44th Parl. 1st Sess.
March 7, 2023 10:00AM
Madam Speaker, I appreciated hearing the member for Hamilton Centre's speech on Bill C-27. I would like to hear more from him, in particular on subclause 18(3). This section talks about a legitimate interest for an organization to collect a person's private information without consent.
There have been concerns shared here with respect to how open-ended this legitimate interest could be. I wonder if the member would reflect and share more about his concerns, if any, with the way the bill is currently written.
89 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I agree with some of the points my colleague made regarding concerns about privacy violations.
It really gets on my nerves too when I am looking at something and suddenly get bombarded with ads. We need laws to deal with that.
Here is my question for my colleague. We need a digital charter and better protection for our private data. Does my colleague think this ought to go to committee for an in-depth study so we can hear from all the relevant experts, make top-to-bottom improvements to the bill and make sure it is airtight?
100 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, privacy is important, and I think nearly all Canadians agree on this. I presume that all members of the House agree on that as well. A generation ago, the Supreme Court also agreed; it said that privacy was something upon which our most basic and ancient expectations of liberty depend. The security of the person depends on privacy, and without a basic expectation of privacy, it is difficult to imagine how any freedoms and security can exist.
What about privacy in the digital age? There is a growing awareness of how both businesses and governments threaten people's privacy and their expectation of privacy. Over the last few years, Canadians have seen high-profile examples of gross violations of this basic expectation of privacy, from both the private sector and government.
Users of the Tim Hortons app were rightly appalled when they learned that a private business was tracking their movements without their knowledge or consent, well after they had ordered and purchased their products. We also heard about Home Depot and the sharing of emails without the knowledge or consent of its customers.
We have seen where Telus Mobility gave the Public Health Agency the mobility data of not only its own customers but any customers whose signals passed through its infrastructure. It did this without following Canada's existing privacy laws, which required the Public Health Agency to consult the Privacy Commissioner before obtaining or using that data.
There is a private corporation, Clearview AI, which is a business that scrapes billions of images of people's faces from across the Internet. It identifies these images however it can from whatever sources, public or whatnot, that it has and then sells these identified images to law enforcement agencies without the consent of the people whose faces and identities it sells.
These are examples of how both public and private institutions flout existing laws.
On the public side, we have seen how the Privacy Commissioner has been ignored by both PHAC and the RCMP. When knowledge of what they had done became available, it was clear that they had not followed the existing laws or consulted with the Privacy Commissioner. The RCMP even disputed the finding of the Privacy Commissioner that it had violated the act, treating it like some kind of matter of opinion with which it could disagree. It repeated that refusal to accept the Privacy Commissioner's finding at a parliamentary committee. The RCMP also used sophisticated spyware to hack cellphones. Again, it did so without consulting the Privacy Commissioner about the use of new technology and new investigative tools, which is required under existing law.
Therefore, we have a real problem with both businesses and the government, which does not take its obligations to Canadians' privacy seriously enough. The government has a problem with respecting Canadians' privacy, and it has a credibility problem around privacy-related issues.
In addition to these well-known breaches by law enforcement and law enforcement's casual attitude towards compliance with privacy law, there are enormous commercial incentives for businesses to use new technologies like facial recognition with artificial intelligence. We have studied these concerns at parliamentary committees, and we have heard experts testify about the dangers to Canadians from the potential misuse of artificial intelligence, both by businesses and law enforcement.
What happens when artificial intelligence goes wrong? Facial recognition technology has built-in biases. We have heard expert testimony about how the efficacy of facial recognition under existing software is best with middle-aged, white male faces. When an individual is a child, a senior, a woman or a person with a darker skin tone, these applications are far less likely to correctly match people. This may have life-changing consequences when we are talking about law enforcement, never mind all the potential commercial applications of AI for retail and other potential users.
In facial recognition, the images are often scraped from the Internet without the consent of the consumer. Consent and the system of consent are completely broken with privacy. This needs to be updated. I know that this bill tries to address this.
We all have these devices that are connected to the Internet. I think everybody in this chamber and most Canadians have had the experience of trying to obtain access to a new application or use a new device. One is confronted with an incomprehensible set of policies and disclosures with an “agree” button at the bottom. Even people who would actually undertake the painstaking process of reading through one of these enormous statements would generally get to the bottom and conclude they do not really understand what they are getting into. However, they need to proceed with whatever task is at hand, and they click “agree”. That is a very small number of people.
Most people just get to the bottom and hit the “agree” button. Nobody has any idea what they have agreed to. I think that a lot of Canadians are sadly resigned to the belief that clicking “agree” means giving up a part of their privacy. They know they are giving something up, but they do not really know what. They just shrug their shoulders and think there is just no way around it; there is no other alternative other than to hit the button.
There is no doubt that the consent model is thoroughly broken or that Canada's privacy laws need to be modernized. Does this bill cut it? I would say no. This bill is too vague. It has too few details and leaves too many unanswered questions to warrant support, even so far as a committee study. This bill is a missed opportunity to get something right that has long been wrong. The failures of the existing privacy laws have been known for a very long time. The government has had a long time to get it right, and it has not done so.
What we are debating is a bill that is consistently vague and leaves too many questions about what it does and what it fails to do. Furthermore, the concern is that if this bill passes, a number of these questions will simply be settled by the minister and departmental bureaucrats rather than through parliamentary oversight.
This bill still does not definitively answer questions about when and how consent for the use of personal information is collected. It talks about the need for plain language, which of course I agree with, but it offers significant exceptions and no details. The bill does not clearly define a series of new terms, including “sensitive information” as being distinct from other types of information.
Will this bill be compatible with the European Union's GDPR? Some call the GDPR the gold standard. I do not know if it is really golden, but there is a consensus that it is the best balance between commercial expediency and consumer privacy. We do not know if this bill is even going to meet up with it.
I wanted to get into a number of shortcomings that this bill has, but I am going to have to get to them in questions. However, I am not going to support it. It is not strong enough to warrant approval even as far as a committee study, although I understand the need for a bill that will address privacy.
With that I will let the questions follow.
1247 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
