[Recorded by Electronic Apparatus]
Tuesday, November 26, 1996
.1112 
[English]
The Chair: Good morning. This is the Standing Committee on Human Rights and the Status of Persons with Disabilities. I call the meeting to order.
We're very pleased to have with us as witnesses Mr. René Laperrière, who comes from my riding, and Mr. Ian Lawson, who I will introduce in a few moments. It's important to set the stage for those who are watching for the first time and for those have tuned in to this second meeting of the committee, following a series of round tables, to find out where we would like to go with respect to the right to privacy as a human right and the implications of technology.
The right to privacy does not stem from any one source here in Canada. It's drawn from international law, constitutional law, federal and provincial legislation, judge-made law, professional codes of honour, ethics and guidelines. The result is often referred to as a patchwork of privacy protections in this country.
At the international level, several very important human rights documents contain guarantees of the right to privacy.
The Universal Declaration of Human Rights was created, as you know, in 1948, with the founding of the United Nations. As an aside, it's important to remember Canada's unique contribution. John Humphrey had a very significant role to play, along with Eleanor Roosevelt, in the drafting of the Universal Declaration of Human Rights.
It states in article 12:
- No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or
correspondence, nor to attacks on his honour and reputation.
In terms of data protection, which is one of the areas we are going to be addressing, in 1984 Canada joined 23 other industrialized countries to adhere to the code of fair information practices. It was developed by the OECD, the Organization for Economic Cooperation and Development. The guideline for the protection of privacy in flows of personal data seeks to harmonize data protection laws and practices among OECD member countries, and it establishes minimum standards for handling personal information.
Now 22 countries have enacted data protection legislation. They all have either licensing or registration. Canada is one of the few countries that does not have any really specific privacy legislation. It does, however, use the privacy commissioner as its principal mechanism for safeguarding personal information. This covers the federal public sector, but not federally regulated agencies.
We've had the pleasure of hearing Mr. Bruce Phillips, the privacy commissioner, on several occasions, and I must say some of his observations give us cause for concern.
Worthy of note as well, because it has business implications - and as we are a country of international trade, it's a very serious concern - is that the European Union has drafted what they call the Data Protection Directive. It sets out the rules of protection for European personal data, and all European member nations must sign that accord by 1998.
.1115
Article 25 prohibits member nations and those doing business with those nations from transferring personal data or information to a non-member country. With the exception of Quebec, Canada would be found in a very difficult position.
It's important to remember that we don't have personal data protection within our Constitution. We have this very uneven patchwork across our provinces and in the federal government. This is exactly what we're looking at: Canada's obligations and Canada's best interests with respect to privacy as a fundamental human right and just how far it can go. Where are the constraints on privacy?
[Translation]
I would like to say a few words in French. I think it is very important that people understand the difficulty we are facing.
Federal and provincial privacy legislation in this country tend to focus on the protection of personal information, primarily in the public sector. There is little in the way of more general sources of privacy protection in Canada, except for measures protecting privacy interests in specific contexts. These measures primarily protect intellectual property. They're contained in the Criminal Code, judge-made law in the area of the protection of property interests. The diversity of these sources contributes to the patchwork nature of privacy protection in this country. Moreover, it has been argued that current privacy protection regimes tend to suffer from an inability to deal effectively with new information technologies and tactics.
More specifically, I think that all our rights and our laws protect economic interests, but they do not cover nor do they adequately protect the privacy of the ordinary citizen in our society.
[English]
Later on I would be pleased to note some of the remarks and observations made by Mr. Phillips that were rather of serious concern to us, but there's just one I would like to bring to your attention, because in a sense it summarizes some of the concerns.
Mr. Phillips told us about how you can invade our privacy right through the walls and bricks of our homes and listen to our conversations. He told the story of the Charles and Diana ongoing saga, which was a total invasion of privacy, but it's out in the public domain and it's impacted now on their lives.
Mr. Phillips says there are constraints, yes, and a lot of the matters we deal with are in the best interest of the public, but the question on values and human rights is just how far is too far? Where do we stop? And where is our best interest? I quote him:
- You can have perfect safety and perfect order and perfect control if that's what you want, but
what you give away and what you give up is any vestige of your rights as a free and autonomous
person, a unique human being. We really have to take a hard look at how far we're going to go.
I think we accept the necessity for such a technology if it's aimed at terrorists, but is it acceptable for everyone? That's the question we're all looking at.
I'd like you to meet the members of our committee, who have been very conscientious in their duties and are helping us try to analyse just where we're at.
I'll start with Mr. Godfrey, please.
Mr. Godfrey (Don Valley West): I'm John Godfrey. I'm the parliamentary secretary to the Minister for International Cooperation et pour le ministre responsable de la Francophonie, and I'm the member of Parliament for Don Valley West in Toronto.
.1120
[Translation]
The Chair: Mr. Tremblay, a member of the Bloc québécois.
Mr. Tremblay (Rosemont): My name is Benoît Tremblay and I am the member for Rosemont. I'm replacing Mr. Maurice Bernier, the member for Mégantic - Compton - Stanstead, who unfortunately is absent this morning, but who normally always attends the meetings of this committee, which he feels is very important.
[English]
Mr. Scott (Fredericton - York - Sunbury): I'm Andy Scott, the member of Parliament for Fredericton in New Brunswick and vice-chair of the committee.
The Chair: Thank you.
Mr. Assadourian (Don Valley North): I'm Sarkis Assadourian, member of Parliament for Don Valley North, Liberal Party member, unlike my colleague from the Reform here.
The Chair: Thank you for noting that.
Mr. MacLellan (Cape Breton - The Sydneys): I'm Russell MacLellan, from Cape Breton - The Sydneys in Nova Scotia.
The Chair: Thank you.
Mr. Allmand (Notre-Dame-de-Grâce): I'm Warren Allmand, from Montreal, Liberal. There was no room to sit on that side, Madam Chair. There was a camera in my place.
The Chair: I see. I just want to note that the Honourable Warren Allmand -
Mr. Allmand: There are no Reform members here.
Mr. Godfrey: We're not allowed to mention that.
Mr. Allmand: I mention it anyway.
The Chair: Oh, excuse me, Robert.
[Translation]
Mr. Bertrand (Pontiac - Gatineau - Labelle): My name is Robert Bertrand and I am the member for the riding of Pontiac - Gatineau - Labelle.
The Chair: Thank you, Mr. Bertrand. We will operate as a full committee because the interests of each and everyone of us are at stake here. I do not think that there is any partisanship around this table as far as this topic is concerned.
[English]
I would like now to introduce to you Mr. Ian Lawson, who is a practising lawyer in British Columbia who has explored issues of privacy protection for both The Public Interest Advocacy Centre here in Ottawa and for Industry Canada. He too has done a comparative analysis of data protection legislation around the world and he has studied regulatory options for safeguarding personal privacy in this country. His publications include Privacy and Free Enterprise: Legal Protection of Personal Information in the Private Sector, 1993, and, most timely, Privacy and the Information Highway: Regulatory Options for Canada, 1995.
We also have with us
[Translation]
Mr. René Laperrière, who is a professor with the Department of legal sciences at the University of Quebec in Montreal. He is a member of a research group that is studying informatics and the law. This group works out of Quebec under the name GRID and it is composed of individuals who are conducting research into the sectors of information and technology. Mr. Laperrière could specify what this group is about. His work in the field of privacy law
[English]
include Private Sector Privacy, which was commissioned by Justice Canada in 1994; Privacy Under Surveillance: A Detailed Analysis of Quebec's Private Sector Data Protection Legislation in 1994; and Crossing the Borders of Privacy: Transborder Flows of Personal Data From Canada. I think that's going to very key - how much you can block what's flowing in here. His works also include A Technological Democracy of 1998 and The Pirated Identity: A Comparative Analysis of Data Protection Legislation, 1988.
We are very much looking forward to your guidance and advice, gentlemen. We've had a broad stroke painted for us in terms of biotechnology, personal privacy and the actual content of the new technologies available. Without further ado, I would invite you to make your presentation.
Have you determined which one of you would care to go first?
Mr. Ian Lawson (Individual Presentation): Thank you. I think Professor Laperrière has agreed I will start this morning.
I'm going to be very careful not to exceed ten minutes of time in my remarks at the beginning. I was very pleased in speaking with one of your research assistants, Ms Holmes, to learn that you already had started with looking at some of the international documents. What I'm going to do is start by talking briefly about the Second World War, but before I do that I want to comment a little on how I became involved in this area and my thinking. What I'm going to say is a bit relevant, because I think you are just discovering some of these issues, if not necessarily the first time. When I looked at these issues for the first time it was somewhat daunting, and it still is.
.1125
When I first became exposed to privacy issues it was as a consumer issue. People were complaining about what banks, credit bureaus, and retailers were doing with their personal information. So that was how I started my journey into privacy. Also, at the time I started, which was about 1990-91, automatic number identification was happening, caller ID, another controversial issue for consumers. Given that I have a legal training, I started by looking at what is the law on privacy. And as you are well aware, I noted that our Privacy Act applies only to the federal public sector. That wasn't much help at all. It was no help on the issues that were happening in the 1990s. I found there were some privacy acts at the provincial level, some very interesting ones, but certainly nothing that really seemed easily to solve some of the problems that were coming out in the early 1990s.
On top of it, in some meetings I had with many people at the time I learned that the approach at the time of the Government of Canada was simply that volunteerism was the way to go. There was no prospect of legislation at that time. So as a lawyer looking for what I could do for people who were concerned about these issues there wasn't much choice but to look at the common law, and that's how I started. I ended up doing quite a bit of work in looking at what could be done short of having a statute enacted. I did find there were some very interesting and hopefully very helpful things that could be done in common law as far as suing people for privacy invasion.
I have to be very realistic. Going to court is hardly a reasonable solution; it's expensive, slow and very difficult, and the chance of success on many of these types of issues is low. It's hardly high on my list as a solution, but at that time it was about all we had. I'm going to say that five years later we're not too far ahead. Unless we live in Quebec, we're pretty well left with the same situation we had when we first looked at these issues in 1990.
Just last year, I had an opportunity to look at how some of these same issues can be dealt with on the information highway. We now have a whole new converged telecommunications network and a very important agenda coming as far as our information infrastructure is concerned. I then looked at what could be done in terms of legislation, hoping at the time I started work that this would be on the forefront. I'm very happy and pleased to hear the Minister of Justice just recently announcing that legislation is on the list of things to be done by the year 2000.
The other thing I wanted to mention is that when I started in this area there was, as Madam Chair has mentioned, the European directive. So there was a sense of panic at the time. Some of you may remember that 1993 was a deadline for a time. There was a point when for example information on German citizens was prevented from being given to Air Canada. It was a very dramatic event that now has resolved itself; the current directive has been softened somewhat to require simply an adequate level of protection. At the time, it was an equivalent level of protection of privacy in Canada, and we had nothing like that. So when I first took this up, again, it was with a sense of urgency that I would like to think should still be there, but which now is a bit lessened because of the latest directive from Europe.
I started from a consumer perspective looking at the international. I said we'd better find out what's happening in Europe. There's a tremendous amount of information and progress that's been made in Europe. It takes a lot of time to digest and to understand it. Since I took a look at that, I've come full circle so to speak and I've realized we're dealing with a human rights issue. This is not a consumer issue; it's a human rights issues that affects consumers and individuals. I've really seriously come to the realization that it is a matter of human rights.
.1130
I confess that maybe it's been obvious to everyone that it was about human rights from the beginning, but when I looked at these issues it was purely as what can be done about who's using your information. Now I'm very confident that it's a human rights issue we are looking at.
As Madam Chair has pointed out, for the last 40 or 50 years Canada has been a signatory to many international documents that have recognized privacy as a human right. So how did I miss that? I think it's an interesting point in translating all the European efforts on the data protection front into Canada. We tend to think this is privacy legislation and so on, so our approach to it has been that this is what the Europeans are doing about privacy. But there's more to what the Europeans have been doing. It's data protection and it's human rights.
This is where I would like to talk for a couple of minutes about the Second World War, because there are some interesting analogies to what's happening today. I need only point out that in Nazi Germany there were some very insidious and extensive uses made of personal information. This was in the late 1930s and 1940s. These uses included rudimentary surveillance techniques, eavesdropping, intercepting mail, and first and foremost the raiding and collecting of information in government and whatever data banks on paper there were.
I wasn't really aware of this when I started to look at this, but the techniques we're complaining about today aren't new, except that they involve computers; they were experienced in Europe during the Second World War. One of the first things the Nazis did when they took over a country was to find out everything they could about individuals in the country. They also did it domestically, using everything they could find out about German citizens to squelch dissenters and control invaded populations and of course to identify people who were deemed not suitable citizens of whatever state they were creating.
The people in Europe experienced these things, and many of us who weren't there can only imagine what it was like to experience information about yourself in the hands of a very frightening regime. That's why we see a succession of international documents, which Madam Chair has already referred to, consistently referring to privacy, which includes home life, correspondence, and so on, as a very important human right. It has now been substantively protected in 100% of European OEC members, so there's a very high proportion of all countries in Europe that have actually put this into effect.
To save time, I won't talk about exactly what the contents of the 1980 convention were, but 16 years ago the heart of data protection legislation was enacted in the European Convention. That convention was a revisitation of the 1950 convention, which simply included the right to private life and so on, and the reason for it was that computers arose in the 1960s and 1970s. The Europeans realized there was a huge potential for massive abuses like what they'd seen already in the war by use of computerized information. So the European Convention came about to address the automatic processing of this information.
If the Nazis had had computers and this was all computerized, there would have been a tremendous impact on citizens back in the war. Fortunately, that didn't happen. There are some very concrete and universally agreed principles for fair information practice that have been around for a long time.
Mention was made of the OECD guidelines. I wanted to point out that, as I think this committee is well aware, there's always a balancing between the rights and what we want to have enforced in the legislation and then how to make it work. Specifically, how do we trade internationally when we have such rigid expectations about domestic legislation for privacy?
The OECD guidelines were created specifically to avoid international trade being hampered by the very carefully created and proposed requirements for privacy protection, data protection, in domestic legislation. So the guidelines were really that: they were created to help member states in Europe draft domestic laws in such a way that they wouldn't unduly interfere with other values, such as... And that mainly was international trade in Europe.
.1135
It is the guidelines, then, that we have adopted in our Privacy Act, and it's universally... There really hasn't been much change actually. To the credit of the people who created these principles back in 1980, there hasn't been a lot of change and development in the content of these basic principles of data protection.
Also, we may talk later about something that Canada should be very proud of, the Consumers' Association model code, and that again adopts...
The Chair: Do you mean the Canada Standards Act?
Mr. Lawson: Yes, the model code that has been created by the Canadian Standards Association. It's not a hugely revamped, but a very carefully updated version of the 1980 principles that have been around for a long time.
Canada is a member of the OECD, it's no secret, so we're way behind the pack as far as implementing even the guidelines. In Europe the guidelines apply to the private and public sectors, and we're nowhere close to that in Canada, except for in Quebec. Quebec is the only place that's come close, as you've said, Madam Chair.
I wanted to mention some of these international documents because it really is important, in my view, looking back on how I approach these problems, to accept that there must be things done to protect individuals from a consumer perspective, but the human rights background is very important to be aware of as well.
Data protection legislation: I wanted to point out why are we so slow about doing this. There's a political culture difference, I think. We've never been invaded. We've never experienced the things that Europe experienced, and we can only imagine what that was like. I think that is a factor in North America and Australia and New Zealand being a bit slower than Europe in implementing the guidelines.
Because of that political culture difference, when we look at the European international documents we tend to see those as being about privacy, but it's not about privacy, it's about human rights. Data protection is a subset of human rights.
We, because we have never really experienced what happened in Europe, tend to say ``Well, that's about privacy; that's interesting.'' We categorize it in our own political culture. When we look at Europe, it's a much deeper, much more important thing.
So that begs the question: Should it be any different here? The Europeans experienced this. They were ahead of us as far as political culture and human rights. Does that mean we don't need it? I'll leave it to you to decide. It's certainly not evident to me that because the Europeans experienced something, it's not something we want to follow up in Canada. We're slow to do it, and I suggest it's because we don't have that experience and that history that Europe has.
I'm very happy then that your committee is able to approach these issues on a broader level - at the human rights level - as opposed to on the level of privacy or data protection, which are subsets of human rights. I think a broader approach is welcome. It's important, to be a beginning to your studies.
I wanted to assure you that the technologies you're looking at today - we'll talk about it a bit later - are very daunting and very difficult things to figure out, but they're not new. In the 1940s there was rudimentary matching of information about people, but it was all manuals, on paper. There was surveillance and eavesdropping during the Second World War. They're not new things.
In the 1880s - the very beginning of privacy work in law in the United States - the concern was photography, instantaneous photography. No longer did you have to sit still for five minutes; suddenly your picture could be taken without you even knowing about it. It was a big issue back then. Then there is the microphone and the development of tape-recording. So it's not as if we're all taken by surprise by these issues. For a hundred years there have been these types of technologies that have posed problems to human rights, to privacy.
Our advantage today, thanks to the Second World War in a way, is that we have the language of rights. A hundred years ago human rights wasn't a developed concept, and the whole history of American privacy protection is in the realm of tort law, civil action - suing people. That's how it began in the 1880s. And now we have the advantage of the assistance of the Europeans to look at this as a human rights issue as well, and take advantage also of the history of suing about privacy. I want to say that because of that, there's no correct approach to privacy.
.1140
I think I'll end my remarks right there. I'd be happy to answer whatever questions you may have.
The Chair: Thank you. I know it's not easy to put everything into a short, ten-minute presentation, but I hope you'll get the opportunity... I know you will -
Mr. Lawson: I am sure.
The Chair: - from very curious members of Parliament who are surrounding you.
[Translation]
Mr. Laperrière, you have approximately 10 minutes.
Mr. René Laperrière (professor, Department of legal sciences, University of Quebec in Montreal): Thank you for inviting me here.
I'm going to set aside the generalities for the time being and focus on a few of the issues that were suggested by your researchers with respect to the identification of individuals, genetic testing, video surveillance and security on the Internet.
Obviously, we could discuss a whole range of legal considerations about the way to deal with things, however, I would simply like to give a brief description of the problem and see what avenues we could take in order to come up with some solutions.
As far as identification methods are concerned, everyone knows that there are several means available to us; identification can be made through cards, passwords, etc. We can also use an individual's personal characteristics; fingerprints, retina prints, hand shapes and genetic testing fall under this category of identification methods.
The general public is, however, always bothered by two aspects of these identification methods. First of all, people don't have to have their fingerprints taken because they feel like they're being viewed as a criminal. As for genetic testing, people are afraid that information will be revealed about their own health. Accordingly, these interventions are sometimes very difficult for the general public to accept.
Moreover, if the individual identification information is kept in centralized data banks, which is easily done in this day and age, we find ourselves creating a type of national personal identification file, with all the many dangers that Ian referred to earlier.
We may resolve problems related to the identification of individuals in several different ways. We should probably explore the idea of establishing decentralized and anonymous authorization systems; namely, we should not have a centralized data bank containing the fingerprints of every Canadian. This would be relatively dangerous. In France, for example, fingerprints are taken at the police department where you have applied for an identification card. These prints are not centralized and are accessible only under certain conditions, such as in the case of very special police investigations.
There is also the option of promoting individual identification through coded systems, in krypton systems, where, at the end of the process, the data that comes out of the machine is recoded to some extent so that your fingerprint cannot be recognized. With the system, you pass your thumb over a machine and the result in fingerprint cannot be identified as yours. However, the system can recognize that the authorization that you gave by printing your thumb is valid, because it is really you who were present and who inserted your fingerprint into the computer, which in turn managed an entire data system validating your authorization.
I sincerely believe that the mandatory use of technical solutions, through regulations, for example, is preferable to the current system, namely the legal or court system whereby one has to go to court if a complaint is filed, etc. This system is extremely time consuming and costly and has no preventive value. It merely resolves drastic situations once the damage has been done.
.1145
Accordingly, we should be looking for technical solutions and we should be trying to ensure that transactions are kept anonymous, because one of the greatest threats to privacy right now stems from the fact that we can find out everything about an individual; by cross-referencing data banks we can find out information about ourselves that we didn't even know.
There is also, obviously, a debate going on about the identification card. Should we have a national identification card? Should we have provincial identification cards? You know that in Quebec, for instance, we have had photos on our two main cards for some years now, namely the health insurance card and the driver's licence. These are not real universal identification cards, but they are commonly used. The same thing applies in many other provinces.
I would like to talk very briefly about genetic testing. Genetic testing, which is not yet very widespread in Canada, is a way to assess the risk involved with an individual's state of health. Such tests are used primarily in the employment and insurance sectors, where they may be used to determine an individual's genetic predisposition, namely, their future state of health. Such tests are used primarily in the health sector, not to find out whether someone is predisposed to commit a crime or anything of that nature.
The main problem with these genetic tests is that they reveal an individual's predisposition only. They do not reveal an individual state of health. In many cases, these tests predict the future health of a person very poorly. Someone may be predisposed to something and never develop the disease or the disorder for which he has a predisposition. Accordingly, these tests do not enable you to measure the risk accurately.
There are other problems which add to these difficulties. For instance, certain genetic risks are totally underrated because they are not the subject of any medical or genetic research. Hence some people - me, for instance, - present all kinds of health risks, but they cannot be analysed because the science has not yet been done. These are unknown risks. It would therefore be possible to discriminate against people who have been studied more than others, and whose genetics are better understood.
Moreover, there may be some family problems that result as well because genetic research is always done on the members of the family, on the ancestors, cousins and even the children. Such research may rapidly become an infringement on privacy, not only for individuals, but also for families or even, under certain circumstances, for the members of an entire population.
Perhaps we should also give some thought to some stop gap measures such as, for example, establishing the right not to know. For example, perhaps I would be better off if I didn't know that I was predisposed to certain things, that I stood out one in a million chance of being struck by such and such an illness, etc. Science makes progress, however, perhaps people aren't interested in knowing what problems they may have to live with, potential problems, which are only risks.
Now I would like to say a few words about video surveillance. I apologize for going through this rather quickly, however...
The Chair: We will go back to all of points.
Mr. Laperrière: I'm trying to cover all of the questions. Surveillance systems are becoming a common place thing. Surveillance has become systematic. There is surveillance as you enter the Parliament Buildings and this is a good thing. We have surveillance in the convenience stores. We have it here.
Obviously, we want to limit video surveillance to specific situations where there is truly a risk, either for employers - because in all likelihood they are the ones that use video surveillance the most - , or for the population in general in public places.
Obviously, we must strike a balance between the interests of the businesses or organizations and those of the individuals under surveillance. The difficulty lies in determining which sectors or places legitimately need surveillance and what criteria must be met during surveillance of this type.
.1150
For instance, the criteria developed by judge-made law deal with situations where an objective security risk exists, either in industry, or elsewhere. For example, an employee can justify keeping his employees under closer surveillance if he has been hit with an outbreak of theft.
When dealing with an individual in particular, we have to have a very specific reason why we suspect him. are a bit like the same criteria which must be met in order to obtain a search warrant, for example, because surveillance is a type of search.
We must also follow another rule, that is, we must try to infringe upon an individual's privacy as little as possible. Certain techniques are more aggressive than others, certain techniques reveal more about the details of someone's privacy, details which had not normally become public knowledge. Employees must be informed about these surveillance methods, to avoid the situation where they discover one day that they have been under surveillance systematically without their knowledge and therefore begin to implement self protection and self defence systems because they feel that they are living in a society where everything is really under surveillance, somewhat akin to the world described in George Orwell's 1984.
The issue of security on the Internet is a new one. Internet is used to mean all kinds of things, either the sites that you can visit via certain communication software packages such as Netscape Navigator, for instance, or any computer interconnection space, namely cyberspace in general or, as the French from France say, cyberespace.
We must realize that there is very little security on the current network and that there is not much concern for security except, of course, in the case of certain banking transactions, whose databanks are closed, designated, coded, and also in the case of individuals who use certain coding software, encryption systems such as PGP, Pretty Good Privacy, which are currently being challenged in the United States because they make police surveillance impossible.
Two realities must be recognized: surveillance of the content of messages and access to transmission data, to the logs, which make it possible to infringe on someone's privacy without decoding the messages, by simply knowing that such and such a person had contacted someone else on the Internet.
The problem that any legislator will obviously have to deal with, is to determine whether in fact we can legislate in Canada, where our constitutional problems... In addition, can we try to control Internet, which is global, international? As far as I'm concerned, I feel that it is possible. We will probably have an opportunity to discuss this.
It's possible because we can draft legislation, as other countries do, that extends beyond our borders. We can, in a fashion, monitor confidential information crossing borders. We can have a certain amount of control over what happens within Canadian territory. These are complicated questions. What I do think is absolutely essential, if we want to solve these kinds of problems, is that there be inter-governmental cooperation with the provinces.
The Chair: This is difficult when we're dealing with a topic that conflicts with human rights as well as social rights.
According to procedure, we will begin with the Bloc Québécois, Mr. Tremblay. I already have a list of the members of the government who would like to speak. These are Mr. Allmand,Mr. Assadourian, Mr. Godfrey and Mr. MacLellan.
Go ahead, Mr. Tremblay.
Mr. Tremblay: Mr. Laperrière, you emphasized monitoring by using certain techniques. It is my impression that we may still be behind. Is this instead of legal proceedings or respecting people's privileges? Can you explain to us more clearly the two choices that you mentioned and the reasons for your choice?
.1155
Mr. Laperrière: First, you must be aware of the relative efficiency of legal recourse. There is recourse, for example, for the protection of confidential information. A complaint can be made to the Privacy Commissioner. He can then investigate and if he feels that there are sufficient grounds for a complaint, then he can bring the case before the court. A court can issue an order and in some cases can order damages to be paid. That is all very well, but it is not necessarily a very accessible route. Some people may in fact benefit by it. Let us forget for the moment the problems with class action.
If we act preventively, that is if we establish rules regulating the use of certain techniques, techniques that in themselves could provide us with the result that we want to obtain, that is individual privacy, then we would be one step ahead of our problems. If we were to obtain a consensus on these initiatives, whether it be necessary or not to regulate later on so that the industry or category of people comply with this initiative, then these problems would not occur.
I'll give you an example of a technical solution. In France and in some other European countries, banks are using a system of anonymous transactions whereby bank computers can verify the authenticity of the authorization that you provide to debit your account. However, information cannot be compiled to follow your transactions.
For example, by reading your Visa, American Express or other credit card statement, we can know where you have gone, what you ate, what you spent your money on, what your lifestyle is, etc. These contain all kinds of information about you. In an anonymous transaction system you can no longer be pigeonholed, your profile can no longer be drawn, there will no picture of everything you have done, etc.
These systems exist. However, one of the reasons they are being used everywhere is that information currently has a market value. This is not necessarily the case for the banks, but a business may use this information and use it for internal marketing, or to sell the information as Bell Canada does with telephone numbers. There is a whole industry based on this information, whose secondary uses can be very profitable to the business using them. That is why only technical solutions will be capable of preventing this type of trend.
Mr. Tremblay: I would like to know that you think about the public's reaction to this. There does not seem to be a uniform reaction to a great number of technologies that could significantly infringe on privacy.
You referred to the banks. As we know there has been a very rapid switch to automatic tellers and to technology, which supposedly is always been carried out upon the advice of consultants. In reality, this change is quickly becoming an open telephone marketing system, by people who, in the end, know all about you.
When we are told that we are going to be advised, what is meant is that the person at the cash will not just serve us; they will be aware of our lifestyle in its smallest details and they will call us to suggest one or another type of transaction. This will make the public react much more than it has today.
Canada Post used to be used often. Now, Canada Post is used for sending bills and flyers, because nobody knows how to write anymore. Thus, we pay our bills and we throw the flyers in the garbage can. That is an advantage. But soon, we will have to have an answering machine to select the telephone messages that we want, because the use of the telephone will become more and more aggressive.
.1200
A social transformation is taking place and we need to act quickly.
The problem I see, and you touched upon it, is that a good number of people know almost more about us than we do. They have sophisticated analysis tools that we do not have. Perhaps it would be useful for us to obtain a description of our behaviour from our credit card statement. Nobody provides that.
[English]
The Chair: Why don't you just call your bank? They'll tell you where you buy what and how much. They'll also sell the list for you.
[Translation]
Mr. Tremblay: I understand that you want to protect privacy, but the other side to the problem that you spoke about and that I want to emphasize is that there is a minimal obligation to inform the people in question about what others know about them. It seems to me that would be one step forward. I do not know how we can do it, but people absolutely have to know to what extent they have been monitored. You said that we should not be filmed by a camera without being aware of it, well we shouldn't be analyzed without being aware of it either.
Maybe the people being monitored would react, because currently these people do not know that they are being analyzed, not only by governments but by a whole series of businesses, and these analyses are very easy to obtain. Let's not fool ourselves. Just about anyone can know just about anything without us being aware of it. How can we at least establish an obligation to inform people?
[English]
The Chair: If you would like to add a word, feel free to respond. You've got two more minutes before Mr. Allmand starts his questions.
[Translation]
Mr. Laperrière: This is very difficult to do because so much information has been accumulated over the past few years. In some specific cases where people have been treated unfairly and they are aware of it, in that case, these people will make the effort to inform themselves to know whether their files contain mistakes, for example at a credit bureau, to find out why an application was refused, etc. However, in general, trying to find out what information exists about you is very difficult. One could ask...
Mr. Tremblay: I am sorry to interrupt. My question was about the obligation that people who do an analysis or provide information on other people should have to inform others about what they are doing. Perhaps that exist and has already been written in such small types that one would need very strong glasses to read it. The obligation to obtain permission must exist somewhere.
Mr. Laperrière: Yes. Obviously this is included in some standard contracts. In Quebec, by law, people who do marketing or commercial or philanthropic soliciting must obtain permission from the people in question to provide lists with their name on it. But that is all. You do have rights, but exercising those rights is relatively complicated.
[English]
The Chair: Perhaps, Mr. Lawson, you might address the fact that on all credit cards there's a tiny line stating that your information will be used.
Mr. Lawson: I agree completely. The issue is that people should know about this, and I'd like to say that what you described is really not very hard to solve. The principles we've talked about, which were worked out 16 years ago and based on which the CSA code was put in place, apply marvellously to that type of problem. You need to know who's collecting information and where it is stored. If it's wrong, you have a right to correct it. All that is eminently solvable.
The only reason it's a problem in our country today is that none of those principles apply effectively in the private sector. The issues you're talking about are mainly private sector issues. I'm very happy to say - I'm probably an optimist - that I think those issues can be very easily, quickly, and efficiently solved. We can spend some time arguing about what the best mechanism is to put those in place, but the time today doesn't permit a detailed discussion of that. But I say very confidently that those problems can be solved to a large extent by simply putting into practice in the private sector what we already know and what the industry has basically already adopted - for example, the Canadian Standards Association model code.
The Chair: That deals with business. It doesn't deal with the private sector, and it doesn't deal with federally regulated organizations. I'm sure Mr. Allmand has a few questions in that regard.
[Translation]
Thank you, Mr. Tremblay. We will come back to you.
[English]
Warren Allmand, please.
.1205
Mr. Allmand: I have a few short questions, Madam Chair.
First of all, I'd like to ask either witness if there has been any list compiled by academics or otherwise of all the laws in Canada we presently have that in one way or another protect privacy. For example, such a list might contain provisions of the Canada Post Corporation Act that don't allow them to open first-class mail; the provisions of the Canada Evidence Act that deal with privileged communications with lawyers, doctors and priests - in other words, that in courts you can't force lawyers, doctors, priests or clergymen to reveal what was given to them; or wire tap or medical laws dealing with doctors. Has anybody ever put together a list of all the types of laws we already have on this subject so that we would have some kind of catalogue?
Mr. Lawson: At the risk of self-promotion, that was what I first looked at, because there was no legislation.
Mr. Allmand: There is some legislation.
Mr. Lawson: Yes, but it doesn't really answer some of these problems in the private sector, for example.
I never actually looked at the Canada Post Corporation Act. I'm talking about the publication I did in 1993, Privacy and Free Enterprise.
The Chair: Excuse me. Does that publication cover much of the question that Mr. Allmand has just raised?
Mr. Lawson: I think it does.
Mr. Allmand: What's the publication?
Mr. Lawson: I'll be happy to provide you with a copy. It's Privacy and Free Enterprise. I'm not saying it's the answer to all your questions.
Mr. Allmand: I'd like to have a comprehensive list not only of laws that in part protect privacy with the private sector, but also the public sector. This might be helpful anyway.
Mr. Lawson: I'm sure the privacy commissioner's office would be able to provide that.
Mr. Allmand: Okay, we should get such a list. The more I think about this, I know there are bits and pieces of laws and some that have been in force for a long time. I referred to privileged communications. Many people ask why it is limited to lawyers, doctors and priests. Journalists ask that.
The Chair: Excuse me for interrupting, but that document is being prepared. The privacy commissioner's office is helping us with that document.
Mr. Allmand: Good.
[Translation]
Mr. Laperrière, as you know, section 35 of the new Civil Code, that reads as follows in English:
[English]
- Every person has a right to the respect of his reputation and privacy. No one may invade the
privacy of a person without the consent of the person or his heirs unless authorized by law.
is relatively new. When I was studying law in Montreal, that section did not exist.
Do you know if any legal proceedings have been undertaken by individuals under this section? The new Civil Code has only been in existence for five years, I believe. Do you know if any legal rulings have been made under that section?
Mr. Laperrière: I have not checked because the Civil Code has not been in effect for very long. What I can tell you is that the Quebec Charter of Human Rights and Freedoms has an equivalent section whereby every person has the right to respect his or her reputation and privacy. Under that section, about three years ago I found about 20 legal rulings that resembled some common law rulings and American rulings. There has to be some type of prejudice, the information cannot be used just any old way, etc. There is in fact jurisprudence.
[English]
Mr. Allmand: Okay.
Mr. Lawson, who would you say are the major intruders or potential intruders into our private life with all this technology? Would it be governments, journalists of all kinds, private detectives or credit bureaus? Who are the major potential intruders using the technology?
.1210
Mr. Lawson: I can answer that in two ways. First, we perhaps don't need to answer that because the decision about whether some behaviour in the marketplace or by government is offensive is truly up to the individual. Somebody may not care that credit card information -
Mr. Allmand: If we're formulating a log, I'd like to know who I have to deal with politically. If I have to deal with journalists, that may be more difficult than dealing with banks, but maybe not.
The Chair: It depends on if they're looking at your credit rating.
Mr. Allmand: Or private detectives who are following me around on behalf of somebody else.
A bug was discovered a few years ago in the NDP caucus room. There have been other instances in our offices of bugging, and so on.
Mr. Lawson: That's the best way to get legislation. That's how B.C. in 1968 got the very first part of the act passed. It was in that very same situation.
I don't want to blame industry. There are some industries that are very information-intensive and computerized. Credit reporting comes first on my list. I'm not too worried about financial institutions because they're usually prudent. It's not good business to be loose about that type of information.
It is the private sector generally. You never really know. I'm not going to finger any individual.
Mr. Allmand: Do you mean it is the private sector more than government?
Mr. Lawson: It is the private sector more than government, absolutely. Without a doubt, the private sector is a lawless frontier in Canada.
Mr. Allmand: Okay. I'll move to my next question. How successful do you think our laws from the 1970s have been to control wiretapping, bugging and that field? At the time that was the big technology by which we really felt threatened. How do you judge the legislation in that sector of listening devices as an attempt to deal with it? That only dealt with listening.
Mr. Lawson: To tell you the truth, I would argue it's big enough to handle some of the other issues, such as video surveillance. It deals with private communication. It seems, when looking at it, it was all aimed at listening devices. When I read it, I think it could be used for other issues.
An idea that we had when colour ID first came out was to take a look at the Criminal Code provisions. I think it's not used enough. It has not been taken advantage of to the extent it should. There are some very important things you should be careful to consider about that. It's a cumbersome technique. If we were to leave it to the police to solve these, it would be a monstrous problem for them.
It's useful. It could be improved to cover some of these issues, but it would not be high on my list of effective solutions to these problems. I do agree there's potential there and that's why I commented on it in my book. In the absence of anything else, it's sitting in the Criminal Code, so it should be used.
Mr. Allmand: This is my last question, Madam Chair.
If we were to recommend legislation, what do you think is the best model we could copy in Europe, the United States, or Canada? If we were to look at a model, what do you think is the best one?
[Translation]
Mr. Laperrière: what do you think yourself?
[English]
Either one of you may answer. What do you think is the best model?
[Translation]
Mr. Laperrière: That is very difficult to answer because the European model is very strict and I do not feel that it could easily be used for legislation here. Furthermore, one can't really speak of an American model. In terms of the federal public service model, it could be applied with some changes to the private sector.
That is somewhat like what happened in Quebec. The public service model was used for the private sector. I would say that rights in Quebec overall... Quebec law covers about 50% of European law. However, in terms of North America's situation, its coverage is about 80 or 90% because several exceptions in the legislation exclude some activities, certain types of communication, etc. However, it does not cover all circumstances and all problems.
The choice that must be made between extending the public sector legislation to the private sector or to draft new legislation with a different administration, etc. depends on political choices. It may be a financial choice, for example.
[English]
The Chair: Thank you. Warren, I just want to forewarn you that you're well over your time, but we'll let you finish that intervention, and then it's Mr. Assadourian.
.1215
Mr. Lawson: The correct answer to that question is that the best is a data protection act like New Zealand. It's half an inch thick. It's impossible to read. It's a marvellous new reworking of European data protection acts and there are tremendous powers in there I won't even start trying to describe. It's wonderful, but I don't know whether that's going to happen in Canada. That's why I'd say a second-best approach would be what I've called some form of standards enforcement.
As I've mentioned, we're already up to speed with the CSA code. I think some of the thinking of the minister is to enact legislation that would enforce certain standards that perhaps might be created in the private sector.
The Chair: Yes, but that's not an invasion of the privacy of a person.
Mr. Lawson: Most of it happens in business, Madam Chair. I think we really want to work on the private sector.
Mr. Allmand: It doesn't mean the private sector is infringing on privacy too, as Madam Chair said. Maybe I misunderstood. It's not one business on another business; it's business on individuals.
Mr. Lawson: Yes.
Mr. Allmand: Thank you, Madam Chair.
The Chair: I just want a precision. Did you say that New Zealand has new and enlarged evaluation and laws built on the European model?
Mr. Lawson: Yes, I believe it was in 1993. It's the latest creation in the common-law world. It applies to the private sector just as much as the public sector. There's a privacy commissioner who has the power to create and impose codes and the power to order compliance with the provisions of the act. It's a tremendous document and it's a place to start. However, I really point out it's completely inaccessible to individuals. Plain language is critical. If we expect the private sector, the humungous number of people who are working with legislation, to understand it, it has to be in plain language. I'm sure it's good work for lawyers from here on, but plain language is a very critical ingredient.
It repays you to take a look at the New Zealand act as a recent example of a data protection act.
The Chair: Thank you. Mr. Assadourian.
Mr. Assadourian: Thank you very much. When we began this study, Madam Chair, I thought it was going to be very boring, but I think it's becoming very interesting.
I have a few questions. You mentioned the European governments began protection of human rights and fundamental freedoms in the 1950s. Was there a case since then where they had to suspend fundamental rights of privacy? If there was a case, how did it happen and how was it handled? That's my first question.
The second question is whether you think judges in Canada are trained enough and sensitive enough now to deal with issues when they come to court relating to privacy, and what kind of recommendation you would have.
I was reading this summary from the parliamentary library where they mentioned article 12 in the 1948 Geneva declaration and the European one in 1950. They mentioned specifically the privacy of the individual in his home and in his correspondence. They never mentioned the workplace. I think I spend more time here in my workplace than in my house. There is no such privacy for me or for individuals in their workplace. That was never mentioned.
The other question is about genetic testing, which was earlier reported by the professor. I raised this issue a couple of days ago with Bruce Phillips. In the next four, five, or ten years science might prove that some diseases like cancer could be genetic from father or mother to offspring. Insurance companies could have access to your data and know you will die because of your cancer and they know also by science that it could have been transmitted to you in your genes. Would they have the right to deny you insurance? Also, if you purchased insurance and they found out afterwards, do they have the right to deny payment of your life insurance?
Mr. Lawson: I'm not too positive about your question regarding where the rights have been suspended. I'm not aware of any event that may have put any end to the convention protections. The issue with the convention of course is how it is implemented in the respective countries. That's where we get into the documents we talked about earlier and data protection. I'm not aware of any event that would have terminated that type of protection.
.1220
Are judges good enough? Are lawyers good enough? The judges are only as smart as the lawyers are able to put something in front of them for a case. I would like to see judges more able and accustomed to addressing issues of privacy. It's a matter of human dignity. It's not a foreign concept for courts to deal with these types of issues. But to date there has been very little experience with the judiciary relative to dealing with these issues. It's expensive to litigate. There are the types of damages you get. This is not the United States. It's often uneconomic to even advance a privacy claim in the courts.
However, as part of a package of legislative protections, I would be very happy to see a duty of care imposed on users of personal information. There is no harm in doing that. We have some constitutional problems with doing something like that. Legislative recognition, for example, of a tort of privacy has been done already in the provinces. These things would help. We can't enter into a constitutional argument at this point. I don't dismiss judges. We need to use them more, but that's not really the technique I think is the best for this type of issue.
With respect to workplace issues, I don't have an answer to that. I suppose they weren't as much on the forefront back then. Technology, monitoring, surveillance and these types of issues maybe weren't as much of an issue back in the 1940s, 1950s and 1960s. I don't really have a good answer for you.
Mr. Assadourian: Do you think we should include the workplace when we make recommendations to the government?
Mr. Lawson: Absolutely. It may not even be necessary to specify places, but rather simply the collection of information, the active surveillance of somebody.
Mr. Assadourian: We mention here specifically family, home, correspondence, telephone conversation, or whatever my colleague referred to earlier.
Mr. Lawson: That reflects the problem of looking at European developments with our political culture. It's a different experience there, so correspondence, home and family are different.
The Chair: There was a tremendous intervention during the course of the second referendum by a certain top civil servant, a deputy minister, which had serious implications, so I don't think we're importing anything. I think it's a reality right here. We're not immune to any of that.
Mr. Lawson: I agree completely and absolutely.
[Translation]
Mr. Laperrière: I would just like to point out, in terms of your last two questions on the work place, that the International Labour Organization has just issued a general guideline, which is neither a convention nor a formal recommendation, on privacy protection in the workplace. Professor Spiros Simitis from Frankfurt University chaired the committee that issued that guideline.
This comes after a very extensive study was published in three volumes. All the problems in this area were included in this Draft Code of Practice on the Protection of Workers' Personal Data and the recommendation was submitted for adoption to the International Labour Bureau and will become a type of code of ethics that all employers will have to use. It is not an obligatory international instrument.
In terms of insurance, we still do not have enough jurisprudence to my knowledge on refusals by insurance companies to ensure people they may have genetic information about.
However, the refusal to compensate a person because that person did not declare everything they should have at the outset, is based on a principle of insurance law, the uberrima fides principle, which calls for absolute good faith on the part of the person who is being ensured. That person must reveal everything they know about their health, and the Canadian Supreme Court's jurisdiction is not favourable to those people who would try to hide anything from insurance company people. For companies the door is wide open for obtaining confidential information about someone who wants to be insured.
.1225
Should insurance companies have obligations toward the public under the law that extend beyond an assessment of individual risk? That is another question. I'm not an expert on insurance law.
[English]
The Chair: So you believe from Mr. Assadourian's question that is something we have to examine a little bit more closely.
[Translation]
Mr. Laperrière: Probably, yes.
[English]
The Chair: With respect to either legislation, I think you had some reservations as to whether we did it from a judiciarized process or from a preventative process.
[Translation]
What would your choice be in that case? Prevention or legislation?
Mr. Laperrière: I do not want to raise the issue of jurisdiction, but insurance is of provincial jurisdiction.
The Chair: But whether it is federal or provincial does not matter. We are responsible for all citizens living on the territory that extends from the Pacific to the Atlantic to the Far North. So, what is the best solution? Regulations or legislation on life insurance and on the requests by insurance companies to obtain all types of information, as well as on whether they have the right to act or not? Do I have the right to know or not?
[English]
I think that's basically your question.
[Translation]
Mr. Assadourian: Yes.
[English]
The Chair: I think we are really asking whether you have an opinion.
[Translation]
Mr. Laperrière: I think so. That would really depend on the insurance legislation in effect. In Quebec, the civil code contains sections on that point. Until now, this has been dealt with through jurisprudence and I do not know how we could regulate it. I am not familiar enough with insurance regulations.
[English]
The Chair: It's up to John. You want to make a small intervention. John, you don't mind, do you? All right. Mr. Bertrand.
[Translation]
Mr. Bertrand: I worked in insurance for several years and I think that if the insured dies during the first two years of their insurance contract, then the company can refuse death benefits. But after two years, according to my own experience, it is rather difficult for a company to refuse to pay. It could only refuse death benefits under horrible circumstances.
Are you aware of any Quebec or Canadian insurance companies currently using genetic tests?
Mr. Laperrière: Truthfully, not really. Ms Bartha Knoppers from the University of Montreal did a study on these issues. It was published, I believe, in the Bar Review three or four years ago. It was about the use of genetic tests in employment and insurance. Your researchers could probably find it quite easily. Since then I have not seen any studies on these issues and they have only been studied from a hypothetical perspective. What would happen if we were to use the principles that are contained in the jurisprudence, but that are not necessarily about a particular case?
[English]
The Chair: Thank you. Did you finish your question, Mr. Assadourian? It's Mr. Godfrey's turn really and then Mr. MacLellan.
Mr. Assadourian: I have one quick intervention. My colleague raised the issue of denying life insurance for the first two years. My question is about denying you insurance, not the benefit. Can the insurance company deny you insurance because they know one or both of your parents died of a disease that is genetic and that might have affected you the day you were born? Can they deny you life insurance because they know you'll be dying in 15 or 20 years before your life expectancy in Canada?
[Translation]
Mr. Laperrière: What I can say, is that I've not seen such an example here nor in the United States. I have not seen an example of that before the courts. I have seen the courts deal with this particular issue. Could this have happened? I don't know. One would have to look into it.
[English]
The Chair: I think we'll look into that predisposition to risk and whether it can have any application.
Mr. Godfrey, followed by Mr. MacLellan.
.1230
Mr. Godfrey: Let me try to summarize where I think we as a committee are in all this.
First of all, we have a series of dynamic and emerging technologies that are challenging us and that are throwing up potential threats and actual cases. That's where we are. We as a committee decided to look at four of them but they obviously all come under a larger rubric of privacy.
Secondly, I think as a committee - and I certainly hear the witnesses saying this as well - we've decided the thing that makes the most sense in terms of general principle is to see this as a human rights issue. The problem we face with that is it's not as undergirded a right as other more traditional rights, such as freedom of speech and so on. So we have that as a challenge.
Thirdly, in various jurisdictions, including our own, we have codes like the Canadian Bankers Association privacy code, the Canadian Standards Association model code, the Quebec act, our own Privacy Commission's act, and so on, and these are the building blocks with which we have to work.
Fourthly, as a committee we've got to figure out what's realistic. What can we as a committee pull together as perhaps an imperfect answer to some of these questions, understanding that to take too ambitious an approach, for example to try to force through a constitutional amendment, would be more than we're capable of or we're asked to do?
Bearing in mind all those factors, I guess the kind of practical question that I want to put to the witnesses, which has been put very well by others, particularly Mr. Allmand, is this. Given that we're not in a European culture or society, that we do not come out of those experiences, but given that we're also frail humans who are capable of doing dreadful things to each other because we're humans, do we have within our grasp among existing models in Canada some things that, if we were to generalize them or couple them, might at least provide a bit of a working answer and solution to our problem?
I'm going to ask this of our visitor from British Columbia. Absent a more firm constitutional declaration about privacy being a fundamental human right, what if we were to take as a model to the extent that it's possible the new Quebec act respecting the protection of personal information in the privacy sector, as well as the Canadian Standards Association model code, and perhaps firmed up our own Privacy Act of Canada concerning activities in the federal field?
We discovered when we talked to the privacy commissioner that there are huge ambiguities between sections 7 and 8. On the one hand everything is protected, and on the other hand there are a bunch of exceptions that you can drive trucks through, including how you might possibly link up unemployment insurance data with Revenue Canada data on border crossings, which was being defended.
We would recommend three things: tightening up our own legislation, which is within our own domain; a generalization, if I may put it that way, of the Quebec act respecting personal information in the private sector; and encouraging the adoption of the voluntary code, perhaps the one put forward by the Canadian Standards Association.
I put this to Mr. Lawson. If we were to do those things, would that take us about as far down the road as we could reasonably expect to go without a major crisis or constitutional revision?
Mr. Lawson: I'd be very happy to see legislation recommended that would mirror the Quebec approach to the private sector. You were saying we should recommend what's in our purview. I think what I'm inviting or I'm suggesting is possible is something a bit bigger than that. It's very simple, in my respectful view, to amend the Privacy Act of Canada and extend it perhaps to the federal private sector. That's not a very difficult thing at all to do, but it's going to leave a huge gap. What about everyone else who's operating in the country? It's not a tenable solution, so I think the solution must be a fairly bold step that will include the private sector.
Mr. Godfrey: This would be modelling the federal piece of legislation inspired by the Quebec example, which would perhaps invite the other provinces to participate with complementary legislation à la québécoise, si j'ose dire.
.1235
Mr. Lawson: Perhaps - or make some very careful assiduous use of the model code. Standards enforcement is what the minister has already said.
It's very exciting and very difficult to work on. Well, what is that going to look like? The principles of data protection are not controversial; they're now accepted basically by industry and the private sector through the CSA's work.
I wouldn't be happy with simply inviting more voluntary codes in the private sector. I'm not sold on that, I confess. I'm very concerned that there should be not only a perception, but an ability, to put some teeth behind whatever rules there may be that a firm might adopt.
So the act of adopting an ethical code of practice is excellent, but when push comes to shove, I want to see some way of actually enforcing that protection. That's where some type of framework legislation that has already been proposed might be very effective. It would make use of the very good work that's been done already, and yet perhaps not be a humongous data protection act with all the trappings of it that I think may not be in the cards.
As for the Quebec approach, Quebec is the only jurisdiction in Canada that has met our obligation in the OECD as a member of the OECD, as late as it is. It behoves us at the federal level to really sit down and do that.
Mr. Godfrey: We should take a good look at that.
The second question relates to the first one. If we did something along the lines you proposed, could it be designed in such a way as to cover off the particular concerns the committee is addressing? That's everything from video surveillance to genetic testing technology and so on. Would it be too cumbersome or could general principles be established clearly enough to cover all those things?
Mr. Lawson: I'll go on record as saying that I'm happy with the general principles.
I'm sure you hear at great lengths from all sorts of groups that will be very concerned with the particular attention paid to genetic testing. I cannot imagine a technological technique that can produce one's identity more completely than DNA. So that's a particularly sensitive issue, but is it any different from the other issues we were talking about earlier? I don't know.
I'd be happy flying with a general approach to it. Set out the principles that are not disputed around the world, but put some teeth in to implement it. Invite firms that may be working in these areas, such as insurance, genetic testing and surveillance, to take a look themselves at how are they following some of these principles. With the help of a watchdog, push them into rethinking this on their own as to whether they are complying with some of these very basic human rights principles that are not controversial.
Mr. Godfrey: A final question just to make sure I'm understanding you clearly. As for the model codes and so on you're talking about that you're happy to see coming, are these the ones being proposed by the Minister of Justice?
Mr. Lawson: I'm eagerly awaiting whatever the minister might have in mind as far as legislation goes. One of the things I've suggested is that if we have this good work done, then Canada should be proud internationally of building a consensus.
I don't think there has ever been this type of consensus internationally between public and private users of information in terms of what the basic principles are. We've done it, and it's very respectable. Now let's make use of it.
Mr. Godfrey: So it would be crucial for us, as a committee, if we're not going to be at cross-purposes, to have the minister come by to talk about what he's working on so we're all singing from the same song sheet.
Mr. Lawson: I would agree with that.
Mr. Allmand: Good idea.
The Chair: John, through you to the panel, the European decision in OECD calls for ratification by 1998 by all participating nations. There are only two countries that have not done so as of now: the U.S. and Canada. I just wonder whether or not the differential of two years at this late date makes any difference.
Mr. Allmand: Even when we ratify conventions, we can always legislate in the field. There are many examples.
Mr. Lawson: That's right.
The Chair: Russell, perhaps you might pick that up.
Mr. MacLellan: As for the rights of the child, there are various examples, Madam Chair.
I'd like to go to this genetic testing once, just to take it to another dimension, I guess.
.1240
I agree that there is a general human rights issue, the right to privacy. I agree that it is a human rights issue. I think that's very well stated by our witnesses today. I think it has to be so. It's more than privacy; it is a human right.
I wanted to also mention that Mr. Lawson talked about the generality. I think there's a general position on human rights and privacy.
I think it's important, though, to look at it from the point of view that there's a general right of privacy, which is a human right, I feel. But on the other side, as for the party with which we're competing for this human right, I think we have to determine what their position is as well.
For instance, take surveillance cameras. You put them in certain places. You may find they're fine in the workplace and in malls, but in a park or a community, that's just going too far.
I think that's easier to determine than in the case of genetic testing and biotechnology because of the fact that you have such strong competing forces. There's the person's right to have privacy in terms of a deficient gene or the person's right to improve his or her health, which is the desire of that person to improve their health. if there can be something medically done.
Say they have a defective gene that would cause a certain crippling disease in the future. Say there is a possibility - not all cases have the medical technology yet, but in many cases there will be - that they will want to correct that deficiency, not only for themselves, but if possible, for their children, so they don't pass it along.
Yet you have the insurance companies. What is the insurance company's right to be able to deny insurance to somebody who has this medical treatment done to them? Insurance companies now can say that if the medical information is out there, they should know about it. They say that if a person has problems with their heart or has had cancer, then they should know that.
They ask us to fill out a form. We're obliged to tell them what our medical history is. They just merely add another question asking whether we have had any indication that we have a deficient gene that would be a cause of a crippling of a disease in the future.
Can they really enforce that kind of information being made available to them? What right is that? Is that a common law right? Is that a constitutional right? Can they say that this affects their whole ability to do business in the marketplace?
I think these are important questions, and I think we've got two good witnesses here to help us with those answers.
Mr. Lawson: I'm very keen to make a point about this contention. You used the words ``competing forces''. Are they really competing? I'm not sold on that myself.
I've talked about Europe, which is 100% covered by very terrific data protection. The world hasn't ground to a halt; business goes on. In fact, the basis for data protection legislation is to facilitate trade. The OECD guidelines are aimed at respecting human rights. They operate in a way that is mindful and respectful of these fundamental rights, but certainly not interfering for one second with the reasonable conduct of business.
It's easy for us to talk that way while there's privacy and then there's business, but privacy is good business. That's why we see the private sector so involved in the CSA process. Any prudent person in the private sector would never want to be connected with something that's so sensitive as invading peoples' privacy.
I think the insurance companies may not be a very big issue. As for becoming a friend of the insurance companies, that's a policy matter. I don't see much difference between a predisposition to heart attacks and some genetic predisposition. The difference, however, is that the insurance companies are playing around. They're already working with very sensitive information. They're embarking on a type of information, testing and technology that's brand new and that has never before been so capable of identifying people and causing so much havoc.
.1245
This committee, I submit, shouldn't worry unduly about whether the companies are correct in what they're doing. What are they doing with this information? How are they collecting it? That leads us again to the general principles that I'm very confident will be enough to cover what we're worried about today.
Mr. MacLellan: I don't have as high an opinion of the marketplace. I think that certainly a lot of private sector companies wouldn't want to be found to be accused of having used information to the hindrance of an individual. I think it's a fact that they don't want to get caught doing such and such a thing. I think knowledge is still power and money. I think we have to consider that.
I realize certainly what Mr. Lawson is saying, but I'm concerned that if there's an edge in the marketplace that could be used for business purposes, that while business will continue with the protections, I think we have to be careful of the situation with respect to the edge, whereby we're taking away from people in business on the other side. That's a concern. I think we have to be mindful of that.
The Chair: Were you concerned at all about the nature of the new types of health cards, smart cards or swipe cards that may have computerized information on them? These are information banks. One line might hold your DNA information. A second line might hold all your medical treatment information. A third line might have all your drugs.
That particular third item is now throughout Quebec and British Columbia on all the pharmaceutical machines. My husband got sick, and I wanted some medication. The doctor didn't have his information. We were isolated in the country. He went to the pharmacy, which produced the list of medications my husband was on. He looked to see what would be the complementary medication.
I was grateful - that's where the balancing act comes in - because they could find what would be complementary and helpful as opposed to what might create a problem. That's why your question of complementarity, fair balance and information becomes very vital. Where's the line? When is it too much, enough and not enough?
Mr. Lawson: There's a phrase called informational self-determinism. It's actually part of the German constitution. They made a constitutional amendment. Let people decide for themselves the extent to which they are offended by some use of their own information.
The first ingredient to this is that you have to know who has it, what they are doing with it and where it is. This is the principle of transparency. Once you know all about what other people are collecting and gathering about you, you decide for yourself. Under the rules of law, you're given some control over the practice. There are many ways of doing it.
Again, I'm very confident that these types of problems are resolvable. We're very close to it. We just have to take that step and put it into place, like everyone else in the world basically. It's high time for us to do that. We're one of the last, as you pointed out yourself, next to the United States.
The Chair: Mr. Laperrière.
[Translation]
Mr. Laperrière: To answer your question, madam Chair, I think that we can trust people to try to monitor information that exists about them, but we also need public rules to do so. In my opinion, the situation Mr. MacLellan described earlier on is very typical of what the future holds.
Big businesses and organizations can make systematic decisions at any point in time and can begin to require genetic tests for people applying for insurance.
.1250
[English]
The Chair: The American army is doing that right now. They'll have millions of DNA portraits of everyone in the armed forces, which can then be accessed by the police afterward. You're not even a criminal, and there's no warrant for your arrest. Those are the things we have to look at.
[Translation]
Mr. Laperrière: That is exactly the type of topic that should be addressed. We can refer to general rules and principles; we already have many of those and we can begin to use them. However, each sector, each type of problem and each industry is different. What is called second generation legislation or regulations, are precisely those rules that will apply to a particular sector, that is sectorial rules.
I think that at that point, the best way to approach the issue would be, for example in the insurance industry, to bring together insurers and companies that work in that field, government representatives and representatives of the public to try to see, as the Canadian Standards Association did, how a certain number of rules could be established for that sector if there is a consensus about them. When the interested parties are on board, administration and implementation problems are much easier to solve, because people know that it is in their business' interest to do so.
All this works together, but I still think we need some impetus from the government to have this process put in place, for everyone to be satisfied and in order to achieve interest balancing.
[English]
The Chair: Could we go back for a moment to the question that was posed by Mr. Godfrey? I think it summarizes, in a sense, the things we've been looking at and how far we should go.
We'll start with Mr. Allmand, who worked on that committee for amendments to the Criminal Code. What was it called, Warren?
Mr. Allmand: It was called Open and Shut. It was a review of the Privacy Act.
The Chair: Okay.
Mr. Allmand: It made lots of recommendations that were never implemented.
The Chair: Say we take what Mr. Godfrey said. Say we take Open and Shut to look at those things that have to be improved. Say we look at the strengthening of the Privacy Act, which has been recommended. Say we look at the CSA, the Canadian Standards Association, and the banking associations.
In a sense, we could take the Quebec-based act and allow for regulations. I sense you feel there are regulations in the different sectoral areas because each sector has particularities to it, but there has to be an overall ethical framework from which one has to work.
I got the sense from you, Mr. Lawson, that although New Zealand has a fine act, it's far too comprehensive and complex. It isn't, in a sense, sectoral; it's more global, and a feast for the lawyers.
Mr. Allmand: On that point, I understood that Mr. Lawson didn't complain that it was too comprehensive, but that it was too difficult for ordinary people to understand. The language was too complex.
Mr. Lawson: If there's a transcript, I want to read it very carefully. I'm not going on record as saying that the New Zealand act is too complex; it's difficult to read.
The Chair: Okay. So use ordinary language, as Sarkis would say.
Mr. Lawson: This is a challenge in itself. Not many people are enthused about it, but plain language is a very important thing. If we're expecting a small business operator to try to figure out what's going on and not hire lawyers, it's got to be pitched at a certain level of understanding. It's not tough to do it. It takes extra care in drafting it.
In response to what you're saying, Madam Chair, I think what the committee needs to do is very difficult. You cannot draft legislation in this room. It's an impossible task.
I'm very keen to see a variety of views about what the legislation could look like. You may hear from the minister as to what he has in mind. I would like to have you hear other ideas about what could be included.
.1255
In the work I've done, I've not had the opportunity to take that next step, which is to play around with it. How would it look? It's very difficult. It's not impossible, but it takes some very careful work. I think the more views you hear on the content and the mechanics of pulling this off, the better.
The Chair: Thank you very much. That's precisely our goal.
Mr. Godfrey: Just a suggestion to follow this up. Perhaps as we look at our work plan we might modify it to the extent of inviting the ministers, if they're both involved, from the Department of Industry and the Department of Justice to present us with a kind of working hypothesis of where they are before we go to talk to Canadians. Then we can test whether these are complete and consistent or not. That might in fact save time in the presentation and formation of the legislation.
We will be working together, rather than waiting around for something and carrying on in a different fashion. Say we could actually get hold of where they're going with this. Have the minister in. We could say we're not restricting ourselves to this, but that these are the general issues we've delineated. Here is the general approach. What do you think?
Then we can actually be quite helpful in getting those views from Canadians as to whether this is going to work or not, or whether we've left something out. Would that be a helpful way, do you think?
Mr. Lawson: I must express some sympathy -
The Chair: I just want to remind the committee that the Minister of Justice has already indicated that there are steps he has taken.
Number two, there has been a strong indication given to us that within a very short period of time a white paper will be out with precisely these questions. I don't know if the minister would respond prior to that, but certainly we could examine that.
Mr. Allmand: On John's point, having listened to this, I think we should also consider expanding our work plan.
So far, we've been listening to people who more or less favour the toughening of privacy. I think maybe we should call a few witnesses who may prevent obstacles if we get their point of view. For example, consider either the National Council on Business Issues or the chamber of commerce. I'd like to hear the business side.
It's no use listening just to witnesses who may be 100% favourable. We may want to find out the views of the people we may control, if we move to the private sector, so we know what we're up against.
Mr. MacLellan: I think this is important not only from the point of view of getting their perspective, but if we make recommendations that affect them and they don't have a chance to dialogue, then we will present our recommendations and they will then go to departments and put forward their concerns, of which we will not have any knowledge or anticipation. We'll be out of the picture with respect to their point of view altogether. I'd like to have their point of view, even if I don't agree with it, for the point of view of formulating a report.
The Chair: Thank you very much. I'll certainly take all of this into account when we have a session of our committee with respect to where we're going on the next steps.
I think that we're well aware of the fact - it was brought to our attention during a round table held by the privacy commissioner and the Minister of Industry - that data protection for the business sector has been looked at quite closely. We certainly can have that review very carefully done.
I really want to thank you very much for being with us. I think you've moved the debate forward into an area at which we must look a little more closely.
I'd like to tell those who are watching that if they're interested in transcripts, if they want more information, they can speak to our clerk, Mr. Wayne Cole. The phone number to reach him is 613-996-4663. As well, you can find committee transcripts in about three weeks on the Internet under PubNet.
I want to thank our researchers, Nancy Holmes, Susan Alter and certainly Bill Young, who are with the Library of Parliament.
.1300
I sincerely hope that those of you who are interested will be following our travels as we start sometime early in February to meet you across this country.
Thank you very much.
The meeting is adjourned.