INDY Committee Meeting

STANDING COMMITTEE ON INDUSTRY

COMITÉ PERMANENT DE L'INDUSTRIE

EVIDENCE

[Recorded by Electronic Apparatus]

Tuesday, March 9, 1999

• 1531

[English]

The Chair (Ms. Susan Whelan (Essex, Lib.)): I would like to call this meeting to order.

Pursuant to an order of reference of the House dated Tuesday, November 3, 1998, we now have consideration of Bill C-54, an act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.

We have two sets of witnesses today. First, we have TELUS Corporation from 3.30 p.m. to 4.30 p.m., and then at 4.30 p.m. we'll have Bell Canada. We have with us Ms. Lorna Higdon-Norrie, the vice-president, public policy and government affairs, and Mr. Makaryshyn, senior advisor, industry policy. I'm not sure who will be doing the opening statements, so I'll turn it over to you.

[Translation]

Ms. Lorne Higdon-Norrie (Vice President, Public Policy and Government Affairs, BCT.TELUS): I would first like to thank you, Madam Chair, for this opportunity to take part in the hearings of the Industry Committee on the consultation process with respect to Bill C-54.

[English]

Thank you very much for this opportunity to appear before the committee. My name is Lorna Higdon-Norrie and my title has actually changed since the merger. I am now vice-president of government and community affairs for BCT.TELUS, and I have with me our senior adviser of industry policy, John Makaryshyn. It is my sincere hope that John will be able to address any technical questions the committee may have.

[Translation]

Formed recently following a merger between TELUS and BC Telecom, BCT.TELUS is the second largest telecommunications company in Canada..

[English]

Through wholly owned subsidiaries and joint ventures, we employ 25,000 Canadians and manage assets of nearly $9 billion. BCT.TELUS companies provide voice data, visual communications, information and advertizing services.

We welcome this opportunity to comment on the draft legislation. We believe that Bill C-54 is an important and much needed legislative initiative in order to build trust and confidence in the digital marketplace and to protect the privacy rights of Canadians. It's absolutely critical to have a clear federal legislative privacy framework within Canada to promote the growth of electronic commerce and to provide the level of privacy protection that Canadians seek. Bill C-54, in our view, provides a balanced and consistent framework for privacy protection in Canada.

The bill is based on the Canadian Standards Association model code for the protection of personal information, and we think it's an excellent model for federal framework privacy legislation. The CSA standard recognizes individual rights to control and limit personal information use. It reflects the legitimate needs of companies to use information for business purposes and establishes obligations for companies to be accountable, to obtain informed consent, to safeguard personal information and to make policies and practices transparent to individuals.

We therefore applaud the government for introducing Bill C-54, and with the few specific amendments that we're proposing to you, we fully recommend its passage.

Before I make some specific suggestions in areas of improvement to this important initiative, I would like to briefly highlight some of the initiatives that BCT.TELUS companies have undertaken to address the privacy issues that we're all concerned about. I would also like to briefly share with the committee some of the perspectives of our customers, based on what we've learned from conducting customer focus groups. As you know, electronic commerce is growing at an enormous rate, and in response to new technologies and new ways to collect, use and disseminate information, issues related to privacy, security and consumer protection have emerged.

• 1535

We think that in order to succeed in the marketplace, Canadian businesses must be attuned to the new privacy-related issues that new technologies have caused to arise. Business relationships, in particular those on the Internet, are made successful by establishing trust. Personalized interaction becomes possible through the implementation of comprehensive privacy codes and technology solutions that inspire customer confidence.

BCT.TELUS is very active in addressing these policy issues that are of concern to Canadians. We understand the need for security and protecting consumer information and privacy rights, and I believe we've demonstrated our commitment to privacy.

As a responsible corporate citizen, we believe it is good policy to protect the personal information of consumers and employee data. Customers value protection and make a choice to deal with service providers that respect their privacy. I think that's a very important point. Especially in today's high-tech world is this especially true.

Privacy issues are very important from our customers' perspective as well. We have conducted customer focus group sessions to find out what our customers have to say about privacy and about the CSA standard in particular, which is what we were considering at the time.

One key message we received from our customers when we conducted these sessions is that they did, at the time, want us to adopt a privacy code that is based on the CSA standard. In exercising choice, customers choose to deal with companies that have adopted a privacy code and they view the CSA standard as a very important standard to safeguard their rights. We have worked hard with other industry members to produce the Stentor privacy code and we intend to fully implement that code through the BCT.TELUS group of companies.

In the package that we've brought along today we've included copies of the BCT.TELUS privacy code and information on the electronic commerce services we offer, which enhance both privacy and data security. Furthermore, our corporate web sites contain very clear statements about the company's privacy practices.

Adoption of a privacy code demonstrates to both residential and business consumers that we are responding to the growing public concerns about the privacy of information. The 10 principles in the CSA standard represent a balanced and comprehensive set of information management principles and practices to govern the use, collection and disclosure of personal information. Our customers have told us that they understand and see value in a corporate privacy policy that is based on this standard.

Another important message our customers told us is that they are comfortable with our sharing information within our corporate family so that we can offer them a full range of communication services. The ability to freely share information within an organization is critical to serving customer needs. Our customers know this and demand that we serve them to the best of our ability.

It is as a Canadian communications company that has been and will continue to be active in addressing the privacy rights of its customers and employees that we're pleased to come before you today to offer our support for this draft legislation. In particular, BCT.TELUS supports the adoption in Bill C-54 of the CSA standard as the benchmark for protecting privacy rights in the private sector.

We've carefully reviewed the draft legislation and I would now like to offer for your consideration a few specific comments on what in our view would help improve the draft legislation to ensure that it meets the interests of Canadians and Canadian businesses.

There are two areas of the draft legislation I will comment on. The first area relates to the powers of the privacy commissioner. The second area relates to some housekeeping amendments to the bill to recognize the concept and use of publicly available information and to ensure that the bill does not create barriers to internal corporate information transfers.

• 1540

With respect to the powers of the privacy commissioner as set out in Bill C-54, we seek two specific amendments.

The first amendment we seek in this area relates to the power of the privacy commissioner to conduct audits over alleged violations of recommended business practices, as set out in schedule 1 of the bill. Subclause 5(2) of Bill C-54 states that the word “should”, when used in the schedule that contains the CSA standard, indicates a recommendation and does not impose an obligation on a corporation. In our view, corporate audits should be reserved for situations where there are reasonable grounds to believe that a violation of the law has taken place, but shouldn't go beyond that to cover disputes over recommended business practices. In our view, audits are intrusive, and they place an administrative burden on the business operations of companies. The audit power should therefore be used judiciously to cover alleged violations of mandatory obligations set out in the bill, but should not be expanded to permit a micromanagement of recommended business practices.

For example, clause 4.7.3 in schedule 1 states that:

The methods of protection should include

(a) physical measures, for example, locked filing cabinets and restricted access to offices;

(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and

(c) technological measures, for example, the use of passwords and encryption.

Clause 4.7.2 states that “More sensitive information should be safeguarded by a higher level of protection.”

The exact procedures that are used to comply with these business practices will vary probably a great deal, depending on a number of factors such as the nature of the business, the type of information in question, the adequacy of existing procedures, etc. These are very useful recommended practices that will help guide Canadian companies in complying with the law, but in our view the audit power should not deal with recommended practices.

Let me be absolutely clear. We regard it as very important to ensure that proper business practices are being followed. However, the privacy commissioner already has the tools needed to ensure that these business practices are being followed in other sections of the draft legislation. Clause 11 allows an individual to file a complaint if the individual feels that an organization is contravening the legislation or not following a recommended business practice. Additionally, under clause 12, the commissioner has the power to investigate all such complaints, including complaints that an organization is not following a recommended business practice. And the privacy commissioner has the power to work to resolve any such issue.

Therefore our specific recommendation in this area is to amend the audit section, specifically subclause 18(1), to delete the words “or is not following a recommendation set out in Schedule 1”.

The second area relates to a concern we have about ensuring due process, specifically whether there should be a requirement to obtain prior court approval before the privacy commissioner—

The Chair: Could I ask you to summarize the rest of your brief? The clerk had advised everyone there was a five-minute time limit to present, and anyone who wanted a longer brief should have submitted it in advance. So I would ask you to summarize the rest.

Ms. Lorna Higdon-Norrie: I'm sorry, we must have miscommunicated. I was working to 10 to 12 minutes. I certainly will. I'll try to summarize very quickly.

The second substantive area regarding the powers of the privacy commissioner is our concern about whether or not in fact an exercise of due process should be followed before the privacy commissioner exercises his search and seizure powers. Right now the commissioner's discretion to enter an organization's premises is not subject to any prior judicial authorization. It is quite a strong power, and we would like to discuss further with the committee whether or not there shouldn't be a requirement for the privacy commissioner to obtain a warrant before conducting a search and seizure.

I'll go very quickly through the two housekeeping amendments we wanted to mention, because in fact the federal government's amendments that were tabled last week have addressed both of the ones we had a concern about. They were on the use of publicly available information and the internal use of information, and we fully support those measures as they were tabled.

I apologize for having gone over time with the opening remarks. Let me emphasize that we see Bill C-54 as an integral part of a sound electronic commerce framework, and we do urge its passage with those recommendations.

• 1545

The Chair: Thank you very much. I apologize. I know there are going to be several questions and we only have a limited time for questions as it stands.

Mr. Jaffer.

Mr. Rahim Jaffer (Edmonton—Strathcona, Ref.): Thank you. I have a couple of questions here. I'm going to try to figure out which ones are the best, given the time restrictions we're under.

I would like to make a comment on behalf of TELUS. Thank you for being here today and thanks for your recommendations. I think you've brought up a very serious issue with the power of the privacy commissioner, and I think we've overlooked that to some extent.

My colleague and I on this committee have asked previous privacy commissioners whether under the CSA standard there has been empirical evidence of complaints of privacy violations that they could bring to the floor. We haven't really been provided with this information, or it's not very plausible yet. There doesn't seem to be any justification that there have been many violations of privacy. The only one that was brought up was last Thursday by the person representing AOL, who said she was aware of one complaint under the CSA standard currently.

My question is this. We're all in favour of this legislation on this committee, and I think obviously you've stated that you are as well, but with regard to privacy—

Ms. Francine Lalonde (Mercier, BQ): [Editor's Note: Inaudible]

Mr. Rahim Jaffer: I guess my colleague from the Bloc says not the Bloc. Is there really a need for this legislation if the current CSA code is obviously meeting the requirements of most people when it comes to privacy intrusions?

Ms. Lorna Higdon-Norrie: I think there is. In fact I believe that as an industry we're probably pretty convinced areas. Companies like our own, very large companies who have substantial resources and are handling a great deal of sensitive data, have demonstrated our commitment, I think. We've published our codes, and I think that goes a long way toward engendering trust among our customers and our employees. Nonetheless, the world is changing very quickly, and even people dealing with companies like ours will have an added measure of trust, especially in the electronic commerce domain, if there is also a fallback, if there's somewhere for them to go to complain about us.

Even more serious, I think, is that there are a lot of companies who perhaps don't have those resources, who have not quite addressed the sensitivity of these issues to the extent that one would like, and I think a federal legislative framework is helpful, not to say essential, in guiding their practices and giving their customers a place to go.

Mr. Rahim Jaffer: With regard to the powers of the privacy commissioner.... I know, being from Edmonton and dealing with TELUS, they take privacy quite seriously, especially when it comes to dealing with information.

It seems to me one of the concerns you've raised is that if we do keep this portion of the bill the way it is, we're giving a lot of power to an unelected body who could be quite obtrusive, in fact, when businesses are trying to carry out their obligations and their commitments to customers.

First, there is obviously a potential of violating fundamental rights if this section is not amended the way you suggest.

Second, what are the costs to your business that could potentially be associated with a privacy commissioner having the amount of power that you've suggested and we've identified if this clause isn't amended?

Maybe I could address this to John. Since you're a lawyer, you could address that.

Ms. Lorna Higdon-Norrie: I'll speak to it first.

I don't think our recommendations in any way weaken the power that's provided in this bill to the privacy commissioner. We're suggesting, in effect, an element of due process with respect to obtaining a court order because we feel it's fair, it's a standard that's applied elsewhere in legislation. It's difficult for us to contemplate a situation where the privacy commissioner, or anyone else for that matter, has the power to conduct a search and seizure without necessarily having anywhere for us to go to determine whether or not that's fair or warranted in the situation. Obviously, if it is fair and warranted, such a court order is going to be forthcoming. It happens all the time in other commercial investigations, so we don't see that it's going to withhold any power from the privacy commissioner.

• 1550

Obviously, to your question of cost, this is new legislation, this is new terrain for all of us. Who can know? I think there is an express intent to make the bill subject to review after some time. I understand those times are under debate. That may be an issue that's raised at the time, if in fact it's costing the privacy commissioner, the private sector, or individuals more than anybody really intended. I couldn't presume to judge except to say the actual practical costs to a corporation are one thing, and the potential costs to a reputation are another. The potential cost to a corporate reputation from a search and seizure is something we care deeply about.

Mr. Rahim Jaffer: Did you have anything to add to that?

Mr. John Makaryshyn (Senior Adviser, Industry Policy, BCT.TELUS): Thank you.

I would just add it's important to understand that in our proposal we're just talking about the search and seizure powers under either investigation, clause 12, or audit, clause 18. The privacy commissioner has broad powers beyond search and seizure to compel witnesses and documents, administer oaths, or converse with any person in any premises—all without ever going to a court.

But it's at the point where a determination is made to enter a private dwelling, like the offices of an organization, that we believe due process should require not just reasonable grounds but a decision by a neutral and unbiased party who is not also charged with the investigation under the legislation, or proposed legislation.

The Chair: Thank you very much, Mr. Jaffer.

Mr. Lastewka.

Mr. Walt Lastewka (St. Catharines, Lib.): Thank you, Madam Chair.

I'm a little bit surprised about some of your comments, but let me approach it this way. When you talk about the powers of the commissioner and the ability to enter a premise and so forth, we have other inspectors and commissioners who have that power today, whether it be agriculture inspectors or, for the provincial codes, the labour inspectors.

What I heard you say is that you didn't want to have that same type of power given to the commissioner who is concerned about the privacy of Canadians. You want to go through the various procedures before he or she can inspect. Under a privacy item, where it's so important to all Canadians, why would you take that approach?

Ms. Lorna Higdon-Norrie: Let me clarify, first of all. I certainly did not intend to convey that we were suggesting putting roadblocks in front of the commissioner before he investigates or before he exercises the vast majority of the powers that have been given. The only issue we're raising, where we would like to see a further element of due process, is when he is going to exercise a search and seizure power. And that's where a simple court order, an ex parte application—which is usually granted, if circumstances warrant it, very swiftly—is all that we're asking for. We don't feel it would introduce undue delay or an undue impediment.

Mr. Walt Lastewka: I guess I would agree with you. Other commissioners under the privacy acts across the country have similar powers as those we've put into this legislation, and I'm just trying to figure out what the difference is.

Ms. Lorna Higdon-Norrie: I think one important difference is that most of the privacy commissioners across the country are government bodies investigating themselves.

• 1555

When a public sector official is examining documents from elsewhere in the government, I think that's one situation. When you're actually talking about coming into a corporation, a small business or a large business, for a search and seizure of documents, that's another case all together. I don't believe the search and seizure power will be exercised very often by the privacy commissioner; at least, I certainly hope it wouldn't be. I would hope the vast majority of issues could be resolved well in advance of that, and when he appeared before the committee, I think the privacy commissioner seemed to hope so as well.

Given all of the other investigative powers, the powers to consult will all parties and so on, it would seem that it's going to be a very serious situation. There will probably be a lot of complex elements at hand before such a situation arises, so we're asking for due process there.

Mr. Walt Lastewka: Knowing that it would be used very sparingly because of what the privacy commissioner said, and because of what I think the theme of this committee has been on the concerns of privacy, it would be the real abusers who would have to be moved on. What I heard you say is that the real abusers need to go through that due process too, so I guess we can disagree.

The other thing I want to talk about is the definition of collecting information for use in other parts of a corporation. Of course, corporations are getting bigger and bigger all the time now. But if data is collected for a specific purpose in one part of the corporation, in terms of moving that information to another part for something it wasn't intended for, are you saying that should be okay, or that consent should be received again when that information moves?

Ms. Lorna Higdon-Norrie: No, it's our belief that if the information is moving to another part of the company for a use for which it was not originally collected, then express consent should be obtained.

In our situation, I suppose there's an element of definition involved. We would define ourselves as being in the business of providing telecommunications services. If you have a cellular telephone from us, a local telephone from us, an Internet service, a pager and so on, those are all related to the same essential purpose, that being the provision of telecommunications services. Moving back and forth across the company information that is related to all of these seems to be a reasonable interpretation of what should be an allowed flexibility. If, for reasons that would currently elude me—but heaven knows—we decide to go into the vacuum cleaner sales business, that's a different purpose.

Mr. Walt Lastewka: Your example to me was that it was collected for that specific reason. The way it's written today, are you reading that the bill doesn't allow you to do that?

Ms. Lorna Higdon-Norrie: With the amendment the government has put in around the definition of “use”, it would now allow us to transfer the kind of information. But without that amendment, we have some concerns.

Mr. Walt Lastewka: We're all trying to get caught up to the amendments to make sure we understand what is different, what has changed.

Thank you, Madam Chair.

The Chair: Thank you very much, Mr. Lastewka.

[Translation]

Ms. Lalonde please.

Ms. Francine Lalonde: From what I have read in newspapers from Eastern Canada and Quebec, the company's competitors are a little disturbed about the merger of TELUS and BC Telecom. If, as some people suggest you intend to, you decide to do business in Quebec, will you respect Quebec legislation on personal information?

[English]

Ms. Lorna Higdon-Norrie: I think I'll ask Mr. Makaryshyn to speak about the jurisdictional issues that are inherent in your question.

• 1600

Mr. John Makaryshyn: In terms of federal undertakings like telecommunications companies, my understanding is that they're subject to the federal laws. Insofar as there is an application of provincial laws, we're not currently operating within the province of Quebec, but if we were and if the laws were to apply to a particular division or subsidiary, we would definitely comply and would work with the government and the privacy commissioner to comply with those laws.

[Translation]

Ms. Francine Lalonde: If I were to tell you that one of your potential competitors in Quebec, without asking whether it was constitutionally required to do so, agreed to comply with the legislation, would you still give the same answer?

[English]

Ms. Lorna Higdon-Norrie: I would have to say yes, we would. We do respect the federal jurisdiction that extends across telecommunications. A number of our companies currently operate under provincial jurisdiction. As John has said, if there were those that were under Quebec provincial jurisdiction, we would operate within the Quebec legislation.

I also have to point out that we, as well as many other companies, regard the provisions in Bill C-54 as a minimum, not a maximum. To the extent that it is possible to provide even greater privacy protection according to the expectation of customers in a given location, obviously we would respond to the requirements of our customers.

[Translation]

Ms. Francine Lalonde: Thank you.

I would like to talk to you about Part 2 of the Bill and particularly about the definitions of “electronic signature” and “secure electronic signature”. I would like hear your viewpoint, particularly as the definition of “secure electronic signature” refers the reader to a schedule which is not there and to regulations which are not there either.

[English]

Ms. Lorna Higdon-Norrie: I will speak in general about that part of the bill, and then I'll ask John to follow up on the issue of the annexes.

In general, we think the digital signatures piece of the legislation is well grounded. We see no problems with it. It has been drafted in a way that is quite comforting to us. It is technology neutral, and it essentially provides the same protection for individuals in a contract as any other type of contract legislation.

With that, I'll ask John to respond to the issue that you raised.

Mr. John Makaryshyn: Thank you.

We definitely support the part in part 2 and the others in part 5 of the proposed legislation in terms of both the electronic signatures and the secured electronic signatures. We recognize the need for the federal government to require, for certain purposes, something more secure in some cases. We are again thankful that the proposed legislation is technologically neutral, so that a number of different technologies can be used to satisfy the criteria set out in subclause 48(2) for a secured signature. In terms of application for the private sector, my understanding is that this proposed legislation doesn't dictate, for example, the types of signatures that would be used in the private sector. It respects freedom of contract, and it basically deals with the federal government empowering itself to get into the digital age.

[Translation]

Ms. Francine Lalonde: Have you studied the various technologies available for making signatures secure, and could you talk to us about them?

[English]

Ms. Lorna Higdon-Norrie: We could certainly undertake to have some information provided to you by people who are more adept at the technology issues than either of us, but let me again speak about it in general terms.

• 1605

Again, we are very pleased that the Canadian government has seen fit to allow the use of strong encryption technology. This is one of the types of.... As I mentioned in our document,

[Translation]

we have published a brochure on solutions regarding electronic commerce,

[English]

and that may provide you with a bit of an overview of some of the types of technologies we're offering in our company. We're using encryption technology if customers want it for the protection of their data.

There are many different types of secure solutions. Companies can offer one or two or many, depending on the demands of their customers. These will change over time, and that's one of the reasons we're really glad the bill doesn't fall into the trap of getting stuck in today, with what technology is available today. Rather, it sets out some principles for contracted digital authorization going presumably well forward into the future.

The Chair: Last question, Madame Lalonde.

[Translation]

Ms. Francine Lalonde: In your introduction, you said that you want the Bill to be clear to ensure security for consumers. I was therefore expecting you to express some very tough criticism of the legislation. I am far from being the only person to have pointed out that this Bill is based on the CSA code, which is appended and not designed to serve as legislation. It is then interpreted within the body of the legislation, in clause 7, and as a result the position of someone with rights or someone with obligations is far from clear.

[English]

Ms. Lorna Higdon-Norrie: In our one suggestion, I think we are certainly seeking a bit more clarity. Right now, the bill does seem to blur the lines a little between what is required, what is recommended, and what the penalty might be for not adopting a practice that is in fact in the bill. It's simply a recommendation, and that's why we've suggested the amendment that we have.

That matter is an issue. Overall, however, I think it does provide a pretty clear framework. It gets very close to being as close to perfect as a piece of legislation can be, given that we're looking forward to the future in a lot of ways with this piece of legislation. We're not legislating issues of the past.

So imperfections may well arise, but that doesn't mean the bill is fundamentally flawed in the first place. We don't believe it is. We'd like to see a bit more clarity in those areas that we've suggested, but I think it provides a pretty clear framework overall for businesses and for consumers to know what the acceptable level of protection is that they're entitled to.

The Chair: Thank you, and thank you, Madame Lalonde.

Mrs. Barnes, please.

Mrs. Sue Barnes (London West, Lib.): Thank you, Madam Chair.

I think what we're trying to get to here is a place where we can feel happy both in commerce and in privacy, and feel balanced. The hand we're using legislatively is not a heavy-handed criminal law; it's more of a light, flexible approach, with as much possible informality as can be there. It is judicious and limits use of some of the powers the commissioner would have.

Now, I heard my colleague from the Reform Party mention a concern about fundamental rights being violated under this legislation. I'd just like to ask the policy adviser if that's the way he sees it.

Mr. John Makaryshyn: I'm not sure about fundamental rights. If we're talking about warrantless search and seizures—

Mrs. Sue Barnes: That's what we're talking about. That's what he raised.

Mr. John Makaryshyn: Okay. When we're dealing with warrantless searches and seizures, they are prima facie unreasonable. This has been established in a number of cases, including the Supreme Court of Canada case Hunter v. Southam Inc. They are subject to being rebutted. Our proposal is therefore probably for the benefit of not only the party being searched but the commissioner himself. When you're taking the steps to that level, one on which you're looking at going into a private premises, that's a fairly intrusive and serious action within the private sector. Getting an ex parte application—

• 1610

Mrs. Sue Barnes: Maybe I'll just stop you here, because I think that's the problem. There are two exceptions in the bill already written in, where they can't access private dwelling-houses. It's a very explicit exception.

Mr. John Makaryshyn: I understand.

Mrs. Sue Barnes: I would understand your point, because then you'd be into charter issues, but under clauses 12 and 18 we've specifically excluded that. So I would like to see where this argument is going.

Mr. John Makaryshyn: Basically, whether or not the search is reasonable will depend on the circumstances of the case. So I can't say definitively, yes, it's a violation of the charter at this point, or no, it's not, but it would really be fact specific. We're talking not about private dwelling-houses but private sector organizations. It could be a small business in northern Alberta that's running as a sole proprietor. It could be those sorts of situations.

Mrs. Sue Barnes: I think I'd better clarify, Madam Chair, that in clauses 12 and 18 the subclauses specifically exclude private dwelling-houses, and I think that has to be clarified and made very clear.

I'll move on to another point, because I think you're wrong on this point. But I will take your cases, if you like, afterwards. Maybe they can be given to the chair if they're applicable. But let's go on to the cost when we're trying to put in a flexible system, the bureaucratic process that would have to be involved.

Do you see getting the warrants that you're asking for in a non-criminal situation where you're trying to follow agreed-upon standards that industries have accepted and that I think you're a model user of...? We're not saying that. I think you do very well in your industry, as do many of the corporations across the country. I don't see why we would want to move into an area that would have the expensive court proceedings here when we're not talking criminal law, we're not talking litigation, we're talking protection of privacy to a standard that industry has accepted and will be the law. I'm having difficulty understanding the idea of approving and saying you're supportive, but then you want blocks that would be financial blocks. We're talking about limited resources here from both sides, and I think that's the balance too.

Ms. Lorna Higdon-Norrie: May I speak to that?

Mrs. Sue Barnes: Yes.

Ms. Lorna Higdon-Norrie: I hear your concern. If one were to try to lock down this power and introduce maximum restraint on its use, I think there are steps you could take that are substantially further than the one element of process that we're asking for. We certainly don't want to see it evolve into that, because, you're right, it would undermine the bill if you were to create enough roadblocks that you could be mired in the courts for months; you know, the investigation gets stalled.

Generally speaking, it seems, yes, it's costly and time-consuming and a deterrent to the effective application of the legislation, and we are not suggesting that you go there. All we are suggesting is the type of—it seems, in experience—relatively swift kind of action that can take place.

It's a simple question. It's kind of the principle that if it can be avoided, one shouldn't be both judge and jury. The privacy commissioner presumably will have taken an investigation quite far down the road by this point and will have a particular view. Presumably the other party will also have another view, and if I imagine our own case getting to a point like this, as I said earlier, there would probably be some issues around this that it would be a good idea for an impartial third party to hear before a search and seizure, which is really quite an extreme measure, should be undertaken.

The Chair: Do you have any further questions, Mrs. Barnes?

Mrs. Sue Barnes: No, that's fine. I've heard the comments, and we'll take them into consideration.

The Chair: Thank you very much.

Mr. Jaffer, did you have any more questions?

Mr. Rahim Jaffer: As one sort of question/comment to follow up on my colleague Mrs. Barnes, one of the things that it seems to me this issue is bringing up, at least the concern you've brought up, is in fact that you're again, as you've stressed, not trying to take away any power from the privacy commissioner but simply adding a check and a balance to the process. I think that's fair on all sides. It doesn't seem to me that it's suggesting anything different.

• 1615

My colleague Mrs. Barnes cited clause 12, it does say private dwelling, or dwelling-house, or something along those lines. You made a clear distinction, obviously, between when it comes to the privacy commissioners with regard to their mandate in public institutions and when that crosses into a private institution, and I don't think this legislation seems to be very clear on that note, according to what you're saying.

So would you agree that basically what you're trying to put forward is the fact that that check-and-balance process may be missing currently, which your amendment would address, at least with the privacy commissioner?

Ms. Lorna Higdon-Norrie: I think it is a balance that we would like to see introduced at a point in the process before the most extreme measures are taken. That's really all we are suggesting. It would be our expectation, as I say, that the vast majority of situations can be resolved long before things ever get to that point. But the possibility of a warrant with search and seizure is one that gives us great pause, and we would like to see that extra measure of impartiality introduced at that stage.

Mr. Rahim Jaffer: I'm sure no one would disagree...to give anyone powers above the law in any area of our society.

I appreciate your comments. Thank you.

The Chair: Thank you, Mr. Jaffer.

Mr. Shepherd.

Mr. Alex Shepherd (Durham, Lib.): I differ somewhat from my colleague. I find it difficult to see why we're empowering a privacy commissioner to possibly invade people's privacy, which is your point, is it not?

Ms. Lorna Higdon-Norrie: What is “people” and what is “privacy” when you're discussing a corporation, I suppose?

Mr. Alex Shepherd: Anyway, what I really want to look at is this. You used as a part of your argument the fact that these were recommendations and not obligations of the corporation. First, the question that comes up is how significant is that? All we're doing is making recommendations in the first place. The corporation hasn't complied with them. So what?

Ms. Lorna Higdon-Norrie: I think the “so what” is an issue of clarity for us. As I say, the bill sets out certain things that are clearly obligations, and the privacy commissioner has audit powers, and certainly other powers, if an organization is not meeting its obligations under the bill.

Our concern on that point you're raising is that a commissioner seems to also have essentially the same powers over recommendations, so it's left unclear to us whether that transforms the recommendation into an obligation, because if you don't do it, you're going to be subject to the full audit, the full weight of the powers, anyway. The bill really ought to make it clear what you can be held accountable for and what are recommendations that, again, he can investigate. We're not proposing to hold back any of those sorts of issues, but the audit is something where you're supposed to demonstrate what you've been doing.

It is a time-consuming process on something that is not an obligation in the first place, and I do have visions—in fact, it has been reality—of lawyers sitting around boardrooms for hours on end trying to figure out exactly what we might have to conceivably do to comply here, and when you're in that situation, that just might not be good legislation. You might want to take the opportunity up front to engage in a little more clarification for us.

Mr. Alex Shepherd: I have two more questions, one on your code of fair information practices. You don't use the word “should”; you use the word “shall”. You say BCT.TELUS “shall adhere to the ten principles as a whole”. So you have actually placed an obligation on your corporation that is stronger than the act, correct?

Ms. Lorna Higdon-Norrie: Yes.

Mr. Alex Shepherd: So you wouldn't really have that much of an objection, then, because you've taken those recommendations and made them obligations, have you not?

Ms. Lorna Higdon-Norrie: I see John wants to comment.

Mr. John Makaryshyn: Actually, at the end of the day, what we're saying here is that this is true, they interpret it and comply with the highest level of security and privacy. But if a privacy commissioner is conducting an investigation and comes to the conclusion that there is a dispute potentially over recommended business practices, but everything is secure at the end of the day, there's no violation of a mandatory obligation, all we're saying then is that there shouldn't be at that point any ability to trigger a requirement for a full-blown audit over these sorts of recommendations.

• 1620

Mr. Alex Shepherd: I don't want to spend a lot of time on that. I want to get into this issue about implied consent, because you raised that as well in your code of fair practices. You made the definition: “Implied consent is consent that can reasonably be inferred from an individual's action or inaction.” What does that mean?

Ms. Lorna Higdon-Norrie: John.

Mr. John Makaryshyn: I think at the end of the day it gets down to reasonableness, and informed consent must be obtained from individuals for all purposes, for collection, use and disclosure. So what is reasonable within a circumstance is going to vary depending a bit on the circumstances. But I think the bottom line, the hallmark, is that consent must be obtained irrespective of...the form may vary.

Mr. Alex Shepherd: Wouldn't it be better if the act just said that everybody had to have positive consent and did away with the whole concept of an implied consent?

Mr. John Makaryshyn: No, I don't agree with that, only because it takes away a lot of flexibility. It may well be reasonable in certain circumstances to have different forms of consent. Not everything has to be signed, sealed and delivered in writing on a piece of paper. In some cases you may have verbal consent; it may be reasonable, and other forms of consent may well be reasonable. As long as the customer or the individual understands and has knowledge and gives informed consent, or it's reasonably inferred from the circumstances, then that's acceptable.

Mr. Alex Shepherd: So if it was a requirement under the act to have express consent, how would it hinder your business?

Mr. John Makaryshyn: I'll give you an example with respect to potential terms of service where express consent meant express in writing. If a customer phones up and says, “Provide me with Internet services, and you have my consent for the marketing of those services to me”, and for some reason we had to have it in writing, we'd then have to tell the customer, “Come on down and sign a contract, because your verbal consent is not valid.” That would be an artificial restriction.

Mr. Alex Shepherd: When he signs on to the site he could consent; he doesn't have to physically go to your premises.

Mr. John Makaryshyn: Sure, in this circumstance maybe that would be reasonable, but it's a type of consent that's not in writing. But we can call that implied consent or express—

Mr. Alex Shepherd: I would think that it's express consent. Somebody is doing something to say, “I agree to consent that you use this information on me as a condition of the contract for you to provide me Internet service.”

Mr. John Makaryshyn: Certainly I think in the Internet environment a lot of what I call opt-in clauses are quite reasonable. You know for a fact that somebody is giving you consent for the particular purpose, so it's unequivocal.

But again, circumstances vary depending on whether it's express or implied in a given circumstance. So I think the legislation and the CSA code are built with enough flexibility and some guidelines in the schedule to help guide businesses, but at the end of the day I think that's also a strong point of the proposed legislation, because in clause 24, with the strong education mandate for the privacy commissioner, if there are grey areas we don't understand, we can work with the privacy commissioner to help resolve these issues.

The Chair: Thank you very much, Mr. Shepherd.

[Translation]

Ms. Lalonde, do you have any other questions?

Ms. Francine Lalonde: No, thank you.

[English]

The Chair: I want to thank our witnesses from TELUS for being with us this afternoon. We appreciate your taking the time to prepare the brief and to be here, and we will definitely take your concerns into consideration.

We're going to take three minutes while we change witnesses. We're going to ask TELUS to move and Bell to join us. So I'm going to suspend for about three minutes.

• 1624

• 1627

The Chair: We are going to reconvene. I'm very pleased to welcome to our table this afternoon Bell Canada. Appearing on behalf of Bell Canada is Mr. Bernard Courtois, chief regulatory officer, and Ms. Suzanne Morin, senior counsel. Welcome.

Mr. Bernard A. Courtois (Chief Regulatory Officer, Bell Canada): Thank you, Madam Chair.

[Translation]

Madam Chair, we have brought French and English versions of our brief, which have been distributed to you. I do not intend to read the brief to you in whole or in part. I will just make a few comments, following which I will be pleased to answer any questions you may have.

[English]

I'll simply emphasize that we represent six telephone companies, Bell Canada and the major telephone companies in the Atlantic provinces and Manitoba. Also, in my role as chief regulatory officer and privacy ombudsman for Bell, I'm also in a position to speak for a number of our affiliates, including the Sympatico operation. As well, Suzanne has worked with the Stentor group that worked on the Stentor industry code and the CSA code, with all the representatives who worked on that.

From our standpoint, while we support the bill as a whole, we will concentrate our comments on part 1, dealing with privacy matters. We come with extensive experience in these questions. It is inherent to the operation of a telephone company to be quite sensitive from the very start to matters of security and protection of customer privacy both in the handling of calls and in customer information. We've also operated under regulatory requirements covering this for many years. So we've actually lived with regulation and privacy protection for many more years than most industries.

We welcome this bill. We think it strikes a good balance between the various approaches that can be taken. As you've heard, no doubt, from many industry representatives, trust, particularly in the era of electronic commerce—and electronic commerce, by the way, started long ago with voice transactions over the phone—is extremely important, otherwise electronic commerce will not take off. In order to achieve that, because our industry is now global in nature and you need to build trust, it's important to have something that consumers and customers will recognize. It's important, it's useful, that this bill capitalize on the work done by various groups to produce the CSA code, and capitalize on the OECD guidelines, which can become a global standard that customers will recognize and inherently associate a good degree of privacy protection to.

• 1630

It's also good this bill will then take the process of a CSA code and spread it to various industry sectors so we achieve, as well, broader coverage of privacy protection to again build public trust on it. At the same time, it avoids some approaches that might have been perceived as rather difficult to do in this day and age, which would be to impose a whole heavy new regulatory mechanism and bureaucracy on the process. So the bill does strike the right balance in that respect, and we think it'll be a very good contribution to the success of electronic commerce and the appropriate protection of privacy for Canadians.

In our submission we've listed some minor amendments that would help to ameliorate the bill. I'll draw attention to the one on public information, which is that we support the proposed government amendments that will make it clear that the collection, use and disclosure of publicly available information, such as that which is found in telephone directories, doesn't have to get caught up in any complicated processes.

The other topic is the one that was discussed earlier with the TELUS people, and we think it would be a little ironic if a bill intended to protect the privacy of Canadians allowed government officials, or someone delegated by them, to walk into business premises and search and seize without the very simple protection of having a third party having a look at that to authorize it.

[Translation]

In conclusion, Madam Chair, I would like to say that we support the main points in this Bill. We have made some comments in our brief and suggested a few amendments. We will now be pleased to answer any questions.

[English]

The Chair: Thank you very much, Mr. Courtois.

I'm going to turn it over to Mr. Jaffer for questions.

Mr. Jaffer.

Mr. Rahim Jaffer: Thank you.

Thank you to both people from Bell Canada for their submission.

I just received the submission, so I hope to go through it in a little more detail after the committee. However, there are two questions I'd like to ask, and one is pertaining to your opening comments when you talk about trust with electronic commerce and the amount of trust on behalf of consumers wanting to use the services provided.

It seemed to me last Thursday when we had some people from various Internet providers making presentations to the committee that the actual industry currently is in its growth stage, but we have, I think they said, close to $100 million worth of business being done on the Internet currently. For me, that's outstanding, given the fact it's a growing area and the fact that we still have a long way to go to build that trust.

My question to some of the people last Thursday—and I'm going to pose the same question to you—is about the fact that we have an industry that's been built already without any real legislation, without any real protection. In fact, it's been strictly the companies that have been providing these services, through education and through various other forms of bringing customers on board...that this growth has actually been enhanced.

You talked about the issue of striking a balance in this bill. I'd like to hear your comments on what are the consequences if some of the amendments you put forward aren't made. Could the bill become heavy-handed, or in fact could it restrict the growth of this industry as opposed to when this legislation is introduced? Without the legislation, currently there seems to be much growth in the industry.

I would appreciate it if you could comment on that.

Mr. Bernard Courtois: Yes, I think again that's where the bill strikes a good balance, because electronic commerce, even though it's growing very fast and it seems to be big amounts of money, is still only a tiny fraction of the retail sales, for example. As well, there's the whole area of dealing between businesses and their suppliers.

The concern would be that trust would build in favour of the recognized brand names, the big players in the industry. It would not necessarily build for the smaller players. One of the great things about the Internet is that it democratizes everything and everybody can play; everybody can be a global player and get into commerce. What would happen is that the small ones would be left out because people would recognize and trust the big names, the IBMs of this world, not the small retailer.

• 1635

Secondly, you only need a few horror stories about someone dealing with someone disreputable and causing all kinds of concerns and you find yourself, instead of progressing, going backwards. The interactions with customers and surveys show that a lack of confidence or a fear of what happens to personal information on the Internet, for example, is a barrier to the development of electronic commerce. So a bill like this, which really capitalizes on the cooperation of interest groups and industry that built the CSA code and then spreads that through various industry sectors, with a government official there for oversight and guidance, I think is a very ingenious balance compared to the fights that are going on in other parts of the world about more extreme solutions on one side or another.

Mr. Rahim Jaffer: That clarifies it. Thank you.

My last question is with regard to the issue that was brought up with TELUS and the one you referred to with the privacy commissioner. I think you mentioned just now the importance of the reputation of companies when it comes to customers wanting to deal with them. It was brought up by our previous witnesses that an audit process on a company or, in its current form, the privacy commissioner powers could really affect the reputation of a company if there's not that check or balance being brought to the current powers of the privacy commissioner.

So my question would be, do you believe that in the current sense the privacy commissioner is almost elevated above the law, or do we need to really address the issue of putting that check into place on the privacy commissioner, to allow yourselves to feel safeguarded to some extent in this whole privacy process?

Mr. Bernard Courtois: Yes, I guess companies have concerns in that area as well, not just individuals in their homes. For example, the Supreme Court judgment involved the Competition Act, and that usually is search and seizure of companies and company information. The fact that, as I say, a government official can come in and search and seize documents is pretty impressive to people. It's not something that goes off very smoothly and very easily.

Just the concept, also, that it's not going to be used often...and I think the expectation is that it's not going to be used often, the experience to date with various commissions that have that is that it's not going to be used often. But conversely, if it's not going to be used often, why not have a third party cast independent eyes on it to give that degree of protection? The degree of protection extends to businesses as well as individuals, so I think it's a very simple thing. It's not going to prevent the use of the power at all and it's just going to give something that I think would be more in line with a law that is intended to protect privacy.

The Chair: Thank you very much, Mr. Jaffer.

Mrs. Barnes, please.

Mrs. Sue Barnes: I'm going to follow up on this point directly, and you've heard the previous witness.

In Canadian legal framework we have had different standards throughout history between criminal and civil. In this bill, in your own brief—which I just received and glanced at after I'd questioned the last witness, by the way—I commend you for showing the difference between a criminal standard and a civil standard. You've pointed out on page 8 of your brief that Bill C-54 already meets the third test on the criminal standard of requiring reasonable grounds, so that is a limiting factor.

Now, most people in this world aren't lawyers, so I'm going to keep it down to a simple premise that most people in Canada would understand, because they're aware of the differences in proof required, the burden of proof between a civil action and a criminal action. Maybe Ms. Morin could just explain the differences of burden of proof. What level would be needed to prove a criminal charge, the burden of proof?

I'll make this simpler. It's beyond a reasonable doubt. Beyond a reasonable doubt is a stronger burden on a system than the civil one of a balance of probabilities. I mean, that's a basic tenet.

Mr. Bernard Courtois: Yes.

Mrs. Sue Barnes: The only case you have cited here is the same one cited by the previous witness, which is a criminal case. What you're asking for is a criminal standard here, and I have real problems with that because I see a limited resource.... Most corporations—and I'm not saying your firm but most corporations—have more massive resources. This privacy commissioner is going to have to resource from a limited amount of funds to educate the public, which I think is a significant role for this commissioner to attempt to do in a very complex world.

• 1640

What I see, if you get into a search warrant situation on a different level—the criminal level in a sense is the standard you're asking for here, not the civil level in the trade and commerce area, which is a lower level—is that you're going to be able to wind this guy up forever. I don't mean you personally, I'm not trying to be directive here. I'm trying to look at the reality that every time there's a document needed, search warrants.... What are we trying to accomplish here?

It's like any other situation where the good actors are going to be able to not have to worry, as you know, and the bad actors are going to be able, if we do this, to tie up in expense, in delay, in bureaucracy.... This is not unlimited funding that's envisioned in this thing. It's supposed to be light, flexible; that's why we went with a code that is precatory for the most part.

I think there were some valid points made between the “shalls” and the “shoulds”, but often, even if you take the example that was used earlier today—and I rarely like to cross-reference—the “should” actually led into a section that “shall” had an obligation on, keeping documents private. So for a lot of these things, even though there could be some clarification in that area, I think in this area I see them emasculating the act.

First of all, my question to you is about what you've pointed out in your brief. Do you want that standard, do you want that here, and how reasonable from both sides do you see it would be in accomplishing the goals?

Mr. Bernard Courtois: The standard as to whether you've proved something beyond a reasonable doubt or according to a balance of probabilities or whatever determines what happens to the evidence once you have it—

Mrs. Sue Barnes: Yes, that's right.

Mr. Bernard Courtois: —and once you go through a trial or something like that; it doesn't apply to the notion—

Mrs. Sue Barnes: It's a differentiation.

Mr. Bernard Courtois: Yes. So it doesn't apply to what's at issue here. What's at issue here is that a person is on your doorstep wanting to come in and go through your files and your papers, and that's very different from whether in the end the evidence will convict you of something or not. It doesn't have anything to do...and the Competition Act, for example, has civil sections as well as criminal sections.

What we're talking about here is someone who could be a small company, and even though the privacy commissioner may not have huge funds it's still the government, and for a small business it's government coming to your door or sending someone they've delegated to come in your door and look at your papers. The fact that a third party will have cast eyes over that ahead of time to make sure there's no abuse going on is an extra degree of protection that I think is entirely consistent with something called an act to protect the privacy of Canadians. So I think it's reasonable for that process.

Now, there are not going to be warrants issued by the privacy commissioner every day. He's not going to spend a lot of money doing these things. He's not going to exercise these powers except in the rarest of circumstances, so the fact of having to show that to a judge before doing it shouldn't have any impact on the financial ability to fulfil his duties.

Mrs. Sue Barnes: My point, Madam Chair, was specifically that there are different standards, which are different in the law.

Mr. Bernard Courtois: For the decision at the end, but not for whether someone's taking your papers without your consent.

Mrs. Sue Barnes: Well....

The Chair: Thank you.

[Translation]

Ms. Lalonde.

Ms. Francine Lalonde: Good afternoon.

Mr. Bernard Courtois: Good afternoon.

Ms. Francine Lalonde: In the past you complied with the Quebec legislation, Bill 68. What are you going to do in the future?

Mr. Bernard Courtois: We will do as we have done in the past. We will have a federal Act and, as you know, we were already covered by federal regulations. Moreover, we have always been governed by some regulation or other. Some of our subsidiaries operate under provincial jurisdiction, just as Bell and some companies operate at the federal level. As you heard us say, we are interested in focusing more on protecting the privacy of our customers and of our employees. If the Quebec commission asks us for information, we are not interested in getting caught up in issues of jurisdiction. We prefer to cooperate. We have never gone so far as to consider whether we should challenge the jurisdiction of the commission or not. As we indicated, our company has perhaps had to deal with jurisdictional complications and we would prefer that these companies not get involved in such complications.

• 1645

This Bill clearly applies to companies operating under federal jurisdiction. It leaves a place for the Quebec legislation within its particular area of responsibility. That seems to us to be quite a clever way of not getting involved in needless jurisdictional disputes.

Ms. Francine Lalonde: You seem to be saying two things at the same time, and I find it difficult to follow you.

When someone continues to complain to the Quebec access to information commission, will you respond to the said commission or will you say that the matter does not come under Quebec jurisdiction? This is very important because in the past you did not ask that question.

I have made a few inquiries of my own and identified cases where lists were sold. The Quebec legislation prohibits the sale of lists of names without offering the people concerned the right not to be included. It seems that you have found a regulation, but it is very important that you indicate whether you are going to apply the federal legislation, which does not provide for such cases, or whether you will not trouble yourself, as you say, and respond to the Quebec access to information commission when it tells you it has received a complaint.

Mr. Bernard Courtois: As a lawyer I could certainly tell you that, from a purely legal viewpoint, there are certain companies reporting to me which are subject to provincial legislation and others which are not, but our record to date shows that in such cases we do not raise questions of jurisdiction. Rather we try to get to the heart of the problem and cooperate. That will not change the issue of jurisdiction, in other words which legislation should have precedence in law, but in practice it is obvious that if a situation were to arise where we believed we were being treated unfairly or there was a problem with the legislation, we would be able to deny the jurisdiction of the Quebec commissioner. In practice we do not expect to raise this kind of problem; we expect to cooperate both with the federal commissioner and the provincial commissioner.

Ms. Francine Lalonde: I should not have to remind you that Bill 68 was adopted in Quebec in 1994, when a federalist Liberal government was in office, and it was supported by the Parti québecois. As I know you appreciate, we in Quebec would have preferred that this Quebec legislation be used as the basis for the federal Act.

There is a value judgment in that the federal legislation would create a new approach between two extremes, namely the European directive, with which in any event you will probably have to comply at some point, and the United States. Do you consider the Quebec legislation to be at one extreme?

Mr. Bernard Courtois: No. There is a whole range of possibilities and the Quebec legislation is somewhere between these two extremes. You have to appreciate that the electronic commerce industry, which we expect will grow significantly, was subject to strong US influence and was very reticent about the idea of any government involvement in the Internet. There was also concern that some people from big business would rely on it and others would not. All I am saying is that Bill C-54 seems to address the subject very well and deal with the various interests quite cleverly.

Ms. Francine Lalonde: The only people who have expressed that viewpoint here are corporate representatives. The other groups do not feel that this is a balanced piece of legislation. You can decide for yourself.

Let us come back to the Internet, to this knowledge-based economy. We are at the dawn of a new era. Isn't this proposed legislation far too soft to reassure people?

• 1650

Every day we hear disturbing news. This morning we learned that Windows 98, which many of us have installed in our computers, may disclose personal information, and nothing can be done about it. We are told that it is not directly connected but it is. Not a day goes by without us hearing this kind of thing, and really the legislation before us does not do much to address these issues.

Mr. Bernard Courtois: You are correct in pointing out that companies don't want to create doubts or worries in the minds of the public, and this has a direct negative impact on us. We want the legislation to operate effectively and efficiently. The CSA code was developed through the cooperation of public interest groups. Perhaps our experience is more extensive than that of other corporate consultants or representatives who have appeared before you.

If technology such as Intel's Pentium 3 or something on the Microsoft system could collect information against the will of the clients concerned, there would be an outburst of protest in the market. But the legislation would apply to such situations, and companies would not be allowed to use that information. So the result is neutral: technology has no effect in this case. The legislation prevents people from doing that kind of thing. People are not afraid of the machine, but rather that the machine may gather information which someone will use. The legislation applies to that kind of use.

Ms. Francine Lalonde: Information that people won't be able to recover.

Mr. Bernard Courtois: That's right. The legislation will apply to such cases.

Ms. Francine Lalonde: But a member of the public does not have the right to demand.

[English]

The Chair: Thank you very much, Madame Lalonde.

Mr. Lastewka, please.

Mr. Walt Lastewka: Thank you, Madam Chair. I appreciate the witness.

I want to ask a couple of items. Mrs. Barnes covered the one area.

This bill grants and expects to have a lot of education for Canadians. A number of witnesses have come forward, and various commissioners and reports by commissioners—all provinces—on the importance of education. It will be a large mandate.

So I'd like to get your input on how you would like to see the commissioner, or do you have suggestions as to how to educate Canadians on privacy? You've had a lot of experience on that from the various years, especially in your business. How do we educate Canadians to understand privacy and what they should be expecting from large corporations like yours?

Mr. Bernard Courtois: I think one of the things you get, for example, with this law, which I mentioned, is that by using the OECD guidelines you get more bang for your buck, in a way, because you eventually have a set of principles that becomes generally recognized. If every industry or every business were to have a very complex set of privacy principles that differed from one to the other, then educating the public about that, or for the public to find out what it all means, would be a monumental task. It's made easier by the fact that they recognize something is pervasive and will become the global standard.

Education, then, I think, is not so much a formal.... I don't have any suggestions or any views as to how someone could formally educate Canadians, but you need discussion around it. I don't think Canadians need to be educated into every little detail of a code, of how it works. They have to have an inherent understanding that they have certain rights, where they can go if they want to complain, and what the basic principles are, and that comes from public debate. It could come from coverage in the media, discussions on various kinds of shows. On the Internet there are sites where people go to talk about privacy and can get to find out about it.

I think you'll need a diversity of means. I'm not necessarily thinking therefore of formal education—get a bunch of people in a room and give them a lecture for two hours.

Mr. Walt Lastewka: No, I didn't expect that either. I guess when this bill is approved and the commissioner is doing his work and so forth, there is also an expectancy of large corporations to be part of the education process, first with their own clients and customers, and second with potential clients and customers and other Canadians. Can I have your comments on that?

• 1655

Mr. Bernard Courtois: Yes, I think that's another thing that will take place. As you've probably heard and you'll hear from a number of industry representatives, we need that sense of security to be built up out there, and we need people to know it's out there and that these principles are operational. So in our various means of communicating with the public, it's in our interest to participate in getting this better known. Yes, I think you can count on our capitalizing on that.

The Chair: Ms. Morin, do you wish to respond as well?

Ms. Suzanne L. Morin (Senior Counsel, Bell Canada): We can actually provide copies, but one of the educational tools that the telephone companies, including BCT.TELUS, helped sponsor was the development of an Internet game, a CD-ROM called Privacy Playground: The First Adventure of the Three Little Cyberpigs, and it's being distributed to schools across the country. Minister Manley was there for its launch in May. We've sent copies to Hong Kong. New Zealand has asked for copies. It's tailored to children 7 to 10 years old. It's something we're really proud of, and it has gotten a lot of mileage, and if anyone has 7- to 10-year-olds, I would be glad to supply you with copies.

That was done with the Media Awareness Network, which has done a lot of work on the Internet. Actually, even when the discussion paper for this particular bill was issued last January, Media Awareness Network had an on-line forum where you could provide comments on it. So we were very happy to be associated with them in that particular educational tool for children.

Mr. Walt Lastewka: I have another question. What do you consider the biggest threat to privacy in telecommunications in your field today?

Mr. Bernard Courtois: Nothing comes to mind as one single thing. I think the biggest threat is to not take off with the degree of trust that the public will require in order to use the new technologies. I think it's a threat of something not happening as opposed to one individual type of threat.

Mr. Walt Lastewka: I suppose those large corporations who, I guess I'll say, get in the game properly and promote properly are going to gain a trust advantage very quickly and a competitive edge. Would you agree with that?

Mr. Bernard Courtois: Yes, and in that sense, there are various certification processes taking place.

For example, Bell Canada was the first to obtain the WebTrust seal, which is run by Ernst & Young, a major accounting firm. You'll see a lot of that, where people are really trying to gain a competitive edge. As I mentioned, the reputable brand names will go for that and maybe be able to get that early.

We still have an interest because we are a carrier and we benefit from everybody using these new technologies. We still have an interest in this degree of trust spreading throughout the economy and throughout businesses, but there's no doubt that the reason we, for example, go for this, to be first to have the WebTrust seal, and others have various forms of certification is that it's viewed as a very useful enhancer of our business success.

Mr. Walt Lastewka: Thank you, Madam Chair.

The Chair: Thank you very much, Mr. Lastewka.

Before I move on to further questions, I want to clarify something from Mrs. Barnes' question. Mrs. Barnes was talking about two different standards. You're asking for a standard—and I'm not a criminal lawyer, so correct me if I'm wrong here—that you would normally see in criminal proceedings for search and seizure.

Mr. Bernard Courtois: No, we're not. To clarify what I was talking about, the criminal standard has nothing to do with what we're proposing here. That applies to what you do with information once you have it.

We're saying that civil or criminal, the concept of a search and seizure should be subject to a third party having a look at it, whether it's for purposes of civil proceedings or criminal proceedings.

The Chair: My understanding was that Mrs. Barnes was citing examples for other civil proceedings that would have the same search rights as those being proposed under this bill, and you're asking for a higher standard that you would normally see for cases that could end up in criminal matters. I'm trying to be clear here.

Mr. Bernard Courtois: Just to be clear, no, we're not—like the Competition Act, for example.

The Chair: But the Competition Act has both civil and criminal sections to it, so are you suggesting in this act we should have both civil and criminal sections?

• 1700

Mr. Bernard Courtois: No. I'm just saying that—

The Chair: You want part, but not all, of the Competition Act.

Mr. Bernard Courtois: Yes. Whether it's the civil part or the criminal part of the Competition Act, if there's going to be a search and seizure, they have to get prior authorization. So it has nothing to do with civil or criminal. It'll apply to civil and it will apply to criminal under the Competition Act. And that's why we don't make the distinction here.

The distinction that perhaps has more value is that in some other instances urgency or safety might not make it practical to go through the prior authorization. It might be food safety, airplane safety, drunken drivers, or whatever. Then it doesn't fit to go through a process. Here there is no reason you wouldn't go through the protection of having someone look at it first.

The Chair: I know that recently, as an example, I received a call in my office from a constituent who was very upset about the fact that he'd been trying to contact Revenue Canada and every time he dialled the number a busy signal would come on, and Bell would come on with that telephone message that if you press whatever for 30 minutes...and he found that very intrusive. He was trying to call Revenue Canada and he wanted to know why that was happening.

Mr. Bernard Courtois: Yes. We have a lot of automated messages, perhaps because the line is overloaded or it could be, as for Industry Canada, an automatic voice answering system. Those are sometimes quite annoying to the public and sometimes quite useful. Obviously those systems allow people to deal with the government, their bank, or whatever 7 days a week, 24 hours a day. They can be quite convenient. They're cost saving and they can be effective. But we're still learning how to work those things to make them simple and customer friendly, and in some cases they're not. But I don't think it's any more than that.

The Chair: Most people would assume that local calls are not known—not tracked—because local calling is free from your home. When you do this, is that phone call then tracked?

Mr. Bernard Courtois: No. The switch, which is a big computer, collects the information, whether it's a local call or a long distance call, but there's no system in place to extract and collect that information, because we don't use it for billing or whatever. So it just doesn't get used. But the calling number is available, and that's how you get caller identification, or you can trace a call after the fact if a person has tried to block it. So there is some information there.

The Chair: Thank you. Mr. Jaffer, do you have any more questions?

Mr. Rahim Jaffer: Yes, I do.

Given the amendment that you're asking for, which Madam Chair just wanted some clarification on, when it comes to a check or a balance, I'm curious whether right now, under the current legislation, there's any provision in the law that gives you recourse if the privacy commissioner launches an audit or wants to go through the process of search and seizure and you feel that's completely outlandish. Is there any recourse currently you could use to bring light to that?

Clause 22 of this legislation says that if the commissioner is acting in good faith and going through a process, he or she is literally untouchable. So I'm curious, in that given circumstance, without the provision that you're suggesting in the amendment, is there anything you can do to bring light to something you think is unfair?

Mr. Bernard Courtois: Yes, but the awkwardness with something like that is that when it's done, it's done. You can't go back. If for example someone were to come upon privileged information, solicitor-client privileged documentation, you could try to pick up on that after the fact. But if they've looked at things they should not have looked at, well, it's too late. They've looked at it, they've already been in your premises, they've already come in whether you consented or not. So in practical terms you can't really undo that after the fact.

Mr. Rahim Jaffer: My last question is to follow up on what Ms. Lalonde was asking, with regard especially to provincial jurisdictions of privacy and this federal legislation. When it comes to privacy laws being established within the provinces, Quebec is the only one currently. But if that continues and other provinces start to implement changes to privacy and to build something in line with this or their own concerns, could it not become somewhat cumbersome in the end? Or do you see it as a positive thing if different provinces have different laws and, as you're operating a business, you have to overcome those challenges that different provinces put in front of you?

• 1705

Mr. Bernard Courtois: Yes, it could become quite awkward if they're substantially different. That is again a good thing about this bill, because it has some mechanism to assure that they're not wildly different from one to another. You're talking about an industry that, by nature, is even global. If Canada can take a lead and can cover at least that, we have a good base and we'll have a brand and image out there that can be trusted in matters of privacy.

As long as the legislation is fairly similar, then businesses should not have much of a problem. We've been living with that very situation, being subject to federal regulatory requirements. Section 11 of our terms of service is very detailed about privacy protection of customer information, and we've lived with the fact that some of our affiliates are subject to the provincial law. As you've heard, even when the provincial commissioner asks for such information from the company that's not subject to the provincial law, we cooperate in any event.

So as long as the laws are generally comparable, it's going to be quite liveable for business. But if you didn't have a mechanism like the one you have in this law, and if you just let the provincial laws prevail in provincial jurisdiction and they were quite different, then it would become quite awkward for business. I think we'd then be missing out on the objective of giving Canadians a sense that there's a certain degree of privacy protection out there.

The Chair: Thank you very much, Mr. Jaffer.

Ms. Barnes.

Mrs. Sue Barnes: Thank you, Madam Chair.

Having just listened to the answers to those questions, I'm going to take you to your own brief on page 7, because it's now very confusing to me. It seems that you've said the opposite to what's on page 7 of your brief. Here you say, “In criminal matters, the Supreme Court of Canada has established three preconditions for a valid search and seizure”. You cite the Hunter case, and you set out items i), ii) and iii), with iii) being the reasonable grounds.

I'm now going to read you the paragraph that you have in your brief:

While we appreciate that this is not a piece of criminal legislation, we would submit that the same preconditions

—the ones that were just cited above in the criminal case and are the standard-bearers in this area—

should exist when the Privacy Commissioner wishes to exercise his or her search and seizure powers in the context of conducting an investigation or an audit.

Now, correct me if I'm wrong, but I heard you answer in reply to the chair's question that you didn't want the criminal level on the search and seizure.

Mr. Bernard Courtois: I think it's good that we clarify that. The reason we said it here is that the Supreme Court decision applied in a criminal matter. The object of what we're saying in our brief is that it should also apply when it's not a criminal matter. In fact, the Competition Act was subsequently amended so that the same protection applies to actions under the civil portions of the Competition Act as well as the criminal. That's the point we're making. We're saying that even though that judgment pertains to a criminal matter, we think it should apply here even if it's not a criminal matter. And the Competition Act is another example.

Mrs. Sue Barnes: That's my point. You do want it to apply in this thing where we don't have criminal protection—

Mr. Bernard Courtois: That's correct.

Mrs. Sue Barnes: As I heard it, that is opposite to the answer you gave a couple of minutes ago.

Mr. Bernard Courtois: Oh, I see, I'm sorry. I thought I said that whether it's criminal or not criminal, we want this protection to apply. So here's a law that's not criminal, but we want this protection to apply. Here's a court case that was a criminal matter, and that protection applied. The Competition Act was then amended for non-criminal matters in order for the same kind of protection to apply.

So just to make it clear, whether the question is a criminal one or a civil one, we think you still need protection against unauthorized search and seizure.

Mrs. Sue Barnes: The criminal standard.

Mr. Bernard Courtois: No, I'm sorry, protection against search and seizure is not a criminal matter, it's protection against search and seizure. It can apply in a criminal case or it can apply in a civil case. We're saying this is a civil case, and it should apply in a civil case.

Mrs. Sue Barnes: Okay, now we're clear on what you're saying.

The Chair: Thank you very much, Ms. Barnes and Mr. Courtois.

[Translation]

Ms. Lalonde please.

Ms. Francine Lalonde: I would first like to indicate that the CSA code was not designed to be an integral part of the proposed legislation. I know people who would never have helped implement it if that had been the case.

You say that you are appearing before us to speak only on Part 1 of the Bill. Nevertheless, I would like to ask you what you think about the definition of “electronic signature” and “secure electronic signature”. I have in front of me the report of the UN task force which states that the term "signature" should not be used because in the cases in question these are not signatures.

As the copy of the report I have is in English, that is the language in which I will read it to you:

[English]

...rather, [they are] techniques that enabled the identification of the sender of a data message and identification of the message that was sent. Accordingly, there was no rationale for using the term “signature” to describe such techniques, and in fact to do so could create confusion as the term “signature” carried with it meanings closely associated with its use in the paper environment and with the legal effects of its use in that environment.

• 1710

[Translation]

Like Mr. Lastewka, I also would like to hear your views on that point.

Mr. Bernard Courtois: As I said, it is because of our experience in the protection of privacy that we commented on that aspect. I have not studied in detail the other aspects of the Bill, which I find very helpful.

Clause 31 provides a definition of “electronic signature”. Another term may be preferable, but I believe that, once an expression is defined in the legislation, all doubt is removed and problems are not likely to arise. For reasons of style, the person drafting the Bill might choose a different expression, but since it is in this Bill that the expression is defined, any doubt will be removed. The term will have the desired effect since it is defined expressly.

Ms. Francine Lalonde: But the problem is that what is a signature is already defined in the civil code or common law. We will be faced with two undesired legal consequences if there are two types of signatures. I have listened to the opinion of the legal specialists on this matter. I would put the same question to the members of the committee. This definition certainly has to be examined.

Mr. Bernard Courtois: The courts apply at the same time common law, civil law and statute law, and they will apply this legislation, including the definition contained therein. Could the legislator have chosen a better term? I don't know. I have no alternative term to propose, but I believe that legally speaking the Bill could be applied without problems since the said definition is contained therein. The courts may apply a definition from the civil code, from a provincial or from a federal piece of legislation, as the case may be, so long as the Act is clear.

Ms. Francine Lalonde: I would like to go back to an expression you used earlier. Some people may perhaps not agree with you. Thank you anyway.

[English]

The Chair: Thank you very much.

I want to thank you both for being with us. We appreciate your detailed presentation and your participation in the hearings.

Committee members, just before you go, I want to raise an issue about what's happening with Bill C-54. We've had a number of witnesses call us. We said at the steering committee meeting last week that we would only entertain briefs. I just want to make committee members aware that about five more groups have asked to appear. As it stands right now, next week we're sitting Tuesday morning, Tuesday afternoon, Wednesday afternoon, Thursday morning and Thursday afternoon. The only way to accommodate another meeting would be to meet either in the evening or to meet Monday afternoon. Monday afternoon would probably create the least conflict for people. I don't know what the committee's feelings are on that, though, so I'll raise that with you.

Ms. Francine Lalonde: Is that March 22?

The Chair: No, March 22 is the following Monday.

A voice: That's the day we go to Montreal.

The Chair: No, we're talking about next Monday, not March 22.

[Translation]

Ms. Francine Lalonde: No problem.

[English]

The Chair: All right, so I'm thinking that we'll try to entertain the rest of them on Monday afternoon, if everyone's in agreement with that.

Mrs. Sue Barnes: For how long?

The Chair: All the meetings are scheduled for two hours.

Mrs. Sue Barnes: Two hours? So it would be after QP on Monday.

The Chair: Yes, it could be Monday afternoon. That's what I'm thinking.

Mrs. Sue Barnes: Okay.

The Chair: All right.

The meeting is adjourned.