INDY Committee Meeting

STANDING COMMITTEE ON INDUSTRY

COMITÉ PERMANENT DE L'INDUSTRIE

EVIDENCE

[Recorded by Electronic Apparatus]

Wednesday, February 10, 1999

• 1531

[English]

The Chair (Ms. Susan Whelan (Essex, Lib.)): I call this meeting to order pursuant to an order of reference of the House dated Tuesday, November 3, 1998, dealing with the consideration of Bill C-54, an act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions, and by amending the Canada Evidence Act, the Statutory Instruments Act, and the Statute Revision Act.

We're very pleased to have with us today witnesses from the Canadian Standards Association, but what I thought we would do first is skip down to item 4 on the agenda, which is the motion that the Standing Committee on Industry travel to Montreal on Monday, March 22, 1999, for the purpose of visiting the Canadian Space Agency.

Members will recall that we have already approved the dollar figure; we just need to approve a date. We had originally scheduled it on a Friday, but we moved it to a Monday to accommodate more members.

Mr. Lastewka, do you move that motion?

Mr. Walt Lastewka (St. Catharines, Lib.): I'll move that, Madame.

    (Motion agreed to)

The Chair: That was easy. Now we'll go back to welcoming our witnesses.

From the Canadian Standards Association we have with us today four people: Ellen Pekilis, Project Manager; Jim Savary, Department of Economics, Glendon College, York University; Gérald Lavallée, Executive Director, Cable Television Standards Foundation; and Suzanne Morin, the Canadian representative on the International Standards Organization ad hoc privacy group. I am pleased to welcome the four of you with us today.

I'm not sure who's going to do the opening statement. Mr. Savary, I'll turn it over to you.

Mr. Jim Savary (Chair, Technical Committee on Privacy, Canadian Standards Association): Thank you, Madam Chair, and thank you for inviting us to meet with you today.

The primary focus of our presentation and brief is a description of the development of the CSA International's Model Code for the Protection of Personal Information, which we will refer to as the code. We want to explain why it provides an excellent basis for private sector handling of personal information.

Regarding standards development under CSA, CSA is a global leader in developing standards and helping people in businesses understand, interpret, and apply standards. CSA International is an independent, private sector, not-for-profit organization supported by over 8,000 members and a network of offices across Canada, the United States, and around the world. As CSA International is not a government body, our standards are voluntary unless the government body chooses to reference them in legislation. Many CSA International standards are referenced in legislation by governments across the country.

CSA International provides a neutral forum where qualified and committed individuals from business, industry, labour, government, professional associations, and the public unite to develop standards. Each standards development committee has balanced representation to help ensure that no single group dominates. The goal is always to strike a balance among different points of view about what should go into a standard.

Let me then emphasize that while the chair introduced us all as belonging to specific organizations, we are all here as representing the Canadian Standards Association and not any other organization with which we may be affiliated. I want to emphasize that this is consistent with the goal and the method that CSA uses in developing standards, and that these standards represent a consensus among the volunteers who are part of the process.

Therefore, in taking on the important issue of privacy, the CSA's technical committee attempted to bring about a convergence of two forces: individual rights to privacy and the legitimate needs of business and governments operating in an information age. This insight is embodied in the code. To our knowledge, it marks the first time ever that private sector organizations in any country have collaborated with consumer advocates and government officials to create a national information protection standard.

• 1535

Let me now briefly review the history of the development process for the code.

In 1991, CSA International embarked on the process of developing the code as a voluntary document that could be adopted by any organization seeking a consistent, recognized, national standard for personal information protection. Developing this code would prove to be an intensive four-year process. By the end of 1994, a first draft was completed. In December 1995, the CSA's Technical Committee on Privacy unanimously approved the code. It was published by the CSA in March 1996. Subsequently, the Standards Council of Canada adopted it as a national standard for Canada. Since that time, major organizations, including federally chartered banks, the Insurance Bureau of Canada, the Stentor companies, the Canadian Direct Marketing Association, the Canadian Cable Television Association, and others, have either adopted the code or have indicated their intention to do so.

We would like to focus the balance of our remarks this afternoon on why the Technical Committee on Privacy believes the code provides effective privacy protection. I will speak about both the open and consensus-based process used to create the code and the fair balancing of interests that the code embodies.

First, as is normal for all standards developed by the CSA, a technical committee on privacy was struck to oversee the process of developing this code. In accordance with CSA policy, membership on the CSA Technical Committee on Privacy includes a diverse range of stakeholders in a relative balance that does not permit any single group of stakeholders to dominate the voting. Technical committee members are responsible for the content of the standards. The committee consisted of 44 members representing the interests of business groups across broad sectors of the economy, consumer groups, labour organizations, privacy commissioners, and various other provincial and federal government agencies.

The CSA standards development process is consensus-based as opposed to using a majority rules approach. All CSA standards are developed through a highly formalized, consensual process that is outlined in “CSA Policy Governing Standardization—Code of good practice for standardization”, a publication available through the CSA. Within this policy, CSA defines consensus as a:

    substantial agreement reached by concerned interests. Consensus...implies much more than the concept of a simple majority, but not necessarily unanimity.

This process worked well. In addition to its own input, the committee also called upon outside experts within the privacy field to prepare detailed reports on specific issues of concern, including implementation models for the code. We can attest to the emphasis that was continually placed on this consensus-based decision-making process. To a large extent, this is why the process took five years.

I'd like to now ask the vice-chair of the technical committee, Gérald Lavallée, to continue from this point.

[Translation]

Mr. Gérald Lavallée (Executive Director, Cable Television Standards Foundation, Canadian Standards Association): In drawing up the code, all the members of the Technical Committee on Privacy recognized the need to come up with an equitable balance preserving the rights of consumers to control personal information while recognizing the legitimate needs of the business world to use the information to meet consumers' needs, legal requirements and other reasonable needs of the business world.

The fact that the code is so balanced is shown by the comments made by the Federal Privacy Commissioner, Mr. Bruce Phillips, in his 1994-95 report. Mr. Phillips calls the code thorough and complete:

    The code's statement of fundamental principles is as good as and arguably better than those contained in the Privacy Act.

To achieve this success, the technical committee began with the widely recognized and accepted OECD Guidelines on the protection of privacy and transborder flows of personal data as a basis.

• 1540

However, the technical committee identified many aspects of the OECD's guidelines upon which they felt they could be improved. The OECD's guidelines originated in the late 1970s and were formally approved in 1981. They've rather aged and some aspects of the wording are hard to understand. Moreover, the Guidelines were intended in great part for national governments and the major data users.

Although they go back to human rights, one of their inherent finalities is to remove obstacles which would limit the transborder flow of data between OECD country members.

Finally, the structure of the Guidelines, including the basic principles and the explanatory memorandum, means that they don't lend themselves to easy interpretation or use.

CSA's model code is more specific than the OECD Guidelines and it provides a higher level of certainty to decision-making processes.

[English]

Mr. Jim Savary: One of the strengths of the code is the flexibility of its language. It is impossible to identify and address all possible situations in which a code might be applied. Some discretion should be left to users to interpret the code in specific cases, based upon strong, clear, and underlying principles. The ten principles of the CSA code are strong and clear. They specify a set of interrelated obligations that collectively provide a high degree of individual control over personal information use. Essentially, no personal information may be collected, used or disclosed without an individual's prior knowledge and consent, except in extremely limited and specified circumstances.

Where the word “should” or similar phrasing occurs, suggesting a recommended best practice, this is intended as commentary providing further guidance and advice for specific types of situations. I will speak on two examples that have been the subject of some discussion.

Clause 4.2.3 in schedule 1 states:

    The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected.

Clause 4.2.5 states:

    Persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.

Both of these articles reflect the practical realities of data collection. There are some limited circumstances in which full details of all intended uses cannot be readily provided at the time the data is collected. There are, as well, circumstances in which front-line data collectors, such as commissioned sales agents, telemarketing order-takers, etc., may not be able to answer all of a person's questions about data use on the spot. However, before any such data is actually put into use, the code requires full disclosure of intended uses as a requirement of consent. The code thus provides some reasonable latitude to business to determine when and how the knowledge of intended uses is provided, but specifies that it must always occur before information is actually used. Individual control over personal information use is therefore preserved.

The other article I would like to mention is clause 4.3.2 of schedule 1. This clause states:

    Organizations shall make a reasonable effort to ensure that the individual is advised of the purpose for which information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

These sentences place an onus on business to explain information uses clearly and distinctly, in keeping with the requirement for knowledge and consent, and the obligation to collect information by fair and lawful means. At the same time, the reasonable effort and reasonable understanding provisions recognize that organizations cannot, in every circumstance, attest with certainty that individuals are actually cognizant of and clearly understand the implications of specific information uses. Beyond satisfying a test of reasonable effort, it would be unfair to task business with a more onerous and potentially impossible to achieve obligation.

• 1545

The other articles using “should” and similar non-mandatory language strike a similar balance in proposing recommended best practices without depriving business of a necessary level of flexibility. In all cases, recommended best practices come under an umbrella of mandatory obligations that create a strong and enforceable code.

The CSA Technical Committee on Privacy believes this code to be effective and credible. It provides adequate guidance to business, requiring full transparency and openness, and gives individual Canadians a high and indeed necessary degree of control over the use of their personal information. In short, this code achieves a proper balancing of interests that is based on fair information practices reflecting the legitimate concerns and needs of diverse parties, including both business and consumers.

In summary, the code represents a carefully achieved consensus between numerous interests, including business, consumers, academics, and government. The code provides an effective and credible approach to handling personal information, balancing commercial uses of personal information with the need to protect privacy. We encourage the use and implementation of the principles embodied in the code.

We have provided more detailed comments in our written presentations, copies of which have been distributed, Madam Chair. We welcome any questions you may have about the CSA code, how it was developed, and the process for review. Before turning to those, however, I would like to ask my colleague, Suzanne Morin, to talk to us very briefly about the way in which the CSA code impacts on the possibility of achieving an internationally agreed upon standard for privacy.

Ms. Suzanne Morin (Canadian Representative, International Organization for Standardization Ad Hoc Advisory Group): Thank you, committee members.

Just to briefly let you know what the International Standards Organization is about, back in January 1997 the ISO general assembly agreed to set up an ad hoc privacy group to look at the desirability of the ISO developing an international standard for the protection of personal information. This initiative goes back to something Canada spearheaded just before the CSA standard was finalized at the ISO. In a sense, then, we went before the ISO and told the organization that we were developing this standard and wanted to propose that it look at doing the same thing at an international level. A committee was struck, with two reps from twelve different countries. I was lucky enough to be appointed as one of those representatives.

The committee has been meeting occasionally a few times a year. Reaching an agreement is not something we have come to. Generally, people agree that there is a need to protect personal information and a need to look at the means of doing so. There is disagreement, though, and there is also much happening right now. There was the OECD meeting. The European Union Directive on the Protection of Personal Information came into force in October. There's Canada's initiative, Bill C-54. Australia is also looking at developing legislation. So right now, some of the committee members seem to prefer taking a wait and see approach, whereas there are others, including Canada, that still believe taking the CSA model and developing something at an international level would be very useful to Canadian companies operating internationally. They also believe it would help to bridge the gap between those countries that do have legislation and those countries that do not.

Thank you.

The Chair: Thank you very much.

Did you have any questions, Mr. Pankiw? No?

[Translation]

Mr. Dubé, are you ready?

Mr. Antoine Dubé (Lévis-et-Chutes-de-la-Chaudière, BQ): Yes. Before putting my question, I'd like to know how many were on the committee. I want to talk about process, consensus and the broad majority. How many people are we talking about? To consider there was a consensus, how many people had to be present?

[English]

Mr. Jim Savary: The technical committee itself consists of 44 members. The actual development of the code itself was delegated to a coordinating drafting committee that met regularly with the full committee as the drafting process proceeded. When the final version of the code was developed, a full meeting of the committee was held. The vote that was taken was a mail vote, so essentially the full committee voted, and acceptance was unanimous.

• 1550

[Translation]

Mr. Antoine Dubé: I think you did your work in the light of a code. When the committee elaborated and even decided to adopt this code, it was in the context of voluntary acceptance. This was not done in a legislative framework. What the government wants is to integrate this code as an appendix to a piece of legislation.

I'll put the question to you simply. If you had known that you were doing this with a view to have it referenced in legislation, do you think that would have changed anything?

[English]

Mr. Jim Savary: That is a hypothetical question that I would find difficult to answer. The object of the exercise at the time was, as you suggest, to develop a voluntary code. The stakeholders around the table worked on the code from that perspective. Like many other CSA standards, the government elected to reference this code in legislation. Because the code does embody good privacy principles, we certainly believe that is one way to go. But we have no opinion really on whether we would have been able to write it in some different way. None of us are legislators. We had relatively few lawyers around the table actually, so I think that's why the code is as readable as it is.

[Translation]

Mr. Antoine Dubé: Would you prefer to have your code written into the Act as being part of it rather than having it as an appendix, even though that might mean it would have to be worded differently?

[English]

Mrs. Sue Barnes (London West, Lib.): As a point of order, I can't understand this. The translation is having some problems.

[Translation]

Mr. Antoine Dubé: I have the same problem. I'm not getting the English. In any case, I can get along in English.

Do you want me to start over again?

We now know that the code will probably be part of the legislation. Would you prefer to have the code written in as part of the legislation rather than having it as an appendix, even though it might have to be worded differently?

[English]

Mr. Jim Savary: Again, I think I would leave that to people more knowledgeable than I am concerning legislative procedures.

The advantage of leaving it as a schedule is that it then stays as a standard and can therefore become the basis for work toward an international standard, which I think is government policy. It certainly is one that I personally would support, and I suspect the CSA would as well.

[Translation]

Mr. Antoine Dubé: I have another question. Maybe it's a specific point that I'll be getting back to later, but it has to do with consent.

In the Quebec legislation, that you have probably seen, it's defined a bit more specifically. It says here:

    14. The consent to communicate and use personal information must be manifest, free, enlightened and be given for specific purposes.

In the bill, as regards consent, the principles are broader, more vague and leave more room for interpretation and thus are unfavourable to the consumer.

As an example, it says that “the organizations must make a reasonable effort”. To my mind, wording like “must make a reasonable effort” doesn't contribute to establishing a very precise standard. One feels that there was a lengthy discussion on that.

[English]

Mr. Jim Savary: It was indeed, and I think your last point is a good one. It brings up the fact that the Quebec legislation was developed from the beginning as legislation. The government in power was able to therefore write the legislation in the way it felt was best. We did the same thing in developing the code, although we were developing towards a consensus. The result is that while the principles are extremely clear, and while stakeholders make an implicit commitment to live with the spirit as well as the letter of those principles in agreeing to the code, the language is perhaps not as specific as what you would find in legislation.

• 1555

[Translation]

Mr. Gérald Lavallée: I'd like to add that those who were adopting the code could adopt it in part. If the code was to be adopted, it absolutely had to be adopted in its entirety. It was all or nothing. The principles contain the key words and establish the standards, while in what follows what you have is like explanatory paragraphs to help better understand the 10 principles of the code.

[English]

The Chair: We'll have to come back to you, Mr. Dubé. Thank you.

Madam Barnes, please.

Mrs. Sue Barnes: Thank you, Madam Chair. I just have a couple of things.

I understand that in the past the federal Privacy Commissioner has not been entirely satisfied with the code, the standard of Canada as it now stands. There were modifications that he was after and they have not yet been incorporated by your committee. I just want you to give us some of the history of that and why you didn't feel they were as important or necessary.

Mr. Jim Savary: The privacy commissioners were not themselves part of the technical committee. While we certainly did meet with them informally—at least, some members of the coordinating drafting committee met with them informally—we did not have direct input in detail from the privacy commissioners as such. This is because it was a technical committee of the Canadian Standards Association and because we were working to develop a consensus based on widely accepted privacy principles.

My understanding, in fact, has been that the federal Privacy Commissioner is generally very supportive of the code now. While we would certainly be glad to hear from him in regard to what changes he might want to see made eventually, we have not heard from him as far as I know. I would ask my colleague Ellen Pekilis, who is the project manager, to tell us if we've heard anything formal from the privacy commissioners.

Ms. Ellen Pekilis (Project Manager, Canadian Standards Association): No, we haven't had any formal comments that he would prefer to see changes made to the standard or that he would like to see amendments to it. Those haven't been submitted to us.

Mr. Jim Savary: If I might, Madam Chair, I would add that I think this committee would be the place where they would raise such concerns, with the intent being to get the legislation modified.

Mrs. Sue Barnes: Just to clarify, I think it was in the written brief to this committee from the federal Privacy Commissioner. Maybe it would be wise to take a look at that and perhaps give us your comments at a later date, by way of a letter—if I can suggest that, Madam Chair—that can be circulated around.

The Chair: It would be great if you would do that, Mr. Savary.

Mr. Jim Savary: I certainly would be pleased to do that.

The Chair: Perfect.

Mrs. Sue Barnes: I say that because there were points raised, but I'm not going to take the time now if you haven't heard them.

The Chair: You should know that the testimony from the hearing we had with the Privacy Commissioner is already on the web. It was back at the beginning of December.

Mr. Jim Savary: Excellent. Thank you. We'll take a look at both his testimony and that of others.

Mrs. Sue Barnes: I was going to pursue things along that line, so I'll just pass. Maybe some of my colleagues would like to take my time.

The Chair: Thank you. We'll just move on.

Mr. Jones.

Mr. Jim Jones (Markham, PC): Thank you.

When you say “code”, you mean “rules”, right?

Mr. Jim Savary: When I say code, with a capital C, I'm referring to the CSA privacy code, standard 830.

Mr. Jim Jones: Yes, but you mean rules and not a programming code.

Mr. Jim Savary: No.

Mr. Jim Jones: Okay.

You said you have 8,000 members around the world. I take it that does not mean there are 8,000 members in the Canadian Standards Association. Does it mean things like the IEEE and the ISO and all of those? Who are you referring to when you say you have 8,000 members?

Mr. Jim Savary: Let me refer you to Ellen Pekilis on that please.

Ms. Ellen Pekilis: The CSA is a non-profit corporation. As such, instead of having shareholders, we're a membership-based organization. People can purchase memberships that entitle them to vote for the board of directors. When he's talking about the 8,000 members, then, he means those people who have chosen to join the CSA as members.

ISO is a totally separate organization. It's a Swiss-based organization. It is international. It is composed of the member most representative of standardization in each member country. Canada's member is not CSA; it is the Standards Council of Canada, which is a federal crown corporation.

Mr. Jim Jones: Also, does your organization certify organization programs or products when those organizations say they conform to CSA standards? The question is, do they have to conform 100% to these rules or you won't certify them?

• 1600

Ms. Ellen Pekilis: The auditing end of it is handled by a separate division of CSA. They're only one of several auditors in Canada that could perform auditing services. An auditor would have to be assured that somebody had complied with the standard as a whole; they can't cherry-pick.

Mr. Jim Jones: Okay. Do you sit on other organizations, like ISO, IEEE, and all these other organizations? Do you make sure our rules conform with world-standard rules?

Mr. Jim Savary: I can answer that partly. Through the Standards Council of Canada, as I understand it, Canada belongs to international standards organizations. There may be some volunteers who serve on committees for both the Standards Council of Canada and ISO and CSA. Suzanne is an example.

Mr. Jim Jones: Stan brought up an interesting point a couple of weeks ago on the new Intel Pentium 3 chip and how they're storing information on the chip to exchange information when you get on the Internet. I don't think Intel did this on their own. They probably went through some type of standards body and said this is the type of information they'd like to collect and this is how they're going to hand it off. Are you aware of that, and were you involved in it at all?

Mr. Jim Savary: No. This is not a CSA opinion; this is off the top of my head as an economist at York University. I question whether Intel would have gone through any kind of standards organization whatsoever. I suspect they simply encoded the serial number in the chip, hoping to market the technology that would indeed allow what seems to me to be a massive invasion of privacy.

Mr. Stan Keyes (Hamilton West, Lib.): Marketing information, not technology.

Mrs. Sue Barnes: That's right.

Mr. Jim Savary: Exactly. Data mining is with us in a big way and none of us ever suspected it, if this ever goes through. Fortunately, in Canada, the CSA code would pick that up because the consumer would need to be informed that the data was being collected, what the purposes were, and given an opportunity to decline having their data collected in that way.

Enforcement might be another problem. We might need some kind of technical solution to force compliance with the privacy code and legislation, if it were to become legislation. But the code is certainly broad enough to pick up that kind of thing.

Mr. Jim Jones: I mention these other bodies, like IEEE and ISO—and there are a whole bunch of others that I don't know the acronyms for right now—because I believe they would have discussed this type of information there. That's why it is important for your organization to interface with these organizations.

Mr. Jim Savary: I certainly agree it's important for CSA, through SCC, to work very closely with these organizations. There are also, as you know, other organizations, such as the Telecommunications Standards Advisory Council, that are keeping a very close eye on the technical aspects of many of these things. But as I understand it, IEEE would only be concerned with the technical standard involved in interfacing hardware or developing software protocols. Even then I'm not sure if IEEE is involved in software. In any case, I doubt they would have a nay or yea role in letting Intel go forward or not. But you may well be right.

Mr. Jim Jones: Maybe ISO.

Mr. Jim Savary: I'd be surprised. But perhaps you're right. As long as our code prevents it, I think we're in good shape.

The Chair: Does someone wish to comment on that?

Ms. Suzanne Morin: My colleague Mr. Savary answered my question. In my personal opinion, I don't believe Intel went to any standards body for that. Unfortunately, what tends to happen with a lot of that technology is after it's out in the market, different companies, either through their governments or voluntarily, which is how many of the standards are developed, decide there is a need to come up with an international standard for them to follow.

A similar example being developed right now is something called personal preferences. I don't want to go beyond what I actually know, but an organization called the world wide web organization, W3W or W3, is looking at establishing a default for personal preferences, so when I'm surfing on the web, my web browser will only allow me to interface with web sites that meet the preferences I've established.

The question is, what's the default for those preferences, and do I have to be a techie to know how to change them? Someone yesterday referred to cookies and how easy that is.

• 1605

Unfortunately, companies very often develop their proprietary hardware or software and only after the fact, when it either blows up or there's a need, do they get together and develop an industry standard. So I would agree with Jim that I don't believe Intel went to any standards body for this.

Mr. Jim Jones: Can I make a suggestion? I would contact Intel and see what standard bodies they sit on and if they sent this proposal to those standard bodies. Maybe the rest of the world is approving this standard for getting this information and there's a reason why they're doing it.

Ms. Suzanne Morin: First to market.

Mr. Jim Jones: I was in the high-tech sector and my company served on many of these standards bodies. They tried to very strictly conform to these standard bodies with a lot of things. I have to have a little respect for Intel that they probably did it too. I don't think they had any other motive.

Mr. Jim Savary: I think that's an excellent suggestion, and I'll see what I get from them.

The Chair: Thank you.

Mr. Lastewka.

Mr. Walt Lastewka: Thank you, Madam Chair.

Can you give us an idea of how many organizations have sought to be recognized using the standard?

Mr. Jim Savary: I have a general idea. Ellen, do you know exactly how many?

Ms. Ellen Pekilis: You know the whole list.

Mr. Jim Savary: I don't know if I should name the organizations or not. I guess I did name them in our opening remarks. The Insurance Bureau of Canada is one. Another is the Canadian Bankers Association. The Canadian Medical Association has one in draft at the moment. The Canadian Television Standards Council has one in draft, and there are several others.

Ms. Marlene Jennings (Notre-Dame-de-Grâce—Lachine, Lib.): There's the Direct Marketing Association.

Mr. Jim Savary: Of course, thank you, the Direct Marketing Association was one of the very earliest.

There are a number of others who have indicated their intention as well. This might have gone a little faster, except for the fact it was known that legislation might be coming down the pike, and I think some companies decided to hold off until they saw the shape of that legislation.

Mr. Walt Lastewka: One of you mentioned earlier that the audit section is a different area that oversees whether a company has abided by the CSA code. Am I right? I think Ellen made that remark.

Ms. Ellen Pekilis: Yes.

Mr. Walt Lastewka: How is it publicized to the customers—to the people—that they have achieved it?

Mr. Jim Savary: Generally this is left up to the company itself. If, for example, as Widgets Unlimited I decide to get my privacy code approved, and get it approved, I would certainly want to let my customers know, through my web site, advertising or whatever, that this code had been independently approved as complying to CSA-830.

Mr. Walt Lastewka: Can you tell me how often you will be reviewing the code?

Mr. Jim Savary: There is a general provision in the CSA standards-setting exercise that standards are reviewed every five years. However, standards can be reviewed more frequently. The chair of the technical committee, or indeed a subset of its members, could ask to have a review carried out if there were good reason for doing so earlier.

Mr. Walt Lastewka: Is this the first time the standard is being used in an act of Parliament?

Ms. Ellen Pekilis: No.

Mr. Jim Savary: This standard—but you mean standards generally, I take it.

Mr. Walt Lastewka: I mean this standard.

Mr. Jim Savary: It's the first time this standard has been referenced in legislation in Canada.

Mr. Walt Lastewka: Thank you, Madam Chair.

The Chair: Thank you very much, Mr. Lastewka.

[Translation]

Mr. Dubé, do you have any further questions?

Mr. Antoine Dubé: I'd like to come back to the Quebec legislation. At the time you determined these standards, did you know about the contents of the Quebec legislation?

• 1610

[English]

Mr. Jim Savary: We were indeed. We started with the Quebec Bill C-68 and the OECD guidelines. Bill C-68 itself used the OECD guidelines as a starting point, as did we in developing our standard. In addition, we commissioned a study that examined legislation worldwide, essentially, and we had all of that in front of us to develop the code.

[Translation]

Mr. Antoine Dubé: I had the opportunity to discuss things with the OECD representatives who came to Hull before the holidays. The French specifically told me that they knew the Quebec legislation and they found it interesting. We asked you if you would proceed with any review every five years or maybe even more frequently. If you didn't do it before, could you think about examining the Quebec legislation?

[English]

Mr. Jim Savary: It has been done in the past, in the sense that we used the Quebec act as part of the input to develop our own code. Again, the Quebec act is legislation that was passed by a parliament; our code is a voluntary code that was developed using a large number of sources—primarily the OECD code and Bill C-68. However, the language is different, reflecting the voluntary code. I imagine, when the standard is reviewed again, we will certainly use all information available to us, including the Quebec act, which may well be amended by then.

[Translation]

Mr. Antoine Dubé: As the standards are set out in an appended article, would it be possible for the Minister or the Cabinet to simply change those standards? Some witnesses have told us that as it would be an amendment to the legislation, any change would have to be debated in the House and so on. What are your thoughts?

[English]

Mr. Jim Savary: We really have no views, as a standard-setting organization, on how the government chooses to legislate in this area. Not being an expert in either administrative law or legislative procedure, I don't know what the implications are of the way the legislation has been put together. Perhaps somebody else would like to comment.

Essentially, our concern is that the standard be the best standard we can make it, and we'll leave it to the government to decide what they want to do with the standard. That's what happens in the case of other CSA standards, and I guess that's what our view would be with regard to this as well.

[Translation]

Mr. Antoine Dubé: During your discussions, what was the point that you had the most trouble getting your members to accept?

[English]

Mr. Jim Savary: That is a good question. Let me turn that over to you, Gerry.

[Translation]

Mr. Gérald Lavallée: In my opinion, we have fully debated almost all the points. As we were saying during our oral presentation, it took us four years to come up with a code that garnered our members' unanimous support. We discussed, in depth, all aspects and all principles taking into account all the concerns and we managed to come up with a consensus. I couldn't identify one specific question as posing more problems than the others.

Mr. Antoine Dubé: It was said that it was a balanced process and that there was representation from the different stakeholders. Could you give me an idea of the proportion representing consumers? Of the 44 members you mentioned, how many were representing consumers?

[English]

Mr. Jim Savary: There are two different types of members of the technical committee. There are voting members, where the voting membership is divided equally between consumer organizations, industry, and government. On the remaining members, I really should ask Ellen to give a more precise definition....

Ms. Ellen Pekilis: Associates.

• 1615

Mr. Jim Savary: The associate members there didn't vote, but they took part in the debate. So when it comes down to the final votes, of course only those who are voting members vote, and they are balanced.

The result of the vote, as I said before, is unanimous in any case. The way in which the standards-setting process works is to achieve consensus and we work until we get it.

The Chair: Thank you very much, Mr. Dubé.

Mr. Murray, please.

Mr. Ian Murray (Lanark—Carleton, Lib.): Thank you.

You've touched on a question I want to ask in your reply to Mr. Dubé and it is about the review process. First of all, you must be very proud to see this enshrined in a piece of legislation. I would think your organization would be very proud of that, but it must also be like giving up a child for adoption in that your code could now be changed by order in council. You went through quite a process to get to where we are today with this code.

It's the same question Mr. Dubé was asking. Have you been told that you'd be involved with government in any future changes, or has it been taken out of your hands now, essentially, in terms of this bill? I know you can still change the code for your own purposes.

Mr. Jim Savary: I don't think we've been told anything officially. We naturally hope, as the natural parents of the adoptive child, that the adoptive parents will continue to use the expertise that we like to think we've developed.

Ms. Ellen Pekilis: You should also realize that the adoptive parents, being Industry Canada, are fully participating members on the committee and there's a cooperative relationship there to keep each other informed of what we're doing.

Mr. Ian Murray: I would like to ask, in regard to the Standards Council of Canada, whether they fit in at all with what you do in your normal day-to-day business. Do you have to have their approval for anything you do before it becomes a national standard? I'm not clear exactly on how they operate.

Mr. Jim Savary: I can attempt to answer that—

Ms. Ellen Pekilis: I can give a pretty good answer to that.

Mr. Jim Savary: You answer it then.

Ms. Ellen Pekilis: It's up to you.

Mr. Jim Savary: No, you answer it. You can give a good answer because I probably can't give a good answer. Go ahead.

Ms. Ellen Pekilis: This is the type of procedural thing we deal with a lot. The Standards Council of Canada is the federal oversight body. They're a federal crown corporation that reports to Industry Canada, as it happens. They accredit standards development organizations in Canada; CSA is one of several of those. They do not have direct oversight of each sort of committee that goes on under CSA. CSA, by our accreditation, which has been embodied in our internal corporate rules, operates according to the standardization rules put together by the Standards Council.

When something is called a national standard of Canada, as is our model code, that means we have taken an extra step. We have taken the step of taking our code back to the Standards Council and providing them assurance it was developed in strict accordance with all the procedures they have laid out in their documentation for balance and consensus and that everything was done very correctly. That is what being a national standard means; it means that the Standards Council has looked at the process—not the content, but the process—to ensure a consensus was reached according to the correct rules.

The Chair: Mr. Murray, Ms. Morin wanted to add something earlier. I'm not sure if she wants to now.

Ms. Suzanne Morin: Thank you, Madam Chair.

This is in response to your first question dealing with the amendment of the schedule, meaning the standard. I'll confess I am a lawyer and my reading of the bill was that actually the way it would happen is that the Governor in Council isn't given the power to amend the schedule, but only to amend it to reflect the change that the Canadian Standards Association would, through its very elaborate process, bring to the standard.

So in the five-year review process, at the instigation you'd have to go with the balance of the voting should an amendment be made. And we would all hope it would be for the better because it would be business, government, and consumers at the table. Then, in that instance, my understanding is that the Governor in Council could choose to reflect those amendments in the standard rather than bring it through Parliament. That's a government policy issue, but it was my understanding of how it would work.

I would agree with Jim that as the parent, if you like, of the standard, it would be unfortunate if that could happen, but obviously the government is free to do that. But that was my reading of how Bill C-54 works.

Mr. Ian Murray: If that's the case, that's quite a vote of confidence in your organization, which, again, I think should be applauded.

Ms. Suzanne Morin: But the Governor in Council may not do it.

Mr. Ian Murray: Thank you very much.

The Chair: Thank you very much, Mr. Murray.

• 1620

Mr. Jones, did you have any more questions?

Mr. Jim Jones: Thank you.

I'd be interested in your comments regarding the possibility of multiple privacy standards in Canada. Bill C-54 would create multiple privacy standards by enacting them into federal law in conjunction with the Quebec law, and then over the next two or three years the nine provinces plus the territories might be enacting their own privacy laws. Do you see this as a good thing or a bad thing? Do you think it would confuse consumers? From your experience, how well do multiple standards co-exist in practice? Do the higher standards drive out the lower ones, or is there just a confusing multiplicity? Could this also lead to jurisdiction shopping, where you go to the province that has the privacy standards you like?

Mr. Jim Savary: I think that's an interesting suggestion. Gresham's law, for those of you who remember your first-year economics, says that bad money drives out good. I think you're suggesting that bad standards may drive out good in a multiple standard environment.

My understanding of the bill is that there will have to be consistency with the federal legislation. But you, of course, are much more familiar with the intricacies of the bill and have had the benefit of hearing a number of legislators, I suspect, on the topic, so you'll have a better read on that than I do.

Again, our concern was simply with the standard CSA-830, which, as I said, represents a buy-in on the part of a large number of stakeholders and which we think provides an excellent model. It's really up to the federal and provincial governments to determine through negotiation how that legislation works out at each level of government.

Mr. Jim Jones: I assume that you work also with all of the provinces on this.

Mr. Jim Savary: There is provincial input, yes. Several provinces actually sit on the technical committee, so to that extent there is certainly input from the provinces, and I think that will lead to consistency across the board.

Mr. Jim Jones: Okay. Thank you.

The Chair: Is that it, Mr. Jones?

Mr. Jim Jones: Yes.

The Chair: Thank you.

Madam Jennings, please.

Ms. Marlene Jennings: Thank you.

You answered a question Mr. Bellemare posed, which was has this standard been incorporated in any other legislation, and you said no, it would be for the first time in Bill C-54. Has any CSA standard ever been incorporated into legislation, and if so, was it incorporated in the same manner this particular model code is being incorporated? What has the experience been?

Ms. Ellen Pekilis: Many hundreds, if not thousands, of CSA standards have been adopted by governments across the country. They use a variety of methods. I believe the Canadian electrical code was also put right into the legislation. As for the method they choose, that's a drafting question that has to be addressed to the legislative drafters.

Ms. Marlene Jennings: I understand that, but I'm asking whether CSA standards have been put in other legislation in the same manner as is being done in this particular legislation.

Ms. Ellen Pekilis: As I said, a variety of methods have been used and—

Ms. Marlene Jennings: Has this method been used?

Ms. Ellen Pekilis: I honestly can't answer that. I don't know.

Ms. Marlene Jennings: Okay.

The Chair: Can anybody else address that? No.

Ms. Marlene Jennings: If it's not too difficult, I'd appreciate it if you could do some summary research, not heavy research, to see if this method has been used.

The other question I have is, in the cases where it has been adopted and there have been multiple standards because there are overlapping jurisdictions, what has been the experience? What has been the experience with the federal government adopting legislation within its area of jurisdiction and the provincial governments having their legislation? How does that impact on business and consumers?

I was looking at you, Ms. Pekilis, but it could be answered by anyone.

Ms. Ellen Pekilis: When it comes to these broader policy issues, these are really questions for the government. Our scope is in writing the standard. When it comes to confusion and multiplicity of legislation, we can write one standard that works across the country, and then the rest of it is out of our hands.

• 1625

Ms. Marlene Jennings: Yes, but you don't operate with blinkers on. Mr. Savary stated that when you began work on this code, at least one province's legislation was part of the resource material used to develop the standard, which means you already know that exists. Once a standard is put in place, it's actually used. Your members adopt it. I'm assuming that at some point they come back to you and say either “We're not having any problem with the fact that there's a provincial standard and a national standard” or “There is a problem”. Then you may say, “We can't do anything about it because it's under legislative jurisdiction”, or you may say, “We have to rebalance our code”. In the general practice of the CSA, have you had that experience, and if so, what has been the result of it?

Ms. Ellen Pekilis: I understand the question better now. First, you should know that as part of the balancing of our committees, we always have government representation, so it isn't unusual for committees to be working with government people who have knowledge of and are intimately involved with the subject matter of the standard. In fact, if we left people like that out, there would be a real problem on our committee. I can't think of a committee that wouldn't have a government member on it and be composed of appropriate representation.

We have a whole set of processes for the maintenance of a standard. Once a standard is implemented, there's a periodic review to make sure that a standard never gets too stale. There's also the potential for amending a standard where a problem arises. For instance, if a standard is being used to mislead consumers and that comes to our attention, then that is brought forward, and it is our responsibility to do something about that. So, yes, the implementation experience is brought forward. We depend on the fact that we have a balanced membership from all different walks of life to bring forward the problems that come to light, and then we deal with them as the committee sees fit.

Ms. Marlene Jennings: Thank you very much.

The Chair: Thank you very much, Ms. Jennings.

[Translation]

Mr. Dubé, please.

Mr. Antoine Dubé: As the title indicates, the goal of this legislation is to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means.

The standards you have established were to be applied in a self-regulatory and self-implementable context. They weren't established in view of a review of the legislation. Are your standards limited to electronic communications or are they broader than that?

[English]

Mr. Jim Savary: Can you answer that?

[Translation]

Mr. Gérald Lavallée: The aim was broader than that. At the outset, we wanted them to apply to the private sector in general, no matter the means used to conduct business.

Mr. Antoine Dubé: As the present review concerns mainly electronic commerce, do you think that amendments should be brought to make this even more specific?

Mr. Gérald Lavallée: As we already mentioned, the standards could be reviewed, although our code does seem to cover electronic commerce.

Mr. Antoine Dubé: You may already have given us the answer, but as you can see, we have to wade through quite a bit of documentation, and we are also working on other issues.

Could you supply us with a list of the 44 members of the Technical committee, which would allow us to determine, as Mr. Jones was asking, whether all the provinces are well represented and so we can know how many representatives there are from government? Thank you.

• 1630

[English]

Mr. Jim Savary: Yes, that should be no different.

Ms. Ellen Pekilis: I actually have the list with me. Do you want it sent afterwards, or do you want to photocopy it?

The Chair: You can provide it to the clerk and the clerk will circulate it to the committee.

Mr. Shepherd.

Mr. Alex Shepherd (Durham, Lib.): I would just be interested in the reconciliation of these codes within your organization. Obviously, the CSA has many codes for equipment manufacturing, and so forth. Within your organization, is there some way to reconcile those?

Just as an interesting and topical point, we talked about the Intel chip. That computer system would presumably be available for sale in Canada. Does it go through a CSA approval system at that level, and how do you reconcile that approval system with this code?

Mr. Jim Savary: That's an interesting question. You're combining two different standards there: a technical standard, whereby Intel would have to meet CSA standards for safety and so on, and a management standard, which is the privacy code. They might very well be cleared on the technical standard—in other words, the board may be safe to use in a computer and meet any other CSA requirements—but with regard to the management standard, whether the inclusion of this method of tracing the user meets the code or not, my guess is it would wait until the device was misused.

It would not violate the standard, in other words, to have a method of tracking the user, but the moment the user's information was collected and used without the user's consent, the code would be violated, if Intel were to subscribe to the code or operate in Canada when this legislation is passed and in the fullness of time applies to all commercial operations. Then presumably Intel would have to meet the requirements of the legislation.

Ms. Ellen Pekilis: Can I add to that answer, please? Jim wouldn't know this because he's the chair of our committee, but I'm internal staff.

We have an internal e-commerce working group. We do this for all our subject areas where there are crossovers, for instance, between environment and occupational health and safety. Sometimes the difference between whether something is an occupational health and safety issue or an environmental issue is whether the door was open or closed. Internal tends to be occupational health and safety.

So whenever we have these standards, especially policy ones that cut across broad areas, we try to identify people from the different standards areas who would be involved and set up a working group. So we do have an internal e-commerce working group that includes people who deal with the sort of electrical standards and people who deal with the computer-type issues.

Mr. Alex Shepherd: Just to carry this one more step, if you have a technical standard that would be applied, say, to this computer Intel is providing, and it meets those technical standards and has your name and that CSA seal on it, what does it tell me as a consumer? Doesn't it also give me an illusion, or misinform the public, that it also subscribes to your privacy standards?

Mr. Jim Savary: It certainly wouldn't yet, because I doubt the public is really very familiar with the CSA standard as a standard. They are much more likely to be familiar with Bill C-54 as it winds its way through the legislative process.

Practically, if the CSA logo were to be used to indicate compliance with the standard, it might be confusing. This was one of the reasons why we had what would appear to be a surprisingly lengthy and intense discussion about whether CSA should offer any kind of logo to companies who had a code in place that was found to comply with the CSA code. So nothing was done, as far as I know, about that. The CSA logo would still apply only to the safety and electrical features of the computer. It would not carry any implication that there was privacy protection in place by Intel.

Apart from that, the consumer would probably be confused as to who was responsible—whether it was Intel, who makes the chip that's held inside a computer, which may have been assembled in some small little shop up in Markham—

Mr. Jim Jones: Well....

Mr. Jim Savary: Well, a large shop up in Markham. Mr. Jones, I had forgotten that very prosperous riding you represent.

But I think you raise a good point. How do consumers have confidence that their privacy is protected? It's a difficult and hypothetical question because consumers would need first to be aware that their privacy was at risk. Then, if they were aware that their privacy was at risk, they'd have to find out how their privacy was at risk. Once they found out it was Intel, an offshore corporation, my guess is they would either ignore it, or if they complained at all, they would complain to the provincial consumer protection agencies.

• 1635

Ms. Ellen Pekilis: Can I add to that answer?

The Chair: Sure, go ahead.

Ms. Ellen Pekilis: Certification in testing is a set of functions that relate to a certain set of standards that set product specifications, and then the CSA logo accompanies that on a product in accordance with a contract and that there has been a test done. This is not that kind of a standard. This is a management system standard, and those are audited in a separate manner and by a separate division. All three divisions of CSA—the standards development, the management systems registration, and certification of testing—are separated by an internal fire wall to prevent conflict of interest, and they report to different boards for that reason.

The wing of our business that handles management systems registration is not the same wing of CSA that puts the standards that all consumers in Canada tend to be familiar with: the little CSA on the light bulb, the CSA on a computer. Any electrical appliance, anything that gets plugged in, has to have one if it's for sale in Canada. QMI doesn't give product labels; they will issue a certificate of registration. Management systems certificates are communicated in a different way. They are not communicated by the same CSA logo that is used to communicate electrical safety.

Mr. Alex Shepherd: Okay.

The Chair: Do you have any other questions, Mr. Shepherd?

Mr. Alex Shepherd: No.

The Chair: Mr. Jones, do you have any more questions?

Mr. Jim Jones: Yes.

The Chair: Before we go to you, I have a technician standing by, and we're going to take 15 seconds to try to readjust because the English is still translating incorrectly. We're going to do that right now.

We'll go back to Mr. Jones now.

Mr. Jim Jones: I have two quick questions. One goes back to the government subcommittee of the CSA. You said earlier that you go by consensus versus everybody having to agree. Does this government subcommittee have a higher weight?

You'd want to have all the provinces and the federal government agree on some privacy standards. Do they have higher weight than others of your 8,000 members?

Mr. Jim Savary: The subcommittees to which I referred were the coordinating drafting committee and the implementation committee. As I recall, the coordinating drafting committee had only one or two government representatives on it—two, I believe, and occasionally three—and the rest were from advocacy groups and the private sector.

But I think your question more generally is, do government representatives have higher weight than do other representatives of other organizations? The answer is no.

They take part in the debate. Again, I suppose because it is a consensus-building operation, everyone has equal opportunity for input. Whether everyone actually avails themselves of that opportunity is another question. Certainly the government sent well-informed and articulate representatives, but then so did the private sector organizations and some of the advocacy groups. So I would say no, there is no over-weighting one way or the other.

Ms. Ellen Pekilis: If I can add to that answer, our internal regulations—and this goes back to our accreditation stemming from the standards council—require us to set up and maintain our technical committees with a certain balance of membership, and it is such that no one group can ever control the voting. The largest group on a technical committee cannot be so big as to outvote the two smallest groups put together, so you can never have a situation in which the biggest groups can steamroll over the little ones.

• 1640

Mr. Jim Jones: The second question goes back to this Internet chip thing. Can you get back to us with the reasons for why they did it? I can see that it might be as simple as when you go into a department store or a grocery store and they ask to see your ID. When you sign up for Internet services and that, you probably have someplace that you automatically store your ID. Then, when you want to buy something or get something there, they have an audit trail on who was doing what.

Mr. Jim Savary: That is a very charitable way of looking at it. I suppose there are organizations already on the Internet that ask you to register with them. The idea is that if you register with them, you only have to give the vital data once. You can then access any one of a large number of commercial enterprises that subscribe to their service. In theory, at least, it is supposed to make the shopping experience on-line much happier, much less time consuming, and good for keyboard klutzes like me. I've checked with a couple of the organizations, though. They have no privacy policy in place as far as I can see from checking their web sites. Almost certainly, they intend to use the data they gather as a rather inexpensive—

Mr. Jim Jones: I take it from the other standpoint. When I log on, every time I want to buy something, I get this screen and I have to fill out a whole bunch of data. I'd like to have that commonly stored someplace so that I can hit a button or something like that in order to send that data instead of having to type it in all the time.

Mr. Jim Savary: You can do that with some of these organizations offering that service. I guess my problem is that I don't like Intel forcing it on us through technology, especially through hardwired technology like that. That's firmware, not software. It's much harder to deal with firmware.

The Chair: I believe Ms. Morin wishes to add to that as well.

Ms. Suzanne Morin: Yes, just to continue with that, Mr. Jones, I'll mention one of the reasons for why we view the work of the International Organization for Standardization as important, picking up on something Jim said earlier about the CSA standard being technology-neutral. Regardless of even the Intel chip, as invasive as it sounds to all of us, and even after the legislation, the CSA standard will still capture the use of that technology by a particular organization or company.

In this ad hoc privacy group on which I'm one of the Canadian reps, the biggest problem at our first meeting was that, in particular, the U.S. representatives—surprise, surprise—were saying we should be getting into technical standards, technology standards, and all of that. Our perspective was that those are important because they are the technical tools that you use to implement a management system standard or Canada's CSA privacy code, for example. If you were to develop a Canadian standard to deal with the problem associated with the Intel Pentium 3 chip, you would try to develop your technical standards so that they capture the policies and the principles behind your privacy code, your privacy standard. That's how we would do it.

Mr. Jim Jones: So you could get back to us on that then.

Mr. Jim Savary: Yes, I made a note.

Ms. Suzanne Morin: Maybe you should call them before the committee.

Mr. Jim Savary: Yes, maybe you'd like them to give evidence.

Ms. Suzanne Morin: Jim has undertaken to get back to you.

Mr. Jim Savary: Yes, I'll do that.

The Chair: Is that it, Mr. Jones?

Mr. Jim Jones: Yes.

The Chair: Thank you.

Since I don't have any other questioners, I'd just like to ask one question myself. You set out the standards with regard to consent, but what about the exemptions in legislation? Do you have any comments on those that are not subject to the same standards?

Mr. Jim Savary: When you say “exemptions”, are you referring to the journalistic one?

The Chair: The journalistic one in particular.

Mr. Jim Savary: The journalistic and scholarly exemptions were not part of the standard. This was added by the legislators, in their wisdom, so I guess I should say that CSA has no opinion on those.

The Chair: No opinion.

Mr. Jim Savary: Well, CSA has no opinion. I suppose none of us likes it. Although we don't like it as a corporate body, we might not like it as individuals.

The Chair: All right.

Did you have anything else to add? Did you wish to leave us with a parting thought or final comment? Dr. Savary.

Mr. Jim Savary: I'd only say that we appreciate the opportunity to meet with you, and we reiterate that the consensus-building process has led to what we think is a very good standard. We happily leave it in the hands of government.

The Chair: On behalf of the committee, I'd like to thank all of you for joining us here today.

The meeting is now adjourned until tomorrow.