44th Parl. 1st Sess.
November 28, 2022 11:00AM
Madam Speaker, I did not touch on the issue of seniors, and I really appreciate the member's raising it.
We do not even have consistency right now in the decision-making process about privacy. People currently agree to a number of different things by clicking boxes, and there is no standardization. For seniors, we have seen, for example with the ArriveCAN app, the confusion as they have complex technology thrust at them during times of stress and times of highly important decisions.
As we move toward this, the member raises a good point in the sense that seniors and other people will need some type of support, education and coaching that go along with this, and shown in plain language. We are dealing with a highly technical bill here that we have had to scrub through the system several times, and the complications it has are unbelievable.
We know we have a very good, educated population, but this is a big change, and I hope that there will be a program of education as part of this. It is a good point that seniors have been left out of this debate, and I am glad the member raised that.
200 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I appreciate the complexity with which the bill has been introduced and that it presents to my hon. colleague, and the work involved in going through it. He mentioned the problems in terms of the tribunal process. I know the Privacy Commissioner has raised a lot of concerns.
Could the member perhaps go into a little more detail about the insistence, which our party certainly has, that the Privacy Commissioner has raised, in terms of ensuring that consumers have far more access to fairness within the legislation than organizations typically would have, because they have more monetary resources to pursue things under legal precedence?
106 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the member for London—Fanshawe's question is something I did not touch on. Again, there is so much in the bill. She is quite right with regard to the fact that if an individual wants to take a legal right of action against an abuse, it is going to be more cumbersome for them, and a company would have a better chance at that.
The tribunal and the division of power with the Privacy Commissioner are going to be very interesting. What I do not want to do is anything that would undermine the Privacy Commissioner. I suppose I am biased in the sense that from my experience, the Privacy Commission has been an excellent model, has done some excellent work and needs more support. That is the other thing we have to do. If we are going to give it more responsibilities, it will need more support. What is worrisome to me is that the tribunal would be a bit disenfranchised from that consistency, and that is one of the reasons we want to see this legislation debated thoroughly.
184 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I commend my colleague. I sat with her on the Standing Committee on Access to Information, Privacy and Ethics for a few months.
We had concerns about privacy. Several recommendations were made, and that is why Bill C‑11 became Bill C‑27. I acknowledge that the bill has been improved. That being said, I wonder about two things.
First, in 2022, I do not think it is right that banking institutions are taking the lead on showing us how important it is to protect privacy. Second, this bill is important, but I would like to know if we should refer it to a committee to study it properly because it is really two bills in one. The first is on artificial intelligence, and the second is on privacy protection. What does the member think?
139 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker and hon. colleagues, I rise today to speak about the digital charter implementation act, 2022, also known as Bill C-27.
I thank the member for Châteauguay—Lacolle for sharing her time with me today.
It is an important discussion that is happening among Canadians about what our digital environment looks like. As we know, over the past few years, we have witnessed the constant evolution of our digital environment. Canadians have been successfully navigating through this changing environment, but they have also made it clear to us that they want better protection of their privacy. They want to be able to benefit from the latest emerging technologies with the confidence that they can be used safely. Canadians also believe that organizations need to be fully accountable for how they manage personal information and how they go about developing powerful technologies, such as artificial intelligence, or AI.
From the beginning of our consultations on digital and data, stakeholders have stressed the importance of maintaining flexibility to innovate responsibly and maintain access to markets at home and abroad. I am proud to say that the digital charter implementation act, 2022, which would enact the consumer privacy protection act, or CPPA, and the artificial intelligence and data act, or AIDA, would do just that.
The CPPA represents a complete transformation of Canada's private sector privacy regime, the Personal Information Protection and Electronic Documents Act, or PIPEDA, which came into force in 2001. That was 20 or so years ago. CPPA would introduce significant changes to better protect Canadians' personal information, including strong fiscal and financial consequences for those who seek to benefit from curtailing their legal obligations. This new framework would also ensure that all Canadians could enjoy the same privacy protections as individuals have in other countries.
The AIDA, for its part, is being proposed to build confidence in a key part of the data-driven economy. This part of the bill would introduce common standards for responsible design, development and deployment of AI systems. It would also provide businesses with much-needed guardrails for AI innovation and would ensure that Canadians can trust the AI systems that underpin the data economy.
PIPEDA was passed at the start of the century when other countries and some provinces were moving forward with privacy laws governing the private sector. Recognizing the potential for a patchwork of provincial privacy laws to emerge and the need to align internationally, Canada put in place PIPEDA as a national privacy standard. It drew on best practices to provide robust privacy protections for increased consumer confidence and a consistent and flexible regulatory environment for businesses that allowed for legitimate use of personal information.
The key element for alignment was the recognition of provincial private sector privacy laws as substantially similar. This meant that, where such a law is given that designation, PIPEDA did not apply to an organization's activities within that province. PIPEDA would continue, however, to apply to the federally regulated sector in that province and to any personal information collected, used or disclosed in the course of commercial activities across borders. This has provided a stable regulatory environment and flexibility for provinces, and it has supported Canada's trade interests well for many years.
Today, history is repeating itself, but the stakes are much higher. The role of the digital economy is far more central to our lives than it was 20 years ago. To harness all that the modern digital world has to offer, we clearly need to modernize our federal private sector privacy law. The provinces are moving in that direction and, again, the risk of fragmentation looms.
Quebec has amended its private sector privacy law, and B.C. and Alberta are examining their private sector privacy laws as well. Ontario too is considering introducing a new private sector privacy law. Therefore, the federal government must act now to ensure that all Canadians benefit from a substantially equivalent degree of protection and facilitate compliance for organizations that do business across the country.
Like PIPEDA, the CPPA is grounded in the federal trade and commerce powers. It builds on the best practices developed internationally and by Canadian provinces, and it foregrounds the importance of the ease of doing business across boundaries. The CPPA replicates the approach under PIPEDA, and it updates the mechanism in regulations for recognizing provincial laws as substantially similar. The regulations will set out the criteria and process for such recognition and will continue to provide the flexibility that has been important to PIPEDA's success.
CPPA, like its predecessor, would also maintain the Privacy Commissioner's ability to collaborate and co-operate with his or her provincial counterparts. This is an important tool to ensure consistency, guidance and enforcement, and one that has enabled our commissioners to lead the world in privacy collaboration and co-operation.
Canada also needs to move proactively to regulate in the AI space, given that the operation of these systems transcends national and provincial borders in the digital environment. AIDA would create a common standard that all organizations involved in international and inter-provincial trade and commerce would have to meet. AIDA would place Canada at the forefront of international regulation in the AI space and would provide clear rules across the country. This would spur innovation and build confidence in the safety of AI systems used or developed in Canada.
We live in an interconnected world. Data is constantly flowing across borders. In 2001, the European Commission recognized PIPEDA as providing adequate protection relative to EU law, allowing for the free flow of personal information between Canadian and European businesses.
In 2018, a new EU regulation came into effect that was known as the general data protection regulation. It updated many of the existing requirements and added strong financial penalties for contraventions. The EU is currently reviewing its existing adequacy decisions, including the one that applies to Canada. We expect to hear more on the outcome of this review soon.
The CPPA would make a positive contribution to maintaining Canada's adequacy with the EU privacy regime. It would enable personal data from EU businesses to continue to flow to Canada without additional protections. Beyond the EU, the changes proposed in the CPPA would represent important updates that would bring us in line with other international jurisdictions that have updated their laws. It would ensure interoperability with consistent rules, rights and consequences.
Other jurisdictions internationally are also moving ahead on their AI regulation, and strong action is needed to maintain Canada's leadership position internationally. Interoperability with international partners remains a key priority. The EU in particular has advanced a framework for regulating AI that would set standards for any AI systems being deployed in the EU market.
AIDA would propose a risk-based approach that would ensure interoperability with the EU while keeping in mind that Canadian context is unique. For example, AIDA would include flexible compliance options in order to ensure that our many small to medium-sized businesses would not be left behind. The proposed AIDA would represent an opportunity for Canada to lead internationally, would ensure market access for Canadian companies and would uphold Canadian values.
The government launched Canada's digital charter in 2019. Its 10 guiding principles offer a foundation on which to build an innovative and inclusive digital and data-driven economy. Ensuring interoperability, a level playing field, strong enforcement and real accountability are clearly reflected in the digital charter implementation act, 2022.
I can assure colleagues that our approach is pragmatic, principled and meets our trading needs. The bill would provide a consistent, coherent framework that Canadians and stakeholders could rely on. With Bill C-27 we would continue to encourage trade and investment and to grow an economy that would extend across provincial and international borders alike.
1308 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, as part of the ethics committee team, I have already begun these deep-dive discussions on the impact of AI on privacy. We have looked at the mobility data of movement as it pertained to the pandemic. I can rest assured that I have an interest in this at committee, whether it is at ethics, at justice or wherever this lands, to make sure that we get those answers. Consumers and Canadians have a right to know how their data is used and to understand when it is used and the purpose for it.
I am deeply encouraged by our work at committee and what we have done, and I look forward to the discussions that will be ahead.
121 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, privacy rights are so critical. When they are violated, consumers deserve to be compensated. There have been numerous examples in the United States where consumers have been compensated in the realm of hundreds of millions of dollars. For the same breach here in Canada, consumers have not been compensated.
I am wondering if the member would support amendments that would ensure that, in Bill C-27, there is parity, and for the same breach, Canadians and Americans would be getting fair compensation.
84 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, as I mentioned in my speech, part of the act and its contemplation is financial consequences for misuse of the act, in terms of privacy and data breaches, so it is certainly something that would come up.
I heed warning. The member and I have talked about this in terms of the Volkswagen case in the U.S. and Canada. We need to compare apples to apples. It is a bit of apples to oranges when it comes to the litigious nature of the United States in terms of compensation and the guardrails that are here in Canada. We should always be mindful of that. While in principle we want to make sure that there is accountability and transparency in the use of this, and that with accountability comes financial penalties, I would like to make sure that it is a made-in-Canada approach.
147 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, data is used for good and data is used for evil. Data is money, data is power and data is knowledge. Data can improve our lives. Data can also harm our lives. Data tells the story of our lives, and our personal data flows globally. The amount of data in the world has doubled since 2020 and is expected to triple by 2025 according to Statista, 2022.
To understand why we need modern privacy rights in the digital world, it is important to understand that businesses have evolved from providing a specific service, like a social network such as Facebook and Twitter or a search engines such as Google or Microsoft to find things, to using data to gather information on individuals and groups, to manage and deploy people's data and to sell their information to others and sell them goods and services.
We have evolved from businesses providing these services for interest to businesses using these services for surveillance on us and making enormous amounts of money on our personal information. As legislators, we must balance the uses of data collection with an individual's right to privacy. It is a delicate balance that Bill C-27 aims to address by modernizing our privacy laws.
At the heart of this long overdue revision to our privacy laws must be the rights of the individual. In my view, commercial usage of data under privacy law should be secondary to personal privacy, and should only be focused on how business interests enhance personal needs and how commercial entities protect individual privacy rights. My remarks today will focus on why this legislation falls far short of what individuals, groups and businesses need for a clear legislative framework of data collection and management of personal information in this digital age.
First, Bill C-27 is really three bills in one omnibus bill. The first bill would update privacy law. The second bill contains a new semi-judicial body and would potentially duplicate what the Privacy Commissioner could do while removing the right to go to the courts. The third is a rushed bolt-on bill on artificial intelligence that does not, in my mind, have much intelligence in it. The Liberal legislation manages to weaken privacy and put up barriers to innovation at the same time.
Bill C-27 fails Canadians right up front in its preamble. Despite demands from privacy advocates over the last few years, the government has failed to recognize privacy as a fundamental right in the preamble. The bill states that individuals' personal information should have the “full enjoyment of fundamental rights”. This is clever language that avoids giving personal privacy the recognition that it is a fundamental right or a fundamental human right.
The wording “full enjoyment of fundamental rights” in the preamble needs to be amended from “of fundamental rights” to “as a fundamental right”. Furthermore, leaving this strictly in the preamble reduces if not eliminates any real legal impact. If privacy is a fundamental right, for it to have true force in this bill it needs to be included as well in clause 5, which notes the purpose of the bill.
Why is privacy a fundamental right? Freedom of thought, freedom of speech and freedom to be left alone are derived from privacy. The legal protections of privacy limit government's intrusion into our lives. In free and democratic societies, we consider these freedoms as essential rights. The rights to think what I want, to say what I want and to be free to choose what I do, what I am interested in and whom I interact with and where I do that in our digital world are data points. To me they are personal information and therefore are part of a fundamental right to privacy.
What does this mean? It means privacy rights under law are prioritized over commercial rights. A rights-based approach serves as an effective check on technology's potential dangers while ensuring businesses can function and thrive.
Government officials have told me this cannot be recognized in the bill the way it needs to be to have true meaning under law and force because it would intrude on provincial jurisdiction. I do not agree, and neither does the Privacy Commissioner of Canada. Both levels of government can regulate privacy and do. The federal government's role is to regulate aspects under its control, including the fact that commerce does not follow provincial boundaries and therefore requires federal oversight.
I believe that most Canadians accept and expect their data to be used to enhance their experiences and needs in our modern society. I also believe that for organizations to obtain the data of Canadians, Canadians must first consent to it, and that if these same organizations find new uses of our data, they need to get express consent as well. Canadians want their data safely protected and not used for things they did not give permission for, and if they choose to end a relationship with a service provider, they want their personal data to be destroyed.
I do not believe Canadians want their personal data sold to other entities without their express consent, and how does Bill C-27 deal with these expectations of Canadians? I think poorly. The legislation, in the summary section, states that the dual purpose of the bill is to “govern the protection of personal information of individuals while taking into account the need of organizations to collect, use or disclose personal information in the course of commercial activities.” What it would not do is place personal privacy rights above commercial interests.
The bill would require express consent in clause 15, and that is true, but a great deal of the bill goes on to describe the many ways in which consent would not be required and how it would be left up to the discretion of the organization that has collected the data if it needs consent for its usage. The bill is also weak in terms of making sure individuals understand consent when given. For consent to be meaningful, the usages proposed must be understood. The lack of definition and the placement of burden of interpretation on businesses expose those same businesses to legal action and penalties if they get it wrong. This lack of clarity may stifle innovation in Canada as a result. The bill needs to ensure that individuals understand the nature, purpose and consequences of the collection, use and disclosure of the information to which they are consenting.
In addition, the bill would give organizations the right to use information in new ways and would require businesses to get an update to consent for this information. That is good and necessary, but the bill would also enable organizations to use the implied consent in subclause 15(5). When combined with paragraph 18(2)(d), this would give businesses carte blanche to use implied consent rather than express consent.
An organization can decide on its own that the original consent implies consent for a new purpose, and they do not need to seek the individual's views. This is a version of the old negative option marketing that was outlawed in the 1990s. Either someone gives consent, or they do not. There is no such thing as implied consent, in my view, and this needs to be removed from the bill.
Additionally, the bill uses the term “sensitive information”, which companies and organizations must determine to protect data, but it does not anywhere in the more than 100 pages define what “sensitive information” is. It needs to be defined in the bill to include information revealing racial and ethnic origin, gender identity, sexual orientation and religious and other affiliations. These are just a few examples.
However, that is not the worst of it. Bill C-27 would introduce a concept called “legitimate interest”. This is a new rule that would rank an individual's interests and fundamental rights below those of the organization that gathered the information, the exact opposite of what a personal privacy bill should do. To do this, subclause 18(3) would allow an organization or business to use information if it has a legitimate interest in doing so. However, here is where it really gets goofy: To try to reduce businesses using our data under the legitimate interest clause for their own needs over ours, the Liberals have decided to limit the power under paragraph 18(3)(b). This clause could prohibit the business or organization from using our information for the purpose of influencing behaviour.
For more than 20 years, since the invention of loyalty and rewards programs, retailers have used people's data to offer products they might enjoy based on their purchasing patterns. Have members ever bought wine online or in store because it said, “If you like this, you might enjoy this alternative”? Have members ever watched a show on Netflix because it was recommended? Have members ever listened to a song on Spotify because it was recommended based on what else they had listened to? Well, guess what. Paragraph 18(3)(b) could now make this service illegal.
The Liberals cannot get express consent right, and they are allowing companies to use people's data with implied consent or no consent at all. The Liberals are also putting the business use of people's personal data above their privacy rights. That is why it is really the no privacy bill. At the same time, the Liberals are making illegal the good parts of what businesses do in enhancing the customer experience by removing the ability to study purchasing patterns and offering products that we might enjoy because of paragraph 18(3)(b). This bill makes influencing people's decisions illegal.
The minister said to me and mentioned in the House in his opening speech on the bill, as have other members today, that he is proud to be protecting children from harm in this digital bill. This 100-page legislation has only one clause related to children. Subclause 2(2), under “Definitions”, states that “information of minors is considered to be sensitive”, but the bill does not define “sensitive” nor does it define what a minor is. Officials tell me that the definition of a minor is determined by provincial law, so each province would have different rules, and companies would have to comply with the different rules in every province.
If the protection of children were really a major purpose, this legislation would devote some space to defining both what a minor is and what sensitive information is. During COVID, minors used many online apps and programs to continue their formal education. There were then and still are no protections under law as to what is done with their data. This technology would be a new normal for our education system. The online surveillance of children resulting from the COVID experience is huge and protections are zero, even with this bill.
This bill needs to define in law, not regulation, age-appropriate consent for minors, and comprehensive rules to prevent the collection, manipulation and use of any minor's data. This bill leaves it up to businesses to decide what is sensitive and appropriate for minors. It is a colossal failure on the minister's main selling point for this no privacy bill.
The bill is silent on the selling of personal data. It needs provisions on the limits and obligations of data brokers. The bill is silent on the use of facial recognition technology. The bill also prohibits using data in a way that produces significant harm and defines it inadequately. For example, psychological harm caused by a data breach and embarrassment caused by privacy loss are not included. The damages role needs to be expanded to include moral damages, since most contraventions of privacy do not involve provable, quantifiable damages.
Creating more government bureaucracy and growth is the true legacy of the Liberals in government. This bill is no exception, with the creation of a body to appeal the Privacy Commissioner's rulings to. The appointed new body of non-lawyers is called the personal protection and data tribunal, and it is the second part of the bill. Frankly, these powers, if they really are important, should be given to the Privacy Commissioner to eliminate the middle man of bureaucracy. There is no need for this tribunal.
Finally, let us turn to the ill-conceived, poorly structured and ill-defined artificial intelligence part of Bill C-27. It really needs to be removed from this legislation and puts this bill's passage into question. AI is a valid area to legislate, but only with a bill that has a legislative goal. That is why I am hopeful that the Speaker will rule in favour of the NDP's point of order, reiterated by our Conservative House leader, which would ensure that part 3 of the bill is voted on separately from part 1 and part 2.
Essentially, this part of Bill C-27 would drive all work on AI out of Canada to countries with clearer government legislation. It tells me the government has not done its homework, does not really know what AI is or will become, and has no idea how it will impact people in our country.
The bill asks parliamentarians to pass a law that defines no goals or oversight and would give all future law-making power to the minister through regulation, not even to the Governor in Council but to the minister. The minister can make law, investigate violations, determine guilt and impose penalties without ever going to Parliament, cabinet or any third party.
It is a massive overreach and is anti-democratic in an area critical to Canada's innovation agenda. Promises of consultation in the process of crafting regulations is too little, too late. It puts too much power in the hands of unelected officials and the minister.
The definition in the bill of what AI is, and therefore what it wants total regulatory power over, is a system that autonomously processes date related to human activities using a genetic algorithm, a neural network, machine learning or other networks to make recommendations or predictions. If we think this is futuristic, it is not. It is already happening in warfare to determine and execute bombings.
Without parliamentary oversight, the bill introduces the concept of “high-impact systems”. It does not define what that is, but it will be defined in regulation and managed in regulation. No regulatory power should ever be given to the minister or the Governor in Council for anything that is not defined in law.
The only thing the bill defines is the unprecedented power to rule all over this industry and the fines to those who breach the unwritten regulations. The massive financial and jail penalties that extend down to the developers and the university researchers for undefined breaches of law as part of the statute are huge.
Unless this portion of the bill is separated when members vote, this AI section is reason alone that the bill should be defeated. AI is a significant need, but it needs a proper legislative framework, one that is actually developed with consultation.
I urge all members to read the bill carefully. Current privacy laws need amendment, but the current law is preferable to this ill-defined proposal. The AI bill would drive innovation and business out of Canada's economy, making us less competitive.
It is hard to believe anyone could get this legislation so wrong, especially since this is the second time the Liberals have proposed updating our privacy laws. Without splitting the bill, without having separate votes and without considerable amendments in committee in the first two parts, the bill should be defeated.
I urge all members to consider this seriously in their deliberations as we go on to the many speeches that we will hear. While this is a critical point of updating our personal privacy, the bill, in its current state, does not do it and it gives equal if not greater rights to businesses and organizations than it does to individuals.
2723 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the member for Mirabel and I have some spirited discussions as seatmates.
With respect to the first point, if there is not a separate vote, as has been requested in the point of order, for the artificial intelligence in the third part of the bill, then, yes, we agree that this needs to be defeated because it would really hurt our economy.
In terms of the issue of personal privacy versus companies, in my remarks I made it very clear that the bill is inadequate in dealing with the personal protection of privacy and data of the individual and it places the interest of business over that. We are opposed to this.
114 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is an honour today to rise to speak to Bill C-27, the digital charter implementation act.
I think it is important to reflect on how long it has been since we last had an update to legislation regarding the privacy laws that exist around data. The last time was over 20 years ago. Twenty years might not seem like a long time, but when we think about it, 20 years ago Facebook was probably just a program Mark Zuckerberg was working on in his dorm room.
If we think of iPhones, they were pretty much non-existent 20 years ago. Smart phones were out, but they certainly did not have anywhere near the capabilities they do today. So many other technologies we have come to rely on now have been getting smarter over the years. They are acting in different manners and are able to do the work they do because of the data being collected from individual users.
Another great example would be Google. Twenty years ago it was nothing more than literally a search engine. One had to type into the Google form what one was looking for. Sometimes one had to put weird characters or a plus symbol between words in the search terms. It literally was just a table of contents accessing information for people. However, now it is so much more than that. How many of us have, at some point, said to somebody that we would love to get a new air fryer, and then suddenly, the next day or later that day, we see in Google, on Facebook, or whatever it might be, advertisements for air fryers that keep popping up. I am sure that sometimes it is a coincidence, but I know in my experience it seems it happens way too often to be a coincidence.
These are the results of new technologies that are coming along, and in particular AI, that are able to work algorithms and build new ones based on the information being fed into the system. Of course the more information that gets fed in, the smarter the technologies get and the more they are looking to feed off new data that can give them even further precision with respect to advertising and targeting tools at people.
This is not just about selling advertising. AI can also lead to incredible advancements in technology that we otherwise would not have been able to get to, such as advancements in health and the automotive industry. If we think of our vehicles, the big thing now in new cars is the lane-assist feature, which uses technology such as lidar to read signals in the road.
There is technology that, when we enter our passwords to confirm we are human beings, sometimes requires us to pick different things from pictures. When we do that, we are feeding information back into helping those images be properly placed. We are not just confirming that we are human beings; there is an incredible amount of data being used to give better evaluations to various different formulas and equations based on the things we do.
When we think of things like intelligent and autonomous vehicles, which basically drive themselves, 20 years ago would we ever have thought a car could actually drive itself? We are pretty much halfway there. We are at a point where vehicles are able to see and identify roads and know where they need to be, what the hazards are, and what the possible threats are that exist with respect to that drive.
What is more important is that, when I get into my vehicle, drive it around and engage with other vehicles, it is analyzing all of this data and sending that information back to help develop that AI system for intelligent vehicles to make it even better and more predictive. It is not just the data that goes into the AI, but also the data that it can generate and then further feed to the algorithms to make it even better.
It is very obvious that things have changed quite a bit in 20 years. We are nowhere near where we were 20 years ago. We are so much further ahead, but we have to be conscious of what is happening to that data we are submitting. Sometimes, as I mentioned in a previous question, it can be data that is submitted anonymously for the purposes of being used to help algorithms around lidar and self-driving vehicles, for example. At other times it can be data that can be used for commercial, marketing and advertising purposes.
I think of my children. My six-year-old, who is in grade one, is developing his reading quite quickly. Two years ago, even at the age of four, when he would be playing a video game and would not be able to figure out how to get past a certain level, he would walk up to my wife's iPad and basically say, “Hey, Siri, how do I do this?”
Just saying that, I probably set off a bunch of phones to listen to what I am saying, but the point is that we have children who, already at such a young age, are using this technology. I did not grow up being able to say, “Hey, Siri, how do I do this or that?”
What we have to be really concerned about is the development of children and the development of minors, what they are doing and how that can impact them and their privacy. I am very relieved to see there is a big component of this that, in my opinion, aims to ensure the privacy of minors is maintained, even though I have heard the concern or the criticism from some members today that the definition of “minor” needs to be better reflected in the legislation.
I feel as though if it is not known what a minor is, in terms of how it relates to this legislation, then I believe this is something that can be worked out in committee. It is something to which the governing members would be more than welcome, in terms of listening to the discussion around that and why or why not further clarifying the definition is important.
I would like to just back up a second and talk more specifically about the three parts of this bill and what they would do. The summary reads as follows:
Part 1 enacts the Consumer Privacy Protection Act to govern the protection of personal information of individuals while taking into account the need of organizations to collect, use or disclose personal information in the course of commercial activities.
A consequence of this first part would be to repeal other older pieces of legislation. I think this is absolutely critical, because this goes back to what I have been talking about in terms of how things have changed over the last 20 years. We are now at a place where we really do not know what information we are giving or is being used from us. I realize, as some other colleagues have indicated, 99.9% of the time, we always click that “yes, I accept the terms” without reading the terms and conditions, not knowing exactly how our information is being used and what is actually being linked directly back to us.
Through the consumer privacy protection act, there would be protections in place for the personal information of individuals while, at the same time, really respecting the need to ensure companies can still innovate, because it is important to innovate. It is important to see these technologies do better.
Quite frankly, it is important for me personally, and this will be very selfish of me, that, when I am watching on Netflix a show that I really like, I get recommendations of other shows I might really like. As the member for South Shore—St. Margarets mentioned earlier, when it comes to Spotify, it is important to me also that, when I start listening to certain music, other music gets suggested to me based on what other people who share similar interests to mine have liked, and how these algorithms end up generating that content for me.
It is important to ensure that companies, if we want them to continue to innovate on these incredible technologies we have, can have access to data. However, it is even more important that they be responsible with respect to that innovation. There has to be the proper balance between privacy and innovation, how people are innovating and how that data is being used.
We have seen examples in recent years, whether in the United States or in Canada, where data that has been collected has been used in a manner not in keeping with how that data was supposed to be used. There has to be a comprehensive act in place that properly identifies how that data is going to be used, because, quite frankly, the last time this legislation was updated, 20 years ago, we had no idea how that data would be used today.
By encouraging responsible innovation and ensuring we have the proper terminology in the legislation, companies would know exactly what they should and should not be doing, how they should be engaging with that data, what they need to do with that data at various times, how to keep it secure and safe and, most importantly, how to maintain the privacy of individuals. It is to the benefit not just of individuals in 2022, or 2023 almost, to have data that is being properly secured. It is also very important and to the benefit of the businesses, so that they know what the rules are and what the playing field is like when it comes to accessing that data.
The second part of this bill, as has been mentioned:
...enacts the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner under the Consumer Privacy Protection Act and to impose penalties for the contravention of certain provisions of that Act.
This is absolutely critical, because there has to be somewhere people can go to ensure that, if they have a concern from a consumer perspective over the way their data is used and they are not happy with the result from the commissioner, they have an avenue to appeal those decisions. If we do not do that, and we put too much power in the hands of a few individuals, or in this case the Privacy Commissioner under the consumer protection act, if we give all that power and do not have the ability for an appeal mechanism, then we will certainly run into problems down the road. This legislation would help ensure that the commissioner is kept in check, and it would also help consumers have the faith they need to have in terms of accountability when it comes to their data and whether it is being used and maintained in a safe way.
The third part of the bill is the more controversial in terms of whether or not it should be part of this particular legislation or in a separate vote. The summary reads:
Part 3 enacts the Artificial Intelligence and Data Act to regulate international and interprovincial trade and commerce in artificial intelligence systems by requiring that certain persons adopt measures to mitigate the risks of harm and biased output related to high-impact artificial intelligence systems.
That act would provide for public reporting and authorizes the minister to order the production of records related to artificial intelligence systems. The act also would establish prohibitions related to the possession or use of illegally obtained personal information for the purpose of designing, developing, using or making available for use an artificial intelligence system in an intentional or reckless way that causes material harm to individuals.
One of the consequences of artificial intelligence, quite frankly, is that if we allow all of this biased information to be fed into the artificial intelligence systems and be used to create and produce results for important algorithms, then we run the risk of those results being biased as well if the inputs are going to be that way. Therefore, ensuring that there are proper measures in place to ensure individuals are not going to be treated in a biased manner is going to require true accountability.
The reality is that artificial intelligence, even in its current form, is very hard to predict. It is very hard to understand exactly when a person is being impacted by something being generated from an artificially intelligent form. Quite often, a lot of the interactions we already have on a day-to-day basis are based on these artificial intelligence features that are using various different inputs in order to determine what we should be doing or how we should be engaging with something.
The reality is that if this is done in a biased manner or in a manner that is intentionally reckless, people might not be aware of that until it is well past the point, so it is important to ensure that we have all of the proper measures in place to protect individuals against those who would try to use artificial intelligence in a manner that would intentionally harm them.
As I come to the conclusion of my remarks, I will go back to what I talked about in the beginning, that artificial intelligence, quite frankly, has a lot of benefits to it. It is going to transform just about everything in our lives: how we interact with individuals, how we interact with technologies, how we are cared for, how we move around by transportation, how we make decisions, as we already know, on what to listen to or what to watch.
It is incredibly important that as this technology develops and artificial intelligence becomes more and more common, we ensure that we are in the driver's seat in terms of understanding what is going into that and making sure we are fully aware of anybody who might be breaking rules as they relate to the use of artificial intelligence. It will become more difficult, quite frankly, as the artificial intelligence forms take on new responsibilities and meanings to create new decisions and outputs, and we must ensure that we are in a position to always be in the driver's seat and have the proper oversight that is required.
I recognize that some concerns have been brought forward today by different members. At first glance, when the member for South Shore—St. Margarets and others brought forward the concern around the definition of a “minor”, which is not something I thought of when I originally looked at this bill, I can appreciate, especially after hearing his response to my question, why it is necessary to put a proper definition in there. I hope the bill gets to committee and the committee can study some of those important questions so we can keep moving this along.
I certainly do not feel as though we should just be abandoning this bill altogether because we might have concerns about one thing or another. The reality, and what we know for certain, is that things have changed quite a bit in the last 20 years since the legislation was last updated. We need to start working on this now. We need to get it to committee, and the proper studies need to occur at this point so we can properly ensure that individuals' privacy and protection are taken care of as they relate to the three particular parts I talked about today.
2637 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, one of the things that concern me in this bill is the proposed personal information and data protection tribunal. The way it is formulated and the vagueness of the membership, especially since many members will be appointed by the government, gives rise to a concern that it might be used as a political tool by the government of the day to overturn rulings it does not like. No other jurisdiction in the world has a tribunal like this. No other privacy regime has a tribunal like this.
I am curious as to whether the member thinks it might be better just to empower the Privacy Commissioner.
108 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I do not understand exactly what the member means by just empowering the Privacy Commissioner. My understanding was that the intent of the tribunal was to oversee decisions that were made by the commissioner. That being the case, I think it is important that there be a body in place to bring complaints about the commissioner to.
Having said that, again, if the concern is not about the structure of the bodies but more about the composition and how that is determined, then I think this is a great conversation that can be had at committee, and the committee can bring forward its suggestions on this.
The government that introduced the bill certainly is not in a majority, as we know, and the NDP have been there to work with the government quite a bit. If these are suggestions that need to be brought forward, in a minority Parliament there is going to have to be at least a majority of the members on the committee that make recommendations back. I guess we will see what comes back from the committee.
183 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the member talked about being in the driver's seat, about AI and privacy.
The bill is really a balance between business interests and privacy, but one thing that we have seen is missing from the bill is its failure to mention privacy as a fundamental human right. That is not included in the purpose clause. We look at other provinces, like Quebec, and Quebec has privacy listed as a fundamental human right in its privacy legislation.
To be in control, to be in the driver's seat, to protect our minors, to ensure that businesses do not have something like legitimate interests that take control of this bill, does the member agree that having privacy listed as a fundamental human right is imperative to this bill going forward in the purpose statement?
135 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the member indicated that it is not in the preamble. Could it be in the preamble? Maybe it should be. I am not sure.
What I did learn very quickly from my days on municipal council is that the preamble really does not matter; it is the resolve clauses in the motion, or in this case the bill, that really matter. Do I believe that privacy is of the utmost importance? Absolutely. It is talked about throughout this bill. Should that be in the preamble? I am sure that is another matter that could be discussed at committee to determine if it is appropriate.
106 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, for the average citizen in the digital age, we have entered uncertain times. To almost everyone, at face value, the convenience of our time is remarkable. Access to any piece of information is available at our fingertips. Any item imaginable can seamlessly be ordered and delivered to our doors. Many government services can be processed online instead of in person. Canadians have taken these conveniences for granted for many years now.
The pandemic accelerated our ascent, or descent, depending on who you ask, into the digital age. The inability to leave our homes and the necessity to maintain some rhythm of everyday life played a significant part in that, but around the world, we saw governments taking advantage of the plight of their citizens. Public health was used as a catalyst for implementing methods of tracking and control, and social media platforms, which have been putting a friendly face on exploiting our likes, dislikes and movements for years, continue to develop and implement that technology with little input or say from their millions of users.
Canadians no longer can be sure that their personal information will not be outed, or doxed, to the public if doing so would achieve some certain political objective. We saw that unfold earlier this year with the users of the GiveSendGo platform.
The long-term ramifications of our relationship with the digital economy is something Canadians are beginning to understand. They are now alert to the fact that organizations, companies and government departments operating in Canada today do not face notable consequences for breaking our privacy laws. As lawmakers, it is our responsibility to ensure that Canadians’ privacy is protected and that this protection continues to evolve as threats to our information and anonymity as consumers unrelentingly expands both within and beyond our borders.
That brings me to the bill we are discussing today, Bill C-27. It is another attempt to introduce a digital charter after the previous iteration of the bill, Bill C-11, died on the Order Paper in the last Parliament. My colleagues and I believe that striking the right balance is at the core of the debate on this bill. On the one hand, it seeks to update privacy laws and regulations that have not been modernized since the year 2000 and implemented in 2005. It would be hard to describe the scale of expansion in the digital world over the last 22-year period in a mere 20-minute speech. It is therefore appropriate that a bill in any form, particularly one as long-awaited as Bill C-27, is considered by Parliament to fill the privacy gaps we see in Canada’s modern-day digital economy.
Parliament must also balance the need for modernization of privacy protection with the imperative that our small and medium-sized businesses remain competitive. Many of these businesses sustain themselves through the hard work of two or three employees, or perhaps even just a sole proprietor. We must be sensitive to their concerns, as Canada improves its image as a friendly destination for technology, data and innovation. This is especially true as our economic growth continues to recover from the damaging impact of pandemic lockdowns, crippling taxes that continue to rise and ever-increasing red tape.
That extra layer of red tape may very well be the catalyst for many small businesses to close their operations. No one in the House would like to see a further consolidation of Canadians’ purchasing power in big players such as Amazon and Walmart, which have the infrastructure already in place for these new privacy requirements.
In a digital age, Canadians expect businesses to operate online and invest a certain amount of trust in the receiving end of a transaction to protect their personal information. They expect that it will be used only in ways that are necessary for a transaction to be completed, and nothing more.
In exchange for convenience and expediency, consumers have been willing to compromise their anonymity to a degree, but they expect their government and businesses to match this free flow of information with appropriate safeguards. This is why Bill C-27, and every other bill similar to it, must be carefully scrutinized.
As many of my colleagues have already indicated, this is a large and complex bill, and we believe that its individual components are too important for them to be considered as one part of an omnibus bill.
There are three—
747 words
- Hear!
- Rabble!
- add
- star_border
- share
I am now prepared to rule on the point of order raised on November 22, 2022, by the member for New Westminster—Burnaby concerning the application of Standing Order 69.1 to Bill C-27, an act to enact the consumer privacy protection act, the personal information and data protection tribunal act and the artificial intelligence and data act and to make consequential and related amendments to other acts.
The member for New Westminster—Burnaby stated that there is a clear link between the first two parts of Bill C‑27, which respectively enact the consumer privacy protection act and the personal information and data protection tribunal act. He further noted that these elements were both part of the previous Bill C-11, which was introduced in the House during the 43rd Parliament.
However, the member argued that part 3, which enacts the artificial intelligence and data act, should be considered separately, because it does not directly concern privacy protection or the analysis, circulation and exchange of personal information. Accordingly, he asked the Chair to divide Bill C‑27 for the purposes of voting, as Standing Order 69.1 permits.
The official opposition House leader concurred. He added that, outside of clause 39 of the bill, which mentions the new consumer privacy protection act in the definition of the term “personal information”, part 3 of Bill C-27 does not refer to parts 1 or 2. Furthermore, the member for South Shore—St. Margarets stated that parts 1 and 2 of Bill C-27 deal with privacy protection, which has nothing to do with the subject of part 3, the regulation of the new industry of artificial intelligence.
On November 23, the parliamentary secretary to the government House Leader pointed out that privacy protection is the common theme that links every part of Bill C-27. In his view, the bill’s three parts constitute a framework for protecting the privacy of Canadians from the risks posed by artificial intelligence systems. He argued that dividing the bill would prevent members from considering all the risks and impacts that new artificial intelligence technologies may create for the security of personal information. He also noted that privacy laws do not adequately protect the public from new artificial intelligence systems and that, as a result, Bill C-27 should be considered as a whole.
Standing Order 69.1 gives the Chair the authority to divide the questions, for the purposes of voting, on the motions for second or third reading of a bill. The objective here is not to divide the bill for consideration purposes, but to enable the House to decide questions that are not closely related separately.
The Chair has carefully reviewed the provisions of Bill C‑27 and taken into account members' statements on the issue of dividing it for voting purposes. The Chair agrees that the bill's three parts are connected by a broad theme, namely, the use and protection of personal information. While parts 1 and 2 of the bill are closely related, this is not true of part 3.
The Chair is of the view that, given the lack of cross-references between part 3 and the preceding parts of the bill, with the sole exception being one reference to the new consumer privacy protection act—which serves to propose a common definition of the term “personal information”—dividing the bill for voting at second reading is justified.
In his intervention, the parliamentary secretary to the government House leader emphasized the common theme that links the three acts enacted by Bill C-27. In a decision on a similar matter, delivered on March 1, 2018, which can be found at pages 17550 to 17552 of the Debates, Speaker Regan said the following, at page 17551:
…the question the Chair must ask itself is whether the purpose of the standing order was to deal only with matters that were obviously unrelated or whether it was to provide members with the opportunity to pronounce themselves on specific initiatives when a bill contains a variety of different measures.
In the absence of a clear link between the three parts of Bill C-27, other than the theme of privacy protection, the Chair is willing to divide the question. Accordingly, two votes will take place at the second reading stage for Bill C-27. The first will be on parts 1 and 2, including the schedule to clause 2. The second will deal with part 3 of the bill. The Chair will remind members of this division before the voting begins.
If any part of this bill is negatived, the Chair will order the bill reprinted for reconsideration at committee.
I thank the hon. members for their attention.
807 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, as many of my colleagues already indicated, this is a large and complex bill, and we believe that its individual components are too important for them to be considered as one part of an omnibus bill. I am pleased with the ruling of the Speaker.
There are three separate pieces of legislation to this bill. In part 1, the consumer privacy protection act would repeal and replace decades-old measures concerning personal information protection. In part 2, the personal information and data protection tribunal act would strike a tribunal to administer penalties for violations of the CPPA. In part 3, the artificial intelligence and data act is brand new to the bill and sets up a framework for design and use of AI in Canada, which is almost entirely unregulated.
Long before the widespread use of the Internet, our Supreme Court was clear that privacy is at the heart of liberty in a modern state. The government should be taking every opportunity possible to enshrine privacy in our laws as essential to the exercise of our rights and freedoms in Canada. As Daniel Therrien stated in the Toronto Star earlier this month, “democracies must adopt robust solutions anchored in values, not laws that pretend to protect citizens but preserve the conditions that created the digital Wild West.”
The value of privacy should anchor the bill. Instead, the bill fails right out of the gate. The preamble states:
the protection of the privacy interests of individuals with respect to their personal information is essential to individual autonomy and dignity and to the full enjoyment of fundamental rights and freedoms in Canada
Placing this value in the preamble of the bill where it has no teeth raises distrust rather than confidence that the government truly respects Canadians' privacy rights. The CPPA would require organizations, companies or government departments affected by the bill to develop their own codes of practice for the protection of personal information. While these codes must be approved and certified by the Privacy Commissioner, one can only imagine the variation of protection that would result. This requirement would add significant red tape and would be yet another onerous task borne on the backs of small and medium-sized businesses, which employ most Canadians. It would also create more work for the Privacy Commissioner in parsing through complicated codes created by larger, wealthier, powerful corporations, companies or government departments that have legal teams whose sole purpose is to find creative ways to perhaps game the system.
Although it would take more time and investment up front, the better option, in my mind, would be to create a standard code of practice that all entities have to follow. This could certainly be taken on as one of the first responsibilities of the expanded Office of the Privacy Commissioner in defining the universal code of practices, where confidence in the process would be greatest and where the greatest level of concern for individual privacy actually exists.
This bill states that personal information can be transferred without Canadians' consent for purposes ranging from research to analysis to business purposes, but it must be de-identified before this can take place. At first glance, this is a positive measure until it is compared with anonymization as an alternative. According to the bill, de-identify means “to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.” That leaves much to be desired when compared to the anonymization of personal information. In the bill, anonymize means “to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”
Any attempt to identify individuals from de-identified information is prohibited, except in approved circumstances. While many of these approved circumstances relate to the ability of an entity to test the effectiveness of its de-identification system, the potential for abuse still exists. This bill would be improved by eliminating those chances for abuse. We should examine replacing de-identification with anonymization wherever possible.
In comparing Bill C-27 to the EU regulations, we see there are several ways in which the CPPA does not live up to what is widely considered to be the international gold standard of privacy protection, which is the European Union's 2016 General Data Protection Regulation, or GDPR. There is a glaring example of Bill C-27's inferior protections: The GDPR processes personal data in such a manner that it can no longer be attributed to a specific individual without the use of additional information kept separately, subject to technical and organizational measures. This is a security and privacy-by-design measure of the GDPR.
Regarding what Bill C-27 considers to be sensitive information, there is nothing to indicate what sensitive information actually entails. It is also limited in its application. Only the personal information of minors is considered to be sensitive. All information Canadians surrender to any entity should be considered sensitive. On the other hand, the GDPR possesses a particular regime for special categories of personal data, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data and data concerning health, sex life and sexual orientation.
We are happy to see that consent is better defined in Bill C-27. However, exceptions for activities not requiring consent would remain in place. Some of them are so broad that an entity could interpret them as never requiring consent. These are loopholes that Canadians should not have to endure when they are required to check the box that they have read and accept terms before they are able to interact with a digital site.
For example, legitimate interests in a given situation may be used by companies to disregard consent. There is a danger that these interests will outweigh potential adverse effects on the individual. Attempting to define legitimate interests allows for too much interpretation, and interpretation is not something that lends itself to privacy laws. The use of personal information could also be exempt from consent if a reasonable person would expect the use of their information for business activities. There is no definition as to what a reasonable person is.
The bottom line is that there are far too many loopholes and vague terms. For the savvy, wealthy or well-lawyered, the potential for abuse exists. The GDPR, conversely, is unequivocal on consent. It must be freely given, specific, informed, unambiguous and in an intelligible and accessible form, and is only valid for specific purposes. Canada should have followed that example. Canadians cannot help but wonder why Bill C-27 does not.
Under the proposed CPPA, there is no minimum age for minor consent, nor is “minor” defined. In the EU, the GDPR sets out a minimum age for a minor's consent at 16 years of age. Member states also have the flexibility to allow for a lower age, provided the age is not below 13 years.
If a breach of personal information does take place, Bill C-27 would make Canada slower to respond than its international counterparts. This bill mandates that a notification be made to the Privacy Commissioner of any breach that creates a real risk of significant harm as soon as it is feasible. The individual affected would also need to be informed, but, again, as soon as feasible.
The GDPR sets out that a mandatory notification must be made to the supervisory authority without undue delay, or 72 hours after having become aware of the incident in certain circumstances. Prior to the introduction of this bill, Canada was lagging behind internationally, and it still is, even after. The GDPR is already six years old. That is six years of extra time during which the Liberals have failed to develop this legislation to meet the robust international standard.
In Bill C-27, the Privacy Commissioner would be empowered to investigate any certified organization for contravening the act. The commissioner has been rightly asking for increased powers and responsibilities for some time, and this goes beyond a mere recommendation to violators to stop their actions. The commissioner would be able to recommend greater penalties of no more than $20 million or 4% gross global revenue for a summary offence, and no more than $25 million or 5% gross global revenue for an indictable offence.
These penalties should add more bite to what the Privacy Commissioner can do and impact how Canadians’ personal information will ultimately be treated. The penalties would also apply to a greater number of provisions, such as actions that contravene the establishment and implementation of a privacy management program and failure to ensure equivalent protection for personal information transferred to a service provider.
However, these new powers for the Privacy Commissioner hit a dead end when taken in context with the second part of this bill, which establishes a tribunal. The personal information and data protection tribunal would consist of no more than six members, and only half of those members must have experience in information and privacy law. The Privacy Commissioner would have order-making authority and the ability to make recommendations to this tribunal regarding penalties. However, the tribunal would have the power to apply its own decision instead, which would be final and binding. Except for judicial review under the Federal Courts Act, the tribunal's decisions would not be subject to appeal or to review by any court. These are powers equivalent to a superior court of record.
The existence of this tribunal would dull the new teeth given to the Privacy Commissioner. While the commissioner could recommend that a penalty be levied for violations of the CPPA, it is the tribunal that would have the power to set the amount owed by these organizations.
The cost associated with striking this tribunal is also a concern. Despite the fact that its work would likely be limited to a handful of times per year to determine penalties, it would apparently require a full-time and permanent staff of 20. I am deeply concerned as the government also has a bad habit of striking advisory councils, or so-called arm's-length regulatory bodies, in advance of bills being debated and passed in the House, long before the ink on the legislation is dry.
My memory is drawn to when a bill was being debated in the House, and I inquired about the details of the proposed environmental council. I was told with great zeal that it had already been established, and the members had been appointed before the bill was even debated in the House.
Can the current Prime Minister tell us if this tribunal would be struck only after Parliament has dealt fully with this bill? Will the Liberals be transparent with Canadians on how the appointment process would be undertaken? Can they assure Canadians that a full-time and permanent staff of 20 has not already been determined? After seven years of Liberal power, the level of patronage in this place run deep.
Part 2, which is the personal information and data protection tribunal act, should be removed as it is a bureaucratic middleman with power that would conflict and create redundancy with the Privacy Commissioner's new powers. The new powers would mean little if they were not coupled with quick and effective consequences for violators. It would prolong decisions on fines and harm Canada's reputation of holding violators accountable.
It would also not align with our friends in the EU, U.K., New Zealand and Australia that do not use a tribunal system for issuing fines. It goes to show Canadians that when it comes to making big government needlessly bigger, the Liberals do it well.
The third and final part of this bill is the only entirely new component. The artificial intelligence and data act seeks to regulate an entity, artificial intelligence, that has not been regulated before in this country.
It would set standards for the creation and use of AI systems in Canada by both domestic and international entities. More specifically, international and interprovincial trade and commerce in artificial intelligence systems would be regulated through common requirements for the design and use of those systems.
It would prohibit certain conduct pertaining to AI systems that could lead to harmful results for individuals and their personal data. There is that mention of personal data. This is a massive undertaking, attempting to regulate something that, up to this point, has been almost entirely unregulated.
I also understand that consultations on this were only initiated in June. Logic would dictate that such a bill requires careful scrutiny and time to get it right.
Requiring record keeping and human oversight are positive developments. What we find difficulty with is getting a clear picture of what the final framework would look like, as the minister alone would be empowered to establish these regulations. The minister would be able to act independently of Parliament in making rulings and imposing fines. In an age of uncertainty and new horizons for our relationship with AI, this is unacceptable. Parliament, at the very least, and independent experts and watchdogs should be central to the creation and enforcement of these rules.
It appears that once again the government has chosen to simply tack on a crucial area of concern to Canadians to an already complicated bill, and it wishes to again entrust sweeping powers to a minister to act independently of parliamentary oversight.
My final thoughts today on Bill C-27 are as follows. The Conservatives are considering this bill through a reasoned approach, and appreciate that stakeholders who have been calling for this legislation for years are watching today's debate closely.
It is absolutely clear that modern-day protection for the personal information of Canadians is required. They must have the ability to access and control its collection, use, monitoring and disclosure, and the right to delete it or the right to vanish.
How can we ensure that data is protected through watertight regulations and strict fines for abuse while also realizing that not every business affected by this bill would have the resources of Walmart or Amazon? Small and medium-sized businesses should be shielded from onerous regulation that stifles their growth. This is not to say that business interests should weigh equally with personal privacy, but there is a balance to be had, and I believe the Liberals do not have it right here.
Furthermore, in a cynical attempt to move their legislative agenda forward, the Liberals have bundled changes to privacy laws with a first-of-its-kind framework for artificial intelligence that once again intends to govern through top-down regulation and not through legislation.
The Liberals should commit today to splitting this bill up to allow Canadians a clear view of its intended impact. With that commitment, the Conservatives will be looking to do the hard work at committee to improve the long-awaited but flawed elements of this legislation. Even in an age of convenience, the world in which we live grows even more complicated by the day. Canadians deserve privacy protection worthy of 2022 realities and beyond.
2558 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, this is very progressive legislation that deals with an area of concern that Canadians have, and it is something the government is concerned about. That is why we have the legislation. It is for safety and privacy, which are of critical importance.
We are moving into a significant digital economy with databases. The issue is there, and I am interested in knowing where the Conservatives are going to fall on this legislation. When I listened to the member, she seemed to express concerns about this area, but there was no indication of whether the Conservative Party would be supporting the legislation. We just heard from the Speaker in terms of voting on the three parts.
Does the member have any suggested amendments that she is thinking about? I believe that Canadians need this legislation. Would it not be nice to have legislation of this nature pass second reading before the end of the year?
156 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I do not know if, throughout my speech, members heard my concerns around the fact that this falls short of what our international colleagues have created. It is so much stronger in the European Union's 2016 general data protection regulation, or GDPR.
Obviously, we have indicated on this side of the House that we have a lot of concerns, especially with the lack of definition of so many terms that are included in this legislation. They need to be clarified. Otherwise, it is going to create all kinds of additional problems. What we need more than anything is clarity so that Canadians can have confidence that their privacy is being protected.
114 words
- Hear!
- Rabble!
- add
- star_border
- share
