Elizabeth May Report Stage Speech on Bill S-4

Mr. Speaker, I want to start by expressing my sincere thanks to my colleague from Terrebonne—Blainville, who just delivered a very important speech. She worked very hard on her own bill on this topic, and I think her bill should have been passed. In my opinion, her bill was far superior to Bill S-4.

I share the sentiments of the hon. member for Winnipeg North. He, like the member for Terrebonne—Blainville, said that all the opposition parties thought that in light of the work that went into the current bill and all the others, such as Bill C-12, the government might make the effort to take a collaborative approach with the other parties. Unfortunately, that was not the case.

Here we are, looking at Bill S-4, a bill that comes to us after, as we have heard from other members, a convoluted process, a bill that died on the order paper, a superior private member’s bill that failed when the Conservatives did not support it. It is an effort to bring up to date the Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA.

This is, of course, a very significant area of citizen and consumer concern. PIPEDA was passed in 2000, and a lot has changed in the world of digital information, privacy concerns, and information held by Internet providers, banks, and a great number of organizations to which Canadians trust their private information online.

Bill S-4 should have been an attempt, and may in fact have been an attempt that failed, to adequately balance the privacy rights of Canadians and the important facilitation of commerce in Canada. That would certainly be the expectation.

The larger context around which the bill comes to us is one in which we have had some rather spectacular accidental breaches of the privacy of Canadians through the release, through various errors, human errors, of health information, consumer information, and banking information because of breaches in the system.

One would have thought, especially in the specific context of the last year, that in drafting the bill, the government would have been very cognizant of the decision of the Supreme Court of Canada in June 2014 in the Spencer decision. That was a decision written by Mr. Justice Tom Cromwell, one of my former friends and professors from my time at Dalhousie Law School, a brilliant legal mind and someone who has, within the Supreme Court of Canada, written a number of critical and important decisions. The Spencer decision is one of them.

The Supreme Court of Canada, in Spencer, came down very clearly on the side of the privacy rights of Canadians. Mr. Justice Tom Cromwell wrote in his decision:

…the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information….

He went on to note that users would never really know when their information was forming some sort of pattern that resulted in a review, and users, consumers, would not know when their information might be becoming accessed. However, in entering into agreements with ISP providers, the Supreme Court of Canada, through Mr. Justice Cromwell, noted that there is a “reasonable expectation of privacy in subscriber information”.

There is no denying that Bill S-4 would do some things that are fairly universally approved of by those who are leading critics in this area. The Privacy Commissioner for the Government of Canada, and of course, the Privacy Commissioner is an officer of Parliament, saw a number of significant improvements.

The Privacy Commissioner started his review by turning his attention to the purpose of PIPEDA in the beginning, back in the year 2000, noting:

The purpose…is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Given the fast-changing world of digital communications, with the Internet, the cloud, and all the various ways in which we now store information online, fortunately Parliament saw fit in the year 2000 to include a five-year mandatory review of PIPEDA so that we could keep up with the ways in which technology moves so rapidly.

Generally speaking, some of what is being done here has met with universal support. The risk-based approach that would allow organizations to assess each incident on a case-by-case basis was supported by the Privacy Commissioner, at least. The Privacy Commissioner would have an opportunity to enter into compliance agreements, but while the Privacy Commissioner found this acceptable, numerous other commentators did not. They did not feel it went far enough or actually protect privacy information adequately.

The things that met universal approval I will list briefly. The improvements in Bill S-4 include the additional qualification and clarification of what is meant by the standard of consent, the extension of a deadline to take cases to the Federal Court, and of course, the expansion of the powers of the Privacy Commissioner to publicly disclose information related to findings. These were things the Privacy Commissioner liked.

Leading critics include, and my friend from Terrebonne—Blainville has already pointed to one of the leading critics in this area, Professor Michael Geist, advisers, and a very exceptional group of lawyers who now work a lot on information privacy law at the Public Interest Advocacy Centre, where, in the 1980s, I was also associate general counsel. However, in those days, believe me, we did not have open files on Internet data and privacy, because we were mostly dealing with trying to advocate in areas of technology that now seem very outdated. In any case, the Public Interest Advocacy Centre has stayed on top of the technology.

We had from the Canadian Bar Association, the Public Interest Advocacy Centre, Professor Michael Geist, and of course, members of opposition parties a rich group of substantive and helpful amendments that would have led to universal support for this bill at that moment. Unfortunately, those amendments were all rejected.

I want to look at three aspects in the time I have left this afternoon: compliance agreements, the expansion of voluntary disclosure, and transparency reporting.

Compliance agreements are a source of concern. The way in which they are drafted in Bill S-4 would have been acceptable had they been strengthened and had penalties or had an order-making power been available to the Privacy Commissioner, but they have none of those things. The Canadian Bar Association brief made this point about it:

Our principal concern is that while entering into such an agreement with the Privacy Commissioner stays any court enforcement by the Commissioner, it does not have any effect on any affected individual’s right to go to court against the organization for the same matter under investigation. This omission means that there is a much lower incentive for organizations to enter into such agreements. Also, it is not consistent with the regime in other similar schemes.

Despite recommendations to improve this, no improvements were made.

Second, the expansion of voluntary disclosure is probably for me the most significant failure of Bill S-4 and is quite inexplicable in that it runs directly counter to the Spencer decision I referenced earlier. This needed to have much more rigour to ensure that there was no warrantless access. This is the key issue. The task force should have come down harder for privacy rights.

Last, in transparency reporting, there should have been reforms to require organizations to publicly report on the number of disclosures they make without knowledge or consent and without a judicial warrant.

This information should have been disclosed on a regular basis for transparency, and organizations should have been required to notify affected individuals within a reasonable time of any accidental disclosure.

With that, I regretfully conclude that Bill S-4 does not meet the standard this Parliament should expect of an update to PIPEDA.