etc. None of those are Canadian, by the way, and realize that the value-extraction industry is lopsided in their favour. At no time in human history have start-up companies, many without a tangible product, achieved such lofty valuations so quickly. Billionaires are created out of computer code, which provides what, exactly. It provides our information.
Value is created and destroyed in commercial markets. That is the economic engine that has led the western world to prosperity, but value is only traded in financial markets. Let us ask this: Is the culling and selling of private information, however obtained, creating value or transferring value?
In that respect, the intent of this bill is good. It is designed to modernize the protection of Canadians' digital privacy rights. It is past due, and it is important. It cannot be delayed by another prorogued Parliament or another unnecessary election call, as happened to the prior bill that was introduced to advance this issue in the last Parliament. The aim of this bill is good. The execution, I would say, is way off. I see a bureaucratic solution, designed by bureaucrats, for use by bureaucrats, with what would be a minor effect for the Canadian population in general. As we say, if you are a hammer, everything looks like a nail.
The design outcomes of this bill are increasing bureaucratic oversight. The personal information and data protection tribunal act would have six members and would be put together in a tribunal, three of whom would have experience in information and privacy law. Only three out of six, which is half, are going to have experience in the very laws that they would be overseeing.
This is going to be responsible for determining the severity of financial penalties. It would have a staff of 20 with a budget, along with a larger budget for the Privacy Commissioner, which already exists. Does anybody see any redundancy in this solution?
There is a litany of financial penalties listed through this bill and a host of requirements of all businesses, even small businesses, which are going to find the requirements of this bill onerous in the extreme. Joe's Garage is going to be treated with the same expectations as the Royal Bank and face the same potential penalties.
I will read from this legislation something that would scare any small-business person. This is about privacy management programs, as required under the legislation. It states that, “Every organization must implement...a privacy management program that includes the [organization's] policies, practices and procedures....”
It further states that, “...the organization must take into account the volume and sensitivity of the personal information under its control.” What does that mean, and how do we interpret that?
It also states, “...the organization must ensure, by contract or otherwise, that the service provider provides [substantially the same] protection....” Therefore, a businessman is going to need to ensure that something nebulous is not being provided by their service provider when forwarding information. Clearly, no one involved in this bill's design has even considered what this means for Canada's small-business community.
Here is the issue for Canadians. Who has the most information on Canadians? Governments, first of all. Who is likely to get information hacked? Those same governments.
This bill shows a complete lack of accountability by the government regarding how it might misplace or misuse Canadians' data. Is the government going to fine itself in such an instance? I doubt it. That would be a round-trip anyway, at that point in time.
Banks, secondly, have a lot of information about Canadians, and they use that information to increase their returns. They have large bureaucracies, large legal departments and government relations departments to stick-handle these fines. I should note, in this legislation, many exemptions are included. Therefore, we are building more bureaucracy. That is just what Canadians have elected us to do, I say very sarcastically.
On top of the 30% increase in federal government employees over the past six years, we are going to build more bureaucracy. What this bill should be doing is trying to strike a balance between business use of data and the fundamental protection of our privacy.
Let us quickly discuss some of the nefarious uses of digital information gathering. Let us go back to the pandemic, when CERB payments were given out to Canadians, and how many criminal organizations misused that government information to pilfer the pockets of Canadian taxpayers and get undeserved CERB payments into the wrong accounts. This is what happens when government information is pilfered, and this is the main problem with the privacy of Canadians' information.
My advice to the government is to get this bill moving. It is way behind other jurisdictions on this very important issue. Look at how the absence of privacy protection has affected Canadians, and take a look at where the value of Canadians' information has gone: to all the large American tech companies.
The government must listen to that input and the alternatives that are going to be put before it when it puts together this bill. Hopefully, the government amends this bill so it actually addresses the privacy of Canadians in a more complete manner. Listen to that input and to those alternatives. As the Supreme Court of Canada reiterated 34 years ago, Canada needs to recognize privacy as a right, so let us get to work in providing an outcome that actually safeguards Canadian's privacy.
1348 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I was hoping the hon. member could just elaborate a bit on some of the concerns around the personal information and data protection tribunal. It seems there is no justification for this tribunal. No privacy regime in the world has this tribunal. It introduces unprecedented levels of complexity, potential delays and uncertainty, so I am curious about the member's thoughts on this.
65 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, never in all my speeches have the questions been so astute as this. That is exactly the case. We have a tribunal now being created, with a whole bunch of people, six people, three of whom are going to have to know something about what they are talking about, which is ridiculous, quite frankly. It is actually six new people, when we already have a Privacy Commissioner who can do all of this work and, supposedly, accomplish something.
In addition, all the details of this are going to be in the regulations. There is nothing we are looking at here in Parliament that deals with the details, which are very important for us to look at, as well.
120 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I rise today to speak about Bill C-27. I will focus on the artificial intelligence and data act, but before that, I would like to briefly talk about the overall digital charter implementation act.
Canadians have never been more reliant on the digital economy, yet the current privacy law was last updated over 20 years ago, before iPhones or Facebook even existed. In the new digital economy, enhanced privacy would not only benefit consumers but allow companies to innovate, compete and thrive. We are now at a juncture where, over the next few years, the rules of the road for digital privacy and AI are being written and entrenched. That is why it is crucial to have clear rules when it comes to this sector. For Canadians to prosper and benefit from the digital economy, they need to have confidence that their data is safe and trust that their privacy is being respected.
That is why the government has introduced this legislation, which would ensure that Canada has critical protections in place. Bill C-27 would ensure that Canadians have first-class privacy and data protection and that companies that break the rules face severe consequences, some of the steepest fines in the world. It would also hold organizations to a higher standard, in particular when it comes to protecting the personal information of minors by giving them and their parents more power over their information, including the ability to have it deleted. With Bill C-27, we are moving beyond traditional privacy protection to ensuring data control for all Canadians. Canadians can be reassured that we will never compromise on the trust and safety of their privacy.
Over the last decade, artificial intelligence technologies have been expanding rapidly and have been benefiting Canadians in a variety of ways. These technologies are evolving rapidly and with that, there is an increase in risk and harms due to the use of AI systems, whether intentional or unintentional. The artificial intelligence and data act, or AIDA, would establish rules to promote the responsible use of AI and the related governance practices. The framework would ensure that the development of AI systems has to include plans to mitigate bias and harm and that organizations are accountable for their practices.
The AIDA seeks to regulate international and interprovincial trade and commerce in artificial intelligence systems by requiring that certain persons adopt measures to mitigate risks of harm and biased output related to high-impact artificial intelligence systems. The act would provide for public reporting and would authorize the minister to order the production of records related to artificial intelligence systems. The act would also establish prohibitions related to the possession or use of illegally obtained personal information for the purpose of designing, developing, using or making available for use an artificial intelligence system in an intentional or reckless way that causes material harm to individuals. This would ensure that Canadians have strong privacy protections and clear rules of the road for business, as well as guardrails to govern the responsible use of artificial intelligence.
This bill would provide Canada with adequacy within the European Union's GDPR framework and international interoperability on privacy. Further, it would enable Canada to remain on the cutting edge of artificial intelligence development. This bill would help us to build a Canada where citizens have confidence that their data is safe and their privacy is respected, while unlocking innovation that promotes a strong economy.
The University of Toronto’s Schwartz Reisman Institute for Technology and Society studied this bill, and I would like to quote from an article written by policy researcher Maggie Arai:
As technology continues to advance and permeate almost all aspects of modern life, it has become necessary for regulators to grapple with how to best regulate it. New ways of collecting and processing personal information necessitate new regulations to protect those whose information is being collected, analyzed, and sold—often whenever they visit a new website or sign up to a new app like Facebook or TikTok. Advances in artificial intelligence (AI) are also top of mind for many regulators, posing unique risks and challenges that must be addressed. The recently tabled Bill C-27 represents Canadian regulators’ efforts on both fronts.
She goes on to say:
The Artificial Intelligence and Data Act (AIDA) is the federal government’s first attempt to comprehensively regulate artificial intelligence. Canada is not alone in this: AIDA comes in the wake of similar initial attempts at AI regulation by other governments around the world, such as the European Union’s 2021 AI Act and the United States’ 2022 Algorithmic Accountability Act. AIDA, like the EU’s AI Act, takes a risk-based approach to regulating AI. However, it is worth noting that Canada proposes categorizing AI based on whether it is “high-impact,” while the EU uses the language of “high-risk.” AIDA is also far less prescriptive than the EU AI Act. The draft Act is quite short, with much room left for the enactment of provincial AI laws as well as further federal regulation....
She continues:
A person becomes a “person responsible” for an AI system if they design, develop, make available for use, or manage the operation of an AI system in the course of international or interprovincial trade and commerce.
The major requirements contained in AIDA for “persons responsible” for AI systems include ensuring the anonymization of data, conducting assessments to determine whether an AI system is “high-impact,” establishing measures related to risks, monitoring and keeping records on risk mitigation, and requirements for organizations to publish a plain-language description of all high-impact AI systems on a public website. If at any time the Minister has reasonable grounds to believe that a person may be in contravention of these requirements, the Minister may order that person to conduct an audit into the possible contravention, or engage an independent auditor to conduct the audit.
She goes on to say:
The tabling of Bill C-27 represents an exciting step forward for Canada as it attempts to forge a path towards regulating AI that will promote innovation of this advanced technology, while simultaneously offering consumers assurance and protection from the unique risks this new technology...poses.
She also states:
There are also sections of C-27 that could be improved, including areas where policymakers could benefit from the insights of researchers with domain expertise in areas such as data privacy, trusted computing, platform governance, and the social impacts of new technologies.
She goes on to say:
To ensure that the powerful new technologies that shape our world today benefit everyone, it’s essential that our policies are well-informed—especially when it comes to how technical systems work, how they interact with our legal infrastructure, and how they impact society. As we approach the implementation of this landmark regulation, it’s critical that Canadians are engaged and informed on these topics and ready to make their voices heard.
I will now quote from an article written by the law firm of McCarthy Tetrault, which states:
Bill C-27, if adopted into law, is set to have a significant impact on businesses by creating new requirements for those who make, use, or work with AI. The bill imposes several new obligations on the AI sector which are backed by serious penalties for non-compliance.
1251 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I thank my colleague. I would simply like him to answer the following question.
Since Quebec already has its own privacy legislation and it works very well, does my colleague not think that Bill C‑27 should clearly state that it will not contravene Quebec's legislation?
This should be stated in the bill.
57 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, we are here today to debate Bill C-27, the digital charter implementation act. With this bill, the government seeks to bring Canada's consumer privacy protections up to date, to create a tribunal to impose penalties on those who violate those protections and to create a new framework on artificial intelligence and data.
For my constituents, I think the most important question is this: Why are consumer privacy rights important? Our personal information has become a commodity in the modern world. Businesses and organizations regularly buy, sell and transfer our personal data, such as our names, genders, addresses, religions, what we do on the Internet, our browsing history, our viewing and purchasing habits, and more. This happens so often that it is almost impossible to know who has access to our sensitive data and what they do with those personal details. Unfortunately, this bill fails to adequately protect the privacy of Canadians and puts commercial interests ahead of privacy rights.
The first part of this bill is the consumer privacy protection act, and I will note, as many others have during this debate, that it is really three bills in one. It is the largest part of this bill and brings in new regulations on the collection, use and sale of the private data of Canadians. I will cover three issues that I have found in this act in the first part of this bill.
The first issue relates to how organizations may collect or use our information without our consent. Subclause 18(3) states:
(3) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use
Without defining what a “legitimate interest” is, this subclause risks giving organizations free rein to define “legitimate interest” in whatever way suits their own commercial interests.
The second issue I will cover relates to how the bill would protect the privacy rights of children. Subclause 2(2) states:
(2) For the purposes of this Act, the personal information of minors is considered to be sensitive information.
However, nowhere in this bill are the terms “minor” or “sensitive information” defined. This will lead to confusion about how the personal information of children should be handled, and will ultimately lead, in my opinion, to weak protection of that information. There is also no other provision in this legislation that regulates the collection and use of children's personal data.
Every parent in the House of Commons is very concerned about their child going on Minecraft and about their interactions with other people and other gaming sites. This bill does not do enough to protect children in the context of online gaming.
The last issue I will raise in this act relates to when organizations can rely on implied consent to collect and use personal data. Subclause 15(5) states:
(5) Consent must be expressly obtained unless, subject to subsection (6), it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.
This subclause highlights that the bill lacks a clear definition of “sensitive information”. This means that organizations will have free rein to determine when they can rely on implied consent, and they will be free to decide what information is or is not deemed sensitive according to their interpretations and not the legislation's interpretation.
The second part of the bill relates to the creation of the new personal information and data protection tribunal act. The bill would create a new semi-judicial body with the power to levy financial penalties against those who violate the CPPA, the first part of the act. I question whether this tribunal would be able to enforce the penalties outlined in clause 128, which are tied to global revenue and a proportion of profit in the previous fiscal year.
How does the government plan on ensuring accurate figures? Does the government really believe that it will go after Google in a global context, hold Google accountable and collect up to 4% or 5% of Google's global revenue? It is farcical.
We need very clear and very big amendments to this section. We need to question whether we even need a tribunal, because if it is in charge of enforcing clause 128 of the bill, I already know it is going to fail.
Under the third section of the bill, the artificial intelligence and data act, new provisions would be created that apply to the private sector. However, this bill does nothing to address the relationship between government and artificial intelligence.
Right now in Parliament, we are debating Bill C-11, which talks about the government's use of algorithms in the context of the CRTC. This bill has rightly infuriated Canadians across the country who are concerned about how the government would determine what people say and do on the Internet and where they would be directed. Why is the government not trying to apply the same standards upon itself as it is trying to apply on private corporations?
I want to address some other key oversights in the bill.
First, in the U.K., EU and even Quebec, certain personal details, such as race, sexuality and religion, are given special protection in comparison with other personal information. Why does the government believe the most identifiable aspects of our personal information are not worthy of being defined as sensitive information in the context of privacy law?
Second, the bill does nothing to regulate the sale of personal data. I am reiterating this point. In a world where the sale of personal data has become an integral part of our economy, why is the government not concerned with setting clear rules on how data and what kinds of data can be bought and sold, especially in the context of children?
Third, the bill fails to regulate the use of facial recognition technology. The RCMP used Clearview Al's facial recognition database, which was illegally created. Why does the government not think it is appropriate to ensure this never happens again?
Fourth, the consumer privacy protection act and the personal information and data protection tribunal act proposed in this bill are nearly identical to the acts proposed under last Parliament's Bill C-11. The consequence is that Canada's consumer privacy laws will be out of date by the time they come into force.
This bill was an opportunity to put forward strong regulations on the collection and use of personal data, but it failed to meet some basic criteria and thresholds. While the increased penalties for violating the act are welcome, they are watered down by the implementation of a tribunal that would take months or potentially even years to make a decision and levy fines. It is even questionable whether such a tribunal could actually do what it is purported to be responsible for.
Do we really need privacy legislation that fails to protect the privacy of Canadians? Do we really want privacy legislation that fails to put consumer interests ahead of corporate interests? Do we really want privacy legislation that fails to protect the personal information of children? Do we really want Al regulations that do not apply to government? Frankly, the government needs to withdraw Bill C-27, break it up into different parts and come back to Parliament after it has looked at the drawing board again and done something a little more comprehensive.
1301 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
