INDY Committee Meeting

STANDING COMMITTEE ON INDUSTRY

COMITÉ PERMANENT DE L'INDUSTRIE

EVIDENCE

[Recorded by Electronic Apparatus]

Thursday, March 18, 1999

• 1535

[English]

The Chair (Ms. Susan Whelan (Essex, Lib.)): Pursuant to an order of reference of the House dated Tuesday, November 3, 1998, we are considering Bill C-54, an act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.

Mr. Dubé, you have a point of order.

[Translation]

Mr. Antoine Dubé (Lévis-et-Chutes-de-la-Chaudière, BQ): Madam Chair, I would like to respectfully raise a point of order. I wanted to do this at the end of this morning's meeting regarding an issue which I felt needed to be pointed out, but I was prevented from doing so. Commentary 319 of the Beauchesne says that when a member feels that a Standing Order has been violated, he must point this out to the Chair, who is obliged to rule on the question immediately.

I therefore am raising a point of order now, since I was unable to do so at the end of the last meeting. May I do so?

[English]

The Chair: Briefly, if you could. Mr. Dubé, you should be aware that the witnesses from Quebec have a time constraint, so please proceed.

[Translation]

Mr. Antoine Dubé: My point of order is as follows.

Often in the House, certain things are allowed to be said between political parties and between members. However, a member for whom I generally have a great deal of respect went a little bit too far this morning in speaking to the representative from the Ontario Health Ministry. What she said to him would not have insulted me personally, but I feel that he did not deserve it. She said to him: “You are a secessionist like the people from the Bloc Québécois.” I felt that went too far. I am simply raising a point of order; I do not want to open a debate on this. I would hope that our discussions could remain on a level that is more—

The Chair: Mr. Dubé—

Mr. Antoine Dubé: This is a point of order. I can read it to you in full.

[English]

The Chair: Mr. Dubé, you raised a point of order and I excused our witnesses to recess for five minutes. I was going to reconvene with your point of order, but you were not at the table when we reconvened.

That is what we normally do after question period. Questions end, the House settles down, and we reconvene. However, you were not at the table when we reconvened this afternoon, with all due respect. Therefore, I reconvened the meeting with another group of witnesses.

I had every intention of recognizing you this morning. It was nothing like that. I did not want to get into a point of debate and I am not going to get into debate. This is debate you are raising now.

I am going to move to our witnesses—

[Translation]

Mr. Antoine Dubé: No.

[English]

The Chair: —as they are in front of us.

[Translation]

Mr. Antoine Dubé: When you did that, you closed the meeting.

[English]

The Chair: Mr. Dubé, we will deal with your point of order at the end of the meeting. My duty is to maintain protocol. We have witnesses before us. I would have listened to your point of order this morning, but you were not here when we reconvened. Therefore, I will listen to it at the end of the meeting.

Now I am going to turn to our witnesses. We have three witnesses before us. We have the chair of the Canadian Information and Image Management Society, Mr. Vigi Gurushanta; Mr. David Johnston of the Information Highway Advisory Council; and from the Conseil du patronat du Québec, Madame Louise Marchand and Monsieur Gilles Taillon, president.

I understand there was an agreement amongst the witnesses that the Conseil du patronat du Québec would begin. Just so everyone is aware, all three witnesses will make their statements and then we will proceed with questions. Statements, hopefully, will be about five minutes in length.

[Translation]

Ms. Marchand.

Ms. Louise Marchand (Lawyer, Conseil du patronat du Québec): Thank you, Madam Chair. I would first like to say that I am accompanied today by Mr. Raymond Doray, from the legal firm Lavery de Billy, in Montreal, who is an expert in privacy protection. I would also like to apologize on behalf of the President of the Conseil du patronat, Mr. Gilles Taillon, who was held up at the last minute by an urgent meeting in Montreal.

I would like to begin by thanking the members of the committee for allowing the Conseil du patronat to provide its comments on Bill C-54.

The Conseil du patronat, which has been in existence for 30 years, is a confederation of management associations in Quebec. Its mandate is to raise awareness in government, among unions and in the general public of the opinions of Quebec business leaders on all issues directly and indirectly related to business. It is the only federation of its type in North America, with the exception of the Business Council of British Columbia.

• 1540

The Conseil du patronat represents over 100 business federations and associations with a variety of interests in the primary, secondary and tertiary sectors. Some 430 major companies are also members of the Conseil. In fact, most of the 100 largest Quebec companies are members.

[English]

Mr. Stan Keyes (Hamilton West, Lib.): Madam Chairman, I have a point of order. I am sorry to interrupt the witness during the presentation, but do we have copies of the presentation in English?

Ms. Louise Marchand: I'm sorry, sir. We have not been able to have it translated. Due to time constraints it was impossible for us to have it translated. It came in yesterday and I brought copies today. I'm sorry.

Mr. Stan Keyes: I know what the Bloc would do if it was only coming in English.

The Chair: No, in fact we allow witnesses to present in either official language, and it has been raised several times that we have—

Mr. Stan Keyes: I understand the presentation, Madam Chair, but not the written document.

The Chair: It will be translated and distributed to committee members.

Ms. Louise Marchand: I extend our apologies, but it was impossible.

The Chair: I instructed the clerk to distribute them in the French language.

Madame Marchand, please continue.

[Translation]

Ms. Louise Marchand: Thank you, Madam Chair.

What concerns the Conseil du patronat du Québec is that Bill C-54 would put in place two legal systems for Quebec firms and that would lead to major disputes. We note that the federal Parliament is using its declaratory power to act in the area of protection of personal information and its constitutional authority to act on an issue of national scope, as well as its international trade jurisdiction.

However, since subsection 92(13) of the British North America Act clearly gives the provinces jurisdiction in the area of protection of personal information and privacy and since Quebec has already enacted legislation within its jurisdiction and its borders, many jurisdictional disputes can be expected and businesses may pay the price.

Section 4 clearly demonstrates that the bill protects data collected, used or communicated by organizations in or outside of a province, and that it also protects private information in the context of business activities taking place inside or outside of a province. Furthermore, we understand that information on federal employees will also be covered.

Despite the fact that Quebec would be excluded from the federal legislation, as stipulated in paragraph 27(2)(d), which we don't think the current provision allows for, the provisions contained in the federal bill would subject companies operating in Quebec to two distinct pieces of legislation: the law from Quebec, which would apply to data collected, used and transmitted within the province, and the federal law, which would apply to data transmitted outside the province. Once the other provinces have passed similar laws, companies based in Quebec will also have to comply with those laws.

This is all very worrying for business people. Not only must they be able to count on predictable current laws, but they cannot afford to be caught in the middle of a fight over two different legal jurisdictions.

The Chair: Ms.—

Ms. Louise Marchand: Yes, Madam Chair.

[English]

The Chair: Could I ask you, please, to slow down. It is very difficult for translation when you read that quickly.

[Translation]

Ms. Louise Marchand: Even though the Minister of Industry stated in an October 1998 press release, when he introduced the bill, that Quebec would be exempt from the federal legislation, since Quebec already has its own legislation and that, in the Minister's opinion, it is in line with the federal bill, we submit that the current wording, as contained in paragraph 27(2)(d), does not allow Quebec to withdraw from it. We therefore believe that the wording of that section should be amended if the Minister truly intends to exempt a province from the bill.

Furthermore, this exclusion would only solve part of the problem insofar as—to our understanding—it only targets data being transmitted within a province. In fact, the federal law would apply the moment data was sent outside a province. As drafted, the provisions of Bill C-54 would still cover federal businesses operating in Quebec.

• 1545

We would recommend a solution based on the Divorce Act. Indeed, the federal government has decided that when a province passes guidelines on child support, provincial standards apply to the parent residing in that province.

We therefore recommend that Bill C-54 be changed so that when a province passes its own privacy protection legislation, if it is in line with the federal law, the provincial legislation applies inside and outside the province for federal and provincial businesses operating within that province. If the federal government enacts this principle, its advantage would lie in its simplicity: the law of the jurisdiction where data is collected would apply.

Furthermore, we are concerned that if the legislation provides for a referral to a voluntary standard, it will make it less straightforward and predictable. We are also rather concerned about the way the bill refers to the Model Code contained in the bill's schedule, especially in view of the fact that subsection 5(2) of Bill C-54 specifies that the use of the conditional tense in certain sections of the Model Code indicates a recommendation and does not impose an obligation.

A business must be governed by specific rules; vague and unclear provisions will only compromise the objective.

In conclusion, Madam Chair, we agree with the federal government that it is important to protect personal information, but if it is to reach its goal, we invite it to seriously consider our proposal in order to provide businesses, which will have to protect data, with a simpler and more predictable environment to work in.

Thank you.

[English]

The Chair: Thank you very much, Ms. Marchand.

I will now turn to the Information Highway Advisory Council. Mr. David Johnston, please.

[Translation]

Mr. David Johnston (Information Highway Advisory Council): Thank you, Madam Chair. My name is David Johnston. I teach law at McGill University's Centre for Medicine, Ethics, and Law and I have been past President of the Information Highway Advisory Council.

Thank you very much for giving me the opportunity to speak today.

[English]

It will not surprise you, Madam Chair, that our council and I are very strongly supportive of this legislation and applaud the government for presenting something that we think is important to Canada, to electronic commerce, and also to the basic civility of our society. We also believe that the balance that has been struck in this legislation with respect to privacy and electronic commerce is a very appropriate balance.

I will speak for a moment on the work of the Information Highway Advisory Council, and then I will speak specifically to the bill.

Our role was to advise the government on policies for the knowledge-based society, emphasizing in particular privacy protection. The Speech from the Throne of 1994 announced the intention of the government to develop a strategy to address the challenges of the information highway. In April 1994 the Minister of Industry established the Information Highway Advisory Council as one of the vehicles to provide advice to the government on public policy related issues.

Our council is made up of 29 members drawn from all walks of life and from all corners of the country: telecommunications, broadcasting and information technology industries; artistic, creative and educational communities; and consumer and labour groups.

There were three broad objectives given to our council by the government: to create jobs through innovation; to ensure universal access at reasonable cost to the information highway; and to reinforce Canadian sovereignty and cultural identity.

We were also given four guiding principles: an interconnected and interoperable network of networks; collaborative public and private sector development; competition in facilities, products and services; and privacy protection and network security.

Being good Canadians, of course, we took those objectives, principles and the 15 issues as our terms of reference. However, in our third meeting we went back to Mr. Manley and respectfully asked if we could add a fifth principle to the ones that should guide our work, which was accepted, and it was that lifelong learning should be a key design element in building the information highway, thereby indicating a culture where all citizens should seize the opportunity to learn throughout their lives and that we should make every opportunity available for those learning opportunities to occur.

Our advice was sought on 15 very large issues, ranging from competition to culture, access to learning, R and D, privacy and so on.

• 1550

Our first report was entitled Connection, Community and Content: The Challenge of the Information Highway. It was published in September 1995, and we made 224 recommendations that addressed a wide range of policy issues, including competition in telecommunications, cultural policies, access, growth and competitiveness, lifelong learning, and research and development.

In June 1996 we were invited to serve an additional year with a twofold mission, this time to report on Canada's progress and, secondly, to advance the public policy agenda by advising on outstanding issues, with particular emphasis on access, Canadian content, Internet, economic growth, workplace and lifelong learning. We completed that mandate in April 1997, became functus officio, and our final report Preparing Canada for a Digital World was released in September 1997.

Let me turn quite specifically to the matter of privacy. The crux of our work in the area of privacy protection was done in the first phase of our mandate, not surprisingly because of the importance we attached to that particular broad area.

We examined the wide range of issues on our table through five different working groups: one on competitiveness and job creation; a second on Canadian content and culture; a third on access and social impacts; a fourth on learning and training; and a fifth on research and development, applications and market development.

It was our working group on access and social impacts, chaired by Francis Fox, that was charged with the responsibility of addressing the issue of how to protect personal privacy and security of information in an electronic environment.

Many of the 224 recommendations were rooted in the concerns over how personal information is gathered, stored and used. We submit that with the increased amount of information—health, education, employment records, financial records—flowing over interconnected networks, there is a potential for information to be integrated with data to create individual profiles that could be sent over provincial and national boundaries and possibly sold or resold for purposes without an individual's knowledge or consent. We strongly believe that for consumers and citizens to have confidence in an electronic environment—that important word “trust”—they must be afforded some control over their personal information and need to be assured a basic level of protection, and we believe that is embodied in the legislation before you.

Therefore, we fully endorse and recommend that any privacy legislation approach embody all the principles of fair information practices that we believe were carefully and thoughtfully negotiated with industry through the Canadian Standards Association, which developed the CSA model code for the protection of personal information. With great enthusiasm, we recommended to government that it develop coherent national framework legislation that would provide effective privacy protection in the electronic environment, which would apply to the private sector and governments alike.

The legislation before you was announced in October 1998 when the Minister of Industry and the Attorney General of Canada presented the bill that is before you as one of the pillars that would ensure Canada's being a world leader in electronic commerce by the year 2000 and that Canada would be the most connected nation by the year 2000. This is a major component of the Canadian electronic commerce strategy announced by Prime Minister Chrétien in September 1998, and we believe it is a most attractive response to the recommendations that we made with respect to national legislation to protect privacy. We believe it will provide comprehensive and balanced privacy protection in commercial activities across Canada. We believe it is something Canadians feel strongly about, and more strongly about as we come to understand the information revolution with greater sensitivity.

A recent survey—and I am sure you have seen many—by Angus Reid found that 80% of Canadians think their personal data should be kept strictly confidential, and a 1998 Ekos survey found that four out of five Canadians want the government to work with business to set rules for privacy protection.

In this legislation we are striking a balance between the somewhat more prescriptive approach of the European nations in the European Union and the somewhat more laissez-faire approach of the United States, our neighbours to the south. In our opinion, the balance is just about right.

Some witnesses have decried Bill C-54 as being not strong enough and others have characterized it as going too far. In our view, it does strike the right broad balance between the protection of individuals' personal information and legitimate business needs to collect and use information. I would venture a little further to say that I believe this particular initiative, which is part of the trust we are trying to build in electronic commerce, in fact will be a competitive advantage for Canada in attracting commerce to a nation that provides a law framework that is fair, understood and accessible.

• 1555

Oversight will be complaint driven. We believe it will be responsible privacy protection without being unduly overburdensome for industry or for small business. The complaint-driven part of it is important in that it gives the privacy commissioner a strong public education and advisory role to help businesses comply with the law, to launch investigations, to compel witnesses and evidence, and to conduct audits where he or she, the privacy commissioner, has reasonable cause to think something might be happening that is contrary to law.

The crucial elements for control over one's personal data are twofold: first, being given the opportunity to consent to have it collected, used or disclosed; and second, once held by a company, being given the opportunity to access it and have it corrected. This sets an appropriate obligation on business, but consumers too must thoughtfully and thoroughly consider the consent being requested, the purposes for which consent is being requested, and withhold that consent where necessary. The same applies to access. Procedural requirements are set for business, but it is for consumers to use in order for the principle of access to become an effective protection tool.

I will not comment on the second and also very important part of the bill, which is more technical, but I have the sense that perhaps it is less controversial from a public policy concern.

[Translation]

I would simply like to say that I fervently support this bill. Thank you.

[English]

The Chair: Thank you very much, Mr. Johnston.

I am now going to turn to Mr. Gurushanta, chair of the Canadian Information and Image Management Society.

Mr. Vigi Gurushanta (Chair, Standards Committee, Canadian Information and Image Management Society): Thank you, Madam Chair, members of the committee, ladies and gentlemen.

On behalf of the Canadian Information and Image Management Society, CIIMS, I thank you for the invitation to address this committee. We are pleased that you have tabled this bill for deliberation.

We believe that electronic commerce will play a significant role in the Canadian economy. It is happening now and has been so for some years, and it will continue to accelerate at a much faster rate.

Canada needs electronic commerce to be a world leader in the global digital economy. You heard from the ministers of justice and industry that there are over 300 federal statutes that prohibit electronic delivery systems today. These restrictions have created a state of uncertainty in Canada's legal system in the acceptance of electronic records.

Over the years we have raised this issue. In fact the first time we raised this issue was when the Honourable Kim Campbell was the Minister of Justice, and you all know how long ago that was. Ever since that time we have kept up our dialogue. In recent years we have worked with the Uniform Law Conference of Canada to arrive at the uniform electronic evidence act that is now part of this bill.

In late 1993, having nothing in front of us, CIIMS and the Canadian General Standards Board developed a national standard for the acceptance of electronic and microfilm images to guide our user community. We needed this. This is a means to convert paper documents to a technology format to improve productivity in the user area.

We tackled this part first since paper carries the greatest weight in evidentiary requirements. Our efforts in this standard are to guide organizations to have reliable electronic image systems to produce accurate, reliable and trustworthy electronic documents in order to keep permanent records in the event that it is required for court proceedings. Revenue Canada, the GST department and others now make reference to this particular standard.

We recognize the complexity of this bill in having both personal information protection and electronic documents act together. We believe that because of the common thread of the technology, they are both essential to complementing each other in moving forward in the area of electronic commerce.

In our submission we have identified areas that need your attention and announcement where required. I would like to touch briefly on some of them.

The protection of personal information is deep and personal for every Canadian. We do not profess to be experts in this field. I guess you have heard quite a bit about this matter. Many dialogues and discussions have taken place, which are all quite familiar. Our support in this area comes simply from having the CSA code. It is a model and a standard to which we can all adhere. We are pleased that you have included that as a schedule to this bill.

• 1600

On the international front, we raised the implications that e-commerce had on international transactions. As we move forward, we need to be sensitive to the regulations of other countries and to honour the code, which will not disrupt the free flow of data to other countries.

Electronic signatures is an area that requires careful scrutiny and a stricter control on how we deploy the technology process to authenticate electronic signatures. It warrants perhaps a certification process to authenticate such records in this area.

In clause 37 the retention of documents under electronic media differs significantly from the paper format. We are constantly facing the challenges of technology obsolescence and the influence that will render electronic records useless in the future. We have scores of examples of how industry is struggling in this area. We project that different formats will emerge for the long-term retention of records. We need to make a provision to accept such records in the future. We commend the acceptance of the standards in your bill as a means to help the industry and the user community.

CIIMS has long advocated the use and express recognition in law of this inclusion. The user community of technology records needs a standard at the outset to prepare this system to produce reliable records, following the standards of best practices in the industry. Compliance with the standards does not necessarily mean we are asking that it be automatically admitted. It defines the best practices, the best the industry can offer, to be followed to ensure reliable electronic systems that will produce accurate and trustworthy electronic documents.

Madam Chair, we thank you for the opportunity to address this committee and for the consideration of our submissions. We realize that members of the committee are faced with highly technical issues in dealing with electronic technology, which is constantly evolving. It is also important to bear in mind that this technology will touch every ministry. Whether it be federal or provincial, whether it be Health Canada, Transport Canada, Industry Canada or Revenue Canada, electronic technology will touch it and you will have to deal with that.

For our part, we have identified that considerable efforts are needed to develop new standards and guidelines to meet the demands of the technology evolution in this bill. We are currently engaged with the Canadian General Standards Board to revise existing standards and to bring about new standards to meet your requirements under this bill. These standards will form the infrastructure upon which part 2 of Bill C-54 will be dependent. CIIMS and the Canadian General Standards Board are currently soliciting the necessary funding from federal departments, the provinces and CIIMS members.

Development of these standards needs the financial support of this organization. Canadians need trust and confidence to move forward in this area. They need well-defined industry practices and standards to rely on so their records will be accurate and trustworthy for all intended purposes. We cannot sit idle and become obsolete because we have not kept up to the standards and the regulations in the same way as e-commerce has. We cannot sit back and do nothing in Canada.

Canadians need this bill and the supporting standards in order to be a world leader in electronic commerce and data interchange. Moreover, we need to work together to meet the demands of electronic technology in our legal system. It needs your support, encouragement and resources now and in the future to ensure that Canada is prepared to meet the challenges of e-commerce in the next millennium.

Madam Chair, if permitted, we are prepared to answer questions.

The Chair: Thank you.

Mr. Lowther.

Mr. Eric Lowther (Calgary Centre, Ref.): Thank you, Madam Chair.

I am going to start with Mr. Gurushanta. I would like to ask a quick question about the CIIMS organization. Can you clarify a bit what your association is all about? What is the main thing you do?

• 1605

Mr. Vigi Gurushanta: Our association is a non-profit organization. We deal primarily with electronic images and electronic records and microfilm images. We primarily started off with microfilm image conversion and the series of standards that we developed. We are moving to the electronic side of it now.

Mr. Eric Lowther: All right. It is a management society, but do you have members right across the country?

Mr. Vigi Gurushanta: Right across the country, yes.

Mr. Eric Lowther: I think I am familiar with your organization. Have you changed the name in the last five years or something?

Mr. Vigi Gurushanta: Yes. In 1986 we changed from the Canadian Micrographic Association to the Canadian Information and Image Management Society to meet the electronics side of it.

Mr. Eric Lowther: Following along on that, I wonder if this legislation isn't trying to catch up with the development of the whole information age explosion. You made a bit of reference to that near the end of your comments, that this is moving ahead and we should try to keep in step.

I am reminded of how much information is out there. I was at home last week, and my son was able to go on the Internet to get a picture from a camera here on the Peace Tower shooting down on the snow statues that are no longer there. He gets a 15-minute snapshot over the Internet of what is going on in front of the House of Commons. You can digitize a picture of somebody now, put it on the Internet and broadcast it. It is just mushrooming, as you would well know.

The whole concept of trying to somehow put rules around this thing to protect privacy almost seems to be an impossibility. It is almost an impossible job. There is too much, going too fast and in too many places to contain this thing.

Within that context you talk about defining best practices. I like that idea, the best practices around what is the inappropriate use of personal information, and then using the privacy commissioner, with the appropriate staff, to make determinations on that inappropriate use and apply significant enough penalties that there is a deterrence factor; that we try more from the deterrence side around some best practices, rather than the control approach, just because controlling it is an impossibility, I submit.

What are your thoughts on that?

Mr. Vigi Gurushanta: We recognize the weakness in the Canadian legal system in dealing with the way this electronic world is moving. We raised this issue over 10 years ago. We recognized that this was going to happen and that we needed something. This was a welcome relief, to be honest with you.

We recognized the dangers of the use and the misuse of electronic technology. We know for sure that the information can be gathered and misused—or not necessarily misused, but it can be inadvertently exposed. These are elements that exist in the electronic world today. You have heard of the hackers and you have heard of the many examples of how information was lost.

These are all the issues we face. The reason we face them is that there is no legislation, no control, by which we can advise commercial operations or hospitals by saying “Look, you cannot be negligent in all of these things. You have to take responsibility.” This bill, we feel, provides that kind of protection and says you have to protect, there have to be security controls associated with it.

These things are currently not exposed to the general public. We are just using it very loosely, just like your son in the example you gave, without realizing the danger that may be caused. The only way to do that is to have a law that says you can't do this any more. You have to take preventive action, you have to be protective, and you have to be responsible in the way in which you use or misuse the system. This is where we feel it adds value, and we could be more conscious of that in the future.

I hope I have answered that question.

Mr. Eric Lowther: Thank you. I guess you did answer it.

Maybe I will broaden it to include Mr. Johnston as well, in the same vein. I want to press on this again.

• 1610

We are trying to define in law what you can or cannot do in relation to certain types or pieces of information, as far as movement and who has access to the information are concerned. I don't know how we are ever going to really be able to control that. We are sort of saying let's stop time and build law around what we know today, but tomorrow there will be a new development, some new way to move information, and what we have designed today will not work tomorrow.

Perhaps the approach should be more along the lines of best practices. There is information all over the place and our best practice is to find what we are comfortable with, how that information can be used without being inappropriate. Maybe the privacy commissioner or somebody like that, who would be an impartial ombudsman, could say “Yes, you are within the appropriate use” or “No, you are outside the appropriate use”, and then you could apply significant penalties when need be. It would be a looser approach, rather than trying to tighten it up with legislation.

Mr. Johnston, you're nodding. Do you have any comments?

Mr. David Johnston: Thank you very much for the question. You are quite right that law is always somewhat behind new functions, new technology. It is form following function, a principle of architecture that should always apply to public policy.

Number two, this is an area of very dynamic change. Therefore, if one is going to pass law, it should not be rigid, highly specific or highly detailed and it should be as technologically neutral as possible. I am satisfied that in the bill before you, you have achieved that.

Number three, in my judgment it is appropriate to have a rule of law framework to deal with privacy in today's information society. What is attractive about the rule of law framework that you have before you is that there is a high degree of flexibility in it.

Number one, it does provide an opportunity for voluntary compliance.

Number two, it encourages private sector associations to come forward with their own standards, which at least meet the standards and the principles of this legislation and in some instances will go further, and one hopes will go further because, in my judgment, that will give Canadian commerce a competitive advantage in the world.

Number three, there is a very careful adjustment and calibration of the penalties, remedies and sanctions in this legislation, which strike me as being not too heavy and as appropriate to try to ensure that the law, first, is understood and then, second, is applied.

Finally, I think the role that is given to the privacy commissioner is an appropriate one, to use that office both for educational purposes and to be involved in the sanction-applying mechanisms when necessary. It is not heavily criminal legislation; it is by and large civil legislation, and it strikes me that it is necessary as legislation, but it is rather light and not heavy.

The Chair: Thanks very much, Mr. Lowther.

Mrs. Barnes, please.

Mrs. Sue Barnes (London West, Lib.): Thank you.

I appreciated the effort and the eloquence of all three presentations today and I welcome you here. I wish to say a special hello to one of my early mentors, my former dean of law, who is now sitting across the table. As he said, it is my turn, so I'll start with him.

I want to start generally. Have you had experience in other situations where everyone is supportive of the principles but then says “Please exempt me” or “Not now, we're not ready yet; let's delay this, let's rethink it” and “The sky is falling; this is going to kill my business”? Do you have some generalized comments on your experience in that area?

Mr. David Johnston: Thank you very much, Madam Chair, Mrs. Barnes.

There is an element of poetic justice when a former student who has been been subjected to the Socratic method that is practised in law school has a chance to put the shoe on the other foot. There is a god and that god ensures that justice is done, whoever he or she may be.

I am not an expert in this area of the law. I have looked at this in at least two other contexts. The first time was when I led a delegation of the conference of rectors and principals of the University of Quebec before a standing committee of the National Assembly when the first privacy legislation in Quebec was being introduced. Our position, as you might expect from a very bureaucratic, ossified group of university administrators, was to please exempt us from this because, number one, we are perfectly capable of regulating these matter ourselves; number two, it really shouldn't apply in our particular world; number three, it will be enormously costly if it does occur; and number four, the world will collapse if this legislation proceeds as it should.

• 1615

We were totally ignored and probably deserved to be ignored with that kind of presentation. I think it would have been more appropriate to try to find some tailored way to establish compliance that met the spirit without the letter.

Our experience in our university was that while there were costs of implementation, and they were serious, nevertheless, for the most part, they were practices that we should have adopted ourselves in the earlier 5, 10 or 15 years. While I was not part of the data analysis teams that had to put the mechanisms in place, I am satisfied that our university is a much better place today in dealing with the various records about our students than it was prior to the legislation.

I think I have to recant a bit the submission I made at that time and say that by and large the Quebec experiment has been a very successful one.

The second thing I would say about requirements or propositions for exemptions is to be wary. Each of us who has our own ox gored, of course, will find a strong and compelling case.

What is attractive about this legislation is that it is pretty highly generalized. The measures to enforce it are not draconian. There is a high degree of emphasis on education and there is this wonderful opportunity for voluntary compliance to reach the same standard in a different way or an even higher standard. I think that is a very important part of being Canadian: to be more entrepreneurial, to be the most connected nation in the world, to be a world leader in electronic commerce, and to be a very civilized nation that understands that an individual's privacy is quite precious. And we should recognize that.

In law there was a famous article written by Warren and Brandies in 1903, in the Harvard Law Review, that first attempted to recognize a common law right of privacy. The basic theme of Professors Warren and Brandies was that privacy is the right to be left alone. Since that time, almost 100 years, as the information revolution has become more pervasive, it is much more complex than that. It is at least the right to be left alone, but it is also the right to know what other people know about us and have some control over that. I think that has become a part of citizenship, and it is important that we recognize it in this way.

Mrs. Sue Barnes: Dean Johnston, I would still be happy to be your student.

I want to go into one of the technical aspects of the bill, and it has to do with trying to create this balance. It is a very important part of the bill, especially for those who have large commercial interests. They are used to dealing in a certain way with a certain set of defences and procedures.

One of those concerns was brought out by a couple of witnesses surrounding the privacy commissioner's powers of not only investigation and audit, but also, in particular, respecting the search and seizure powers under some clauses of the bill. The request put before this committee for its due consideration was whether a search warrant should be a necessary procedure to be used. I would like to ask you directly whether, in your view, the powers given under this bill to the privacy commissioner are overly intrusive or appropriate. Or do you think we have to re-examine this area?

Mr. David Johnston: Let me make three brief comments.

Number one, I am not sufficiently expert to give a very thoughtful answer to your very important question.

Number two, my sense as an amateur in this area is that the balance has been struck about right, without having a real command of all of the details. These are civil powers, as opposed to criminal powers, and it strikes me that this is an important theme in this legislation at this time.

Number three, the analog, I suppose, that would occur to me, where I do have some expertise, is in the area of securities regulation, where the powers given to the administrative tribunal, the securities commissions of the provinces, and the various investigative and audit techniques they use, are much more draconian than the ones in this bill. Therefore, I would say that this bill is somewhat moderate with respect to the arsenal of powers available. Perhaps that is appropriate when we are dealing with privacy as opposed to movables such as securities.

Mrs. Sue Barnes: Would either of the other witnesses care to comment on exactly the same point?

Mr. Vigi Gurushanta: I don't have any comments to add to what David has said. He explained it very nicely, I thought.

• 1620

In listening this morning to Bruce Phillips' comment about the extent of the powers, since this is in civil hands and not police hands, there is a motivation and an understanding required, rather than making it into a rigid rule.

That is my gut feeling on this.

Mrs. Sue Barnes: Thank you. Would anybody else like to comment?

Ms. Louise Marchand: I think I will ask Mr. Doray to respond to that question, because he is the expert.

[Translation]

Mr. Raymond Doray (Attorney, Lavery de Billy): If I may say so, Madam Chair, I have a certain amount of experience with the legislation from Quebec. Twenty years ago, I had the opportunity to help draft this bill which covers the public sector. I work in this area on a daily basis, since 90% of my law practice deals with the protection of privacy information. I have been doing this for 20 years.

I must say that in Quebec, the Access to Information Commission has powers which go far beyond anything contained in this bill, powers which have never been used since the bill, as applied to the private sector, was enacted in 1994.

If I want the federal legislation to make sense, the monitoring authority must be able to act fairly quickly, without having to go before a tribunal. Things move very fast in the area of privacy protection. When private information is leaked, you have to act well before your medical record or other extremely sensitive information finds its way into the papers or on to a computer.

This has happened in Quebec. About seven or eight years ago, we found hundreds of files belonging to a well-known financial institution by sheer coincidence. They had been forgotten at the corner of Sainte-Catherine and Jeanne-Mance in Montreal. Children were playing with the files and were passing them around. In that case, it was important that the Access to Information Commission act quickly. The Commission did not have to seek authorization or a warrant for seizure; it was able to act quickly.

On a movie shoot in Montreal, an accessory provider had brought in medical files—authentic medical files—so a scene could look more realistic. The Commission was able to intervene right away without having to first go to a tribunal. On that point, I believe the bill, as regards the power of the Commissioner, is very fine-tuned and probably quite satisfactory.

[English]

The Chair: Thank you.

Thank you, Mrs. Barnes.

[Translation]

Mr. Dubé, please.

Mr. Antoine Dubé: My questions are for the representatives of the Conseil du patronat and, if I have any time left, I will ask questions of the other witnesses.

First, I would like to reassure you. Don't feel too guilty about presenting a brief in French. This is something our members have to live with. It gives our colleagues the opportunity to understand how we sometimes feel.

I thought your idea about compromise was quite interesting. I'm referring to the jurisdiction where the data is collected. Not many witnesses have spoken about this and I believe we should study the idea more closely.

Mr. Doray, you started speaking about the Quebec legislation. I did not know you were so involved with it.

Generally speaking, how satisfied is the Conseil du patronat with the Quebec legislation after five years?

Ms. Louise Marchand: You're right, it has been in effect for five years. When the bill was first enacted, Quebec companies were extremely reticent, but slowly, over the years, they have learned to live with it. This is what concerns us. Quebec companies have lived with this law for five years and they have begun to understand it and deal with it fairly well. If they are subject to a second piece of legislation, it will certainly make their lives more difficult.

• 1625

I will let Mr. Doray answer the more technical questions.

Mr. Raymond Doray: There are still a few problems with the Quebec legislation, but on the whole it works fairly well, despite the fact that we have a law written as a law—I mean whose legal and statutory obligations are defined. But it is still relatively difficult for companies to understand exactly what is expected of them.

Given that the terms of the law are fairly general in order to cover many situations and to adapt to changing practices and technologies, it is sometimes very difficult to understand how the bill affects a company on a day-to-day basis.

You often have to read hundreds and hundreds of pages of case law by the Access to Information Commission or by legal tribunals to understand what you should or should not do. And if, in certain cases, there is controversy around the case law, well, that's a wonderful thing for lawyers like me, but it becomes a nightmare for businesses.

The word of caution contained in the Conseil du patronat's brief alludes to this. Inasmuch as it is possible, it is important for standards to be clear because, in the ever-changing field of information, interpreting standards in order to adapt them to reality is in itself already a complex exercise.

As I listened to Mr. Johnston, I began to have doubts about his approach. I understand he is enthusiastic and optimistic because the standards based on ACNOR's code provides the necessarily flexibility for businesses, but I am nevertheless confused. I think companies prefer predictability to flexibility. They want the lowest possible number of lawsuits and they want clear guidelines on what to do and how to do it. Companies will quickly adapt and they will spend money if they have to, but they don't want the situation to change every week or every month, depending on how closely you interpret a provision or depending on which way the wind is blowing.

My concern, and this is something I've talked about with the Conseil du patronat, is that the code is rather vague in many areas and this might work against Canadian companies instead of for them. But this is just what I think.

Mr. Antoine Dubé: My second question deals precisely with that matter. You already know that the standards are contained in a schedule and that many sentences use the conditional tense, since you've already pointed this out. This might lead us to make some recommendations to that effect.

Some witnesses have said that it might be necessary to include mandatory measures in the main body of the bill and to use the conditional tense for the standards. Would you agree with this?

Mr. Raymond Doray: That might be a solution, but I don't think we are in a position to provide advice to legal experts. However, it might at least clarify the standards and the mandatory measures might be a good thing for companies. You have to understand that the code and section 7, which amends the code, is not readily available to the average Canadian businessman.

Mr. Antoine Dubé: I will ask you three small questions as quickly as I can, because this is probably the last chance I have to speak.

Was the Conseil du patronat consulted when the ACNOR standards were developed? We know it is a voluntary code.

• 1630

Do you think we need more time to fine-tune the bill before passing it? The Canadian Bankers Association wanted more widespread consultations, notably about subsection 7(3)(b).

We've also talked about data destruction. You mentioned it briefly and I would like you to go into a little more detail about it.

Ms. Louise Marchand: To answer your first question, we were not consulted when the Canadian Standards Association developed its code.

Second, I think it's important that companies be consulted about the regulations. In that regard, we support the recommendation made by the Canadian Bankers Association. In fact, this leads me to address several other concerns.

In our brief, we state:

...we recommend that the exception contained in paragraph 7(3)(a) of the bill as well as section 4.3 of the Model Code be expanded in order to let organizations communicate personal data without the consent of the interested party when the organization wishes to obtain a legal opinion...

This would happen during a lawsuit, but also before, so that a company may consult an attorney even before an individual launches a lawsuit against it.

Regarding the communication of data to an agent, there are more and more companies in Quebec and elsewhere in Canada which hire subcontractors for computer services. These companies must be able to provide their data to these agents without previously needing to obtain consent.

As for the destruction of documents, we are concerned that credit or insurance companies, which may have information on individuals, will have to, under section 4.5.3 of the code, destroy, erase or make anonymous personal information that is no longer required to fulfil the identified purposes.

We are concerned. Will a company have to destroy a credit file the moment it is closed? In the same vein, will an insurer who has collected information on a person have to destroy his file from the moment this person ceases to do business with him? We have a recommendation to that effect.

[English]

The Chair: Thank you. Merci, Monsieur Dubé.

Ms. Jennings, please.

[Translation]

Ms. Marlene Jennings (Notre-Dame-de-Grâce—Lachine, Lib.): I would like to thank the three witnesses. I greatly enjoyed their presentations.

I have a question for Ms. Marchand regarding the solution her organization recommends. The aim of the solution is to prevent a company from being subjected to two laws.

On page 8 of your brief, you provide examples on how your solution would be applied. I feel that even with your proposed solution, some organizations or companies would still fall under two different laws.

In example B, which deals with federal enterprises and organizations, your solution is based on the principle that the law of the jurisdiction where data is collected would always prevail.

In your brief, you say:

If the data is collected in a province which has passed legislation deemed compliant, the provincial legislation prevails.

For instance, this would apply to a federal organization which collects data in several provinces. So, if I understood you correctly, if this data is collected in Quebec—which has legislation deemed compliant, according to the Minister of Industry—the Quebec statute would prevail and it would fall under Quebec's legal system.

• 1635

What about organizations which have offices in other provinces, which are covered by federal statutes? Take the Export Development Corporation or banks which have branches across the country. These organizations collect secret information in another jurisdiction.

In that case, the other province may or may not have legislation deemed compliant. Therefore, the data collected in the other jurisdiction would fall under either the provincial or the federal law. In any case, the organization would be subjected to two pieces of legislation if it collects data in other provinces. Is that correct?

Mr. Raymond Doray: It's very clear.

Indeed, it is impossible, and I would even say that it is one of the characteristics of Canadian federalism with everything that entails. Of course, the Canadian Constitution does not indicate which level of government is responsible for privacy protection. Therefore, we have to take the Constitution and adapt it to the ever-changing reality of information.

The same principle applies to the insurance sector. An insurance company which does business throughout the country has to respect British Columbia's insurance law when dealing with its clients in that province, and it respects Quebec's law when dealing with its Quebec clients; the company's head office is usually in Toronto. The insurance brokers of the insurance company follow Quebec's rules when working on an insurance policy in Quebec, and they follow British Columbia's rules when they are working on a policy in British Columbia. It works.

You are right in saying that a business which operates throughout Canada, such as a bank, will have to live by Quebec's rules and those of the other provinces, should the others also pass privacy protection laws. Let's hope that happens soon. But what is important for a business is that it not be subjected to two different legal systems when dealing with personal data. In the model suggested by the Conseil du patronat, the rules of the jurisdiction where the data is collected would apply. Nothing prevents the federal government or Parliament from saying in its bill that the rules of the jurisdiction where the data is collected should apply, even for data sent outside a province.

In your example, a Canadian bank collects personal information on someone from Quebec and must apply Quebec's rules to that information throughout Canada. The bank will in all likelihood not get information on a Quebecker in British Columbia. It might happen, but that would be an exception, and the law can provide for such cases. I feel we must have a legal framework to govern most situations. However, the Conseil cautions that there be one legal framework for collected data, not two. It would be almost impossible to apply two systems simultaneously.

Let me give you an example. Under the Quebec law, an individual must give clear, specific and enlightened consent, and case law tells us that it must be written. For data from Quebec, people living in Quebec would believe that this rule applies to all the information they provide, be it to a federal institution or a provincial organization. But when someone goes shopping or calls their financial institution or their credit union, they don't ask themselves, “Is this a federal institution?” That's ridiculous.

This bill is designed first and foremost with our citizens in mind. So, let's make it easy on them. That's what the Conseil du patronat is advocating.

Ms. Marlene Jennings: I appreciate the explanation.

[English]

The Chair: Last question.

[Translation]

Ms. Marlene Jennings: Yes.

I appreciate the explanation, because when I read your proposed solution, I understood that you did not want organizations and businesses to fall under two different systems.

Mr. Raymond Doray: As applied to the same data.

Ms. Marlene Jennings: Yes, but that was unclear. Now I understand.

• 1640

[English]

Mr. Raymond Doray: It is probably clearer in the brief I prepared for the insurance crime bureau. You should read it there.

[Translation]

Ms. Marlene Jennings: Perfect. If I can get a copy, I'll read it.

My second question is for Mr. Gurushanta. In your brief, you said that you support the fact that the CSA model appears in the schedule rather than in the body of the bill, that is, in part 1. Why is this? I'm asking you this because a few witnesses have told us that the principles should be included in the main part of the bill, but you're saying the opposite.

[English]

Mr. Vigi Gurushanta: Our position, and as I said in my presentation just now, is that the code standards do not mean that it is their legal admissibility. It is simply a means, a good practice and a guide for the people to follow.

Having followed the standard, it means that we have good control exercised in the CSA part of it, but we said it's a schedule because it is to help the industry understand why we need this, why we need a certain amount of codes to follow in order to conform to the law that is before us.

Our position is that standards should not become the law; standards should help the law. That is the position we are taking.

The Chair: Thank you.

[Translation]

Thank you, Ms. Jennings.

[English]

Mr. Jones, do you have any questions?

Mr. Jim Jones (Markham, PC): Yes, thank you. I will direct my question to Mr. Johnston.

Do you foresee any competitive or legal disadvantages in implementing this bill for Canadian companies dealing with the U.S.?

Mr. David Johnston: I think in general there would be a competitive advantage in dealing with companies from the U.S. because I think we will establish a standard of trust in this country that will bring companies with a North American mandate and a global mandate to do business here, because this is a safe, efficient, fair, trustworthy regime in which to do business.

I think there will be particular instances where companies will avoid the Canadian jurisdiction because they will not want to adhere to the laws expressed in this bill. That may be unfortunate in some cases. It may be fortunate in other cases because some of those would be companies that are simply not prepared to exercise rules of fair play, which I think is a part of establishing a Canadian commercial philosophy that can give us a competitive trade advantage.

Mr. Jim Jones: What jurisdictions would be in this scenario? I am aware that a lot of the large companies do all of their data processing in the U.S. They might do the data entry or whatever here, but it is shipped to data centres in the U.S. and processed down there. What rules would they be under? Would they be under the Canadian rules or would they be under the U.S. and state rules?

Mr. David Johnston: I don't have the expertise to give you a very precise answer on that conflict of law problem or private international law problem. The simple answer is, where the data has a significant point of contact with the citizens of a particular country, then that country would have jurisdiction.

One of the dilemmas we have at the present time is that the European Union has rather prescriptive rules with respect to data protection and data transfer. The United States at the present time does not have a federal law but is attempting to encourage voluntary compliance. I think, as we speak, we are in a situation where there is the potential for a clash between those two regimes, and it is a clash that may not be able to be worked out with a rigid prescriptive code in Europe and the absence of one in the United States.

Mr. Jim Jones: Also, the banks and some of the insurance companies send all of their data processing to countries like India for processing. How would this law apply to this type of situation?

Mr. David Johnston: Again, I'm not a conflicts of law expert, but I would presume that if the data is sent to India or to one of the Caribbean islands or to some other place where it is economical to have that matter processed, and there is no contact of a commercial kind with consumers in that jurisdiction, then there would be no application of the law of that jurisdiction.

Mr. Jim Jones: Therefore the individual wouldn't be really protected, right?

Mr. David Johnston: I think that is correct. But the individual may not need protection, because there may not be a point of contact in that particular jurisdiction. If the individual suffered harm in Canada or the United States because of the use to which that Canadian or U.S. company put that information, in putting it outside the jurisdiction, I suspect there could be an action brought in the Canadian or U.S. jurisdiction against that company because it caused harm in that jurisdiction by the way it treated that data.

• 1645

Mr. Jim Jones: I don't know what the composition is of the Information Highway Advisory Council, but I assume they are probably a lot of the larger companies or—

Mr. David Johnston: Yes, those among others.

Mr. Jim Jones: Who is in charge of privacy in these medium and large-sized organizations?

Mr. David Johnston: I think in a very large organization you would have a legal department, which would have a compliance arm to be sure the law is followed and, insofar as there are voluntary codes—and most of them do have voluntary codes—that the code is followed quite scrupulously. The company of which I am a director has a board committee that has an oversight of those kinds of compliance matters.

Mr. Jim Jones: A few years ago, when quality was a big issue, a lot of companies set up quality teams and quality managers in charge of quality. Do you foresee that these organizations might also set up a privacy manager who is totally responsible for privacy?

Mr. David Johnston: I certainly think they would have a locus of legal responsibility for compliance with the law and to be sure it was quite thoughtfully done and carefully done. Insofar as one is using voluntary principles, as I said earlier, in my judgment there is a competitive advantage to being a company that treats privacy information with trust. Therefore one could see it even in a place like the marketing department of the company.

Mr. Jim Jones: I think this morning they were saying that education is very important, as well as reducing the cost of education, and that one of the recommendations we should be making is that medium and large-sized organizations, and other organizations, should place somebody in charge of privacy and making sure everybody is educated.

Mr. David Johnston: I think one of the attractions of this bill is that it encourages responses that are appropriate to a particular industry or a particular company. I respect enormously the views of my colleague with respect to how flexible or how prescriptive these rules should be. It is quite clear that the Quebec legislation is more prescriptive.

I guess I would say, in response to that, that it is better to be light in the first instance because you can get heavier later, rather than being heavy in the first instance and then trying to lighten up.

Secondly, there is a particular attraction of the Canadian Standards Association code being in here as a schedule, because that schedule of principles is much more easily amended and adapted to new conditions as they come along.

Thirdly, we are speaking about a law that will apply all across Canada and is intended to give a brand to Canada as a world leader in electronic commerce, saying come and do business here and you will not find our rules highly rigid and highly unusual and departing from basic principles of fairness in different jurisdictions around the world. One can see a North American-wide company or a global-wide company saying “We come here and we do business, and there is enough flexibility in these rules that we can establish practices that apply throughout the world.”

The Chair: Thank you. Thank you very much, Mr. Jones.

Mr. Lastewka.

Mr. Walt Lastewka (St. Catharines, Lib.): Thank you, Madam Chair. I want to pose some questions to Ms. Marchand.

Could you give us a bit more information on the purpose of your organization?

[Translation]

Ms. Louise Marchand: As I explained, the Conseil du patronat du Québec is a confederation of business associations which represents various business sectors, such as mining, forestry and oil, and who has 430 corporate members.

[English]

Mr. Walt Lastewka: I take it from your earlier answers that you are quite satisfied with Bill 68 in Quebec, understanding that there are some areas in which you would like to see improvement. Am I right in that? I wasn't quite clear.

[Translation]

Ms. Louise Marchand: I said that companies based in Quebec have been applying the law for the last five years. At the beginning, they had a hard time with it. There are still many areas where it is difficult to apply the law, but they're getting used to it.

• 1650

[English]

A voice: We'll take our medicine.

Mr. Walt Lastewka: You mentioned earlier two regimes. You talked about the Quebec law, Bill 68, and a number of people, Mr. Dubé and others, have said that it is a much tougher law with higher standards. In this bill it is very clear that if a province has its own law, then that is the law that will be applied for that area, but for anything outside the province the federal law will apply if the other provinces don't put in their own legislation. Do you see a problem in working with that situation?

[Translation]

Ms. Louise Marchand: Indeed, it will be difficult for businesses to know which laws will apply if Quebec is exempt from section 27 regarding the collection, use or communication of data within the province. However, from the moment data is sent across the provincial border, federal law will still apply. So the data will be subject to two different types of legislation.

[English]

Mr. Walt Lastewka: I will give you this scenario. Let's say there was no federal law and that five different provinces came up with five different pieces of legislation. I believe you would have five different problems.

[Translation]

Ms. Louise Marchand: I will let Mr. Doray answer that. Your question is similar to the one asked by Ms. Jennings a little while ago.

[English]

Mr. Raymond Doray: I think the concern of the Conseil du patronat is to avoid as much as possible—and I said previously that it is not possible to do it thoroughly—two sets of rules applying to the same personal information.

Paragraph 27(1)(d) states that the Governor in Council could, “if satisfied that legislation of a province...is substantially similar to this Part”, decide to exclude an activity from the application of Bill C-54 for the “collection, use or disclosure of personal information that occurs within that province”. Those four words are important: “that occurs within that province”. That means that the possibility for the Governor in Council to exclude the province is not that wide. It is not complete. It is just for internal relationships concerning the commercial activities of a company or of all the companies of the province.

Mr. Walt Lastewka: Yes, and that is where the Quebec law applies, in Quebec.

Mr. Raymond Doray: That's true. That is why we said in our brief that it would be much easier for companies if the federal legislation provided that, for the same personal information, the Quebec legislation would apply, even when the information is conveyed outside the province. It is possible from a constitutional point of view for the federal Parliament to say so. This is an example that was given previously by Ms. Marchand. In the family law field, the federal Parliament decided that the provincial rules concerning pensions would apply everywhere in Canada to the same couple, to a married couple and so on.

We are suggesting that the rules be simplified. We are not saying that the federal Parliament does not have any jurisdiction over personal information. The Conseil du patronat is aware that the province is not able to legislate and adopt rules that will apply outside the boundaries of the province, but we're trying to simplify the mechanism.

Mr. Walt Lastewka: I think that is what we're trying to do too. We have the same objective; it is how we're going to get there.

Have you been involved with all of the amendments that have been tabled so far?

Ms. Louise Marchand: We've been aware of them.

• 1655

Mr. Walt Lastewka: I want to go further to what Mr. Johnston and Mr. Jones were discussing earlier.

My understanding of the bill—and I think you had the example of moving data to the Caribbean and so forth—is that the organization that does that has the ongoing responsibility to protect the transfer of data. Was that not your understanding?

I am talking about transferring data to a third party for processing.

Mr. David Johnston: Again, I don't have a high deal of expertise in this area, but yes, I believe an organization has a responsibility for that data which it collects, no matter where it goes.

I think the point I was trying to respond to with Mr. Jones was the question: if a Canadian were injured, would that Canadian have a cause of action or some remedy against the company? I think it would require that the injury occur to the Canadian in a Canadian jurisdiction for there to be a remedy. I presume that if someone sent data to India or to the Caribbean and it was mistreated and fell into the wrong hands and came back into Canada to injure that Canadian, that Canadian would have a cause of action here in Canada. As for whether they would have a cause of action in Barbados or India, I'm not sure.

The Chair: Thank you. Thank you very much, Mr. Lastewka.

Mr. Lowther, do you have any further questions?

Mr. Eric Lowther: Just a quick one.

We have the Canadian Information and Image Management Society and the Information Highway Advisory Council. You have to be right in touch with the information age explosion with names like that.

How long is this legislation going to last, Bill C-54? Has this a short lifespan, the way technology is moving? Will it be a year, five years, ten years or what? What do you think?

Mr. Vigi Gurushanta: I was led to believe that this was going to be revisited in five years' time, according to the legislation we have right now.

To give you an example of how the technology is evolving, every three years we rewrite it for whatever acquisitions we have, because it becomes obsolete. Five years, from a legal point of view, seems to be fair in terms of the need to revisit it. New regulations are adopted and the standards must complement continuously.

Standards can change very rapidly. We don't have to go through the same process as we have here. We are currently revising a standard just to meet these kinds of conditions. It was edited in 1993 and we know that it has to be done.

I think five years is a fair number of years in which to take another look at it, to amend where necessary and to move forward.

Mr. Eric Lowther: It almost sounds, from what you are saying, though, that we should start the relook in three years and be ready with something in five years.

Mr. Vigi Gurushanta: In five years. That would be very reasonable, yes.

The Chair: Thank you, Mr. Lowther.

Ms. Barnes, you had another question?

Mrs. Sue Barnes: Thank you very much, Madam Chair.

I want to use the expertise at the table from Quebec today. In various business situations, say a banking situation, you give once a written express consent for credit and that consent follows you for nearly the rest of your life. It can be used amongst different organizations, such as different credit bureaus. That I understand, and I think the Canadian public understands that and accepted it long ago.

My concern and question is: Where does this thread of consent, once given, go? Does it differ in the area of health information? Have you experienced that in your practice? I am thinking in particular of personnel files that may contain sensitive medical data. At what point does another consent have to enter into the process, in your opinion or in your experience?

Mr. Raymond Doray: You are perfectly right. In the health sector, it has been said by the Supreme Court of Canada in the well-known Metropolitan Life Insurance Company case that the consent has to be very specific and it won't necessarily last forever. Paradoxically, in that case the court came to the conclusion that a consent that had been given three years before was still valid. The principles were set but were not rigidly applied in that case.

• 1700

From what I know, in Quebec the hospitals and health care centres require insurance companies or third parties that are using a consent form to obtain access to health information or social information to have a consent that is dated less than six months before the information is required from the hospital.

You are perfectly right also to say that in the financial sector, once you have given consent, it will usually apply for a long period of time. It is a question of practices and sensitivity, I think.

Usually when you are giving consent, for example for a new bank loan, you will have to sign a new consent. That gives you at least an opportunity to understand that there will be some kind of inquiry with the credit information bureau and that the information will be shared with all the financial institutions in the future.

I agree that there is a clear difference in the rules or in the standards for the two fields.

Mrs. Sue Barnes: I have a follow-up question on another area of sensitivity that concerns me as I look at this legislation, and it has to do with the reality of life of people who are less than the age of majority in jurisdictions across Canada. I am talking about consent from children. In reality, every day our children go on the Internet or go into a store to do contractual transactions; yet if there was a default, say, on the basis of contract law, there would be a problem on follow-up. On the Internet right now we have—and I've been using the term—“cookies and kids”.

What is your experience about the consent required from children? Do you make the distinction like some of the marketing associations have just done with their own voluntary code, where they have taken 12 and below as one instance and then adolescence as another, even though they are not yet of majority age?

This legislation is essentially silent. It distinguishes between express and implied consent, but it certainly doesn't distinguish in any way, shape or form between adult consent, a legal consent, or diminished capacity consent and the reality of everyday life in society today.

My son had a commercial enterprise on the Internet and nobody asked his age, and things were going on.

Mr. Raymond Doray: There are provisions in the Civil Code concerning consent. Without being rude, I think this is totally a provincial matter. I don't think the federal government should legislate this kind of topic, but that is a personal point of view.

However, it is a real problem, and I think the Civil Code deals with those types of problems. We have specific provisions in the Personal Information Act of Quebec concerning the age of consent also, where tutors and parents are allowed to refuse or agree upon communication of personal information. It is specific in Bill 68.

Mrs. Sue Barnes: Could I have input from the other two parties at the table, please?

Mr. Vigi Gurushanta: You have an interesting question. We pondered the question of the consent of a child trying to make a transaction through the Internet. It is very common. There is no control at this point in time. I think something needs to be done. How do we control how children interact, and at what age do we permit such transactions to take place on the Internet? It is a real thorny issue between adults and children, how they will use electronic commerce in the future in the electronic world.

Something the committee may want to take into consideration is that those who try to do business using this technology may have to make a reference and say, if you are age such-and-such, you may need to get your parents' permission or you will not be allowed to make the transaction.

• 1705

Mrs. Sue Barnes: I want to take this up another notch to another level of discussion.

Say I am on a website for a manufacturer, and I have a website that my kids are going to play games on, and a little box drops down to say that before you can proceed in the game you have to supply information, personal information, about yourself or your family. Why was that never considered in any of the codes that we have looked at, that have come forward from standards associations across this land?

Mr. Vigi Gurushanta: In the CSA model they do emphasize the protection of personal information, but I don't know how far children would read that, how far they would say “Sorry, I can't divulge my information to the website.” They don't normally do that. It is a matter of education—not necessarily from an adult's point of view, but from a child's point of view also. There is certain information that we should not divulge and there is a code that advises you how much information you should divulge.

This can be a tricky situation, because you are into the world of electronic commerce and it is very difficult to control on the Internet.

Mr. David Johnston: I'd like to make two points with respect to those very thoughtful questions. Number one is related to the comment made earlier by Mr. Lowther as to when this legislation should be revisited, if at all.

I would regard the principles of privacy as being quite permanent now. We have now begun to see them finding their way into constitutional protections and declarations of human rights, including the United Nations Declaration of Human Rights. So we now have begun, even in the common law jurisdictions, long after the civil law jurisdictions, seeing privacy as a fundamental right. I think that principle in legislation is now established and will be reinforced in the private sphere, as opposed to the public sphere, by this legislation.

Number two, what is attractive about this legislation to me is that it is largely technologically neutral, it has a degree of flexibility, it uses schedules and appendices, and it provides for voluntary compliance. It strikes me that this is the way to recognize the dynamism of electronic commerce and technology that is moving much more quickly than it ever has in history.

Number three, I think three to five years is about right. My guess is that you will want to revisit this legislation in about that time because, as my colleague says, we may find that it is too flexible and needs a greater degree of rigour. In three years' time the question of whether all of the other 10 provinces have passed similar legislation will be before us, and that may change the dynamic somewhat, and life evolves.

To come to the question of consent, one of the CSA standards, the third one, is that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except when inappropriate. This may be an area where one does not want to be too detailed and too prescriptive on what is the age of consent in every circumstance, because it may vary.

We have a case in the newspaper today of a 13-year-old who is in need of an important medical intervention. The principle there is informed consent, which we, in places like the Centre of Medicine, Ethics and Law, have had a lot of difficulty dealing with even over the past 10 years, let alone over the past 30 or 40 years.

Two basic elements of implied consent are: one, the quality and nature of information that is given from which consent can be made; and two, the maturity or capacity of the individual receiving that information to consent to it with a fair mind or not. It may well be that this is an area where provincial jurisdictions will develop standards that are appropriate for each of those jurisdictions.

Mrs. Sue Barnes: It sort of becomes the oversight of a privacy commissioner, in and of itself, with special attention to that area.

Mr. David Johnston: Indeed.

Mrs. Sue Barnes: Thank you.

The Chair: Thank you very much, Mrs. Barnes.

I have no other questioners on my list. I want to thank our witnesses for being with us this afternoon. We appreciate your briefs and your presentations and the discussion that followed.

The witnesses are excused.

I want to let you know two things. First, with regard to Bill C-235, for committee members who will be studying it after we have finished Bill C-54, it appears that the first and the third amendments will be in order. However, I am advised that the second amendment is out of order because it substantially changes the nature of the bill. I understand Mr. McTeague is aware of that and is revisiting the second amendment.

We are going to proceed as scheduled, Mr. Lowther, with Bill C-235 next Wednesday and Thursday. Does that make any sense?

Mr. Eric Lowther: It makes a great deal of sense.

In some of our earlier discussions you had made the comment, Madam Chair, that we were under some deadline of April 14 to report back to the House.

The Chair: April 19.

• 1710

Mr. Eric Lowther: April 19, pardon me. I wondered if, due to the fact that the standing order that gave us that deadline was actually put in place after Mr. McTeague's bill was passed, that deadline applied to this bill or if, because it was in the works prior to that change to the standing order, we didn't have to honour that deadline.

The Chair: No. In fact Mr. McTeague's bill was under the old rules, and the old rules are six months. The new rules allow for a 30-day extension. His bill was under the old rules. That is the problem. There is no extension because he is still under the old rules.

Mr. Eric Lowther: I see.

The Chair: I'm sorry, maybe I didn't make that clear the other day.

The other thing is that Mr. Dubé has withdrawn his point of order.

Madame Jennings.

Ms. Marlene Jennings: This is precisely on Mr. Dubé's point of order. Given that he has left, and given that the point of order he made concerns me, notwithstanding the fact that according to the rules a member is to raise a point of order as early as possible, and he has left twice now, I would like this committee to waive the rule so that we will be able to address it at a later time.

The Chair: Madame Jennings—

Ms. Marlene Jennings: No. Mr. Dubé went on record saying that I insulted a representative from the Ontario government. His reference to my question was even formulated wrong, because what I asked the individual was “Since when has the Ontario government become a secessionist government?” I did not say to the individual “Since when did you become a secessionist government?” That is one.

Secondly, I find it quite interesting that Mr. Dubé, who is with the Bloc formation, finds it insulting for an individual who is a representative of another provincial government to be asked since when had that government become a secessionist government. I was not aware that under Mr. Dubé's value system a secessionist or a secessionist government was a pejorative term or an insult.

The Chair: Madame Jennings, I just want to say that I did excuse our witnesses. I apologize. I know that Madame Marchand has a commitment. I'm sorry, maybe I didn't make myself clear.

Madame Jennings, just to clarify, I was going to inform Mr. Dubé that I had heard that you asked them when they became a secessionist government—no link whatsoever to the Bloc. Unfortunately, he has withdrawn his point of order—

Ms. Marlene Jennings: Well, I'm on the record. That's what is important.

The Chair: —so I see no sense in continuing it.

The meeting is now adjourned. Thank you.