INDY Committee Meeting

STANDING COMMITTEE ON INDUSTRY

COMITÉ PERMANENT DE L'INDUSTRIE

EVIDENCE

[Recorded by Electronic Apparatus]

Thursday, March 4, 1999

• 0908

[English]

The Chair (Ms. Susan Whelan (Essex, Lib.)): Pursuant to an order of reference of the House dated Tuesday, November 3, 1998, we are considering Bill C-54, an act to support and promote electronic commerce by protecting personal information that is collected, used, or disclosed in certain circumstances; by providing for the use of electronic means to communicate or record information or transactions; and by amending the Canada Evidence Act, the Statutory Instruments Act, and the Statute Revision Act.

I'm very pleased to welcome our witnesses here this morning. We have three different groups of witnesses. From the Information Technology Association of Canada, we have Ms. Carol Stephenson, who is from Bell Satellite; Mr. Wayne Scott from IBM; and Mr. William Munson from ITAC. From the Canadian Association of Internet Providers we have Ms. Margo Langford, the chair, and Ms. Julie Garcia. And we have our expert today, Professor Michael Geist, professor of Internet law from Ottawa University.

I'm pleased to welcome all three different groups here today. I propose that each of you go through your opening statement for about five minutes, and then we'll move to questions.

With that, I'll begin with the Information Technology Association of Canada. Is it Ms. Stephenson who will be doing the presentation?

Ms. Carol Stephenson (Chair, Information Technology Association of Canada): Yes. Thank you.

Good morning. I am Carol Stephenson, president of Bell Satellite Services and also the chair of ITAC. ITAC is the Information Technology Association of Canada. With me are Wayne Scott, who is from IBM Canada and also is a member of ITAC; and Bill Munson, who is from the ITAC staff.

ITAC is the voice of information technology in Canada. We represent about 200 of the largest information and communications companies in Canada, and 1,300 companies if we include the nine affiliates across Canada. Together these companies account for about 80% of 418,000 jobs, $70 billion in annual revenue, $3 billion in annual R and D, and expenditures and annual exports of about $20.7 billion. From hearing those numbers, I think you know the industry cares about this issue and that we do contribute to the Canadian economy.

• 0910

We have naturally worked very hard on a policy framework for Canada that protects and promotes those enormous contributions. Our members and the clients they serve are pioneering some of the new frontiers of electronic commerce and electronic service delivery. Canada is off to an excellent start, and ITAC believes that if we do get this formula right, Canada has an excellent chance of becoming a leader in the world in the emerging electronic era.

Maybe some of you witnessed Canada's leadership last October when we held the OECD ministerial conference on electronic commerce. I had the privilege of representing the Canadian business community and was very gratified by the compliments I received from people across the world about the value and clarity of Canada's contribution to the dialogue in the conference and the various forums that preceded it.

Certainly business in Canada and around the world understands that electronic commerce will never achieve its tremendous potential without a shared set of principles that establish consumer trust. Customers venturing into the virtual marketplace need assurances that their interests will be carefully protected. One of the most fundamental things we must do is protect privacy and personal information.

Therefore, independent of legislation, there is a growing awareness amongst the private sector organizations, certainly those in our industry, that personal information should not be seen or treated as a commercial commodity. Bill C-54 provides a very valuable complement to that new awareness.

Here I would like to stress that among Canada's industry associations, ITAC has been in the forefront on privacy issues. In fact we called for privacy legislation as far back as October 1994, in a submission to the federal government's information highway advisory council. We've been working on it actually since the early 1990s.

We've consistently advocated that legislation be based on the CSA model code for the protection of personal information, which was developed by a committee of industry, consumer, labour, and government representatives. ITAC was among them. There was a very broad cross-sectoral representation on the CSA privacy committee, and that gives great moral strength to the CSA model code and also to Bill C-54, which, as you know, is founded on the model code.

While different people around the CSA table had some different views, our dialogue was fruitful. At the end of a long, generative process of give and take, the committee felt we had achieved a strong and workable solution. We believe that solution adequately addresses the range of interests that were represented there.

ITAC therefore applauds the introduction of Bill C-54 and recommends its passage through Parliament for three fundamental reasons.

First, as I've just said, the bill is based on the CSA model code.

Second, the bill positions the Privacy Commissioner as a positive force for compliance. Adopting the ombudsman model, where the Privacy Commissioner acts as an arbitrator rather than as police, judge, and jury, is very commendable. This positions the Privacy Commissioner as a positive force to work with, rather than an enforcer to defend against.

And third, the government has shown initiative in attempting through this bill to create uniform law applying to all companies, wherever they are located across the country.

We would, however, in the spirit of continuous improvement—which certainly drives our industry—take this opportunity to support four positive changes to the legislation as it's currently written.

Here I'll note that we do fully support part 2 of the bill, which is intended to modernize the existing statutes so as to recognize electronic documents, and we won't suggest any amendments to the schedule to the bill, which is essentially the hard-won compromise that the CSA model code represents.

• 0915

Our first suggestion addresses the powers of the commissioner to investigate or audit. As I mentioned earlier, we see the positioning of the Privacy Commissioner in an ombudsman-like role as very positive. However, we are uncomfortable with the notion that the Privacy Commissioner, under subclause 18(1), would have the power to audit for and report publicly on compliance with what are clearly intended to be recommendations as opposed to obligations.

In most cases, best practices will dictate that companies incorporate in their privacy policies the “should” statements contained in the schedule. We are comfortable in saying that the few exceptions will be companies with valid and well-recognized reasons for choosing to meet their legal obligations in other ways. They should not risk being penalized for doing so.

Our second suggestion relates to the opportunity to respond to a complaint. We recommend that the legislation allow an organization some minimum amount of time to correct the situation that has been brought to the commissioner's attention before the commissioner may commence his investigative and reporting activities. We recognize that this may occur for practical reasons, but we would prefer to have the formal assurance of it in the legislation.

The third suggestion we'd like to make deals with the transfer of information within an organization. We recommend that the legislation explicitly allow organizations to transfer information internally. We recognize that organizations must be responsible for maintaining the security of information in their possession, particularly when that information is sensitive, but the law must recognize the nature of the multi-access database technologies already in everyday use both in government and in industry.

Our last suggestion deals with publicly available information. We note that Bill C-54 is silent on the issue of an organization's right to use publicly available information. To facilitate electronic commerce, companies should be free to use, collect, and disclose some information that is publicly available—for example, phone numbers listed in a telephone book. We should note too that the legislation should also recognize, as we do, that some kinds of publicly accessible information are more sensitive than others.

These are, we hope you will agree, recommendations to really fine-tune a piece of legislation that we support in general. ITAC members and staff will be pleased to work with this committee and departmental staff to incorporate any necessary amendments to Bill C-54 prior to its passage.

We also look forward to working with departmental staff and the Privacy Commissioner's office on efforts to get the word out to our constituents. Aside from its protective qualities, we must recognize that Bill C-54 is also a solid starting point for education and organizational development by the Privacy Commissioner. We're pleased to understand that the Privacy Commissioner has similar views and intends to pursue such activities.

With that, I'd like to thank the committee for allowing our association the opportunity to speak to you today. We'll be pleased to answer any questions you may have, either now or in the coming weeks or days ahead. Thank you.

The Chair: Thank you very much, Ms. Stephenson.

I'm now going to move to the Canadian Association of Internet Providers. Ms. Margo Langford, please.

Ms. Margo L. Langford (Chair, Canadian Association of Internet Providers): Thank you, Madam Chairman.

I'm going to start with an overview, and if you're looking for documentation that backs this up, it's this particular set of documents. I apologize for the fact that it's not in French. Most of it is in chart form, and it's just meant as a general overview for framing the industry. Ours is a very new industry, as Internet providers, and therefore I wanted to give you a bit of background before I turned it over to Julie Garcia.

On personal Internet usage, about 40% of Canadians now have access to the Internet, about 20% from home and about 14% from work, and about 10% have it at both places. Also, 70% of our university students now have Internet access, which is an incredibly high figure. Thanks to Industry Canada and their SchoolNet program, almost all of the schools—and certainly the goal is 100% of the schools—will have access by the year 2000. So we are getting to the point of critical mass in personal usage on the consumer side.

On the industry side, a number of industries of course have jumped on-line. The next chart, on industry distribution, deals with the various sectors that are actually using the Internet. These are not necessarily those who are selling on-line, but in fact those who are using the Internet in some way to conduct their business. And of course there are a variety of ways that businesses do use the net, including business-to-business activity.

• 0920

As you can see by the next chart, the percentage on-line by company size, small and medium enterprises are very much the growth part of Internet use by companies, and they are adopting the Internet in leaps and bounds.

In the next chart and next page I want to talk briefly about ISPs themselves. No two Internet service companies are alike. There are a variety of different business models, and many of them are unknown to us. Industry Canada did a survey and discovered there were 675 of them. Those are companies that identify themselves as in some way providing services for the Internet. I would suggest that many of those are just access providers or some other kind of related service.

CAIP itself now has upwards of 100 member companies that actually are more full-service companies, so they offer not only access to the Internet but also some of the value-added services, such as e-mail, hosting content, training, consulting, and those kinds of additional services.

Right now it's estimated the industry represents about $1 billion in revenue, and the typical ISP growth is between 5% and 8% per month. CAIP members represent about 80% of the traffic in Canada and about 90% of the users at the moment, so we feel significantly entitled to be here speaking on behalf of the industry.

The next chart shows you that the most amount of revenue is obviously coming out of the large companies, although none of them are making a profit on straight access, so that's a really important part of our story. The industry is diverse in its structure, and at the moment our membership includes major telephone companies and their affiliates, cable companies and their affiliates, and independent ISPs. There are three major consumer providers—AOL Canada, Netcom Canada, and PSINet—and some network providers, such as Teleglobe, MetroNet, UUNet, WorldCom, and AT&T, who also carry smaller ISPs on their network. Then of course there are lots of regional, local, and specialized services.

The majority of revenue from the industry comes at the moment from residential subscriptions and business subscriptions, so we're not yet at the stage where a significant amount of money is coming from electronic commerce transactions or even housing or hosting the content, but that is certainly the area that everyone wants to get into. It's just a much better margin.

Lastly, we are as an industry obviously extremely concerned about privacy and consumer concerns about using the Internet. Our business will not succeed without addressing this issue. I give you this chart to demonstrate that we do know about our membership, our subscribers, and their concerns. We are in touch with them and we are working very hard to build confidence.

CAIP itself has done a number of things to try to address this over the last three years. We started with a code of conduct in 1996, which addressed some things at a very high level, and privacy was one of the principles in that code. We refined that code this past fall with an on-line privacy code, which I believe has been distributed to you, and some user tips. And we are continuing to address those through something we're calling the fair practices program, which is an opportunity to go out and educate our users, our member companies, and indeed our merchant subscribers—the people whose web sites we host—to try to get them to all understand their obligations in the privacy chain.

On that note, I'm going to turn it over to Julie Garcia, who by the way brings additional value. Not only is she responsible for the legal affairs at AOL Canada, but she's also worldwide policy director for AOL, America Online, as a whole.

Ms. Julie Garcia (Chair, Privacy Committee, Canadian Association of Internet Providers): The Canadian Association of Internet Providers, as Margo indicated, is comprised of approximately 150 companies involved in all aspects of the Internet and Internet-related services. Many of our members are small regional and local Internet service providers, or ISPs, but we also include among our members such companies as IBM Canada, Bell Canada, and of course AOL Canada.

• 0925

CAIP is committed to the protection of the personal privacy of individuals on-line. We know consumers are wary of new Internet technology as regards the collection, use, and disclosure of their personal information. CAIP knows the appropriate protection of that personal information is a necessary prerequisite of consumer trust, and consumer trust and confidence are necessary prerequisites if the world of the Internet and electronic commerce is to reach its full potential. Our businesses won't flourish unless we have that confidence of our consumers.

To foster that sense of trust, CAIP has established its own model code of privacy protection that's tailored to the on-line industry. The model code is based closely on the CSA standards, taking what is best from those standards but blending it with the technical reality of the on-line environment.

CAIP prefers a self-regulatory model, particularly in the area of personal data protection. While Bill C-54 and the CAIP model code are both based closely on the CSA standard, CAIP's self-regulatory code is written in the language of our industry and reflects the unique technical environment.

Our privacy guidelines, which I believe you have a copy of, also feature user tips. Those user tips encourage individuals to do what they can to protect their own privacy. The CAIP approach emphasizes that the protection and safety of personal data are the responsibility of all parties to a transaction, not simply the obligation of one industry.

CAIP would like to work with this committee on four areas of potential improvement and clarification of Bill C-54.

The first area is the collection, maintenance, use, and disclosure of personal data by an ISP. In an on-line transaction, whether it be signing on to an Internet service provider, buying books from Amazon.com, or whatever, an individual user almost always has to provide what we call header information and billing information. That would be your name, your address, and normally a credit card number so that the transaction can proceed.

That information is required on the part of the business to process billing, just as it is in the off-line world, and it's part of our business function. The user affirmatively provides that information, and they know that's going to be used to process the business transaction, and in the case of a service provider, an ongoing business relationship.

As the user navigates around an on-line service and around the Internet, however, an access provider, just through the process of providing access, will automatically collect information such as the length of time the individual is on-line and potentially, if it's a proprietary network, where the user is going within that network.

That information is collected automatically by computers. It may be used for billing purposes, if users are billed based on time spent on-line. But sometimes it isn't used for any purpose; it just exists in an unreadable form in the storage system of the access provider. That information is not stored in a personally identifiable way, it's not kept in a dossier or a file about individuals, and therefore we believe it should not be made accessible for review and correction by the individual.

The way the bill is presently written, any information about an individual needs to be made available to them to review and to correct. While access providers—I don't even want to say “theoretically”—have this information about the individual, in terms of where they've been and how long they've been on-line, it's very difficult to get at. It would be possible to get, but it would be an incredible burden on the business. It's not something that in the normal course of business is kept in a personally identifiable way.

So privacy is better protected by leaving that information in the databases, where it is never accessed and where it eventually disappears over the course of time, when the servers get full and the older information just falls away. It is that type of information—which is automatically collected and stored, not retrieved in useable form, and not kept in a personally identifiable way—that should not be subject to the notice, access, and correction requirements.

The CAIP code, using the CSA standard, is able to reflect that reality of the on-line world and use the best of the code in a way that our industry can effectively implement it.

Again, different industries have different information management needs, so CAIP believes it's critical that Bill C-54 allow some flexibility for industry-specific approaches to provide the best privacy protection for Canadians.

• 0930

A second area of clarification that's very important to CAIP members concerns previously collected information. A company's obligations regarding personal information that it already holds are not clear under the bill. My company, for example, has 16 million members worldwide. All of those members have already provided to us their names and addresses, we know their screen names, we know their credit card or debit account information, it's already been aggregated in the database, and in many cases that information has been moved outside Canada. We need some clarification on those subscribers. It would be an incredible burden to have to go back to 16 million individuals and try to “re-get” that information under a new circumstance.

Another example is employee information within a company that was collected in some cases many years ago. We would suggest a standard of implied consent for business uses for both employee information and existing customer information to date. This is similar to the ITAC view on the internal transfer of information, which, I'll state for the record, we agree with.

A third issue I'd like to address is the issue of oversight. The oversight and the remedies currently available in Bill C-54 seem quite broad. CAIP agrees with ITAC's view that industry should have the first responsibility and opportunity to respond to a complaint about privacy and to correct the situation as necessary. I would be more than happy, as would other CAIP members, I'm sure, to provide specific examples of how industry is doing this already anyway.

The commissioner then would have to ensure that this avenue of going first to the company for redress has been exhausted prior to initiating that investigation and audit. That type of method is particularly appropriate for an industry such as the ISP industry, which has adopted a privacy code that's very close to the CSA standards to guide its members.

Our final issue of concern is a uniform regulatory environment. The jurisdiction issue is one that raises unique problems in an on-line environment, for our industry in particular. With the Internet and with on-line access service providers, it's unclear where information is gathered, where it's transiting, and where it may be collected. Certainly companies store information all over Canada and perhaps even outside Canada.

CAIP understands that in Bill C-54 there's going to be shared jurisdiction between the federal and provincial governments, but we'd like to emphasize the importance of having uniform legislation, if not between Canada and the rest of the world, certainly within Canada. We need to have some kind of harmonized regulatory system. It's imperative so that it can provide certainties for ISPs.

Allowing each jurisdiction to tailor additional laws could create a patchwork of legislation that effectively would prevent electronic commerce from crossing provincial borders. I don't think that's what anyone intends and I don't think that is the result anyone wants. To provide a base level of privacy protection to all Canadians as well as to foster the growth of electronic commerce, data protection laws should be uniform across the country.

CAIP appreciates the opportunity to appear before this committee and to share its views on Bill C-54. We applaud your efforts to protect the privacy of Canadians and we join those efforts. We hope we can work together to ensure a solution that works for all parties.

The Chair: Thank you very much, Ms. Garcia.

Professor Geist.

Professor Michael Geist (Individual Presentation): Good morning, and thank you for inviting me to appear before this committee to provide my views on the intersection of the privacy protections afforded by Bill C-54 and the Internet.

I'm a professor of law at the University of Ottawa law school, and I specialize in Internet law. Unique to Canadian common-law schools, I teach two Internet law courses, one on the regulation of Internet commerce and the other on the regulation of Internet communication, which focuses on speech and privacy. I've written several law review articles on Internet law; I'm co-editor of JURIS Canada, which is a legal education web portal; and I'm creator of the Canadian Internet law resource page, a web site dedicated to Canadian Internet law issues.

Let me begin by congratulating the government for this privacy initiative. Given the alternative of self-regulation, Bill C-54 is a major step in the right direction. In fact one need only look at activities this week in the United States, where the Online Privacy Alliance, the country's leading self-regulation advocacy organization, is pleading with on-line enterprises to post privacy policies. The reason? Next week the Federal Trade Commission begins their second annual privacy audit, and the fear is that such little progress has been made in the widespread adoption of privacy policies that the government may move towards some form of regulation. As the U.S. experience illustrates, legislation is needed to effectively protect the privacy of individual citizens.

• 0935

The focus of my remarks today will be on the application of Bill C-54 to the Internet. I certainly recognize that the bill's application extends well beyond just the net, but it's fair to say the growth of the Internet has been the major driving force behind the growth of electronic commerce and, by extension, this bill.

From an Internet law perspective, nothing is more important than strong and effective privacy legislation. As you are by now no doubt aware, in several surveys, Internet users have cited privacy as their primary concern. However, I would submit that the issue is even more serious than these polls indicate. As more and more people gravitate to the Internet, I see a widening gap between what might be called the haves and the have-nots.

The haves are aware of the privacy implications of Internet activity: the collection, use, and sale of their data. They frequently take steps to combat privacy concerns by using anonymizing technologies or, in other instances, providing false information when data is requested.

Sadly, there are far more have-nots than haves. The have-nots are simply unaware of the privacy concerns raised by the Internet. These users are more likely to think that cookies come in oatmeal or chocolate chip as opposed to being a source of potential privacy concern.

Given the large number of have-nots, there are really two sources of protection. One is education, and I certainly applaud Bill C-54 for recognizing the importance of increased public education with regard to the issue of privacy. The other protection is this bill, so when all else fails, the have-nots must be able to rely on this law to protect their private data.

The question, then, is whether it does. With your indulgence, I'd like to spend a couple of minutes tracing the experience of a typical Internet user, highlighting the privacy concerns and speculating as to whether Bill C-54 provides sufficient protection.

Our typical, and some might say fortunate, Internet user uses her new computer, equipped with a Pentium III chip, and has cable modem access using the cable provider @Home to access the web. She visits a site that offers some interesting content or maybe free e-mail, and in return for the content, she's asked to fill out a form that asks a variety of personal questions.

Consider the privacy implications of this simple and very common experience. The Internet service provider, in this case @Home, has access to information, as we've just heard, on where the user has visited. ISPs in Canada have tended to protect the user's interest, but consider a recent controversy in the United States involving TCI@Home.

Several weeks ago they announced they were amending their terms of service policy to allow the company to reproduce, publish, distribute, and display worldwide any content that was published, transmitted, or distributed over the TCI@Home Network. This was seen to include users' e-mail correspondence and their browsing habits. The haves became aware of this change and a protest ensued. Earlier this week, TCI@Home announced they were rescinding the change, characterizing the entire incident as a misunderstanding.

Would Bill C-54 protect a user from this sort of circumstance? Well, maybe, but by no means for certain. Consent would clearly and reasonably be assumed as part of agreeing to a service contract, and of course consent is at the very heart of the CSA code. However, clause 4.3.3 of the CSA code provides that you cannot make supply of a service conditional on consent to data collection beyond that required for an explicitly specified and legitimate purpose. It would have been interesting to have a user challenge the policy on the basis of that provision in the CSA code.

Let's move on to the P-III chip found in the computer. As I believe you have heard, the P-III chip contains a digital identifier that allows sites to identify which computer is accessing their site. Since each computer contains a single identifier, it's possible for different web sites to share their information and thereby obtain a detailed consumer profile.

Initially, Intel activated the identifier as the default setting, and computers that are currently shipping—they just began shipping over the past week or so—retain that configuration. When the haves learned of this, yet another protest ensued. Intel partially backed down by providing a software utility that allows for a change in the default setting and a promise that future shipments would set the default setting as an inactive identifier.

• 0940

But consider that last week, Intel released the technical specifications on the P-III. Within 24 hours, a German software developer had designed a utility that allows the identifier to be switched on and off by an external user; someone else can control it.

Now assume an organization wants to collect and use the identifier information. The question: Would Bill C-54 protect that user? If the identifier is off, they can't collect the information, so there isn't a problem. If they were to condition service on turning it on, clause 4.3.3 would kick in, and they would have to justify the use. If they turned it on themselves, using something such as the German software utility, they would probably violate Criminal Code provisions for tampering with computer data.

But if the identifier were on—let's say the user bought a new computer with the default setting turned on, or perhaps an unscrupulous web site happened to use that same utility to turn on the identifier unbeknownst to the user—then the user might not be protected. Clause 4.3.6 of the CSA code provides for implied consent, and given that the default of the identifier is off, it might be reasonable to argue that consent can be implied by virtue of the fact that the identifier has been turned on.

Finally, let's review providing data to the web site. On this site, the forms for the private data are contained right at the top of the web page, below is some general information, and then right at the very bottom is a negative-option check-box that requires the user to check if they do not consent to collection and use of their private data. Many users will never see this check-box, since they will never make it to the bottom of the page. They fill out the form, they hit the accept button, there's no reason for them to even make it to the bottom of the page. For these users, Bill C-54 is of no assistance. Paragraph 4.3.7(b) of the CSA code expressly provides that this form of obtaining consent meets the CSA standard.

Furthermore, consider a situation where the site doesn't even include a check-box. There is no indication that the personal information is going to be used. Does Bill C-54 protect against this? One would certainly hope so. However, an exception contained in paragraph 7(1)(b) of the bill, not in the CSA code, may provide an argument that nothing wrong has occurred. The paragraph provides that information may be collected without knowledge or consent if it is reasonable to expect that collection from the individual would compromise the accuracy of the information. Combined with paragraph 7(2)(d) of the bill, which covers use, a company might look to this provision to justify its actions.

As I noted, many Internet users have taken to providing false data to protect their privacy. As the bill is currently drafted, companies might be able to rely on this fact to justify an absence of obtaining consent, since to do so might reasonably result in the receipt of inaccurate information.

In summary, Bill C-54 is much better than the alternative of no legal privacy protection. However, I would submit that for the sake of the have-nots who are new to the Internet, the bill should be strengthened to remove some of the weaknesses I've articulated here this morning.

The Chair: Thank you very much, Professor Geist.

I'm now going to move to questions. Mr. Jaffer.

Mr. Rahim Jaffer (Edmonton—Strathcona, Ref.): Thank you, Madam Chair.

First of all, I'd like to thank all the presenters for being here this morning. A lot of the information being presented is useful to us, and I agree with many of the recommendations.

I'll start with Mrs. Langford, if I may.

I was looking through your presentation, with the charts and all the information pertaining to usage on the Internet currently and so on. I'm in favour of this legislation and looking forward to its passage. However, just from my own experience in using the Internet and from seeing some of these figures...

The issue of security has obviously been identified, and that's something people are concerned about. However, to some extent, the issue of security is also the job of companies to make their customers feel confident. Part of this process of being confident on the Internet is one of awareness. People are starting to learn more about the Internet and are starting to look at what's available on the Internet.

So even though I agree that Bill C-54 is an important framework to make security and privacy an issue, I don't know if that's going to have as much of an effect on the public and issues of security as, say, private companies such as yours promoting the security features on your own web sites and giving the confidence to consumers that you guys take that seriously.

Ms. Margo Langford: Thank you for your question.

We address these things not as a separate issue but in an integrated approach. Privacy and the collection of personal information in the context of Bill C-54 are one aspect of consumer confidence, but of course secure systems are the way you actually implement.

• 0945

It's fine to have a policy and/or a piece of legislation, but you have to drill down a level to getting not only business practices at best practice level, but also systems. So we actually have to do some things at the hardware and software levels. There are three processes of both education and implementation.

On the user information side, because we have subscribers and we have an e-mail account for every one of them, we have a lot easier time touching our customers than the average business does. So we do have the opportunity to give them user tips and to teach them as they come on-line.

Even though 40% of Canadians are on-line, every day people are buying computers for the very first time and we're setting them up from scratch. These are people who need a lot of education. We have help desks that cost a fortune, quite frankly, but they're critical to the business right now, because they work with people and explain to them how to use the Internet and how to protect themselves. So we do have a really good, close relationship with the users themselves.

We also have the opportunity obviously to touch the customers whose sites we host. We have a contract with them, which can be used in a very positive way. We can choose not to put up a site that doesn't meet both security and privacy standards. We can do that, as best practice. That's certainly, for instance, IBM's policy. We just simply will not commerce-enable a site that doesn't use our best security systems.

From an IBM perspective, we have spent a lot of time, money, and research developing security systems, but we've now made some of those publicly available to the other ISPs and merchants, because we are so critically concerned to make sure there is at least a base level of security. This is a “weak link in the chain” syndrome. Anybody at any point in the transaction can be the security breach, so we have to uniformly approach security in systems. We're all taking it very seriously.

That brings me to the P-III chip. Its intent and Intel's intent in developing it in their labs was in fact to make sure we could authenticate users more effectively so that we could actually avoid unauthorized use and hacking. It had a higher purpose. It wasn't to collect personal information on a particular computer, but to be able to in fact identify that you are you, and from an electronic commerce perspective, that that user is the person who's authorizing the transaction. So it was intended with all the best motives in mind. It does now have an ability to disengage it, but I would guess that many people would actually want that protection.

We always have this balancing act between systems that are designed to nail down and tighten up things and the flexibility to be able to do what people want us to do.

Mr. Rahim Jaffer: I just have one more follow-up question for Ms. Garcia.

I noticed that you talked about the jurisdictional issues within Canada. One of the concerns I've been thinking about recently is the position we've heard from many Europeans approaching this issue of regulation and security and building a framework.

The approach seems to be a little bit different when it comes from, say, North America, as opposed to Europe. There seems to be more of an emphasis here on allowing more flexibility, based on the CSA code, and allowing companies to be able to work within a framework so that they can deal with some of these problems, while in Europe it seems a little bit more of an effort is placed on putting heavier government regulations on this framework of the Internet.

In your opinion, is there a potential for trade disputes and so on, as Internet transactions increase? Or is there a way to be a little bit more global in scope, so to speak, in allowing a little bit more flexibility? What are your thoughts on that?

Ms. Julie Garcia: We would certainly love to see a more global scope. You've really hit the nail on the head.

It's interesting. The European perspective has always been the opposite of the North American perspective. The concern in Europe is not whether or not government has information about you, but whether or not private industry has information about you. The directive is aimed at protecting individuals from having their information used by private industry.

Whereas in North America the attitude has been, “Anyone in the world can know what I've done with my American Express card, but I don't want the government knowing where I go for health care”, or whatever the issue might be. It has been a different approach.

• 0950

We've seen the potential for difficulty between the United States and Europe in trying to negotiate data transfer. The European Union is saying the United States doesn't have legislation in place and data can't be transferred. You're probably aware of the talks that are ongoing right now. Actually it looks as though some progress has been made this week on what would be a safe harbour, so that certain industries in the United States that do have strong self-regulatory and enforcement mechanisms would be exempt from the directive.

So while there are the differences you've identified and there is the potential for that to cause a problem, I've also seen a good willingness for governments to work together to make e-commerce work. There has been and continues to be a growing recognition in every country that no one country or one group of countries such as the European Union can impose exactly what they want on the rest of the world, because they would be cutting off their nose to spite their face.

If the directive were enforced as it stands and no data could pass between Europe and the United States, everyone would lose. That's not what they want. They just want to know that there's an adequate level of protection. So to the extent that they have a comfort level with the data protection, I think we'll be able to move forward.

Mr. Rahim Jaffer: Thank you.

The Chair: Thank you very much, Ms. Garcia.

Thank you, Mr. Jaffer.

I should have mentioned that if a question is not addressed to you and you have anything to add, just let me know. We're more than happy to allow others to participate in the discussion.

Mr. Shepherd.

Mr. Alex Shepherd (Durham, Lib.): Thanks very much. I just want to ask a quick question and then I'll go on to a more substantive one.

Mrs. Garcia, I guess this would be for you. I'm interested in the concept of the Internet viewer, someone who would actually access the information that's flowing over the Internet by having a little key.

I was interested in this happening, because I was talking to an American company, Schwab Online, and they claimed that as long as I had a corporation's U.S. ID account and I used the Quicken system or something, I could simply go into their investment account and see all of their investments. I thought that was pretty profound. Anybody could go to a local bank and clear out the wastepaper basket and find everybody's ID numbers. How are we protecting those people's privacy?

Ms. Julie Garcia: A financial institution or a bank actually has a built-in level of protection in the States. If you're talking about Schwab, they can legally use a higher level of encryption. They can encrypt the messages back and forth so that they're more secure.

In terms of simply having a password, that is an area where ISPs really need to work with—I'll call them the have-nots—to educate them. You would always have an opportunity to change your password, and it's probably never a good idea to use your dog's name or to use your address. There are passwords you can choose that can't be cracked. If it's a combination of letters and numbers, for example, instead of just letters, then a code cracker won't be able to get at your access number and get into your account.

Am I addressing your question?

Mr. Alex Shepherd: Not really, because this was done by setting up a PIN number, and it was a combination. You could view the account, but you couldn't trade it. It was the person who had the actual password who could trade the account, but it was possible that anybody, if they had that corporate ID number, could set up a PIN number and visually see it.

Ms. Julie Garcia: So you could see, for example, my account.

Mr. Alex Shepherd: Yes.

Ms. Julie Garcia: And see how much money I had.

Mr. Alex Shepherd: They just said that's the way it is. If you had a Quicken system or something, you could do that.

Ms. Julie Garcia: If you had the PIN number.

Mr. Alex Shepherd: You could go in and create another PIN number once you had the corporation's ID number.

Ms. Julie Garcia: I see. I'm sorry I'm being slow. So the idea would be, for example, if I were in the accounting department of my organization, we would have an organizational ID number, and then there might be six or seven of us who could view the account.

• 0955

Mr. Alex Shepherd: Well, I would think a U.S. corporate number is widely known, no different from in Canada. That's something I really find strange and something that should be addressed here.

Anyway, I'm getting off topic. The real issue I'm interested in—

Ms. Margo Langford: Schwab is actually an IBM account. Perhaps we could undertake to find out more about that system and provide you with—

Mr. Alex Shepherd: Well, I talked to their IT department, and they said that's just the way it is. I thought it was kind of strange.

Ms. Margo Langford: It's not something I'm familiar with.

Ms. Julie Garcia: Yes, it does seem strange.

Ms. Margo Langford: It does, yes.

Mr. Alex Shepherd: Okay.

You used the words “implied consent”. This bothers me as a position of law. You're saying that because I come to one of your user sites and I give them my social insurance number or I give them my Visa card number, I have consented not only to do business with that user, but also to allow them to take my data. You're telling me they're storing it in some kind of form. Obviously they go through the process of storing it for a reason. I don't think they store it for... Storage costs money too, right?

Ms. Julie Garcia: But it does happen automatically.

Mr. Alex Shepherd: I know, but there's a reason for it. So isn't it more appropriate to ask people up front for their consent, to say, “We want to use your information for these purposes. Do you consent?”

Ms. Julie Garcia: I absolutely think that is more appropriate. I used “implied consent” in the context of existing data, the data that already exists in our database. Going forward, there would be implied consent that everyone to whom this bill applies would not have to backtrack with all of the information they already had to make sure that those people...

That was the context in which I used “implied consent”.

Mr. Alex Shepherd: I understand the grandfathering idea, but from this day forward, when I go on one of your organizations' sites, what is going to give me the assurance that I consented or did not consent to the use of that information?

Ms. Julie Garcia: It's the disclosure requirement. We fully support the part of the CSA standard that indicates that you provide notice of your policies and disclosure of your policies, and that anyone who comes to your site can choose to not have their information shared. We agree completely with those aspects of the code.

Mr. Alex Shepherd: So you see that all of the people who are your members are going to change those sites. In other words, when I go into whoever's site now and they say, “Fine, we'll let you use the service for free; just give us your e-mail number and some other statistics about you”, I'm also going to see a little box saying, “And by the way, you are consenting to us using this data somehow”. Is that what they're going to do?

Ms. Julie Garcia: That's what we would like to see.

Could I say a couple of things about that? We certainly don't want to regulate what the privacy policies of our companies are. We just want to make sure they provide notice to members.

It might be interesting for you to know that in England, the second-largest ISP and probably soon to overtake AOL in England is Freemail. They provide free Internet access and free e-mail accounts in exchange for user information, and users love it. People flock to that service by the hundreds of thousands. They know that in exchange for getting free Internet access, they're giving their name and address, they're checking a box on what their interests are, and they're going to get junk mail and e-mail and off-line mail, and they do it. They love it. There are hundreds of thousands of subscribers.

So our point is simply that you have to have notice. People have to know what they're getting into. If someone says it's worth it to them to have lower-priced or free Internet access in exchange for getting junk mail, so be it. It's their choice.

Mr. Alex Shepherd: The argument is that in this legislation, we don't see where it demands consent, where it's clearly stated that anybody accessing this site gives positive consent. Would you agree with that?

Prof. Michael Geist: As I indicated, there is a problem with the use of implied consent here, because in many instances, it's open for a company or a collector of data to rely upon standards that have been set in the CSA code to say they've received implied consent, where the user really hasn't been aware of the fact that they've been providing consent at all.

• 1000

It's important in some respects to distinguish between information someone provides to a web site and an agreement they might have with an Internet service provider because the ISP is providing them with service to access the various sites.

Certainly my colleagues on the panel can correct me, but it seems to me that the boundaries in terms of data collection will be set by the terms of service—the contract, effectively—that you sign with the Internet service provider. The contract may say the data can be collected, transferred, and whatever, and by signing the contract or signing up for the service, you effectively agree to those standards. That's somewhat different from when you go to a web site and provide information, and somewhere on that site, at the bottom of the page, you have to check to tell the person you don't want them to use your information.

Ms. Julie Garcia: Could I interject?

Something that is important to think about is the distinction we seem to be making between what is appropriate in the on-line world and what is appropriate in the off-line world. When I subscribe to a magazine in the off-line world, I give implied consent to that magazine to bill me and to send me information about other magazine subscriptions. So it's unclear to me why, when I sign on to an access provider and provide that same information, we would want to put a different standard on that.

Prof. Michael Geist: We wouldn't. We want to set the same standard that they have to obtain consent. That's the point. It isn't exclusively for the Internet; it's for everybody. You have to get consent.

Ms. Margo Langford: The challenge here is that in the first three years, all of the businesses are not captured by this legislation. ISPs are captured, because they're telecommunications services and therefore federal entities. We developed our policy with that in mind. We can't take responsibility for every merchant who goes on-line or every other business that's on-line, except through contract.

The Chair: I'm going to move on to Madame Lalonde now, and Madame Lalonde probably will speak to the Quebec legislation that already exists. They already have this problem in Quebec.

Madame Lalonde.

[Translation]

Ms. Francine Lalonde (Mercier, BQ): Perhaps it's Quebec that has a problem with Bill C-54.

[English]

The Chair: You already have laws in Quebec, but how can you argue that? Go ahead, Madame Lalonde.

[Translation]

Ms. Francine Lalonde: Yes, I certainly would like to comment.

Thank you for your presentations. You are experts in this field and you represent companies in a constantly evolving sector of the economy. I'm sure you can understand why a member, particularly one from Quebec, may be somewhat concerned by your comments.

I'd like to speak directly to the representatives of ITAC. In your fact sheet, which hasn't been translated into French, you argue that there is a need for uniform legislation in Canada. As you undoubtedly know, Quebec enacted privacy legislation which extends to the private sector back in 1994. My colleague Jaffer referred to Europe where requirements are much more stringent. He could also have mentioned Quebec because its legislation is more in keeping with European tradition, in that we believe protecting personal information is a cultural issue. Moreover, that's what Mr. Cleghorn states at the beginning of his paper on personal information. If you were the Quebec government, or someone in Quebec who had been involved in the drafting of this legislation and had helped to... I'm sorry, but we seem to be having problems with the interpretation.

Therefore, I'm somewhat concerned to hear you talk about the need for uniform legislation.

• 1005

At the outset, we in Quebec thought the federal legislation would draw its inspiration from the Quebec initiative. This would have resulted in closely harmonized laws. However, the federal government chose to go off in an entirely different direction, which raises an important question in Quebec. If we go along with your recommendation, are we then saying that Quebec should accept a weakened law? In my view, that wouldn't be right, particularly since the effectiveness of the provisions of Bill C-54 is being called into question quite a bit, not just as they pertain to the protection of personal information in sectors other than electronic commerce, but also, as Mr. Geist and others pointed out, as they pertain to electronic commerce. A number of questions have been raised.

Since this sector is still in its infancy and since there is a risk that the less fortunate or uninitiated could be taken advantage of, shouldn't the legislation take a more preventive approach in terms of setting out obligations for protecting citizens? For instance, Quebec's consumer protection legislation stipulates that consumers have a certain period of time during which they can change their mind after signing a contract. A business contract may be something else, but shouldn't citizens have the benefit of this grace period? Shouldn't there be a box on the agreement that can be checked off, where they are asked: "Do you really want to purchase this item?" or some such thing?

Some people are new to the field of electronic commerce. Not everyone spends ten hours a day on a computer. It's possible that someone could quite inadvertently purchase an item or disclose information and there's nothing that can be done about it. Service is a problem. It's not always easy to contact one's Internet provider, even if that provider goes by the name of Sympatico. This requires time as well as patience. Shouldn't the legislation be more stringent, precisely to protect consumers who are likely to encounter major problems?

[English]

The Chair: Ms. Stephenson.

Ms. Carol Stephenson: Let me start with the ITAC comment that legislation should be as uniform as we can possibly make it. The reality in this country is that over the last hundred years, business has effectively operated in Canada. Quite frankly, sometimes we have to operate a little differently in some places from the way we operate in others. But we have found ways to make that work, and I am absolutely confident that we are going to find a way to make this work, because this business is so important to consumers and businesses. So I have a lot of confidence that ITAC member companies will find ways to make it work.

What we were saying is if we can minimize the amount of differences in legislation across the country, then it helps to make us work more effectively. It helps to make it less likely that someone will make a mistake in one province versus another. So it certainly eases our business transactions. Therefore we would want it to be as similar as it can possibly be, though we recognize that there are companies doing business across Canada and there is different legislation today, and we find ways to make that work.

I'm going to pass it to Wayne, because Wayne is from a company that does business across Canada, and he can probably give you some examples of how his company has had to do this.

Mr. Wayne Scott (Executive Director, Government Operations, Information Technology Association of Canada): Let me start with our approach to a matter such as protecting personal information. We're actually very actively involved in this, not only in Canada but on a global basis right now.

• 1010

What we do is set a norm that is consistent with our values as a company, which we want to use as the baseline for operations wherever we do business. That's globally as well as across provinces. I'll tell you that in terms of personal information, that norm is a pretty high standard for us right now. Having set that norm, we look, jurisdiction by jurisdiction, to understand whether we have any additional obligations, because another founding principle for our operations is that we will always comply with the law.

The situation in Canada right now is that Quebec has legislation that governs our operations, so when we want, from a business point of view, to send personal information outside the country—in fact, outside Quebec—then we're conscious of the consent requirement to do that, and we build that into our business operation. As we implement a uniform standard, we will make sure that gets harmonized across Canada and in fact globally. That's just one example of the kind of thing we're aware of and the kind of practical approach to this that Carol is talking about.

To the extent that the standards we're asked to meet are similar in jurisdictions, it's a benefit to everyone. It's a benefit to us as a business and consequently a benefit to our customers, who have a simpler set of expectations to learn and a simpler standard set of interfaces to deal with. It just works for all parties, companies and individual consumers alike.

Ms. Margo Langford: Could I add to that?

You raised the issue of jurisdiction in a consumer context as well, and some of us are also working with the consumers' groups to try to come up with some guidelines for consumer policies in a harmonized way. It's a complete conundrum for all of us who are trying to deal with it on a variety of different subjects, whether it's taxation or any of the aspects of doing commerce in a global market.

Canada has to be careful to lead and to develop the thought leadership in particular, but not to get too far ahead of everybody else, or we will find ourselves with this very mobile business. And it is. It is so easy for companies to take their business someplace else, and we are constantly threatened by this. Literally, if you make too many regulations and add to the costs, it is very simple to house sites in the United States, Bermuda, or someplace else.

So the challenge from our side is to always have this balancing act between the need to protect people and the need to compete with organizations such as Amazon.com, which is collecting personal information, and people are going to that site in droves because they have personalized service. So to just tell someone in Canada they can't compete—

[Translation]

Ms. Francine Lalonde: Precisely...

[English]

The Chair: Just a second. Professor Geist has a comment before you.

Professor Geist.

Prof. Michael Geist: Thank you.

I have a comment on consumer protection. If anything, Canada is not leading or moving far out ahead on this issue. If anything, we are far behind on this issue. The government, in its framework for electronic commerce, noted that consumer protection was one of the areas of priority and suggested that they would have something prepared by the end of 1998. They still do not have that.

I contrast that with the European Union, which has a directive in place on distance contracts that provides for a cooling off period along the lines you were just suggesting. The Australians have produced a proposal for consumer protection that calls for a triple-click, with the knowledge that it's very easy to click a button once and suddenly you've consented to something that you may not have meant to consent to. Their proposal is that you actually have to ask three times, to ensure that you are fully aware of what you are consenting to.

So with all due respect, if anything, Canada has some catching up to do with other jurisdictions on the issue of consumer protection.

The Chair: Madame Lalonde, your last question, please.

[Translation]

Ms. Francine Lalonde: First of all, I have a brief comment to make. These same concerns were voiced in Quebec prior to 1994, back when the government decided to proceed. I recall that the Parti Québécois supported the federal Liberal government on this issue at the time. The many fears voiced at the time never materialized. If some companies had relocated because of the privacy legislation, we would have heard about it.

You are all informed persons and no doubt you know that the UN task force on electronic commerce, as I recall, spoke out several weeks ago about expressions like "electronic signature" and "secure electronic signature" which were defined in legislation. Its view was that such definitions should be avoided because

[English]

inappropriate in the light of the diversity of the concept of “signature” in the different legal traditions.

[Translation]

This would also hold true in Canada. Have you heard anything about this? Since you have indicated that you support Part 2 of the bill, I'd be interested in hearing your views on this subject, particularly since the definition of "secure electronic signature" refers us back to section 41 which in turn refers us to the schedules and regulations which we don't have.

• 1015

[English]

Mr. Wayne Scott: Our focus this morning has of course been on the privacy aspect of Bill C-54, as you've heard. In terms of digital signatures, we've expressed our support for part 2 of the bill in enabling the same kinds of transactions electronically that we're all used to on a paper basis.

We are involved, both as an organization, ITAC, with our sister organizations in other countries, and as individual companies, in the global discussion to ensure that standards supporting electronically based business transactions are in fact uniform and will work across country boundaries. We are aware of the work sponsored by the United Nations. That's only one group that's working on this.

Our goal collectively, working with private sector organizations and governments around the world, is to work towards an environment in which we can with confidence exchange documents, make commitments, and know that we have in fact transacted something that works.

The Chair: Thank you.

Ms. Langford.

Ms. Margo Langford: Moving a web site is an insignificant activity. It's a question of where they choose to host the site. The business doesn't have to move. There are many Ottawa companies, for instance, that already host their site in some other country, primarily the United States. That's an important part of the ISP business that we don't want to lose.

That's the perspective we're taking: we can't make it so costly. Having different legislation in different jurisdictions adds to the administrative burden. That was just a cautionary note. It does in fact already happen that companies are choosing not to host their sites in Canada. They can still ship from Canada, they can still have their business in Canada, but they have their web site in another country. Therefore the money involved in hosting that site, in staffing that site, and in the telecommunications costs of that site is going to another country.

The Chair: Thank you, Ms. Langford.

Thank you, Madame Lalonde.

Mr. Lastewka, please.

Mr. Walt Lastewka (St. Catharines, Lib.): Thank you, Madam Chair. I just have a few questions.

First, to the ITAC group, in your second suggestion, you requested that there be a minimum period of time to correct a situation. You yourself reported that this would probably happen because it was just a practicality and so forth, but you're almost suggesting that we want to identify a complaint and give a company time to change, rather than assisting the commissioner.

I use the example of receiving three or four complaints about a company. In your case, we'd have to give 45 days or a time limit all the time. The commissioner couldn't go in and say, “That's enough. I'm not going to give the time, because that company is not responsible.” And you and I know there are companies that will take that route.

Ms. Carol Stephenson: We're really trying to take a practical approach here, so we're talking about maybe 30 days. Who knows the number of complaints? But we expect that a customer should go to a company first. Perhaps a mistake has been made.

If it's intentional, though, and there are repeated examples of the kind you gave, where a company is clearly not following the rules and there are repeated mistakes and a file is building up on that company, then by all means, I see no problem with the Privacy Commissioner taking action quickly.

What we were really talking about was that you might get the odd complaint, so just give some practical time for a company to respond and investigate. Certainly we weren't suggesting that we wouldn't work with the Privacy Commissioner. We're just trying to be a little bit practical in our approach to a complaint.

• 1020

Mr. Walt Lastewka: But when the commissioner was here, the commissioner expressed that in the legislation, the first step is to have the complainant deal with the company.

Ms. Carol Stephenson: We agree with that.

Mr. Walt Lastewka: Right. Therefore the complaint would never get to the commissioner.

Ms. Carol Stephenson: Is it in the legislation clearly?

Mr. Walt Lastewka: It's implied that way to me.

Ms. Carol Stephenson: Then we're in violent agreement on that point.

Mr. Walt Lastewka: Okay, I understand.

The Chair: Ms. Garcia has a comment.

Ms. Julie Garcia: I just want to give a perspective on the number of privacy complaints. My company has been in business in Canada since November 1995, and since that time we have not had one single privacy complaint. That's just to give some perspective on the volume.

Obviously when there is a problem, it gets a lot of publicity. There have been maybe two or three cases in the United States that have gotten a lot of publicity. I know of at least two or three in Canada over the past few years that have gotten a lot of publicity, but I would say those two or three are probably two or three out of maybe a dozen. That's just to give a little perspective on the size of the problem.

The Chair: Ms. Langford, you guys are going to have to decide which one wants to answer. I can't allow you both to answer every question, because we're running out of time.

Ms. Margo Langford: I was just going to give an example of what we thought we would do in a practical sense, which was to create an on-line system where complaints could go more efficiently. The telecom foundation does this now for all kinds of complaints, including consumer complaints. If we could have the opportunity to resolve it at that level, that seems to be working in the telecom world. Then if it doesn't work there, it goes to the commissioner, who clearly is going to have a variety of different kinds of privacy complaints from all sectors.

Mr. Walt Lastewka: My next question will be to Ms. Langford and Ms. Garcia.

I have a little problem with previously collected information. If that information was collected without consent, you seem to be saying it should be deemed to have been provided with consent. I realize you're talking about millions of people, but isn't the concern of millions of people also that maybe their privacy has been affected and somehow that should be corrected?

I'd like the professor to also answer.

Ms. Julie Garcia: I have a few points to make on that.

If this legislation is enacted, the millions of people, and certainly the Canadians who are affected, will know it is in existence and will understand. At that point, going forward, companies will have to provide that kind of disclosure and access and the ability to choose whether or not to have their information used. A little bit of education would go a very long way for the previously existing users, and they would certainly all have the opportunity, as they do on many ISPs, including ours right now, to say, “I don't want to receive any mailings. Don't use my information. Take me off your list.” So a little bit of education would take care of the information that was previously collected.

Also, as a legal matter, information was collected during a time when this law did not apply, and to apply the law retroactively just places an incredible, unfair burden on companies that were acting lawfully at the time they collected information.

Prof. Michael Geist: It's my view that it would be unfortunate if information that had been collected, in some instances unfairly, without actual consent or consent with full knowledge, were then able to be used by ISPs under the guise that it was collected at that time in a legal fashion. Certainly it's the position of Internet service providers that they have no intention of using any information they obtain on a go-forward basis. I don't see any reason they can't at that same time inform people that they have no intention of using information that has been previously collected and make that very clear to them at that point in time.

Mr. Walt Lastewka: My only other question is this. I wasn't quite clear on your retention-disposal guidelines. I heard you say information is collected and then drops off. I wasn't sure if you said that happens over time. Could you explain that again?

Ms. Julie Garcia: Yes. It would be a little bit different for each ISP, depending on their technical capacity and their service space, but at my company, for example, in different countries we bill in different ways.

• 1025

In Canada we have packages where people will get a certain number of hours for a certain price and then they will pay an hourly fee for using the service beyond that number of hours. So for billing purposes, we have to know how many hours they've used the service. That information is collected and generated automatically, and a bill is generated for that individual.

No one in my company ever looks at that information and says, “Oh, Margo Langford was on for seven hours, and she went to the Catholicism forum. We know where she's been and what she's been doing.” That information exists on the databases because we need it to bill her, but it's not personally identifiable in that we don't have a dossier on her; no employee of my company could go and find that information and see where she's been.

Then, after a course of time—it might be a matter of 30 days; it might be a few months—that information just gets bumped off the server, because new information about her new usage and other people's new usage comes on. Just by date, the older information gets erased as the new information replaces it.

It would be different depending on functionality and depending on company. For example, e-mail will stay on your system for three days. We have probably 28 million e-mail messages transiting our system every day, and we can't store them all. So if you don't look at it over a period of a couple of days and save it on your hard drive, it's going to disappear off our server, because there's just not enough space to keep it there. It's the same with all information.

Mr. Walt Lastewka: Well, you just scared me with what you just said.

Ms. Julie Garcia: I didn't mean to.

Mr. Walt Lastewka: If I'm a company that works on the edge, right against the wall, or maybe a foot over the wall, I have all that information. That's the problem we're trying to overcome.

Legislation is never put through for good corporate citizens and effective companies, such as the one I used to work for. It's the 5% or 10% or 20%, depending on what sector, that causes all the problems. So how do you come up with legislation in order to cover that? That's the balance we're trying to achieve.

Ms. Julie Garcia: I certainly didn't mean to scare you. I actually meant to ease your mind, so perhaps I didn't explain myself as well as I should have.

I agree with you that legislation and laws should target the wrongdoers. The difficulty that the ISP industry is having in Canada and around the world is that rather than being the wrongdoer, in most cases we are the easy target. We're the easy target for the music industry; we're the easy target for copyright infringement. We're not the wrongdoer. We're like the telephone system, but everyone looks at us and wants us to solve the problem. So as I said, I'm agreeing with you that I want a law that addresses the wrongdoing.

I wish I had an answer for you. I would love and our industry would love to work with you to make sure that is the kind of law that does get enacted. It just will be very unfortunate if the entire industry gets caught up with expensive and onerous regulation when the entire industry either is not the wrongdoer or has nothing to do with the wrong being committed; it just happens to be able to stop it, if you understand what I'm saying.

Mr. Walt Lastewka: And life goes on.

Ms. Julie Garcia: For example, the phone company doesn't make the bad calls; it just...

The Chair: Thank you, Mr. Lastewka.

Before we move on, I just want to clarify something. Ms. Garcia, you said that for an Internet user, you know which sites they've been to. I don't really understand the reason for that. I pay for my Internet use based on the time I'm there, so I'm either on or off the Internet. Why do you need to keep or store the information of where I've been, and why do you do that?

Ms. Julie Garcia: We don't.

The Chair: You just told me you could tell me that I spent seven hours on the Catholicism site, which I find very offensive. I don't understand a need for that, because I pay based on the time I'm on, not where I go.

Ms. Julie Garcia: Right, and obviously I either misspoke or have been misunderstood. We do not keep track of where people go on the Internet, and we can't. As far as I know, there's no technological ability.

AOL has a proprietary on-line service as well as providing access to the Internet. We do not keep track of where people go on our proprietary on-line service. It is possible to do that, because it is all within our proprietary network. Once somebody goes out to the Internet, you're exactly right, we don't care where they go and we don't want to know where they go. We don't charge them for it. It's not us; it's not our proprietary service.

• 1030

In terms of where people go on-line, what I intended to say is it is possible to know that, but we do not keep track of that and it is not something that any employee anywhere in my organization would be able to find out about Margo. I was giving that as an example of what we do not do.

Ms. Margo Langford: If you look at our policy, you'll see that's called click-stream data, and we don't want to keep click-stream data, nor do we want to have to be able to provide it to the individual user asking, “Can I see where I was?”

Ms. Julie Garcia: Right.

The Chair: But you say it is possible to know that, so why can you not stop it from being possible to know that? With all the things we can do with technology, with this Intel P-III chip that we can turn on and turn off, you should be able to stop that from even being possible. I find it very offensive, to be perfectly honest, that you have the ability to do this without my permission.

I also have some difficulties with negative-option billing, which Professor Geist addressed. I have tremendous problems with that, as a consumer and as an individual, and I have heard nothing from any of you that tells me why it's a great thing. I have tremendous difficulty.

I also have concerns, Ms. Garcia, with your comments about the 16 million bits of data that you already have. It's a yes-or-no question. When I come on to use your service again, you can just ask me, “Do we have permission to use your existing data, yes or no?” If I say no, it's a no, and it's not a big deal; it's not a difficult thing, in this day and age and with the technology we have. So I disagree with you that there's anything onerous here in asking for consent.

But I have real difficulty with the code itself, as Professor Geist pointed out, which has negative-option billing. I have real difficulties with it. So there are some real problems that we have to resolve still.

Mr. Jaffer.

Mr. Rahim Jaffer: Yes, there are problems to follow up on, Madame Chair, but one of the things that we have a habit of doing in this country is, when there is a successful industry that hasn't been meddled with by government, we like to regulate and tax the hell out of it. I don't know why.

Professor Geist was saying Canada has a lot of catching up to do when it comes to other countries. Again, as I said, I support this legislation, but when I look at some of the figures coming out of this industry, with very little government interference currently, I see that close to $100 billion worth of business is being done on the Internet. There's obviously some sense of security for people doing business on the Internet currently, and many of the companies are obviously doing a decent job in providing those services right now.

I would like anyone to respond to my question, which is this: What are the potential costs to the industry? This is a growing industry, and I don't think it's tapped into its growth at all yet. A lot is still going to happen. If some of the restrictions you've mentioned become quite heavy-handed and aren't flexible, what could be the potential effects on the industry right across the board?

Ms. Margo Langford: I'll take that question.

There are so many different effects. As Julie said, ISPs right now are seen as the gatekeepers, so we have to balance also the interests of law enforcement and the tax department, who want us to keep these logs and want us to be able to find out where people went. There are these challenges to balance all over the place. People want us to pay for piracy on the Internet. Right now we have a proceeding before the Copyright Board, which is asking for 3.2% of our gross revenues, because there's pirated music on the Internet. Again, if they're successful and if everyone is successful...

In France right now there's a proposed bill to make ISPs keep their logs and the click-stream data for three years so that the police can get access to it.

Mr. Rahim Jaffer: So for instance, some of the information that our chair was asking about, in fact you're forced to keep it because of government regulation.

Ms. Margo Langford: We haven't so far been, but everyone is seeing us as the gatekeepers. In the same way that people go to the telephone company logs for illegal activity, they're looking at the opportunity for us to be a Revenue Canada tax collector kind of record of what kind of business people are doing and keeping electronic commerce transactions and so forth.

The challenge of regulation comes at us from about a hundred different departments right now. Even trying to manage the number of policy issues that have to be developed at the same time is a cost burden to our industry. We're also trying to manage the telecommunications side and the regulation there, which is not yet perfect in terms of getting access for ISPs. We're fighting on at least fifty different files right now.

• 1035

So even the cost of trying to sort out the problems is extensive, but you can imagine that if everybody did get their piece of the pie along the way... There are 13 rights collectives. If everybody got 3.2%, there wouldn't be too much left over.

All of our commissions—the Human Rights Commission and so forth—have proven to have lengthy and expensive proceedings. So we're just concerned that having to maybe match to a privacy commissioner in every province, for instance, would be untenable in the context of this particular hearing.

The Chair: Ms. Stephenson.

Ms. Carol Stephenson: I'd like to elevate it a little bit. I know we're talking about privacy at this committee, but the issue you're really raising is e-commerce and whether Canada can be a leader in e-commerce globally.

I'd also like to address the leadership issue, and I go back to the October OECD ministerial. I would say, including people from Europe and from the U.S., they were very impressed with the leadership Canada has shown in developing e-commerce.

I also am very impressed and I do applaud government, because they have taken a very balanced approach, one that lets e-commerce flourish, lets us take a leadership approach, and also doesn't make it so restrictive that business will just pick up—and as you say, it wouldn't physically pick up; it would electronically pick up—and go elsewhere.

The position on taxation has been commendable. We are showing that we are the model in Canada for those around the world.

So I take exception to the comment that we are not leaders. Everything I'm hearing from my global contacts is that we are leading, and I would just hate to see Canada lose its leadership position, because it's such a growth industry and a lot of us depend upon it in Canada.

The Chair: Dr. Geist.

Prof. Michael Geist: Just to return to the issue of Bill C-54, which is one of privacy and the cost of the privacy legislation, it's my view that the cost of not having this sort of legislation is far greater than the cost of the legislation itself.

Look at the fact that e-commerce, particularly at a consumer level, while growing, is still quite insignificant in the overall scheme of things. In order for e-commerce to grow to the ubiquitous level that the companies involved in the area would like it to be at, consumers need to know their privacy is being protected. They say it again and again in policies.

Frankly, I'm frequently surprised when I see the opposition, in the United States in particular, where they argue quite strongly for self-regulation. It seems to me that having no regulation is going to cost them far more than the regulation that's on the table here and that would be in place in other jurisdictions.

Mr. Rahim Jaffer: Again, I agree with you and I agree with this framework, but surely you agree there needs to be flexibility to some extent. You can't impose restrictions on many of these companies that have pioneered a lot of this technology and have pushed it forward. There has to be a balance. Otherwise both sides lose.

Prof. Michael Geist: Oh, without question. My fellow panellists started raising issues about copyright, and there are issues about defamation and issues about taxation. There are all sorts of issues, and certainly a balance will need to be struck in each one of those. I'm concerned today with the balance that's being struck on privacy.

The Chair: Thank you.

Thank you, Mr. Jaffer.

Mr. Shepherd, please.

Mr. Alex Shepherd: Ms. Langford, you mentioned Revenue Canada, and I'd like to zero in on that. What are they asking you to do?

Ms. Margo Langford: Right now they're in an investigation stage of what we can collect and how long things can be kept and whether or not they are entitled by law. I don't know if they're entitled to access to those logs, but they are certainly asking questions about what is kept and for how long, in the same way that the justice department is asking to try to coordinate internationally on police initiatives.

So in the context of this legislation, again, it's that kind of balancing act between not collecting data and being forced to collect data through other pieces of legislation, potentially.

Mr. Alex Shepherd: I presume this hasn't developed this far, but presumably they could simply go to you and say, “Look, I know Mr. Shepherd, and I know his e-mail address. Would you give us his records, or let our forensic people go in and view those records and see what transactions he's been doing over the Internet?” Is that what they're saying to you?

Ms. Margo Langford: ISPs right now have taken the approach that you need a court order in order to be able to access anybody's records on anything. So if the taxation department were able to get a court order, it wouldn't stand in good stead for the ISP to refuse.

Mr. Alex Shepherd: But that flies in the face of your original comment that the information is unreadable. You said the stuff you have is unreadable.

• 1040

Ms. Margo Langford: And that's part of our challenge: to explain to them what we keep that can be isolated, versus what is kept and flushed.

Mr. Alex Shepherd: Are they asking you to make it readable?

Ms. Margo Langford: I hope the exercise is going to be one of educating them that to do so would cost...

For instance, in France, where they are thinking about making them keep it for three years, that would put ISPs out of business in France. Quite simply, they couldn't store that much data for that long. So we're trying to work with the authorities on the realistic principle that if you make us do that, you will actually drive the business out of Canada, because we can't possibly afford to keep the click-stream data, for instance, if that's what they're demanding.

Mr. Alex Shepherd: But that flies in the face of the legislation we're talking about right here.

Ms. Margo Langford: Sure it does.

Mr. Alex Shepherd: So if this legislation is passed, we're saying Revenue Canada should not have the access to it.

Ms. Margo Langford: But whose legislation will prevail? Do the police have the right to go and get a search warrant and come in, even if there is this legislation?

Mr. Alex Shepherd: So we need exempting provisions under this act.

Ms. Margo Langford: Yes. And as to whether the Income Tax Act gives them the right to get a court order, I am not sure.

Mr. Alex Shepherd: Professor, you made a comment in the press. You said the law is too narrowly constructed to target this fast-moving and broad technology. Do you have proposed amendments to make to this?

Prof. Michael Geist: To the bill itself?

Mr. Alex Shepherd: Yes. You talked about consent.

Prof. Michael Geist: Yes. Consent would be the first order of business.

Mr. Alex Shepherd: Do you have any amendments that would achieve those goals?

Prof. Michael Geist: I'd like to see the negative-option check-box removed as a method of consent. I'd like to see implied consent either removed completely or limited to very specific situations. So I would like to see, particularly on consent, that it is truly informed consent in every instance. There's no reason that someone should not have the opportunity to properly consent to the use of their private data.

Mr. Alex Shepherd: Thank you.

The Chair: Thank you, Mr. Shepherd.

Madame Lalonde, please, briefly.

[Translation]

Ms. Francine Lalonde: I've heard the argument about the need to balance the various interests several times. In my view, the scales are tipped largely in favour of business and citizens are left mostly to fend for themselves. I took part—and I'd like to thank the minister for the opportunity—in the conference on electronic commerce and I was impressed by the Europeans' stand, in particular the position of the French minister. He argued that companies should enact their own regulations and the government, or state, should be on the side of citizens. If businesses don't go far enough, if they disregard their own regulations or fail to enact any at all, then the state must be on the side of the public. The rights of citizens must be clearly established and the recourse available to them must also be clear.

Apparently, you have some concerns about the powers granted to the commissioner under Bill C-54. What happens in reality is that citizens must first take up their case with the company and then ask the commissioner to investigate and make a recommendation. Subsequently, if the citizen's complaint has not been resolved to his satisfaction and he still wants to pursue the matter—often the remedy sought is not enough to warrant lengthy delays—then he must take his case to court. Do you really think this bill is well-balanced?

[English]

Ms. Carol Stephenson: I just want to make it clear that we do support the powers of the Privacy Commissioner, so in no way was I trying to suggest, by putting a small timeframe there... We were trying actually to make it more efficient, but it's not a big deal.

Quite frankly, we are very much supporting the powers of the Privacy Commissioner. We very much support the bill. We think that some regulation and some legislation is positive. So I agree.

The question is, how far do you go in making sure we do have this balance, as you call it? Quite frankly, my experience, if I go back to the telephone business and your earlier point, is that the scam artists very quickly go out of business. We're all smart enough in business to know that if we don't have consumer trust and we don't have consumers wanting to use our system, we're toast. So it's very much on our minds to make sure our customers are properly treated, as customers should be.

The Chair: Ms. Garcia.

Ms. Julie Garcia: I'm just agreeing.

The Chair: Okay.

Madame Lalonde, do you have a further question?

• 1045

[Translation]

Ms. Francine Lalonde: I'd like to put the same question to you again about Quebec. Do you think Quebec should agree to weakened legislation for the sake of harmonized legislation elsewhere in Canada?

[English]

The Chair: Ms. Garcia.

Ms. Julie Garcia: I'll address that in terms of e-commerce rather than in terms of all consumer protection laws, because that's really the area I'm familiar with. I would say if the federal government and the members here decide this is the way to protect Canadians' privacy and that these are the standards to use in terms of electronic commerce, then I would like to see those be uniform. So I guess bluntly, the answer would be yes, Quebec should come in line.

Electronic commerce is unique, because of the transborder flow of information and services. To walk into a Chapters bookstore and buy a book in Quebec or in Toronto and have different laws apply is very different from going on-line to the Chapters web site. Should different laws apply if I have ordered the book over the web as opposed to walking into the bookstore?

[Translation]

Ms. Francine Lalonde: We have already anticipated situations like this in Quebec.

[English]

The Chair: Professor Geist.

Prof. Michael Geist: Thank you.

With due respect, I absolutely disagree. It's far preferable to see a race to the top as opposed to a race to the bottom. The idea that we'd come up with some standard that, at a minimum, meets some lower threshold and everybody must reach that level flies in the face of what this is all about. The European Union privacy directive sets minimum standards and then allows countries to exceed those standards if they see it necessary. I don't see any reason we wouldn't want to have the same thing in Canada.

The Chair: We'll have the last comment from Ms. Stephenson.

Ms. Carol Stephenson: We do want them to be as close as possible, but I can assure you that the businesses we deal with are going to respect the legislation wherever we do business.

[Translation]

Ms. Francine Lalonde: Thank you.

[English]

The Chair: Thank you very much.

[Translation]

Ms. Francine Lalonde: The provisions of the federal legislation could therefore be more stringent.

[English]

The Chair: Thank you very much, Madame Lalonde.

I just want to clarify something with Professor Geist before we end the meeting.

Mr. Shepherd asked you about possible amendments. Is it your opinion that we could amend division 1 to solve your concerns? The schedule with the code contains your concerns. Could it be done through amendments in division 1?

Prof. Michael Geist: It would make an already complicated bill even more complicated, which would pose a problem.

Frankly, I have a problem with attaching the CSA code as a schedule, as opposed to having tried to draft the provisions contained within the CSA code into the legislation itself. I understand the desire to use the CSA code as the basis for the legislation, but I just don't understand why it wasn't seen fit to try to use those principles as a starting point and create legislation that meets the needs of Canadians. In some instances, the CSA code, which is, as you are aware, a compromise document, may not meet the needs of Canadians.

The Chair: Okay. Thank you.

I want to thank all of you for being with us and for braving the weather this morning to get here. I want to commend all our witnesses for arriving on time. I also am glad committee members got here as quickly as they could. We appreciate that. We appreciate all your comments and your presentations, and we want to thank you. We'll let you know what we do.

The meeting is adjourned.