ETHI Committee Meeting

CANADA

Standing Committee on Access to Information, Privacy and Ethics


NUMBER 035 | 2nd SESSION | 39th PARLIAMENT

EVIDENCE

Thursday, May 15, 2008

[Recorded by Electronic Apparatus]

  (1530)  

[English]

    Colleagues, we're here with regard to our order of the day, Privacy Act reform.
    We do have a couple of witnesses today, but before we commence with the witnesses--we still have a couple of colleagues who have yet to come--it's been raised with me about the witnesses we have had.
     As you know, when we started this process we wanted to consult with the Privacy Commissioner about what was possible for us to do in the timeframe leading up to the summer break. As a consequence of our realizing it was going to take three months or more to do the full review of the Privacy Act, we came to the conclusion that we would be better advised to use our time to look for the quick fix, the band-aid approach.
    As a consequence, the commissioner provided us with ten suggestions--an excellent paper--to give us a start. We have been providing witnesses with that document, and asking them to provide us their input on the quick fixes or the band-aids that have been identified by the commissioner, as well as any other suggestions they may have.
    The remaining witnesses that we've committed to are the justice department officials, the minister and officials; that will be a full meeting. We also have the bar association and the commissioner herself. Those are two meetings, and we are required to discharge those. For the rest of the period now, we have six meetings in total. I think I talked to Mr. Tilson about this earlier, that there were another four meetings in which we would hear witnesses. That would bring us, hopefully, to the end of the witness phase.
     Then, during the summer break, the plan I had discussed with our research assistants and the clerk was that we would then provide a summary of the proposed band-aid solutions for consideration, a summary of the evidence on each of those items by the witnesses, and any other items that came up and were suggested, by whom, and the argument there. So you would basically have that summary of evidence document, which would be distributed to us and available to us so that when we return from the summer break we will be in a position to start to assess and discuss those.
    When we started, the commissioner provided us with a list of witnesses, which in the first instance were to review the entire act. This is a much broader list; there's quite a large number of them. Most of them were before the committee with regard to its PIPEDA review.
    Our researcher had also provided us with a list of witnesses, not on the band-aid approach, but rather on the full review. Some of these we have, in fact, heard. We have also received from Mr. Hiebert a list of another dozen or so witnesses for consideration. I have no more witnesses other than the ones that have now been submitted by Mr. Hiebert. I don't think we're going to be able to accommodate them all in the four meetings.
    It's nice to have a list of the possibilities here, but I think we have to have a little bit of an assessment of where the gaps are that we need to fill in: the other side of the story; new items; new input; and where can we get this thing rounded off and have a good balance of argument, not only on the band-aid issues, but also on any other suggestions that people may have.

  (1535)  

     I'm going to seek some assistance from Mr. Hiebert or the Conservative members on prioritizing or rationalizing if we are going to fill the four meetings with people from this list--the approach. If we want to deal with them all we can have panels. That will reduce their time, but in fairness to witnesses coming in we want to be sure they have ample time to do their work. Some may be better.
    That is the game plan. Then when we come back we can review all the recommendations and the input from the various witnesses. We can then do our diligence in making a critical assessment of which items we feel are most appropriate and why; which ones at this time should be stayed or tabled for future consideration, for whatever reasons; which ones will start to give us the skeleton we need to do a report. That is where I'm looking right now.
    I'd like to hear from Mr. Tilson, Mr. Wallace, and Mr. Van Kesteren.
    That pretty well covers it.
    What do you think, Mike?
    Mr. Chair, I'll pass.
    You've pretty well covered the issues I was interested in. I'm not privy to the different list you have, and I question whether or not the subcommittee or the overall committee should be privy to that. So far, with the exception of the police officer, everybody has pretty well agreed generally with the commissioner's recommendations.
    Someone out there must have some opposing opinions. Everybody has opposing opinions on everything. Without looking at the overall list, I don't know who that would be. I'm interested in the possibility--maybe the clerk and Ms. Holmes can make some comments--of having groups, as opposed to one person. We have two hours in a day, so you could have groups for either the full two hours, or two different groups, depending on who they are.
    One of my observations is that several witnesses have come here, with due respect, who didn't seem to be prepared. They didn't seem to know why they were here. They had no comments about anything. They said “Here we are. Fire away with questions.” That's okay, but normally people come with some observations. They've looked at the recommendations. I'm just throwing that out to the clerk for the future. Maybe they were briefed--or maybe they weren't--but I hope in the future, groups will come and tell us what they agree with, what they don't agree with, and give us their own observations. If they had something in writing it might be useful for committee members as well.
    So my observation is that several witnesses--not all--came here unprepared. I'm sure the group here today will be very well prepared, absolutely.
     I don't know who's on your list, but one name I have is Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario. I know she's respected across the country as a privacy and information commissioner. If she's on your list and coming, that's fine; if she isn't, I hope we will consider her.
    There's a group that Madam Lavallée might remember. I don't remember what it was called. It was a newspaper guild. Does anyone remember them? They were mainly an information group, but they might have some observations on privacy. They represented the newspaper people across the country.
    Those are the only names, and they may well be on your list. I doubt if the newspaper people are, but hopefully Dr. Cavoukian is.

  (1540)  

    The commissioner's list to us was circulated to the members. It came in a package to us. They are experts, most of whom were involved in PIPEDA as well, but there were some others.
    The second list was from the researchers. It was also circulated to all members on April 4, and included provincial privacy commissioners for B.C., Saskatchewan, Quebec, Ontario, and New Brunswick as possibilities, because you don't know about availabilities. There were 17 there, plus we have 14 here. I haven't checked to see whether there's any duplication here.
    The important thing for us to do--and I want to hear from the other members--is to try to fill in where we feel it's necessary. I don't think I want to have everybody, just because they're on a list. Members should make recommendations based on need and propose them to the committee. We want to use that time wisely. I don't know the people, where they might be able to fit in, and some of the other concerns. Maybe we'll hear that from the other members.
    Let's hear from Mr. Wallace, and then Mr. Van Kesteren.
     Thank you, Mr. Chair.
    Likely, most of the names you got from our parliamentary secretary came from me. I don't mind having them lumped together on a panel. I do take a little bit of exception. The Privacy Commissioner provided us a list of quick fixes, but we haven't looked at this for 25 years, as parliamentarians. I think we thought it was sort of an easy way to look at these ones first. It doesn't preclude us from looking at deeper things.
    My thinking was that most of these fixes are for government agencies and government organizations that relate to the Privacy Act and are not necessarily third parties. But there are a number of third parties that deal with government that I'd like to hear from. For example, I had on the list the Canadian Association of Chiefs of Police; the RCMP, which we had heard from; and the Canadian Resource Centre for Victims of Crime. Those are the kinds of things.... I'm not sure what government information they have and whether the Privacy Act would affect their ability to do their work, or help them do their work.
    There are two other areas I'm interested in. We have a heavily regulated banking industry in this country. Maybe that's coming from my finance committee. I'm not sure. We could hear from anyone in the banking insurance area--there doesn't have to be one meeting for each--to make sure that I have an understanding of whether what we're doing here for privacy has any effect on that industry and the private sector. It could be a panel group. Unless we invite them, we don't know whether they'll even come or not. Right? They could say “Look, it doesn't affect us, and we're not interested”, which is fair.
    I had a few others, but the other group I'm particularly interested in is the Canadian Medical Association on medical records and anything to do with personal information that has to do with people's.... Hospitals aren't private sector and they're not public sector. The medical field is a little quasi.... I'm not sure exactly how you'd phrase that.
    Those are the three areas, Mr. Chair, I'd be interested in. I may not have all the answers in terms of who those guests might be. Other lists may produce other, better guests, but the medical area, the banking and financial institutions area, and the crime and criminal side are the three I think we should try to see before we make any decisions.
    And of course we haven't debated this as a group. We may agree or disagree with the quick-fix recommendations, as she calls them, or we may say this is obviously a bigger project than we thought, and we do need to take more time to do it properly. I just put that out for the record.
    Thank you.
    Okay.
    Mr. Van Kesteren.
    Thank you, Mr. Chair.
    The group I want to specifically speak to would be the prison guards, correctional services.
     I find that most of the recommendations are sound. I think we've had some good witnesses who have presented their cases. But I'm concerned about some of the flaws in the system now. And although we can improve on this act--and as Mr. Flaherty pointed out last week, there definitely is some room for improvement--there is also room for improvement of some of the flaws. It appears that is a very serious flaw.
    I would like to know, too--and I don't know if we've studied that or asked enough questions--whether or not there are other flaws in the system. But that seems to be a glaring error, or there has to be something there so we avoid having this happen if we make amendments to the act. I want to know what, first of all, is going on. I really want to uncover that. We probably could devote one of the meetings just to the correctional services.
    The other thing--and I mentioned his name too, and no disrespect to any of the witnesses--is that Mr. Flaherty was a wealth of information. And I wouldn't mind, once we compile this thing, if we want to look at him one more time. I don't know if we were finished. That particular day we went right to 5:30, and I think most of us had two hours of bombardment. That was the day you left. He pretty much socked it to us for two hours. There was mental fatigue, I think, more than anything else. And Mr. Tilson was the chair at the time and it was like, “Okay, we've heard enough for a while”, but I'm not sure if we heard everything we want to hear from Mr. Flaherty. I think his presentation was excellent. So those are the two I would suggest.
    Most definitely we have to get to the bottom of the problem we're experiencing in the correctional services.

  (1545)  

     I don't disagree with you.
    Madame Lavallée.

[Translation]

    First, I want to apologize to our guest, Mr. Comeau, for making him wait, but we absolutely have to establish the procedure.
    Mr. Chairman, I didn't bring the first list that you distributed to us with me, but I have never seen the second one. So if we want to have a discussion that is in the slightest way informed, it seems to me that, if we obtained both those documents immediately, perhaps we could set aside 20 minutes or so at the end of the meeting to discuss future witnesses.
    If I understand correctly, the purpose is to have guests who will provide us with diverse evidence, not to hear two or three witnesses who will talk to us about the same concerns. Nor should we lose sight of the fact that our goal is to finish before the end of June, even if it means extending our hours or summoning groups. The idea would be to finish before June and to have the best witnesses from both lists.

[English]

    Okay.
    Mr. Hubbard.
    I'm a little bit concerned, because we have a witness here who's been waiting 20 minutes. In all fairness, I think we probably should proceed with our witness.
    I agree. I just wanted to be sure, because we need to have some clarity here.
    I've taken note of the input and that some of it really concerns PIPEDA more than the Privacy Act, but I think we have some direction. We're going to make some contacts. I think we've had some good input from members and nothing is going to preclude the committee from adding further witnesses to the extent they're needed to do the job properly. There's no time limit or deadline for this project, but we do want to make each and every meeting a constructive one that will add to our knowledge. So that will be our objective. I've taken the input from the members, and we will do our very best to make sure that we have good quality witnesses before you.
    The Minister of Justice and the officials are coming the week of the 27th, so these witnesses will not appear until June. We'll come back to you when we return, just to update you on what we've found available and have booked tentatively—to make sure everybody's comfortable.
    Is that all right? Terrific.

  (1550)  

[Translation]

    Mr. Comeau, I'm sorry.

[English]

    We're going to split the time equally between you and our subsequent witness. I want to be sure that you get all of the time you need. I thought this was also important for you to hear, because we have a little bit of experience with some witnesses who have tended to try to cover the whole Privacy Act with a general approach. At this point, I think we understand that we cannot do a full or comprehensive review of the Privacy Act. But the commissioner felt that it would be helpful if certain urgent matters that required remediation were considered, either a so-called band-aid solution or a quick fix to hold us over until the appropriate time could be dedicated to doing a full review of the Privacy Act—which, as you know, has gone 25 years without changes. Obviously, there's a great deal to do.
    I'm not sure, but have you seen the list from the commissioner? You have. So you're generally familiar with the ballpark.
    You have also provided us with your opening comments. Don't feel obligated to read all of them to us if you don't want to. If you want to just focus or target or highlight some points, that would be fine, or whatever you wish. But I'm going to invite you now to make your opening comments to the committee. The best and most productive part of the meeting, though, is the questions and the comments, so we want to move to those as quickly as we can.
    Thank you. Please proceed.

[Translation]

    Mr. Chairman, ladies and gentlemen members, thank you for your invitation. I am pleased to be here with you. For 10 years, I was used to appearing before the committees of the National Assembly. I've only been here once; so it's with some apprehension that I've come back. I won't read all my remarks, but I would simply like to make a twofold admission at the outset: I am a member of the Privacy Commissioner's external advisory committee, and I also wrote a study for the Commissioner on oversight agencies in the countries of La Francophonie. So I would like to avoid any idea of conflict of interest.
    I would also like to say that I am not a theoretician. I will be addressing your topic from the viewpoint of a practitioner, which is what I was for 10 years during my term as chair of Quebec's access to information commission, which is concerned with both access to information and privacy.
    I would like to draw your attention to three aspects, which are moreover quite directly related to the 10 proposals submitted by Commissioner Stoddart. The first is the reaffirmation of the fact that, with respect to your work, this is a study of a fundamental right, a right that is reaffirmed by the Constitution, or virtually so, by members of Parliament, the Supreme Court and doctrine on the subject. The consequence is very clear: with respect to a fundamental right, there cannot be two standards, one for the private sector, the other for the public sector. Citizens are entitled to the same respect for that fundamental right, regardless of which side of the fence they are on. That is why I have a practical suggestion to make on the subject, which is that you cheat the classic ombudsman model and, in certain areas, confer decision-making powers, concrete powers on the Commissioner to meet needs and to join the universal trend in this matter. If you have any questions on that, I can answer them.
    My second point is the exemplary role that government must play in the implementation and respect of a fundamental right. In my view, it's unthinkable that government shouldn't have the same obligations and not be subject to the same restrictions as the private sector. And yet that's currently the case, when you take a close look at the two statutes, that concerning the private sector and the other concerning the public sector. In that sense, I think some of the Commissioner's recommendations are entirely consistent with this rebalancing of the two acts governing the same right.
    Third, I would also like to encourage you to take a look ahead of or outside the problem that has brought us here today. Very simply put, the work, research and solutions in the privacy field are now being developed in large part in Europe, not the United States. The United States had the lead in this field. They innovated. They launched the Privacy Act, which was used as a model around the world, but they are now distinctly lagging behind and out of sync with a certain number of countries.
    I would suggest that the Canadian government take advantage of its ties with the European Union to ensure that the Privacy Commissioner is, in one way or another, associated with the work of what's called in the language of Brussels the Article 29 Working Party, which consists of all the European commissioners in the field and which is the centre of research, innovation and especially dialogue with the United States. The Europeans have problems with the United States regarding personal information transactions and have structured a dialogue that I think could be helpful to us and wouldn't result in Canada being isolated in its dialogue with the United States. There will be a Canada-European Union summit in Quebec City in October. I think that could be an item on the agenda: how to involve the Commissioner in the business of that group? This is currently the fundamental international group in the area of privacy, especially, in the consideration of the impact of new technologies and inventions being deployed virtually everywhere which may constitute a threat to privacy.

  (1555)  

    Those are the three points I would like to raise. I think I've summarized them clearly. In any case, my brief is here, if you wish to use it.
    I am ready to dialogue with you and to answer your questions at your convenience.
    Thank you.
    We'll start with Mr. Pearson.

[English]

     Thank you, Mr. Chair.
    Welcome, Mr. Comeau. I'm glad you're here.
    You mentioned the obvious discrepancy between privacy in the private sector and privacy in the public sector. Those of us who worked on PIPEDA a year ago definitely get that; we understand the difficulties there.
    But when it comes to certain public sector practices, we've had witnesses here—for instance, from the RCMP, or the Treasury Board—who think the act, as it exists, is fine. It could be retooled a bit, but basically it's okay to them. So when I asked them specifically, why is it that you would fight against legislative changes to this act, and I gave them something of an answer—is it because you're looking for more flexibility in the things you do—they said yes.
    I would like you to comment on what you think are the reasons for the Treasury Board or the RCMP or others in the public sector having problems with changing this. Why are they hesitant about this change that the Privacy Commissioner has recommended?

[Translation]

    You'll allow me to draw on my previous experience in the field. I think that public servants, government administrators, are the same everywhere, regardless of the type of government. An act such as this is clearly not a very pleasant thing that makes life easier. It confers rights solely on citizens, and it imposes obligations on them. That's already discouraging, especially when a framework is provided for those rights. I think you nevertheless have to be very realistic.
    The Treasury Board Secretariat has already developed this entire technique and these privacy assessment forms, which are part of the directives. I would be very surprised to see those directives applied uniformly across government as a whole. If the privacy assessment becomes an obligation under the act, I think that avoids abuses and errors as well. When an administrative reform is launched, when you need personal information to administer that project, what do you do? You always go after computer engineers who have all the right answers in the world with regard to security, but, nine times out of 10, have no idea what privacy may be. That, at the outset, is where the problems start, and then it becomes extremely difficult to make corrections. When you've realized that there was a problem, it's extremely hard and costly to go back.
    I'll give you an example of a Quebec company that, to make its computer system compliant with the Privacy Act, had to spend more money on the upgrade than the initial cost to build the system. You'll say that happened a few years ago.
    The guides published by the Treasury Board Secretariat are extremely well done. I don't see why organizations like the Royal Canadian Mounted Police, CSIS and others wouldn't submit to that. It's something prudent and prevents abuses. That directive exists. I think that making it an act is a wise move.

  (1600)  

[English]

     Thank you. That's helpful.
    One of the other things that the commissioner asked for, as you know, is order-making powers. She felt it was essential to the work she had to do. She said she felt that she lacked the teeth necessary to make the kinds of changes that are necessary.
    In her statement to this committee she said she wanted to be able to triage complaints and that there had been a backlog because some were somewhat frivolous. In order for what she wants to do to be successful, and from your own knowledge of the provincial jurisdictions, do you think the kind of triaging she wants to do would require order-making powers, or could she do it without order-making powers?

[Translation]

    It must be said that triage is an objective specific to all jurisdictions responsible for privacy. It's a universal and fundamental problem, regardless of the options, the models: an ombudsman, administrative tribunal and so on. So how do you resolve that? How do you deal with frivolous requests and those from people who are characterized as “quarrelsome”, that is to say people who file applications with various tribunals and agencies in order to block the system? It's not an easy question, especially since we're talking about a fundamental right here. You must not deny the rights of some for the benefit of others.
    So there's a basic problem. My solution, although very limited, would be to give the Commissioner the power to require that the processing of certain applications be expedited. That would be particularly the case where it's realized at first glance that the application is unnecessary, deals with a matter that has previously been decided or is simply designed to cause delays in the process as a whole. The Commissioner could have the power to decide, even if it meant delegating that power to an associate. In my opinion, if the Commissioner's decision raised major problems, it would have to be possible to appeal it to the Federal Court or an organization of that kind.
    Last year, I studied seven organizations from a number of regions of the world and I saw that it was the same everywhere. They're dealing with backlogs resulting from an increase in the number of actions by a small number of individuals. So there's no miracle solution.

[English]

    Go ahead, Madame Lavallée.

[Translation]

    Mr. Comeau, as you observed, each of us has only seven minutes to ask you all the questions we want to ask.

  (1605)  

    So you want me to answer briefly?
    If that's possible.
    Everything you say is really interesting. I know you're very familiar with this issue. You are an expert in the matter. That moreover is why we invited you.
    The Commissioner made 10 recommendations that you've no doubt examined. Are you in favour of all those recommendations?
    Yes, except—
    But would you make any additions?
    The subject addressed by your colleague poses a problem. We haven't managed to resolve that matter. I proposed a solution that would be to grant decision-making power to the Commissioner. That would make it possible to solve the problem, but, to do that, you'd have to put on kid gloves because fundamental rights are involved.
    In her sixth recommendation, which concerns the problem of frivolous applications, the Commissioner asks to be granted discretionary power. I think that's vast. Would it be possible to achieve the same objective by stating the kind of applications that she may deny? Is this way of proceeding applied elsewhere in the world?
    Yes, statutes state very clearly that applications deemed frivolous, repetitive or completely beside the point may even be dismissed. You don't need to be good at advanced mathematics to arrive at that reasoning. The discretionary power could be exercised, even if it meant it could be subject to appeal.
    But that would be within this framework. It would also be the case if we also accepted the second recommendation, in which the Commissioner suggests that the power to prosecute citizens be expanded.
    And that citizens also be allowed to go to court.
    Indeed, a practice that is not very widespread.
    No. I'm going to give you a very simple example of an individual who, after requesting access to personal information, observes that the information on him is false and incorrect. He asks that it be corrected, which is a right that has been recognized by the OECD since guidelines were adopted in the 1980s. The government official or department denies his request for access and for corrections to the incorrect information. He finds himself at a dead end. He can't go to court, and he can't have that information corrected. It's absolutely unthinkable. There are major errors in the personal information files.
    As regards the quasi-judicial power, the Commissioner says that she doesn't want it, that she doesn't need it. And yet, you say in your presentation that that's what it takes. Other individuals have come and told us that she won't be taken seriously if she doesn't have it.
    First, from a theoretical standpoint, a recognized citizen's right, particularly a fundamental right, must be accompanied by a mechanism for respecting that right. Otherwise these are pious hopes, statements of principle. The Commissioner must therefore be able to intervene in the specified areas.
    Second, when the act was passed in 1982, it was progressive. In the western world, it was considered an impressive act. We had progressed beyond the U.S. Privacy Act and France's 1978 legislation. Today, however, the act is lagging behind in this respect, particularly concerning the power of organizations similar to that directed by the Commissioner. These powers have been enhanced everywhere. The latest example, which is a very strong one, as you will agree, is the authority granted by the French act to the Commission nationale de l'informatique et des libertés to levy fines without going to court when people commit offences under the act. This is an enormous power. Most similar organizations now have increasing powers. These are watchdogs with teeth. There's clearly a universal trend.
    How are we to understand the Commissioner? I don't understand her. How do you understand her when she says she doesn't want this kind of power, which would enable her to be more effective?
    I can't read Ms. Stoddart's mind. I have two interpretations on the subject. The first is that she is a lawyer and espouses the ombudsman model. In theory, an ombudsman has no decision-making power. As she respects power, she is unable to reason in that manner. I'm from another school, and I say to myself that the Privacy Commissioner has been given mandates respecting the private sector. Is there another officer of Parliament who intervenes in the private sector? The Auditor General, the Chief Electoral Officer, the Commissioner of Official Languages all deal with the public sector. So we've departed from the model and there's been no scandal. The building is still standing. That's a theoretical response.
    The second interpretation is that an entirely different factor has been introduced in 25 years of practice. We have to make a clean break with tradition and go against what has been put in place. You have to assess the pros and cons. That's why my recommendation on the decision-making power is limited to specific cases that are consistent with some of the Commissioner's proposals.

  (1610)  

    I'd like you to talk about the European Article 29 Working Party. I'd like to know why Canada is excluded from that.
    Because it's not a member of the European Union. It's a combination of all similar organizations in the European Union. It is informed of decisions, it is solicited, and it sometimes takes part in processes. That was the case in the investigation of SWIFT, the personal information analysis and credit business. However, it still lags behind. It is not a participant in what is really the authority where privacy matters are considered, evaluated and decided.

[English]

     Merci.
    Mr. Tilson, please.
    When we were looking at PIPEDA, we talked about the concern of destruction of documents. We talked about the concern that documents were being found in dumpsters and dumps in the United States and all kinds of rather worrisome issues. If it happened there, it could certainly happen with this legislation.
     I'd like you to comment on the whole issue of destruction of documents, because I don't think there's anything in the act that deals with destruction of documents. In other words, it's a problem, and if it's a problem in one area, it's a problem in this area.

[Translation]

    You're entirely right. The destruction of personal information, whether it be in paper format, on magnetic tape or CD-ROM, is a major problem that arises from time to time. When I was at the access to information commission in Quebec, there were major cases of documents thrown into the waste basket, in the street, which disclosed individuals' credit information and mortgage information in suburban East Montreal, for example. In the middle of Rue Saint-Jean, the main road in Quebec City, personal information from a law office on the preparation of divorce cases was found. There's also the latest case that was just handled by New Brunswick—

[English]

    And we could, too. We've heard them in this committee when we were discussing this issue before.
    My question is whether there should be specific provisions in the legislation dealing with this. I mean, you try to encourage private corporations, whether they are banks or department stores. Winners was a problem. There was something there. There was CIBC. I hate to mention those names again, but it happened.
    If it happened to those institutions, it could happen to governments. Dealing specifically with governments, should there be something in the legislation, and if so, what should it be?

  (1615)  

[Translation]

    That's possible. The Commissioner didn't make that a direct recommendation, but Recommendation 3 talks about the privacy assessment—

[English]

    Excuse me, was that three?

[Translation]

    That's the recommendation that concerns the privacy assessment. The privacy assessment models developed by the Treasury Board Secretariat obviously provide for the destruction of personal information. It should be included in the act and the privacy assessment should be made mandatory. It may not solve the problem, because there will always be accidents and negligence, but mechanisms will have been put in place to prevent them.
    I think that's one way of responding to your concern, which is indeed a constant concern.

[English]

    The issue of order-making powers was raised by Mr. Pearson, and it has been raised by some witnesses in the past. I haven't formed an opinion yet as to whether she should or whether she shouldn't, although I get the impression she already has mediation powers. Is that a fair statement?
    Does she have mediation power?
    Well, people call up and officials investigate. Maybe I'm not using the right terminology, but investigators talk to people. I know I'm using a rather broad term for mediation.
    Let's say we do give her those powers, then you can go to the courts.
    Exactly right, yes.
    I will raise the question that I've raised with other witnesses. The commissioner has come here in the past. I get the impression she doesn't have the resources to do what she's doing now. She has a tremendous backlog. If she doesn't have the resources to do what she's doing now, how in the world is she going to have the resources to get into a court system within her commission?

[Translation]

    I have two answers to your question. First, in very practical terms, giving her decision-making powers in very specific areas would, on the contrary, help prevent backlogs simply by eliminating frivolous applications, repetitive applications, unnecessary applications and all that. I'm convinced that would make it possible to avoid the rising backlog. And the problem is the same everywhere.
    It must also be realized that there is decision-making power in the Canadian provinces, and it has never been abused. It is one way to resolve matters—and this is the second part of my answer—and it is an extremely effective deterrent. I'll give you a specific example.
    Quebec's Act respecting the protection of personal information in the private sector came into force on January 1, 1993. When I entered the office on January 2, it was panic. We had received a letter from the vice-president of one of Canada's six big banks. I was astounded to see that the vice-president had tried to reach me over the Christmas holidays—I was in Europe—and simply because he had learned that a client was going to file a complaint under the new part that was entering into effect and he was afraid that quasi-judicial powers would be used in that area. Do I need to tell you that the whole matter was resolved in two hours? The client was satisfied and no hearing was ever held on the matter.
    There was a deterrent effect; that is the theoretical element. The provincial commissioners use it very prudently, but it is a power that prevents abuses and deviations. In an actual case, it would make it possible to prevent backlogs, which have become characteristic of many organizations similar to the Commissioner's office.

[English]

    Do I have any time?
    Do you have one more quickie?
    It's not a quickie, so I'll pass.
    All right.
    Mr. Hubbard.
    Thank you very much.
    Good afternoon.
    In part of your submission you say that the incumbent has a position of prestige or moral.... I think you said she could bark but she couldn't bite. What pieces should she have--or what should he have--to be able to bite?

  (1620)  

[Translation]

    There are two things that I am sure of and that I've already spoken about: the entire problem with these marginal but numerous applications, and the importance of solving the problems of these frivolous, unnecessary, systematic applications, and so on. I think a very clear decision-making power and a power regarding compliance with new obligations could be conferred on the departments and agencies, particularly regarding the privacy assessment. The objective is to ensure that the Treasury Board directives that would become law would be inspected and for it to be possible, at the outset, to rule out problems and errors that, most of the time, result from the fact that there isn't any money to deal with that. So people forget, and those responsible for these matters do not concern themselves with them, very often because they are engineers from the outside, consultants who don't have this privacy culture, although things are changing now, since the private sector act.

[English]

    If I'm a complainant, and I complain, and it's found that my complaint is justified, what would you suggest the recourse might be if it's against a federal department, for example?

[Translation]

    I also think the act should be consistent with the statement of rights. A citizen who requests access to his personal information and does not obtain it can go to court, but everything else is completely eliminated from the rights that are specified in the act, stated in the act. I'm not at all asking that new rights be added, but simply that complainants be able to have their rights respected as they are defined in the act, and that that doesn't remain in a free area, in limbo as it were, where there are recommendations, the matter can't be brought before the courts, and the complainant has his head down.

[English]

    When you look at all of these, it seems as if we're trying to give the commissioner additional powers. With the Privacy Act, as it was defined and as it's being applied across Canada, are there situations where there are too many protections to the individual versus society's best interests? How, as legislators, can we develop a balance between what society needs and the rights of the individual in terms of that privacy?
    For example, today people go before the courts and it's ordered that DNA should be taken from them and filed in a registry. We've never really established that registry. Are there too many rights for the individual, as opposed to the rights of society to know which people are dangers to society and should be included in a public record for police forces or public people across the country?
    Another example is the terrible tragedy at Virginia Tech, where somebody thought they had no right to warn the public of a person who was unstable, and that person created a great episode and tremendous tragedy. What rights does society have to overcome individual rights that would be protected by the privacy legislation?

[Translation]

    On that point, there are provisions in the federal act and in the provincial acts for instances where lives are in danger or serious problems arise. That's provided by the act. Very often, those responsible don't know that or don't dare use those provisions. Parliament, in its wisdom, has put things in place. There isn't an absolute void in this regard. What is the balance between individual and collective rights? That's a problem that, at the outset, stems from the Charter, which defines individual rights and government obligations, with a few collective rights for aboriginal people and things of that kind, but very few. Individual rights take precedence in our society and in our democratic systems. We obviously have to respect that precedence. Individual rights must be protected, even more so, by the political branch. All these rights are defined on the basis of the individual, but relative to political or economic powers in other fields.

  (1625)  

[English]

     Thank you.
    Mr. Wallace, please.
    Thank you, Mr. Chair.
    Mr. Comeau, thank you for coming today.
    I want to clarify something, because the wording is getting thrown around a little here.
    I've been on the committee for a number of years now. The commissioner has not asked for order-making powers, and is still not asking for order-making powers. As one of the recommendations, she is asking for the ability to determine whether an application is frivolous or not, and be able to get rid of it quickly. That's not really an order-making power. In my view, order-making is saying there's been a mistake so you owe a fine--there's a punitive aspect to it. I don't see that in this.
    I read the brief you provided us, but I'm just learning French and need a better understanding. Could you explain the organization you belong to? I don't understand what you do.
    I'm a guest professor at the Quebec National School for Public Administration, and chair of the Centre for Study on Globalization and Public Policies.
    Is that attached to a university?
    Yes.
    What university is that attached to?
    It's at the Université du Québec, and the École nationale d'administration publique is part of the Université du Québec.
    Were you the privacy commissioner for Quebec?
    I was the information and privacy commissioner from 1990 to 2000.
    Does Ms. Stoddart also come from Quebec?
    She replaced me when I left.
    So you both come from the Quebec system, and if I recall correctly, the Quebec privacy commissioner does have order-making powers. Is that correct?
    That's right.
     What can the commissioner in Quebec do in terms of fines?

[Translation]

    The Commissioner can't impose fines. He can impose changes and directives and order changes to computer systems, but he can't impose fines. Financial compensation can be imposed by the courts under the Civil Code.

[English]

     Because of your familiarity with the Quebec system—I have no familiarity with it--do they have a privacy impact assessment program similar to what we have here?

[Translation]

    No. Some departments and some agencies do that. It isn't a rule like that imposed by the Treasury Board Secretariat. I think this is major progress that must be taken and imposed everywhere.

[English]

    So it's not a system that's used there now.
    You mentioned in your introduction that you're an adviser to the current privacy commissioner, but you're not the privacy commissioner in Quebec. Is that correct?
    That's right. As I said in my remarks,

[Translation]

when I left the access to information commission, I decided I would let the new Commissioner do his job and not look over his shoulder.

[English]

    That's very wise of you.
    What influence did you have on the development of those quick fixes, if any?
    I had no influence.
     I'm assuming this document was sent to you, or you at least picked it off the Internet.
    I picked it off the Internet last Sunday.
    Was that the first time you had seen it?
    That's exactly right.
    Okay.
    As an adviser to the current Canadian commissioner, how often do you meet?
    We have two annual meetings.

  (1630)  

     I'm struggling here with the third recommendation on the privacy assessment. She would like to see an obligation through legislation. Do you have any comments to that? Do you think that's the right way to go? Is it actually a requirement, or is there another way of making it happen without having legislation?

[Translation]

    There may be other ways. I don't know. But what I'm sure of is that putting it in the act would compel all departments and agencies to apply those directives in standard fashion and at the same time. That would thus prevent errors, abuses and problems.
    I think that's the beginning of wisdom. The same standard would apply everywhere. The Treasury Board imposes the privacy assessment. Where it observes from departmental reports that those departments have not conducted that assessment or have done it poorly, what will it do? It will go and tell the departments that that's not good and that they need only do better the next time, but the budget will nevertheless be allocated. There's no compelling force. A directive isn't an act. We're playing with a fundamental right, the right to privacy.
    Thank you very much.
    Mr. Malo, go ahead please.
    Thank you, Mr. Chairman.
    Thank you very much for being here with us this afternoon, Mr. Comeau. Your testimony is very, very interesting.
    Before handing over to Ms. Lavallée, who will ask the essential part of the questions in this round, I would like to ask you for some clarification. The Commissioner is requesting the right to exclude or dismiss frivolous applications. It seems to me the word “frivolous” is a bit vague.
    Can you tell me, based on your understanding, what the word “frivolous” means in the current context?
    I'm going to tell you about a personal experience. As commissioner, I had to hear complaints filed by a prisoner whom you all know. Following a heart attack that he had suffered in his cell, he requested access to all documents on the subject held by the prison, the hospital, the doctor and so on. It was an unbelievable job. They had just saved his life—this was the last straw—and he wanted to block the system by means of a request that had no relevance. It was absolutely unnecessary and frivolous.
    There will be no criterion for establishing what a frivolous request is. In your view, will that really be at the Commissioner's discretion?
    There are two answers to that question. There is a limited amount of settled case law on the subject in the provinces, and there's also common sense. That doesn't prevent an individual who is not pleased with the Commissioner's decision from filing a complaint in Federal Court to have that right respected.
    Do I have any time left, Mr. Chairman? Thank you.
    My speech will be in two parts. First, I would like you to react to my comment. It's true that people—among others, the RCMP and the Canadian Security Intelligence Service—have said they more or less agree on the recommendations. They said that those they agreed on were already being complied with. They already have directives that they comply with, that they will continue to comply with, and they don't want there to be an act on the subject. I get the impression it's an old record I've already heard from everyone who comes and sits down here, particularly from the private sector and from people who ask us to change nothing. It's like me telling police officers that I will definitely stop at red lights and that it's not necessary to have an act or to fine me if I go through one. That's the impression I get.
    You have to be aware that the acts that establish fundamental rights are always embarrassing, irritating and annoying for government and the private sector. Constraints are being imposed and burdens added; that's inevitable. However, I think that's the only way to respect citizens and to ensure that what is stated in the Charter and taken up by the Supreme Court corresponds to reality.

  (1635)  

    Now let's go to the second part of my question. Earlier you said you had no criticism to make of the 10 recommendations. I want to be quite sure I understood that those recommendations suit you.
    There's only one that I'm somewhat reluctant about. It's precisely the one concerning the rejection of frivolous requests. That's why I suggest that it be accompanied by a right subsequently to go to court to have individual rights respected.
    Other people have made other suggestions. Let's talk about the quasi-judicial power. Earlier we saw that people use a number of terms on this subject: the quasi-judicial power, the order-making power, the power to compel. No doubt there are others.
    You were Quebec's information commissioner and you exercised those powers. I'm not a lawyer—
    I'm not either.
    In that case, you're a good guy. That's a joke.
    Are those different powers, or do those terms mean the same thing? Earlier you gave a brief enumeration. I would like you to explain each of those expressions and to tell us exactly what they mean.
    Quasi-judicial power is an administrative law term, that is to say that it concerns a right that provides for the intervention of a quasi-judge, an administrative judge, who may make an order. In our system, however, quasi-judicial decisions can virtually always be appealed to the courts. So there is respect in the judicial system in place.
    You can have order-making powers, without being in a quasi-judicial system, which are limited to specific objects. You may grant the power to make orders without making it so the machinery as a whole operates quasi-judicially. That's an adaptation.
    Then, at the other end, there is the pure ombudsman model, in which the Commissioner or the holder of the office may only make recommendations.
    Do you recommend the quasi-judicial option, or the order-making power?
    The order-making power.
    All right. Thank you.

[English]

     Mr. Tilson.
    Thank you, Mr. Chairman.
    I have a very brief question. It has to do with recommendation six in the frivolous section, as it's coming to be dubbed.
    Are there any other jurisdictions anywhere that you know of that define frivolous, or do they all give the commissioner, or whoever is making the discretionary powers, the power to deem something as frivolous?

[Translation]

    In response to your question, it's the case law that has accumulated on the subject and has been confirmed, in certain cases, by the superior courts. I'll cite a specific example: when an individual who is not happy with a decision or recommendation files exactly the same request the following week and repeats it systematically, that corresponds to a frivolous request. It's quite complicated to define that in legal terms. It's a matter of both case law and common sense.

[English]

     Okay, thank you.
    Monsieur Comeau, thank you kindly for your thoughts. I think you've helped us to open it up a little bit more. I have a feeling that in our case, we'll be seeing you again in some capacity because of your experience and expertise. Thank you kindly for your time. I apologize for the brief delay in commencing, but I think we got the important information on the table.
    It's been a pleasure.
    Thank you, and you're now excused.
    Mr. Pearson.
    Mr. Chair, when I was asking the questions of the previous witness, I might have implied in my question that the Privacy Commissioner wanted order-making powers. That was not my intention.
     I appreciated your gentle nudge, Mike. That was great. I was trying to go by what the witness was saying. So thank you.
    An hon. member: It was a gentle nudge.
    An hon. member: Mike's a gentle nudge.
    An hon. member: I was a little shocked at first.
    An hon. member: As opposed to the usual sledgehammer.

  (1640)  

    Okay, I think we're ready.
    Our next witness is Mr. Michael Geist, Canada Research Chair.
    Mr. Chairman, I know we're on to something else, but we're all making statements about order-making powers. My recollection is--and the analysts of the committee can correct--that originally Commissioner Stoddart said she wanted order-making powers. Then Commissioner Reid came and said he didn't want order-making powers. Then she changed her mind.
    No, that's not true.
    Well, there you go. You see, we have another interpretation. I don't know, but I believe at some point in time she said she wanted order-making powers. I'm not too sure now.
    Maybe, but the latest is she does not.
    There you go.
    And she might change her mind.
    Ask her when she comes back.
    Okay.
    We have Michael Geist, Canada Research Chair, Internet and e-commerce law, University of Ottawa.
     Michael, thank you kindly for coming to share a little bit.
    We started a little late, and we started talking about witnesses, and I think we wanted to encourage people to help us really get focused. It's easy to slip into wanting to reform the whole Privacy Act and talking theoretically about the big picture, as opposed to asking what the state of the union is, asking whether we have some problems. There are ten quick fixes on the table for discussion, along with anything else. The committee certainly isn't looking for people to say yes to everything. I think a critical assessment of what is on the table would be very helpful as well.
    Do you have an opening statement?
    I think if you'd like to submit something to us, that's great. Or you could simply leave that with us and then go on to something else. Maybe you can give us a little taste. I've found that the dialogue between witnesses and the members tends to really put some edge to what we're talking about.
    Welcome. I'm going to turn the floor over to you to get us started.
     Thanks.
     I'll speed through this quickly. I apologize for not having submitted my remarks in advance, but I'm happy to distribute them now. Let me just go through this quickly.
    My name is Michael Geist. As you heard, I'm a law professor at the University of Ottawa, where I hold the Canada Research Chair on Internet and E-Commerce Law. I'm also a syndicated columnist on law and technology issues for a number of papers, including the Toronto Star, Ottawa Citizen, and The Vancouver Sun. I served on the national task force on spam that was struck by the Minister of Industry in 2004. And like the prior witness, I currently sit on the Privacy Commissioner of Canada's expert advisory board. I am the editor of the Canadian Privacy Law Review, and last month I launched a website called iOptOut.ca, which has already been used by tens of thousands of Canadians to opt out of unwanted telemarketing.
     I speak today in my own capacity or on my own behalf. I should note that my primary expertise is in technology and Internet law. For the most part, my focus on privacy has been on the private sector side, on PIPEDA and its effectiveness in light of a globalized Internet and emerging technologies. But I must say that since my appointment to the Privacy Commissioner's advisory board, both the importance and inadequacy of the Privacy Act have become glaringly clear. Those limitations have been a constant source of discussion, certainly among the commissioners and many of the task force's members.
    As you may know, I'm very active in researching and speaking out on copyright-related matters. Last night I appeared before the parliamentary IP caucus, where we debated in part whether or not the Copyright Act was as outdated as some critics would claim. While a copyright bill appears imminent, it's noteworthy that since the release of the very first set of recommendations on reforming the Privacy Act in 1987, Canadian governments have passed two major bills reforming the Copyright Act, and multiple smaller bills. So if the Copyright Act is out of date, I think the Privacy Act is positively ancient by comparison.
    In deference to the notion of drilling down, I want to focus on five primary areas of concern, and I'll pick up on the recommendations made by the Privacy Commissioner that I found to be most compelling.
    First is the issue of education and the ability of the commissioner to respond. I think that part of the failure to engage in meaningful Privacy Act reform may be attributable to the lack of public awareness of the law and its importance. The Privacy Commissioner has played an important and, I have to say, increasingly innovative role in trying to raise awareness and educate the public about PIPEDA and broader privacy concerns. I think the Privacy Act deserves no less, in terms of the kind of educational role that we could have. Moreover, the notion of limiting reporting to an annual report I think clearly reflects a bygone era. We're in a 24-hour news cycle, and any restrictions on the ability to disseminate information, particularly information that might touch on the privacy of millions of Canadians, such that it remains out of the public eye until an annual report can be tabled, need to be reformed so there's power to disclose the information in a timely manner.
    I'll also focus on the issue of strengthening protections. As this committee has already heard, I think there are few, if any, privacy experts out there who would argue that the current Privacy Act meets the standards of a modern privacy act. At a time when I think the government is expected to be a model role player in this, it is instead finding itself doing far less than the private sector.
    You've heard of several areas for reform. I'll focus on just a couple. One is the issue of the limiting collection principle—this “necessity” provision that has been talked about. I think it's a hallmark of private sector privacy law. Government should similarly be subject to collecting only that information that's strictly necessary for its programs and activities. I think that could play a role in a range of issues--identity theft, for example, which has taken on a growing importance and a growing amount of concern within our communities. It's an issue where, if we limited the amount of information collected and disseminated, we could have a positive impact.
     I'd also argue that Federal Court reform, which has been raised, is something that ought to be considered, broadening it to include complaints beyond refusal to provide information, and the power to award damages, which all weigh into the issue of order-making power here as well.
    I believe that the commissioner ought to have order-making power. It may be that she currently feels that's not necessary. My position on PIPEDA reform is that the commissioner needs order-making power. It's my position in some ways to be consistent, and I think that order-making power is appropriate here as well—even if, at the moment, the Privacy Commissioner doesn't feel that power is necessary. I think it would be helpful.
    The third issue is that around third-party disclosures. In this current globalized “flat world,” the Friedman term, data, as we all know, moves easily between jurisdictions. Governments at both the federal and provincial level will be, and are, increasingly outsourcing data for efficiency purposes and other means.

  (1645)  

     Our privacy law needs to keep pace. An accountability principle is essential that makes clear that with the collection of that data by government, the government then remains accountable, regardless of where that data may flow.
     Moreover, I would agree with those who have recommended a formalized approach to transborder information sharing agreements. That is needed. While some of those agreements may already be in place on an informal basis, I think an approach similar to what we see in the European Union, with an adequacy standard, and making that more formalized, would be valuable.
    The fourth issue, and one that has been raised, I believe, by this committee in the past, is the issue of security breach disclosure requirements. It's something that has become readily apparent as being necessary in the private sector world. As you well know, there is currently work under way to try to deal with that within the PIPEDA framework. I think a similar provision would be valuable within the Privacy Act as well. Indeed, one could make the argument that given the absence of strong security standards in the act, it's even more essential.
    Finally, there is the issue of privacy impact assessments. Privacy, of course, touches us in many ways, and it's implicated in many pieces of legislation--sometimes where you least expect it. The Privacy Commissioner has regularly appeared before committees, but I think that leaving it to the point where it's already before a committee and having the privacy commissioner deal with it runs the risk of having privacy be little more than an afterthought within pieces of legislation. From my perspective, it's more important to ensure that there is some sort of impact assessment--frankly, before the legislation is even tabled.
    To return to my concerns associated with copyright, this privacy commissioner, as well as several other provincial privacy commissioners, has already spoken out about the privacy impact of potential copyright reform. As legislation is imminent, we know there's no sense that those issues have been factored into the legislation. I think those kinds of things could be better addressed by raising them up front, as opposed to a later date.
    I'll stop there, I think. I welcome any of your questions.
    Super. I think that's a good start.
    Mr. Hubbard, followed by Madame Lavallée.
    Thank you very much. It seems that you have an excellent grasp of all this.
    When you think about privacy--and there's such a big world out there, and so many people holding information--how can an individual be really definite that his or her privacy is protected?
    As an example, the other night I was calling about my credit card, and I wound up with a call centre in India. That is a TD credit card, and someone in India has my privacy. Now, even if I had the right to retrieve it, what assurance do we have in the Privacy Act, whether it be a government department or some outside source, that it is protected? How do you ever clean up your privacy file? Most of us have been around for a while, and there's all kinds of information out there that somebody has on us.
     As a researcher, I suspect you have a number of graduate students helping you with all this work you're doing. What information could you offer to our committee in terms of how we restrict and control information on people's privacy?

  (1650)  

    The short answer--and I think for some the rather depressing answer--is that there are no absolute assurances. I think the current environment, where our personal data does traverse national borders with ease, to the point that your information is in different parts of the world, often without your direct knowledge, is a reality of this current globalized world.
    I don't think, though, that means we take the proverbial Scott McNealy approach. He's the former CEO of Sun Microsystems, who said you have no privacy, get over it. There are people who can choose to say they don't want that information shared, but in a sense they forfeit, or they are forced to surrender, some of the benefits the globalized world provides.
    I think most Canadians are comfortable with a certain amount of risk. Sometimes they're aware of it; many times they're not. But they recognize that there are benefits to even some of the outsourcing you've just described. They're comfortable knowing that does create a certain risk. But I think that then creates an obligation, from a regulatory law perspective, to create as many safeguards as we can within the realm of ensuring that we maintain some of these efficiencies.
    Law doesn't become irrelevant in the scenario you've just described; it becomes more relevant than ever. It becomes more important than ever to ensure that our privacy legislation, while not providing anyone with an absolute certainty about protection of their privacy, at least provides some measure of assurance that those who are good actors know they have certain obligations in order to ensure they're complying with the law. And we have to ensure that the law sets the right kinds of obligations.
     As a researcher--and we look basically at our federal institutions--how would you say we should ever go about cleaning them up? Would there be directives that departments should have on how to ensure that information is first of all protected, and secondly that it would be destroyed if it's not relevant?
    It's not unusual that you would call a government department, and they would say that you have called six times before on certain dates. All the information is somewhere in a big data bank that departments have, and I would suspect they don't share it from department to department. Maybe they do between Revenue Canada and say Service Canada under the EI legislation.
    What concerns would you have, and what might you suggest could be made as a part of a mandate to ensure that individuals have their privacy at least safeguarded, and maybe withdrawn?
    I think we talked the other day here about somebody who had smoked a joint back in 1974—
    An hon. member: It must have been Charlie.
    You did it, Charlie.
    You didn't inhale.
    I maybe didn't exhale.
    But even though you get a pardon, and you apply, it's still somewhere in your record. How do you protect yourself in terms of that sort of information? Should there be a point where it is destroyed or it's taken out of your government files?
    Certainly you find in countries around the world that many of the standards of privacy legislation are derived from the same basic principles, many of them from the early 1980s with the OECD. The notion of the destruction of documents, that you're going to flush certain personal information at some point in time, is part of those standards.
    The broader question you've asked is how you develop the kind of privacy culture within the federal government that provides at least a greater level of assurance that people's privacy is adequately protected. I note that I think our private sector companies face precisely some of the same kinds of challenges, with larger companies having data housed in subsidiaries and in different parts of the company. There is the front person, who is speaking to you on the phone. Are they going to respect the privacy appropriately, and are other people who have access to different pieces of information?
    It starts in a number of ways. One is to prioritize, and make clear that privacy culture is something that matters, and that there is an expectation that no matter where you come from within that broader bureaucracy, whether you're the person providing call centre assistance or someone who is making larger decisions, those privacy obligations will be respected.
    But how do you begin to even imbue that? It starts with the legislation. If the legislation itself is seen as somehow substandard, and it doesn't even come up to the same level that, as I mentioned, our private sector companies are facing, I would argue that sends a message in itself. It sends a message that somehow we're comfortable with decades-old out-of-date legislation, and perhaps those privacy interests simply aren't that important.

  (1655)  

    Okay. Thanks.
    Madame Lavallée, please.

[Translation]

    Good morning, Mr. Geist. You hold the Canada Research Chair in Internet and e-commerce law. Are you more familiar with the Personal Information Protection and Electronic Documents Act or the Privacy Act, the one we are studying? Which of the two do you know better?

[English]

    My critics would tell you I'm not well informed about any of the above.
     I would say that I've come to the privacy issue from a technological perspective. What I have found in the five years I have been the chair and in the about ten years I've been at the University of Ottawa focusing on these issues is that if you're going to focus on the digital environment and on emerging technologies, things like copyright and telecommunications and fundamental things like privacy are inseparable. They form a core part of this emerging environment, so you have to focus on it.
    Between the Privacy Act and PIPEDA, as I alluded to in my remarks, I'm more familiar with PIPEDA than I am with the Privacy Act. I've been on the Privacy Commissioner's advisory board for a couple of years, and in the course of its meetings and in being the closing speaker at the International Conference of Data Protection and Privacy Commissioners in Montreal last fall, I have become so aware of the importance of the Privacy Act, as I mentioned, that I felt it was appropriate to come and speak to it, because so much of what the Privacy Commissioner is concerned with becomes so essential.

[Translation]

    If I understand correctly, what you're more familiar with is the technological field.

[English]

     I think that's right. That's why I focused on things like cross-border data transfers, security breaches, and the like.

[Translation]

    The documents I'm reading for the purpose of our study state that this act should be amended based on new technologies that are emerging, but that we don't yet know about. Perhaps an expert like you can see what's coming, in addition to the Internet. I say that to you in the most naive way possible.

[English]

    Anybody who tells you they know for sure what's in store is probably lying, or just guessing at best. What has become clear--and we certainly see this from jurisdictions and privacy commissioners from around the world--is that we are collecting ever more data. The ability to access that data, regardless of location, is something that technology has changed quite dramatically, and something we now have to factor into the kind of frame in which we live. The kind of data we have access to, DNA data and other sorts of biometric information, is the sort of data we didn't previously have access to. The impetus to collect new forms of data through this technological world comes up as well.
    I think, for example, of CCTV, the closed-caption television cameras. I did one of my degrees in England at Cambridge University, and one became almost laissez-faire about having a camera around every corner. I know there are plans to install some of those cameras as part of the Vancouver Olympics in 2010.
    So technology is increasing our capacity to collect this information, and disseminate and distribute it on a global basis. On whether we need reforms that address specific technologies or instead rely more heavily on the core principles, and ensure we have a principle-based statute that reflects the broadly accepted principles, in many ways the latter is better, because predicting with any kind of accuracy what this technological environment is going to look like a few years from now is really just a guess for everybody.

  (1700)  

[Translation]

    All right. I understand that we can't predict it, but perhaps there are people who already know how those technologies will develop. Perhaps we should focus more on that. How will we use that technology to obtain even more information on individuals?

[English]

     I think we do have a sense of where we are moving from a technological perspective--at least how it's going to impact privacy. There is broad agreement on the fact that there is a scope for greater collection, greater use. Some of that is very good, but there are some potential negative consequences. I wouldn't say I'm convinced there is a necessity to try to update a law with a specific technology in mind. If we take a look at some other areas where there have been attempts to do that, we invariably find that we either guess wrong or render the statute, at some time, out of date yet again, because the technology itself has moved much quicker than the law possibly can.

[Translation]

    I'd like to go back to the recommendations you made. I took note of them. You talk about the Commissioner's 10 recommendations in the same order, but it seems to me you're generally quite in agreement with all those recommendations. Is that correct?

[English]

    There are a few I didn't highlight because I don't feel I'm in as good a position to make that kind of recommendation. You were talking with a witness earlier about the discontinuance of complaints. I have some concerns about that in the context of PIPEDA. I have similar concerns about it in the context here, knowing that for many individual Canadians this is effectively the only form of recourse. Unless we have some very clearly articulated standards we run the risk of having someone who feels their complaint is legitimate, someone on the other side reaching a different conclusion, and the first individual leaving themselves with effectively no real recourse.

[Translation]

    You spoke briefly about the order-making power that you would grant the Commissioner. Can you tell us more about that?

[English]

    As I mentioned, I focused on that, both at PIPEDA and here as well. From my perspective, the Privacy Commissioner plays a critically important role in ensuring adequate enforcement, from both private sector and public sector perspectives. On the private sector side, issuing nothing more than non-binding findings isn't good enough, and I think order-making power would be more valuable.
    In the context of the Privacy Act, I must admit that the power of moral suasion that the commissioner might well have might well be more effective with a government department than it would be with a private sector entity. I think both from a consistency perspective and for those instances in which you effectively have a standoff between a department on the one hand and a privacy commissioner on the other, order-making power might well prove valuable.
    Mr. Van Kesteren, please.
    Thank you for appearing here.
    I want to continue on, just quickly. I was going to pursue the line of questioning on order-making power. We talked about teeth. How many teeth should the order-making power have?
    I think the prospect of fines and the like may have some impact, but I think a conduct-based order-making power is more essential. Both in a private sector and in a public sector environment, it's the ability to compel certain kinds of action.
    Are you not afraid that we're opening Pandora's box when we give order-making powers, if we say this doesn't work so now we're going to expand that? Is that not just a slippery slope?

  (1705)  

    The Privacy Commissioner has already told you she doesn't want it--
    I'm not worried about this one.
    --so if she gets it, my guess is that there'd be something of a reticence to use it. I think that any person in that position, regardless of who the particular commissioner happens to be, would recognize that ordering another government department to act in a certain way is the sort of thing you would do only in the most extreme of circumstances.
     Indeed, if we can imbue within our federal government that notion of a privacy culture, one that is consistent with the act, one would hope that you'd never need to actually resort to the order-making power. But the fact that it is there I think would perhaps help move some of those cases along.
    Mr. Chair, I'm going to be splitting my time. I do have another question, but I'll split my time with Mr. Wallace.
    I missed the intellectual property caucus last night. I had a previous engagement with the industry committee. You're probably most knowledgeable in that area. Is there not somewhat of a.... I guess I'm trying to understand your position. I'm not disagreeing or agreeing with it. I don't want to do that. I'm trying to understand your position on IP.
    When somebody owns the rights to a game and sells it, then we suddenly take possession of that. Isn't that their personal property? I'm trying to find out how you marry this with whatever information that institution has. Isn't there a little bit of a disconnect there?
    I don't think so. I didn't think we'd be talking copyright, although I'd be happy to do so. I got into a lengthy debate with your colleague Gord Brown, talking about some of those specific issues.
    I actually think there is a consistency, both with the concern for appropriate protections of privacy and with concerns about where copyright legislation may go. A good example of that is the prospect that some technologies--to come back to the question about different kinds of technologies--can be used not only to lock down certain kinds of content but also to extract personal information without the knowledge of a particular individual.
    We've had that in one case, the Sony rootkit case, in which hundreds of thousands of Canadians found themselves subject to both a security breach and fears that their personal information would be sucked out and sent, essentially, to the mother ship without their knowledge. One of the concerns is that to effectively provide appropriate protection, you have to provide someone with the ability to circumvent, to ensure that they can indeed protect their personal information.
    So when I come before you to argue about the essential need for a strong privacy culture, both within the Privacy Act as well as, frankly, within PIPEDA, I think that's wholly consistent with calling for a copyright act that reflects a fair balance between the interests of users and creators.
     I'd be happy to talk about that offline.
     I don't want to use all my time. Mr. Wallace is going to share.
    I have two quick questions about consistency. This may not go right to the act, but I'd like your opinion on this.
    The government, through the Auditor General, notes that 64,000 people have been identified to leave the country, and we have no idea where 42,000 of them are. Some of them have been in my office. Some of them are working, so they need to have SIN numbers. CRA knows who they are and where they're working, but our border security may not know where they are. Do we have the right, from a privacy perspective, to pass information on from one organization to another within government?
    I think it's a question better posed to the Privacy Commissioner, who would ultimately be able--
    Chicken. What's your answer? I want an academic opinion on this.
    Chicken? With respect, I try to speak authoritatively on the issues I know well. To give you an opinion when there are people who are better situated to give you one isn't the best idea.
     I was hoping for an academic opinion on it, but that's okay.
    You have mentioned that you are part of the press, part of the media--you've written for the media. The media has a role in privacy, which I don't disagree with. A source is private between them and the individual in the media. But I find it kind of ironic when I hear from the media that the government isn't as forthcoming as it should be with information, and some of it may have privacy issues attached to it.
    Do we not have the same right to protect, as a government--I'm not saying us as a government, but government in general? Are we not being consistent? The media asks for more information, but they have the right to protect their source. Do we not have a responsibility as a government to protect the privacy of people, even though the media may want to know about the issue?

  (1710)  

    Our access-to-information legislation has privacy protections when it comes to particular personal information, so there has already been an attempt to strike that balance. In many instances the media relies on sources, where people provide information at great personal risk, so I think it's logical that you'd provide a measure of protection for that. In the context of government, if you're a firm believer in an open, transparent, and accountable government, it must absolutely follow that openness is one of the priorities. The ability, not just of the media but of all Canadians, to access that is truly essential, whether it's through the access to information office or something like CAIRS, the database that I think has proven to be so useful to so many Canadians.
    So you think those private protections should lie in the ATI Act and not the Privacy Act, and you agree there should be protection of people's private information in the ATI Act.
    As someone who has been the subject of some ATI requests, absolutely. There are appropriate limits within ATI on that, but at the same time, even in those instances, the obligation falls to the individual to show that the information is subject to an exemption, or that the Privacy Act applies.
    The paramount perspective is one of openness, transparency, and accountability within government. That's the right approach, and it's why I'm a big supporter of ATI and the CAIRS database.
    Thank you.
    Mr. Pearson is next, followed by Mr. Tilson.
    Thank you, Mr. Chair.
    Welcome, Mr. Geist.
    The government of B.C. recently outsourced health information. Are you aware of that?
    Yes.
    Then they got into some difficulties. They changed their public sector act to not allow it to be shifted, and then they ran into difficulties with that as well and had to make further changes.
    Can you help us understand what happened there and how the changes had to be modified, as far as this data-sharing in the outsourcing?
     You've put your finger on what may be unquestionably one of the biggest issues, if not the biggest issue, that our private sector companies, global companies, and our government face. And that's the issue of outsourcing, particularly around sensitive data. The issue is particularly acute in a governmental context when you move towards that outsourcing. Where it was previously just the government that controlled the information subject to something like the Privacy Act, the concerns about what happens when it's in India or elsewhere in the hands of the private sector simply didn't arise.
    As you likely know, in the context of British Columbia, we were talking about arguably the most sensitive information, or certainly one of them, when we talk about health information. There was very real concern that by outsourcing--in this instance, there was a choice between one of two U.S.-based organizations--that suddenly access to that information could fall into the hands of U.S. law enforcement or others. Previously, that simply wouldn't have been the case.
    That presents an enormous challenge. On the one hand, there are efficiencies from outsourcing and value to the taxpayer to outsource in certain circumstances. At the same time, there are real concerns about some of the costs, not costs in terms of what you pay for it, but the broader costs in terms of privacy and other issues that arise in that context.
    The B.C. government, and now some other provincial governments, tried to strike a balance of whether to establish a statute in that regard, or at least create a greater level of accountability so you can achieve some level of protection through contract. That's another potential avenue.
     It's an issue that I think really needs to be at the forefront when you think about some of these outsourcing opportunities. On paper they look fabulous, until you realize there are some costs once you scratch below the surface.
    Just to dig down a bit deeper, when they tried to limit the information going out, that didn't work either, and they had to make modification. Can you go into that modification again?

  (1715)  

    Sure. Part of the concern comes from a technological perspective. There was early talk, for example, of requiring an organization to ensure that the information only resided on computer servers based, say, in Canada, so the information would never physically leave the jurisdiction. The outsourced company could provide some level of assurance that yes, it's in the private sector, but Canadian law still applies and it's going to remain in Canada.
    For many of the major outsourcers, creating that clear distinction, essentially creating a virtual border where the real space borders exist, is challenging if not impossible. Data really does flow that freely. It's difficult to create those kinds of strictures in an environment. Many organizations say they can't provide that level of assurance.
    To go back quickly to the order-making powers--and I'll be kinder to you than Mike was--I'm still grappling with whether the commissioner being given order-making powers assists her or him in triaging the backlog of information. What I'm trying to get to is if they don't have order-making powers, then what is available to the commissioner to triage, to be able to set aside some of these frivolous kinds of things? Is she actually able to do it without order-making powers? What would be required?
    Well, here we get into this issue of how we're going to describe it. I think it's certainly the case that you could create a power, which isn't the order-making power we were just discussing, that could give the commissioner the power to dispense with say the frivolous complaints without at the same time moving the full way towards providing a full order-making power--conduct-based orders. It's really an order-making power in the sense of giving the commissioner's office the power to dispense, to issue an order that they aren't going to continue.
     I see that as something different. I think that was brought up with the earlier witness, and it's certainly within the realm of possibility to do one or the other. If you were to go for the broader order-making power, then certainly I think that would include the ability to dispense with a decision.
    But in your mind, the order-making power would be better.
    In my mind, it would, yes.
    Thank you, Mr. Geist. I appreciate it.
    Mr. Tilson, please.
     Mr. Chairman, thank you.
    I'd like to continue on this topic of outsourcing. I don't know whether you've had a chance to look at the recommendations, but outsourcing may be partially dealt with in recommendation 10.
    There's a paragraph in the booklet that the commissioner provided to us that I find startling. It's on page 29:
However, the Privacy Act does not reflect this increase in international information sharing. The Privacy Act places only two restrictions on disclosures to foreign governments: an agreement or arrangement must exist; and the personal information must be used for administering or enforcing a law or conducting an investigation. The Privacy Act does not even require that the agreement or arrangement be in writing. The Privacy Act does not impose any duty on the disclosing institution to identify the precise purpose for which the data will be disclosed and limit its subsequent use by the foreign government to that purpose, limit the amount of personal information disclosed and restrict further disclosure to third parties. Moreover, the Privacy Act even fails to impose any basic obligations on the Canadian government institution itself to adequately safeguard personal information.
    I just find that an incredible statement. The recommendation simply says that we strengthen the provisions governing the disclosure of personal information.
    I'd like to know how to deal with this.
    There was a book that I read, and I can't remember the name of it, but I think it was called The World Is Flat, by somebody called Friedman, which also scared the heck out of me. It dealt with the very things Mr. Pearson was talking about.
    So then you start asking about what a government can abuse. They can abuse all kinds of things. They can abuse outsourcing. We don't even know what could be done. There's income tax. It could go on and on—police abuse, security abuse, and no-fly lists. People are gradually getting very concerned about this, because all of a sudden they try to get on a plane and they can't get on a plane.
    So in regard to recommendation 10—and I don't know whether you have looked at it or not—how can we make the public feel better about all of these things? The wording that's on that page, or the two pages for recommendation 10, I don't think the average person in this country would really feel very confident about, with its general phrase, well, let's strengthen the provisions.
    How are we going to deal with all of these things?

  (1720)  

    Well, in some ways that's the very question I was asked right off the bat. Do we have no privacy, and get over it, or are there solutions?
    Unlike the environment we lived in when the Privacy Act was first introduced, where much of the privacy may well have been protected, because it was obscured or largely inaccessible, since it was, by and large, in paper form, the environment today is such—as Friedman talks about in his book and as I think is readily apparent to everyone around the table—that data really do traverse instantly around the world.
    There's the story of the person with the credit card in India. I was at a hotel recently in Montreal where I couldn't get onto the Internet, and I called down to the hotel desk and they tried to help me and it didn't work. So they said, let us put you through to tech support. I spent five minutes with this person, who was literally looking at my computer, the IP address and the like; and then at the end, I asked, do you mind if I ask where you are? She was in Warsaw, literally able to look at my PC in real time in another part of the world. So that's an environment that I think in many ways is very scary, but at the same time, it obviously provides a great deal of opportunity.
    Now, what the commissioner is recommending and what I think many people are saying is that we aren't going to take an approach where we're simply going to shut down and not take advantage of these technologies and move data across borders. It doesn't work in the private sector, and it doesn't work in the public sector; it doesn't even work from a government-to-government perspective. And if these are being labelled as quick fixes, there is no quick fix, as it were, to this issue. But what there is, I think, is a starting point to move us toward an environment where we have a greater level of accountability and a greater level of transparency about what some of these rules are, so that when we go in and begin to pass along that information in some instances, or recognize that the information may be put at risk in certain circumstances, we will do so with some sort of framework around that, taking whatever precautions are possible—albeit there is nothing that can provide people with an absolute assurance.
    When you say this sort of stuff is scary, it speaks exactly to the question Mr. Pearson raised in British Columbia. The effect of knowing that people's health information was suddenly going to be elsewhere and subject to the U.S.A. Patriot Act, in an extreme circumstance, is what crystallized in the minds of many that, well, let's hold on a second and back up to see if we've taken all the precautions we need to. The answer in B.C. was no, we haven't; let's do something about it. If people were to ask those same questions in a federal context, I think the answer would again be no, and it's time to do something about it.
     Am I finished?
     Mr. Allen has the last slot, so we're a little flexible.
    Who's he?
     We have seven or eight minutes here. Carry on--you're on a roll. Go ahead.
     I appreciate everything you've said. Some of this stuff may be rather impossible, but there have to be jurisdictions around the globe that have looked at this topic. Do you know of any governments that have looked at this and have tried to create some sort of government legislation to protect us against our own government?
    Many governments have privacy legislation. From an outsourcing perspective, there have really been two schools of thought. One is the accountability principle that you've heard discussed, the idea that whoever collects that information is accountable for it, wherever it goes, which effectively places the obligation on the data collector in the first instance to ensure that no matter where that data goes, it will meet a certain standard.
    The other school of thought is to create a prohibition against data moving across borders unless there is an adequate level of protection in that other jurisdiction. That's the approach that, as you may know, has been adopted in the European Union. There are those who are supportive of it. Others would say that even though it came in the mid-nineties, it still predates the kind of world we live in just 13 years later, and that creating absolute prohibitions on data transfers is just a very difficult thing to do, and that an accountability principle, for all its shortcomings, may better reflect the current realities of both technology and the marketplace.
    Okay.
    Mr. Allen.
    Thank you, Mr. Chair.
    Obviously my personal information hasn't been disclosed, because Mr. Tilson said “Who's he?”, so I should be pretty safe then. I'm safe.
    You made a couple of comments on security breach disclosure, and also on the timeliness of reporting. I just want to follow up on a couple of those.
    Just about a month or so ago we got a letter from a company that my wife had been working for in the U.S. It indicated that a computer with a lot of personal information from a number of employees had been stolen. The letter detailed in infinite steps what happened, roughly when they thought it had happened, and the detailed steps that we needed to take to protect ourselves. While it was traumatic being told that, we were still able to know what the actions were.
    So my question to you is, with something like that in this large government bureaucracy, given your experience, how long would you say it would take to implement something like a breach disclosure requirement? It wouldn't seem to me to be that easy to implement.

  (1725)  

    I'm not sure that it's easy to implement security breach disclosure legislation, but it has been implemented effectively in some organizations in the U.S. that are probably equal or quite close in size to the federal government and are located in multiple jurisdictions with client bases that could rival, in theory, the number of people who might be affected by a security breach from a governmental perspective.
    I don't think it's easy, but I think it's essential. In light of both the concerns around identity theft, as well as to create appropriate incentives for real safeguarding of that personal information, mandatory security breach disclosure legislation has proven by far to be the most effective tool in addressing both of those issues, based on our experience to date in the United States.
    We have certainly seen quasi-public state organizations face those requirements in the U.S. And it's come up, particularly in a university context. Some very large universities--including the University of California, which is one of the largest sets of state universities in the United States--have faced precisely these kinds of issues, and have had to notify literally hundreds of thousands of students and alumni. It's a big obligation, but at the same time the potential costs to those individuals are great as well.
    Do you see that as a complement to privacy legislation, or legislation on its own?
    I just want to see it. I think it's something that could well be put into the Privacy Act. Whether it appears directly within the Privacy Act or is put into place through stand-alone legislation, either way I think it's long overdue.
    Okay. I have one last quick question. You talked about annual reports being from bygone days. And again, I have a little bit of a technology background myself. Looking at the number of information systems and everything else we have in the bureaucracy, how practical do you think that more than annual reporting is, given the resources it would take to actually do that? And when you've seen it in your experience, has it been on a risk-based type of thing or has it been a revolving process? Mechanically, how do you implement a process like that?
    I think even our federal commissioner has already identified alternative mechanisms for educating. The office now has a blog, for example. The issues I'm talking about wouldn't be raised on the blog, but it provides the opportunity to get the information out into the community and get people to start thinking about some of these issues.
    I'm thinking particularly about sort of emergent or sensitive kinds of discoveries or issues that may arise, in which there is a benefit to all to ensure they are made widely available. I'm sure the annual report is well read and taken seriously. When I describe it as a bygone era, I don't mean to suggest we ought to do away with an annual report. It still provides an awful lot of very valuable information on an annual basis about the activities of that office. But when we have certain issues that simply can't wait that period of time, there are mechanisms to ensure that the public and government, at the same time, are made aware.
    Thank you.
    Thank you, Mr. Chair.
    Mr. Wallace.
    Thank you, Mr. Chair.
    I want to apologize to Mr. Geist. It was a tongue-in-cheek comment. It was my colloquial way. I didn't mean to offend him. It was just for fun.
    He's a mean man.
    It wasn't meant to be negative in any sense. I have a lot of respect for Mr. Geist. I've seen him before--
    He's not a chicken, and you're going to eat crow.
    Yes, I'm eating crow. I apologize.
    I think this has been a very good session.
    Michael, I try not to participate too much. I was really trying to keep open on this stuff. We've decided to start with a band-aid approach, and try to not mess things up while we find out how serious things are and how serious a commitment we have to make.
    Are we on the right track? Should we do something like a quick fix? Do we have a big problem, or are you comfortable that even though the act hasn't been touched in 25 years, it's still meeting the public interest?

  (1730)  

    I think because it hasn't been touched in 25 years, you're on the right track. Experience to date has left many discouraged about the prospect for broader reform, so improvements, even if incremental, are better than nothing at all. We've literally had nothing for decades.
    Of course, as you know, we have the same problem with the Access to Information Act.
    Thank you kindly for sharing your words of wisdom with us. You're excused.
    Colleagues, when we come back on the 27th we will have the Minister of Justice and officials for the full meeting. I hope you'll have an opportunity to prepare for a rigorous meeting.
    On the witness expenses, we need $18,500. I'll ask for approval of the committee to submit a request for the budget.
    Some hon. members: Agreed.

[Translation]

    What do we do about the witness list?

[English]

    I've given you all the lists I have for your information. Speak to me if you want to have somebody urgently. We'll talk to you when we come back about who we have, and consider any further witnesses you want.

[Translation]

    All right. That will be in four meetings?
    That will be in four meetings.
    In six meetings.

[English]

    We have only four remaining. We have the Minister of Justice and officials at one meeting. The Bar Association and the criminology is another meeting. We have two provinces coming, so that will be another meeting. Corrections, etc., will be the fourth.
    Do you want somebody else added in there?

[Translation]

    No. If I want to summon someone else, I'll write to the clerk next week.
    All right.
    Thank you.

[English]

    The meeting is adjourned.