INDY Committee Meeting

STANDING COMMITTEE ON INDUSTRY

COMITÉ PERMANENT DE L'INDUSTRIE

EVIDENCE

[Recorded by Electronic Apparatus]

Tuesday, March 2, 1999

• 0908

[English]

The Chair (Ms. Susan Whelan (Essex, Lib.)): I'm going to call the meeting to order pursuant to an Order of Reference of the House dated Tuesday, November 3, 1998: consideration of Bill C-54, an act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.

I am very pleased to have with us as witnesses today: Mr. Robert Keyes, senior vice-president, international, the Canadian Chamber of Commerce; Mr. Phil Saunders, vice-president, commercial relations, Northern Telecom Limited, who is also from the Canadian Chamber of Commerce; Jayson Myers, senior vice-president and chief economist, Alliance of Manufacturers and Exporters Canada; Mr. Mathew Wilson, policy analyst, who is also from the Alliance; and last, Mr. Colin J. Bennett, who is an expert in the area of privacy and legislation.

I'm going to begin with opening statements. I know the clerk has advised you that you each have five minutes, so I'll start with the Canadian Chamber of Commerce and Mr. Keyes.

Mr. Robert J. Keyes (Senior Vice-President, Canadian Centre for International Business, Canadian Chamber of Commerce): Good morning and thank you very much for the opportunity to be here this morning to talk about Bill C-54.

As you mentioned in your introduction, I'm joined by Phil Saunders from Nortel. I also have with me Mr. Lou Lederman, a lawyer from Fraser Milner, who has a practice that is becoming increasingly e-commmerce oriented.

• 0910

Bill C-54 is an important piece of legislation. The Canadian Chamber of Commerce is increasingly interested in the potential that electronic commerce holds for Canada. For our 170,000 members across the country, e-com has the potential to really fundamentally change the way these businesses operate. For some companies, it's a new way of interacting with their customers. Other companies are going to have to embrace e-com to be competitive. Canada is in an excellent position to be a world leader in e-com, for a variety of reasons, which we talk about in our brief.

We recognize that full credit is due the Government of Canada for playing a crucial role in helping to ensure that electronic commerce potential can be realized. Industry Canada's leadership in this area has been complemented by Canada's private sector technical leadership and capability.

I'm sure you're familiar with the OECD conference that took place in Ottawa last fall. It was a real coup to have this conference here because it was a significant event towards the branding of Canada as a good place in which to do electronic commerce. That meeting demonstrated three things: the capabilities of the private sector, the progress the Government of Canada has made in creating the legislative framework in which e-com can grow and the benefits of collaboration between the public and private sectors. That conference also addressed a number of the key issues pertaining to e-com: taxation, digital signatures, authentication, privacy and security, for example.

The chamber agrees with many aspects of Bill C-54, but that's not to say that there are not areas where improvements could and should be made, especially in the parts of the bill dealing with personal information.

Part 2 of the bill, which is really the facilitating part from the e-com perspective, sends out some important signals. The concept of the government as a model user will help the widespread adoption of electronic service delivery mechanisms. It will help to promote the widespread acceptance of secure digital signatures, which is a critical point. The bill is also a significant piece of the government's electronic commerce strategy. As the nature of the business changes, the legal and the regulatory environment must keep pace. Through this bill, it does.

Let me turn to the privacy section of the bill. We have a number of suggestions for technical and substantive improvements to the provisions for the protection of personal information. We are anxious and willing to work on this with the government and its officials.

As a general comment, might I point out that this bill—and indeed, any legislation—needs to take into account the potential cost impact on the business community. We've not seen any analysis of this potential cost impact, but we do think it's something that the government needs to do. We suggest that if such information is available it should be made available to this committee.

Let me turn to five specific comments about how we think the bill can be improved.

We're hearing from some of our members about the impact of this legislation and its wide net—that it may include information on employee-employer relationships—and about the scope of the various clauses to affect employee information and records of various types. We hope the committee will listen closely to the concerns that are and will be expressed by businesses appearing before you on this issue. Employee-employer relationships are already subject to a large amount of law and regulation, and the bill must dovetail closely with that body of legislation.

My second comment concerns the role for industry self-regulation. At the OECD ministerial conference, there was a lot of discussion about industry self-regulation, and this has been largely accepted by the government as a cornerstone of our e-com strategy. The business community recognizes that it has to assume a large responsibility for affairs in this area. The CSA code was a good starting point for this bill, but there are other codes in place, like, for example, the privacy code of the Canadian Association of Internet Providers.

• 0915

If there is any way that legislation can encourage more of these voluntary codes to be used and can encourage the business community to take these voluntary approaches, we think that would be helpful.

Publicly available information is one of the key areas of business concern. There's no disagreement from the business community: the inappropriate use of personal information should not be allowed. The difficult aspect is to find the right balance between information that is not sensitive and is being used for legitimate purposes and the need to guard against inappropriate uses.

Just what is “publicly available information”? It doesn't seem to be clear in the context of the bill. We would like to see, if possible, a clear definition of this. For marketing purposes, for example, businesses need to know that the use of customers' names, addresses and titles in the daily context of business activities won't be an illegal act. We just want to make sure that the privacy aspects of Bill C-54 do not have a negative impact on sales, retailing and marketing activities.

Another issue that has come to the fore is the knowledge and consent requirement under subclause 7(3) and the ability to share information in certain circumstances. A specific example is whether subclause 7(3) would restrict or prevent the sharing of information in the case of internal fraud or theft and infringement of intellectual property investigations, where a company might want to share information about individuals with colleagues, private investigators, witnesses or other companies.

Some of our members are also asking whether subclause 7(3) might even prevent disclosure to a court. We have a suggestion in our brief as to how this might be remedied if the clauses are interpreted in this way. The words that could address this are in our submission.

In clause 2, on the “use” of information, there is a concern that this could include the transfer of personal information from one division to another within an organization and would trigger a consent requirement. Again, this would seem overly restrictive.

My final concern is about the role and powers of the Privacy Commissioner. Nobody wants more regulation, but if it's to happen, we would hope that the regulatory burden would be minimized.

In our brief, we talk about various aspects of the role of and the powers to be ascribed to the Privacy Commissioner. We also make the suggestion that before the Privacy Commissioner moves into a very detailed and potentially administratively heavy investigation of a company, the Privacy Commissioner should be required to put the case to some outside agency. We're suggesting that perhaps that responsible body could be a judicial authority. Our brief has suggested wording for this. In fact, we've had one member question whether the rights being accorded to the Privacy Commissioner might in fact violate the right to be secure against unreasonable seizure, as enshrined in the charter.

A final point: we are well aware that across Canada there are varying views from a jurisdictional perspective. We just state that from the business community's point of view it's essential that we have a coordinated framework across the country. Canada has long been plagued by difficulties on the internal trade front and we hope there's not going to be a repeat of this history.

In summary, Madam Chair, Bill C-54 is an important legislative step forward in creating the right framework. Our members strongly support the efforts to boost the environment for electronic commerce. We also support the light-handed approach that the federal government has advocated in terms of its general approach to e-com matters to date.

Our comments are presented as constructive suggestions to make Bill C-54 work better. With these improvements, the bill can contribute to getting the regulatory environment right and providing an environment in which e-commerce can flourish and privacy concerns can be accommodated. We want to help the government improve this bill. We hope these comments are received in that vein.

Thank you.

The Chair: Thank you very much, Mr. Keyes.

I'm now going to turn to the Alliance of Manufacturers and Exporters Canada, with Mr. Jayson Myers.

Mr. Jayson Myers (Senior Vice-President and Chief Economist, Alliance of Manufacturers and Exporters Canada): Thank you, Madam Chair. Let me echo many of the same comments and concerns that Bob has just summarized. Certainly the importance of electronic commerce today is changing the way business is done, not only in Canada but around the world.

• 0920

We, too, applaud the federal government's objective of making Canada a world leader in electronic commerce by the year 2000. I think this is extremely important. We see Bill C-54 as part of the government's drive to strengthen the regulatory legislative infrastructure in which e-commerce takes place. That, too, is important.

Our members, 3,500 of them, today represent about 95% of the country's exports, 90% of the R and D effort in the country and 75% of the country's industrial production activity. They know the importance of the use and protection of sensitive information and see that as a very important strategic advantage in their businesses.

We see parts 2 to 5 of Bill C-54 as a constructive approach. In fact, we're fully in support of that part of the bill. We as well have as our main concern part 1, which deals with the treatment of personal information. I'll be very brief in going through our concerns. They're outlined in our submission.

First of all, part 1 of the bill goes well beyond the treatment of electronic commerce. The implications of the regulatory approach to the treatment of personal information that has been adopted in part 1 touches on the way businesses operate, not only electronically but in terms of the sharing of information, the collection of information and the dissemination of information. One of our main concerns is this lack of clarity between what information is sensitive and what information is not sensitive on a personal level.

We have a concern that the federal government is emulating the European Union's regulatory approach, which is already creating significant concern among businesses in Europe. It is a regulatory approach that has taken three years to finally implement but is still creating many problems in terms of the use of personal information, in the collection, in the dissemination and in the securing of consent on a personal level. In fact, we're not at all convinced that this regulatory approach puts Canada in a very favourable light in terms of international competition—and the location of electronic business in particular—when it comes to businesses that are operating worldwide today.

Certainly, we again echo what the chamber has said with regard to a caution about adopting a regulatory approach in legislation. We very much favour the adoption of voluntary standards and a degree of flexibility in the implementation and application of those standards to business practices.

One of the problems, I think, especially in enshrining regulations or standards in legislation, is that there is a lack of flexibility. There are costs that are not always equal across companies, given what various companies are doing in the use of personal information or, for that matter, given the size of companies. One of our particular concerns is that the regulations embodied in this bill would be a particularly onerous cost to smaller businesses.

Certainly we support the voluntary principles for the use of personal information that are enshrined in the CSA standards. We certainly support other types of voluntary standards, and there are many of them, many codes of conduct with regard to Internet business and e-commerce business.

We would very much like to see the government encourage that type of development of best practices, of world-class standards. A part of that practice in world-class standards, particularly in electronic commerce and the use of the Internet, is the adoption of standards that reflect the flexibility that is also part of electronic infrastructure.

In fact, with Industry Canada and with a number of consumer groups, including the Public Interest Advocacy Centre, the Consumers' Association of Canada, the Retail Council of Canada and other business associations, we've spent quite a bit of time working at developing a number of principles affecting consumer protection in the area of electronic commerce.

• 0925

We would very much like to see these types of voluntary standards adopted. From the perspective of our companies, I can say that most businesses today do respect the fact that information of a personal nature has to be protected. It's good business to do that.

As well, it's certainly a part of the recognition of consumer groups that some information collected by a business can be shared or disseminated within the business, and it may not be practical or appropriate to ask for consent before using or sharing information of that nature.

The regulations that would be embodied in the legislation, from what we can see, dismiss the part of the CSA standards or the voluntary principles that we've supported. The legislation forgets the flexible approach. It overlooks the parts of those principles that put a lot of emphasis on the appropriate sharing of information or on the practicality of doing this. Again, it would apply a regulatory standard across all companies that may simply not be practical, particularly in an age of electronic business.

We've heard a number of concerns expressed by our companies about the implications of part 1 of this piece of legislation, specifically around this issue of what sensitive personal information is and is not and what is appropriate for companies to do in sharing information and what is not. That is simply not specified in the legislation.

We have a number of concerns arising from that with regard to employer-employee relations, product development, product and service improvement, servicing customers, marketing services, marketing products, sales, advertising and retailing. As it now stands, the bill would affect all of those business practices.

Again, there's certainly a lot of concern that an overly restrictive approach would be inimical to the adoption of e-commerce and would in fact change considerably the way that businesses operate now, even outside the realm of electronic commerce.

We also have concerns about the broad range of powers that has been given to the Privacy Commissioner: broad powers to audit, investigate, fine and try organizations and broad powers of investigation. We would certainly like to see the committee take a close look at those powers with an eye to looking at whether those powers are indeed essential. As well, we would certainly support an amendment that would allow companies to present their case to a court before an investigation proceeds.

As well, I think it's extremely important that government understands the full impact of the regulatory measures and legislative measures that are being proposed in this bill. We haven't seen any economic or business impact analysis either, and I would suggest that it be carried out before the bill is put into effect.

In summary, Madam Chair, we certainly support the objective of making sure that there's a strong competitive framework for electronic commerce in this country, but it has to be a competitive framework, it has to be practical from the point of view of business and it certainly, I think, has to take a very close look at whether this is a regulatory approach or a voluntary standards approach to the protection of personal information, which I think all businesses in this country themselves have—at least to some degree—a stake in protecting.

The Chair: Thank you very much, Mr. Myers. I'm now going to turn to Dr. Colin Bennett.

We look forward to hearing you today, Dr. Bennett.

Mr. Colin J. Bennett (Individual Presentation): Thank you very much. I'm very grateful for the opportunity to speak here this morning.

I'm an associate professor in the political science department at the University of Victoria. For nearly 20 years I've been researching the issue of personal privacy protection in different western societies. I consequently have a perspective that is rather different from those that have been presented by the other speakers this morning. I'm the author of a couple of books on the subject.

I have also been a privacy advocate over the years and have served as a consultant to international organizations and to Industry Canada, as well as to one or two organizations in the private sector.

• 0930

Most recently, I've been the co-author of a report on the adequacy standards in the European Union's data protection directive, which I'd like to speak to you about briefly.

This committee has received a great deal of advice about the wording of Bill C-54, about its scope, about the definitions and about the various exemptions. While legislative language is of course very crucial, I believe that the effectiveness of the Canadian policy on information privacy will be dependent on some other factors, and it's those factors that I'd like to talk to you about in relation to Bill C-54: firstly, on the ability of the regime to encourage voluntary adoption of privacy principles; secondly, on the use of the entire repertoire of possible approaches and instruments to privacy protection; thirdly, on the ability of the Privacy Commissioner to apply what I call “an ounce of prevention” or proactive measures; and finally, on the level of policy harmonization within Canada and between Canada and international standards.

In the light of those lessons, I'd just like to make a few comments on the relationship between Bill C-54 and the CSA standard, the powers and responsibilities of the Privacy Commissioner and the international implications.

Like many people, I fully support the grounding of Bill C-54 and the principles within the CSA's model code. The privacy standard is an innovation, it being the first certifiable privacy standard in the world that I know of, and we need to keep that in mind. It can be cited in contract nationally and, more importantly, internationally. Without the negotiation of the standard, the Canadian debate would be far less advanced than it is.

I've written elsewhere that Canada has been building a data protection regime from the bottom up, as it were. The CSA standard is built upon existing codes of practice, and the legislative framework should build upon the CSA standard. I believe this regime has a chance of encouraging a more effective system of data protection than would a top-down, command-sanctioned model through “law or learn”.

It's very important, therefore, to avoid the conclusion that the CSA standard in the sectional and organizational codes it has encouraged can now fade into oblivion. It may be too tempting to think that the standard has done its job by providing a template upon which the legislation is based, but I think that view is short-sighted, because it ignores the crucial role that the standard can play in the implementation of Bill C-54.

Mechanisms are currently in place to ensure that organizations' data users—not sectoral trade associations, but organizations—actually say what they do and do what they say. Registration to the Q-830 standard can be encouraged now and it can be encouraged after Bill C-54 is proclaimed.

Once that organization has registered to the standard, the CSA code ceases to become a voluntary mechanism. The organization has to produce a code, a related set of operational guidelines and be subjected to regular and independent audit of compliance practices by an accredited registrar.

The sanction becomes not only a fine, therefore, but an obligation to change practices. That technique has been used to enforce environmental regulation and there's no reason why it cannot be used properly to contribute to the enforcement of Bill C-54. This is an important technique, which I think is somewhat overlooked in the current drafting of Bill C-54. An under-resourced Office of the Privacy Commissioner—and let's be clear about it, the Privacy Commissioner's office will not have the resources it needs in order to enforce this legislation—can be used to ensure a good level of compliance to the legislation.

As currently drafted, I think Bill C-54 regards the CSA standard as a template rather than a method of enforcement. I would like to see a more explicit recognition, probably in clause 24, that the commissioner may encourage registration to the Q-830 standard through an accredited registration body. That may also be stated more explicitly in subclause 18(2), in which the commissioner is empowered to delegate his powers of audit. Moreover, I would have thought that any organization that is registered to the standard would have a powerful argument in the case of any investigation of its practices by the commissioner.

I do make a distinction between registering to a standard and just developing a code, a voluntary code. There's an important distinction there. The demonstration that a code of practice is indeed complied with throughout the organization should have powerful evidentiary force. A few far-sighted companies have already begun that process. That should not exempt them from the provisions of Bill C-54, but it should carry evidentiary weight in any investigations by or proceedings before the commissioner and the courts.

Secondly, as drafted, Bill C-54 gives the impression that the most important responsibilities of the commissioner under this legislation relate to complaints resolution and investigation and redress. In my view, this is the least important function of a privacy or data protection commissioner.

• 0935

The complaints investigation process is largely a reactive one, performed only after privacy problems arise. The implementation of privacy protection law is as much an educational effort as it is a regulatory one. Much can be achieved in anticipation of policy and system development if privacy protection is built in at the outset rather than added on afterwards. I believe Bruce Phillips emphasized this point to you in his own testimony.

I am pleased that the commissioner is given the power of audit. One of the major conclusions of the comparative studies of privacy protection law done by David Flaherty and by myself is that proactive auditing is one of the most important functions that a privacy commissioner can perform.

But other crucial educational and advisory functions and responsibilities are buried within clause 24 of this legislation, and I think the success of this law will be largely dependent upon whether a commissioner can in fact encourage self-regulation. If these proactive and general responsibilities are successfully performed, the number of complaints and investigations should be reduced and the need for auditing minimized. Commissioners in other jurisdictions are as much educators and consultants as they are investigators, judges and enforcers.

Bill C-54 does not place sufficient emphasis, in my view, on those powers and responsibilities that are general rather than specific and anticipatory rather than active. I would suggest that clause 24 be moved to the beginning of division 2 and placed before the provisions concerning remedies.

Under the same ounce-of-prevention rationale, commissioners have acted and can act as consultants to organizations wishing to introduce new products and services that may have implications for the protection of personal information. Privacy impact statements can be used as an effective tool for the analysis of these implications to anticipate future problems and to encourage a consideration of privacy and security issues at the outset.

It would make sense to formalize this responsibility, granting the Privacy Commissioner the power to advise on the privacy implications of new information systems in both public and private sectors. Linked to this responsibility is the advice that may be given about the use of privacy-enhancing technologies. In clause 24, would suggest the addition of the responsibility to:

advise any organization about the privacy implications and new products and services and to recommend the use of privacy-enhancing technologies where appropriate.

There's nothing in the law that prevents him from doing this, but I would like to see it made more explicit.

Finally, I'd like to just mention the international implications of this legislation. Bear in mind that Canada is one of the only advanced industrial states that does not at the moment have a comprehensive legal regime for the protection of personal information.

In 1998, I was the co-author of a report to the European Commission on the assessment of the adequacy standard under articles 25 and 26 of the European Union's data protection directive, which has already been mentioned. You'll be aware that this directive attempts to prevent the flow of personal data on European citizens to jurisdictions that do not have an adequate level of protection. You will know that the concerns about how this provision will impact international commerce have been one of the driving forces behind Bill C-54.

The research we did focused on empirical examples of international data flows from the European Union to six different countries, including Canada. I was responsible for the Canadian case. The categories of transfers studied were sensitive data in airline reservation systems, human resources data, personnel files, electronic commerce, subcontracted data processing and medical data. The conclusions about the Canadian case study can be briefly summarized as follows.

There's an increasing amount of personal data flowing from Europe to Canada even though the European Union is not our leading trading partner. Bill C-54 renders Canadian society adequate. There's no question that this law meets the provisions of the European directive, but only in some respects, only to the extent that it covers federally regulated sectors, etc.

In our study, only the organizations that were studied for the airline reservation systems and for the electronic commerce cases would be covered by Bill C-54 immediately. Much international data traffic therefore arrives within organizations that are under provincial jurisdiction. Finally, adequacy cannot be determined by examining only the content of legal and professional rules. There has to be compliance auditing, and registration to the CSA standard offers that opportunity to demonstrate a good level of compliance, not only nationally but internationally as well.

This study does expose the need for consistent and harmonized privacy legislation at the provincial levels, based on the same CSA principles. It supports the overall strategy of Industry Canada in its belief that an enforceable private protection regime is a necessary condition for and not a barrier to electronic commerce. It reinforces the importance of a standards-based approach to this issue so that adequacy can be clearly demonstrated by Canadians and to Canadians.

Thank you very much.

The Chair: Thank you very much, Dr. Bennett.

I'm now going to turn to questions. Just so witnesses know, if a question is not directed to you but you have a comment you'd like to make, just signal the chair and we'll allow that to happen.

Mr. Pankiw, please.

Mr. Jim Pankiw (Saskatoon—Humboldt, Ref.): Thank you, Madam Chair.

• 0940

Mr. Myers, you mentioned that the regulatory approach in the EU is causing problems. Do you have any concrete examples of what types of problems are arising?

Mr. Jayson Myers: In terms of the degree to which electronic businesses are looking at establishing a presence in Europe, the fact that—according to the European directive—there is a more onerous regulatory system from the point of view of a business operating there has been flagged as a problem by some—largely American—e-commerce users. It has been flagged as a problem in terms of the use and dissemination and the requirement for consent in the collection and the sharing of information.

The best source of that information is in fact a study that has been published and was printed in Business 2.0. It does go through some of the complaints that have been raised by e-commerce users. Now I'm the first to recognize that this publication is probably one that reflects the interests of the e-commerce community, but it's probably an important one in terms of reflecting their concerns about the European directive. I think the article was in the December issue of Business 2.0. Take a look at it.

Mr. Jim Pankiw: You also suggested that the powers of the Privacy Commissioner will perhaps be too broad and that there should be recourse to the courts when a complaint arises.

Mr. Jayson Myers: We're very concerned that the powers in terms of investigation are fairly far-reaching and we think those powers should be limited, like any other power of investigation. There should be some ability for a company to appeal the need for an investigation in the first place and just simply ask for the same type of official check on the powers of the Privacy Commissioner that a company would expect from any other type of investigation.

The Chair: Mr. Keyes.

Mr. Robert Keyes: Thank you, Madam Chair.

Just on that last point, perhaps especially from the perspective of small business, there's a bit of a fear of the unknown here. The Privacy Commissioner, who is part of an institution that is probably not that well known in the minds of a lot of Canadians, is going to be given some pretty far-reaching powers.

The point is, in terms of checks and balances in the system, is there some way that it's not an unlevel playing field here, especially for smaller businesses that don't necessarily have the ability to respond to inquiries from a government agency in the same way a large company may? It has many more cost implications. There are some alarm bells going off and people are saying, “Whoa—let's think about this for a moment.”

I think Mr. Myers and I are on the same wavelength. We're hearing the same kind of concerns.

The Chair: Thank you, Mr. Keyes. Mr. Lastewka.

Mr. Walt Lastewka (St. Catharines, Lib.): Thank you, Madam Chair.

I want to first refer to the Chamber of Commerce's number one item: employee-employer relationships. Have you summarized and prioritized the feedback on this item from your organizations? You seem to have written a paragraph saying that we shouldn't work with you, that we should contact other chambers. You're leaving me with that impression. I thought you should be coming here with your chamber's viewpoint rather than leaving it open.

• 0945

Mr. Robert Keyes: That paragraph is rather brief. What I am foreshadowing for you is that you are going to be hearing from—as I have heard from—companies, especially those federally regulated companies, that are concerned this bill potentially catches a lot of internal, personal information. Their concern is with employee investigations and sexual harassment disputes and things like this, matters that are really internal to employee discipline. They're concerned that their ability to manage and to do what they have to do could be affected. Negotiations for settlements with their employees is another example. For example, FETCO has a lot of our member companies, and some of these companies have told us that they have these concerns. That's why I put it in there.

Yes, it is rather cryptic, but I think that in the future you are going to be hearing from companies with these concerns. I'm just flagging the fact that this is an issue and that if the committee has not considered it, you should think carefully about these implications.

Mr. Walt Lastewka: I would ask that you be more specific in that area with regard to the feedback you have so that we as a committee can do our job.

Mr. Robert Keyes: I'm happy to provide some further information for you.

Mr. Walt Lastewka: You talked about estimated costs of the bill and so forth. At the same time, you said earlier that most companies apply, leaving me with the thought that the companies that don't apply voluntarily that are the problem—and that's the case. Where are the additional costs? Have you done an estimated cost of this bill?

Mr. Robert Keyes: We have not done an estimated cost. I'm expressing a general business concern about any increase in the regulatory burden, which is seen to add costs. Whenever there is a new law and, indeed, whenever there are voluntary industry codes, there are inevitably costs involved. The ability of some companies to cope with these is greater than the ability of other companies.

Again, perhaps there's a certain fear of the unknown as to what these requirements might turn out to be. The issue is, what will this impact be? Every piece of legislation and every law or regulation that is put through in Canada should have some assessment of competitive impacts. We're asking because we have not seen it. Has there been a competitive impact assessment done by Industry Canada, which has been responsible for part of this?

Mr. Walt Lastewka: I haven't seen it. Also, you haven't done it—

Mr. Robert Keyes: No.

Mr. Walt Lastewka: —but Canadians have told us very clearly that they have a great concern about privacy and the way that companies—maybe not 80% of the companies, but maybe 20% of the companies—don't respect the privacy of individuals. I think you would also agree that legislation and regulation usually come about as a result of people not doing things in the proper manner.

Mr. Robert Keyes: We understand the concern that Canadians have and why the legislative and regulatory system wants to respond to it. What we are saying is this: is there a way this can be responded to that does not unduly affect cost structure? That's a concern for business any time there is a new requirement or procedure. For smaller businesses, having to comply with things may be more difficult than it is for larger companies.

Mr. Walt Lastewka: I was looking for both of you to be coming forward with those recommendations. If you have a better way of doing things, then bring it forward.

Mr. Robert Keyes: This morning we talked about the voluntary codes and the role for voluntary codes, and this is a way in which the yardsticks are moving forward in many sectors, not only on the privacy issue. This is where industry associations are taking on a voluntary approach that is germane to their particular circumstances and is flexible and meets their needs.

• 0950

Whenever you impose law or regulation, it's a one-size-fits-all template. But it should not necessarily be the be-all and end-all. Maybe it becomes a base from which particular circumstances in certain industries.... Companies may well want to go further, and that's fine.

Mr. Walt Lastewka: But isn't that the value of using the CSA code, which was put together by business?

Mr. Robert Keyes: Yes.

Mr. Walt Lastewka: We're also being criticized for using that trade-off code. On the other hand, some people are saying there's a voluntary code that's been agreed to and it's something that a large percentage of industry has been doing voluntarily. I think both of you have said that.

Mr. Robert Keyes: Yes.

Mr. Walt Lastewka: It's the fact that we want to make sure that all industry uses it—

The Chair: I think Mr. Myers would like to respond, Mr. Lastewka.

Mr. Jayson Myers: I think one of my concerns about part 1 of the bill is that the bill does not necessarily reflect the principles of the code itself. For instance, there's a principle of consent in the code:

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Under safeguards, it says:

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

I'm not so sure that's reflected in the legislation that's before us. If these requirements are going to be legislated, I think we certainly should be looking for some definition of what sensitive information is and what it is not.

Yesterday we had a call from a local auto dealer who was concerned about this bill, concerned that he would not be able to go to his customers in Markham and carry out a survey or use the information that he had collected from customers, translate that into a report and disclose to the company the findings on customer preferences and the types of cars they like and whatever.

The concern is out there that standard business practices in terms of surveying customer preferences, doing marketing and advertising and just sharing information about customer preferences within an organization would be restricted by the bill in its current form—without the code's degree of flexibility. The bill does not reflect the flexibility of the code itself.

Mr. Walt Lastewka: On the other hand—

The Chair: Last question, Mr. Lastewka.

Mr. Walt Lastewka: —when I buy a car from a dealer, I don't expect him to sell the information I've given to him to insurance companies, rustproofing companies and other companies so that I get bombarded with congratulations for buying a new vehicle. It works both ways.

Mr. Jayson Myers: No, but you may expect him to be a little more sensitive in terms of your preference. I'll tell you that electronic commerce is moving very much to sharing information about design specifications across businesses.

Our concern is that if there are restrictions.... All we're asking for is a little flexibility and the recognition of the flexibility that is in the code itself. I think that's the point. If there is information being used inappropriately or if that information is sensitive, that then is an issue, but sharing information, collecting information and using it for the purposes that the information is being collected for is part of the code of practice there, and we would like to see that. If it is going to be enshrined in the legislation, we would like to see that flexibility there as well.

The Chair: Thank you, Mr. Lastewka.

[Translation]

Ms. Lalonde.

Ms. Francine Lalonde (Mercier, BQ): Good morning and thank you for your presentations.

As you no doubt know, since 1994, Quebec has had legislation in place to protect privacy in the private sector and Quebec companies have been subject to these legislative provisions.

Quite frankly, I was expecting you to give us an analysis of what Quebec companies that belong to your organizations have experienced. I don't doubt that such an analysis has been done. You would likely have reported on some of the inconsistencies in the legislation, but you would undoubtedly have noted that many companies are complying with this act. British Columbia's privacy commissioner told us that as a result of the legislation, insurance companies in Quebec had adopted a practice which was now being embraced by all of Canada, thereby benefitting all Canadians.

• 0955

First of all, do you acknowledge the need for privacy legislation in Canada?

[English]

The Chair: Mr. Keyes?

Mr. Stan Keyes (Hamilton West, Lib.): Yes.

Some hon. members: Oh, oh.

Mr. Robert Keyes: Thank you, Mr. Keyes!

Yes, on balance we do, because this is clearly the international direction. Through our international work and with the nature of the electronic commerce business being so international.... I think that for Canada to be consistent with the way things are happening in the rest of the world, this is the way it will be. We are getting on board. The United States is perhaps the exception, but I think the long view is that even in the States there are going to be directions. You do see voluntary measures in the U.S. Certainly from an international harmonization perspective, for Canada to be in the game we have to be in the same boat as everybody else.

The Chair: Mr. Myers.

Mr. Jayson Myers: We've had significant discussion about the legislation in Quebec, both among our division members in Quebec and in our business legislation committee. Certainly the larger companies are aware of the flexibility in the provincial legislation as well as the degree to which requirements are placed on them. But most of our members in Quebec are not aware of the requirements that are being placed on them. In that legislation, especially for smaller companies, there's a question about how this practically applies to them and a question about the extent to which they themselves recognize the requirements. That's an issue.

Another issue, of course, is that if we're trying to encourage electronic commerce or business in general, the last thing we need is a patchwork and a duplication of overlapping regulatory structures, private standards and legislative frameworks. That would only complicate what businesses are doing. I think there has to be national framework legislation, but I don't think our members are convinced that we need a framework at the national level that is either a duplication of or incompatible with what exists at the level of Quebec or of the other provinces.

Again, to the extent that there is some flexibility or recognition of best practice in this legislation, recognition that if companies meet a certain standard, are certified to a certain standard or meet the requirements of provincial legislation that meet the objectives of this bill.... I think that's the type of flexibility that should be a part of the legislation.

The Chair: Dr. Bennett, do you have anything to add?

Mr. Colin Bennett: Yes, thank you. On the issue of Quebec, I don't see any major incompatibilities between the Quebec legislation and Bill C-54.

Your question is correct in that companies that have been operating in Quebec have had to comply with that legislation for the last five or six years. There is a different enforcement structure. The Quebec commissioner has regulatory power.

• 1000

It was asserted earlier that the powers of the Privacy Commissioner in Bill C-54 are overly broad. I do not agree with that view. If you look comparatively at the powers that he's given here, which are basically ombudsman types of powers, advisory powers, they are in fact not so strong as those of privacy commissioners in Quebec and in the rest of Europe. There are no doubt some minor differences between the bill in Quebec and Bill C-54, but there is nothing that should really cause problems for companies.

[Translation]

Ms. Francine Lalonde: Thank you. As far as I know, that's not what some business organizations who will be coming before the committee to give testimony or to disclose their position are saying. Companies in Quebec will find themselves confronted with two different sets of standards and two different laws. Even when the same principles are invoked, the end result can be two very different legislative provisions. There are substantial differences between theses acts and this will pose a problem for Quebec companies which, before collecting certain kinds of information, will have to ask themselves if this information will remain in the province or be disseminated beyond provincial borders.

I'd like to come back to something you said, Mr. Bennett. You mentioned the European Union and noted that the directives or laws in force within the community grant broader powers to the individual who is the counterpart of our federal privacy commissioner. As in Quebec, the decision-making power rests with the commissioner. In light of what Mr. Myers and Mr. Keyes said, I think it's preferable to have it this way. Small businesses will need time to acquire the necessary means to apply the legislation, but ordinary citizen must also have some recourse under the law.

I believe you said you had no doubts that Bill C-54 was in compliance with the European Union's directive. Many people in Quebec, including myself, would disagree. Since the European Union only speaks out once a text has been passed into law, there is reason to believe that this bill has some major shortcomings, particularly section 3, the purpose of which is stated as follows:

3., The purpose of this Part is to provide Canadians with a right of privacy...

Would you care to comment?

[English]

Mr. Colin Bennett: Firstly, on the issue of Quebec and Bill C-54, I take your comments very seriously, but I remind the committee that the level of privacy protection in an organization or in a community is not just dependent upon what the law says. It's dependent on a whole range of other factors. It is dependent upon the actions of the citizenry, of consumers. It's dependent on the responsibility of the organization itself.

It seems to me that if a company were really responsible and believed very truly that their clients and their customers took privacy seriously, it would comply with the strongest possible standards for the protection of personal information. If there's any discrepancy between Bill C-54 and the Quebec bill, choose the one that is stronger.

I understand that this legislation raises a whole range of difficult constitutional questions. My understanding, however, is that certainly under contemporary circumstances, Bill 68 does not apply to the federally regulated sectors, so to the extent that this can apply legislative privacy principles to the banks, the transportation companies and the telecommunications companies in Quebec, the level of privacy protection in Quebec will be raised.

On the issue of the European Union's directive, one of the things our study found was that it's indeed extremely difficult to determine who is adequate and who is not adequate. It would be a mistake to think the Europeans now have a clear standard by which to check which laws are adequate and which are not. These issues will be resolved over time. They will be resolved on a case-by-case basis.

• 1005

My sense is that the principles enshrined within Bill C-54 are, broadly speaking, generally in compliance with the directive. Whether or not those principles are in fact going to be enforced and complied with across the entire Canadian economy is another question, one that can only be resolved as and when cases arise through the further directive and through the challenge of specific international data flows to specific organizations in different provinces in Canada. That's what our study tried to address.

The Chair: Last question, please.

[Translation]

Ms. Francine Lalonde: I'm sure you're familiar with the Owens report prepared for the task force on the future of Canada's financial services sector. Mr. Owens maintained that in the absence of federal legislation, the Quebec law applied to all companies operating within Quebec. Many companies feel that the same set of rules and standards should apply within the province. Do you intend to adapt to these legislative provisions, regardless of their nature?

[English]

The Chair: Mr. Keyes.

Mr. Robert Keyes: The law of the land is the law of the land, Madame.

The Chair: Thank you. Mr. Stan Keyes.

Mr. Stan Keyes: No, I'm all right for now.

The Chair: Mr. Bellemare.

[Translation]

Mr. Eugène Bellemare (Carleton—Gloucester, Lib.): Thank you, Madam Chair.

[English]

Are you representing the Canadian Chamber of Commerce?

Mr. Robert Keyes: Yes, sir.

Mr. Eugène Bellemare: In your mind, what should be prime: the business unit or the family unit—or, if you prefer, the individual unit? In making laws in Canada or any of the provinces, what should be prime in the mind of legislators? Should it be the individual—or families—or businesses?

Mr. Robert Keyes: I think legislators have an important responsibility to consider all elements of Canadian society—individuals, families and business—and achieve a balance. That—

Mr. Eugène Bellemare: When there is a conflict—

Mr. Robert Keyes: —by definition, is government.

Mr. Eugène Bellemare: That's a nice goody two-shoes answer.

Mr. Stan Keyes: It's a very political answer.

Voices: Oh, oh.

Mr. Eugène Bellemare: If there is a conflict, which group should be prime as far as making laws goes?

Mr. Robert Keyes: That suggests that you're looking for a winner and a loser, and I think everybody wants winners all around, if you can achieve it. I agree that it can be very difficult to achieve.

Mr. Eugène Bellemare: In your experience, are there more crimes committed by businesses towards individuals than by individuals towards businesses?

Mr. Robert Keyes: I have no comment on that, sir.

Voices: Oh, oh.

Mr. Robert Keyes: That's a judgmental issue, which I could not—

Mr. Eugène Bellemare: Are there more abuses by individuals contacting different businesses than there are by businesses abusing individuals, like, for example, in telemarketing?

Mr. Robert Keyes: Again, sir, you're into a judgmental issue here that I think is difficult to provide an answer for. There is the perception in society that businesses have powers that individuals don't have. Those are views and opinions, but I'm sure as well that there are many businesses who feel that their legitimate business right to do certain things should not be impeded.

At the end of the day, businesses are composed of individuals.

Mr. Eugène Bellemare: I get the answer between the lines that you're pro-business, and you will answer “family” and “wife” on any problem whenever it occurs—

Mr. Robert Keyes: No, I'm not saying that, sir.

• 1010

Mr. Eugène Bellemare: Should the right to privacy be flexible?

The Chair: Mr. Bellemare, are you addressing all your questions to the Chamber of Commerce?

Mr. Eugène Bellemare: No. I think Mr. Myers also falls into my net.

A voice: In the crosshairs.

Voices: Oh, oh.

Mr. Jayson Myers: I find it really difficult to answer such abstract questions at that level. I think if you look at the standards there that I would encourage most businesses to adopt.... In legislation that reflects standards, that information should be used for the purposes for which it is collected. Information should be provided to the consumers as to why that information is gathered.

You're talking about telemarketing and the fact that people are calling and maybe bothering consumers. I'm bothered all the time by telemarketers. Telephone numbers are in the telephone book. Surely you're not going to stop someone from calling me. That surely isn't what this bill is intended to do, is it?

Mr. Eugène Bellemare: I don't mind the calling; it's the tenacity in the call that bothers me. Then I get really annoyed if that particular phone line is unlisted but has been given to a particular business. Purchasing a car is an example. The auto industry has standards. Within the auto industry you do have second-hand car dealers who range over the total spectrum of ethics in the way in which they interpret the standards. Should they not have laws that would protect the consumer? Or should it just be “consumer beware” all the time?

Mr. Jayson Myers: There are a number of laws already out there that could protect the consumer—to the extent that it is possible. Again, there has to be some distinction here. We're not arguing that the free use of personal information of any sort for any purpose is okay. We're not arguing that at all. We're arguing for some degree of flexibility in recognizing what sensitive information is and what it is not and in recognizing that the information be used for the purpose for which it is being collected and that safeguards be applied, but again, reflecting what is appropriate and, above all, what is practical. The last thing—

Mr. Eugène Bellemare: Who decides that?

The Chair: Mr. Bellemare, I have another person who would like to respond to your previous question.

Dr. Bennett, please.

Mr. Colin Bennett: On this question of sensitive versus non-sensitive information, I know of few legislative regimes in the world in which there's been an attempt to define up front what is sensitive and what is not. Beginning in the 1960s, most laws have failed to define what is sensitive and have second-guessed the interests of consumers and individuals.

The example I always give is that my name in the telephone directory might be to my advantage, but my name on a blacklist is not to my advantage, because that's sensitive. It's the same information, but it's the context that's important.

As was said earlier, this is giving individuals the right to control the circulation of that information and to make sure that it is used only for the purposes for which it was originally provided. I see that as the central principle behind the CSA standard and Bill C-54.

The Chair: Mr. Bellemare, your last question.

Mr. Eugène Bellemare: One of you said it was onerous to comply with privacy issues. Which one of you said that? If you can, please identify yourself and answer that.

Mr. Jayson Myers: It's not onerous to comply to the standards affecting privacy or, for that matter, to the regulations affecting privacy, unless they are written in a way that would catch every single use of personal information regardless of the context of that information.

• 1015

Speaking in theoretical terms, I would think that the effectiveness of any regulation or of any piece of legislation is going to be determined by the extent to which businesses can comply to that regulation. If you're asking businesses to ask for the consent of consumers for every single transfer of information within the business or for every time information is being collected, regardless of the context, then, I think, you really run up against the problem that businesses simply cannot comply with that type of regulation. It's not that all standards and all regulations affecting privacy are bad or onerous, but there is a question of the practicality from a business point of view, from any organization's point of view.

The Chair: Thank you, Mr. Bellemare. Mr. Jones, please.

Mr. Jim Jones (Markham, PC): Thank you.

Given that 90% of all the e-commerce transactions today in Canada are with the U.S., given that 85% of our trade is with the U.S. and given that the U.S. has not implemented data protection legislation and appears to be relying on the voluntary code sector, do you think Bill C-54 would put our Canadian businesses at a competitive disadvantage relative to their American counterparts?

The Chair: Mr. Keyes.

Mr. Robert Keyes: Mr. Saunders will answer.

Mr. Phil Saunders (Chairman, International Telecommunications Policy Committee, Canadian Chamber of Commerce): I'll just make a couple of comments about that. I'm not sure if I can specifically answer your question concerning Canada versus U.S.

Your point is well taken about the current imbalance of trade between the two countries, but if I may, I would like to make the point that electronic commerce is by definition a global service. There is the opportunity for Canada to be very competitive and take the lead in providing a very attractive business environment in order for Canadian businesses to be competitive in the global marketplace. I would be concerned not only with the comparison between Canada and the U.S. but with any kind of legislation that would impose uncompetitive conditions or conditions on Canadian business that would make Canada a less attractive place for the performance of electronic business.

Perhaps the other relevant thing to keep in mind is that the nature of electronic commerce also means that businesses can quite easily relocate to a more attractive business environment. That again raises some concerns about the comparative competitiveness of businesses. I'm addressing your question in a roundabout way, but I think the short answer is this: yes, there is some concern, not only with the U.S. but with being vigilant in seeing how our legislation compares with and imposes obligations on business relative to world markets.

Mr. Jim Jones: I'm more concerned, though, with what the impact is on Canadian businesses in conjunction with the U.S. only, with respect to being out in front of them. It's nice to be a leader, but when the European market is about 2% to 5% of all of our activity and we're trying to be out in front.... Why aren't the Americans doing the same thing? We shouldn't be trying to be ahead of the Americans when the U.S. is where all our business is.

The Chair: Mr. Saunders.

Mr. Phil Saunders: If I could just add one more thing before I give Mr. Keyes a chance, let me say that I think the answer is that the U.S. is holding back because it is getting a lot of pressure from its businesses and their natural concern about over-regulation of business.

I think there is also a general theme: they are very conscious of electronic commerce as a fairly new area that needs to be understood in terms of the nature of the impact on business that electronic business brings with it.

• 1020

We've seen something like this in other legislation, in taxation and tariffs, for example, where a moratorium would be agreed to while more experience is gained, and in this case, so that we can understand the impact of electronic commerce on business.... I think that's one of the reasons why the U.S. is holding back. The Europeans, on the other hand, tend to be more comfortable with a more regulatory environment, so they have moved ahead and now we have great concerns between those two blocs.

I will let Mr. Keyes put some more common sense behind that.

Mr. Robert Keyes: I have just a brief thought. The regulatory approach is one side—where the U.S. is officially going—but I think it would be worthwhile to see where various industry sectors are on a voluntary basis in terms of codes, because I think that also has to enter into the equation. They may well be moving well down the road on a voluntary basis, because a lot of companies know that if they don't do things in the right way the market is going to punish them. The marketplace is just too fierce, and if it gets known in the market that you're a bad actor, you'll pay for it and consumers will shun you.

The Chair: Mr. Myers, do you want to add something?

Mr. Jayson Myers: Yes, only to say that the implications of part 1 of this bill go way beyond electronic commerce. Again, the treatment of personal information affects companies outside of the electronic marketplace, companies that have operated and are operating here in Canada and are doing so reputably, and are, I think, very sensitive to the concerns of consumers and the treatment of personal information.

Again, without some recognition of building some flexibility into this piece of legislation, one thing that we do risk here is putting an undue and onerous regulatory system of compliance requirements on companies. Certainly the competitiveness impact is going to hit small businesses as well as large businesses, but it may not even have anything to do with electronic business.

The other aspect of this, though, is that of course electronic commerce is global today. I really have to question to what extent a piece of domestic legislation in Canada is really going to be all that effective in protecting consumers from access to personal information, which, by the very nature of the technology itself, may provide them with a certain degree of information.

Certainly it may have an effect here in Canada, but I think that Canada should be championing in an international forum some of the very same principles that are enshrined in the business principles that have been developed by consumer and business groups in Canada, which Industry Canada has aided and assisted in. We should be championing those principles at an international level. We're not going to do this alone here in Canada.

The Chair: Thank you, Mr. Myers. Dr. Bennett.

Mr. Colin Bennett: An unfortunate implication of this bill is that people outside seem to think that it's solely concerned with electronic commerce. In many ways, it isn't. This represents an attempt to catch up. The first data protection law is dated from the early 1970s, so it does apply a lot.

On the international question, there's no question in my mind that there's now a ratcheting up of the international standard for personal data protection. The standard, like it or not, is that which is included in the European Union's data protection directive, which is not inconsistent with previous international guidelines from the OECD, the Council of Europe and so on.

Regarding the trade issue in the United States, it's important to realize that it's not just the Europeans that we should be concerned about commercially. Many other countries are following the European lead, such as Australia, New Zealand—which already has—Hong Kong and other countries in the Pacific Rim. The sum total of trade with countries that have data protection laws and, indeed, have the powers to prevent flows of international data to Canada, is in fact a lot higher than the 5% or 6% that you cited.

• 1025

On the question of relocation, I don't know of any company that's moved out of Quebec because of the legislation there over the last several years. I may be corrected, but I don't see that it has ever been a barrier to doing business. Essentially, when we come down to it, the case study that we did on electronic commerce, this work.... The principal implications of this bill for electronic commerce are: one, you keep information such as credit card numbers secure and confidential—who can quarrel with that?—and two, if you're going to pass this customer information on to somebody else, you make sure that there's a notification and you give the customer the opportunity to opt out. These are exactly the rules of the Canadian marketing association.

On balance, I see that the advantages of privacy protection and the benefits of securing greater consumer confidence in the electronic commerce environment far outweigh the business costs of complying with these rules.

The Chair: Thank you. Mr. Peric.

Mr. Janko Peric (Cambridge, Lib.): Thank you, Madam Chair.

Mr. Keyes, how old are you?

The Chair: That's a personal question.

Voices: Oh, oh.

Mr. Janko Peric: Are you married?

Mr. Robert Keyes: Yes.

Mr. Janko Peric: Do you have children? What is your income?

Let's say that I am a car dealer. You come to my office looking for a car. I'm going to gather all the information from you and you're going to walk away and get back to me. The information is still in my computer. Or I'm a banker and you're looking for a loan of $2,000 or $5,000. I'm going to get every bit of information from you. Or I'm an insurance agent. It's the same thing. You're going to walk away. You're shopping around for the best deal, but that information is still there with me—or with anybody else.

You mentioned that the Privacy Commissioner would have too much power, but at the same time, as an individual giving that information, that information stays on.... One constituent of mine called me and said he went to the bank a couple of days ago looking for a small loan. He didn't get the loan, but when he went back the information was still in the computer. He asked them to erase that information and they said no. They said they couldn't. According to you, the commissioner would have too much power, but according to me I'm not protected enough.

Do you feel that as individuals we have a right to be protected, as Canadians, as taxpayers? What information I'm going to give them—to whom and what it is—is up to me. If I don't like it, if I walk away, I'll ask you to erase that information from the computer and you're arguing.... I don't know what you're going to do with that information. Where are you going to pass on that information? Let's say my dentist has just retired and has sold his business to a young dentist. Let's say I don't like that particular young dentist. My information stays with that young dentist. I have no right...or I don't know what the young dentist will do with that information. Do you have any comment on that?

Mr. Robert Keyes: I think we absolutely have a right to privacy. I don't know the extent to which all those uses that you cite would keep that information. If you go to another dentist, they will probably send the file down the line. There's a balance to be found, and I think this is the business concern.

There are probably certain non-sensitive types of information, like your name, your address and your telephone number, which are in any directory. Perhaps even your occupation is in a lot of the city directories you can find in the library.

• 1030

Where the bridge, the balance, is between that kind of information and some of these other personal details that you may have provided and were clearly intended for that purpose only.... As an individual, I wouldn't expect the people to whom I was talking to use that information for other purposes or to pass it on.

On the other hand, a view might be that if they develop a new product a customer was looking for, that customer should have the opportunity to hear about that product, so the company uses that information for quite legitimate marketing purposes. I think the difficulty is to find the balance between what is or is not a legitimate use of that kind of information.

Mr. Janko Peric: There could be two different opinions about what is legitimate and what isn't.

Mr. Robert Keyes: As Mr. Bennett said, that's the difficulty in trying to define it. At some point, are we going to be asking the Privacy Commissioner to try to make that judgment—

Mr. Janko Peric: But if I can't come up with—

Mr. Robert Keyes: —and giving him considerable leeway and power to do that?

Mr. Janko Peric: Where would my constituent go if the bank would not erase that information in the computer and there is no commissioner with the proper tools to act with? What choice does this constituent have?

Mr. Robert Keyes: Pardon?

Mr. Janko Peric: What choice do constituents have? Where would they turn?

Mr. Robert Keyes: Any time you make any sort of contact on any sort of level, I guess, you are offering information.

The Chair: Mr. Peric, we're having a meeting with the banks this afternoon, I think, or at another time. You can ask them directly about your specific case, but you may also want to take a look at the code to get some ideas of what's covered and what's not.

Mr. Janko Peric: Thank you, Madam Chair.

The Chair: Thank you.

Mr. Myers, do you wish to reply?

Mr. Jayson Myers: Again, I will just say that we're not necessarily arguing against a set of standards or, indeed, regulations that would affect the collection and dissemination of sensitive information.

But are there not also areas—and I'm throwing this out for discussion more than anything else, as something to think about—in which information could be shared within a business and which might actually protect consumers, such as sharing information about credit risk, sharing information about...? I don't know, but I think that's one area that would stand out. I'm not sure that all types of information dissemination, even for what I would think is information of a highly sensitive nature, such as my income or my assets.... I don't know if requiring the consent of the individual before sharing that information within an organization or across organizations is or is not in the best interests of consumers.

The Chair: Thank you very much, Mr. Peric.

We're going to run out of time. I have a number of people still on the list for questions, so I'm going to ask everyone to try to be as brief as possible.

[Translation]

Ms. Lalonde.

Ms. Francine Lalonde: Mr. Bennett, you concluded by stating that your study had exposed the need for harmonized privacy legislation at the provincial level. A process had been launched and Quebec fully expected the federal government to look to the Quebec act, to draw on the province's experience in this area and to recognize the role it and the other provinces play. Instead, the federal government decided, for reasons only it knows, to fast- track this initiative.

• 1035

In your view, hasn't this caused a serious problem?

[English]

Mr. Colin Bennett: Let me say to begin with that I've been a supporter of the Quebec legislation from the beginning. I believe that Quebec deserves a great deal of respect and congratulations for having legislated in this area before any other jurisdiction in North America. Because I only had five minutes to speak, I wasn't able to discuss the Quebec legislation in any detail. There's no question in my mind that the existence of that legislation in Canada has been one of the primary reasons for why we now are where we are today. By “harmonized privacy legislation at the provincial level”, I did not mean to suggest that Quebec should re-legislate and pass another law based on the CSA principles.

Essentially I'm in agreement with the strategy of Industry Canada here, which is to say that Bill C-54 will apply to some businesses initially and will apply in three years' time to provincially regulated businesses unless substantially similar legislation is in place. I think that's an effective strategy.

Had they not said that, provinces such as British Columbia, where I come from, or Ontario would not have taken this issue so seriously and we would still have been in the position where large numbers of businesses in Canada would not need to comply with privacy rules. You'd have a large number of free riders. What I'm saying here is that it makes no sense for other provinces—except Quebec—to legislate to a standard that is different from the one in Bill C-54, the CSA principles.

[Translation]

Ms. Francine Lalonde: Should the current legislation, in your opinion, continue to apply to all of Quebec? I'm not talking here about how we should apply the legislation. Don't you think that having two sets of standards will create a problem? I agree that the main problem is getting companies to apply the law. Won't it be even more difficult if there are two different laws on the books? Bill C-54 may be somewhat vague when it comes to what companies must do, but the fact is that there will be two separate pieces of legislation, the objective being to protect privacy and promote commerce. That doesn't make a lot of sense.

[English]

Mr. Colin Bennett: Given the complexities of our Constitution, I think—

[Translation]

Ms. Francine Lalonde: I wasn't talking about how the legislation should be applied.

[English]

Mr. Colin Bennett: —that in some respects there's going to be a certain amount of nonconformity anyway.

The difficulty is in defining what information is in Quebec and what information is outside Quebec, given contemporary technologies and given the complexity and the dynamic network nature of the international economy. It may make a great deal of sense internally to have the existing Quebec Bill 68 apply to the banks, to the telecommunications industry and to transportation. But what happens when that information is processed externally? What happens when it's transferred interprovincially or internationally?

Finally, I will just say this. To repeat what I said earlier, we could talk about specifics—and probably this is not the time to get into that kind of detail with the comparison of the two laws—but I don't see an enormous problem or an enormous difference between Bill C-54 and Bill 68. Both of them are based on commonly recognized privacy principles.

• 1040

The first book I wrote tried to trace the harmonization or the convergence of international privacy principles around the world. Of course, those principles have to be applied within different jurisdictions—such as Quebec—with different legal traditions and with different methods of enforcement. At the end of the day, I'd say that when you actually come down to examining the rules with which companies have to comply, the distinctions between Bill 68 and Bill C-54 are not that great and can be worked out over the period in which this law has to be enforced.

The Chair: Thank you very much, Madame Lalonde.

Mr. Lastewka, briefly, please.

Mr. Walt Lastewka: Thank you, Madam Chair. I have just a couple of questions.

One is for the alliance of manufacturers. You said that there must be a “clear distinction”. You've talked about what's sensitive and what is not sensitive, but from whose point of view? Similar to the request I made to the chamber in regard to their first item, I would ask that you give us more information, collected from your companies in a prioritized way, and that you tell us what the items are more specifically rather than making a general comment, so that the committee could go forward on it.

Mr. Jayson Myers: I could respond to that.

We had the opportunity of meeting with Industry Canada officials and our business legislation committee. The concern comes from the lack of assurance that this bill would not restrict the ability of a company to carry out fairly regular business practices, such as keeping track of your clients' telephone numbers and sharing that information within a company. There is no assurance. A number of issues—

Mr. Walt Lastewka: Maybe I want to stop there, because I have a limited amount of time.

Could we go beyond that one? That one has been discussed. Do you have any other examples?

Mr. Jayson Myers: We have a lot of concerns out there and I would be glad to document them.

In terms of what is sensitive and what is not sensitive or what is an appropriate use of information and what is not an appropriate use of information, again, it very much depends on the context. I'm using telephone numbers just simply because it's an easy example. If information is publicly available from some other source, then, I think, that's a rule that could apply to a non-sensitive type of information that might be of a very personal nature—

Mr. Walt Lastewka: That's why I asked you to go beyond that. We've had a lot of discussion on the telephone number, the address, the e-com number and so forth. Are there any other items that you have brought forward?

Mr. Jayson Myers: There is the collection of information from customers about, for instance, what type of design specifications they like to see in their cars. Today especially, as more of that information is being translated around the supply chain of companies dealing with car design and engineering, I'm not so sure that it's necessary for the consumer to give his or her consent to Lear Seating because there is personal information that someone likes leather seats, with that then being translated down the supply chain.

We have not received any assurance that the transmission of information like that would be outside of the legislation as it currently is.

Mr. Walt Lastewka: My next question—

The Chair: Thank you, Mr. Lastewka. I have to move on because I'm running out of time. I'm sorry.

Mr. Murray.

Mr. Ian Murray (Lanark—Carleton, Lib.): Thanks.

I want to come back to this question of transfer of personal information within a corporation or a group of related companies. That's recommendation 4 in suggestions for improvement in the chamber's presentation . I really want to know how carefully you've thought this through.

It's interesting that Mr. Myers, in response to a previous question...[Technical Difficulty—Editor]...that, for example, information on creditworthiness may be of some value to consumers if one were able to transfer it within a company.

• 1045

I met just yesterday with senior representatives from a multinational company that's actually involved in the collection of information dealing with creditworthiness. They were quite pleased to let me know—I hadn't asked them about this—and they wanted to assure me that at this time they have very strict controls on the transfer of that information within their company.

Then I saw this recommendation 4 in the chamber's presentation, which says:

The legislation should allow this type of personal information transfer, within a company or group of related companies, without triggering the need for additional customer consent.

My first reaction was, how carefully did you think this through when you were drawing up your “wish list”, let's say—not to make light of this—of recommendations for change? I think the bias of many members of this committee is that of protecting personal information, protecting people's privacy, rather than trying to facilitate commerce, if the question is about which should have privacy. I just wanted to ask you about how important that recommendation is to you. Do you have some examples of why it should be changed beyond blanket controls that might impede business? Do you have a suggestion?

Mr. Robert Keyes: I've reflected comments that I've received from several companies. In part, I guess, it's the uncertainty about how the law might or might not prevent them from doing this and whether information that's received in the course of purchasing a product could be used in the credit division of that same company without the customer's consent. Is it going to mean that if you go in to buy the car and you apply for credit from Ford Motor Credit, or whatever it might be, the customer has to give consent for some other part of the same company or even within a dealership?

People are looking for clarity and searching for answers here, and to the extent that the legislation can be as specific and clear as it can be, I think it'll really help clear away some of the fog there. Again, we're dealing with a bit of the fear of the unknown.

To assume that all businesses are going to use information illegitimately is not right and to assume that it's always going to be abused is not right, because business has an interest in making sure that the information they are entrusted with is used in the right way. If not, the marketplace is ultimately going to punish them. Again, it's back to this balancing. If there are practical things you need to do in the course of your business, let's just make sure that we're not going to hinder those operations.

Mr. Ian Murray: Mr. Myers.

Mr. Jayson Myers: I think that all business is asking for is some clarification of the types of information and the types of circumstances that would or would not be covered by this legislation. I'm sure that credit managers do have their own code and adhere strictly to it, but I wonder if that code itself would be recognized as sufficient within the current legislation.

Mr. Ian Murray: Thanks.

Mr. Robert Keyes: I have just one final point. These definitions in the bill are very broad and all-encompassing. One can understand that, since they have been drafted from that perspective, but people are asking if they are perhaps a bit too broad.

The Chair: Mr. Shepherd.

Mr. Alex Shepherd (Durham, Lib.): I'll be brief because I know we're running out of time.

I have a general comment. One of the government's orientations to this legislation was to enhance electronic commerce. I'm wondering why you didn't address that in your brief in the sense that there's a real concern among the public: they don't trust using electronic facilities.

• 1050

I was surprised in some ways. I would have thought that because of its efficiency and its ability to reduce business costs, your organization would embrace the ability of more people to enter the system and to do more of their business using electronic commerce. That's really the whole thrust of why the legislation is here.

I'm surprised. Most of your brief, to my mind, is defensive; it's about how business is going to be inconvenienced by this. You didn't seem to take the positive approach, and that is, how our business is going to be enhanced because of more people using the information highway and conducting their business on the Internet.

Mr. Jayson Myers: May I speak first? We fully support parts 2 to 5 of the bill. We think this is a really good step forward. It's in part 1, I think, that there are a lot of questions. With the way the bill is structured right now, with the lack of clarity and the inflexibility that might be there, I think it would impede the development of electronic commerce infrastructure.

Also, I'm not so sure that it really does meet the concerns of consumers. I would rather see a code of standards. Again, we certainly have been working along with consumer organizations to develop a code of standards treating not only the way that personal information is shared but the way that electronic transactions are actually carried out on the Internet. We support the development of a program that would encourage a greater degree of awareness about what some of the problems are in terms of the use of the Internet.

The issues about electronic commerce certainly go well beyond the issues of privacy themselves. I totally agree with you. We should be putting in place an infrastructure that would promote both the use of electronic commerce by consumers and the development of an electronic commerce infrastructure by business, but I don't think this bill gets us there at all in terms of that one part of the bill.

Again, parts 2 to 5 are quite good and very progressive, but the area in which we have the greatest problems is this sort of blanket approach to issues of privacy, in a way that really doesn't reflect, I think, where business or consumer groups have been coming from in the development of standards and codes of conduct related to the Internet.

I think the codes themselves are far more progressive than the requirements that this legislation would put in place. I refer you to—I don't know if they're public yet—the principles that were developed by Industry Canada for the treatment of electronic commerce and consumer protection.

Mr. Alex Shepherd: So do you think that rather than using a holistic approach we should be more selective? Are you saying that it should be non-governmental?

Mr. Jayson Myers: There are certain standards, certain regulations, in place that are probably much more progressive. I think a part of the flexibility of this legislation should be a recognition that.... The objective of this bill is the protection of personal information in electronic commerce. We agree with that objective. I think it's an important objective. I'm just not so sure that trying to regulate the minutia of the types of information and the uses of information and building up a super-regulatory requirement to be placed on businesses will get you to that very flexible type of business that would protect consumers.

The Chair: Mr. Saunders, do you wish to reply as well?

Mr. Phil Saunders: Thank you. If I may, I will just add to that.

From a business point of view, we are very strongly supportive of the general intentions of the bill. We think there's a significant opportunity here for Canada to show some leadership and demonstrate that there is legislation being put in place to make Canada the location of choice for both business and consumers. We are very supportive of that and that is not inconsistent with our desire to have the opportunity to work with you on some of the areas, which we think will make it more effective and better in regard to areas of some concern.

Hopefully everybody would agree that there's room for some improvement and would see some value in a collaborative effort between business and government to just see if we can add some clarity and address some of the areas of concern without giving up the main principles that we jointly are trying to drive towards.

• 1055

The Chair: Thank you very much, Mr. Shepherd.

I want to thank our witnesses for being here today.

I've watched the questions go back and forth. I have one final question for the three of you. It relates in particular to a number of things that Mr. Myers said: that information should be used for the purpose for which it is collected and that information for the consumer should be there.

We've had witnesses before us in the past few weeks who have talked about the fact that—and some of our members have talked about it as well—Crayola, as one example, has a cookie on its screen that children are to respond to.... It's the type of thing that says, “this information will be used for other purposes: yes or no?”.

I'm just not sure if I would even consider it onerous. I don't see the difficulty for businesses in having to ask consumers the question. I've seen it on surveys before and I've answered yes or no, depending on my preference at the time. I don't understand the fear. I don't understand the fact that you can't just ask to ensure that your colour and your type and the type of cars go on there and are provided to manufacturers. I think it's simple. You say, “This survey is being conducted for this purpose. Do you agree that this information will be provided? Yes or no?” If they say no, you don't continue with the survey. If they say yes, you continue with the survey. Is that an onerous thing for business?

Mr. Jayson Myers: I don't think that's onerous at all.

The Chair: That's the consent. That's the whole basis of the bill.

Mr. Jayson Myers: But it's not so sure about whether the consent is required for any transfer of information and for the use of that information afterwards within or between companies. That is a concern. We—

The Chair: Mr. Myers, with all due respect, my point is this: if you ask a question, you spell out the purpose to the consumer and the consumer says yes or no, then you have the right to continue to use that information for the purpose identified. That's my point and that's my understanding of the legislation.

If that's not your understanding, then perhaps we need to have some officials sit down and review the bill with you. I've watched the conversation go back and forth, Mr. Myers, and the whole premise is consent. If you get consent and I, as a consumer, say yes, you can use this information for the purpose identified, which is to go to the manufacturers and say that this many consumers like this type of car or want this in their vehicle, fine. But if I say no, I don't want that information passed on.

As an individual, I actually believe there are certain things right now.... I'll give you my example. I come home and my mailbox is full of what I consider to be junk mail. Do you know what that means? It means my mail-person won't put any more information in my mailbox, so I don't get my bills, I don't get my important information because I'm gone for five days and I come home to a stack of stuff I didn't ask for.

I think that as a consumer the question is consent. Some things I've asked for. Some things I want information on, like the information from clothing stores I shop at where I tell them I want to be on their mailing lists. It's a question and the answer is yes. Or it's no, and I say I don't want to be on their mailing lists. It's a box. It's a one-step question as part of your survey. The bill doesn't prevent you from going forward with that information and using it for the purpose identified. My concern is—maybe, Mr. Keyes, you'd like to respond—whether it is onerous.

Mr. Robert Keyes: No, I don't think it's onerous. I think we're going to run into some practical questions about how often you have to ask this, about what information it will cover, about whether there are certain pieces of information you would be quite happy to pass on or have passed on and not others. There are practical questions in terms of how often, when it's asked, how it is asked and, then, how this will fit within the goals of the legislation that people are scratching their heads over?

The Chair: Well, again with all due respect—

Mr. Stan Keyes: It's not rocket science.

The Chair: It's a yes-or-no question every time you do a survey. If Crayola can do it for children—which is another issue for this committee, whether children have the ability to consent—I think businesses in Canada should be able to ask consumers 18 years of age and above to say yes or no and ask them if they consent every time they do a survey, every time they fill out an application. You'd be surprised at what's on the back of your credit card applications when you actually read the print. There are a lot of things there that people don't read. You'd be surprised how many times you consent to certain things. It's an issue of consent, of yes or no, and—

Mr. Robert Keyes: After the first time you use your credit card at a store, you may get something from that store down the road. They send it to you because they have a credit card record of you, so every—

The Chair: But again, I think the legislation is allowing for a certain time period for people to adjust their applications, their services, etc.

• 1100

It's very similar to other pieces of legislation. This applies first to federally regulated types of operations and then to others, and there's a time period involved.

Again, I'd appreciate your comments and your feedback from meeting with the officials on this issue, because from what we've been hearing in the different examples that have come forward, I don't see that as onerous. Maybe other members of the committee do.

Mr. Myers.

Mr. Jayson Myers: Madam Chair, if it's that simple, I don't think that it's onerous at all. The problem comes when it's not that simple and when information that may be gathered with the consent of a consumer, for instance, at the level of an auto dealer, is passed, for instance, to a car company and then is used for product improvement. It's transmitted within the branches of the car company to their engineers and their design companies, and that type of information, at the beginning, may be covered by a consent on the original survey.

You asked us about whether or not we met with officials. We have met with officials and we had a meeting of a number of companies that were raising very specific problems with officials. The officials were not able to tell those companies how that legislation would apply to those specific issues. In fact, in a lot of cases, they said they didn't know, that the companies would have to figure it out for themselves. That's where the real uncertainty arises.

Mr. Robert Keyes: Yes.

Mr. Jayson Myers: Again, if there were some clarification, that would be fine. I'm sure that in the end that's exactly what—

The Chair: Mr. Myers, we'll be meeting with the officials again. The officials are here listening to the testimony and the evidence. I'm sure questions will come up.

I want to thank you all for being with us.

Dr. Bennett, we appreciate you coming from Victoria—and everyone else who has travelled a distance. We look forward to the future results of this bill.

Members, we have another item on our agenda. We'll have to deal with it this afternoon at 3.30, when we'll be meeting in room 536 in the Wellington Building. We'll then deal with Mr. Pankiw's motion first.

The meeting is adjourned.