SoVote

Decentralized Democracy

Member of Parliament

James Bezan

  • Member of Parliament
  • Conservative
  • Selkirk—Interlake—Eastman
  • Manitoba
  • Voting Attendance: 67%
  • Expenses Last Quarter: $140,796.07

  • Government Page
Context: House Hansard - 164 - Mar/6/23
Mr. James Bezan (Selkirk—Interlake—Eastman, CPC)
  • Mar/6/23 1:02:49 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, I am pleased to be able to rise in this place today and speak to Bill C-26, a bill that we as Conservatives are supporting to get to committee. I have a lot of concerns around the bill itself, in terms of making sure that the government did not make a number of errors in judgment in putting it together. These concerns are based on the feedback we have received from Canadians and from organizations, especially on the issues surrounding privacy and the costs that have been offloaded to the private sector. I also have to raise my concerns. Here we are, eight long years under the Liberal government, and we know that, when it has come down to cybersecurity, it has been slow in responding. A good case in point was banning Huawei from our critical infrastructure, our 5G network. We know that the Liberals sat on their hands and tried to do nothing for most of the past seven years, before they were finally forced to act after a great deal of pressure was brought upon them by our allies, especially within the Five Eyes. Cybersecurity and national defence go hand in hand. When we talk about our national defence and national security, we know that hybrid warfare has evolved. It is now about more than just targeting military assets; it is about targeting the entire government as it is at play. All we have to do is look at what is happening in Ukraine today, as well as what has happened to a number of other allies we have, through NATO, in eastern Europe. We see the troll farms in St. Petersburg constantly attacking, on Facebook and on Twitter, the military individuals, the soldiers and troops, serving there. They also attack things like critical infrastructure in countries where Canadians are currently deployed, like Latvia. As we have witnessed in Ukraine and Estonia, they have not just gone after them through direct kinetic means to take out critical infrastructure, but they have also gone through cyberwarfare as well. The Russians have done this very effectively in knocking down financial systems, knocking down transportation systems, and taking out power and water infrastructure in places like Estonia. As a prelude to the war in Ukraine, before they had actually started bombing these civilian targets in Ukraine, they were attacking them on cyber. It is part of hybrid warfare and it is the evolution of war. There is a responsibility upon the Government of Canada to ensure that we are protecting not just our national infrastructure and the Government of Canada, that we are not just using CSE, or Communications Security Establishment, to protect national defence, but that we are also using a plethora of capabilities to ensure that our infrastructure here in Canada is protected. That includes preventing our adversaries from going after our soft targets. That is what I think Bill C-26 is trying to accomplish, to ensure that telecommunications companies in Canada are stepping up to do their share to protect Canadians from cyber-attacks. We know that cyber-attackers have gone after things like our health care systems. They have gone after the medical records of Canadians. They have gone after the education records of students at schools and at universities. They go after retailers. They can go in through a retailer's back door, harvest all sorts of personal data, especially credit card information, and then use that for raising money, for transnational criminal gangs or for ransomware, as we have witnessed as well. We must remember that we have a number of a maligned foreign actors at play here in Canada now and against our allies. It was just reported, again, that the People's Liberation Army was found guilty of hacking into U.S. critical infrastructure. We know that the People's Liberation Army, under the control of the communist regime in Beijing, continues to attack cybersecurity assets around the world, including trying to break through the Canadian cybersecurity walls of our government and national defence on a daily basis. As I mentioned, Russia has become very good at this. That does not mean that it is concentrating only on its near sphere of influence, NATO members in eastern Europe like Estonia, Latvia and Lithuania, but it is also targeting Ukraine. We know that it is targeting Moldova. We know that it has gone after countries like Romania, but it also does cyber-attacks here in Canada and in the United States. Russia continues to be an adversary and we have to stand on guard to protect Canadians from those attacks. We know that Iran, the regime in Tehran, is continuing to be a government that attacks its neighbours and attacks Israel and Canada through cyber-means. North Korea has developed an entire cybersecurity and cyberwarfare unit and continues not to just wreak havoc with the democratically elected, peaceful South Korea, but has also gone after Japan and the Phillippines, and is going after U.S. infrastructure as well. Therefore, we have to take the necessary steps to make sure we can deal with transnational criminal organizations, with nefarious foreign states and with those who are trying to get rich through ransomware. Here in Canada just a couple of years ago, we saw a situation in regard to the Royal Military College in Kingston, which the member for Kingston and the Islands is certainly aware of. The Department of National Defence stated that RMC had been a target. It originally called it a mass phishing campaign, but a month after the incident, it was established that the phishing campaign was actually a cyber-attack going after financial information and personal data of cadets. These had been compromised and published on the dark web, and were made available to a lot of people who participate on the dark web to profiteer from that information. According to several observers who looked at the hack of RMC Kingston, it was attributed to a cybercriminal group called DoppelPaymer that did not seem to be connected to a nation-state actor. There are criminal organizations out there that are going about their criminal activities in such a way as to extract dollars from governments, retailers and private citizens, as well as from other corporations, to line their pockets and continue doing other nefarious things that sometimes go beyond the cyberworld. I have said in the past, when we have talked about other legislation here dealing with cybersecurity, that we not only need the ability to defend, but also that the government has the responsibility, especially under national defence, to attack using cybersecurity. We cannot just be here deflecting the arrows; sometimes we have to be able to shoot down the archer. The way we do that is by having a very robust cybersecurity system. We need the best capabilities and the best personnel who are able not only to sit here and defend, that is to put up shields and fight off the attacks, but also are able to go out there and take out the adversaries, to knock out their systems, so that we are safer here at home. With regard to some of the criticisms that have come out, I know that letters have come in from the Canadian Civil Liberties Association, and the Business Council of Canada wrote a very detailed brief, as did the Citizen Lab in looking at the bill. When we read through the documentation, we see that one of the concerns that has been raised, especially by the Business Council of Canada, is that there seems to be an imbalance. We are telling members of corporate Canada to go out there and make sure they have the proper cybersecurity systems in place, but at the same time we realize that it is not just up to them to do the defending. What we see is that the corporations are saying that either they have to do it or we are going to fine them up to $15 million or five years of jail time, and that the individuals who work for them could also be held criminally responsible for not doing enough. Sometimes resources are not available. Sometimes there are new companies that may not have the ability to put in place the proper security systems. I look at a lot of the Internet service providers that we have, for example. They are covered under the Telecommunications Act, yet, as new start-ups, they may not have the personnel or the equipment to properly defend their networks. Would we go ahead and fine these companies up to $15 million? Then what would we do in regard to jail time and fines for those criminal organizations that are profiteering through cyber-attacks? Where is the balance in this? That is one of the concerns we have and one of the things we have to look at through our study at the industry committee when it brings this forward. A huge concern has been raised, especially by the Canadian Civil Liberties Association, on how this would be implemented and how it may affect the privacy rights of Canadians at the individual level. Corporations have broader responsibilities and do not necessarily fall under the charter, but their clients who they are going to protect and the information they are going to be required to share with the Government of Canada could very well be violations of their clients' privacy rights. When we look at section 7 of the Charter of Rights, we have to balance the right to life, liberty and security of a person with section 8 of the charter which says that we have freedom from search and seizure. When we drill down on section 8 and go to some of the legal analysis of our charter, as all the rights and freedoms are laid out, it tells us that the underlying values of freedom from search and seizure when it comes to individual privacy is the value of dignity, integrity and autonomy. Again, I think we are all concerned that when we look at Bill C-26 at committee, we ensure the bill balances those rights of the individual to be both secure and safe from cyber attacks, but do it without compromising privacy rights and charter rights as described in freedom from search and seizure. The way we do that is through warrants. We know that through National Defence, the Communications Security Establishment, or CSE, which has a long-standing history of defending the Canadian Armed Forces, has to comply with the charter. It has to comply with all Canadian legislation and it cannot do indirectly what it is prohibited doing directly. Therefore, CSE cannot go to the National Security Agency, or NSA, of the United States, say that it is concerned that a Canadian maybe talking to a terrorist organization offshore and ask the agency to spy on that individual because CSE is prohibited from spying on the person and listening in through the Communications Security Establishment. CSE cannot go to the NSA and ask it to violate Canadian law on its behalf to find out what is happening in the same way CSIS cannot go to the FBI or the CIA and ask it to spy on Canadians. It cannot do indirectly what it is prohibited from doing directly under Canadian law. The way to get around that is to apply for warrants. Judicial appointments are made to have supernumerary justices over these organizations to ensure that charter rights are protected, even when conversations take place inadvertently. In the past, CSE has listened in on people who may have been in Afghanistan funding the Taliban or al Qaeda. They may have family in Canada and were talking back and forth about something that had nothing to do with operations on al Qaeda or the Taliban. However, because it involved a Canadian citizen, it had to go through the proper processes to ensure that his or her charter rights were protected by getting a warrant to listen to those conversations. Whether they were listening electronically or through wire taps, it is all mandated to watch that we do not trip over the rights of Canadians under legislation. Bill C-26 would not address this like we have under the National Defence Act, under the Criminal Code and under the whole gamut of cybersecurity that has been in place up to date. The privacy rights are paramount. To come back to Bill C-26, the Supreme Court of Canada said in 1984, as well as in 1988, that privacy was paramount and was “at the heart of liberty in a modern state”. Again, did the Liberal government ensure the bill was tested first to ensure those privacy rights were protected? This is what we will have to find out when we get Bill C-26 in front of committee. We can look at information that has come from places like the Business Council of Canada. One of the concerns it raises goes back to this whole issue of huge fines on Canadian corporations, as well as the employees of those corporations, if they are found to have been not responsible enough to put in place proper security protocols to protect their clients from cyber attacks. Because it goes against individual employee as well, we will create another brain drain from Canada. We are unfairly targeting Canadian employees who are going to be working for these cybersecurity firms, working in the telecommunications sector and in our financial institutions. If they are found to have erred, which a lot of times it is by error or by a lack of resources, then they are held criminally responsible and they are fined. The question becomes why they would want to work in Canada when they are afforded better protections in places like the United States, the European Union, the United Kingdom or Australia, which was held up by the Business Council of Canada as the gold standard we should be striving to achieve, and what it has done through their own cybersecurity protocols. We want to ensure that we protect critical infrastructure, but we do not want to chase away very good Canadian employees and force them, with their skills, to go offshore where they have better protection and probably better pay. We want to ensure we keep the best of the best here. We want to ensure we do not go through a brain drain, as we have witnessed before when the Liberals have targeted professionals in Canada, such as lawyers, accountants, doctors or anyone who set up a private corporation. Now I fear the Liberals are going after individuals again who we need in Canada to protect us here at home, that they are creating a toxic work environment and those individuals will want to leave. The Citizen Lab wrote a report entitled “Cybersecurity Will Not Thrive in Darkness”. It brought forward a ton of recommendations on how bad this bill was. It suggested that there needed to be 30 changes made to the act itself. We realize that the government has not done its homework on this. We need to ensure we get experts in front of us who are going to look at everything, such as there is responsibility upon government to help corporate Canada ensure we have the proper security mechanisms in place to prevent cyber attacks. We have to ensure that those corporations are not being coerced into sharing private information with the Government of Canada that could be a violation of private rights, which may be a violation of the Personal Information Protection and Electronic Documents Act, PIPEDA. We want to ensure that privacy rights will be cohesive, but, at the same time, collectively, we need to balance all federal legislation that is in contravention of each other. We need to bring in the legal experts. The Canadian Civil Liberties Association needs to be before committee. The Citizen Lab, which is very concerned about individual privacy rights, has to be front and centre in the discussion. We need to ensure the Business Council of Canada, the Canadian Chamber of Commerce and others are brought forward, along with the department officials who were responsible for drafting this bill at the direction of the Liberal government. I will reiterate that I will be voting in favour of the bill to ensure it goes to committee and the committee can do its homework. I would hope that the government will allow the committee to do a thorough investigation, as well as a constructive report with recommendations on how to change and amend the legislation. Finally, I would remind everyone that the Supreme Court of Canada said, “privacy is at the heart of liberty in a modern society”, and we have to take that to heart to ensure we protect Canadians from cyber attacks, as well as to ensure they have their privacy, dignity, integrity and autonomy respected.
2837 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 136 - Nov/28/22
Mr. James Bezan
  • Nov/28/22 4:59:30 p.m.
  • Watch
  • Re: Bill C-27 
Madam Speaker, I do not believe that the bill lives up to the gold standard of European Union law. The European Parliament has been very good at having general data protection regulation. That is the gold standard. The bill does not provide the types of safeguards that protect the interests of Canadians. We need an ongoing discussion on how the personal information of Canadians is protected. Bill C-27 does not provide all the guardrails required for the protection of individual Canadians. A task should be given to the industry committee or the ethics committee to dive deeper to make sure we have an opportunity to hear from more witnesses and to provide the amendments that are so desperately needed to the bill. I think it actually needs to go back to be redrafted.
134 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 136 - Nov/28/22
Mr. James Bezan (Selkirk—Interlake—Eastman, CPC)
  • Nov/28/22 4:36:10 p.m.
  • Watch
  • Re: Bill C-27 
Madam Speaker, it is indeed a pleasure to rise to discuss Bill C-27, an act to enact the consumer privacy protection act, the personal information and data protection tribunal act and the artificial intelligence and data act. There is a lot happening in Bill C-27. I have a lot of concerns about this bill, and that is why I will be voting against Bill C-27. It would not do the things we need to do to protect the privacy of Canadians. I would first flag, in looking at this legislation, that the first act it would create is the consumer privacy protection act. Why is it not the Canadians' privacy protection act? Why are we talking about consumers and giving more ability to corporations to collect the privacy data of Canadians? That, to me, is very disconcerting and one of the things I want to talk about during my presentation. The Personal Information Protection and Electronic Documents Act, PIPEDA, was the very first piece of legislation we had back in 2000, so it has been 22 years since we have updated legislation related to the issue of the privacy protection of data that has been shared online. Of course, technology has evolved significantly over the last 20 years. If we look at PIPEDA, it all rolls back to 34 years ago when the Supreme Court of Canada said, “that privacy is...the heart of liberty in a modern state”. It said “privacy is...the heart of liberty”, and that completely falls back on the Charter of Rights and Freedoms. Concerning fundamental freedoms, subsection 2(b) of the charter says, “freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication” while subsection 2(d) refers to, “freedom of association.” We know very well that people's privacy has to be protected on anything they do online, what they do through mobile apps, what they do in their email communications and the collection of that data by service providers because, ultimately, anything we do online goes through a service provider on the Internet, and we have to ensure that our charter freedoms are protected to ensure our liberty. We already know that under freedom of association, a lot of people who gather in Facebook groups and other fora on the Internet have already been violated by the Emergencies Act. We know that during the “freedom convoy” in the city, the government was harvesting data and that data was then shared by some means. With GiveSendGo, the data was mined off of it, shared on Google Maps and distributed across the country. People's individual financial information, the ultimate piece of privacy that should be protected, went across this country and the government failed to intervene. Bill C-27 falls short on what needs to happen to protect privacy, recognizing how people are using the Internet and modern technologies, especially with mobile apps and everything that is happening on our phones. However, the protection of individuals is worth it and the privacy rights are worthy of constitutional protection, which Bill C-27 fails to recognize. We do not have a definition of privacy rights or a guarantee of privacy rights in Bill C-27, and that is why it fails. I am the shadow minister of national defence, but earlier this year I served for a number of months as the shadow minister of ethics and digital information. I can say that, during my time serving on the ethics committee, it dealt with a number of issues. One of them, of course, was the use of Clearview AI, the facial recognition software that the RCMP and other police agencies use across this country. The ethics committee dug in deep and provided a report. The Liberals let the RCMP make use of this technology under their tenure and did not say anything until it became public. Clearview AI, an American company, was scraping images off of Facebook and other social media such as Instagram to populate its database. That information was then used, using artificial intelligence, to profile and identify people using mass surveillance techniques. We found through testimony that, not only was this done illegally, and the Privacy Commissioner ruled that Clearview AI had broken the law and that the RCMP had used it illegally, but also it was racially discriminatory as well, and it was a huge problem that people of colour and women were unfairly treated by this AI. Bill C-27 would not regulate the use of facial recognition technology such as Clearview AI. Right now, we know the RCMP disagrees with the ruling of the Privacy Commissioner, so the question is whether CSIS, the Department of National Defence or the Communications Security Establishment are making use of similar types of technology. I will get into some of the recommendations from that report if I have time later on, but we did call as a committee, and it was adopted by the majority of members on our committee, for a federal moratorium on the use of facial recognition technology. We called for new laws, guardrails and safeguards to be built into legislation through PIPEDA and through the Privacy Act. Bill C-27 would not provide that protection to Canadians. It would not ban or install a moratorium on the use of FRT, so that is absent. Also, we asked that all companies be prohibited from scraping the images of Canadians off the Internet, whether it be through Facebook, Instagram, TikTok or whatever the app might be. We know that this causes potential harm to Canadians, yet Bill C-27 fails again to recognize this harm. The Liberals failed to incorporate recommendations coming from a standing committee of the House into this legislation. One of the other things we heard about was that Tim Hortons was caught mass tracking Canadians who were using their app. If anyone who had the Tim Hortons app went to a Tim Hortons location and bought a coffee and a donut, that app was then used to track the behaviours of consumers of Tim Hortons as they were travelling for the next 30 minutes. Again, this shows how the sharing of personal information and the mass data violation with the tracking of individual Canadians violated their privacy rights. Although Tim Hortons assures us they are not doing it now, we are not sure what happened with that data. Was it shared or sold to other corporations? Again, Bill C-27 would give companies, under clause 55 of the bill, a litany of exceptions to consent to sharing that personal information they collected through the use of their app. That would violate our privacy rights. Although the Liberals have built in here words about consent and the ability for individuals to write in with consent or get removed, when it comes to terms and conditions, most Canadians, when they download an app and check the box to say “yes”, they have not read those terms and conditions. They do not know that some of these apps, as Tim Hortons was doing, were actually undermining their own privacy rights as they apply to the use of mobility data information, and because those terms and conditions are long, legalistic and cumbersome, people refuse to actually take the time to read it. Just because someone checks the box to say “Yes, I consent to using this app”, does not give those companies the right to violate the privacy of those individuals' outside of the commercial transaction that takes place between them and, in this situation, Tim Hortons. The exemptions that are allowed under the bill for corporations need to be changed in the bill. There is no we can support it as Conservatives because they would be huge violation of privacy and of mobility, which are all things that are provided under our charter rights. Under the government, we also saw the Liberal Minister of Health stand up and defend the Public Health Agency of Canada, which was caught red-handed having companies such as TELUS track the movement of Canadians via their cellphones. It said that it de-identified all the data it collected, but it wanted to know how Canadians were moving around the country underneath the auspices of the COVID pandemic and how transmission was occurring. That was a violation of privacy. At committee, we made a bunch of recommendations, which the government has failed to implement in Bill C-27. Bill C-27 gives companies, such as TELUS and other mobile service providers, the ability to track the movement of Canadians across this country. It may want to call it “meta data” or say it has been de-identified, but we also know from testimony at committee that it can re-identify the meta data that has been turned over to the government. We have to make sure that it is done in the public interest and under the auspices of national security, public health and national defence. If that type of data is being collected, then there has to be a way to dump that data and ensure it disappears forever. One of the other studies we undertook was of the Pegasus software system, which is very insidious. It is being used for national security. A similar type of technology is being used right now by the RCMP, CSIS and others. It has the ability to turn people's cellphones into video cameras and listening devices. It is a very cryptic, insidious spyware, or malware, that people can get on their phones by accidentally clicking on a piece of information, like opening up an email, and it will download. Then they can listen to the individuals in that place. They do not have to bug people's houses anymore. They do not have to use high-grade technology to listen to the interests of individuals because it gives them the ability to turn cameras on to watch what they are doing, and turn microphones on to hear what they are discussing without them ever knowing it. We want to make sure charter rights are protected. There are times we have to use this in the collection of data. There was definitely the admission by members of the RCMP that they have used it over a dozen times. They have their own system, not Pegasus, but one similar to it. We know that to use that type of technology, to protect the rights of Canadians, there should be a warrant issued to ensure there is judicial oversight, even if it is being used by the Department of National Defence and CSE, we have to make sure it is not being used against Canadians and only deals with those national threats they refer to as threats that are foreign entities. That is something that Bill C-27 fails to recognize. I should say this as well. We heard at committee that this type of technology is being used against politicians, that there is foreign interference out there. As we have come to learn on different occasions, there are countries out there and other agencies that are interested in what we are saying as politicians, not just here in the House, but the private conversations we have in caucus, among colleagues, when we get together at committees, at pre–committee meetings, and the discussions we have in our offices. Our phones have become listening devices, so we have to be aware of that. One of the things we have always talked about is what the gold level standard is to protect individuals, the citizens of our country, and to ensure their privacy rights are paramount in all the discussions we have. At the same time, we know there are going to be advances in technology, and the need at times to have police agencies, the Department of National Defence and the military use technology that could violate the rights of some people, but always with that judicial oversight that is provided underneath the charter. That gold standard is the European Union’s General Data Protection Regulation. We see that the gold standard goes well above and beyond what Bill C-27 is trying to do. Bill C-27 falls way short. We heard at committee that with the data collection taking place on apps, online surveillance measures have to provide the right for data to be forgotten, or the right to data disposal or erasure, another terminology that is used. It is about making sure that data collected, even if it is for the public good or even if it is metadata, is disposed of at the end of the day. It should not be that I consent to have my data removed from a database by checking something off or having to write in an app being used to buy coffee at the neighbourhood store, for example. It should be that it is our right to be forgotten and that after a certain time frame, data is erased forever from the database where it is being held and is not used again for commercial purposes, nor used, sold or traded among commercial entities. The gold standard that the European Union has is not included in Bill C-27. Again, that is why we have so many concerns. When we look at clause 55, which has already been mentioned by a number of my colleagues, it has a boatload of exemptions built in for corporations to get around the removal of privacy data. These exemptions allow them to write in, make changes and share data. We have to make sure the onus is not on Canadians to get their privacy information back or to get their privacy information removed. The onus should be on corporations to prove why they need it. The onus also has to be on the government. This is about transparency and accountability. There needs to be a realization that Canadians deserve an explanation as to why some of their data may be used, even if it is de-identified, and why it would be used for the buildup of public policy or to deal with issues like a pandemic. Just to move forward a bit, I note that given some of things we saw at committee when we were looking at facial recognition technology, the power of artificial intelligence and the growing power of AI, we made a number of recommendations. They included that whenever the government looks at using artificial intelligence or FRT for military, defence or public safety, it needs to be referred to the National Security and Intelligence Committee of Parliamentarians for study, review and recommendation, and it needs to be reported publicly. There also needs to be a public artificial intelligence registry for the algorithmic tools being used. However, we do not see that registry for artificial intelligence companies in Bill C-27. I have already talked about the right to be forgotten and said there needs to be a set period of time. I have talked about the prohibition on the practice of capturing images of Canadians from public platforms such as Facebook, Instagram and Twitter. We also need to make sure there is a federal moratorium on using FRT until we have proven it is needed by police agencies, the justice system has proven that it works and we are sure it is not racializing Canadians in its use. Ultimately, the Privacy Commissioner and judicial authorization have to override that. As Daniel Therrien, the Privacy Commissioner, said about the RCMP: [It] did not take measures to verify the legality of Clearview’s collection of personal information, and lacked any system to ensure that new technologies were deployed lawfully. Ultimately, we determined the RCMP’s use of Clearview to be unlawful, since it relied on the illegal collection and use of facial images by its business partner. Its business partner was Clearview AI. There is an ongoing need to ensure that charter rights and international human rights are brought together in a collaborative way in how we all form our opinions on Bill C-27. I hope the bill is taken back and redrafted, and if not, I hope there is an opportunity to make massive amendments to it so that it actually takes into consideration the privacy rights of all Canadians.
2743 words
All Topics
  • Hear!
  • Rabble!
  • star_border