INDY Committee Meeting

STANDING COMMITTEE ON INDUSTRY

COMITÉ PERMANENT DE L'INDUSTRIE

EVIDENCE

[Recorded by Electronic Apparatus]

Tuesday, March 2, 1999

• 1534

[English]

The Chair (Ms. Susan Whelan (Essex, Lib.)): I call the meeting to order pursuant to an order of reference of the House, dated Tuesday, November 3, 1998, consideration of Bill C-54, an act to support and promote electronic commerce by protecting personal information that is collected, used, or disclosed in certain circumstances by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act, and the Statute Revision Act.

• 1535

We have a number of witnesses with us this afternoon. From the Certified General Accountants' Association of Canada we have Mr. Mark Boudreau, vice-president, public and government relations, and Mr. John Yu. From Bennett Gold Chartered Accountants we have Mr. Robert Gold. From Equifax Canada we have Mr. Jackson Chercover, secretary and barrister and solicitor. From the Canadian Bankers Association we have Andrew Finlay, senior counsel, and Allan Young, vice-president. From the Western Forum of Credit & Financial Executives Association we have Mr. Paul Cook, legislative committee chairman.

I'm very pleased you're all able to join us this afternoon. We have another item of business on our schedule from this morning; however, again, we don't have nine. So until we have nine, Mr. Pankiw, I propose that we hear the witnesses first, and then hopefully when they're finished their presentations, if we have nine, before we entertain questions we'll move to your motion. Is that okay?

Mr. Jim Pankiw (Saskatoon—Humboldt, Ref.): Thank you.

The Chair: So unless you have a different order I don't know about, I'll just begin as listed, from the Certified General Accountants' Association of Canada, Mr. Mark Boudreau or Mr. Yu.

Mr. John Yu (FCGA, Certified General Accountants' Association of Canada): Thank you, Madam Chair. We're very happy to be here this afternoon.

I'll give just a brief word on who we are. The Certified General Accountants' Association of Canada was formed in 1908 and chartered by an act of Parliament in 1913. We're a self-regulating professional body with over 60,000 members and students. Our members are professional accountants. About 20% of our members are employed in federal, provincial, and public services.

We are internationally active. We are a voting member of many international accounting bodies. Our program of studies is well known internationally and exported to many countries. There are CGAs in various parts of the world. So our interest in e-commerce is obvious. Our program of study is delivered by electronics using an Internet model.

Now, speaking on Bill C-54, we believe the bill is a very important bill to protect privacy and enable e-commerce. We believe it's needed for trade, particularly with OECD countries and in the e-commerce area. This is a two-part bill. We believe the bill would be better if it were broken up into two parts—into two actual separate bills. One would deal with protection of privacy in the private sector. Then the electronic document bill, which is really a housekeeping bill, ought to be a separate bill. That's our opinion.

Regarding the privacy protection part of the bill, we believe it's a good beginning for protecting privacy for Canadian consumers. It has a narrow commercial focus. I think as Canadians we need better privacy protection in all sectoral activities, including non-commercial activities.

The bill provides for a privacy commissioner. We believe this is a weak provision. Because the bill provides a complaint resolution mechanism only, the commissioner has investigative power but no authority. The privacy protection is a reactive rather than proactive provision. Individuals can only complain if their rights are violated. The difficulty often for consumers is knowing that their rights have been violated.

The limit of punitive damages of $20,000, as provided in the bill for courts, is way too weak. Particularly in the e-commerce area, violators would simply discount this as a cost of doing business.

I have just a few specifics on the bill. We're going to keep our presentation very short and to our time limit. So we're going to speak briefly on division 1, clause 7, and part 2, clause 31.

Division 1, paragraph 7(1)(a), enables data collection without consent if such data collection is clearly in the best interest of the individual. Well, who decides what “best interest” is? Individuals should have the right to make that determination to protect their privacy.

• 1540

Division 1, paragraph 7(1)(c), provides exemptions to journalistic, artistic, and literary work. We believe this exemption is not justified unless these occupations have the same strong code of ethics as the CGAs do to protect the public.

Division 1, paragraph 7(2)(d), provides no safeguards against the use of the information collected without consent. Without safeguards, individuals really have no protection, because their data can be disseminated at the click of a button.

Lastly, we want to talk about part 2. Part 2 is generally a housecleaning part of the bill, and we're happy with it. In subclause 31(1) we would like to see the definition of electronic document made more general, as we know that electronic data will exist in many forms and in many types of equipment other than computer systems or other similar devices as provided for in subclause 31(1).

With the exceptions noted, CGA Canada supports Bill C-54. We commend the government for moving ahead with much-needed privacy protection for Canadian consumers. A copy of our brief is available at the back.

Thank you very much.

The Chair: Thank you very much, Mr. Yu.

Mr. Gold.

Mr. Robert Y. Gold (Managing Partner, Bennett Gold Chartered Accountants): Thank you, Madam Chair.

My name is Robert Gold. I'm a chartered accountant and a managing partner of a local Toronto firm known as Bennett Gold Chartered Accountants.

The Canadian Institute of Chartered Accountants and the American Institute of Certified Public Accountants in partnership initiated a program called WebTrust. WebTrust requires a web site to disclose its business practices and to follow those business practices. It requires a web site to maintain effective controls over the integrity of the transactions and, most importantly, WebTrust requires a web site to maintain effective controls to protect private customer information.

I'm here wearing a couple of hats. I'm the managing partner of a CA firm. I'm the managing partner of the first WebTrust licensee firm in Canada, and our firm was the first in the country to post a web site seal on an e-commerce business-to-consumer web site.

I don't take issue with Bill C-54, and I don't propose any amendments.

The one hat I'm wearing is as a WebTrust licensee, certified and trained by the Canadian Institute of Chartered Accountants to do WebTrust audits and e-commerce certifications.

I want to make a major point, and then I want to move on to the two documents I've handed to you. What we're really looking to present is the belief the committee must consider WebTrust principles and criteria as a vehicle for protecting the public interest and creating consumer confidence in the Internet. Specifically, the privacy commissioner must consider using the principles and criteria of WebTrust as the basic methodology for auditing the personal information management practices of organizations conducting business on the Internet. That's my one hat.

The other hat has to do with privacy and consumers. We're all consumers, we all deal on the Internet to some extent, we all send e-mails, and we all purchase things.

Along with our submission, which I will leave with you to consider, I've also handed out three pages of newspaper headlines. These are all current headlines.

This is the hat that I think is the most important. It's well and good to be a chartered accountant and a WebTrust licensee and to understand how to audit the privacy protection issues of an e-commerce web site, but it's something else to be at home working on my computer, while my family and my colleagues work on theirs, and to be concerned about the privacy protection on the Internet.

Hopefully you'll get a chance to look at these pages we've give you. All of these headings are from recent newspaper articles: “Security breach exposes private Air Miles data”; “Personal data of Air Miles users available on the Web”; “Surfer stumbles on credit card cache”; “Beware of fraud when selling on Net”; “Web security breach ignored”; “Canadian police confounded by information-highway robbery”; “Trust is key in web shopping”; “Internet scams spur charges”; and one that is pretty scary, “Patient records on Web 2 months”.

We have mounted this web site using a play on the term “air miles” to retain consumer recognition, and we've called the site Scare Miles. At Scare Miles we've also built an important resource link for e-commerce privacy, trust, and assurance. That's all on the web site, and we've listed them on page 2 of this coloured handout. Every one of the 13 or 14 web sites we've listed there are privacy pages, privacy forums, privacy organizations, Internet fraud organizations, all the things that are the most important to a consumer.

• 1545

Without some form of standards of principles and criteria in Bill C-54, standards that are not set in concrete, as legislation is likely to be, but are evolving, such as CA WebTrust, where privacy protection changes and our criteria change as the technology and the Internet change, whatever the committee and the privacy commissioner do in 1999 will not be good enough in 2002.

The version of WebTrust we're working with now is version 1. Version 1.1 is out in draft form to our profession. It addresses on-line banking and electronic trading. Version 2 is coming out in the summer. Version 2 is expanded privacy disclosures.

I've had meetings with Ann Cavoukian, the Ontario privacy commissioner. Her issue is that privacy disclosures must be posted everywhere that is obvious, everywhere a consumer would go on a web site where information is taken or exchanged. That is the area WebTrust is evolving in its principles and criteria. Right now we audit the protection of information. By this summer we will insist that our client base post all the privacy disclosures, the cookies, and the exchange of information on the web site.

So in conclusion, the hat I'm wearing here today is to ask you to please take these headlines seriously. They scare me, and they should scare you. They should scare you if you have children or if you do any business on the Internet. Only with a good solid methodology and principles and criteria for reviewing e-commerce practices can we assure that Canada can become what our Prime Minister wants it to be by the year 2002, that is, a leader in e-commerce around the world.

Thank you.

The Chair: Thank you very much, Mr. Gold.

Now I'm going to turn it over to Mr. Chercover.

Mr. Jackson L. Chercover (Secretary, Barrister and Solicitor, Equifax Canada Inc.): Thank you, Madam Chair and ladies and gentlemen.

I understand that the written submission is available on Industry Canada's web site, so I will not repeat it. But I will inform you that Equifax Canada is the country's largest credit reporting agency, collecting and storing credit information on some 19 million Canadian consumers. This information is disseminated in accordance with provincial law to its members, which include, of course, credit card issuers, financial institutions, major merchants, and agencies of government. In the last year 28 million such reports were issued.

In that submission Equifax has tried to demonstrate that it is unique among all Canadian businesses to which this legislation will apply, for two reasons. Firstly, unlike a host of business organizations that use information as an adjunct to the products and serves they sell, in the case of Equifax or consumer reporting, information is the product. Secondly, although clearly within the constitutional jurisdiction of the provinces and therefore subject to their regulatory regimes, this legislation will apply immediately to Equifax. There will be no three-year hiatus, since this legislation refers to the exchange of information interprovincially. So Equifax will face in effect double compliance, as it were, from day one.

Equifax has served Canadian businesses and consumers through the facilitation of credit transactions for about eight decades. As the industry evolved, Equifax's responsible steward of sensitive personal information has developed complex and sophisticated security procedures designed to protect the privacy and confidentiality of that information, systems which comply with and in fact exceed the requirements of the provincial legislation.

By contrast, governments are relative newcomers to the privacy field. Consumer reporting legislation was first introduced in the 1970s, public sector privacy legislation in the 1980s, and now the private sector in the 1990s.

In the process of the development of the procedures that I've mentioned, Equifax has successfully struck the delicate balance between the privacy interests of consumers and the legitimate need to know of businesses in the credit adjudication process. The task the federal government is undertaking with this bill, and which we earnestly hope the provinces will follow in enacting harmonized legislation, is no less a search for balance.

Despite the criticisms your committee has heard from various interest groups, we believe in large measure Bill C-64, while perhaps imperfect, goes far towards achieving that balance. It's flexible, and to the extent that may be required, it's reviewable. There are no draconian provisions—such as are supported by many—that would enable the commissioner intrusively to audit an organization's information practices without some reasonable grounds for doing so. Absent are mandatory registration requirements. They may be fine for New Zealand, but they are not for Canada. It is essentially a complaint-driven process, yet in appropriate cases the commissioner has the authority and power to initiate against an offender proceedings that the consumer himself or herself might be too unsophisticated or lacking in financial means to do.

• 1550

The major problem that Equifax sees arises from the fact that it will apply to our business immediately, from day one. The simple solution that we have proposed in our brief is to include in the statute now an exemption for licensed or registered consumer reporting agencies functioning under the existing consumer reporting and constitutional consumer reporting legislation of the provinces.

I'll anticipate a question if I may: Why should one business only be singled out for such an exemption? The answer is that, as I have argued in my brief, it is totally unique. To borrow a phrase from other briefs that you will hear from, it's because the credit reporting and granting system is the engine of Canadian commerce. Anything that may compromise or impair that system would be a disservice to Canadians.

Thank you, Madam Chair.

The Chair: Thank you very much, Mr. Chercover.

Mr. Young.

Mr. Alan Young (Vice-President, Policy Division, Canadian Bankers Association): Madam Chair and members of the committee, thank you for this opportunity to present our views on Bill C-54. With me is Andrew Finlay, who is senior counsel with the Bank of Nova Scotia. We also have on the order paper and in the audience Mr. George Dessaulles, who is vice-president of corporate compliance with the Royal Bank of Canada; and David Braidwood, senior manager, smart card security and standards, with the Royal Bank. They will be assisting us with responses to questions that may fall under their areas of expertise, Madam Chair, so we may have to play a bit of revolving chairs at the front.

The banking industry has long occupied a position of leadership in protection of customer information. The CBA's 1991 model privacy code was the first industry privacy code to go beyond a statement of principles. Our current code, which was updated in 1996, was the first industry code to be independently confirmed as complying with the requirements of the Canadian Standards Association's model privacy code. The CBA code focuses on full disclosure and customer control of information. To that end, it gives customers the right to decline uses of personal information that they do not feel are desirable, either at the time of application for bank services or products or at any time thereafter. The CBA code commits the banks to obtaining customer consent before information is shared with subsidiaries.

When developing the CBA code, the banks recognized the special sensitivity of personal medical information. The code commits that this type of information will not be shared between banks and subsidiaries. The CBA code also provides for redress. It sets out how customers can obtain redress through the banks' complaint handling processes, including the banks' individual ombudsman process, with ultimate recourse to the independent Canadian banking ombudsman.

The CBA code and the individual privacy codes of our bank members are testaments to how seriously we take our responsibility to protect customer information. We were quite pleased when Minister Manley's 1998 discussion paper on privacy promised light and flexible legislation. Bill C-54 started in that direction with the use of the principles from the CSA model privacy code. The CSA code is a product of many years of collaborative work on the part of consumers, businesses—including the banks—and government. We support its inclusion in the bill, and we stand by our industry's commitment to the CSA code as reflected in the CBA's code.

The banking industry believes the government is on the right track with Bill C-54. However, we have some suggestions that we think may improve the bill, and those are covered in our written submission to you. I would like to highlight in my briefing marks just three of those for you today.

First, clause 7 sets out the only circumstances under which an organization can use or disclose personal information without the individual's consent. We believe this list of exceptions is not comprehensive enough. It does not include many situations in which disclosure without the need to obtain consent is both appropriate and currently allowed under existing law.

• 1555

For example, the common law case of Tournier allows banks to use personal information where there is a duty to protect the public interest. A significant example of this in the banking context is related to money laundering. Based on the current bill, banks would be prohibited from disclosing the suspicion of money laundering, as they would only be permitted to disclose if they met the standard of having reasonable grounds to believe that a crime has been or is about to be committed. Other examples arise in the context of elder abuse and fraud prevention, both of which we have described in detail in our submission.

This duty to protect the public interest by no means absolves a bank of a need to treat its customers' personal information responsibly. In addition, we believe clause 7 of the bill should be clarified to provide a clearer link between collection, use and disclosure. If one organization obtains consent for disclosure to another party for a certain use, it should be accepted as permission for the other party to collect information and use it for that purpose. For example, if an organization buys a list of names from another organization, the purchasing organization should be able to obtain assurances that the individual consented to be on that list for the purpose of the list being sold to companies wanting to market their products to the individual. The purchasing organization should not have to ask again for consent.

Our second overall concern with Bill C-54 was with the oversight provisions of the bill. We believe the role and powers accorded the privacy commissioner by this bill exceed what is necessary to meet the stated purposes of the act. We don't believe such powers can be described as “light and flexible”. The commissioner's investigative powers include the ability to enter premises without notice, and to examine and extract records without a warrant. The commissioner can compel witnesses to appear and to give evidence under oath without benefit of legal counsel. We suggest that these may be contrary to sections 7 and 8 of the charter.

We suggest that the roles and powers of the commissioner be reviewed. We recommend proceeding on a complaints-driven basis until the first review of the act. At that point, there will be a clearer track record with this legislation, and the need for a stronger oversight mechanism—such as audits of personal information practices—can be determined. We believe such changes would recognize the progress with sectoral codes and complaint resolution mechanisms already accomplished by the private sector in Canada. We believe the investigation and publicity of complaints, combined with the privacy commissioner's role in educating the public, will effectively highlight and discourage any unacceptable personal information handling practices by organizations.

Third, in instances where fraudulent activity is suspected, where the person is under investigation or where the law prohibits access, we believe the bill must include some limits to an individual's right of access to information held by organizations.

We believe parts 2 and 3 of this bill, dealing with electronic commerce and the use of digital signatures, will be valuable tools to assist the continued development of electronic commerce.

We have commented in some detail on these sections in our submission. Today, what we wish to do is to stress the importance of wide consultation in the development of regulations contemplated under these sections. Open and early consultation will ensure that the concerns of industry, consumers, and other stakeholders with the proposed technological standards are considered.

Obviously, we would be pleased to answer any questions that you have once the floor is open to questions.

The Chair: Thank you very much, Mr. Young.

Mr. Cook.

Mr. M. Paul Cook (Legislative Committee Chairman, Western Forum of Credit & Financial Executives Association): Thank you very much, Madam Chair. I'd like to thank the committee, and particularly the clerk of the committee, for arranging this opportunity for me to come up from Vancouver.

The group I represent is the Western Forum of Credit & Financial Executives. This organization is made up of senior credit management personnel from Alberta and British Columbia. I personally hold a professional designation of FCI from the Credit Institute of Canada, which was created by a special act of Parliament in the 1920s. It concerns the training of credit management people in the mercantile credit-granting area. The gist or the drift that I will be going at will therefore not so much be from the consumer point of view, but will be dealing with the business-to-business relationship of the statute.

• 1600

We are quite happy with moving ahead under Bill C-54, and the forum strongly agrees with the comments and direction taken in terms of e-commerce. We're also very concerned, as key stakeholders in the use of personal information, that good legislation be developed.

The comments I'm going to be making are in relation to the statute as currently written, as was introduced in October. I'm given to understand there is work underway to look at possible amendments that would help clarify some of these issues, so I hope my comments are given in that context.

Personal information has a very broad definition under Bill C-54. There are no exemptions that take into account the everyday use of personal information for real, reasonable and legitimate reasons. As an example, business credit applications will often ask for names and titles of individuals who work for a company applying for credit. This will often entail asking for the names and titles of an accounts payable supervisor, purchasing manager, order desk staff and so on, so that people may be contacted in the normal course of business. These people are often not directors, officers, or even shareholders of the company. Asking for forms of consent from employees in these examples would add a totally unnecessary and wasteful level of bureaucracy.

Another example is that the existing wording of the bill would require government bodies, private businesses, etc., to gain a separate consent form from each employee, volunteer, etc., in order to comply with the legislation so they could produce an internal phone directory.

I understand there are discussions going on versus nominal lists such as they have in Quebec. I'm not quite sure how people are going to define “nominal lists”, but possibly there is going to be some give and take here so we can come up with a solution that will help us out of this predicament we find ourselves in.

We've developed some wording under clause 7. This came as a consequence of testimony I gave before the B.C. legislative committee on privacy, and it is in terms solely of the forum's direction or interest, because I don't for a moment state that we speak for all Canadian business interests. But from our perspective, we believe that where personal information is gathered in the form of a person's name, their business title, the person's business, mailing and physical addresses, the person's telecommunications addresses, but not limited to their business telephone and e-mail addresses, and to the person's business activities, as long as those criteria are limited to business transactions, we believe there should be a specific exemption for that everyday normal feature.

Retaining of personal information is very important, and one of the concerns I have as a consumer is that in the legislation there is nothing as to retention of databases within Canada. Once you've physically removed that data offshore, you have de facto lost control of that data. So I was rather concerned when I saw that consumer credit reporting organizations would have absolutely no requirement to store that data here in Canada. It's the same thing with financial institutions and other organizations that have sensitive personal information.

In terms of number three, restrictions on use of government records, we've had some problems already in British Columbia with access, if I can use that term, in relationship to government withholding information that directly impacts on credit granters. And credit granters are not simply the big banks; it's mom-and-pop operations, it's medium-sized corporations, and of course it's large corporations.

We believe there is a real interest in public safety in keeping information limited regarding government access of areas such as motor vehicle branches, because we obviously don't want to be allowing stalkers to go out and obtain people's personal information. At the same time, we want to ensure that credit granters who obtain security have the ability to use government registries so that they can track the security for which they advance their moneys.

• 1605

In regard to the privacy commissioner's position, we believe there is far too much authority given to the privacy commissioner. The fact that a person who has a complaint registered against him is being required under oath to give testimony which could be self-incriminating, I believe, causes us to pause if for no other reason than from a Charter of Rights and Freedoms point of view.

We believe that in any effort to obtain evidence, if the privacy commissioner believes there are legitimate reasons for obtaining records, then that should go through a normal judicial process where the court, as an outside arbitrator, can decide whether there are reasonable and probable grounds for the privacy commissioner to proceed.

We're also very concerned about the liability of employees. For a person who is put in charge of “personal information” with an organization, who may very well have tried their best to ensure their organization is complying with the statute, nevertheless there are no exemptions for them from a liability standpoint, from what we can see.

I think it's very important too that the sharing of credit information amongst mercantile credit granters, as currently allowed under the Competition Act, not be impugned in any way.

Thank you very much.

The Chair: Thank you very much, Mr. Cook.

I want to thank all the witnesses for their opening statements and for the very detailed briefs they've provided us.

Before we move to questions, I'm going to move to the item that was on the agenda from earlier today, which we didn't have the opportunity to deal with before the meeting was finished this morning.

Mr. Pankiw.

Mr. Jim Pankiw: Thank you, Madam Chair.

You received notice of this motion last Wednesday, that as a result of a recent World Trade Organization interim ruling, the industry committee immediately conduct hearings concerning the effects this decision will have on the Technology Partnerships Canada program.

The Chair: Thank you, Mr. Pankiw.

Mr. Lastewka.

Mr. Walt Lastewka (St. Catharines, Lib.): Madam Chair, I personally think this is out of order at this time. There have been some leaked reports, and discussions are continuing in WTO and we don't react to that. Let's wait until the final report, and let's understand what the final report is and let's find out where TPC stands on it. I think it's totally out of order that we should suspend everything else to deal with this.

The Chair: Mr. Lastewka, I promised Mr. Pankiw that we would deal with it earlier, so I apologize. But you're correct, and I felt the same way at first. However, the motion itself is properly drafted, but I think members should be aware there is a final report coming and any discussion prior to that could be seen as a violation of WTO rules and guidelines.

So that being said—

Mr. Jim Pankiw: If I could address that, all I'm saying is that it would be prudent for us to be prepared. Indications are that the interim ruling is likely to be upheld in the final report, which is only going to be a couple of weeks away, and this would have far-reaching implications.

The Chair: Mr. Pankiw, again I would ask there not be any discussion on the ruling itself or possible implications because it's before the WTO and there is no final ruling. The reality is we should not be discussing what that possible ruling could be, because we're interfering with the process by having public discussions on it.

I've entertained the motion. Mr. Lastewka.

Mr. Walt Lastewka: In regard to the leaked report, I'm really surprised that the standpoint of the Reform Party is to try to protect TPC; they've been trying to get rid of it all the time. I find it of no value to continue the discussion.

The Chair: Okay.

Mr. Walt Lastewka: I call the question, Madam Chair.

The Chair: Call the question.

[Translation]

Ms. Francine Lalonde (Mercier, BQ): Madam Chair, I think that the motion is in order. Mr. Lastewka, everything has been done. We apologize to our guests.

Like everyone else, I was concerned when I read the WTO interim report and I would like to have more information. I would like the people from the department to tell us what they think of it. If you allow me to continue...

[English]

The Chair: Madame Lalonde, no, I won't. Madame Lalonde, I said very clearly that I will not discuss the contents of the interim ruling or any further discussion on that because we would violating public....

Mr. Lastewka has called the question. I will ask for a vote on the question.

Mr. Jim Pankiw: Can we have a recorded vote?

• 1610

The Chair: Sure.

[Translation]

Ms. Francine Lalonde: Madam Chair, I had not finished my intervention. I wanted to speak about procedure. I simply wanted to voice my agreement with this motion, while indicating that I am reserving it for later. I would like to get more information from the officials of the Department of Industry and I would like them to come and give us their assessment of the situation. Let us wait for the decision first, and then we will be able to deal with Mr. Pankiw's motion.

[English]

The Chair: Thank you, Madame Lalonde. I apologize. I thought you were going to discuss the contents of the interim ruling.

We're going to take the vote now.

(Motion negatived: nays 6, yeas 2)

The Chair: The motion is defeated. Thank you. I apologize to our witnesses, but unfortunately we ran out of time this morning to deal with that at the end of our meeting.

We're now going to move to questions on Bill C-54. We have a number of interesting suggestions before us as a committee, and I'll begin with Mr. Pankiw.

Mr. Jim Pankiw: I have no questions right now.

The Chair: No questions at this time.

[Translation]

Ms. Lalonde, do you have any further questions?

Ms. Francine Lalonde: Yes, Madam Chair. I thank you all for your interventions.

I will begin with the brief from the Certified General Accountants' Association of Canada. Are you also speaking on behalf of Quebec accountants?

[English]

Mr. John Yu: Yes, we do.

[Translation]

Ms. Francine Lalonde: Your brief corroborates some criticisms that I made as well as some criticism expressed in Quebec. One important critical point, among others, dealt directly with the business world. We are told that Quebec, which was the first to do anything about this and with whom most of you have either direct or indirect business dealings, is now being penalized. If Bill C-54 is passed, companies that have followed the Quebec law will have to obey two sets of rules, according to whether the data is transmitted outside Quebec or not. Have you studied this issue? Do you think that it presents a problem, as many have told me?

[English]

Mr. John Yu: Madam Chair, this is not an area that we have looked at closely. We will take it into advisement, and if necessary we could consult our Quebec body and respond back to the committee.

[Translation]

Ms. Francine Lalonde: All right. May I put another brief question, Madam Chair?

[English]

The Chair: Yes, certainly.

[Translation]

Ms. Francine Lalonde: On page 7 of your brief, you state that the complaint process might be very expensive and very long. You also stated, even though you did not include this in your brief, that companies could consider the sum of $20,000 as part of the cost of doing business. Did I understand you correctly? Would you give us some further explanation of this statement?

[English]

Mr. John Yu: In the Internet business, particularly the on-line business, the buying and selling of information is the blood of the business, so a penalty of $20,000 for violating the right of the individual, and the individual has to complain before they're even aware.... First they have to be aware and then they have to complain. I think the process is so long that the protection is just not effective for an individual. Then with the very minimum penalty, the violators would just look at it and say, “That's the cost of doing business, we'll take the chance.” So that's our position on the limitations of the penalty.

• 1615

[Translation]

Ms. Francine Lalonde: Thank you. Do you think that other witnesses would like to state their point of view on this matter?

[English]

The Chair: Does anyone else have anything to add to it? Mr. Gold.

Mr. Robert Gold: I tend to agree that the $20,000 fine and penalty is not significant. The issue that we bring to the table with a WebTrust certification is that if the on-line business passed the business practices, information protection, and transaction integrity audit, they're entitled to post a specific seal on the site that is supported by a digital certificate that tells the consumer right up front—on the web site, on the order page, or anywhere information is being exchanged—that this is a company they can feel comfortable doing business with. If a company does not pass that audit—and we update our work every 90 days—the seal is removed. That addresses, in fact, the situation of $20,000 not being a significant penalty.

The Chair: Mr. Chercover.

Mr. Jackson Chercover: Madam Chair, I'd like to refer to Mrs. Lalonde's reference to compliance with two systems.

[Translation]

I'm sorry, madam, but my French is not very good. I will have to continue my intervention in English.

Ms. Francine Lalonde: Please use the language of your choice.

[English]

Mr. Jackson Chercover: This is the most significant problem, from the perspective of Equifax. For Equifax, there will be no three-year hiatus because, due to the nature of its business, Bill C-54 will apply to Equifax from the gun. On day one, we will be faced with (a) compliance with provincial statutes, which are constitutional in the consumer reporting field, and (b) compliance with Bill C-54. This is an open invitation to certain elements of society—whose credit, perhaps, is not what yours and mine might be—to complain both to the commission or a registrar in one of the English-speaking provinces, and to the privacy commissioner. This is the basis for our recommendation for an exemption. Failing an exemption, we will be in a position of awaiting the passage individually by those provinces that pass what the bill calls “substantially similar legislation”, and then applying for an exemption.

Now, it's my understanding there may be a blanket exemption for Quebec as soon as the bill comes in, because of the existence of Bill 68, and because it has demonstrably functioned in the manner that you want Bill C-54 to function. But apart from that, we have nine other provinces. And we are unique in that it will apply to us immediately. There is no other industry that I'm aware of that will not benefit from the three-year hiatus.

Thank you, Madam Chair.

The Chair: Thank you very much, Mr. Chercover.

Mr. Yu, you wanted to add something else?

Mr. John Yu: Madam Chair, I just want to make a comment on Mr. Gold's comment about WebTrust. I'm actually a Canadian representative on the information technology committee of the International Federation of Accountants, and we have looked very closely at WebTrust internationally. Our conclusion is that WebTrust is the wrong model for e-commerce. If you want further information, I can provide that separately.

Also, the AICPA and SECA model is not effective to the point that they are rebuilding the model. We believe the WebTrust model is too expensive, particularly for SMEs, which are the backbone of Canadian industry and commerce. I believe the model is defective. If you look at two years of deployment, the number of WebTrust seals deployed around the world is very minimal.

Thank you.

The Chair: Thank you very much, Mr. Yu.

Mr. Robert Gold: Can I respond to that?

The Chair: Mr. Gold.

Mr. Robert Gold: There are a few points that are worth addressing. First of all, Canada, the United States, England, Scotland, Ireland, Wales, the Netherlands, Australia, and New Zealand at this time are training and licensing their chartered accounting professionals to practise in the WebTrust area.

WebTrust was first introduced to the profession in late 1977. Licensees only started appearing on the world stage in mid-1998, so I agree 100%, there are not enough seals up there yet. We are only now rolling it out in a significant way. But E*TRADE and Bell Canada both have WebTrust seals, which is a fairly high level of client base.

I also agree it may appear to be an expensive procedure, but I don't think this is the forum to discuss professional fees. The reality is that a WebTrust engagement can be performed on an economic basis, it's affordable by most e-commerce and Internet businesses, and more importantly, we put a lot of the onus of the documentation of the information protection and transaction integrity onto the client when it comes to doing a lot of the basic work. They build the audit file, and we go in and do the audit.

• 1620

If you're dealing with a reputable and intelligent client, this is not an onerous procedure. I don't know how somebody can say it's a bad model when companies disclose their business practices and we audit them, and when we check that they're delivering what they say they deliver and who they say they are. We audit the protection of personal information. That is not a bad model, that is the model.

The Chair: Thank you very much, Mr. Gold and Mr. Yu.

Why don't we talk about Bill C-54—which is in front of us—and any proposed amendments?

Madame Lalonde, do you have a final question?

[Translation]

Ms. Francine Lalonde: Yes. We should also meet Mr. Gold's competitors.

I would like to put a question to the venerable representatives from the banks. You will see that I will also be mentioning Quebec. In Quebec, with Bill 68, banks did not try to find out whether or not they were covered by the Quebec law; to the contrary, they decided they would apply it if it were adopted.

Moreover, when we had Bill 188 on the reorganization of financial services, which places much greater requirements on financial services, the CBA also agreed that companies and financial institutions operating in Quebec would adapt to the new, more stringent regulations.

Have the members of the CBA thought of the burden imposed on banks doing business in Quebec by the fact that they will have to follow two sets of laws and regulations?

[English]

Mr. Alan Young: Thank you for the question.

I would just say at the outset that, for the record, we don't have a view on WebTrust. But with respect to Madame Lalonde's very serious question, our hope has been—and the CBA has long stood for—a system of national regulation of financial services. That doesn't mean federal, it means national. It refers to cooperation between the federal government and the provincial governments in the regulation of financial services, including the very important issue of privacy protection.

Because we have a division of authority in the Constitution between various types of financial institutions, and as those institutions are engaging more and more in each other's businesses, overlaps do arise. We hope the advent of Bill C-54 and its passage will prompt a program of cooperation and harmonization that builds towards a system of national regulation, because we think that is really the answer at the end of the day in terms of making sure all consumers have at least a minimum, base level of protection for privacy and other consumer protections.

[Translation]

Ms. Francine Lalonde: Sir, if what you're hoping for did not happen soon, or even if it did happen and the Quebec rules were more stringent, would you still continue saying the same thing? I want you to be specific on this point because Bill 68 exists and if Bill C-54 is adopted as it stands—and I fervently hope that it will not be—the banks doing business in Quebec will have to make a choice. If they continue respecting the requirements of the Quebec law, they will have to follow two sets of rules, standards and laws. This is true, sir; you will have to deal with that.

• 1625

[English]

Mr. Alan Young: If I can reply to that, I would say that as far as I'm aware, all banks do have operations in Quebec as well as in other provinces. It's quite clear that banks and banking are a federal undertaking, so we must comply with the provisions of Bill C-54 as a federal business.

We do note that clause 27 of Bill C-54 gives regulation-making power to the cabinet, to the Governor in Council, to perhaps deal with issues such as the one you have raised, when there may be some confusion about which level of law would apply to an organization. I think what we'll have to do is have some practice with the practical application of Bill C-54 in order to see whether it is working effectively and whether regulations under clause 27 may be required. I think we need to see how it unfolds in practice.

The Chair: Thank you, Mr. Young, and merci, Madame Lalonde.

Mrs. Barnes, please.

Mrs. Sue Barnes (London West, Lib.): Thank you, Madam Chair.

Thank you very much for all of your input. I know it took a lot of work to come here to be present today.

I want to cover a couple of grounds. One of them is that the bill presently requires one five-year review. In view of what we think will be an explosion in the field of electronic commerce, I'd just quickly like to run down the line to see what your opinions would be on a periodic five-year review on something in this area. Maybe we can start with the Canadian Bankers Association.

Mr. Alan Young: The banks have historically been subject to regular reviews of the Bank Act legislation. Those reviews have been one of the benefits, quite frankly. It had originally been that the Bank Act would be reviewed every ten years in order to allow the government to bring things up to date as markets evolve. In 1992 the federal government made a decision to shorten that ten-year period to a five-year period just because of the rapidity of change in the marketplace. Going forward, the Bank Act and other federal financial legislation is now being reviewed every five years, so we think it's appropriate that it be done just because of the rapidity of change in the market. It's important for the government policy-makers to stay up to speed with market developments as much as possible.

Mrs. Sue Barnes: Thank you.

Mr. Jackson Chercover: I would adopt the answer of Mr. Young, and I would add that the proof of the pudding is in the eating. An excellent example of a five-year review was Quebec's Bill 68, which has now given rise to Bill 451, which will improve it. Therefore, my answer to your question, madam, is that I'd be in favour of a review every five years.

Mrs. Sue Barnes: Mr. Gold.

Mr. Robert Gold: The way e-commerce is changing the rules of technology privacy legislation, let alone privacy realities, I don't think five years is anywhere near enough. I would look more for...two is not realistic, three certainly makes sense.

As another comment, I don't want the committee to think I'm here pushing CAs and CA WebTrust.

Mrs. Sue Barnes: I think we've got that.

Mr. Robert Gold: My concern is that the criteria and the principles that we've adopted need to be considered. I don't really care who the privacy commissioner uses to do the audits. I don't care if it's someone in the room or my colleague from the CGAs. Our issue is that the criteria are up to date, modern and evolve rapidly.

Mrs. Sue Barnes: Mr. Yu.

Mr. John Yu: Madam Chair, I actually agree with Mr. Gold regarding the review period. We may disagree on WebTrust, but I'm actually personally involved in e-commerce. The pace of change there is so fast it's breathtaking. A five-year review may be too long in this regard, so I would recommend a two- or three-year review period. It's more sensible and more practical.

Mrs. Sue Barnes: Thank you.

I want to talk about the relationships—

The Chair: Mr. Cook didn't get a chance.

Mrs. Sue Barnes: Oh, I'm sorry.

Mr. Paul Cook: Thank you.

I would suggest one-, three- and five-year review periods, and not solely for the e-commerce technical speed with which technology is moving, but also to find out if there are any unforeseen or unintended impacts of the legislation. You don't want to have years and years go by during which damage occurs to firms or during which difficulties are caused. We really want to have a good piece of legislation. If there are some problems, let's fine-tune the legislation. I therefore think the standing committee should be in place at the one-, three- and five-year marks to review the legislation.

Mrs. Sue Barnes: Thank you.

In the brief of the Canadian Bankers, I think you touched on one of the areas I'm concerned about—and you mentioned this as well, Mr. Gold. Really, the bill is relatively silent with respect to children. The bankers are dealing with them with their accounts, as you put in your brief. Have either of you thought of some way we can strengthen the message that we don't want negative impacts on children through electronic commerce? If you haven't addressed this, that's fine. I'll go on to the next person.

• 1630

Mr. Alan Young: We have mentioned in our submission a concern about making sure we can rely on the consent or direction of a guardian or parent of a minor, but we haven't looked at it in the context of electronic security.

Mrs. Sue Barnes: All right. Mr. Gold, maybe you could address cookies and children.

Mr. Robert Gold: Cookies and children, as opposed to cookies and milk.

The issue I take with that is who is the business and what are their information protection regimes. The way we look at it is that you must get parental permission, and that's difficult to do when you're over the Internet. One of the best examples on the Internet right now is Disney.com. They have extensive disclosures as to privacy for children over 18, under 18, what they do with cookies, whether they take them or they don't. That's a great example.

There are issues coming in technology as we speak. The new Pentium III chip that was announced is serial numbered. It was going to come turned on when it was first announced, and all kinds of privacy organizations in the United States made very loud noises about that. Now the chip comes turned off. But if, inadvertently, you turn it on or if a vendor site somehow through its software turns it on, they can start tracking you all over. If you go to my headline piece, the last web address on there is a site that will tell you exactly what it knows about your computer, and it's pretty scary. By clicking on there it tells you what cookies you have, what you're running, even the resolution of your monitor.

This is a very tricky area, and I'm very concerned about the protection of children.

Mrs. Sue Barnes: Back to the Canadian Bankers Association, in your brief you mention the subcontracting agencies the bankers utilize currently and in conjunction with each other. Do you feel the bill strongly delineates for you what the responsibilities of your subcontractors are vis-à-vis the restrictions in the bill or just in your relationship itself? You've touched on it, but you didn't expand very much.

Mr. Alan Young: We'll ask Mr. Dessaulles from the Royal Bank to respond.

Mr. Georges Dessaulles (Vice-President, Corporate Compliance, Royal Bank of Canada; Canadian Bankers Association): The CSA code sets out the agency relationships. What we at the Royal Bank do in our code is when we're dealing with a subcontractor, we will do a certain amount of due diligence to ensure that the practices they're following are at a minimum consistent with what we have in our code. That is basically what we're actually doing, which I think is consistent with what is in the CSA code.

Mrs. Sue Barnes: Madam Chair, how much more time do I have, if any?

The Chair: This will be your last question, Mrs. Barnes.

Mrs. Sue Barnes: I'll just make a comment, then. I think most of us around the table agree we don't want a penalty clause, that it's just the cost of doing business. The other thing is that there is going to have to be a balance between commerce and privacy, and neither at the expense of the other. We have to go forward in this world and recognize that Canadians do care significantly about their privacy and, I would say, even more so about health privacy, including personnel records that could contain that information. I would like to see that even more significantly addressed than we are doing now. But I think clamours for getting out of this legislation are difficult.

Thank you.

The Chair: Thank you very much, Mrs. Barnes.

Mr. Shepherd.

Mr. Alex Shepherd (Durham, Lib.): Mr. Young, in your opening remarks you said that you believe there should be limits placed on the access to private information being held by presumably financial institutions. Why?

• 1635

Mr. Alan Young: For example, if there is somebody who we suspect is engaging in fraudulent activity and an investigation is underway, if that person asks for all their information or their file, there may be something on that file that would indicate that they are under investigation. That would obviously tip them off. That's one example. It's to deal with fraudulent behaviour, which is a significant problem for the financial sector as a whole.

Mr. Alex Shepherd: In other words, if you proposed an amendment, it would deduce criminal activity. Your ability to deny access would be based on pure suspicion of criminal activities, is that what you're saying?

Mr. Alan Young: One of my colleagues has something to add here.

Mr. Andrew Finlay (Senior Counsel, Employment Law Group, Bank of Nova Scotia; Canadian Bankers Association): The issue is not just criminal activity, but I realize there seems to have been some confusion in the discussion around this bill. Clearly, if we are involved in a criminal investigation, the police are involved. There are certain aspects of that situation addressed in the bill. But it could also be an internal investigation into what might be described as irregular practices that are not necessarily criminal frauds. It could be an employee, for instance, who is leaking personal information. That is not a criminal act.

Mr. Alex Shepherd: So you mean within a corporation. It has nothing to do with outside criminal investigation.

Mr. Andrew Finlay: That's right. It would be a customer or an employee involved in improper acts, improper use of accounts. It could be something like kiting, which may or may not be a criminal act because of the tests of intent. I'm not sure if people understand what kiting is, but it's what most university students do to get through university—except for me; I'd like to make that point. Kiting can be a form of fraud. It's a form of using your accounts and instruments improperly, so we might be investigating that involving a customer. Or we might be investigating an employee who is releasing information or who is....

Mr. Alex Shepherd: What is the problem with the individual having access? It didn't stop your investigation. He was just getting a copy of the information that you currently have on him or her.

Mr. Andrew Finlay: In the middle of an investigation?

Mr. Alex Shepherd: Yes. What's the problem?

Mr. Andrew Finlay: As Alan said, in the middle of an investigation, it would tip off the person who's being investigated, allowing them to take action to frustrate the investigation.

Mr. Alex Shepherd: Okay, so where do you put the limits on that? If you are just using this power to coerce me from getting my own information that you have, how do we draw those lines?

Mr. Andrew Finlay: Once an investigation is complete and decisions are made on the basis of that investigation, at that point it would obviously make sense that the person would have access to the information.

Mr. Alex Shepherd: Okay, I don't really understand it, but anyway....

To Mr. Cook, in your submission, you were talking about this incident in British Columbia. What are you alleging? Are you saying the government is intentionally using the privacy laws to thwart creditors from realizing on their security?

Mr. Paul Cook: I'll tell you about the activities that have occurred. The Government of B.C. passed a piece of legislation under the Social Services Tax Act that is a nice euphemism for provincial sales tax. Under the provisions of that legislation they are able to create what they call a superpriority lien for retroactive back taxes on PST. They are then able to go in and seize the inventory that's under the security of a supplier.

For example, I'm supplying you with product and I know there are some problems, but nothing is in the credit bureau or Equifax or Dun & Bradstreet. No one provided notice that you are in tax arrears. I say, I'm going to take due diligence here and I'm going to file a PMSI, a purchase money security interest; I'm going to give you that $50,000 or $100,000 worth of product. The very next day, the B.C. government can walk in, seize my security, seize my inventory and sell it off to liquidate to provincial sales tax, at the same time as the B.C. government, under the guise of privacy, is withholding the very fact that this company is in arrears on its provincial sales tax.

• 1640

That creates a lose-lose situation for investors who want to invest into the province or into the country, and a lose-lose situation for the creditors, because on the one hand you're saying, okay, I'm doing due diligence; I'm doing my corporate search; I'm doing my personal property registry search; I'm doing all the things I'm supposed to be doing to find out what the risk is, because I'm managing risk when I'm extending credit or when that investor is wanting to invest money into this country. And then, after they've made the leap of faith, to have a government body come and say, “Sorry, we didn't bother telling you that this guy is behind $100,000 in tax arrears and we can retroactively go in and seize this material”—that is exactly what is occurring now in British Columbia.

That's one of the concerns we have vis-à-vis privacy and government overregulating the release of information.

Another example we used was that we had a dispute with the B.C. government in terms of the land registry. The land registry will record liens. Liens are court actions whereby a judge has made a decision to file an encumbrance on a property. What occurred is that some of the managers within the department originally stated, no, they were not going to release this information because it was subject to privacy laws. And we had one heck of a fight trying to get that changed.

So, no, you can't censor information that is part of public record, that's part of a court action. And these are actual circumstances we've run into.

Thankfully, saner minds prevailed and we got that decision reversed. But what immediately followed it is that the government more than tripled the fees for pulling down lien information, which in the construction industry virtually forced a company that was putting out...as a weekly tabloid for the construction industry who has had liens filed, to be virtually knocked out of the business.

So the intent of our paper is to say we fully concur that sensitive consumer information should be protected, but there is a point where we have to be very careful in the wording of the legislation so that we don't have some unintended things occur.

The Chair: Thank you.

[Translation]

Ms. Lalonde, please.

Ms. Francine Lalonde: Thank you. Madam Chair, I would like to come back to the CGA-Canada brief, because its first part is very interesting and specific. It says:

Rather than being general in scope and ensuring the protection of Canadian citizens, Bill C-54 unfortunately focusses on commercial aspects. In our view, Canada needs a law that is general in scope and that does not merely regulate commercial activity, but also ensures the protection of personal data in every sector of the Canadian economy...

Can you explain this statement?

[English]

Mr. John Yu: Madam Chair, I concur with Madame Lalonde wholeheartedly. That's exactly the point. We find the bill to be ineffective because the bill narrowly focuses on commercial activities only and yet there are many issues regarding individual privacy, particularly with respect to government acts, for which we need to protect the individual.

However, we do understand why the Minister of Industry needs to put this bill out, because of commitments to OECD and to promote trade. So there's the balancing act of supporting the bill, which we do support, and wanting more privacy protection for Canadians in general.

Thank you, Madam Chair.

The Chair: Thank you very much.

Madame Lalonde, I wasn't sure if you were waiting for others to answer.

• 1645

[Translation]

Ms. Francine Lalonde: No, I was taking my time before reacting.

Mr. Chercover, you don't seem to be too unhappy with Bill 68.

[English]

Mr. Jackson Chercover: We complained bitterly when the original discussion draft came out—

[Translation]

Ms. Francine Lalonde: I know that.

[English]

Mr. Jackson Chercover: —and happily, saner minds prevailed and we have lived with Bill 68. It is far from perfect, but again, not unlike this proposed legislation, it's not draconian. The second reason is because we believe that with certain exceptions the commission has taken a very rational and practical approach in interpreting the legislation. The one message we would like to deliver to the Quebec government, and this may not be the forum in which to do it—

Some hon. members: Oh, oh!

Mr. Jackson Chercover: The perfect place, perhaps.

The bill conferred upon the government the right to pass regulations that deal with the purge of information. Every other province that regulates consumer reporting—for example, for bankruptcies it's six years in B.C. and seven years in Ontario.... Equifax applies the most stringent standards and deletes bankruptcy information six years later across the country. But the Quebec government has not acted upon that right and the commission has arrogated to itself the right to determine how long information could be retained. As a result, you have inconsistent decisions, so all we say—thank you, Madam Chairman—is, Quebec, do your job and pass regulations.

[Translation]

Ms. Francine Lalonde: So I will be able to pass the message on.

[English]

Mr. Jackson Chercover: Thank you.

[Translation]

Ms. Francine Lalonde: I do find Mr. Chercover's judgment interesting, because Equifax is a company that had problems in Quebec for some time. There were bad files. Finally, I know that there were discussions, you made changes and... Recently, I have not heard any complaints about you.

I'm insisting on this point because here the Quebec law has sometimes been described as too stringent. Now I have constantly tried to emphasize the following point. Large companies in Quebec easily adapted to Bill 68. Large companies can do it, like banks, which followed Bill 68. You're telling me that they are going to change, but they did follow the law.

For SMEs, it is always longer and more complicated. This applies to all laws, for instance what was done in health and safety in the workplace; big companies fall into line more quickly and small ones take a longer time to do it.

So, when a citizen makes a complaint and the Commissioner has the power to make a decision in his favour, it helps to have justice done in the citizen's favour. Otherwise, the law only serves consumers in a very general way. Anyone facing a real problem wants to see an end to it.

As for you, the CGAs, you said that you found the complaint procedure very long and very costly for individuals. A company has money, but an individual... So, insofar as this bill must also protect personal data, my plea on which I would like to have your opinion, is that the Commissioner should have real power to hand down decisions.

[English]

The Chair: Mr. Yu.

Mr. John Yu: Madam Chair, what else can I say? I agree completely.

• 1650

Mr. Jackson Chercover: I thought it was a question directed to me, to start with.

Voices: Oh, oh!

Mr. Jackson Chercover: With the greatest of respect, I do not agree, and I will tell you why if the chair will permit me to do so.

The Chair: Certainly, Mr. Chercover.

Mr. Jackson Chercover: As I understand it, the bill is drafted in the manner in which it is drafted in order to permit the discretion of the privacy commissioner when a complaint comes in from a Quebec resident. He will be able to say to the person lodging the complaint that it is not a complaint against a federally regulated corporation, the bank, it is a complaint against Equifax. He can then tell the complainant to please go to the Commission de l'accès à l'information, because that is the provincial body that is empowered to deal with it under Quebec legislation. Is that a perfect situation? Certainly it's not.

You are defining, Madame Lalonde, the greatest problem in Canadian history. Our system of multiple levels of government and of multiple, inconsistent pieces of provincial legislation is one of the biggest costs that industry and business must face in Canada today. It was fine in the horse-and-buggy days of 1867. It is inappropriate in the e-commerce days of 2000. We cannot get the provinces to agree on anything. When the premiers meet, they can't even agree on a definition of what the environment is.

[Translation]

Ms. Francine Lalonde: Madam Chair...

[English]

The Chair: Please, but this is your dernière question.

Ms. Francine Lalonde: If I can say it in English, it will be a commendable first. You know, we have tried a lot to help you.

Voices: Oh, oh!

Mr. Jackson Chercover: Some people might well say that with that kind of help and those kinds of friends, who needs enemies?

Voices: Oh, oh!

The Chair: Thank you very much.

[Translation]

Ms. Francine Lalonde: Now for my question.

[English]

The Chair: No, we'll come back to you.

[Translation]

Ms. Jennings, please.

Ms. Marlene Jennings (Notre-Dame-de-Grâce—Lachine, Lib.): Thank you very much, Mr. Chercover. You explained, sometimes better than we, the elected politicians, were able to explain the real situation that has been our daily lot for many years. But I will leave things where they are.

Mr. Jackson Chercover: But we must understand that it is... [Editor's note: Inaudible]

Ms. Marlene Jennings: Yes, yes. First I would like to apologize to you for having missed a large part of your presentations; I had another rather urgent commitment. I will not be putting questions to the interveners whose presentations I missed.

Nonetheless, during the session I had a chance to skim through your written brief and I also heard Mr. Young state that the Commissioner had too much power. So I have a question for you on this point. But first I would like to deal with your question about the exemption of your industry.

If I am not wrong, paragraph 27(2)(d) already provides the possibility of exempting an organisation or activity that is governed by provincial law which is either similar or better. Hence, I must presume that Equifax could very well have been exempted. So why are you insisting so much that your industry be exempted under this law?

Secondly, despite this, when you saw that your recommendation for an exemption made to the officials of Industry Canada before the bill was drafted had not been accepted, did you then contact the officials to ask them for an explanation? That is my first question.

My second question is addressed to the Canadian Bankers Association and to the Western Forum of Credit and it deals precisely with their opinion whereby the bill as it stands gives too much power to the Commissioner. You know that there are several quasi-judicial organisations with the very same powers that are in this bill. Let's just take, for instance, commissions of inquiry, police commissions that have existed in Canada for the past 30 years and committees for investigating complaints in various sectors that have this very power.

• 1655

So I am asking you why you want to exempt personal data from the type of protection that an organisation such as the Privacy Commissioner's Office could provide if the Commissioner had powers to search, to subpoena sworn witnesses, etc. Why?

[English]

The Chair: Madame Jennings, you had two questions.

[Translation]

Ms. Marlene Jennings: Those are my two questions.

[English]

The Chair: The first question, I believe, was to Mr. Chercover.

[Translation]

Ms. Marlene Jennings: Yes.

[English]

The Chair: Mr. Chercover.

Mr. Jackson Chercover: The first question, as I understood it, was about why I didn't ask the officials who were involved in drafting the legislation—

Ms. Marlene Jennings: I understood that you had already asked the officials prior to this draft legislation. When you saw the draft legislation and realized that they had not acted on your recommendation, did you go back to them to ask them why?

Mr. Jackson Chercover: We discussed it.

I don't want my comments to be considered critical of them. If you stop to think of the number of stakeholders in this process, with one side saying the privacy commissioner should have more power and the other side saying he has too much power—which is why I referred to this process as one of balance—it strikes me that their response was that they've done the best they can in juggling all these different things, but for heaven's sake don't hesitate to come and speak to the industry committee. So I'm here repeating my request.

But your second point—and then I'm finished—is that if consumer reporting is, as we all know, governed by existing constitutional provincial legislation, why am I asking for an exemption now, when the Governor in Council has the power to exempt? His power to exempt, if you read the wording of the section, is to exempt for a province that has legislation that is “substantially similar”. Bill C-54 is specifically dedicated towards privacy, whereas consumer reporting legislation is specifically dedicated to consumer protection. There are no references to the word “privacy” or “confidentiality”, even though we know that's what they're all about. If you could give me some assurance that the Governor in Council, in his wisdom, would agree with you and me that consumer protection legislation is privacy legislation, I would withdraw my request.

Ms. Marlene Jennings: Thank you.

The Chair: Did you want to address the second question, Mr. Young or Mr. Finlay?

Mr. Andrew Finlay: As I understand the question, it's about why we're hearing conflicting views on the amount of power the commissioner and the commissioner's investigators have.

Ms. Marlene Jennings: No, I did not hear conflicting views. I heard one view expressed by Mr. Young and then by Mr. Cook, and it was the same view: that the legislation, as now drafted, gives the commissioner too much power. Under the legislation, he has the right to summon and enforce the appearance of persons during the investigation, and to compel them to give oral or written evidence. That's too much power.

The point I made is that in Canada we have administrative bodies that have quasi-judicial powers, and we have had that since the institution of our Confederation and the adoption of the British legal system. There are many sectors of activities in Canada that have been under governance organizations that have those powers, and I gave the example of police commissions, which have had that. Police have been subject to the exact same kind of thing. So I ask why you would want to exempt organizations that deal in the collection storage and diffusion or transmission of personal information from those kinds of investigative powers.

• 1700

Mr. Andrew Finlay: Another organization that has somewhat similar powers is the Canadian Human Rights Commission, which deals with rights. I think some people do see what's being created here in the context of privacy as rights. But if you look carefully at the powers of an investigator under the Canadian Human Rights Act, it doesn't come close to the powers of an investigator under this legislation. This legislation allows the commissioner, in the conduct of an investigation, to summon and enforce the appearance of people, to administer oaths, and to receive and accept evidence. One of my favourites is conversing in private with any person in any premises entered. We're not sure whether this person has the right to counsel or some advice in counsel.

If you turn to the Canadian human rights legislation, this is about rights. The Canadian Human Rights Act has actually been administered very well over a number of years. There isn't a great deal of criticism about the powers of the investigators or concerns on any side, and they don't have any of those powers. If they want to go in to speak with people or go in to look at documents, they have to get a warrant, and the warrant has to be based on reasonable grounds. It's almost a twist to say that this is rights legislation, therefore we can violate basic procedural rights and procedural fairness.

So if you want to look at other organizations, I don't know that I would look at the police, because the police and rights...the criminal process is one thing, but if you want to look at a model—

Ms. Marlene Jennings: I'm talking about under administrative law.

Mr. Andrew Finlay: Administrative law? I think the Canadian Human Rights Commission is an excellent model to look at it, and it's very fair.

Ms. Marlene Jennings: And there are many other models that exist in Canada and have existed in Canada that have exactly the same powers as those described in this legislation.

When I talked about the police, I didn't mean about the police power to enter into premises. I was talking about commissions that have the authority to investigate public complaints against the police. Those types of organizations have existed in Canada since the 1960s and have precisely these kinds of powers. The point I was making was that under administrative law, we have many different types of administrative organizations and tribunals that have quasi-judicial powers that are exactly the types of powers as this legislation would give to the commissioner, and you have many different sectors in Canada that are governed by those laws.

The Chair: Thank you, Ms. Jennings. How about a reply from Mr. Finlay and Mr. Cook?

Mr. Andrew Finlay: I would like to make note that under the Income Tax Act there's a great deal of power vested in Revenue Canada to do that very thing. Whether you agree—and the courts certainly don't, because there's a divergence of opinion—that their powers are constitutional or consistent with the charter is one thing, but what's interesting is the huge amount of jurisprudence and litigation around that piece of legislation, and the virtual non-existence of litigation around the Canadian Human Rights Act. You have to ask yourself whether we are trying to design legislation that's going to encourage litigation, or whether we are trying encourage legislation that's going to encourage compliance with the legislation. I think somebody has chosen to go the wrong way. That's basically what the banking industry is saying.

Ms. Marlene Jennings: Thank you.

The Chair: Mr. Cook.

Mr. Paul Cook: Thank you.

I concur with the CBA's point of view on this issue. I think I have a unique perspective, because for 25 years I served either as a full-time or part-time police officer in the province of British Columbia. Under this statute, we're giving powers that we don't give the police when there's a murder involved. When we go to the collection of evidence, the investigative process is definitely separate from the judicial process that decides on the matter. I don't think it is reasonable—

Ms. Marlene Jennings: I'm going to interrupt you. Go and look at the powers of the B.C. police commissioner. I know that legislation, and that individual has these powers.

• 1705

Mr. Paul Cook: I understand that, but what we're talking about here is government—and I will read right from the copy of the statute. One of the powers stated reads:

at reasonable time, enter any premises, other than a dwelling-house, occupied by an organization, on satisfying any security requirements of the organization relating to the premises

I think it's improper that we use administrative actions under different statutes to throw out our charter rights and freedoms, one of the basic ones being that people, whether they be individuals or in companies, have the right to not be intruded upon by government.

I think it is very dangerous in today's world that we have a situation in which the investigating body also is given inordinate levels of power. In this day and age, I don't think it's a justification to say that because one body does something, it's okay that we trample on rights and freedoms.

Again, they're asking the person under oath. That person will give, under oath, evidence that could be self-incriminatory. At a minimum, in the case of an employee whose family is totally dependent upon the salary that employee gets from his or her employer, I think this kind of course of authority or use of authority is incorrect.

The Chair: Thank you, Mr. Cook.

I have to move on, Madam Jennings.

Ms. Marlene Jennings: Very quickly, under the rules of evidence, if someone has been compelled to testify either before a police commissioner or, in this case, before the privacy commissioner, the evidence cannot be used in any other proceeding if that person has self-incriminated. So on your concern about rights being trampled, I think the point I was making is that we already have systems like the one here, and the Charter of Rights. They have been found not to trample on the Charter of Rights, because we have other protections like the law of evidence, just as an example.

The Chair: Thank you very much, Ms. Jennings.

Ms. Marlene Jennings: Thank you.

The Chair: Mr. Lastewka.

Mr. Walt Lastewka: Thank you, Madam Chair.

I'm conscious of the time element here, but I was very interested in what Ms. Jennings was covering. It was one of my questions also.

The Chair: That's good, because you'll have lots of time.

Mr. Walt Lastewka: I'd be glad to give her my time, but I want to back it up a bit.

The comment by the CBA was that the bill was supposed to be light, but the framework is now more severe and so forth. I think what's been missing is that the wish was to have the complainant and the company resolve the issue and not get government involved. I could give other examples for the CBA if you need them. We would have preferred that the bank and the business resolve their problem rather than getting bank ombudsmen involved and all that. I think the record has proven that the ombudsmen procedure has been good for everyone, though. I think the CBA will prefer that.

Doesn't it get down to the fact that the complainant and the company need to resolve their differences and not get a third party involved? Isn't that light framework?

The Chair: Who's that question to? Everyone?

Mr. Young.

Mr. Alan Young: I think subclause 13(2) of the bill does anticipate, for example, that a complainant would try to exhaust the grievance review procedures that exist prior to going to the commissioner. As you have identified, Mr. Lastewka, we suspect that if they had a concern about their privacy, we would obviously want our customers to first raise the concern with the individual bank and have the individual bank ombudsman deal with that concern. If that concern is not dealt with to the customer's satisfaction, it would then be elevated to the Canadian banking ombudsman's office.

So yes, I think the bill does recognize that customers would first go through the ombudsman process, at least in our instance, in which we do have a very effective self-regulatory process to deal with concerns.

• 1710

Mr. Walt Lastewka: I think that's the intent of the bill. When the commissioner was here, he made it perfectly clear that education and knowledge is needed first on the part of the Canadian people, and that the problem should be resolved at the first level.

Let me ask you a question on privacy. What do you consider the biggest threat to privacy in the banking industry to be now?

Mr. Alan Young: I can't think of any specific instance that is a concern about privacy. We do have procedures built in for us to deal with fraudulent activity. Defrauding on credit cards and debit cards, for example, is a serious business. We want to make sure we have procedures in place to allow us to deal with people who are perpetrating fraud. So from our perspective in terms of the banking industry, I think that would probably be the most important.

Mr. Walt Lastewka: You might want to take on my next question, but I'll lead it to Equifax first.

You've gone to great lengths to explain why you should be exempt from certain provisions. The thing that comes to mind for me is marketing firms that buy and sell lists interprovincially. Should they be exempt? Should credit card issuers who sell customers' purchasing information be exempt? Where does it start and stop on being exempt?

Mr. Jackson Chercover: That's a valid question. Equifax does not buy and sell lists. I would very strongly recommend that you direct that question to the representative of the Canadian Marketing Association. I'm not personally familiar with the interprovincial sale of lists, but it would strike me that an exemption granted in that situation would be inappropriate.

Mr. Walt Lastewka: Don't you make up various credit reporting lists and information lists on millions of people and then provide them to members?

Mr. Jackson Chercover: Yes, so long as they have permissible purposes under provincial legislation, that's exactly what we do. But they're not lists, they're individual credit reports. Are you talking about list editing?

Mr. Walt Lastewka: No. You're providing some service to various people, right?

Mr. Jackson Chercover: Yes.

Mr. Walt Lastewka: You're providing that information to them that you've collected on people.

Mr. Jackson Chercover: Yes.

Mr. Walt Lastewka: Can I get what you collected on me?

Mr. Jackson Chercover: Are you a member of Equifax? If not, I'll send you an application.

Mr. Walt Lastewka: No, I'm a private member, and I want to know what you collected.

Mr. Jackson Chercover: Oh, you want to know what I've collected about you. Yes, absolutely.

[Translation]

Ms. Francine Lalonde: The Quebec law

[English]

gives you that right.

Mr. Jackson Chercover: The right exists in every provincial statute that I'm familiar with. Not only are you entitled to know what's there, you are entitled to know what's there at no cost to you, and you are entitled to object to the accuracy of any item of information. We are then statute-bound to verify that information from the credit granter who furnished it. In the event that it cannot be verified, it may be deleted. In the event that it's proven to be inaccurate, it must be amended. Having amended it, we must then send the amended report to everyone to whom we have sent the erroneous report in the previous six months.

Mr. Walt Lastewka: So the only thing that's missing is—

[Translation]

Ms. Francine Lalonde: We will have to check into the federal law regarding this.

[English]

Mr. Walt Lastewka: —the fact that you haven't asked me.

Mr. Jackson Chercover: I haven't asked you for what?

Mr. Walt Lastewka: Whether or not you could collect that—

Mr. Jackson Chercover: I have no contractual nexus with you, sir, but when you went to the bank and asked the bank for a loan, they asked you to sign a document. The document said that you consented to the extraction of a consumer report so that they could decide whether or not they really wanted to lend you money, and that you consented to the exchange of that information with credit bureaus so that other persons to whom you apply for credit could determine whether or not you're creditworthy.

If you read my document, it does explain that there is no contractual nexus between Equifax and the consumer. We have to rely on the consent you gave to your financial institution, Visa, or whomever.

• 1715

Mr. Walt Lastewka: This is where the education needs to be on this bill, so when I go to the bank I'll be able to check off on the form that I don't want that to go any further.

Mr. Jackson Chercover: Absolutely. This is an interesting perspective. If you check off and say “I do not wish you to exchange information on my credit with the consumer reporting agencies”, the bank must have the right to say to you, “Fine, but please go somewhere else for your loan”.

Mr. Walt Lastewka: Is that the attitude of the bank?

Mrs. Sue Barnes: Yes.

Mr. Alan Young: Certainly banks are in a situation where they have to protect the deposits of the depositors, and so on. It would be inappropriate in most respects to make a loan without having done a credit check.

The Chair: Thank you, Mr. Lastewka.

[Translation]

Ms. Lalonde, have you any further questions?

Ms. Francine Lalonde: I will continue. We see how important it is to have a provision that allows one to view one's file and to correct it if need be. Well, there is no such provision in Bill C- 54. None at all.

Mr. Jackson Chercover: Excuse me, but it is in there. If you read the schedule, you will find it.

Ms. Francine Lalonde: Yes, but it is not included for the CSA code.

[English]

Mr. Jackson Chercover: Yes, it does.

[Translation]

Ms. Francine Lalonde: You do not have the power to withdraw or change...

[English]

Mr. Jackson Chercover: I'll find it.

Ms. Francine Lalonde: Okay, find it.

[Translation]

I know that I am dealing with people for whom a weaker law than the Quebec law could be an advantage, but I am not really sure that that will be the case because Bill C-54 has an important flaw, namely the confusion with the CSA code which was never meant to be a law and which involves a number of obligations and also recommendations—all those conditional statements are not obligations—and section 7 which makes a number of specifications for interpreting the CSA code. A large company that has an office to deal with this could come up with a definition of a company strategy, whether it be easily or with difficulty. However, for small and medium-sized enterprises, it is extremely difficult to figure out where the obligations lie. Without knowing what the obligations are, it is rather difficult to respect them. At least, if you know what the obligations are, you know what you are doing or not doing; at least you know.

It gets even more complicated for citizens because even if the law is clear, they cannot know what their rights are. You agree with me, don't you?

[English]

The Chair: Madame Lalonde, the question was on item 4.9 in the schedule.

[Translation]

Ms. Francine Lalonde: Yes, but the demonstration is nonetheless important. If citizens cannot find out what their rights are, they cannot have those rights respected. So, it is essential for this kind of law to clearly define obligations and rights, and I say that Bill C-54 is flawed because it is unclear.

[English]

The Chair: Mr. Chercover.

Mr. Jackson Chercover: I don't believe that was a question; it was a statement. But if I may respectfully respond to it, I'm sympathetic to the argument you make, but it applies to each and every law of each and every country, state, province and municipality. There are people who don't understand them; perhaps that's why we lawyers make a living.

• 1720

First of all, to respond to your original point where you say Bill 68 and the Ontario Consumer Reporting Act have teeth because they require that people have access, and where there's an error it be amended, that is included in the schedule. Principle 9 says:

Upon request an individual shall be informed

—that's law—

of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amend as appropriate.

So the first portion—

[Translation]

Ms. Francine Lalonde: Continue, because this is not really precise: “will have the opportunity to contest”. That means that the company...

[English]

Ms. Marlene Jennings: Item 4.9.5 addresses that precisely.

Mr. Jackson Chercover: I believe it does. But in any event, let's not lose track of what's really important here. What's really important is the balance between the kind of precision and public understanding you would promote and I would support, and the kind of practical element we're dealing with, where we want to give Canadians what they are entitled to and what they deserve. You're saying the CSA code doesn't do it. You may be right, but look at it from the point of view of Industry Canada and Justice Canada. They made a commitment to come up with something by 2000.

The CSA code, not unlike Bill 68, has been very widely examined in Europe and Australia and given an A-plus rating almost all around. I think this is an extremely innovative approach, Madame Lalonde, to actually import into legislation something that, for example, satisfies the requirements of the European directive. We have to do it. We have to keep business rolling and still offer protections. Is it perfect? No.

The Chair: Thank you, Mr. Chercover.

[Translation]

Ms. Francine Lalonde: [Editor's note: Inaudible]... you will end up getting your exemption, I am sure of it.

[English]

The Chair: Madame Lalonde, Mr. Young also wishes to reply. Mr. Young.

Mr. Alan Young: Thank you.

I would just like to address another part of Madame Lalonde's question on educating consumers. We agree that's a very important element of raising awareness of one's privacy and the rights people have.

There are two comments I'd like to make. First of all, Bill C-54 does build that in. Education is a very important role for the federal commissioner to play, and we applaud that. We think educating consumers is very important.

The second point is the CBA itself, in a booklet called Safeguarding Your Interests, which I believe has been provided to all members—if you don't have one, I'd be happy to make it available to you—addresses the issue of privacy and gives people information about bank practices. So we too, on a voluntary basis, have assumed a role of responsibility to help educate consumers, and 85,000 copies of this document have been requested by Canadians and thousands more have been downloaded from the CBA's web site.

So education is important. We're doing our role and we think the privacy commissioner also has a role to play.

The Chair: Thank you very much, Mr. Young. We'd be happy to receive copies of that booklet. We don't have it.

Mr. Murray.

Mr. Ian Murray (Lanark—Carleton, Lib.): Thank you, Madam Chair.

We haven't heard about WebTrust for awhile. I'd like to hear from whoever would like to respond to this. Perhaps Mr. Gold would have some thoughts. I don't need to refer to WebTrust, but it could be anything that fulfils the same goals as WebTrust.

It occurred to me that perhaps market forces are going to prove to be more powerful than the legislation in terms of governing how business is done on the net. We're talking about reviewing this act every one, three or five years and the speed of change in industry, but it strikes me that something like WebTrust may be more powerful in terms of protecting people's interests than legislation, and something people would be more aware of than the legislation and what's involved in the legislation.

• 1725

I'd just like your thoughts on whether at some point in the future it'll be essentially a commercially available product that will protect us, with that overlay of legislation behind it.

The Chair: Mr. Gold.

Mr. Robert Gold: I think you're absolutely right. What we're seeing in the United States, and we particularly saw it over this past holiday shopping season, is a multiplier effect of people shopping on-line. Two things are happening. There's a grassroots momentum, where people are just getting more comfortable with it, and we have an Internet generation of people under 25 who don't necessarily have this fear of using their credit cards on the Internet and exchanging that type of information. We have those 25 and older who hold back and say “Well, wait a minute, my credit card has been counterfeited before; where is that information going?” So you have a split in generations between those raised on computers and those raised on television, as a lot of us were.

In Canada, though, you're not seeing those huge numbers of e-commerce transactions. In this week's Report on Business Magazine it says: “Recent surveys indicate that privacy is becoming the No. 1 concern among netizens, ahead of even censorship”.

Until consumers on the Internet and users of the Internet in Canada see there's some level of privacy disclosures or some level of assurance, I don't think they will go there in big numbers.

In the U.S., even with the hundreds of millions of dollars being spent in the month of December on-line, it's less than 1% of the total retail market, which is trillions of dollars.

Do we think e-commerce means anything? Sure, it means hundreds of millions of dollars. At this time, in the grand scheme of things it doesn't really mean all that much. I define e-commerce as the exchange of any information, not just financial transactions. If you give your name, phone number and mailing address, that's an e-commerce exchange.

I believe the grassroots movement, as the Internet generation gets older, will overcome the hesitancy. But in Canada we're trying to leapfrog over the rest of the world in an e-commerce environment. This is what the Prime Minister has set out to do; it's what the pending legislation seems to want to do. Let's get ahead. We're a very wired environment right now. We have more satellites, cellular and cable connections per capita than any other country in the world. I think we're attempting to go to the next step.

Consumers need to see something on-screen, be it WebTrust or something else, that implies to them their privacy is being protected and they needn't fear using the Internet for information exchange. Then we will see the numbers we need to really leapfrog and move Canada forward. But I don't think legislation buried in the backwoods of government, where the public does not know what's going on, is the answer. The answer is something they can see on-screen.

The Chair: Thank you.

Mr. Ian Murray: The market will take care of itself that way, eventually.

Mr. Robert Gold: I agree.

The Chair: Mr. Yu.

Mr. John Yu: In the U.S. particularly, you see a lot of seals issued by the Better Business Bureau, called “BBB On-line”. There are thousands of seals like that on web sites, so the market is actually speaking.

I don't think the e-commerce issue in Canada has anything to do with trust by consumers. I think the problem we have—and I'm going to speak out of order for a minute here—is that our taxation system is out of order.

Mr. Jackson Chercover: Hear, hear!

Mr. John Yu: Absolutely.

The Chair: Thank you, Mr. Murray.

This has been a very interesting meeting this afternoon. Just before we all go.... Mr. Lastewka.

Mr. Walt Lastewka: I would like to table about 29 amendments to the legislation for distribution by the clerk in both official languages—part of our continuous improvement.

The Chair: Thank you.

Mrs. Sue Barnes: But not limited to—

The Chair: It's the beginning of amendments.

[Translation]

Ms. Francine Lalonde: A quote from the Act.

[English]

The Chair: The clerk will distribute them tomorrow when she has the opportunity to make copies. Then they'll be available for people to review.

I'll just remind other members that if they have amendments, the earlier they're in the quicker we can all see them, review them, discuss them, and see what other changes we might want to make.

I want to thank our witnesses again.

I just want to clarify something for the record. Mr. Chercover said if you wanted to change something on his record you could do so. Is that the same for the banks, Mr. Young? If I want to change something on my record with the bank, can I correct it or have something removed?

Mr. Alan Young: Yes, you can seek to have your records looked at.

The Chair: Thank you. A committee member raised that question earlier today.

• 1730

[Translation]

Ms. Francine Lalonde: This is not in Bill C-54. With Equifax, that can be changed.

[English]

The Chair: No, it was a question that came up earlier today by Mr. Pankiw. He'll be here this afternoon, so I just wanted to clarify that with the banks; the banks weren't here earlier today.

Again, thank you very much to all of you for taking time out of your busy schedules. The meeting is now adjourned.