INDY Committee Meeting
Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.
For an advanced search, use Publication Search tool.
If you have any questions or comments regarding the accessibility of this publication, please contact us at firstname.lastname@example.org.
STANDING COMMITTEE ON INDUSTRY
COMITÉ PERMANENT DE L'INDUSTRIE
[Recorded by Electronic Apparatus]
Wednesday, February 17, 1999
The Chair (Ms. Susan Whelan (Essex, Lib.)): I'm going to call the meeting to order.
Pursuant to an order of reference of the House dated Tuesday, November 3, 1998, this is consideration of Bill C-54, an act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.
I'm very pleased to welcome here today our witness from the Information and Privacy Commission of Ontario, Ms. Ann Cavoukian, the Information and Privacy Commissioner.
I would like to apologize for the delay and I'd also like to apologize for the fact that our members from the Bloc won't be with us today, because Mr. Dubé's father passed away and they're at the funeral this afternoon. Also, the Information and Privacy Commissioner from the Province of Quebec cancelled last night, so we apologize again for not giving you advance notice of that.
That being said, we now welcome your opening statement.
Ms. Ann Cavoukian (Information and Privacy Commissioner of Ontario): Thank you very much.
Good afternoon, Madam Chair and members of the committee. Thank you very much for inviting me to speak today before you to address this very important piece of proposed legislation, Bill C-54, which will have a significant impact on all Canadians in both their professional and private lives.
I have brought with me today a separate written submission addressing a number of issues that we believe this legislation should address. It is likely that many of the items raised in our paper will have been mentioned by others or will be the focus of amendments. We are thankful that a debate such as this is taking place on such an important piece of legislation and that all points of view are being considered.
Last December, when my assistant commissioner, Tom Mitchinson, appeared before you in my absence, he detailed the current state of privacy legislation in Ontario. I will not repeat what was said about the history of the Ontario Information and Privacy Commission, its role or mandate, or any of the particulars of our acts, but I'd be delighted to answer any questions you may have in that regard.
My remarks today will be confined to addressing a limited number of issues we have identified regarding the potential privacy implications of Bill C-54. By keeping my remarks relatively short, I hope we can engage in a meaningful dialogue on some of the issues of particular interest to the members of the committee.
As Assistant Commissioner Tom Mitchinson noted last December, it is our view that Bill C-54 is an excellent first step in providing protection of personal information held by private sector organizations. Ladies and gentlemen, we need this bill, and we need this bill now. Please do not delay its passage.
It is important to note that the introduction of this bill is taking place within a much larger international context. Canada is far from being alone in seeking to establish stronger measures to protect the personal information of its citizens. Indeed it is incumbent upon Canada to take the necessary measures to address the European Union directive on protection of personal data, which came into force last October.
While our American friends are pursuing a different path in their efforts to achieve a privacy regime that will be deemed adequate—a far less stringent, much weaker path—we Canadians believe a legislative response will be the most appropriate one.
In many ways Bill C-54 is a 21st-century response to the realities of electronic commerce. More important, though, it is founded on the basic premise that protection of privacy is a fundamental human right that must be upheld by our government and our legal system.
In order to stress the importance of these privacy rights, it is recommended that the primacy of this legislation be asserted. Subsequent acts of legislation must not be allowed to chip away at the protections afforded by this bill. The assertion of primacy will also assist in the judicial interpretation of the act should it come under review or appear to be in conflict with any other acts.
As you know, poll after poll, survey after survey, indicates that the public is calling for the extension of these privacy protections to the private sector, both to address general privacy considerations and now to address the new issues associated with electronic commerce.
Given the ever-widening scope of e-commerce, we support measures to ensure that personal information held by all organizations is covered by the legislative protections, regardless of whether the organization's primary business is commercial in nature.
We recommend that the coverage of this bill be extended to include all private sector entities, such as non-governmental organizations, the non-profit community, self-governing bodies, and associations, regardless of whether they are primarily involved in conducting commercial activities.
We agree with the position of the Minister of Industry that the provinces are to be encouraged to adopt comparable harmonized provincial legislation. To that end, I have recommended that the Government of Ontario do so and I have written to the premier and urged him to do so, to ensure that personal information held by all private sector parties is subject to appropriate privacy protections.
We are well aware of the concerns raised by some regarding the possible application of federal law to the provinces, challenging the constitutionality of such a measure. However, we do not believe the focus of our attention should be diverted from the task at hand, namely, establishing a law providing privacy protection in the private sector. Please, let's avoid the mistake of getting mired in a debate around issues that shift our attention and our concern away from the primary goal of this bill, namely, establishing a means by which to protect our citizens' privacy in all arenas, which must include the private sector.
It is important to note that the public and many in the business community are supportive of laws that clearly detail measures for the protection of personal information, provided that organizations are all on a level playing field. It is extremely important that there be a level playing field, that no one group face unfair burdens that would put them at a competitive disadvantage.
It is also important to note that a number of businesses themselves have called for privacy legislation for the private sector. This may be unprecedented. Many private sector organizations contributed to the development of the Canadian Standards Association's model code for the protection of personal information and have in fact voluntarily been using this code as part of their daily business practices for a number of years.
If time permits, afterwards, during question period, I would love to give you a little bit of the background of the development of the CSA code, how much effort went into it, and what a consensus-building process it was.
I'd like to point out that both the Ontario provincial Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act base their privacy protection rules on the widely acclaimed code of fair information practices. As you know, these fair information practices were developed by the OECD around 1980. These same principles subsequently became incorporated into the CSA model code and are the basis for privacy legislation in virtually all jurisdictions around the world.
As I'm sure you're aware, the general public is very much in favour of strong protections for their privacy and for their personal information. A 1998 Angus Reid survey found that 80% of Canadians believe their personal information should be kept completely confidential except in very limited circumstances. In response to this public concern, many companies are developing and publicizing their own privacy codes on a voluntary basis.
As information becomes an increasingly valuable commodity and technological developments enable powerful yet inexpensive data-mining exercises and facilitate easy access to all types of information about us all, it is all the more important to ensure that personal information, wherever it's held, is strongly protected.
The rapid advances in information technology reinforce the need for very clear rules governing the collection, use, and disclosure of personal information. Consent, when given, must be explicit. Consent must also be informed and given freely wherever possible. Furthermore, consent must be revocable. Any exemptions to consent must be narrow and explicit.
We are very pleased to see that the federal Privacy Commissioner, Mr. Bruce Phillips, will be given a greatly expanded role under this legislation. This will be much needed in order to perform the required functions. Please give him the money he needs, and give him lots of it—he's going to need it, I assure you—to accomplish the goals set out in this bill. At such time that our province introduces its own legislation, our agency would be looking forward to performing a similar oversight function in Ontario.
We are pleased to see that the proposed legislation gives the federal Privacy Commissioner a mandate to develop and conduct information programs to promote the public's understanding of the issues. This is at the heart of the legislation and of this entire exercise. This is an extremely important role to perform. Only an informed citizenry is able to truly understand and consent to various activities involving their personal information. Ignorance is the enemy. We need an informed, actively engaged public.
Further, I'm pleased that the bill calls for a mandatory five-year review as a means of judging the overall effectiveness of the legislation in practice. This review to analyze the working of the law in practice, on both a federal level and a provincial level, would note which provinces, except for Quebec, have adopted corresponding legislation and where any gaps or omissions may appear in the country's privacy coverage.
When passed, Bill C-54 will significantly increase the privacy protections afforded to all Canadians under the law. The members of this committee have a very important role to play to ensure that the bill can in fact achieve the goals it sets out in principle.
I appreciate the opportunity of appearing before you today. I hope my comments are of some assistance, and I would be glad to answer whatever questions you have.
Thank you very much, Madam Chair.
The Chair: Thanks very much, Ms. Cavoukian.
I'm going to turn it over to questions. Mr. Pankiw.
Mr. Jim Pankiw (Saskatoon—Humboldt, Ref.): So the province of Ontario doesn't currently have legislation?
Ms. Ann Cavoukian: Not for the private sector. The legislation we have applies to provincial and municipal governments.
Mr. Jim Pankiw: Okay, but you're saying that kind of legislation could be forthcoming.
Ms. Ann Cavoukian: My hope would be that when Bill C-54 gets passed, as required under the bill, in three years' time, it would extend to cover the provinces, unless the provinces had introduced their own legislation. We believe a made-in-Ontario solution for the private sector would work better than a national solution, so I am optimistic that our government would introduce such legislation, harmonized to the federal bill.
Mr. Jim Pankiw: Why would you want to have two levels of government enforcing legislation to accomplish the same thing?
Ms. Ann Cavoukian: Because it's extremely difficult to have a confused public. The public in Ontario is used to calling us for complaints or compromises of privacy relating to public sector matters, to government matters. They are accustomed to having us as the group they normally contact.
During the past 11 or 12 years, we have had numerous calls relating to the private sector. In fact now we probably get as many calls about private sector concerns as we do about public sector concerns. We're not in a position presently to address the private sector concerns, and unfortunately have to refer them elsewhere. I don't want to refer them elsewhere.
Mr. Jim Pankiw: That answers it from the perspective of the province, but it still seems to me that you'd have federal and provincial legislation. You'd have a federal Privacy Commissioner and a provincial one effectively doing the same thing, wouldn't you?
Ms. Ann Cavoukian: But that's exactly what we have now. We are accustomed to that. We have a federal Privacy Commissioner; we have a federal Information Commissioner. All of the larger provinces have single information and privacy commissioners. That is the regime we presently operate under. It seems to work quite well. There is a considerable degree of cooperation among commissioners in various jurisdictions, and that cooperation would need to continue in order to make this bill a success.
Mr. Phillips is going to have his hands full dealing with federally regulated businesses, jurisdictions, and companies. It's a very large country. It would probably be to his benefit to have some complementary legislation—as there is in Quebec, for example—and oversight in the jurisdiction where the complaint originated.
Mr. Jim Pankiw: So the difference then between you and the federal Privacy Commissioner would be a jurisdictional thing, whether it's a provincial business or federal?
Ms. Ann Cavoukian: That's how I would see it. I haven't completely worked it out, but that's how it certainly operates at the public level.
Mr. Jim Pankiw: So how would it be determined in businesses where there's some confusion or disagreement as to which legislation they should be subject to?
Ms. Ann Cavoukian: We would have to work that out. I don't have an answer for you immediately, because I'm not certain what would delineate....
We could probably agree to some set of ground rules on what's federally regulated and who regulates them. For example, real estate agents are provincially regulated. We would see who's the regulating body. I'm sure there are measures we could use to make that determination.
Mr. Jim Pankiw: So if provincial legislation is enacted that differs in some area from the federal legislation, which in your mind would or should take precedence?
Ms. Ann Cavoukian: I believe the language of Bill C-54 is such that the stronger of the two—not the minimum standard, but the stronger of the two pieces of legislation—would prevail.
Mr. Jim Pankiw: So conceivably then Ontario could enact stronger legislation than the federal legislation and than any other province in Canada, and that would prevail?
Ms. Ann Cavoukian: That is my understanding, yes.
Mr. Jim Pankiw: And you're comfortable with that?
Ms. Ann Cavoukian: I'd be delighted if we had stronger legislation, but I would be very pleased just to have legislation in three years' time.
Mr. Jim Pankiw: Thank you.
The Chair: Thank you, Mr. Pankiw.
Mr. Walt Lastewka (St. Catharines, Lib.): Thank you, Madam Chair.
First of all, I want to thank you for your report and for the additional items you spelled out on what could be changed in the suggested wording.
I have a couple of questions. Does your Ontario privacy legislation now have jurisdiction over other statutes, or can other statutes remove its impact?
Ms. Ann Cavoukian: If the other statute explicitly identifies and excludes itself from our statute, then we do not have jurisdiction. But the other statute would have to explicitly have a clause saying it was exempt from the Freedom of Information and Protection of Privacy Act. If it was silent on that, then our act would apply.
Mr. Walt Lastewka: Do you have much legislation that allows that?
Ms. Ann Cavoukian: There is some, and increasingly there may be others. One of the concerns we have, actually, and why we want private sector legislation so much, is that more and more, with the move to privatize government organizations, organizations that would have fallen under our jurisdiction no longer fall under our jurisdiction.
An example was in the paper today. Ontario Hydro, as you know, is being divided into two private sector organizations. We had very strongly asked that they fall under our jurisdiction, as the previous Ontario Hydro fell under our jurisdiction. And we've had a number of cases involving Hydro where I believe it's been beneficial to the public.
We have not won that battle. The new Ontario Hydro, the two organizations, will not fall under our legislation any longer. All the more reason to have private sector legislation that could capture them.
Mr. Walt Lastewka: Can you tell me about complaints regarding getting access to information? Are fees attached in your legislation, and has that been a problem?
Ms. Ann Cavoukian: Initially there were no fees. A few years ago fees were introduced at the request level. When a member of the public makes a request for information at a ministry, for example, there's a $5 application fee. That in itself I don't think has been much of a deterrent.
The greater deterrent has been, in our view, the appeal fee that now exists. If you're refused access to your information and you appeal to our office, there's now a $25 appeal fee for general freedom of information records and a $10 appeal fee for personal information records. That may not sound like a lot, but we believe it has had a deterrent effect.
Mr. Walt Lastewka: Have there been abuses in the system and that's why there are the additional fees?
Ms. Ann Cavoukian: Cautiously, yes, if you had absolutely no application fee.... If you were going to go and put in a hundred frivolous requests for information and there were no fee associated with it, then you might be more likely to do it. You're not going to do it if you have to pay $5 a shot and that's $500. So perhaps there was a need for that at some level.
I don't think there's any need for an appeal fee at all, and I regret that there is one.
Mr. Walt Lastewka: I notice you commented that we should have this legislation and do it now and not delay the passage. Do you see any problem with the province harmonizing with the federal legislation? Are there things in Bill C-54, as you have seen them, that don't allow harmonizing of one province with the federal government?
Ms. Ann Cavoukian: No, I don't see any problems to that effect. In fact, because Bill C-54 is essentially built on top of the CSA code, that is a very strong factor in its favour.
The whole process involved in the development of the CSA model code for the protection of personal information was a consensus-building one. It took four or five years. I was at the table, as were many sectors from industry. The bankers were there, the Insurance Bureau of Canada, the telephone companies, the cable companies, representatives from the federal Privacy Commissioner, consumer groups, Industry Canada—a lot of people were at the table.
It took a long time to craft this product, but when the final product came out in 1996, it had immediate buy-in from all of these organizations, from business sectors, and from the Direct Marketing Association, which you would normally think would not support this. They supported it immediately and introduced the codes into their own organization.
So you already have, in the major business sectors, approval and support for the CSA code. This is no small thing in areas where you have to convince business that they should be protecting privacy and protecting information. So it is a great advantage of the bill that it is built on top of the CSA code, which forms its foundation and has the acceptance and trust of many groups within business. You're going to have an immediate buy-in, and it's not much of a stretch that it's now going to be legislated. Yes, there will be a few changes, but you're not going to have the selling job you would have otherwise, and that's an extremely important feature.
Mr. Walt Lastewka: In your testimony, you've also mentioned the importance of education and the importance of making sure the commissioner has enough funds to do the educational process. I take it that educational process would be tied in with all privacy commissioners across the country. What type of education budget do you have for educating people?
Ms. Ann Cavoukian: That's a good question. We have our budget, and we don't, that I'm aware of, have a demarcation for how much of it goes to communications and education. But I can tell you I probably spend at least half of my time in that capacity. I give dozens of speeches, maybe 40 or 50 a year. I am constantly appearing before groups. I do hundreds of media interviews.
We have an extensive public education process, where we have publications that we produce annually and quarterly. We have brochures. My staff are encouraged to go out and speak to groups. We have a new program, starting this year actually, on access and privacy rights in the schools, targeted to grade 5 students, 10-year-olds.
We spend a great deal of time on this. I can't give you a dollar figure. I can look into it and get back to you on that, but I certainly know the majority of my time is spent on that.
Mr. Walt Lastewka: I know from having some discussion with Mr. Phillips that he feels that is a very key item and that ignorance is our problem in the privacy connection right now, and that unless there's good education, the message just won't get through. That's why I was asking about the time you spend on education.
Ms. Ann Cavoukian: I agree with Mr. Phillips completely. Nothing could be more important in this bill than that aspect of it, because you have two hurdles: you have to educate the public and you have to educate the business community. Both of these are formidable tasks, because your countervailing forces are technology and the Internet and the rapid advances, which are unprecedented.
You have this message being imparted that information wants to be free and about data integration and connectivity—“Let's put everything together and link everything.” That's the message. The genie is out of the bottle.
We are trying to place some controls on that and to educate the public as to the consequences of having no controls. Why, in a free and democratic society, are the right of privacy and the right to be able to control the uses of your information so important? This is critical. Most people haven't turned their minds to this, unless something has happened to them specifically to cause them some duress in this area.
It is a huge task, it's an extremely important one, and it's one that people are going to need, especially going into the next century, in order to protect themselves and protect their own information, because we're not going to be able to do the job entirely for them. So you educate the consumers, who can then educate themselves and their families on what to look out for.
Mr. Walt Lastewka: I'm only sorry that our colleagues from the Bloc are not here to hear your testimony on having done all the work on the CSA standard and having buy-in. I know, having worked on the other side of the House at times, that having the CSA standard will make it that much easier for businesses to get on with getting the job done, because you won't have to get unanimity. The CSA has had that process completed.
Ms. Ann Cavoukian: That's exactly it, sir.
If I can add one point, in order for this bill to succeed, you must have businesses self-regulating, in effect. Yes, you're going to have an enforceable legal right to privacy in this bill, but unless you have billions of dollars devoted to policing the bill, you have to rely on the good faith of those who have to follow the bill. The way you do that is to make sure you have some buy-in, that you have taken in the interests of the other side—namely the business community—in a way that is manageable, that is built on compromise, and that they can live with. If they can live with it, they'll do it, they'll do it on their own, and they'll do it better than you and I can make them do it.
So some self-regulation has to be built into this so that we can then do a higher level of enforcement, compliance, and audit. But you can't rely on the audit powers, for example, to make it happen. It just doesn't work that way. Again, that's the part about educating the public and educating business on why it's in business' best interests to do this.
I talk to business all the time. I've spoken to four out of the five major banks several times on this issue, and the message I repeat again and again is that it is in their best interest, as a business, to protect their customers' privacy, not just in my best interest. When they understand that, as they do, it's the “Aha!” phenomenon: they get it and they want to do it. That's critical here.
Mr. Walt Lastewka: Thank you.
The Chair: Thank you, Mr. Lastewka.
Mr. Pankiw, did you have any more questions?
Mr. Jim Pankiw: Yes.
Do you anticipate or have there been any projections as to how many complaints you'll have to deal with, or how much investigation and auditing—in other words, how much compliance there will or won't be?
Ms. Ann Cavoukian: That is an extremely difficult figure to arrive at. I'm sure Mr. Phillips has done some of that, and I would check with him. I have not.
What I would say is if you have to make a choice on where you devote your resources, devote your resources to the education and communication part of the function, as opposed to the one-off investigating of complaints.
We do both in my office, and both are very important, but when you investigate a complaint, you have a finding, and half the time or some portion of the time, it's not in favour of the complainant; they're not happy. There's always somebody who's not happy, and then there's nothing you can do about it. There's a bill, and you must enforce the bill. And you reach a finite number of people. So you must have that complaint resolution ability, but it is a very limited ability in terms of your reach and who you get the message out to.
I reach thousands of people, maybe tens of thousands of people, over the course of a year by going out and speaking, knocking on their doors, getting the message across, and talking to consumer groups—many more than I do in the complaint resolution process.
So what I'm saying is if you have to make decisions on where to devote your resources, the public education and communication function should be first. That's what you should lead with. Then over the course of the year, you will be in a position to determine the number of complaints you've received and whether you're understaffed or overstaffed, and you can make adjustments. But I don't think you can underestimate what the costs or needs are going to be on the public education side.
Mr. Jim Pankiw: What if there's a flood of unexpected complaints?
Ms. Ann Cavoukian: We have means by which we can address that. For example, in our office, experience has shown that certain types of complaints will always result in the same outcome, because it's identically the same fact situation, the act is clear, you apply the act, and it leads to this case. So if you have a set of complaints and that's the case, you don't have to do a complete investigation of each one. You can offer the previous investigation for it. You can say, “Here are our findings. We believe your situation is like this.” More than half the time, the complainant is satisfied, because often they don't have a good understanding of how the act operates or something.
So you can find systemic ways to investigate complaints as well. There are ways in which you can address these issues.
Mr. Jim Pankiw: Okay.
The Chair: Thank you very much, Mr. Pankiw.
Mr. Eugène Bellemare (Carleton—Gloucester, Lib.): Ms. Cavoukian, welcome on Parliament Hill. My questions are the following.
On protecting children, what are your views when it comes to the electronic commerce?
Ms. Ann Cavoukian: Nothing could be more important than protecting children.
Mr. Eugène Bellemare: Do we have laws? Do we have laws in Ontario?
Ms. Ann Cavoukian: Not that speak to children or the Internet or any of those concerns.
This is an extremely difficult issue. South of the border, as you may know, they have attempted on several occasions to introduce legislation to protect children and have not met with success, because the extreme difficulty is if you legislate in a very broad way that this type of information, these words or these scenes, should not be shown to children, then you get into areas you didn't intend. You don't mean that information on breast cancer shouldn't be made available, for example, but it has the word “breast” in it, so perhaps that shouldn't be made available to children. It's very difficult to legislate in this area.
I would encourage the development of, and the education of the public in, technologies that can be used by parents, for example, with respect to the Internet that will allow them to screen what their children see. Privacy-enhancing technologies are just evolving that will put into the hands of parents some measures by which they can control the access their children have to various web sites.
This is an extremely difficult area and an extremely important area, but it would take almost another session for us to address all the nuances and all the considerations that have to be brought to bear. For minors, the responsibility has to lie with their parents in terms of—I don't want to use the word “policing”, but overseeing—what their children view on the Internet.
I'm going to be dating myself here, but I remember when I was a child, my father, who was very strict, would only let us watch two TV shows a week. That was unheard of. And he would approve them. He would go through the TV guide and say, “You can watch this.” I think one was Leave it to Beaver and one was Father Knows Best, of course, and that was it. I don't know how they did it, but I would never have thought of not doing that.
I'm not suggesting it's the same situation today, but my parents took a very active role in overseeing what I viewed on television. Surely we can encourage parents to take an active role in overseeing what their children see on the Internet, and also give them the tools to try to do that.
Mr. Eugène Bellemare: I will let my colleague from Quebec, Marlene, speak on the Quebec laws that protect children. I think Quebec is really ahead of everyone else on that issue.
My second question is regarding data-mining exercises. It's possible that something like junk mail will occur, people will complain, and those who do the data-mining exercises will say, “Well, that's the same philosophy as people who say their definition of junk mail is anything commercial that comes to them. There's an industry here and there's a necessity to advertise, and the mode of transporting this information to the household is often through a leaflet, which is referred to as junk mail.” How would you respond to people who say, “That's the same problem as junk mail; don't bother us”?
Ms. Ann Cavoukian: I would say, once again, give people a choice. I accept opting out as the lower standard, but I would say even then, you must allow people a choice, even if it's a negative, to say they do not want to receive any solicitations or any marketing material.
We've found that if a business gives a person a choice of what information they want to receive from the business, often the customer doesn't mind receiving marketing material from that company, with whom they have a trusted business relationship and presumably have some interest in the material the company is offering. What they usually object to is receiving third-party solicitations from a host of unknown companies and being bombarded with things that truly fit the category of junk to them.
So again, it's to the advantage of the business to ask their customer, “May we send you marketing information from time to time or not?” and give them a multi-choice option. Don't do just a yes or no, but give them a choice: “May we send you marketing information from our company? May we give your information to other companies to send you information?” and give them tick boxes.
It's very important. You can address the issue of data-mining and the issue of junk mail through that type of exercise.
Mr. Eugène Bellemare: You have a lot of confidence in the business community. Obviously you reside in an area where you do business with and socialize with nice people. You seem to forget that unfortunately there are neighbourhoods, whether physical neighbourhoods or business neighbourhoods, that are not the type that would worry too much about the nice, commendable comments you have. Say Mr. Goody Two-Shoes calls in and says, “I don't want any more of your mail. Please don't send me any more.” The reaction over there could be just laughter at the other end of the line.
Ms. Ann Cavoukian: That's why you need a law. If he just laughs at you and keeps sending you the mail and he gets slapped with an offence under this act, hopefully he'll stop doing it.
I have great respect for corporate citizens such as those who belong to the Canadian Direct Marketing Association—sorry; they're now called the Canadian Marketing Association. We have had considerable dealings with the head of the CMA, and they have a wonderful code of conduct, based on the CSA, that they follow voluntarily and that their membership follows.
But they don't represent all direct marketers in the country. They represent about 80%, for example. So you have 20% who are the bad apples and who are probably engaging in practices that we might find offensive from an information privacy perspective. Those are the ones I want to get, and those are the ones the CMA wants to get.
The CMA took the unprecedented step of calling for legislation, which, believe me, drove their American counterparts crazy. The DMA was apoplectic that their Canadian counterparts were calling for legislation: “Are you crazy?”
The reason they did that was they wanted a level playing field. They wanted the other 20% captured. They weren't worried about their membership. They were worried about those who couldn't be caught in a voluntary act. That's why you need this bill.
Mr. Eugène Bellemare: You have data-mining, but you also have people who buy lists.
Ms. Ann Cavoukian: Yes.
Mr. Eugène Bellemare: These could be bought, for example, in the worst case scenario, by foreigners who would hassle our Canadian community. How do we protect ourselves from this? There's no goodwill here. You can't tell these people who do this kind of business that they shouldn't be doing it, because they're bothering the old ladies and the old men.
Ms. Ann Cavoukian: Well, there would be a prohibition in this bill from selling the lists to them, from disclosing those lists, without the consent of the individuals involved, even if it's a negative consent. So there would be some prohibitions that you'd place on people in this country from selling the lists elsewhere.
Mr. Eugène Bellemare: You're satisfied with the prohibition in this bill?
Ms. Ann Cavoukian: Well, it might need some tinkering here and there. I'm not saying this is a perfect bill, but sir, we don't live in a perfect world.
The message I would like to give to you all is that we need protection for the private sector now. We need it in the form of the best bill we can produce. To wait another year is not acceptable to me. The EU directive was passed last October. We don't want this to become a non-economic trade barrier, but more important, we want the private sector to know there's a standard they have to meet with respect to information practices.
So, accepting that we don't live in a perfect world, I am willing to live with this bill, with some slight modifications and amendments, and make it work. And I think we can make it work.
Mr. Eugène Bellemare: You will send us the amendments you'd like to see?
The Chair: [Inaudible—Editor].
Mr. Eugène Bellemare: Okay.
Ms. Ann Cavoukian: Thank you.
The Chair: Mr. Murray.
Mr. Ian Murray (Lanark—Carleton, Lib.): Thanks very much.
Dr. Cavoukian, it's good to have you with us.
You referred to this piece of legislation as an excellent first step. Does that mean it's 50% of the way or 90% of the way? Or would it be perfect, or as close to perfect as possible, if we incorporated your suggestions? And along those lines, if you did have an opportunity to be involved in the creation of an Ontario act, what would you add or delete in that piece of legislation if you were to consider that this is not quite there yet; it's just a good first step?
Ms. Ann Cavoukian: That's a tough question. I haven't quantified a percentage in terms of how complete it is.
Mr. Ian Murray: The question may be a little unfair. You spoke in glowing terms about the act, and perhaps your term “an excellent first step” is more a suggestion that some more can be done. As I say, I don't mean to be unfair with the question.
Ms. Ann Cavoukian: No, I understand.
I would like to see the scope of the legislation extended beyond simply companies whose primary activity is commercial activity. I mentioned in my remarks that many organizations, such as non-governmental organizations and professional bodies that oversee lawyers, doctors, accountants, etc., are not covered under our legislation, unlike the B.C. legislation, for example.
We would like to see those bodies captured. A great deal of personal information goes their way. They probably engage in possibly some commercial activity. I don't know. It's worth exploring. But we would like to see that extended, because we don't think there should be any pockets of personal information that are unprotected. Basically, everybody should be covered. How do we do that? That's our goal.
Some fine-tuning can take place with this bill. I want to make sure the bill has primacy and a number of other things, as I said. But my message is it would be better to pass this bill now, with whatever shortcomings it has, than not to pass it, let another year or two pass by—who knows?—be in the same position again with another bill that will no doubt have its own shortcomings, and have to revisit it again.
We could engage in this exercise ad infinitum. We need this now. The genie is out of the bottle. Hopefully we can put some clothes on the genie, but we're not going to be able to if it goes out much longer. This is the time to act. We have to move, and I really think we have to move now.
Mr. Ian Murray: This is a balancing act, as is the CSA model code. You're quite enthusiastic about the process that led up to the acceptance of the code, but also it appears it was quite a struggle to get it to that point, so there must have been some trade-offs along the way. Or did everybody just see the light at the end of a few years and say, “Yes, we'll have this perfect code”?
Voices: Oh, oh!
Mr. Ian Murray: As somebody whose first priority is protection of privacy and as somebody who lived through that process of trying to balance off competing interests, can you sit here today and say you are very comfortable with the provisions of that model code and that no more could have been done even at that point?
Ms. Ann Cavoukian: There's always more that can be done, and I'm not going to suggest otherwise or that compromises weren't made. Could we tighten the collection practices, for example? Of course we could. Could we tighten various aspects of the bill? We could go through it clause by clause and find something we could tighten a little bit. But what I'm trying to convey is I don't think the minutiae of the bill are going to determine whether it's effective or not.
What ultimately is going to protect privacy in Canada are the efforts of commissioners and people like you to raise the consciousness of both the public and the business community in terms of really understanding why this is important to do and how you can do it.
I see us as parlaying the nuances of the bill to the business community and explaining what needs to be done and how it is to everybody's advantage to do it. That is what I see as our task: being very proactive in nature, meeting with the business community, meeting with the public, and conveying this message to them.
I know my colleague, David Flaherty, refers to us as cheerleaders for the bill and for privacy, but very much what we do is convince people that the business of protecting privacy is very important to a society and explain to them again and again why privacy doesn't equal security and why you have to protect both. This is the message we have to impart, and if we can do so with some passion and some life, then hopefully the people we're talking to will want to do the same thing.
I know in my business—and we have many staff in my office—we don't have a hope of policing all the departments in government and hoping they do all these things. Our only hope is to convey to them the reasons it's important and the understanding of fair information practices.
Basically that's the raison d'être. Why do we have fair information practices? Why should we care about these things? If they have an understanding of that, they will enforce the act more strongly than anything we could draft. That's been my experience. Once you can convey this message—and this is why it's so important to be proactive and educate the public—they will then get the spirit of it and want to do it better.
I know that must sound Pollyannaish, but I've seen it happen again and again. That is a much more effective tool than tinkering with this word and that word, making it stronger, shoving it down the throats of business, and them doing it with great reluctance and only to the letter of the law. That's not what you want. You're not going to be there. You don't have the resources to be there to police this in that manner, nor would you ever wish to. Make it so that they will take it upon themselves to protect the information, will buy into the spirit of the act, and will do so in the spirit in which it's intended, and not grudgingly.
Mr. Ian Murray: How's my time? Do I have time for a short one?
The Chair: One last question, Mr. Murray.
Mr. Ian Murray: I just wanted your opinion on the exemptions under clause 7, which essentially exempts journalists and artists and in the case of literary purposes. Do you have any thoughts on that at all that concern you?
If you're looking at journalism, say, the question is how do you define it, especially in the Internet world, where you can have all kinds of people claiming to be doing journalistic work when essentially they're just doing some kind of newsletter over the net, which may or may not qualify? Do you have any thoughts at all on that?
Ms. Ann Cavoukian: Well, Mr. Murray, I'm a privacy advocate at heart, and part of me would not have that exemption, or would have journalists have to protect the public's privacy as much as everybody else. But the reality is I also do value freedom of speech and freedom of the press, and I believe the press performs an important role in society that requires them to have some access to information. That would be extremely difficult if they weren't exempt from this act.
The notion of balance probably kicks in here more than anywhere. Unfortunately, or fortunately, privacy is not an absolute right. It has to be weighed and balanced against other competing interests and the interests of the public, which in this case the press represents. That is the reason there is the journalistic carve-out, as there is, I might add, in most jurisdictions. If you look at most data protection legislation, some consideration is given for journalists, for these reasons.
Freedom of the press is also included in our Canadian Charter of Rights and Freedoms, so it is a value that we have to uphold. Unfortunately that necessitates certain allowances being made to journalists.
Mr. Ian Murray: Okay, thanks.
The Chair: Thank you very much, Mr. Murray.
Mr. Alex Shepherd (Durham, Lib.): These are your proposed amendments, attached to your presentation?
Ms. Ann Cavoukian: I do not have a copy in front of me. I apologize.
The Chair: The clerk will give you a copy.
Ms. Ann Cavoukian: Thank you. I might just remember if you read them. =1287=]
Mr. Alex Shepherd: I was just reading one here. You propose a new subsection, 28(4):
If a corporation, association or partnership commits an
offence under this Act, every director, officer,
member, employee or agent of the corporation,
association or partnership who authorized, permitted or
acquiesced in the offence is a party to and guilty of
the offence and is liable, on conviction, to the penalty
for the offence whether or not the corporation has been
prosecuted or convicted.
What's the purpose of this?
Ms. Ann Cavoukian: Well, we thought it strengthened it.
For everyone else, just in case people aren't looking, we recommended that the offences in clause 28 be expanded and that individuals within organizations who commit offences be held personally liable and a number of other things. Finally, we suggested that the penalties associated with the offences be increased for repeat offenders in order to provide a deterrent, rather than becoming a de facto licensing scheme. So following along that, we felt this was a real Styx, if you will.
Mr. Alex Shepherd: I'll tell you, one of the concerns I have is that legislators keep coming along and penetrating the corporate veil. The whole idea of a corporate structure is to provide limited liability. The federal government has done that in its tax legislation, and now you're asking us to extend that for privacy legislation so that employees and directors of corporations should be liable for acts of transgression of privacy laws. Is that appropriate?
Ms. Ann Cavoukian: I have a hard time defending this one too stringently, because, of all the clauses you pick, this is the one I was a little uncertain of. I discussed it with my legal staff and asked if they were sure we should put it in, and they convinced me that we should, and we did. I personally would be just as comfortable not having that there. It's a real debate as to whether to include that kind of offence or not. You clearly feel it's excessive.
Mr. Alex Shepherd: Yes.
One of your other amendments talks about biometric and biological samples.
Ms. Ann Cavoukian: Yes, we wanted that included in the definition of “personal information”.
Mr. Alex Shepherd: Records?
Ms. Ann Cavoukian: Records, yes.
Mr. Alex Shepherd: What do you mean by that? DNA samples?
Ms. Ann Cavoukian: Biometric samples could include DNA, fingerprint analyses, retinal scans. This is the way of the future. There's no question in my mind that in the next century you are going to have many biometric samples somewhere and that they should certainly be afforded the same protection that other personal information records are.
Mr. Alex Shepherd: This legislation, at least the theme of it, is to deal with commerce, as I understand it. That's the basic theme. How does DNA privacy extend to that?
Ms. Ann Cavoukian: Well, if you think of electronic commerce and the need for security and being able to authenticate the identity of the person with whom you're engaged in a remote transaction on-line, you as the vendor need to assure yourself that they are who they say they are. One way of doing it is by digital signatures, for example.
Another way in the future might be biometrics. They might have a finger scan on their PC, which you can get right now, and that finger scan would be conveyed to you for a match. So you'd have a database, a finger scan, possibly. I'm hypothesizing. In the event that you do, you as a company want to make sure that information is highly protected, as much as anything else. It could be subject to enormous abuse.
Mr. Alex Shepherd: Okay, so you think people will use DNA testing or samples as a method of identification?
Ms. Ann Cavoukian: They're certainly using biometric samples right now in the United States. Many banks, for example, and many different institutions are using fingerprints to authenticate identity. It's being done now, yes.
Mr. Alex Shepherd: Okay.
My final question is in this area of the province coming in within this three-year period and bringing in their own legislation. I sometimes wonder if that's.... I know it's thought of in the legislation that that would happen, but aren't you creating confusion in the public's mind? The first question you're going to have to ask somebody is, “Is that a federal issue or is that a provincial issue?” Wouldn't it be more appropriate not to be part of this field and allow just one privacy commissioner to occupy that?
Ms. Ann Cavoukian: We ask that question all the time now. The public routinely.... Actually, I don't know that the public asks it.
Let me put it this way. Perhaps it's proximity. If you're remotely in the Toronto or peripheral area, you call our office if you have a complaint relating to privacy or access. We get the complaint, we determine jurisdiction, and we might say, “Oh, that's a matter of federal jurisdiction. Here's the number of the federal Privacy Commissioner.” That's not unusual.
Let's say you're in B.C., for example. Certainly the residents in B.C. are going to have a harder time interacting with Ottawa, which is going to be taxed truly in terms of resources for how to do this. It's a big country. So the theory is that you are better off having the oversight agency, for example, or the person with whom you're dealing, closer in terms of physical proximity.
In our province, people call us routinely, and have for many years, on provincial and municipal matters. As I mentioned earlier, we also get hundreds of calls relating to private sector issues, which unfortunately we have to turn away.
I expect the same pattern will prevail. Let's say we do have a law. The federal Privacy Commissioner will get calls that he'll refer to us and vice versa. I don't think it will be any different from now.
I actually think, though, there will be greater confusion on the part of the public, who routinely call us now for all of their privacy and access issues—one-stop shopping—if we have to turn them away and say, “No, sorry; we can't deal with that. We don't have jurisdiction.” They'll say, “What are you talking about? It's a business down the street. They're not a multinational; they're just a little company. I want you to do something.”
Mr. Alex Shepherd: It seems odd to me that you're arguing the issue of geography while at the same time we're talking about the Internet. What difference does it make that the person is in British Columbia? They could access only one privacy commissioner, or there could be some way that the provinces could be part of one organization instead of creating a multitude of organizations.
Ms. Ann Cavoukian: Because, sir, when people are filing a complaint, they want to look at you. They want to come in if they can, meet with the investigator, and talk one on one. They don't want to do it over the Internet; they don't want to do it by mail if they can avoid it. They want to eyeball you face to face. The value of face-to-face interactions should not be underestimated just because—
Mr. Alex Shepherd: So if it's a federal issue, they won't get the—
The Chair: Make this your last question, Mr. Shepherd.
Ms. Ann Cavoukian: Well, that's what the federal Privacy Commissioner does now, with many investigators who have to physically travel to the site where they're investigating a complaint. I don't want to speak for them—I don't know what proportion of the time they must do that—but certainly some of the time, travel is involved. There's no question.
If you think all of this is taking place on-line, it's not. Not to mention the security-related issues of dealing with sensitive information on the network, where probably most of it is not encrypted. You wouldn't do that. How do you transport a record physically on-line? We have to examine physical records a lot of the time to determine whether the personal information in question should be released or not, if it's in dispute. You need to physically examine these things. Proximity is a great advantage.
The Chair: Thank you.
Thanks very much, Mr. Shepherd.
Ms. Marlene Jennings (Notre-Dame-de-Grâce—Lachine, Lib.): Thank you.
It was very interesting listening to your report. I have a question.
My understanding is that one of the reasons this legislation also talks about electronic commerce and the privacy issues joined to that is precisely that we're using our jurisdiction in commerce and trade in order to bring in part of the issue of privacy and personal information.
If I look at part of the suggestions you're making for changes, you're saying we should extend the jurisdiction of this legislation to trade unions, professional bodies, and non-profit organizations. I think we would have a real problem. Do you recognize that as well?
Ms. Ann Cavoukian: You may be very right in pointing that out.
What we often say when we negotiate with whomever is you strive to get more than perhaps you can, but in the process, you end up getting more than you would have had otherwise. In suggesting that, we were aware of the fact that it's the commerce aspect of the federal government's authority that allows them to bring in the provinces. But we felt an argument could be made that even if a particular organization's primary activity isn't commercial, if they engaged in some commercial activity, perhaps that would be the way in which you could capture them.
That has yet to be tested. We have to talk to Industry Canada. It may not be viable. But we thought it was worth trying, because we didn't want to have these pockets of organizations that have personal information but aren't captured anywhere. So that was our attempt to do that.
Ms. Marlene Jennings: Okay. I understand that, and I am sympathetic, but I personally don't see that suggestion being realistic.
As one of my colleagues mentioned, I am from Quebec. Commercial activity within the province that does not go interprovincially or internationally is regulated by provincial law. We do have a civil code. We have whole sections that deal with commercial activity, law of contracts, etc., and I myself would be very hesitant to see the federal government moving into that.
What I do like about your suggestions—and some of them are very good—is the issue of the primacy of the legislation. That's a very important issue that needs to be looked at more closely. Your suggested wording for the purpose is a lot broader than what actually exists, and I think it's a better attempt at bringing in the issue of privacy as a fundamental human right.
Ms. Ann Cavoukian: Thank you very much. We struggled with that, recognizing that this was the Minister of Industry and that under trade and commerce we had a certain framework within which to work. But we thought if we could expand the purpose to include some language on human rights and purposes, that would better allow later interpretations of the act.
Ms. Marlene Jennings: I think it would also allow for the kind of budget—not billions, but a serious budget—
Ms. Ann Cavoukian: Just millions.
Ms. Marlene Jennings: —that would allow the Privacy Commissioner to fulfil his mandate of education and information.
Ms. Ann Cavoukian: And as I've said repeatedly, in my mind, nothing could be more important than that.
Ms. Marlene Jennings: Yes.
Thank you very much. I really did appreciate your presentation, and I wish you good luck in convincing the Ontario government to enact its legislation before the three-year deadline is up.
And I do not share the concern of my colleague on the other side of the table that this would create all kinds of confusion within the private sector. Most Canadians are quite bright.
The Chair: Thank you, Ms. Jennings.
Mr. Pankiw, you wish to clarify?
Mr. Jim Pankiw: I was only asking her opinion on that.
Voices: Oh, oh!
The Chair: Thank you very much, Mr. Pankiw, for that clarification.
Mr. Lastewka, you had one final question. We must finish by 5 p.m., so make it one final question.
Mr. Walt Lastewka: During the hearings last fall, when Assistant Commissioner Mitchinson was here, we talked about the various lists that provinces presently sell through a third party and so forth. I know he said you were going to take a look at that. I just wanted to see if there was any update on that.
Ms. Ann Cavoukian: Actually I spoke to Ms. Whelan before we met.
We initiated an investigation shortly after with the ministry involved. The investigation is under way and I had hoped to have the report today to present to you. It's been a little difficult, but we expect to have the final information that we need from the ministry at the end of this week, and I'm hoping that by next week I will have that to Ms. Whelan.
I apologize for not having it today. We were on it right away, but sometimes it takes a little bit of convincing to get what you need.
Mr. Walt Lastewka: My concern when we first decided on the bill and had some discussion was that all of a sudden it came to the table that various provinces are now selling lists and that's part of their revenues. Now the problem comes: why would provinces want to put in legislation that would exclude that, if it's going to take away from their revenues? All of a sudden there seems to be some interference. That's why the question came up in the fall.
Ms. Ann Cavoukian: It's a good question.
If I can add one thing, I think the greatest threat to privacy in the next millennium will be limiting the secondary uses of personal information. The use limitation principle is, to me, the most fundamental fair information practice, because it's the principle that allows individuals to exercise some control, true control, over the subsequent uses of their information.
The Germans have a saying: “informational self-determination”. It's a wonderful saying. It's in their constitution. What it says essentially is that individuals should be able to determine the fate of their information, the uses of their personal information.
The problem is, in the context of the world of the Internet, rapidly accelerating information technology, and information being gathered and disseminated at unbelievable exponential speed, the temptation to use information for purposes for which it was never intended is enormous.
Here you have this information. It was intended for purpose A, it will solve the answer to question B, and you have it—it's in your holdings—but you have to not use it. It's extremely difficult for companies, for the government, for anyone, to resist the temptation to use this information, which is exactly what they need to answer this other problem, which they never contemplated at the time of the data collection in the first place. That, I think, is going to be the greatest challenge we face. And to be quite truthful, I don't know how successful we'll be in reigning it in. It's extremely difficult. It's the basis for data-mining, data-warehousing.
But the issue of consent and notice will go a long way if, at the first instance of the data collection, you have some meaningful consent and notice requirement. That is the challenge before us, and that's why it is so incumbent upon us all to get business to buy into this at some meaningful level, beyond the fact that they must comply because it is a law. They are the ones who have to implement this, and it's the successful implementation of this that will determine whether our privacy is protected in the private sector, not whether you have a law or not.
Thank you very much.
The Chair: I want to thank you very much for being with us today, Dr. Cavoukian. We appreciate your taking time out of your busy schedule to join us and prepare the brief. We welcome your experience. It was great. And we look forward to your report to come in the next few weeks.
We apologize again for the delay in our start, and we wish you a safe journey back to Toronto.
The meeting is now adjourned.