STANDING COMMITTEE ON INDUSTRY
COMITÉ PERMANENT DE L'INDUSTRIE
EVIDENCE
[Recorded by Electronic Apparatus]
Thursday, December 3, 1998
• 1531
[English]
The Chair (Ms. Susan Whelan (Essex, Lib.)): I call
this meeting to order, pursuant
to an order of reference of the House, dated
Tuesday, November 3, 1998, with regard to
consideration of Bill C-54,
An Act to support and promote electronic commerce by
protecting personal information that is collected, used
or disclosed in certain circumstances, by providing for
the use of electronic means to communicate or record
information or transactions and by amending the Canada
Evidence Act, the Statutory Instruments and the Statute
Revision Act.
We're very pleased to have two witnesses before us
this afternoon. We have, from the Office of the
Information and Privacy Commissioner of British Columbia,
Mr. David Flaherty, the information and privacy
commissioner for British Columbia, and Mr. Tom
Mitchinson, the assistant information and privacy
commissioner for the Province of Ontario.
My proposal would be that we hear both opening
statements and then move to questions.
With
that, I would like to begin with Mr. Flaherty,
please.
Mr. David Flaherty (Information and Privacy
Commissioner for British Columbia): Thank you
very much, Madam Chair. I'm
very pleased to be here.
I would remind you
that I'm both the information commissioner and the
privacy commissioner in British Columbia. You have two
separate officials at the federal level, but in the
provinces they tend to be the same person.
As well, I don't
represent the Government of British Columbia. I'm an
officer of the legislature, much like your privacy
commissioner is an officer of parliament, and I don't wish
to have what I have to say taken as representing the
position of the government, although, as I will tell
you, their position on this bill is one that I think I
share, and so forth.
I've given you a written submission. I regret that
it's not in French. I will try to answer questions in
French if anybody wishes me to respond to them in that
way.
In opening, I want to establish some
credibility on this issue with you. I would
like to say that I had
the good fortune, when I was a young
graduate student at Columbia University in 1964, to be
hired for a week by Alan Westin, who was
writing a book called Privacy and
Freedom. Published in 1967,
this was one of the seminal works in this
field. I was his research assistant for awhile.
In 1973 I was teaching at the University of Western
Ontario. I'm still a professor of history and law,
despite my current job. I began international work on
the privacy issue. I've worked since then, until my
current position, which began in 1993, in all of the
European countries, in particular, and in Canada and
the United States on privacy protection matters,
particular in the public sector.
From 1984 to 1987, I had the privilege of being one of
the two staff consultants to the Standing Committee on
Justice and Solicitor General in its five-year review
of the Freedom of Information and Protection of Privacy
Act, which produced a report in March 1987 called
Open and Shut.
It was interesting for me to read
two days ago one of the recommendations
of that report,
to extend the Privacy Act to the federally
regulated private sector, which is one of the things
you're doing, wisely, in Bill C-54.
Over the course of my career, I've had the privilege
of testifying on these kinds of issues in various
provinces in Canada, in the House of Commons, in the
Senate, in the United States, in Australia and so
forth. I was appointed the first privacy
and information commissioner for British Columbia
five
years ago. I have a six-year, non-renewable term
that ends August 1 of next year.
So I think I have
both some
independence and some credibility in talking to you on
the privacy issue.
I feel I'm here basically as a cheerleader for Bill
C-54. I'm very enthusiastic about it. I think it's
long overdue. I think it's in the best interests of
Canadian business. I certainly think it's in the
interests of taxpayers and the residents of this
country.
I want to encourage members of this
committee to feel, as I suspect you already do, that
you are doing something very important in promoting
this legislation for the private sector in Canada. I
share with Minister Manley the notion that it's very
important to facilitate electronic commerce in Canada,
that we're very well positioned to take advantage of a
heavily wired country in promoting electronic commerce,
but we well know a variety of Canadians have various
anxieties about privacy as they try to use the
Internet. Often in groups of this sort, you find that
no one actually purchased anything on the
Internet previously. One of the reasons is fear for
privacy in even giving their credit card over the Net.
I believe Bill C-54 is good for business.
• 1535
I also want to emphasize to you, from my perspective as
a privacy advocate and as a privacy commissioner, that
it's even more important to protect privacy as a human
right, through Bill C-54, as you are proposing to do.
I'm delighted by the bill's potential application to
the provinces and areas of provincial jurisdiction.
Because I'm an academic by background, I've never been
particularly shy about speaking for other provinces or
commenting on developments in other provinces. I try
to remember I'm a government official now and be less
bold in that regard, but I still feel I can say
that I think this is good for all Canadians.
I'll let Mr. Mitchinson, my colleague, speak for
Ontario. So I'll say it's good for all Canadians
except Ontario, but I hope he'll tell you
in a few minutes that it is
good for Ontarians as well.
I think this bill is a wake-up call to all of the
provinces, except Quebec, which, as you well know,
already has its own legislation. This bill gives
other provinces a choice whether to act to simply
accept Bill C-54 or to do legislation on their own.
Your work is really important for all Canadians
in a
bill that I regard as having truly historical
significance, trying to be all things
to all persons, including
myself. I'm also an historian, so I think I bring some
historical judgment to looking at certain pieces of
legislation and saying this is a very important
one, not least because it's been
so long in coming.
You're going to hear some natural anxieties and fears
expressed by the private sector about the burden of
this legislation, the complexity of the law, and so
forth. I would point to the Quebec experience in
1993-94, when certain businesses argued that if
Quebec
regulated the private sector, business would come
to an end. That has certainly not happened.
European countries have had years of national
experience and state experience in Germany in
regulating the private sector. The United Kingdom did
so in 1984; Sweden, 1973; and the Germans and
the French,
mid- to late seventies.
Many of our leading Canadian and American
companies have been doing business in Hong Kong and New
Zealand and European
nations for a number of years, and living quite happily
with even stronger legislation than you are proposing
in Bill C-54. So by a European standard, by a Quebec
standard, there's nothing terribly novel about this
legislation.
I certainly can speak for myself, and I think I can
speak for my fellow commissioners, that we adopt a
practical, common-sense, down-to-earth approach to the
implementation of privacy protection. We are not a
bunch of zealots. We try to work out deals with
the public sector. In the course of regulating the
private sector, we would work on deals as well.
I
hope “deals” is not too sordid a term to use with
you, but that means we would balance competing
interests. Our role is
to articulate the privacy interests that
are at stake in any particular situation, then to hear
from the public sector or the private sector on what the
other interests are in that particular situation so
that we
can balance competing interests.
None of us believe privacy protection is the only
value worth protecting in our society, even though our
job is to be upfront on this particular issue.
In question period, I'd be happy to talk with you
about my experience in regulating, for the last five
years, B.C. Hydro, the Insurance Corporation of
British Columbia, B.C. Ferries, all of which are big
companies, all of which have outlets all around the
province and the equivalent of a business in
terms of my working with them.
I also have jurisdiction, unlike many other
provinces, except Quebec, over all the hospitals,
the universities, and all the municipalities.
We've managed
to make our privacy act work in exactly the same way
that I expect to be able to make it work with respect
to the private sector, if and when Bill C-54 and any B.C.
contribution to that debate comes into place.
I was here for an hour or so of your discussion
yesterday, due to the glories of plane flights in the
west, so I heard some of the questions you asked.
Anticipating one that you might like to ask me as
well—that is, “Isn't Bill C-54 rather
complicated?”—I thought I'd pass around to you
the B.C. Freedom of
Information and Protection of Privacy Act,
a
very modern piece of legislation, just so you can look
at it and see that it's no more or no less
complicated than what you're doing in Bill C-54.
All of these pieces of legislation are complicated.
We certainly don't expect the average citizen
to read this once a week, and there's
no requirement for them to do so. What
we provide is one-stop shopping. If you have a
privacy problem, just like when you need a plumber, you
look in the phone book and find out who does privacy in
your jurisdiction, and then you give them a call.
Speaking from the British Columbia perspective, it is
certainly my position that in response to Bill C-54, we
need a made-in-B.C. solution for our
private sector, one that is responsive to the fact, for
example, that, as I'm all too well aware, it's a five-hour
flight from here to Vancouver and Victoria and the
west coast and there's a three-hour time
difference.
In terms of working with my fellow privacy
commissioners, it's a difficulty for me that both my
Quebec and Ontario colleagues are out to lunch—not
figuratively, but literally—by the time I get to work
in the morning.
• 1540
So we have some special problems in terms of how
we best
serve residents and citizens of British Columbia.
I
think there's a likelihood that we will come up with
something that will be complementary to Bill C-54 but
will also reflect the needs of the people who live in
British Columbia.
Our first consultation with the private sector
occurred last Friday morning in Vancouver, under the
auspices of the Chief Information Officer and Industry
Canada. Industry Canada was very well represented
in talking about the needs of electronic commerce and
how that fits in with the high-tech interests of the
Government of British Columbia.
So the process of consultation by the government—as
opposed to me—with the private sector has begun.
What are our choices? One of the things we could do is
extend our existing privacy act
to the private sector. It would
need some modification.
Another thing is for the Province of British Columbia
to take account of the goal of business in promoting
national harmonization of legislation in the
interests of business across the
country, which would mean
letting Bill C-54 prevail. The kind of standards-based
approach it represents through the Canadian
Standards Association model privacy code is a tool for
harmonization. That will be up to the government
itself. I'll simply have one voice in that
particular debate, at least until my term
ends.
Going back to my first annual report, in the
summer of 1994, in response particularly to the European
Union's directive on data protection, I called for
action to regulate the private sector in British
Columbia in terms of the privacy interests of
individuals.
One more issue I'd like to address is that
at the end of the day, even if you are wise enough—as
I hope you will be—to put Bill C-54 in law in
the foreseeable
future, there are real problems in making data
protection and privacy protection
effective in practice,
whatever a law says.
I'm very well aware, being both information and
privacy commissioner, how limited our financial and
human resources are. These are very tough jobs to do.
I regard the budget of the federal privacy
commissioner
as pathetic, even compared with our provincial
budgets. It's certainly going to need
considerable enhancement
if he or his successor can do the job they need
to do in terms of making Bill C-54 a reality, even if it
simply means further work with the provincial
commissioners.
I think having legislation of this sort and then
having underfunded commissioners' offices runs the risk
of giving the illusion of privacy protection. I hope
your committee will say some strong things to both
Justice and Industry Canada about the need to
adequately fund the privacy commissioner's office if
you're going to impose significant new tasks on him and
his colleagues, as Bill C-54 definitely
does.
I think the auditing powers, as
newly placed in the hands of the privacy commissioner
in Bill C-54, are very important. I'd be happy to
tell you during the discussion how I've turned that into
site visits, where I go around to most parts of the
province visiting hospitals, police stations,
municipalities and various government ministries as kind
of a friendly visit, trying to raise the flag and
promote privacy consciousness.
I believe at the end
of the day that most of the work of privacy commissioners is
privacy consciousness. It's promoting awareness of
privacy interest and fair information practices among
members of the general public, including members of
the legislature, or the parliament, in this particular
case.
I also believe at the end of the day that the way this
Bill C-54 legislation is going to work is through
cooperation between privacy commissioners and the
private sector. That will largely be done through
industry groupings.
I'll use the Canadian Direct
Marketing Association as a good example of that.
They've been a leader in the privacy field the last
number of years in terms of promoting
self-regulation. They have a privacy and ethics
code, which I have framed
on the wall in my office. They have a dispute
resolution mechanism that is very effective.
All they lack in terms of their privacy code is
enforceable, legal rights to privacy.
What people like
Bruce Phillips and I and my other colleagues have
been calling for over a number of years is
enforceable, legal rights to privacy
that go beyond self-regulation. But at the
end of the day, even when Bill C-54 is law,
I still believe, if you have a problem with a bank or
with a retailer of some sort, you'll deal, as you do
now, with the retailer, with the bank, then go from
there perhaps to the Canadian Bankers Association or
the Canadian Banking Ombudsmen or to the Canadian
Direct Marketing Association—and I notice it will
change its name next year to the Canadian
Marketing Association—and they will try to solve the
problems.
So the privacy commissioner will only be charged
with specific complaints when industry can't solve it
for itself, whether it's Stentor or any other business.
• 1545
The privacy commissioner's main role, in my view, will
be a proactive one of looking at the ways in
which industry groupings, whether small business, large
business, telephone companies or whomever, are
addressing compliance with Bill C-54. I assume
most of these industry groups will in fact
be giving guidance
to their members—for example, here's how you're
a good citizen, and here's how you comply with the
Canadian Standards
Association model privacy code, in schedule 1
of Bill C-54—and the privacy commissioner and his
or her staff will be engaged in ongoing dialogue as to
how you do this sort of work.
For example, what's the appropriate
trade-off between preventing fraud in the credit card
business or whatever else the competing value may be?
What are the interests of law enforcement? How would
they be balanced against the privacy interests of
individuals?
I should have said to you that I wasn't particularly
following my prepared submission in what I've chosen to
say to you.
There's one additional issue that in the
interests of time I will simply not pursue here—that
is, the fact that there is another model of privacy
protection that has developed since the mid-1970s, when
our current Privacy Act at the federal level
originated. This is the model initiated in Quebec in
the early 1980s; in Ontario in the late 1980s; in
British Columbia in 1992; and then imitated by that
great radical, Ralph Klein, in Alberta in 1993-94,
in the adoption of the Ontario-Alberta-British Columbia
model of privacy protection. All of us as
commissioners—and we're all information commissioners
and privacy commissioners—have order-making power.
I heard Mr. Phillips yesterday talking about the
effectiveness of the ombudsman approach. All I would
say is that I've never really had to order anybody on
the privacy side to do anything except in response to
specific decisions I make—and I've made close to
300 in the last five years—but it helps the discussion
if they know, at the end of the day, I can tell them
what to do, subject to review in the courts.
I think we can all work with and live with the federal
model as created by Bill C-54, but it will certainly
lead to some jurisdiction shopping. Someone with a
privacy problem in Burnaby, British Columbia, can look
around and say, well, where am I going to get better
justice, from the privacy commissioner in British
Columbia or from the Privacy Commissioner of Canada?
That's one of the kinds of things that will need to be
worked out over time.
Thank you, Madam Chair.
The Chair: Thanks very much, Mr. Flaherty.
I'm now going to turn it over to Mr. Mitchinson from
the Province of Ontario.
Mr. Tom Mitchinson (Assistant Commissioner,
Information and Privacy Commission of Ontario):
Thank you
very much.
I'm here on behalf of Ann Cavoukian, the
information and privacy commissioner for Ontario. She's
very disappointed at not being able to come here herself
today. She's actually out of the country this week,
in Washington, at
some other meetings.
We realize now that this committee is meeting again in
the winter months, and certainly if there is any interest
in having Ann Cavoukian come at that time, I'm sure she
would be more than pleased to come back if there was
anything any of the committee members wanted
covered.
This is an issue that I would say is one of the most
important issues as far as Ann is concerned. She's
been an advocate for the extension of privacy protection
to the private sector for many years. Although she's
not always in sync with my buddy here, she's perfectly
in sync with him on this one.
Ann had prepared some remarks, and I'm going
to deliver those remarks for you today
so that you can get a sense of what Ann's position
is on Bill
C-54. And I will certainly respond to any
questions that
come up from the Ontario context.
Before I begin the remarks specifically on
Bill C-54—it should take me
less than 10 minutes—I would like to
take a moment to place them in the
context of Ontario's current access and privacy scheme
and the role of the information and privacy
commissioner in her office.
As probably quite a number
of you know, Ontario's Freedom of Information and
Protection of Privacy Act applies to all provincial
government ministries and most provincial government
agencies. There's also a second statute, the Municipal
Freedom of Information and Protection of Privacy Act,
which covers local governments across the
province—municipalities, school boards,
police forces, public
utility commissions, and other local agencies.
The information and privacy commissioner is an officer
of the legislative assembly, reporting to the house through
the Speaker. She and her office have four broad
statutory responsibilities.
First, we're the appeal
body under both pieces of legislation, responsible for
reviewing decisions by government organizations
regarding access to general government records as well
as access to your own personal information records.
These freedom of information responsibilities are
somewhat similar to those of the federal information
commissioner, although we act as an administrative
tribunal with final and binding order-making powers on
the freedom of information side of our business, in a
sense combining the role played by the information
commissioner's office and the role played by the
Federal Court.
• 1550
Second, we're responsible for ensuring that government
bodies comply with the privacy requirements of the
acts. Obviously, this is the role that's
most relevant to
today's discussion, as is the next one—that is,
that
we're responsible for ensuring that members of the
public understand their rights under the statutes as
well as how to go about exercising those rights.
Lastly, we have a statutory mandate to comment on
proposed government initiatives or legislation that
have access and/or privacy implications. In this role,
we believe we serve as an advocate for access and
privacy more so than we do in some of the other parts of
our business, given the tribunal nature of our
responsibilities.
Returning to our second role, the acts create a system
that protects the privacy of personal information and
sets out rules that cover the way in which government
organizations collect, retain, use, disclose and
dispose of personal information.
The scheme also
provides a right of access to your own personal
information and to correct inaccurate information in
government-held records.
Both the provincial and
municipal acts base their privacy protection rules on
the widely acclaimed code of fair information
practices. These fair information practices were
developed by the Organisation for Economic
Co-operation and Development, the OECD,
and are the basis for
privacy legislation in most jurisdictions.
My purpose here today is to address the issue of the
potential privacy implications of Bill C-54. In the
context of our roles and responsibilities in Ontario,
I'd like to share with you some of the issues that we
feel should be addressed during consideration of the
bill.
It's our view that Bill C-54 is an excellent
first step in extending the protection of personal
information held by organizations in the private
sector. As you know, the vast majority of the broad
public sector is already covered by corresponding
federal or provincial legislation. However, it's only
in Quebec that legislation extends to the private
sector. Bill C-54 represents a new beginning at the
federal level, and we commend it.
Canada has a long history of working to develop
measures to protect the privacy of its citizens. The
federal government is a signatory to the privacy
guidelines developed by the OECD in 1980. The federal
government also participated in the development of the
Canadian Standards Association Model Code for the
Protection of Personal Information,
which forms much of
the basis of Bill C-54.
The Ministry of Industry has noted that Bill C-54
forms an important part of the Canadian electronic
commerce strategy, announced by the Prime Minister on
September 22. In order to promote and encourage
the development of electronic commerce, initiatives
such as this legislation are greatly needed to
establish the necessary degree of trust and consumer
confidence that will be essential if on-line business
is to become a mainstream part of commercial activity
and daily life in Canada.
Canada is not alone in seeking to establish stronger
measures to protect the personal information of its
citizens. Indeed, it's incumbent on Canada to take the
types of measures outlined in this legislation in
order to address the European Union directive on the
protection of personal data, which came into force in
late October. The directive sets out rules to
ensure that personal data is only transferred to
countries outside the European Union when its continued
protection is guaranteed so as to ensure that the high
standards of protection introduced by the directive
within the EU are not undermined.
It's important to note that while Bill C-54 has been
perceived as a 21st century response to realities of
electronic commerce, it is actually grounded in a core
value that we, as Canadians, hold dear. We believe
the protection of privacy is a fundamental human
right that must be upheld by our governments.
However,
as I touched on earlier, with the exception of the
province of Quebec, privacy legislation only covers the
public sector. It's right and proper to extend these
protections to the private sector. Indeed, we urge the
government to extend the coverage of the legislation
beyond the currently envisioned limits to include all
private sector activities, not just commercial
activities.
We are aware of the concerns raised by some regarding
the possible application of federal law to the
provinces—challenging the constitutionality of such
measures. However, we do not believe attention
should be diverted to this issue. The focus should
remain on the issues that are pivotal to this
bill—namely, the need for privacy protection
in the private
sector.
Let's not get caught up in a debate relating to an
issue that will serve to shift our perspective away
from where it properly belongs—how to protect our
citizens' privacy.
We fully support the enactment of corresponding
provincial legislation, harmonized wherever possible,
and we've written to the Government of Ontario
expressing this view and offering our assistance during
the development of such legislation.
We see this as a solution to any potential
constitutional difficulties.
• 1555
It is also important to note that a number of
businesses themselves have called for privacy
legislation for the private sector, one example being
the Canadian Direct Marketing Association. CDMA has
called for clear rules through legislation to govern
business practices. While the CDMA voluntarily
subscribes to the CSA privacy code, roughly only 80% of
its marketers are members, leaving a significant number
who do not follow the CSA privacy code. Private sector
legislation would solve this problem by creating a
level playing field, with privacy protected across the
board.
The general public is also very much in favour of
strong protections for their privacy and the
protection of their personal information. Surveys have
consistently found that an overwhelming percentage of
Canadians believe their personal information
should be kept completely confidential, except in very
special circumstances. I believe the most recent
survey showed that approximately 80% of people were
in this
category.
In response to these public concerns, many companies
are developing and publicizing their own privacy codes.
As information becomes an increasingly valuable
commodity, and technological developments enable
inexpensive data-mining and facilitate easy access to
all types of information about individuals, it's more
important than ever to ensure that the personal
information of Canadians is strongly protected through
legislation.
Both the public and many in the business
community are supportive of laws that clearly detail
measures for the protection of personal
information. Provided that organizations
are all on a level playing
field, no one group faces unfair burdens that could
put them at a competitive disadvantage.
We recommend that the coverage of the law be expanded
to include other groups in the private sector, such as
non-governmental organizations, the not-for-profit
community, and self-governing bodies and associations,
regardless of whether they are involved in conducting
commercial activities. A person's right to privacy
should not depend on whether or not
their personal information
is being used for commercial purposes.
We're also supportive of the government's specific
initiatives to adjust the legal framework for
electronic commerce. Changing existing legislation to
allow for the use of a secure electronic signature will
go a long way towards furthering the goals of
conducting
on-line business with government and promoting the
goals of electronic commerce in general.
We're very pleased to see that the role of the federal
privacy commissioner will be expanded under Bill C-54.
This will be much needed in order to perform the
required functions. If and when our province
introduces its own legislation, our agency will be
ready to perform the comparable oversight function
in Ontario.
We're also pleased to see that the proposed
legislation gives the federal privacy commissioner
a mandate to develop and conduct
information programs to promote public understanding of
privacy issues. Our agency has this role as a
statutory mandate, and we know from experience that
it's an extremely important one. Only informed
citizens are able to truly understand and consent to
activities involving their personal information.
This committee is engaged in highly important work,
and we appreciate the opportunity to appear before you
today.
In closing, I'd like to leave you with a request. In
your deliberations, I ask members of the committee to
not lose sight of the fundamental issue at the heart of
this legislation—namely, the protection of privacy for
all Canadians. It's not only important for the
government to enact this type of legislation in order
to satisfy European regulations regarding data
transfers but it's
also critically important, in the future
world of electronic commerce and network
communications, to ensure the public
that individual privacy need not
be compromised.
Only legislation adequately
meets this
challenge.
Legislation that extends the protection of personal
information to the private sector is the right thing to
do for Canadians, and we in Ontario lend our support to
both the government and this committee in making sure
that Bill C-54 works.
Thank you very much.
The Chair: Thank you very much, Mr. Mitchinson.
We're now going to go to questions, beginning with
Mr. Jaffer, please.
Mr. Rahim Jaffer (Edmonton—Strathcona, Ref.):
Thank you, Madam Chair.
I was interested in Mr. Flaherty's comment about the
radical Ralph Klein. It's because of
that radical Ralph Klein, it seems to me, that there's
a mass
exodus from that great socialist republic of British
Columbia to the province of Alberta. But that's neither
here nor there, Madam Chair.
• 1600
I would like to say, to begin with, that
I've heard a lot about the
differences you've outlined within the privacy
protection legislation. One thing that
concerns me—and I think it's
been brought up as well with some of
the provincial justice ministers—is with regard to
the
privacy legislation that's outlined in Bill C-54,
if, first of all, it's in fact going to conflict
with some
of the provincial jurisdictions and the mandates of the
provinces.
As well, specifically, because of the scope
of Bill C-54, and the fact
that it's trying to deal with such a big issue of
Internet commerce and privacy in an increasingly
global world, how do you in fact provincially fill in
the gaps that maybe to some extent Bill C-54 will not
be able to fill in, when it comes to consumer
protection, when it comes to issues of medical records?
I'd like to hear your thoughts on those two areas, if I
may.
Mr. David Flaherty: I'm
obviously not in a position to talk with you about the
constitutionality of Bill C-54, which is in part what
you're asking about. Many of the
provincial commissioners, including my colleague from
Quebec, Paul-André Comeau, were fortunate
to be here in early October, when we had a
briefing from Justice and Industry Canada
on these issues.
We were reassured to learn from
their lawyers that they weren't just taking a flyer
with Bill C-54.
I've since gone and read this 1989
decision of the Supreme Court of Canada that sets out
the two parts of the trade and commerce power.
To
the extent that my opinion is worth anything, I think
you have good reason to act on
Bill C-54, to act federally on this
matter.
In fact, that's tied in with the second part of
your question.
Many of the large American, foreign and Canadian
companies operating in commercial business in this
country are operating across the country. All you have
to do is walk through the shopping centres across the
country; the same stores are there, whether you're in
Montreal or Vancouver or Victoria or Halifax. So
there needs to be a national approach to this issue.
It's my view that in Bill C-54, by incorporating the
Canadian Standards Association model privacy code, which
was developed by the private sector over a period of
years, in cooperation with Industry Canada, Justice,
and even the office of the privacy commissioner, you
have kind of a self-regulatory code. All you're
effectively
doing is taking this form of self-regulation and giving
it the force of law, which is something I've been
advocating for a long period of time.
There are still companies that only do business in
British Columbia, for example, that don't move personal
data for commercial purposes across the country. There
are small operations that are local in character. But I
also know that a magazine like Beautiful British
Columbia Magazine, which you would have seen, moves
data around the country. It rents lists through an
American list broker. It has subscribers and
consumers
in Germany and France and the United Kingdom. People
who come to British Columbia and who love it so
much—I'm
not from the tourist agency, by the way—want
to have this magazine. So there's trade in personal
data.
At the moment, a company like Beautiful B.C.
Magazine is at risk of one of the national
European privacy agencies, in any one of the 16 or 18
member nations, saying, sorry, but you can't move
personal
data back to your headquarters in British
Columbia, because you do not have adequate
or equivalent data
protection legislation in British Columbia, never mind
Canada as a whole.
My colleague, Colin Bennett, a professor at
the University of Victoria, whom I
hope you will have here to testify in due course,
has
just finished a series of case studies for the European
Union as part of a research team from four countries. He
actually has a series of case studies looking at the
specifics of Canadian businesses trying to move data
from Europe, in particular, having to do with airlines,
banking, and companies like this magazine I'm talking
about.
The Chair: I just want to make our witnesses
aware that we're under five-minute time blocks for
questions and answers, so if everyone could try to
keep their questions and answers relatively brief,
it
would help things.
Last question, Mr. Jaffer.
Mr. Rahim Jaffer: I was going to ask Mr.
Mitchinson if he had a comment on that as well.
Mr. Tom Mitchinson: As to the question of
whether one system is better than another system, or
whether one system works or one system doesn't work,
I don't think that's what it's all about, really.
I think the system as designed in
Bill C-54, assuming it's constitutionally valid, can
probably work. I think the question is whether it's
most effective for members of the public.
You identified the issue of health information. I think
this is something we've experienced in Ontario, not
fully regulating the health sector in Ontario. We are
restricted to the ministries of health as
opposed to the public hospitals.
I think what the
public is looking for is a system they can
understand. So if they are complaining about their
personal information that's held in a provincial context,
they're going in a certain direction, and they're not
worrying about whether this is part of the federally
regulated area or whether it's part of
the provincially regulated area.
• 1605
I think it's compounded to some extent by the
fact that although no one system is the right
system—and the extent to which the ombudsman
model federally
works, I have no dispute with—when you
introduce a common national system where you have
different effective schemes at play, I think it does
run the risk of creating some confusion.
Was that the type of thing you were getting at
with your
question?
Mr. Rahim Jaffer: Yes. To put it simply,
how can you bridge
that somewhat relationship between the provincial
jurisdictions, to some extent, and the direction
they're going in with the national scope?
I think
they've answered my questions.
The Chair: Thanks, Mr. Jaffer.
Ms. Jennings, please.
Ms. Marlene Jennings (Notre-Dame-de-Grâce—Lachine,
Lib.): Thank you.
It's very insightful, listening to both of you. I have
a couple of questions, though.
Mr. Mitchinson, you've
said very clearly that you think Bill C-54 is definitely
in the right direction. However, you seem to have some
hesitancy as to the effectiveness of the legislation in
the form it is now in because of the differences at the
provincial level and at the federal level—those
provinces that do have information and privacy
commissioners who have order-making powers, for
instance.
Are you suggesting that this should exist at the
federal level?
Mr. Tom Mitchinson: No. I think maybe you're
reading a little bit too much into that. We're very
supportive of Bill C-54, and in fact quite supportive
of the approach that's been taken, which David
described as a bit of a kick to the provinces
to get their act
together on privacy.
While we will argue with our government
that perhaps an Ontario-made solution might be
preferable to what would otherwise be the case under
Bill C-54, I don't want you to read into it that we
would think nothing would be better than Bill
C-54. Far from it. We would make Bill C-54 work,
if that's the model that was left.
Does that clarify it a
bit?
Ms. Marlene Jennings: Sure.
Mr. Flaherty, you
talked about how, given that under this legislation the
information and privacy commissioner at the federal level
is going to have a very expanded role, you
would hope that the government departments would
recognize that in terms of increasing resources to that
agency.
I'd like you to expand on that a little bit, because I
think that's an issue that sometimes
governments don't realize when they put into place new
agencies, and sometimes set them up to fail by not
providing them with adequate resources.
Mr. David Flaherty: I'm pleased that
Mr. Phillips took me to a good lunch, because I now
feel better about advocating a larger staff for
him.
You can't do this kind of work without professional
people working with you who become specialists in the
various aspects of existence.
In my office, where we have broad health
responsibilities, we have a family and children area,
health
area, human resources, we call them, and the forest
industry, which is more freedom of information. We have
specialists in all of those things. They cross over.
We mix them up. There's never only one person. We
have specialists on the municipal government.
The federal privacy commissioner is going to have
people who understand credit reporting well, understand
banking well, understand telecommunications well,
and understand retail better than we do right now.
If you don't, you can't talk to the industries,
and you
have to understand it well enough to know how the
system works.
That's the sine qua non of doing privacy or data
protection, which is what we're doing here.
He or his
successor needs the kind of staffing that will allow
that to happen, just as the provincial commissioners, if
and when they acquire jurisdiction for Bill C-54, or
some made-in-their-own-province solution—or their own
territory, for that matter, because the existing
territories have information and privacy
commissioners—they will need additional
people to do it.
We are not bureaucratic in character. I have 25
professional staff, 15 of whom are professionals. We
do a thousand freedom of information inquiries
per year.
Cases are brought to us. We are driven by the freedom
of information act. In fact, one of the reasons to
keep the privacy commissioner separate from the
information commissioner at the federal level is that
those of us who are both are swamped by freedom of
information issues, and we have trouble getting the
privacy work done, never mind having short staff.
The Chair: Last question, please, Ms.
Jennings.
• 1610
Ms. Marlene Jennings: To Mr.
Mitchinson, you're suggesting that the coverage of the
law be expanded to include other groups in the private
sector who do not necessarily collect, use, retain,
dispose of, etc., personal information for commercial
purposes, such as NGOs, such as charitable organizations,
and such as not-for-profit and self-governing bodies.
I'd like you to
expand just briefly on that, because I would like Mr.
Flaherty to address that issue of whether or not he
also thinks the legislation should be expanded in
order to cover this other sector.
Mr. Tom Mitchinson: Unlike freedom of information,
which is really founded on the basis of public
accountability and open government, privacy is
universal in its application, as far as we're
concerned.
If you have privacy concerns about how organizations
collect and use and dispose of your personal
information, those concerns are equally valid, no matter
who has that personal information.
So although Bill
C-54 is brought in a commercial context, in the
sense that it's about electronic commerce and
facilitating access to electronic commerce,
in our view the same basic values of privacy
protection exist whether or not there's
a commercial context to the
information.
Mr. David Flaherty: The point I would make, Ms.
Jennings, is that we need this bill. It's not a
perfect bill. The original Privacy Act wasn't perfect.
The federal freedom of information act wasn't perfect.
My legislation isn't perfect. We need it, and I
really
don't want to spend a lot of time fine-tuning it.
There are some issues that can be dealt with by the
provinces. It doesn't cover employee data. A major
privacy issue within The Bay would be the privacy
interests of the people who work there, the thousands
of people across the country, or at T. Eaton's,
or Equifax, or big insurance
companies, or whoever it is.
As far as I can see, that's not covered by this
legislation, but it's an area where the provinces
should act.
As Tom has said, this bill is a wake-up
call. The provinces are meeting regularly with
Justice and Industry Canada—in fact, they're meeting
next week—on, “What are you going to do about it?”
And I applaud Industry Canada on that kind of
initiative, to
try to make this thing work.
Mr. Tom Mitchinson: Could I just add one very
brief comment to that?
One difference between the Ontario model and the B.C.
model is that we do not cover self-regulating
bodies, and David's jurisdiction does. We have
more problems
with that, because of the fact that people are operating
under different rules, than David would have, where
people are used to the rules. I think the extent to
which there's some consistency just benefits
everybody.
Ms. Marlene Jennings: Thank you.
[Translation]
The Chair: Go ahead, please, Madame Lalonde.
Mrs. Francine Lalonde (Mercier, BQ): I will resume where
Mr. Mitchinson left off, saying that a problem arises when there
are two sets of rules. That is one of the main problems that will
come up in Quebec, that bitterly regrets that the process did not
take into account Quebec legislation which, in its present
application, covers all organizations, even those that are said to
come under federal jurisdiction and that are subject to the Labour
Code. The Supreme Court has already rendered a decision, that has
been appealed, and we are awaiting a decision from the court of
appeal, so as to know whether the provisions apply or not to things
other than working conditions.
Over time, Bill C-54, that constitutes a second set of rules,
weaker than those set out in Quebec's legislation—and I will give
you numerous examples of that—will apply to a growing number of
businesses and create serious problems, on top of weakening the
protection provided overall.
What I have been saying since the beginning is that it is
unacceptable for Quebeckers to see their rights diminished,
especially since they were the first to venture onto this new
ground that was, as you will recall, quite slippery when they first
stepped upon it.
I would like to hear comments from both our witnesses.
Mr. David Flaherty: Please forgive me if I answer in English.
I express myself more quickly in English than in French.
[English]
I had the privilege of being brought up in Quebec, and
I have great admiration for the Quebec Civil Code, which
gives Quebeckers explicit rights to privacy that don't
exist in other parts of Canada. Our Charter of Rights
and Freedoms does not include the right to privacy.
• 1615
Mr. Phillips and I had the privilege, in 1991 or 1992,
of trying to make the argument that privacy should be
put into the charter—and Mrs. Finestone, I think, would
support that—so that everybody could go to court in
this country
and argue for a general right to privacy, whatever
he or she thinks it might be.
The Quebec legislation, which I much admire, is a
product of the Quebec Civil Code. It's a response to
the Quebec Civil Code, it's extremely progressive in
North America, and I envy it, but at the same time,
the Quebec commissioner works with the other
Canadian commissioners at present, in a cooperative
fashion—we have annual meetings,
and lots of interaction—to make
his legislation work and to work with us on common
problems.
For example, we've been meeting regularly on
the advisory council on the health infrastructure,
an advisory council to Health Canada, which is
due to report
at the end of the month. Obviously, we have great
concerns in that kind of privacy issue. We work
cooperatively together, even though his bill is
slightly different from my bill, from Tom Mitchinson's
bill, or from Bill C-54.
There clearly are some issues to be
worked out between Bill C-54 and the Quebec
legislation. On the other hand, it's arguable that the
federal government should regulate the federally
regulated private sector, which is banks, transportation
companies, radio companies, transportation and so
forth. That's kind of plausible, to me. They're
clearly industries and organizations, to use the
language of Bill C-54, that are in operation across the
country and all the territories. How you then take the
clearly stronger provisions of the Quebec act and not
have the protections for privacy rights in Quebec
dragged down
by Bill C-54 is a matter for cooperation. But the
federal privacy commissioner is accustomed to working
with Mr. Comeau on these issues, and I'm confident
things can be worked out.
The Chair: Mr. Mitchinson, do you have any
comments?
Mr. Tom Mitchinson: I think it's a valid point to
make. What we have to not lose sight of,
though, in this whole process, is that the success of
these schemes is based on the attitudes of the
participants in the schemes, not necessarily the
enforcement processes.
I think Mr. Comeau would
support that view, with his experience in
Quebec in regulating the private sector.
So although compromises always have to be made, I
guess, in dealing
with these seemingly, on some levels, incompatible
schemes, I don't think it necessarily
needs to compromise the overall success
of the privacy
business.
The Chair: Mr. Flaherty.
Mr. David Flaherty: I should have said, Madame
Lalonde, that I have read the avis of the
Commission d'accès à
l'information in Québec, and I agree with it. It
poses some very fundamental issues that need to be
worked out.
Mr. Comeau was with me at the briefing from
Industry Canada and Justice a month ago. We had
an opportunity to ask questions, and we both did plenty
of that. He has even more questions. I understand
he's going to testify before you at some point, and he
can make his own pitch.
The Chair: Madame Lalonde.
[Translation]
Mrs. Francine Lalonde: Exactly. In his avis, Mr. Comeau stated
that the commission has quasi-judicial powers in the following
situations:
a business refuses access to personal information to a person
affected by this information;
a business refuses to respond to a request to correct information
that is incorrect, incomplete or ambiguous;
a business disregards the request by a citizen that his or her name
be removed from the list of names provided for purposes of
commercial or philanthropic protection.
I have studied Bill C-54 and I will continue to do so. It is
not only complex—and one understands that bills are complex—, but
it is also confusing and has some serious deficiencies, notably
relating to the two last points brought up by Mr. Comeau. There is
no way of protecting a citizen if there is no cooperation on the
part of the business. Past experience in Quebec however shows that
overall 66 to 50 percent of complaints, depending on the year, are
resolved through mediation, whereas the remainder are resolved by
decision and the citizen is entitled to immediate compensation. I
am not talking here about fines, but the citizen should have access
to information and be able to have his or her name removed from a
list. It seems to me that any citizen should be entitled to these
rights and that these rights shouldn't be the exclusivity of
Quebeckers. Similar forms of recourse should be available from one
end of the country to the other.
[English]
Mr. David Flaherty: Madame Lalonde, I favour
having regulatory
power. I have regulatory power. In general, I've
rarely had to use it.
When I tell a psychiatric
hospital that their physical security for their records
of out-patients is completely inadequate, they do what I
tell them to do. Hospitals have reconstructed where
they keep alcoholism and drug addiction records because
I've recommended that they do it. I've never had to
say to them, “You must do it”.
• 1620
I agree that I don't know what will happen with the
private sector. We're doing a lot of outsourcing
in British Columbia, despite the allegation
that it's a
socialist regime. IBM, ISM-BC, BC Tel,
and MacDonald Dettwiler are all running
very sensitive
developmental programs for sensitive, personal,
government databases. They have to comply with the
Privacy Act.
My role is to tell them what that means. We have
a checklist we put into the contracts: Here's
what it means. And then I tell them: Here's
what else it means. You have to prove to me, to
demonstrate to me, why you, American Express
Canada, or the Stentor group in Canada, think
you are privacy-sensitive. Where's your privacy code?
Where are your confidentiality agreements? What are
your training programs for your employees?
They're all bellying up to the bar and trying to
keep me happy, because they want to do business with the
Government of British Columbia. So those are examples.
I visited MacDonald Dettwiler, which is an
extraordinary company in the aerospace business,
and it is doing a lot
of linking to locational
information. They're going to be running one
of our major
types of databases, BC OnLine. I spent Friday
afternoon with them in Richmond, British Columbia,
and they are extraordinarily sensitive to
these issues already. They want to become even more
sensitive.
The Canadian Standards Association has their western
headquarters across the street from them, and they're
going to work to an ISO 9000 certification, because
they're already...on privacy, and your standard,
that's
already in
Bill C-54. The president of the company said to me
in public on Friday afternoon, at a seminar, that they
also wish to learn
to comply with Bill C-54.
So that's an example of a progressive company
that wants
to make business doing link-ups of various kinds of
personal data, and they're getting ready for this
legislation.
Mr. Tom Mitchinson: I think in our experience,
where
we do not have anything but fairly limited order-making
authority in the fair information practices side
of our privacy business, we do have order-making
responsibility in appeals of decisions to deny access
to personal information. I think we do have a
fair bit of business in that field, so I think
that might be perhaps distinct.
In our world of combining freedom of information and
protection of privacy, we often think of requests for
access to your own personal information being more like
an FOI-type issue than we do about regulating fair
information practices. I think that's where you may
find some more difficulty in the value of
persuasion, because we too
have great success in persuading people
to deal with their information management practices
properly. But requesting your personal information
is a
different issue.
The Chair: Merci, Madame Lalonde.
Mr. Murray, please.
Mr. Ian Murray (Lanark—Carleton, Lib.): Thank
you.
I have just one question, and it relates directly to
provincial privacy commissioners. Clause 25 of the bill
would allow the Minister of Industry, with cabinet
approval, to delegate to, as I understand
it, essentially the federal privacy commissioner's
provincial counterparts “any of the Commissioner's
duties or powers
under this Part” of the act.
I'm not clear on what that would involve. Is this
saying, you know, absent a provincial act, that the
minister would be able to delegate powers to a
provincial authority, or is this almost a housekeeping
thing to manage something easier?
I'm assuming that during the consultation phase this
was discussed with you as provincial authorities.
So that's what I'm asking. I'm just not clear what it
means.
Mr. David Flaherty: Perhaps I can go first,
Tom.
I think it's actually a wise recommendation to the
Minister of Industry to tell the privacy commissioner
you have to cooperate with these other people, but it
won't come as any great surprise to the Privacy
Commissioner of Canada. We already meet regularly,
semi-annually probably, on these kinds of issues.
We finally use the Internet effectively
to communicate with
one another, including the territories and provinces.
We've already talked about the fact of getting ready
for just Bill C-54, no matter what our provinces do. We
should start getting together, perhaps as early as
February, to start saying how we're going to deal with
this stuff.
I think our view would be that the Privacy Commissioner
of Canada will have difficulty, unless he has a
sub-office in British Columbia, dealing with everything
that happens out there.
I've rarely seen an investigator of the
privacy commissioner in the Lower Mainland of British
Columbia. There's one out there right now, but that's
because
we have problems with tonnes of material that was
suppose to be shredded but wasn't.
• 1625
May I say that's
the reality of privacy protection today? We're not
dealing with the
most sophisticated issues of electronic commerce. When
you have a paper-shredding contract, you would
think that
people would actually do the shredding rather than
shipping it to China to make paper out of it. I would
think that even if the Province of British Columbia did
nothing there would have to be co-operation between our
respective offices, and the fact that the legislation
says there should be co-operation is, from my point of
view, a good thing.
Mr. Ian Murray: I read it as more than just
that there should be co-operation. I read it as you,
actually, in your
position, having the powers of Mr. Phillips because
the federal minister of industry has decided that you
should. Maybe I'm misreading this, but that's the way
it reads to me, and that raises further questions of
whether you want the power or not and also whether
you have
the resources, therefore, to do whatever it is you are
supposedly being asked to do. As I say, I may be
misreading this entirely, but...
Mr. Tom Mitchinson: No, I think you're reading it
accurately. My reading of it is that it's
a companion piece to the provision which defaults to
provincial coverage in three years if there's no
equivalent. It has to go along with that in order to
actually implement it. That would be my biggest fear
in that circumstance. All of a sudden there would
be this expectation of provincial privacy commissioners
discharging those additional responsibilities, yet our
funding source comes from the province, which would have
no role to play. We would be in quite a pickle
in that circumstance.
Mr. Ian Murray: Hence the need for us, as the
federal government, to encourage the provinces to move
quickly on this.
The Chair: Mr. Flaherty.
Mr. David Flaherty: Could I add that there is not
a great history of devolution of federal obligations to
the provinces, although I read the newspapers and I see
what's going on with the social union talks at the
moment? I would think that if a province had no
privacy commissioner we
could end up with people in those provinces having
privacy rights in the commercial sector and none in the
public sector, and I regret to say that three
Canadian provinces don't—Nova Scotia, Prince Edward
Island and Newfoundland—which is regrettable.
I have
to believe that the ministers of
justice, in the course of the next three or four
years,
are going to wake up and smell the roses in this
regard. And I would think that the Province of British
Columbia would be reluctant to see my successor saddled
with federal responsibilities if, in fact, the province
believes
strongly that a lot of this is within provincial civil
jurisdiction. This is where I am pleased that Andrew
Petter, the minister responsible, as part of
the consultation
process, was quoted in
interviews last week as saying that British
Columbia needs privacy
legislation for the private sector.
Mr. Ian Murray: Thank you very much.
The Chair: Thank you very much, Mr. Murray. Mr.
Jaffer.
Mr. Rahim Jaffer: I just have one short question.
[Technical Difficulty—Editor] in fact in favour
of this legislation. My question, though,
is whether the legislation is in
fact moving from a voluntary regime
to a compulsory one. I'd like to hear that
from you, Mr. Flaherty. You mentioned that in
the role you have as a privacy commissioner in B.C.,
you
have a decent relationship with various organizations,
whereby you make suggestions and there has never been a
real necessity to enforce anything. I would like to
hear your comments. If there is no real problem as
it stands currently, is there a real advantage
in moving from that voluntary type of CSA code
to a mandatory
one?
Mr. David Flaherty: Absolutely. I do not believe
that Canadians or residents of Canada should have
privacy rights that are weaker than those
of every member of the European
Union or residents of Hong Kong. Hong Kong has a
privacy commissioner with complete jurisdiction over
the public and private sectors. We do a lot of business
with Hong Kong from British Columbia. We have a lot of
people who move back and forth. Why should people of
Chinese extraction, of whom there are a lot in British
Columbia, have lesser privacy rights than the people
they left behind in Hong Kong?
At the end of the day,
with all of the anxieties the public has about
privacy as we enter the twenty-first century, they
should have enforceable, legal rights to information
privacy, which is what you're doing here. I believe
you should also give us a more enhanced constitutional
right to privacy by putting privacy in the charter of
rights and freedoms, the way the Quebec charter has
already done.
The Chair: Any comments?
Mr. Rahim Jaffer: Just one follow-up question,
out of
curiosity, because I'm not familiar with how the privacy
protection laws in Quebec have actually worked. You
must obviously follow that. I'm curious. In your
own opinion, has it helped the situation in Quebec? How
many complaints have come forward? What's the
situation there that you can reflect on?
Mr. David Flaherty: I think you'll really have
to ask Mr. Comeau those questions when he appears
before you.
Mr. Rahim Jaffer: Okay.
The Chair: Thank you, Mr. Jaffer.
Ms. Finestone,
please. Do you have any questions?
• 1630
Hon. Sheila Finestone (Mount Royal, Lib.): Yes, I
do. Thank you very much.
I have a question for the chair first. Do we have a
graph that describes the differences between the nine
or ten provinces that have such legislation—and the
territories—and a comparative analysis against the
federal bill, Bill C-54?
The Chair: The only one that has privacy
legislation that affects the private sector is Quebec;
the other provinces don't have it right
now. They're talking about the different legislation
they have with regard to the public sector within
their provinces.
Mrs. Sheila Finestone: You're saying there's no
privacy protection in any other province but Quebec?
The Chair: For the private sector.
Mrs. Sheila Finestone: For the private sector.
I
still think it might be a very good evaluative tool,
Madam Chair, to have a design graph in front of us so
we know that, because
my next question to the chair was going to be to see
the comparison between what Quebec has and what's in
this federal piece of legislation.
My question goes to you, Mr. Flaherty, and you, Mr.
Mitchinson. How are you going to handle the shopping
about that's going to happen with corporations that may
have offices across the country? It would seem to me
that with the lack of concordance you're going to have
a competitive environment.
Mr. David Flaherty: Basically, as Mr. Mitchinson
has pointed out, everybody has fair information
practices. The same fair information practices were
invented in the early 1970s in Britain and the United
States at the same time and, in an extraordinary
process, have
been copied around the world. Even Malaysia, Korea,
Japan and Hong Kong all have the same fair
information practices we have in Canada.
Most of the time, as the privacy commission, we don't
spend our time looking at section 22.2
or clause 4.3.2 of the first schedule of the
CSA code; we talk simple things, like consent and, in
particular,
transparency.
I've had a run-in with Safeway in
British Columbia. I wanted to save 10% on my groceries
when I went to buy—not drugs, thank God—laundry
soap and things like that, and I didn't like what I
would have to fill out to join the Safeway customer
club. So on a particular morning, I took it upon
myself to call Victoria, then Vancouver, then
Calgary, and then I got a California operator
who told me
they had great privacy laws there, which
I'm highly
suspicious of. Eventually, I talked to public affairs
in Calgary. The first thing they told me was that the
customer data is stored in the headquarters computer of
Safeway. Guess where? Salt Lake City. Now, that
doesn't give me many enforceable legal rights.
And unfortunately, Safeway doesn't operate
in Quebec, where
it would be caught up by the existing legislation.
And the argument I had for them is that they're not
transparent with me, as a customer, when I want to join
their club. Where is my data going to go and what legal
recourse am I going to have and so forth?
Now, I can't resist mentioning a table, which will be
somewhat unpopular with some of the people in this
room. As part of my submission to the four-year review
of our legislation in British Columbia, which is taking
place at the moment, I prepared for our legislature a
comparative table of the fair information practices in
our B.C. act, in the European Union directive and in
the CSA model code. It's about seven or
eight pages. I'd be happy to leave it with
you, especially for your staff to look at.
I still
subscribe to the refrain of the former Prime Minister
of Canada, who said, “You dance with the woman that
brung ya.” As far as I'm concerned, I came in here
with Bill C-54 and I'm happy to leave with it. I'm not
trying to throw a monkey wrench in here, but I
think it is worth comparing, given the fact that
the first
Privacy Act was enacted in the mid-1970s and has
basically
hardly changed in response to Open and Shut in 1987.
It's like Parliament addresses
these privacy issues every 25 years, and if
by a little bit of
fine-tuning by the committee and its staff, you can make
some little bit better, then God bless you. I think
you ought to do it, as long as we get this bill into
law in the next six months or so. That's the need the
privacy commissioners feel.
The Chair: Thank you. I'd appreciate that, Mr.
Flaherty. The clerk will take that and
copy it.
Mr. Mitchinson.
Mr. Tom Mitchinson: The only thing—
Mrs. Sheila Finestone: Before you answer, Mr.
Mitchinson, and before I forget—it depends on the day
and the age—to add to the list of evaluative
undertakings which I would find necessary, I
think we should add the European
Union and the newest piece of work they've done, which
would prevent business from coming to Canada if we
don't make these changes that are important in Bill
C-54.
The Chair: Mrs. Finestone, I know you've just joined
us today. A number of
papers have been distributed to the committee for
background information. I have asked the researcher
to inquire into
what comparisons are already available and to perhaps
undertake this as her January project in getting ready
for our meetings in February. Okay?
• 1635
Mrs. Sheila Finestone: Thank you very much.
I
still didn't get an answer about the problem with
shopping around with concordance and the legislation.
Perhaps, Mr. Mitchinson, you could answer that.
Mr. Tom Mitchinson: Yes, just very briefly,
I'll say that I do feel the same way David does
about the need for Bill C-54. I think some of the
purpose behind the design of the three-year period
before the extension to the provincial jurisdictions
kicks in is for the very reason of trying to sort out
some of these jurisdictional issues that go beyond
simply the privacy element here. We're not the ones
who designed the bill, but we feel confident that
during that period of time we can sort things out and
come up with the best national system.
Mrs. Sheila Finestone: Do you think that having
the regulations and standards written outside of the
bill, but in a regulatory part of the bill, is an
effective way to work? Do you not believe it should be
in legislation?
Mr. David Flaherty: I know there are trade reasons
for putting the standards in as a schedule to the bill.
It has to do with Canada's interrelationship with the
United States under NAFTA and what American companies
might try to do to us before the World Trade
Organization. That's as far as my expertise goes on
that issue.
Let me give you an example, since I know you felt I
ducked your question initially. I think I may go into
politics based on that skill.
Mrs. Sheila Finestone: You'd be darn good at it.
You know that, though.
Voices: Oh, oh.
Mr. David Flaherty: Thank you.
Look at the credit
reporting area, the credit information area.
These are
regulated provincially. All of us have credit
reporting acts in our provinces.
Long before I knew what the scope of Bill C-54
would be, I told our legislature that our
credit reporting
act needed to be looked at, whatever else may happen.
I think the legislature of British Columbia
and all the provinces and territories are going to have
to decide what to do about credit reporting, but at the
same time, there's one big national credit reporting
company, Equifax—
Mrs. Sheila Finestone: Oh, yes.
Mr. David Flaherty: —and I think Equifax is quite
good at looking after itself.
I will say to you that I did some work for them
before I
became commissioner, so I should put that on the
record. I was starting to look at their fair
information practices. I stopped when I became
commissioner in British Columbia.
They're going to
have to make some choices too. And they're quite capable
of looking after themselves. This is not a mom-and-pop
grocery store near my home in Victoria. This is a big
powerful organization with a lot of commercial
interests, and I think they're going to work it out with
the federal commissioner and with the provincial and
territorial commissioners as to how this is going to work.
Plus, you have all these provincial legislatures that
may want to sort of keep their jurisdiction over credit
reporting.
The Chair: Ms. Finestone, last
question, please.
Mrs. Sheila Finestone: Do I understand you to
say, then, that it would be too rigid for this
bill to carry standard rules and
regulations for practices, that you need this as a
statutory regulatory matter—the standards and the
regulations?
Mr. David Flaherty: I think this is a question for
Industry Canada and the Department of Justice. I'm
satisfied with the questions I posed to them as to why
the standard is in the schedule. It's very much like
the British Data Protection Act, where the principles of
fair information practice are in the schedule. This
was Margaret Thatcher's famous 1984 Data Protection
Act,
which, by the way, has just been revised in response to
the European directive.
So here we have Canada, which hasn't looked at the
Privacy Act since
1975 except for some tinkering in the late 1980s,
and
we have the British act, which is only from 1984 and
has just been
revised to comply with the European directive. It may
be a bigger task, actually, to take another look at the
Privacy Act for the public sector and see whether
that's strong enough, but that's not really what we're
doing here today.
The Chair: Thank you.
Thank you, Ms. Finestone.
[Translation]
Madame Lalonde, please.
Mrs. Francine Lalonde: The question that comes to my mind when
I listen to you is this: why, in Canada, should we be content with
less than the Quebec legislation? Let's improve the bill. Why not
have a legislation just as strong in the first place?
We, in Quebec, do lots of trade with the United States and we
also have very large businesses, including Equifax Canada Inc.,
Alcan and many others. I never heard that they have major problems.
We trade with the United States and our legislation complies with
the European Union directive.
I should say that since this bill has been introduced, I
talked to a lot of people who have been active in the privacy area.
Many were very surprised that the federal bill is not based on the
Quebec legislation, which is already in place and which has already
been tested. We could benefit from this experience, look at its
strengths and its weaknesses. I agree that we need to deal with the
coding issue, but why not?
• 1640
It is rather ironic that we find ourselves somehow being
accused, while the issue is to write a bill that will protect
Canadians.
[English]
Mr. David Flaherty: I have one simple
response, Madame Lalonde, and that is, if you look at
most areas of civil law, there is a difference between
what Quebec does because of the Civil Code tradition
and what we do in the other provinces and territories
because of the common law tradition.
Now, at the end of the day, I would like, from a
privacy point of view, to have the level rise rather
than be diminished, so I'm with you on that
point.
The Chair: Mr. Mitchinson, do you have any
comments?
Mr. Tom Mitchinson: I just agree with David's
comment. I think we just can't lose sight of the fact
that there are different ways to be effective in
protecting privacy. In Canada, in all
of our meetings that we have all the time when we
compare how we approach privacy protection, we've been
used to trying to look at how different people handle
the same issues in a different context successfully,
and I just encourage people not to lose sight of that
as we work through what is realistic.
[Translation]
Mrs. Francine Lalonde: I could repeat the example I gave
yesterday of an Air Canada employee who insisted on getting access
to her health file. She filed a complaint against Air Canada with
the Access to Information Commissioner of Quebec. The High Court
issued a decision that has been appealed. Contrary to what I said
yesterday, I have not been able to obtain a copy of the decision of
the appeal court. Air Canada refuses to provide the information the
employee is seeking, although this large business is supposed to
comply with these fair practices you talk about. This is a serious
issue for individuals, citizens and consumers. Sometimes even large
businesses cause problems.
So how about all the other SMEs who may not even have an idea
of what it all means. We know the difficult situation they are in.
As Mr. Pierret mentioned during the conference on electronic
commerce, businesses have to do their part. They have the means to
do so. But, at specific times, when the consumer needs support, the
state has to step in. I think that in common law, it is...
The Chair: Please ask your question.
Mrs. Francine Lalonde: I would like to have your comments. Is
it not possible to make the common law tradition evolve?
[English]
The Chair: Mr. Flaherty.
Mr. David Flaherty: That's why, Madame Lalonde,
Bill C-54 gives Canadians a right to access to their
personal data in the commercial stream, just like our
laws, provincially, give British Columbians an absolute
right to their personal data held by government,
by hospitals,
by whatever. The kind of situation that has arisen in
Quebec, where there's litigation taking place between
Air Canada and the Commission d'accès à
l'information is not unusual.
To the best of my knowledge, the data inspection board
in Sweden has taken American Airlines to court in
Sweden over the SABRE airline reservation system, a
issue similar to what's happening with Air
Canada here.
The Chair: Mr. Mitchinson.
Mr. Tom Mitchinson: You're describing the model in
Quebec, which is probably closer to the model that
David and I are used to working with in Ontario and
British Columbia, so we're not supportive of the
concept of that model working.
Ms. Francine Lalonde: You are not supportive?
Mr. Mitchinson: We are not supportive.
Ms. Francine Lalonde: Okay.
Mr. Tom Mitchinson: It could work very well, but
I think there are
wrinkles in that model as well. There are models
that work more
effectively. In the Quebec model, things are going
to court all the time for a final determination,
whereas in Ontario things are kept out of the court for
final determination. There are different wrinkles in
it that we could talk about when you get into
the fine-tuning of a particular model as well.
The Chair: Thank you. Merci, Madame Lalonde.
Mr. Lastewka, please.
Mr. Walt Lastewka (St. Catharines, Lib.): Thank
you, Madam Chair.
First of all, I want to thank the witnesses for their
presentations and their Qs and As. I think it's
important that we have a lot of discussion on this
bill with
stakeholders and people across the country.
• 1645
I think it's a bill that we don't need to rush. But
as Mr. Flaherty mentioned, I think, we
need to get it done and not delay it, because it's long
overdue. I think Mrs. Finestone, who worked on
this many years ago, sighed with a little bit of
relief at the fact that
finally we're getting to the point of making it happen.
I just want to go back to the discussion
about strengthening the bill. Could you tell us
what the
areas are in which the CSA standard maybe
should be modified to
strengthen the protection of privacy?
The Chair: Mr. Flaherty.
Mr. David Flaherty: I was critical of the CSA
standard when it was being finalized. I sent them some
relatively technical points. They chose, in their
wisdom, not to accept all of them. That's fine. It's
a free country. Can I live with it? The standards
are now nine pages, practically single-spaced. That's
a lot of standards.
That's more than we have in our British Columbia bill
in the terms that spell out our fair
information practices.
I think it's quite detailed.
The academic in me would always like to make things
perfect. I'm worried that if we start playing with the
CSA standard, there are so many competing interests
here that then we get the CSA unhappy. I would prefer
to move forward with the bill the way it is, and then
we—consumer groups and others—can continue to
pressure the CSA on any particular area in which
we find
problems, just like you have a five-year
review built into this legislation.
I'm in a kind of ironic situation to argue that
five-year reviews are wonderful, because I helped do
the five-year review for the Freedom of Information and
Protection of Privacy Act, and the Mulroney
government did nothing for us on freedom of
information. They did a few things for us on privacy.
So I'm a little skeptical of how well these four- or
five-year reviews are going to work.
But you can take another look at how well this bill is
working after a few years, and if the lack of regulatory
power is causing real problems for the privacy interests
of Canadians in those areas that are solely of federal
jurisdiction...and we can also work with the CSA to make
sure that the standards are up to scratch. That's
my personal preference.
The Chair: Mr. Mitchinson.
Mr. Tom Mitchinson: This doesn't relate
technically to the CSA standard, but there
is an area within the
bill which, from our experience, I think, could be
improved, and that is the area of audit power. Right
now, the audit power in the bill is reactive to the
existence of a problem.
We have found over the years that we are most effective
in providing a consultative, co-operative role with
government, and I don't see any reason why this would
be different with industry if we are more proactive in
the kind of work we do, in helping people without the
context of a problem, in trying to design information
management systems that would work most effectively.
We in Ontario don't have a specific audit authority
within our act, and that causes us problems. We
want it so that we can be proactive about the help that
we do, like a risk management kind of audit function.
I do support David wholeheartedly on the issue of the
five-year review. We had two three-year reviews
in Ontario, and
committees conducted very comprehensive reviews of both
the provincial and the municipal statutes. Reports were
made and no action was taken, and I would suggest that
you take a look at your clause on the five-year review,
or whatever period there is in here, and see if you
would feel comfortable with expanding it to require a
response from the government after a three- or
four-year review, rather than just requiring
the three-year
review itself. That was an experience that we've had,
which wasn't the best one in terms of reviewing
legislation.
The Chair: Mr. Lastewka.
Mr. Walt Lastewka: In the legislation there are
areas of exception—culture, artistic and journalistic
items. Do you have any comment on that?
Mr. Tom Mitchinson: That was part of the CSA
process, which I was not directly involved with, so
I'll defer to David on it.
Mr. David Flaherty: I agree with them.
The Chair: Last question, Mr. Lastewka, please.
Mr. Walt Lastewka: Thank you.
Yesterday, we had Commissioner Phillips here. We
asked him what he considered the single
biggest threat to privacy. His answer was
“ignorance”. I'd like to ask both of you
that same question.
Mr. David Flaherty: I heard the answer yesterday
and
I knew the questions. I wondered overnight what I'd
say if you asked me the question.
Voices: Oh, oh.
Mr. Walt Lastewka: There it is.
• 1650
Mr. David Flaherty: I think I'd want to put more
high tech... Ignorance is clearly a problem: lack of
sensitivity to one's privacy rights. People don't
realize how important privacy is to the conduct of
daily life, whether as individuals, as
friends, as members of families, or as
members of societies.
I think the sophisticated issues that are
relevant to commercial information are things like
data mining. The kind of software that has
been developed,
particularly by banks internationally, has an immense
capacity to go through the digital footprints that we
leave every day as we're going through our lives.
I
teased Mr. Phillips as he drove into his parking garage
at one of the big buildings around here. There was
another digital footprint. And it was: it said he
entered
the parking garage at such-and-such a time. It's
another
form of surveillance.
Some data mining is done for beneficial purposes, but
a lot of it is out of control. It's not transparent
to us that it's happening and we have not consented to
it. Consent, as shown in schedule 1 of your bill, in the
CSA standards, is crucial to the privacy business.
Many of us would be quite happy to have a great banking
enterprise, take complete account of all of our
“relationships” with it and tell us what we need more
of in the way of home insurance or auto insurance or
having a million bucks sitting around in your
savings account—a problem that most of
us don't have—not being properly invested.
But if I want that, I want to ask for it. I don't
want to be the beneficiary of direct marketing or
telemarketing or something else that I really don't
want on the basis of data-mining algorithms
that are essentially
quite sophisticated. I think it's this problem of
not knowing
where you're getting approached from, whether
it's a phone call, direct mail, or a bank suddenly
displaying a great interest in your savings account and
wanting to invest it for you without you ever asking.
That's the kind of thing that bothers people and,
in everybody who has commercial relationships
in our society—and that's all of us—it
arouses anxieties
about privacy.
The Chair: Mr. Mitchinson? You've had a
couple of minutes to think.
Mr. Tom Mitchinson: Yes. Building on Bruce's
comment about ignorance, I think it's in the
technological context: it's making sure that we are
using technology to enhance privacy rights as opposed
to running the risk of having a technology invade your
privacy.
One of the real challenges
we're facing in the next little while is
the level of sophistication that is
required in order to really understand that a
fingerprint on a pad is one of the most privacy-invasive
things that can happen but a finger scan into a
biometrically encrypted database can be perhaps the
most privacy-enhanced kind of technology you could
have.
The Chair: Thank you very much.
Mr. Lastewka, Madame Lalonde, and then Mr. Bellemare.
Madame Lalonde, please.
[Translation]
Mrs. Francine Lalonde: Thank you. We have banks in Quebec and
since bill 188 was passed, they are subject to even more stringent
privacy rules. But they have accepted them and this has not been a
problem. So I have to ask again: why be afraid of asking more? I
don't think the explanation about our trading relationship with the
United States holds water. If that was an issue, it would already
have arisen in Quebec. Bernard Landry pays a great deal of
attention to our trading relationships.
We are extremely concerned that the Quebec legislation will be
weakened because we have every indication that this will indeed
happen. You said that Bill C-54 is an improvement on the common law
tradition but in fact it doesn't protect the rights of individuals
as well as the Quebec law.
What concerns me, and this I felt even as the Minister made
his presentation, is that this bill is aimed mostly at promoting
electronic commerce. Indeed, this is what the title says: an Act to
support and promote electronic commerce by protecting personal
information. So, business is behind this. I don't need to repeat
everything that has been said about the footprints we leave.
• 1655
I learned recently that when you buy something from a business
that provides air miles premiums, all transactions are linked up
and the data are used to establish marketing lists. Again, why not
have greater requirements? The bill is vague and the rights are not
clearly spelled out. If businesses object to a specific rule, they
can easily go to court. I would have expected you to ask for more
stringent requirements. I tell you this frankly, in all friendship.
[English]
The Chair: Mr. Flaherty.
Mr. David Flaherty: If I could speak very briefly
on this, there has been a ripple effect and benefit
from
the Quebec legislation on privacy right across the
country. Quebec insurance companies sell across the
country. I know that they don't want a different set
of forms to collect information on a life insurance
application form, so by the mere fact that Quebec has
legislated, a person who wants to do business with
Laurentian Bank or the Laurentian insurance company in
Prince George, British Columbia, will have the benefit
of the fact that the form has been approved by the
Quebec privacy
commissioner.
There will always be areas that are completely within
provincial jurisdiction and affect the daily lives of
many people. And the result of the Quebec law
may very well be that Quebeckers will continue to have,
even in the privacy of information or data protection
field,
better rights to privacy than I have in British
Columbia. I would hope that by the time British
Columbia acts within areas of primarily civil and
provincial jurisdiction, they will rise to the Quebec
standard. I will certainly encourage them in that
fashion.
I regret to say that you and I can't rewrite the
Canadian federal Constitution. And there's something
called “areas of federal jurisdiction”.
Ms. Francine Lalonde: Yes.
Mr. David Flaherty: Airline
companies, railways and banking are areas of
federal jurisdiction, and it's up to the federal
government, I guess, at the end of the day, to set
the standards,
which is what Bill C-54 does.
The Chair: Mr. Mitchinson.
Mr. Tom Mitchinson: When Quebec was
expanding public sector access in
privacy legislation to the private sector, it tried
to model, as much as possible, on what it already had
and was doing well with. And that certainly is the
approach that we'll be taking in Ontario, where we have
a model which is much more like the Quebec model than
the federal model. We, too, would want
to take what we have, which we think is a very good and
very effective access and privacy scheme and argue why
the privacy sides of that—as they are—can't be
expanded to the
private sector. So we're not at all at odds
with your views.
The Chair: Mr. Flaherty.
Mr. David Flaherty: Could I say one more thing?
I did a
book in 1989, which was called Protecting Privacy in
Surveillance Societies and deals with Germany,
France, the United Kingdom, Canada and the United States.
At the end of the day, I could be here saying to you,
“Why don't we adopt the 1977 law of the
Commission Nationale de
l'Informatique et des Libertés on
l'informatique et
des libertés? It's the French way of doing
things—in this
case, France rather than Quebec.
At the end of the
day, it's a question of how well any law that
incorporates fair information practices is
incorporated, how it's brought into common
parlance, as reflected in best practices of Equifax or
the Royal Bank or the Sun Life Assurance Company.
And
since all of these laws are based on fair information
practices, there are not that many differences in
practice. I would not be able to say to you that
because of the French law in France they have stronger
privacy rights or lesser privacy rights than Germans or
Swedes or Scandinavians in general.
I think the fact that Quebec is doing it in a
different way reflects broad cultural differences.
[Translation]
Mrs. Francine Lalonde: This is why we would like to continue
in this direction, and not be forced to change.
Mr. David Flaherty:
[Editor's Note: Inaudible]... on this
point.
The Chair: Thank you, Madame Lalonde.
Mr. Bellemare.
Mr. Eugène Bellemare (Carleton—Gloucester, Lib.): I would
like us to have a look at section 4 of the bill.
[English]
This bill would not apply, in paragraph 4(2)(c),
to any organization in respect of personal information
that the organization collects, uses or discloses for
journalistic, artistic or literary purposes
I have
some concerns about that. Maybe I'm misinterpreting
something, but I'm afraid of, for example, newspaper
people, an organization. Not just a newspaper person
but a whole organization could be gathering data from
any organization—it could be a commercial
organization in this case—and then using it for their
own purposes, which could be misused or “mal-used”.
• 1700
What are your views on this particular piece of the
bill? Then I'll
go to paragraph (b).
The Chair: Mr. Flaherty.
Mr. David Flaherty: It's been my view
that—reflecting the words of Mr. Phillips
yesterday—the
charter of rights and freedoms supports a free press,
and if journalists are collecting personal information
for journalistic purposes, it should not be covered by
our legislation.
But let us say that The Vancouver
Sun decides to get into the database business of
selling information commercially across the country,
which they may very well be into. U.S.A. Today
runs big databases of various sorts, information
services that are not directly related to the work of
publishing a newspaper communication. If a big
journalistic enterprise is running databases, running
information retrieval services or doing other things that
are purely commercial, then, I would think, Bill
C-54 should and would apply to them. But in the purely
free-speech-publishing-a-newspaper business, with
respect to collecting
sources for writing newspapers, Bill C-54, in my
opinion, wisely excludes that from the scope of
the act.
Mr. Eugène Bellemare: Do you feel that it's very
clear here? As a layman, I read this and I don't see
that it is clear. I see that it could be
an interpretive
issue.
Mr. David Flaherty: I think, Monsieur Bellemare,
that
all of the words in all of our pieces of legislation
are subject to potential interpretive disputes, and
this will be no better or worse than any other type of
language. I suspect you will have representatives of the
Canadian Daily Newspaper Association before
you in the months
to come, and if they don't think this is specific
enough, I'm sure they'd be quite happy to tell you.
However, having looked at journalistic exemptions in
other pieces of data protection legislation, this seems
to be a reasonable effort to address the problem.
Mr. Eugène Bellemare: I'm not clapping my hands
because I was hoping for a different answer. I was
thinking of where it could be done in an abusive yet
legal way, whereby a journalist or a journalistic
organization would gather data, not through accessible
information that everyone can get, by going to
the court, for example, and getting information that is
public, getting documents that anyone has access to,
but by going into commercial computer information or
database information services, building up a case
and then attacking someone in an article. Don't you
see that there could be abuses there?
Mr. David Flaherty: Are you familiar with the fact
that there are privacy tort acts in many of the western
provinces? There is actually a privacy act in British
Columbia—and probably in all the western
provinces—a
provincial act that is the tort of
invasion of privacy, the civil wrong of invasion of
privacy. If someone comes into your house when it is
for sale under the
guise of being a legitimate purchaser but is in fact
a gossip
columnist with a camera trying to take a picture of the
inside of your house because you're Mick Jagger and
you're incredibly wealthy and prominent, and does take
pictures of your house, you would then attempt to sue
this person, this alleged journalist, for invasion of
privacy under the British Columbia privacy act, which
is a tort act, completely different from the Freedom of
Information and Protection of Privacy Act, which I'm
charged with administering.
We are dealing here with Bill C-54, and in the work
that Mr. Mitchinson and my Quebec colleague and I do,
we're dealing with data protection or information
privacy. I have an article—and of course I personally
believe
that anything I've written should be paid attention
to—coming out in a forthcoming book which argues that
all privacy issues should be given to privacy
commissioners. It's ridiculous that the Privacy
Commissioner of Canada has such a limited jurisdiction.
If you're concerned with eavesdropping or peeping Toms
or wiretapping, why can't you have one-stop shopping?
I think Mrs. Finestone's report of two or three
years ago addressed privacy more broadly as a human
right. And I would like her to think
about—preferably after this
particular Bill C-54 is law—seeing
more done for the general protection of Canadians'
privacy rights, including specifically the kinds of
issues of invasion of privacy by the media that Mr.
Bellemare is talking about. Looking at all the
countries in the world, every advanced industrial
society has this kind of legislation for privacy
protection. None of them would be able to address the
kind of issue you're talking about, the issue
of malfeasance on the
part of a journalist. You'd have to depend on the
Civil Code in Quebec, on our provincial privacy acts,
or on the common law privacy protection, which isn't
much of a common law.
The Chair: Mr. Bellemare, your last question.
Mr. Mitchinson.
• 1705
Mr. Tom Mitchinson: I just have one comment
in response
to that. I think the last phrases in that clause are
meant to address, to some extent, what you're concerned
about, where the use, disclosure and collection
is for another purpose, arguably not
the purpose for which it was collected.
Mr. Eugène Bellemare: Thank you.
The Chair: Before I go on to one last question
from Madame Lalonde and Mr. Lastewka, I just want to
pose something to both of you and bring it back to
a provincial level. My understanding is—and
I will assume this applies in British Columbia, as
well, but I'm not sure—that in the Province of
Ontario there are a couple of registries, which I'll refer
to.
In particular, there is the land registry system,
whereby my mortgage is recorded and, as a
consumer, my mortgage is technically public record.
However, as a
consumer, I can guarantee that 95% of consumers don't
realize their mortgage is public record. I'm a lawyer,
so I'm aware of that.
I didn't know that my motor vehicle record was public
record. My understanding is that the Province of
Ontario is presently selling this information on lists
with respect to when my mortgage comes up for renewal,
with respect to
things about the type of car I drive and how old it is.
As a consumer,
I personally find that offensive. It is
an invasion of my privacy.
And I would think the majority of people in Ontario,
that
95%-plus who don't realize their mortgage is public
record to begin with, would find it offensive that the
Province of Ontario is selling what they would consider
very private information. I guarantee you that
if you had
a room of ten consumers, nine out
of ten of them would not be willing to tell you what
their mortgage information is, not being
aware of the fact
you can look it up at the registry office.
Nine out of ten would consider that
to be extremely private
information—maybe ten out of ten.
Mr. Mitchinson, I throw that out to you because it's my
understanding that now that it's available in electronic
format it's being sold, very easily, and I'm
a bit concerned.
Mr. Tom Mitchinson: I'll speak to the driver
registration database, which is a publicly accessible
database in Ontario. Over the years, we have tried to
to put some structure around how the use of that
information is handled in an electronic world. What
we succeeded in doing is—not interfering with
the one-off request for access to driver record
information,
which is a statutory right that people have access
to—trying to limit, by contract, who can have access to
bulk data out of the driver registration system and
trying to limit what subsequent
use they can make of that data.
That was as far as we were able to succeed in dealing
with the use of the information, but it does control
it,
so that if a legitimate insurance company or a
private investigation company should have
access, for their own reasons, to the information from
that source, they are at least controlled on the
use they can make of that information subsequently.
But I think that personal information in electronic
format, as all of us who are involved in this field
know, is one of the major gaps in the legislative
structures that we're required to administer, because,
generally speaking, they were designed in a world that
did not accommodate or did not reflect the massive
growth in potential for electronic record use and
disclosure that's happened since the legislation was in
place.
The Chair: What I'm throwing out at you is this:
is that
considered to be public information under the
public responsibility of the Province of Ontario or is
this in the private sector responsibility? I
consider the land registry system a government
registry system, and government has control of that
information, so how could that information be sold to
the private sector?
Mr. Tom Mitchinson: As far as I know, what's
happened
with the land registry system in Ontario is a
public-private partnership that was established through
a company called TerraNet, which set up the land
registration system. I'm unaware of the Government of
Ontario selling a database of personal information
drawn out of mortgage records on assessment rolls. Are
you talking about the TerraNet
partnership?
• 1710
The Chair: My understanding is that someone is
making a lot of money on the sale of this information,
so that, for example, when my mortgage comes
up for renewal,
I'll receive solicitations not only from my bank but
from several banks, and I'll wonder why I'm getting them,
because, as a consumer, I'm not aware that
they have access to this information. I might just
think it's timely. I personally find that offensive,
and I'm assuming that as consumers a number of
others would. That is an invasion of my
privacy.
Mrs. Sheila Finestone: Is it covered in the new
Bill C-54?
The Chair: No. To begin with, I'm trying
to find out if they consider
this provincial or federal. I
consider it provincial, so technically, because
the Province of Ontario doesn't have any...it has
government laws, but is this provincial-private or is
this provincial-public?
Mr. Tom Mitchinson: I think the sale of
that data is not being done directly by the
government. The sale of the data, if it's being done,
would be done through the private sector arrangement
they have, which is a contractual thing that should
be controlled. I agree with you.
Mr. David Flaherty: My recommendation to you is
that you complain to the Privacy Commissioner of
Ontario.
Voices: Oh, oh.
The Chair: In fact, Mr. Flaherty, I will be doing
that.
Mr. David Flaherty: Oh, good. Please—
The Chair: I'm raising this because I want to
get some clarity in this issue. I, as a lawyer, am
very confused here. My understanding is that
the Province of Ontario is making money, so whether they
have an agreement with TerraNet or whether it's
TerraNet
that's making the money, it's something we need to
resolve. I have been informed that the Province
of Ontario is actually making a lot of money on
the sale of
private information—or what I would consider
private. Maybe you don't or they don't
consider it private. I shouldn't say “you”; you're
not here on behalf of the government.
That being said,
I'm just throwing that out there because I
think it's a real
issue as to what is provincial, what is federal, what
is
commercial, what is government and who is responsible.
And
how did this happen? How did it go from being a
registry system whereby you had to go and
look up my mortgage? And nobody was going to do
that for purposes of selling
it to mortgage companies. No one was going to waste
time and go down there. How did it go from that to
putting it on the electronic
system so that all of a sudden, en masse, everyone
has access
to my own—and everyone's—commercial records?
Mr. Tom Mitchinson: I think David has had
adjudications on
this. We have as well. We will deny access to
electronic bulk data of personal information that is
otherwise accessible on a one-off basis through a
statutory right of access. We treat electronic
personal information in bulk as a whole different
product from a hard-copy single record.
We have given as much direction as we can to
the government through our adjudications—that
this is
our interpretation of it—but we have to be quite
creative within our statute in order to do that.
The Chair: Mr. Flaherty.
Mr. David Flaherty: I'm not bothered by any sense
of limitation in dealing with any publicly available
data in British Columbia. In the last four or five
years, I've been making strong efforts to make the
practices of these databases transparent. I'll go back
next week and find out what happens with our land
registry, but I have one success story to recount to
you.
We have a highly automated system of real estate
assessment records for the entire province. For $10
you can go into a library and you can have an
account. I found, after practice, that
I could look up Mike
Harcourt's name and find out what property he owned and
where he lived. I did it for Vicki Gabereau once, just
to entertain her on her show.
I found it
unacceptable that this kind of automated database could
be used as a locational device in British Columbia. I
had very little support initially, but last spring,
co-operatively with the B.C. assessment authority,
we
published a report on it. Jenny Kwan, the
Minister of Municipal Affairs, took our recommendations
and made them part of the Municipal Act, much to my
surprise, although the practice would have improved
just
with what I was saying anyway, and now you cannot find
on the automated database in the province any single
person.
I live in Saanich. If you want to know what
property I own you can go to the city hall and get my
property record, but you can't pay $9 and find
out where I live because I happen to own property. If
you want to find out who owns my personal address—which
I'm not going to give you at the moment—you could look
it up and you could get the information. That is
very important, not just for abused spouses but also
for psychiatrists, police officers, some elected
politicians, some privacy commissioners, and other
people who have legitimate interests in not being
found.
Now we're working on the personal property registry,
which is even more significant. People have no
idea that if they buy $1,000 worth of furniture from
the Brick with no money down for 32 years they're
in the personal property registry.
Voices: Oh, oh.
Mrs. Sheila Finestone: Is that where they are?
Mr. David Flaherty: Yes. They are in the personal
property registry. So the battering spouse who wants one
last lick at the woman who's just left the battered
women's
shelter can find that individual through a private
detective, or, if they're smart enough or devious enough,
through the personal property registry. That is not
transparent. We're working on that literally right
at this moment.
But as a male—I'm happy
be called
a feminist—I was surprised when I started this
issue four years ago that I didn't even
get as much support as I
expected from the Ministry of Women's
Equality, as it's called in British Columbia. Now
things are improving in that domain.
That's an
example of what privacy commissioners have to do on a
proactive basis in this area of stuff that is
totally within
provincial jurisdiction.
The Chair: Thank you.
• 1715
Madame Lalonde, and then Mr. Lastewka.
[Translation]
Mrs. Francine Lalonde: I would like to finish by dealing with
the very detailed directive on the European Union. I would still
like the bill to be withdrawn in order to put in place a different
and coordinated legislative process. If this bill, which purports
to protect the rights of Canadians, were to be passed, it seems to
me, on its face, that it would depart from the spirit of the
European Union directive. Excuse me for mentioning once more the
Quebec legislation, but it says that any personal information,
whether it belongs to a citizen of France, of Japan or of the
United States that transits through Quebec is entitled to the same
protection and to the same rights. It seems to me that, at the
minimum, the bill should do the same. However, I know that the
European Union requires the protection to be effective and to be an
enforceable right.
I am convinced that we need to discuss this further because in
my reading of the bill it does not satisfy the requirements of the
European Union.
[English]
Mr. David Flaherty: I'm going to hone my political
skills, Madame Lalonde, in response to your questioning.
If I'd done better in
answering your questions, I wish I could get a doctorate
after surviving this
struggle with you.
[Translation]
Mrs. Francine Lalonde: Thank you.
[English]
Voices: Oh, oh.
Mr. David Flaherty: But I haven't done well enough
to get a doctorate, you see, that's the trouble.
I'd like to think that the Europeans regard Bill C-54
as a very progressive step forward. It will be up to
them and the national data protection authorities
in the 18 or 16 member countries, whatever the number
is, to
decide whether our legislation is adequate. As far as
I know, they've regarded the Quebec legislation as
adequate for the public and private sectors, which is
quite good for Quebec.
My colleague, Professor Bennett, I understand,
may testify before you. In his case studies and those of
another three professors, an American, an Australian
and a British one...they have done a set
of studies at the European
Union on all of the questions of adequacy from various
countries, including Japan. They're supposed to be up on
the European Union's web site this week. I'm not sure
that they are, but that will be something for your
staff to look at. And I would be happy to put them in
touch with my colleague. I have the Canadian
case studies
with me, but I'm not at liberty to give them to you.
If he appears before you, you can also ask him these
kinds of questions.
[Translation]
Mrs. Francine Lalonde: Thank you.
[English]
The Chair: Mr. Mitchinson, do you have any
comments?
Mr. Tom Mitchinson: I have nothing to add.
A voice: You don't want a degree?
Voices: Oh, oh.
[Translation]
The Chair: Thank you, Mrs. Lalonde.
[English]
Mr. Lastewka.
Mr. Walt Lastewka: Thank you, Madam Chair. I'm
going to be very brief.
With Canada legislating Bill C-54 and the fact
that we have
the Province of Quebec with its legislation—and
hopefully the other provinces will quickly get into
their legislation too—but with the U.S. taking the
attitude of having everything on a volunteer basis,
would this be a penalty to Canada? Will this be a
competitive benefit to Canada? Or will it be neutral?
Mr. David Flaherty: I regard Bill C-54 as a
tremendous competitive advantage for Canada in
electronic commerce.
I also happen to be a historian of the United States.
My first book was on the history of privacy in early
America, believe it or not, and I've testified a
number of times in the 1980s and early 1990s in the
U.S. Congress on the inadequacies of American federal
privacy protection.
I like pointing out that in the United States your
video privacy rental records are protected by statute,
whereas your health records are not, and they have no
privacy commissioners. A lot of states have privacy
laws, but no one is in charge of the shop.
I'm pleased that the European Union indicated this
week that the effort by the United States to argue this
safe harbours approach was not going to meet the
European standards. In fact, a wag said, “Pearl
Harbour was suppose to be a safe harbour too.” That
points out some of the inadequacies of the American
approach.
• 1720
I don't understand why the United States, which
invented the legal constitutional right to privacy
in the 1870s and 1880s and had the famous law
review article on the right to privacy,
by Warren and Brandeis, in the Harvard Law Review
in 1890, doesn't get with the program
on privacy and go along with European standards.
As an historian, although my work in is the seventeenth
and eighteenth centuries, I'll make a twentieth
century comment. The United
States has been accustomed to running the world for the
last 50 years or so. I'm quite pleased, as a Canadian,
that the European Union now has countervailing power to
the point where they can say in the privacy field,
“We want to
have the European Union a nation of shopkeepers, but we
also want a nation of shopkeepers that's very
sympathetic to human rights, including personal
privacy.”
I really don't understand why the American government
doesn't get that point. I can tell you that with
respect to the kinds
of things we're saying to you here—and I regard
myself as an academic in this regard—the American
academics, of whom there are about five or six
who made formal comments to the Department of Commerce
on the safe harbours business, were as critical as I
have been of the whole conception. I
don't think self-regulation is going to work. I'm
quite grateful that
the European Union has provided a stimulus, to
Canada in particular, to act in this area of protection
of human rights.
The Chair: Thank you, Mr. Lastewka.
Mr. Flaherty and Mr. Mitchinson, I want to thank you
both for being here. Your colleague, Professor
Bennett,
has contacted the clerk. We don't have anything in
writing yet, but we anticipate we'll be scheduling that
meeting at some later date.
Just to clarify things for committee members,
on Tuesday
afternoon, we'll be meeting again with the public
interest advocacy groups with regard to Bill C-54. In
the morning, we have one final meeting on Y2K,
municipalities, waste water sewage, and the retail council.
As well, just to clarify this for the record, we will be
continuing our hearings on Bill C-54 in February and
probably into March, depending on the number of
witnesses we have before us. We intend to
thoroughly review this bill and hear as many witnesses
as we possibly can. Hopefully that will clarify the
record: we're not going to rush the bill through.
I will thank our witnesses and adjourn the meeting.