So V ote

Context: House Hansard - 125 - Nov/4/22

Apr/20/23 3:46:22 p.m.
Watch
Re: Bill C-27

Madam Speaker, I thank my colleague for her speech. Obviously, artificial intelligence can be put to good or bad use. One thing puzzles me, though. Generative AI, which describes ChatGPT, has recently displayed truly superior ability. It managed to gather a trove of data that would have been unimaginable even a few months ago. However, the legality of how this trove of data was obtained is unclear. In relation to the part of Bill C‑27 that deals with personal information and privacy, I would like to ask my colleague if she is concerned about how ChatGPT obtains data.

101 words

All Topics

Nov/4/22 1:01:12 p.m.
Watch
Re: Bill C-27

Mr. Speaker, I would like to begin by giving a shout out to my constituents in Trois-Rivières, whom I will be visiting all next week in my riding. When I talk to people on the street, privacy is a topic that comes up a lot. They know that I sit on the Standing Committee on Access to Information, Privacy and Ethics, and privacy comes up often. People tell me that it is important, that we must do our best to rise to the challenge. Today, we have the opportunity to debate that very subject. Society is a human construct. It is a reflection of how we organize our lives together. It reflects our vision of the world, the role of a citizen, the role of the state. In a democratic society where elected officials are chosen by the people to represent them, our laws must reflect our desires and the desires of our fellow citizens, as well as the way in which their visions can be realized. In other words, a society and its laws are eminently cultural constructs. When we compare the legislation passed in the House of Commons with that of the Quebec National Assembly, the difference is striking. Ottawa tends to emphasize the enforcement mechanism, whereas in Quebec, the emphasis is on the legislator's intent. Ottawa wants to arbitrate, while Quebec wants to prescribe and guide. When it comes to privacy, this is especially true in the digital age: the difference is dramatic. At one end of the spectrum, so to speak, is the United States. In the United States, laws are primarily intended to arbitrate disputes rather than to shape how the digital economy operates. Laws are based on the good faith of the players and on voluntary codes. As one might imagine, this has its limits. Ultimately, if someone is wronged, they can get redress through the common law. At the other end of the spectrum is the European Union. The legislation there prescribes clear obligations. I am referring to the General Data Protection Regulation, better known by the acronym GDPR. In between is Canada, a hybrid creature whose intentions on privacy oscillate between the European and American extremes. This may seem like an academic debate, but there are practical implications that bring us to Bill C-27. When it comes to privacy, European law is the most prescriptive in the world. It is based on a clear principle, namely that our personal information belongs to us and us alone, and no one can use it or benefit from it without our free, informed and explicit consent. Once the government set out that principle or objective, it then provided a mechanism for achieving it. That mechanism is the GDPR. The GDPR is becoming the standard to follow when it comes to privacy, because it is the legal standard with the clearest objectives and the most binding application. Simply put, the GDPR does a good job of protecting privacy. That is one reason why it is the standard we should be emulating; the other is that the EU is projecting its standard-making power beyond its borders. In order to protect the personal information of European citizens, the European Union will soon prohibit European businesses from sharing this information with foreign businesses that do not offer comparable protection. This does not affect us yet, but next year, the EU will be reviewing Canada's laws to see if they offer sufficient protection. The existing legislation on personal electronic information protection dates back to 2000. That was 22 years ago. We were in the dinosaur era, the pre-digital era, an era we barely remember now. Also, it is far from clear whether Canada passes the comparable protection test required under the GDPR. Information exchanges between Canadian businesses and their European partners could become more complicated. This is particularly true in areas that deal with more sensitive information, such as the financial sector. It is therefore absolutely necessary to redraft the Personal Information Protection and Electronic Documents Act, which is completely outdated. It has not kept pace with technological change and the data economy, where we are both the consumer and the product. It has not kept pace with the legal environment, where Canada is a dinosaur compared to Europe, as I was just saying. Nevertheless, my colleagues will have figured out that the Bloc Québécois is in favour of the principle of Bill C‑27. Nevertheless, I would like to make a general comment about Bill C‑27. For some reason, the government has put into one bill two laws with completely different objectives. The bill would enact the consumer privacy protection act and also the artificial intelligence and data act. Although there is a logical link between these two acts, they could be stand-alone bills. Their objectives are different, their logic is different and they could be studied separately. I have a suggestion for the government. It should split Bill C‑27 into two bills. We could create what I would call the traditional Bill C‑27, which would deal with personal information and the tribunal. Then, what I would call Bill C‑27 B would address artificial intelligence. As I was saying, there are logical reasons for that, but there are also practical reasons. Let me be frank and say that the artificial intelligence act being proposed is more of a draft than a law. The government has a clear idea about the mechanism for applying it, but, clearly, it has not yet wrapped its head around the objectives to be achieved and the requirements to be codified. The mechanism is there, the bureaucratic framework is there, but the requirements to be complied with are not. Apart from a few generalities, the law relies essentially on self-regulation and the good faith of the industry. I have often faced these situations, and I can say that the industry's good faith is not the first thing I would count on. Apart from a few generalities, this relies on good faith, but that is not a good way to protect rights. I am not convinced that this bill should be passed as written; I think it needs to be amended. Bill C‑27 probably deserves the same fate that Bill C‑11, its predecessor, encountered in the last Parliament. The government introduced it, debate got under way, criticism was fierce, and the government let it die on the Order Paper so it could keep working on it and come back with a better version. I think that is exactly what should happen to the artificial intelligence act. The government has launched a healthy discussion, but this is not a finished product. If we decide that the government needs to keep working on it and come back with a new version, we will also be delaying the modernization of privacy and personal information legislation. Given the European legislation, which I talked about earlier, that is not what the government wants to do. That is why I would cordially advise the government to split Bill C‑27. I am going to focus primarily on personal information protection because that is the part of Bill C‑27 that is ready to go and has the most practical applications. As I said before, Bill C‑27 is an improved version of Bill C‑11, which was introduced in the fall of 2020. However, Bill C-27 still does not establish privacy as a fundamental right. Bill C-11 was strong on mechanics, but weak on protection. The principles were also weak and consent was unclear. It was tough on large corporations and much less so on small businesses. When it comes to privacy, however, it is the sensitivity of the data that should dictate the level of protection, not the size of the company. A new start-up that develops an app that aggregates all of our banking data, for example, may have only two employees, but it still possesses and handles extraordinarily sensitive information that must be protected as much as possible. I cannot help but think of the ArriveCAN app, which was developed by just a few people but has a large impact on the data that is stored. Finally, Bill C-11 did not provide for any harmonization with provincial legislation, such as Quebec's privacy legislation. The Bloc Québécois was quite insistent on that. A Quebec company subject to Quebec law would also have been subject to federal law as soon as the data left Quebec. It would have been subject to two laws that do not say the same thing and have two different rationales. This would mean duplication and uncertainty. It was quite a mess. Passing Bill C-11 would have diminished, in Quebec at least, the legal clarity that is needed to ensure that personal information is protected. Here is what Daniel Therrien, the then privacy commissioner, told the Standing Committee on Access to Information, Privacy and Ethics, of which I am honoured to be a member. He said, and I quote, “I believe that C-11 represents a step back overall from our current law and needs significant changes if confidence in the digital economy is to be restored.” He proposed a series of amendments that would make major changes to the bill. I want to commend the government here. It listened to the criticism. It is rare for this government to listen, but it did so in this case. It buried Bill C-11. We never debated it again in the House and it died on the Order Paper. It reappeared only after being improved. Bill C-27 shows more respect for the various jurisdictions and avoids the legal mess I was talking about earlier. Our personal information is private and it belongs to us. However, property and civil rights fall exclusively under provincial jurisdiction under subsection 92(13) of the Constitution of 1867. What is more, privacy basically falls under provincial jurisdiction. That is particularly important in the case of Quebec, where our civil law tradition leads us to pass laws that are much more prescriptive. Last spring, Quebec's National Assembly passed Bill 25, an in-depth reform of Quebec's privacy legislation. Our law, largely inspired by European laws, given that we share a legal tradition, is the most advanced in North America. As we speak, it is clear that Quebec has exceeded the European requirements and that our companies are protected from any hiccups in data circulation. Our principles are clear: Our personal information belongs to us. It does not belong to the party who collected it or the party who stores it. The implication is clear. No one can dispose of, use, disclose or resell our personal information without our free, informed and express consent. Bill C-11 challenged this legal clarity but Bill C-27, at the very least, corrects that. Under clause 122(2) of Bill C‑27, the government may, by order, “if satisfied that legislation of a province that is substantially similar to this Act applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Act in respect of the collection, use or disclosure of personal information that occurs within that province;”. In other words, if Quebec's legislation is superior, then Quebec's legislation will apply in Quebec. When I met with the minister's office earlier this week, I asked for some clarification just in case. Will a Quebec business be fully exempt from Bill C‑27, even if the information leaves Quebec? The answer is yes. Will it be exempt for all of its activities? The answer is yes. There is still some grey area, though. I am thinking about businesses outside Quebec that collect personal information in Quebec. In Europe, it is clear. It is the citizen's place of residence that determines the applicable legislation. The same is true under Quebec's legislation. It is not as clear in Bill C‑27. Since the bill relies on the general regulation powers for trade and commerce as granted by the Constitution, it focuses more on overseeing the industry than on protecting citizens. That is the sort of thing we will have to examine and fix in committee. I look forward to Bill C‑27 being studied in committee so we can debate the substance of the bill. I have to say that I sense the openness and good faith of the government. In that regard, I would like to tell the member for Kingston and the Islands to take note that, for once, I feel he is working in good faith. Bill C‑27 will have a much greater impact outside Quebec than within it, because it is better drafted than Bill C-11. That is not the only aspect that was improved. The fundamental principles of the bill are clearer. Consent is more clearly stated. The more sensitive data must be handled in a more rigorous manner, no matter the size of the entity holding them. That is also more clear. If the principles are clear, the act will better stand the test of time and adjust to the evolving technologies without becoming meaningless. We will support it at second reading after a serious debate, but without unnecessary delays. However, we believe and insist that the real work must be done in committee. Bill C-27 is complex. Good principles do not necessarily make good laws. Before we can judge whether Bill C-27 is indeed a good law, we will need to hear from witnesses from all walks of life. When it comes to privacy, it only takes one tiny flaw to bring down the whole structure. This requires attention to detail and surgical precision. The stakes are high and involve the most intimate part of our lives: our privacy. For a long time, all we had to do to maintain our privacy was buy curtains. That is how it used to be. It kept us safe from swindlers. Then organizations started collecting data for their records. Bankers collected financial information, the government collected tax information and doctors collected medical records. This sensitive information had to be protected, but it was fairly simple, since it was written on paper. Today, we live in a different world. Whereas personal information used to be a prerequisite for another activity, such as caring for a patient or getting a loan from a bank, it has become the core business of many companies. Information has become the core business of many companies, which are also large companies. Computerization enables the storage and processing of astronomical volumes of data, also known as big data. Networking that data on the Internet increases the amount of available data exponentially and circulates it around the globe constantly, sometimes in perpetuity, unfortunately. For many corporations, including web giants, personal data is crucial to the business model. Citizen-consumers are now the product they are marketing. To quote Daniel Therrien once again, we are now in the era of surveillance capitalism. Speaking of which, The Great Hack on Netflix is worth seeing. This is troubling. Furthermore, for our youngest citizens, the virtual world and the real world have merged. Their lives are an open book on Instagram, Facebook and TikTok. They think they are communicating with the people who matter to them, but they are in fact feeding the databases that transform them into a marketable, marketed product. We absolutely have to protect them. We need to give them back control over their personal information, which is why it is so important to amend and modernize our laws. I would like to close my speech with an appeal to the government. Bill C‑27 does a lot, but there are also many things it does not do, or does not do properly. Consent is all well and good, but what happens when our data is compromised, when it has been stolen, when it is in the hands of criminals? These people operate outside the law and therefore are not governed by the law. All the consent-related protocols we can think of go out the window. To avoid fraud and identity theft, we will have to clarify the measures to be taken to ensure that anyone requesting a transaction is who they say they are. This really is a new dynamic. In that respect, we are somewhat in the dark, even though, curiously, this is a growing problem. There is another gap to fill. Bill C‑27 provides a framework for the handling of personal information in the private sector, but not in the public sector. The government is still governed by the same old legislation, which dates back to the pre-digital era. The legislation is outdated, as we saw with the fraud related to the Canada emergency response benefit. The controls are also outdated. I therefore call on the government to get to work and to do so quickly. We will collaborate. Finally, there is another thing the government needs to work on and fast. We addressed this issue in committee when we were looking at the geolocation of data. Bill C‑27 indicates what we need to do with personal data, nominative data. However, with artificial intelligence and cross-tabulation of data, it is possible to recreate an individual based on anonymous information. As no personal information was collected at the outset, Bill C‑27 is ineffective in these cases. However, we started by recreating the profile of a person with all their personal information. It is not science fiction. It is already happening. Nevertheless, this is missing from Bill C‑27, both in the part on information and the part on artificial intelligence. I am not bringing this up as a way of opposing Bill C‑27. As I said, we will support it. However, we have to be aware of the fact that it is incomplete. As legislators, we still have some work to do. The time has come to treat privacy as a fundamental right.

3083 words

All Topics

Feb/7/22 6:06:39 p.m.
Watch

Mr. Speaker, dialogue, in which two parties discuss an issue to find a way forward, is a fundamental tool when considering ethics. Based on what I have heard today from the other side of the House, this is unfortunately a one-sided conversation in response to the committee members' attempt to reach out. We reached out and have gotten nothing in return. Does my colleague think that our colleagues on the other side will vote in favour of this motion?

80 words

Feb/7/22 5:48:14 p.m.
Watch

Mr. Speaker, I thank my colleague, the chair of the Standing Committee on Access to Information, Privacy and Ethics, for raising very important points. Indeed, this was done unanimously. Again, unanimity is not a flower worn on a lapel. It is a clear message that is sent to the House to say that all the parties agreed. The House should pay attention to that, especially when we say that it is very important and there can be no delay. Dr. Tam told us that so far, the information that has been extracted from the data in question has not been spectacular, and she also said that delaying the RFP would not be so bad. That is Canada's expert telling us that. Could my colleague remind us of some of Dr. Tam's messages?

134 words

All Topics

Feb/7/22 5:28:52 p.m.
Watch

Madam Speaker, I thank the member for Winnipeg North for treating us to the pizza story. As an aside, I would like to acknowledge his unwavering loyalty to the Liberal Party. I am half sorry. I know the member would have preferred to discuss Bill C-8, but the motion was moved and, like it or not, privacy is an important concern. Public and private companies should indeed be subject to the Privacy Commissioner of Canada. That much is certain. I am not sure whether my colleague has had the chance to see the film The Social Dilemma on Netflix. The film explains a bit about the ins and outs of possible perversions of privacy. Shoshana Zuboff, the main subject in the film, is going to appear before the committee to talk about this. If the member for Winnipeg North has not seen the film, I invite him to attend the meeting. With Nobel Prize-worthy experts testifying, I think it is worth listening. Is my hon. colleague asking whether Telus and the Public Health Agency of Canada are too big to fail?

183 words

All Topics

Feb/7/22 4:57:58 p.m.
Watch

Madam Speaker, I thank my colleague for demonstrating that our work at the Standing Committee on Access to Information, Privacy and Ethics is about much more than just this matter in connection with the Public Health Agency of Canada. We need to establish exemplary standards, as other countries have done, so that Canadians are well protected. Does my colleague believe that we could draw on the General Data Protection Regulation currently in effect in the European Union to quickly implement certain provisions on consent?

84 words

All Topics

Feb/7/22 4:41:17 p.m.
Watch

Madam Speaker, I thank my colleague for his enlightening remarks. Two problems have been identified. The first is related to consent, the second to data anonymization. I will focus on the first. We have been told over and over that anyone could consult the data on COVIDTrends. Telus users could opt out anytime because there was an opt-out function. Did users know they were supposed to check COVIDTrends, and did they know they could opt out? Is it reasonable to believe that COVIDTrends was known to the public given that the Prime Minister mentioned its existence just one single time, back in March 2020?

105 words

All Topics

Feb/7/22 4:17:26 p.m.
Watch

Madam Speaker, I spent 25 years advising governments around the world, and this is the first time I have been called a conspiracy theorist. That is unacceptable. The parliamentary secretary keeps telling us there is no problem, but denying the existence of a problem does not make it go away. Earlier, he said that all the information gathered was obtained on the basis of consent. This morning, the commissioner told us it was impossible to obtain consent from 33 million people. Being impossible, it is actually not even desirable. Was this information obtained on the basis of consent or not?

101 words

All Topics

Feb/7/22 4:10:29 p.m.
Watch

Madam Speaker, the parliamentary secretary has listed all the benefits of using data, and I have to admit that they are compelling. However, even if the end goal is commendable, part of the problem is that the parliamentary secretary is trivializing the issue. The committee members were unanimous in expressing concerns, and they are now confused. Why did the government not want to work with the Privacy Commissioner of Canada?

70 words

All Topics

Feb/7/22 4:00:26 p.m.
Watch

Madam Speaker, I thank my colleague for his question. Once again, I am not presuming that the government would misuse the data, but it is showing a lack of transparency and a desire to maintain that lack of transparency. As an ethicist, that concerns me.

45 words

All Topics

Feb/7/22 3:59:20 p.m.
Watch

Madam Speaker, I thank my colleague for her question. Opaqueness and transparency are two things that we talk a lot about in ethics. It is said that if something has to be opaque to succeed, it is probably less ethical than something that can stand up to transparency and light. I do not know why the government is dragging things out because, honestly, in its place, I would follow the unanimous recommendation of the committee and shed some light on the situation and, if necessary, prove that everything was done properly. I want to reiterate that I am not presuming that a mistake was made. I would just like confirmation that everything was done properly.

115 words

All Topics

Feb/7/22 3:57:49 p.m.
Watch

Madam Speaker, I thank my colleague for her comments. Like her, I am not presuming that a mistake has been made. I am simply saying that it is important to shed some light on this issue. What happened is that the government had to make a very tough decision and find a balance between two difficult situations: protecting public health, which is very important, and protecting people's privacy. Those are both very important things. What we want to know is how the government reconciled these two needs. Like my hon. colleague, I am definitely not presuming that a mistake was made, but we need to ask these questions. We are here to shed some light on the situation.

119 words

All Topics

Feb/7/22 3:55:37 p.m.
Watch

Madam Speaker, I thank my hon. colleague for his question. As he said, just because something is legal does not necessarily make it right. What may be considered legal is not always ethical. I tend to say that legality is the bare minimum. In this case, is the bare minimum enough? Since there are many other places with harsher and more comprehensive privacy regulations, I felt concerned in light of the commissioner's response and the use of this data. I think this is a real problem. Data use is something that happens; it is not a major crime. However, we do need to reflect on this because this issue will come up again. In previous reports, like his latest annual report, the commissioner said that the federal legislation was inadequate and called for it to be updated to reflect the new reality of big data, for example. For these reasons, I remain concerned, since it seems as though the bare minimum is being done here.

166 words

All Topics

Feb/7/22 3:53:54 p.m.
Watch

Madam Speaker, outside of being consulted, the commissioner was uncomfortable. He obviously could not comment on a large part of how the data was handled because of an ongoing investigation. However, I will say that he showed concern throughout his testimony. I asked him whether other countries had more effective protections than Canada does, and his answer was a sharp “yes”. I knew this already, having worked on these types of protections with the European community in the past. The commissioner was concerned about how the data was disaggregated and reaggregated. A lot of technical terms were used, but in essence, he was saying that he was concerned and could not comment on some things because of the ongoing investigation.

122 words

All Topics

Feb/7/22 3:50:51 p.m.
Watch

Madam Speaker, I thank my hon. colleague for the question. Those are very valid points, and my concerns are twofold. I am referring to the source and the end of the process. First, at the source, there is not a modicum of user consent. Then, the point my colleague raises is very important. A number of experts have told us that once data has been de-identified, which is a new word I learned recently that means anonymized, the de-identified data can easily be re-identified, emphasis on the word easily. I am not making this up, it comes from a witness who will be testifying at committee shortly. If de-identified data can be re-identified, then honestly, we are in trouble when it comes to privacy, because there is no longer any protection. Of course we want to ensure that the process has been done properly and that if it has, the data cannot be used for other purposes. For example, we want to ensure that it cannot be used after the pandemic. I am not feeling at all reassured at this time. In fact, I am concerned. The origin of the data, the processing of the data and the manner in which the data will be used have me concerned.

214 words

All Topics