The following is an exchange from an April 19 House of Commons debate on Bill C-11 and the data privacy of Canadians under the Digital Charter Implementation Act, 2020. MP Zimmer speaks to the need for stringent protocols and his concerns over "huge exceptions" in the legislation for uses of data.
MP ZIMMER: Many in Parliament know of the previous work that has been done by the access to information, privacy and ethics committee. We dealt with this in 2018 around Facebook and Cambridge Analytica. We came together in London for the first meeting of the International Grand Committee, which represented nine nations and close to half a billion people. We have all seen how data manipulation can be misused by big tech, and our efforts in the International Grand Committee were really to set the stage for what we can do together to push back on some of big tech's practices and hopefully reform those practices. As chair of that committee, I was especially pleased with the efforts of all the parties in the room. In their speeches, the member for Beaches—East York, the member for Timmins—James Bay, my own colleague from Thornhill and many others took this on, as we care about all Canadians' data and privacy.
It is laudable that Bill C-11 attempts to combat some of the concerns that we have and crack down on some of those practices that have been concerning for many years. It deals with things like algorithm accountability, which has been mentioned by some colleagues today, personal access to data, de-identification of information, and certification programs for big tech so that there is a certain set of standards to be followed. Some of these moves have already been taken up by some in big tech who are doing this on their own to some extent. Stiffer penalties are recognized in Bill C-11, as well as private right of action.
However, there are many other things I am concerned about that are simply not in the bill, or there are huge exemptions that a freight train could run through, which would neutralize the bill in many respects.
First, privacy as a human right is the number one thing that I do not see in the bill. Many have said, from our efforts, that privacy as a human right needs to be foundational to any legislation. Conservatives recently passed a policy that deals with this exact principle:
“The CPC believes digital data privacy is a fundamental right that urgently requires strengthened legislation, protections, and enforcement. Canadians must have the right to access and control collection, use, monitoring, retention, and disclosure of their personal data. International violations should receive enforcement assistance from the Canadian Government.”
Clearly, this is a concern of many. We have heard from countless witnesses and experts. Jim Balsillie, who has been mentioned already this morning, warned us of what can happen if we do not take this seriously.
I will talk about the exemptions in the bill that concern me, and my copy of the bill is very well highlighted for some of the errors that are in it.
There is “Exceptions to Requirement for Consent.” A meaningful consent is another principle that we really need to address in the bill, and it has been mentioned already. If children have an app they like to play games on, all that has to be done to basically hand over their data is just a little check box in order to play the game, and we call that “meaningful consent”. Bill C-11 says that it attempts to fix that, but I will go over the exemptions.
“Exceptions to Requirement for Consent” states:
An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for a business activity described in subsection (2)”
This is the list of activities in subsection (2) that are exempt from meaningful consent:
(a) an activity that is necessary to provide or deliver a product or service that the individual has requested from the organization;
(b) an activity that is carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk;
(c) an activity that is necessary for the organization’s information, system or network security;
(d) an activity that is necessary for the safety of a product or service that the organization provides or delivers;
(e) an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual; and
This is the big one:
(f) any other prescribed activity.
I appreciate the Liberal members stating that this bill is an effort to get us to a better place around data privacy in Canada, but exemptions like that in the legislation need to be addressed. That is why our party talked about getting Bill C-11 to the industry committee to have a fulsome discussion of its good parts and of what needs to be fixed and strengthened. Sadly, the current government has decided to send it to the ethics committee instead of where it should go. Some of the audience today might understand why. Because of the government's many ethical lapses and failures, it would like to use up all of the time it possibly can with other legislation, such as Bill C-11. Only ethics violations should really be discussed at the ethics committee. It is unfortunate that this is going to be pushed to the ethics committee. My hope for legitimate changes to the legislation may be muted by a rush to get through it, and it may not be given due diligence, as many Canadians are expecting it should.
I want to thank the Canadians who have come to me over the years to talk about their concerns around the way our data is collected. Many years ago I coined the phrase that our online data is essentially our digital DNA. It is who we are online, and we need to do all we can to protect the information and data of Canadians. In this new era of social media being in the public square, we need to do our due diligence as legislators to make sure that it is protected as much as possible. Unfortunately, although the effort is laudable, this legislation simply falls short. That is why, from our perspective, we want to see it go to committee and hopefully changes can be made there.
There is an old saying: “Don't let the perfect be the enemy of the good.” I do not think we can call this legislation good quite yet.
I wanted to thank some of the guests we had before us. There has been some discussion that not enough has been heard regarding privacy and digital issues online, but we had countless experts from Canada and heard from experts around the world. We heard from Shoshana Zuboff and many witnesses at our International Grand Committee who really set the blueprint for what can be done with digital and data privacy. We have a way to make it better.
Our Privacy Commissioner made many suggestions. We see some of those in this legislation regarding increased fines and stiffer penalties for big tech if they misuse people's data or have lapses with that. However, the legislation still falls short. My hope is that it gets to committee so the committee can get a really good eye on it and have the chance to propose some fixes to those exemptions and other holes in the legislation.
I look forward to any questions.
MP ELIZABETH MAY: Mr. Speaker, the hon. member for Prince George—Peace River—Northern Rockies and I may be known around this place to rarely agree with each other, but I want to salute him for his leadership on this work. We are 100% aligned in that we need to do much more to, in his words, deal with the appropriation without consent of our digital DNA. I agree with him: It is unfortunate this is going to the ethics committee instead of industry, but it is one of those files that has feet in both committees.
What does he think would be the most important amendment to make to this legislation, or should we scrap it and start over as some critics are suggesting?
MP ZIMMER: Mr. Speaker, I would like to thank the member for her comments and kind words.
The most important thing would be to recognize privacy as a fundamental right or a property right. It needs to be recognized with that significance. The rest comes from that being at the top of the pyramid, because if that fundamental ideal is not there many other reasons can be made not to legislate appropriately. However, if that is the foundation we have a great place to go with the recognition of how serious data is. It really is our digital DNA. We need to protect it as such, and apply rules to big tech and other companies so they use it appropriately.
MP JENNY KWAN: Mr. Speaker, regarding Bill C-11, the Privacy Commissioner has stated that he is concerned with the government's new definitions of commercial activity and consent rules. The current bill actually has much less protection of privacy than the previous definition.
I wonder whether the member could comment on that. Does he share those concerns? Should the government be making amendments in this regard?
MP ZIMMER: Mr. Speaker, I do share those concerns. In my work as the former ethics chair, I have gotten to know our Privacy Commissioner professionally, and I really heard the case for having stringent protocols around data. Again, this bill is supposed to deal with those concerns, and I listed the exceptions, even for the requirement to consent. Members can use the analogies they want, but a truck could drive through it. When there are huge exceptions for uses of data this bill should tighten them up, not open them more widely and broadly. I think this is what needs to be addressed in committee, and my hope is that it will be at ethics.
MP TED FALK: Mr. Speaker, I want to thank the honorable member for Prince George—Peace River—Northern Rockies for bringing to the attention of the House some of the errancy of Bill C-11. In particular he noted that this bill should be heading to the industry committee, and it has found its way back here because the Liberals are trying to prevent the ethics committee from doing its work on other very important issues, such as scandals. I acknowledge that.
The member also talked about some exceptions in the bill that would make it less effective than it should be, and I am wondering this: Are there any exceptions in particular that he finds particularly grievous?
MP ZIMMER: Mr. Speaker, there are many provisions that might be legitimate, given that, between a bank and a person who deals with that bank, there are agreed-upon arrangements. However, there is an exception in place, where it says the organization may collect or use an individual's personal information without their knowledge or consent, if the collection or use is made for business activity described in subsection 2, and that description is for “any other prescribed activity.”
That essentially means the door is wide open for however that corporation wants to use that person's data. “Any other prescribed activity” means that if it decides it wants to use the data for x, y or z, that is up to the corporation. It does not appear to be up to the individual. Things like this need to be tightened up in the extreme. We also need to allow consumers, who want to have their data used, to give corporations their data for a good reason. It must have high fences, so that a corporation cannot use it for anything else and cannot sell it. The biggest concern I have, with all our understanding of data, is of people being manipulated by their data, and our kids being manipulated by their data. People's ever-increasing time spent on smart devices is concerning to everybody in Canada, and we need to make sure that corporations are only using data they are allowed to, in ways they are allowed to.
Email Managing Editor Matt Preprost at editor@ahnfsj.ca
