44th Parl. 1st Sess.
March 7, 2023 10:00AM
Madam Speaker, I would like to thank my friend from Hamilton Centre. I see him all the time in our town, and we serve together on the Standing Committee for Access to Information, Privacy and Ethics.
I would ask whether he thinks there is urgency to this legislation, given the fast pace that this technology develops and that companies are using it to develop what can sometimes be invasive and can violate the privacy of Canadians.
76 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I find it interesting that the Canadian Conservative Party has become such a champion for big tech companies. Since the member opposite brought this up even though it is not related to this legislation, does he think it is okay that Google blocked news access to hundreds of thousands of Canadians in order to strong-arm the government? Does he think Google is a paragon of virtue that will, on its own, protect Canadians' privacy rights?
78 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, if my colleague opposite does not trust the government, does he trust Google to make the rules, follow its own rules and protect Canadians' privacy that way?
29 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I am so pleased to rise today to speak to the digital charter implementation act, 2022. With Bill C-27, our government is showing leadership in a new digital world. Privacy is important to the residents of my riding of Hamilton Mountain. It is important to all Canadians. This legislation would not only benefit consumers, it would allow companies to innovate, compete and thrive.
The world I grew up in is significantly different from the world in which my son is growing up. This bill gives me confidence that we will be able to take advantage of the latest technologies, while at the same time be assured that our personal information is safe and secure.
I want to specifically talk about the consumer privacy protection act and how it sets out a balanced approach to compliance and enforcement.
Canadians clearly want their personal information to be handled responsibly, and they want meaningful consequences for organizations that break rules to gain some advantage. Canadians want fair punishment for truly bad actors.
According to a survey published by the Office of the Privacy Commissioner, 71% of Canadians have refused to provide their personal information to an organization because of privacy concerns. In an earlier survey, this same percentage of Canadians said that their willingness to share their personal information would increase if they knew the organization would face financial consequences should their information be mishandled. Such consequences are clearly an important tool for enhancing privacy protection for Canadians and also for helping organizations comply with the law right from the start.
The consumer privacy protection act, or CPPA, will assist companies to get privacy right and the escalating enforcement approach will correct problems as they arise.
The new privacy law incentivizes organizations to step up and improve their privacy practices at the outset. The CPPA will also provide the Privacy Commissioner with a key role in helping them do so.
Under the CPPA, businesses will be able to ask the Privacy Commissioner to review the policies and practices that make up their privacy management program, which will assist them in complying with the law. The commissioner can also ask to review such programs. This is a very important step in the early detection and serves to correct problems at the outset.
Privacy management programs cover a wide range of privacy considerations: how companies manage service providers; how they respond to breaches; when to undertake privacy risk assessment; employee training; complaint handling; and so on. Under the CPPA, the Privacy Commissioner will be able to examine these policies and practices outside of an investigation. The goal is for the commissioner to give advice and make recommendations.
The CPPA will prevent the commissioner from using what he or she has learned in these reviews in any enforcement action unless the organization willfully disregards recommendations. We think this would be very rare, but if it happens, action can be taken.
The approach provides an appropriate space in which the commissioner can provide advice and companies can take proper action. At the same time, the commissioner will be able to gain insights on how the law is implemented in real-world situations, thereby being able to better advise organizations on the challenges they may face in the privacy space.
Essentially this approach builds on the Office of the Privacy Commissioner's current business advisory function, which has proven successful in encouraging compliance through engagement rather than enforcement. By allowing for the review of privacy management programs, the CPPA provides businesses with a safe place to seek and obtain advice and implement compliance solutions at the onset. We believe this will help prevent privacy issues before they have an impact on individuals.
We know Canadian companies will be very interested in this part of the new law, particularly smaller companies and start-ups, and I can probably think of a few in Hamilton Mountain.
The CPPA recognizes that a one-size-fits-all approach does not work for privacy. Some organizations deal with minimal amounts of personal information; for others, it is central to their business model. That is why the CPPA allows organizations to develop their privacy management programs according to the volume and sensitivity of the personal information that they handle, and why the commissioner must also take this and a company's revenues into consideration during the exercise of the role under the law.
Another important protection under the new act is the ability of the Privacy Commissioner to review the risk assessments and mitigation measures that organizations must do if they rely on a brand new exception to consent for activities in which they have legitimate interest.
Under the CPPA, the Privacy Commissioner will continue to undertake research and publish guidance. It is a long-standing role and important in helping organizations meet their compliance obligations. It is a role that we wholeheartedly support.
The bill would ensure that organizations build privacy considerations into their products and services from the beginning. Working with organizations, giving guidance, this is a fundamental role of the Privacy Commissioner. We want to be proactive here. We want to prevent problems before they have a harmful impact on individuals.
However, there will be organizations that do not have the right practices. There will be others that have the right practices but still make mistakes. This law provides individuals with the right to complain about an organization's privacy policies when they appear to be offside with the law. The right to complain is considered to be a fundamental principle in all privacy statutes.
Under the CPPA, like PIPEDA, the Privacy Commissioner also retains the ability to initiate a complaint investigation when there are reasonable grounds to do so. This is an important role because filing a formal complaint is not always obvious. Maybe some people will not know there is a problem; maybe they do not have time to make a complaint. This is where the Privacy Commissioner should be able to take action when intelligence gathering from media reports and their own research indicate that there could be potential trouble.
CPPA encourages the early resolution of problems and provides for dispute resolution. Over the years, through its active early resolution approach, the Office of the Privacy Commissioner has successfully been able to resolve many complaints with limited formality.
The CPPA maintains such tools for the commissioner. For example, compliance agreements, introduced relatively recently under PIPEDA, remain in the CPPA. Pursuing these agreements allows companies to work out an acceptable resolution with the commissioner, without the commissioner resorting to more formal measures, like orders. However, resolution will not always be possible or desirable. Sometimes the commissioner will need or want to consider stronger measures.
Under CPPA, the commissioner will have the power to issue orders to compel an organization to take necessary actions to bring the organization into compliance. This is a new power and a key improvement over PIPEDA.
Prior to issuing such orders and to ensure fairness, the Privacy Commissioner's office will need to go through a new process, called an inquiry. Once the inquiry is completed, the commissioner will issue findings and a decision, and will make orders as necessary to an organization to change its privacy practices.
As part of this process, the Privacy Commissioner may also recommend administrative monetary penalties to a new tribunal for certain contraventions of the law. The possibility of significant fines for non-compliant organizations, fines of up to 5% of global revenue or $25 million, whichever is greater, for the most serious offences, is another key improvement over PIPEDA.
A key part of the new enforcement regime, the personal information and data protection tribunal is being established to hear appeals of the commissioner's decisions. If required, it will also decide whether to issue a monetary penalty and, if so, the amount.
Industry stakeholders say that we need impartiality in enforcement decisions, given the different roles of the Privacy Commissioner. This was particularly the case for any proposals involving monetary penalties, which have the potential to significantly affect an organization.
The new privacy law will support additional due diligence in decisions to impose monetary penalties by introducing an inquiry phase before issuing orders, and by separating the imposition of penalties from the commissioner's other responsibilities.
We know that some organizations will challenge the commissioner's orders and recommendations, and we do not want to burden the courts. This is another reason for introducing a new tribunal. It is intended to be more accessible than the courts. It will ease access to justice for the individual and the organization.
After the previous version of this bill was tabled, stakeholders told us it needed more privacy expertise. We listened and this version of the CPPA has the necessary privacy expertise to ensure credibility.
1467 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, this legislation needs to be flexible. As I mentioned in my speech, it applies not only to big corporations but to smaller companies and companies that use a lot of personal data as well as companies that use very little personal data. It has to be flexible. It has to be able to work in different situations. It has to be able to work in the future because, as we have seen, technology advances very quickly. We need legislation to be able to adapt regardless of the changes in technology that are happening before we can change the laws to accommodate.
103 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I do not think this bill is going to create any issues for the other bill that we are going to look at in committee. I think there are a number of measures that need to be put in place to deal with the problems of the digital world that we face today.
55 words
- Hear!
- Rabble!
- add
- star_border
- share
- Mar/7/23 1:42:02 p.m.
- Watch
Madam Speaker, I have forgotten the question.
7 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I think this government takes privacy very seriously. That is why we have been working on this legislation since the last government and why we have improved this legislation, bringing it before the government a second time to include things like artificial intelligence and improve security for the privacy of young people on the Internet.
57 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
