STANDING COMMITTEE ON INDUSTRY
EVIDENCE
[Recorded by Electronic Apparatus]
Thursday, March 4, 1999
• 0908
[English]
The Chair (Ms. Susan Whelan (Essex, Lib.)):
Pursuant to an order of reference of the House dated
Tuesday, November 3, 1998, we are considering Bill C-54,
an act to support and promote electronic commerce by
protecting personal information that is collected,
used, or disclosed in certain circumstances;
by providing for
the use of electronic means to communicate or record
information or transactions; and by amending the Canada
Evidence Act, the Statutory Instruments Act, and the
Statute Revision Act.
I'm very pleased to welcome our witnesses here this
morning. We have three different groups of witnesses.
From the Information Technology Association of Canada, we
have Ms. Carol Stephenson, who is from Bell Satellite;
Mr. Wayne Scott from IBM; and Mr. William
Munson from ITAC. From the Canadian Association of
Internet Providers we have Ms. Margo Langford, the
chair, and Ms. Julie Garcia. And we have our expert
today, Professor Michael Geist, professor of Internet
law from Ottawa University.
I'm pleased to welcome all three different groups here
today. I propose that each of you go through your
opening statement for about five
minutes, and then we'll move to
questions.
With that, I'll begin with the
Information Technology Association of Canada. Is it
Ms. Stephenson who will be doing the presentation?
Ms. Carol Stephenson (Chair, Information Technology
Association of Canada): Yes. Thank you.
Good morning. I am Carol Stephenson, president
of Bell Satellite Services and also the chair of ITAC.
ITAC is the Information Technology Association of
Canada. With me are Wayne Scott, who is from IBM
Canada and also is a member of ITAC; and Bill Munson,
who is from the ITAC staff.
ITAC is the voice of information technology in Canada.
We represent about 200 of the largest information and
communications companies in Canada, and 1,300 companies
if we include the nine affiliates across Canada.
Together these companies
account for about 80% of 418,000 jobs, $70 billion in
annual revenue, $3 billion in annual R and D
expenditures, and annual exports of about $20.7 billion.
From hearing those numbers, I think you know the
industry cares about this issue and that we
do contribute to the Canadian economy.
• 0910
We have naturally worked very hard on a policy
framework for Canada that protects and promotes those
enormous contributions. Our members and the clients
they serve are pioneering some of the new
frontiers of electronic commerce and electronic
service delivery. Canada is off to an
excellent start, and ITAC believes that if we do get
this formula right, Canada has an excellent chance
of becoming a leader in the world in the emerging
electronic era.
Maybe some of you witnessed Canada's leadership
last October when we held the OECD ministerial
conference on electronic commerce. I had the
privilege of representing the Canadian business
community and was very gratified by the compliments
I received from people across the world about
the value and clarity of Canada's contribution to
the dialogue in the conference and the various forums
that preceded it.
Certainly business in Canada and around the world
understands that electronic commerce will never achieve
its tremendous potential without a shared set of
principles that establish consumer trust.
Customers venturing into the virtual marketplace need
assurances that their interests will be carefully
protected. One of the most fundamental things we
must do is protect privacy and personal
information.
Therefore, independent of legislation, there is
a growing awareness amongst the private
sector organizations, certainly those in our
industry, that personal information should not be seen
or treated as a commercial commodity. Bill C-54
provides a very valuable complement to that new
awareness.
Here I would like to stress that among Canada's
industry associations, ITAC has been in the forefront on
privacy issues. In fact we called for privacy
legislation as far back as October 1994, in a submission
to the federal government's information highway
advisory council. We've been working on it actually
since the early 1990s.
We've consistently advocated
that legislation be based on the CSA model code for the
protection of personal information, which was developed
by a committee of industry, consumer, labour, and
government representatives. ITAC was among
them. There was a very broad
cross-sectoral representation on
the CSA privacy committee, and that gives great moral
strength to the CSA model code and also to Bill C-54,
which, as you know, is founded on the model code.
While different people around the CSA table had some
different views, our dialogue was fruitful. At the end
of a long, generative process of give and take, the
committee felt we had achieved a strong and workable
solution. We believe that solution adequately
addresses the range of interests that were represented
there.
ITAC therefore applauds the introduction of Bill
C-54 and recommends its passage through Parliament for
three fundamental reasons.
First, as I've just said, the bill is based on
the CSA model code.
Second, the bill positions the Privacy
Commissioner as a positive force for compliance.
Adopting the ombudsman model, where the Privacy
Commissioner acts as an arbitrator rather than as
police, judge, and jury, is very commendable. This
positions the Privacy Commissioner as a positive
force to work with, rather than an enforcer to defend
against.
And third, the government has shown initiative in
attempting through this bill to create uniform law
applying to all companies, wherever they are
located across the country.
We would, however, in the spirit of continuous
improvement—which certainly drives our industry—take
this opportunity to support four positive changes to
the legislation as it's currently written.
Here I'll note that we do fully support part 2 of the
bill, which is intended to modernize the existing
statutes so as to recognize electronic documents, and we
won't suggest any amendments to the schedule to the
bill, which is essentially the hard-won compromise that
the CSA model code represents.
• 0915
Our first suggestion addresses the powers of the
commissioner to investigate or audit. As I
mentioned earlier, we see the positioning of the Privacy
Commissioner in an ombudsman-like role as very
positive. However, we are uncomfortable with the
notion that the Privacy Commissioner, under
subclause 18(1), would have the power to audit for and
report publicly on compliance with what
are clearly intended
to be recommendations as opposed to obligations.
In most cases, best practices will dictate that
companies incorporate in their privacy policies the
“should” statements contained in the
schedule. We are comfortable in saying that the
few exceptions will be companies with
valid and well-recognized reasons for choosing to meet
their legal obligations in other ways. They should
not risk being penalized for doing so.
Our second suggestion relates to the opportunity to
respond to a complaint. We recommend that the
legislation allow an organization some minimum amount
of time to correct the situation that has been brought
to the commissioner's attention before the commissioner
may commence his investigative and reporting
activities. We recognize that this may occur for
practical reasons, but we would prefer to have the
formal assurance of it in the legislation.
The third suggestion we'd like to make
deals with the transfer of
information within an organization. We recommend that
the legislation explicitly allow organizations to
transfer information internally. We recognize that
organizations must be responsible for maintaining the
security of information in their possession,
particularly when that information is sensitive, but
the law must recognize the nature of the multi-access
database technologies already in everyday use both in
government and in industry.
Our last suggestion deals with publicly available
information. We note that Bill C-54 is silent on the
issue of an organization's right to use publicly
available information. To facilitate electronic
commerce, companies should be free to use, collect, and
disclose some information that is publicly
available—for example, phone numbers listed in a
telephone book. We should note too that the
legislation should also recognize, as we do, that some
kinds of publicly accessible information are more
sensitive than others.
These are, we hope you will agree, recommendations to
really fine-tune a piece of legislation that we support
in general. ITAC members and staff will be pleased to
work with this committee and departmental staff to
incorporate any necessary amendments to Bill C-54 prior
to its passage.
We also look forward to working with
departmental staff and the Privacy Commissioner's office
on efforts to get the word out to our constituents.
Aside from its protective qualities, we must recognize
that Bill C-54 is also a solid starting point for
education and organizational development by the Privacy
Commissioner. We're pleased to understand that the
Privacy Commissioner has similar views and intends to
pursue such activities.
With that, I'd like to thank the committee for allowing
our association the opportunity to speak to you today.
We'll be pleased to answer any questions you may have,
either now or in the coming weeks or days ahead. Thank
you.
The Chair: Thank you very much, Ms. Stephenson.
I'm now going to move to the Canadian Association of
Internet Providers. Ms. Margo Langford, please.
Ms. Margo L. Langford (Chair, Canadian Association
of Internet Providers): Thank you, Madam Chairman.
I'm going to start with an overview, and if
you're looking for documentation that backs this up,
it's this particular set of documents. I apologize for
the fact that it's not in French. Most of it is in
chart form, and it's just meant as a general overview
for framing the industry. Ours is a very new industry, as
Internet providers, and therefore I wanted to give you
a bit of background before I turned it over to Julie
Garcia.
On personal Internet usage, about 40% of
Canadians now have access to the Internet, about
20% from home and about 14% from work, and about 10%
have it at both places. Also, 70% of our university
students now have Internet access, which is an
incredibly high figure. Thanks to Industry Canada and
their SchoolNet program, almost all of the
schools—and certainly the goal is 100% of the
schools—will have access by the year 2000. So we are
getting to the point of critical
mass in personal usage on the consumer side.
On the industry side, a number of industries of course
have jumped on-line. The next chart, on industry
distribution, deals with the various sectors
that are actually using the Internet. These are not
necessarily those who are selling on-line, but in fact
those who are using the Internet in some way to conduct
their business. And of course there are a variety of
ways that businesses do use the net, including
business-to-business activity.
• 0920
As you can see by the next chart, the percentage
on-line by company size,
small and medium enterprises are very much the growth
part of Internet use by companies, and they are adopting
the Internet in leaps and bounds.
In the next chart and next page I want to talk
briefly about ISPs themselves. No two Internet service
companies are alike. There are a
variety of different business models, and many of them
are unknown to us.
Industry Canada did a survey and discovered there were
675 of them. Those are companies that identify
themselves as in some way providing services for the
Internet. I would suggest that many of those are just
access providers or some other kind of related
service.
CAIP itself now has upwards of 100 member
companies that actually are more
full-service companies, so they offer not only access
to the Internet but also some of the value-added
services, such as e-mail, hosting content, training,
consulting, and those kinds of additional services.
Right now it's estimated the industry represents about
$1 billion in revenue, and the typical ISP growth is
between 5% and 8% per month. CAIP members
represent about 80% of the traffic in Canada and about
90% of the users at the moment, so we feel
significantly entitled to be here speaking on behalf of
the industry.
The next chart shows you that the most amount of
revenue is obviously coming out of the large companies,
although none of them are making a profit on straight
access, so that's a really important part of our
story. The industry is diverse in its structure, and at
the moment our membership includes major telephone
companies and their affiliates, cable companies and
their affiliates, and independent ISPs. There are
three major consumer providers—AOL Canada, Netcom
Canada, and PSINet—and some network providers, such as
Teleglobe, MetroNet, UUNet, WorldCom, and AT&T,
who also carry smaller ISPs on their network.
Then of course there are lots of regional, local, and
specialized services.
The majority of revenue from the industry comes at the
moment from residential subscriptions and business
subscriptions, so we're not yet at the stage where a
significant amount of money is coming from electronic
commerce transactions or even housing or hosting the
content, but that is certainly the area that everyone
wants to get into. It's just a much better margin.
Lastly, we are as an
industry obviously extremely concerned about privacy
and consumer concerns about using the Internet. Our
business will not succeed without addressing this
issue. I give you this chart to demonstrate that
we do know about our membership, our subscribers, and
their concerns. We are in touch with them and we are
working very hard to build confidence.
CAIP itself
has done a number of things to try to address this
over the last three years.
We started with a code of conduct in 1996, which
addressed some things at a very high level, and
privacy was one of the principles in that code. We
refined that code this past fall with an on-line privacy
code, which I believe has been distributed to you, and
some user tips. And we are continuing to address those
through something we're calling the fair practices
program, which is an opportunity to go out and educate
our users, our member companies, and indeed our
merchant subscribers—the people whose web sites
we host—to try to get them to all understand their
obligations in the privacy chain.
On that note, I'm going to turn it over to Julie
Garcia, who by the way brings additional value. Not
only is she responsible for the legal affairs at AOL
Canada, but she's also worldwide policy director
for AOL, America Online, as a whole.
Ms. Julie Garcia (Chair, Privacy Committee, Canadian
Association of Internet Providers): The Canadian Association of
Internet Providers, as Margo indicated, is comprised of
approximately 150 companies involved in all aspects of
the Internet and Internet-related services. Many of
our members are small regional and local Internet
service providers, or ISPs, but we also include among our
members such companies as IBM Canada, Bell Canada, and of
course AOL Canada.
• 0925
CAIP is committed to the protection of the personal
privacy of individuals on-line. We know consumers
are wary of new Internet technology as regards the
collection, use, and disclosure of their personal
information. CAIP knows the appropriate protection of
that personal information is a necessary prerequisite
of consumer trust, and consumer trust and confidence
are necessary prerequisites if the world of the Internet
and electronic commerce is to reach its full potential.
Our businesses won't flourish unless we have that
confidence of our consumers.
To foster that sense of
trust, CAIP has established its own model code of
privacy protection that's tailored to the on-line
industry. The model code is based closely on the CSA
standards, taking what is best from those standards
but blending it with the technical reality of the
on-line environment.
CAIP prefers a self-regulatory
model, particularly in the area of personal data
protection.
While Bill C-54 and the CAIP model code are both based
closely on the CSA standard, CAIP's self-regulatory
code is written in the language of our industry and
reflects the unique technical environment.
Our privacy
guidelines, which I believe you have a copy of, also
feature user tips. Those user tips encourage
individuals to do what they can to protect their own
privacy.
The CAIP approach emphasizes that the protection and
safety of personal data are the responsibility of all
parties to a transaction, not simply the obligation
of one industry.
CAIP would like to work with this
committee on four areas of potential improvement and
clarification of Bill C-54.
The first area is the collection, maintenance, use, and
disclosure of personal data by an ISP. In an on-line
transaction, whether it be signing on to an Internet
service provider, buying books from Amazon.com, or
whatever, an individual user almost always has to
provide what we call header information
and billing information.
That would be your name, your address, and normally a
credit card number so that the transaction can proceed.
That information is required on the part of the
business to process billing, just as it is in the
off-line world, and it's part of our business function.
The user affirmatively provides that information, and
they know that's going to be used to process the
business transaction, and in the case of a service
provider, an ongoing business relationship.
As the user navigates around an on-line service and
around the Internet, however, an access provider, just
through the process of providing access, will
automatically collect information such as the length of
time the individual is on-line and potentially, if
it's a proprietary network, where the user is going
within that network.
That information is collected automatically by
computers. It may be used for billing purposes, if
users are billed based on time spent on-line. But
sometimes it isn't used for any purpose; it just exists
in an unreadable form in the storage system of the
access provider. That information is not stored in a
personally identifiable way, it's not kept in a
dossier or a file about individuals, and therefore we
believe it should not be made accessible for review and
correction by the individual.
The way the bill is presently written, any information
about an individual needs to be made available to them
to review and to correct. While access providers—I
don't even want to say “theoretically”—have
this information about the individual, in terms of where
they've been and how long they've been on-line, it's
very difficult to get at. It would be possible to get,
but it would be an incredible burden on the business.
It's not something that in the normal course of
business is kept in a personally identifiable way.
So privacy is better protected by
leaving that information in the databases, where it is
never accessed and where it eventually disappears over
the course of time, when the servers get full and the
older information just falls away. It is that type of
information—which is automatically collected and stored,
not retrieved in useable form, and not kept in a
personally identifiable way—that should not be subject
to the notice, access, and correction requirements.
The CAIP code, using the CSA standard, is able to
reflect that reality of the on-line world and use the
best of the code in a way that our industry can
effectively implement it.
Again, different industries have different information
management needs, so CAIP believes it's critical
that Bill C-54 allow some flexibility for
industry-specific approaches to provide the best
privacy protection for Canadians.
• 0930
A second area of clarification that's very important
to CAIP members concerns previously collected
information. A company's obligations regarding
personal information that it already holds are not
clear under the bill. My company, for example, has 16
million members worldwide. All of those members have
already provided to us their names and
addresses, we know their screen names, we know their
credit card or debit account information, it's
already been aggregated in the database, and in many
cases that information has been moved outside
Canada. We need some clarification on those
subscribers. It would be an incredible burden to have
to go back to 16 million individuals and try to
“re-get” that information under a new circumstance.
Another example is employee information within a
company that was collected in some cases many years
ago. We would suggest a standard of implied consent
for business uses for both employee information and
existing customer information to date. This is
similar to the ITAC view on the internal transfer of
information, which, I'll state for the record, we agree
with.
A third issue I'd like to address is the issue of
oversight. The oversight and the remedies currently
available in Bill C-54 seem quite broad. CAIP agrees
with ITAC's view that industry should have the first
responsibility and opportunity to respond to a
complaint about privacy and to correct the situation as
necessary. I would be more than happy, as would other
CAIP members, I'm sure, to provide
specific examples of how industry is doing this already
anyway.
The commissioner then would have to ensure that this
avenue of going first to the company for redress has
been exhausted prior to initiating that investigation
and audit. That type of method is particularly
appropriate for an industry such as the ISP industry,
which has adopted a privacy code that's very close to
the CSA standards to guide its members.
Our final issue of concern is a uniform regulatory
environment. The jurisdiction issue is one that raises
unique problems in an on-line environment, for our
industry in particular. With the Internet and with
on-line access service providers, it's unclear where
information is gathered, where it's transiting, and
where it may be collected. Certainly companies store
information all over Canada and perhaps even outside
Canada.
CAIP understands that in Bill C-54 there's going to be
shared jurisdiction between the federal and provincial
governments, but we'd like to emphasize the importance
of having uniform legislation, if not between Canada
and the rest of the world, certainly within Canada. We
need to have some kind of harmonized regulatory system.
It's imperative so that it can provide certainties for
ISPs.
Allowing each jurisdiction to tailor
additional laws could create a patchwork of legislation
that effectively would prevent electronic commerce from
crossing provincial borders. I don't think that's what
anyone intends and I don't think that is the result
anyone wants.
To provide a base level of privacy protection to all
Canadians as well as to foster the growth of electronic
commerce, data protection laws should be uniform across
the country.
CAIP appreciates the opportunity to appear before this
committee and to share its views on Bill C-54. We
applaud your efforts to protect the privacy of
Canadians and we join those efforts. We hope we
can work together to ensure a solution that works for
all parties.
The Chair: Thank you very much, Ms. Garcia.
Professor Geist.
Professor Michael Geist (Individual Presentation):
Good morning, and thank you
for inviting me to appear before this committee to
provide my views on the intersection of the privacy
protections afforded by Bill C-54 and the Internet.
I'm a professor of law at the University of Ottawa law
school, and I specialize in Internet law. Unique to
Canadian common-law schools, I teach two Internet law
courses, one on the regulation of Internet commerce and
the other on the regulation of Internet
communication, which focuses on
speech and privacy. I've written several law
review articles on Internet law; I'm co-editor of
JURIS Canada, which is a legal education web
portal; and I'm creator of the Canadian Internet law
resource page, a web site dedicated to Canadian
Internet law issues.
Let me begin by congratulating the government for this
privacy initiative. Given the alternative of
self-regulation, Bill C-54 is a major step in the right
direction. In fact one need only look at activities
this week in the United States, where the Online Privacy
Alliance, the country's leading self-regulation
advocacy organization, is pleading with on-line
enterprises to post privacy policies.
The reason? Next week the Federal Trade
Commission begins their second annual privacy audit, and
the fear is that such little progress has been made in
the widespread adoption of privacy policies that the
government may move towards some form of
regulation. As the U.S. experience illustrates,
legislation is needed to effectively protect the
privacy of individual citizens.
• 0935
The focus of my remarks today will be on the
application of Bill C-54 to the Internet. I certainly
recognize that the bill's application extends well
beyond just the net, but it's fair to say
the growth of the Internet has been the major
driving force behind the growth of electronic commerce
and, by extension, this bill.
From an Internet law perspective, nothing is more
important than strong and effective privacy
legislation. As you are by now no doubt aware, in
several surveys, Internet users have cited privacy as
their primary concern. However, I would submit that
the issue is even more serious than these polls
indicate. As more and more people gravitate to the
Internet, I see a widening gap between what might be
called the haves and the have-nots.
The haves are aware of the privacy implications of
Internet activity: the collection, use, and sale of
their data. They frequently take steps to combat privacy
concerns by using anonymizing technologies or, in other
instances, providing false information when data is
requested.
Sadly, there are far more have-nots than
haves. The have-nots are simply unaware of the privacy
concerns raised by the Internet. These users are more
likely to think that cookies come in oatmeal or
chocolate chip as opposed to being a source of
potential privacy concern.
Given the large number of have-nots, there are really
two sources of protection. One is education, and I
certainly applaud Bill C-54 for recognizing the importance
of increased public education with regard to the issue
of privacy.
The other protection is this bill, so when all
else fails, the have-nots must be able to rely on this
law to protect their private data.
The question, then, is whether it does. With your
indulgence, I'd like to spend a couple of minutes
tracing the experience of a typical Internet user,
highlighting the privacy concerns and speculating as to
whether Bill C-54 provides sufficient protection.
Our typical, and some might
say fortunate, Internet user uses her new computer,
equipped with a Pentium III chip, and has
cable modem access using the cable provider @Home
to access the web. She visits a site that offers some
interesting content or maybe free e-mail, and in return
for the content, she's asked to fill out a form that
asks a variety of personal questions.
Consider the
privacy implications of this simple and very
common experience.
The Internet service provider, in this case @Home,
has access to information, as we've just heard, on where
the user has visited. ISPs in Canada have tended to
protect the user's interest, but consider a recent
controversy in the United States involving TCI@Home.
Several weeks ago they announced they were amending
their terms of service policy to allow the company to
reproduce, publish, distribute, and display worldwide
any content that was published, transmitted, or
distributed over the TCI@Home Network. This
was seen to include users' e-mail correspondence and
their browsing habits.
The haves became aware of this change and a
protest ensued. Earlier this week, TCI@Home
announced they were rescinding the change, characterizing
the entire incident as a misunderstanding.
Would Bill C-54 protect a user from this sort of
circumstance? Well, maybe, but by no means for certain.
Consent would clearly and reasonably be assumed as part
of agreeing to a service contract, and of course consent
is at the very heart of the CSA code. However, clause
4.3.3 of the CSA code provides
that you cannot make supply of a
service conditional on consent to data collection
beyond that required for an explicitly specified and
legitimate purpose.
It would have been interesting to have a user
challenge the policy on the basis of that provision in
the CSA code.
Let's move on to the P-III chip
found in the computer. As I believe you
have heard, the P-III chip contains a
digital identifier that allows sites to identify which
computer is accessing their site. Since each computer
contains a single identifier, it's possible for
different web sites to share their information and
thereby obtain a detailed consumer profile.
Initially,
Intel activated the identifier as the default setting,
and computers that are currently shipping—they just
began shipping over the past week or so—retain that
configuration. When the haves learned of this, yet
another protest ensued. Intel partially backed down by
providing a software utility that allows for a change
in the default setting and a promise that future
shipments would set the default setting as an inactive
identifier.
• 0940
But consider that last week, Intel released the
technical specifications on the P-III. Within 24
hours, a German software developer had designed a
utility that allows the identifier to be switched on and
off by an external user; someone else can control it.
Now assume an organization wants to collect and use
the identifier information. The question: Would Bill
C-54 protect that user? If the identifier is off,
they can't collect the information, so there isn't a
problem. If they were to
condition service on turning it on,
clause 4.3.3 would kick in,
and they would have to justify the
use. If they turned it on themselves, using something
such as the German software utility, they would probably
violate Criminal Code provisions for tampering with
computer data.
But if the identifier were on—let's say the
user bought a new computer with the default setting
turned on, or perhaps an unscrupulous web site happened
to use that same utility to turn on the identifier
unbeknownst to the user—then the user might not be
protected. Clause 4.3.6 of the CSA code provides for
implied consent, and given that the default of the
identifier is off, it might be reasonable to argue that
consent can be implied by virtue of the fact that the
identifier has been turned on.
Finally, let's review providing data to the web site.
On this site, the forms for the private data are
contained right at the top of the web page, below is
some general information, and then right at the very
bottom is a negative-option check-box that
requires the user to check if they do not consent to
collection and use of their private data. Many users
will never see this check-box, since they will never
make it to the bottom of the page. They fill out the
form, they hit the accept button, there's no reason for
them to even make it to the bottom of the page. For
these users, Bill C-54 is of no assistance. Paragraph
4.3.7(b) of the CSA code expressly provides that this
form of obtaining consent meets the CSA standard.
Furthermore, consider a situation where the site
doesn't even include a check-box. There is no
indication that the personal information is going to be
used. Does Bill C-54 protect against this? One would
certainly hope so. However, an exception contained
in paragraph 7(1)(b) of the bill, not in the CSA code,
may provide an argument that nothing wrong has
occurred. The paragraph provides that information may
be collected without knowledge or consent if it is
reasonable to expect that collection from the
individual would compromise the accuracy of the
information. Combined with paragraph 7(2)(d) of the
bill, which covers use, a company might look to this
provision to justify its actions.
As I noted, many Internet users have taken to
providing false data to protect their privacy. As
the bill is
currently drafted, companies might be able to rely on
this fact to justify an absence of obtaining consent,
since to do so might reasonably result in the receipt
of inaccurate information.
In summary, Bill C-54 is much better than the
alternative of no legal privacy protection. However, I
would submit that for the sake of the have-nots who
are new to the Internet, the bill should be
strengthened to remove some of the weaknesses I've
articulated here this morning.
The Chair: Thank you very much, Professor Geist.
I'm now going to move to questions. Mr. Jaffer.
Mr. Rahim Jaffer (Edmonton—Strathcona, Ref.):
Thank you, Madam Chair.
First of all, I'd like to thank all the presenters for
being here this morning. A lot of the
information being presented is useful to us, and I
agree with many of the recommendations.
I'll start with Mrs. Langford, if I may.
I was looking
through your presentation, with the charts and all the
information pertaining to usage on the Internet
currently and so on. I'm in favour
of this legislation and looking
forward to its passage. However, just
from my own experience in using the Internet
and from seeing some of these figures...
The issue of security has obviously been
identified, and that's something people are
concerned about.
However, to some extent, the issue of security
is also the job of companies to make their customers
feel confident. Part of this process of
being confident on the Internet is one of awareness.
People are starting to learn more about the Internet
and are
starting to look at what's available on the Internet.
So even though I agree that Bill C-54 is an important
framework to make security and privacy an issue,
I don't know if that's going to have as much of an
effect on the public and issues of security
as, say, private companies such as yours promoting the
security features on your own web sites and
giving the confidence to consumers that you guys take
that seriously.
Ms. Margo Langford: Thank you for
your question.
We address these things not as a separate issue but in
an integrated approach. Privacy and the collection
of personal information in the context of Bill C-54 are
one aspect of consumer confidence, but of course
secure systems are the way you actually implement.
• 0945
It's fine to have a
policy and/or a piece of legislation, but you have to
drill down a level to getting not only business
practices at best practice level, but also systems.
So we actually have to do some things at the hardware
and software levels. There are three processes
of both education and implementation.
On the user information side,
because we have subscribers and we have an e-mail
account for every one of them, we have a lot easier
time touching our customers than the average business
does. So we do have the opportunity to give them user
tips and to teach them as they come on-line.
Even
though 40% of Canadians are on-line, every day people
are buying computers for the very first time and we're
setting them up from scratch. These are people who
need a lot of education. We have help desks that
cost a fortune, quite frankly, but they're critical to
the business right now, because they work with people
and explain to them how to use the Internet and how
to protect themselves. So we do have a really good,
close relationship with the users themselves.
We also have the opportunity obviously to touch the
customers whose sites we host. We have a contract with
them, which can be used in a very
positive way. We can choose not to put up a site that
doesn't meet both security and privacy standards. We
can do that, as best practice. That's certainly, for
instance, IBM's policy. We just simply will not
commerce-enable a site that doesn't use our best
security systems.
From an IBM perspective, we have
spent a lot of time, money, and research developing
security systems, but we've now made some of those
publicly available to the other ISPs and merchants,
because we are so critically concerned to make sure
there is at least a base level of security. This
is a “weak link in the chain” syndrome. Anybody at any
point in the transaction can be the security breach,
so we have to uniformly approach security in systems.
We're all taking it very seriously.
That brings me to the P-III chip. Its
intent and Intel's intent in developing it in their
labs was in fact to make sure we could
authenticate users more effectively so that we could
actually avoid unauthorized use and hacking. It had a
higher purpose. It wasn't to collect
personal information on a particular computer, but to
be able to in fact identify that you are you, and from
an electronic commerce perspective, that that user is the
person who's authorizing the transaction. So it was
intended with all the best motives in mind. It does
now have an ability to disengage it, but I would
guess that many people would actually want that
protection.
We always have this balancing act between
systems that are designed to nail down and tighten up
things and the flexibility to be able to do
what people want us to do.
Mr. Rahim Jaffer: I just have one more follow-up
question for Ms. Garcia.
I noticed that you talked about
the jurisdictional issues within Canada.
One of the concerns I've been thinking about
recently is the position we've heard
from many Europeans approaching this issue of
regulation and security and building a
framework.
The approach seems to be a little
bit different when it comes from, say, North America,
as opposed to
Europe. There seems to be more of an emphasis
here on allowing more
flexibility, based on the CSA code, and allowing
companies to be able to work within a framework so that
they can deal with some of these problems, while in Europe
it seems a little bit more of an effort is placed
on putting heavier government regulations on this
framework of the Internet.
In your opinion, is there a potential for trade
disputes and so on, as Internet transactions
increase? Or is there a way to be a
little bit more global in scope, so to speak, in allowing
a little bit more flexibility? What are your thoughts
on that?
Ms. Julie Garcia: We would certainly love to
see a more global scope. You've really hit
the nail on the head.
It's interesting. The European
perspective has always been the opposite of the North
American perspective. The concern in Europe is not
whether or not government has information about you,
but whether or not private industry has information
about you. The directive is aimed at protecting
individuals from having their information used by
private industry.
Whereas in North America the attitude
has been, “Anyone in the world can know what
I've done with my American Express card, but I don't
want the government knowing where I go for health
care”, or whatever the issue might be. It has
been a different approach.
• 0950
We've seen the potential for difficulty
between the United States and Europe in trying to
negotiate data transfer. The European Union is saying
the United States doesn't have legislation in
place and data can't be transferred. You're probably
aware of the talks that are ongoing right now.
Actually it looks as though
some progress has been made this
week on what would be a safe harbour, so that certain
industries in the United States that do have strong
self-regulatory and enforcement mechanisms would be
exempt from the directive.
So while there are the differences
you've identified and there is the potential for that
to cause a problem, I've also seen a good willingness
for governments to work together to make e-commerce
work. There has been and continues to
be a growing recognition in every country that no one
country or one group of countries such as the European
Union can impose exactly what they want on the rest of
the world, because they would be cutting off their nose
to spite their face.
If the directive were
enforced as it stands and no data could pass between
Europe and the United States, everyone would lose.
That's not what they want. They just want to know
that there's an adequate level of protection. So to
the extent that they have a comfort level with the data
protection, I think we'll be able to move forward.
Mr. Rahim Jaffer: Thank you.
The Chair: Thank you very much, Ms. Garcia.
Thank you, Mr. Jaffer.
I should have mentioned that if a question is not
addressed to you and you have anything to add,
just let me know. We're more than happy to allow
others to participate in the discussion.
Mr. Shepherd.
Mr. Alex Shepherd (Durham, Lib.): Thanks very
much.
I just want to ask a quick question and then I'll go
on to a more substantive one.
Mrs. Garcia, I guess this would be for you. I'm
interested in the concept of the Internet
viewer, someone who would actually access the
information that's flowing over the Internet by having
a little key.
I was interested in this happening, because I
was talking to an American company,
Schwab Online, and they claimed that as long as I had
a corporation's U.S. ID account and I used the Quicken
system or something, I could simply go into their
investment account and see all of their
investments. I thought that was pretty profound.
Anybody could go to a local bank and clear out the
wastepaper basket and find everybody's ID numbers. How
are we protecting those people's privacy?
Ms. Julie Garcia: A
financial institution or a bank actually has a
built-in level of protection in the States.
If you're talking about Schwab,
they can legally use a
higher level of encryption. They can encrypt the
messages back and forth so that they're more secure.
In terms of simply having a password, that is an area
where ISPs really need to work with—I'll call them
the have-nots—to educate them. You would always
have an opportunity to change your password, and it's
probably never a good idea to use your dog's name or to
use your address. There are passwords you can
choose that can't be cracked. If it's a combination of
letters and numbers, for example, instead of just
letters, then a code cracker won't be able to get at
your access number and get into your account.
Am I addressing your question?
Mr. Alex Shepherd: Not really, because this was
done by setting up a PIN number, and it was a
combination. You could view the
account, but you couldn't trade it. It was the person
who had the actual password who could trade the
account, but it was possible that anybody, if they had
that corporate ID number, could set up a PIN number
and visually see it.
Ms. Julie Garcia: So you could see, for example,
my account.
Mr. Alex Shepherd: Yes.
Ms. Julie Garcia: And see how much money I had.
Mr. Alex Shepherd: They just said that's the way it
is. If you had a Quicken system or something, you
could do that.
Ms. Julie Garcia: If you had the PIN number.
Mr. Alex Shepherd: You could go in and create another
PIN number once you had the
corporation's ID number.
Ms. Julie Garcia: I see. I'm sorry I'm being
slow. So the
idea would be, for example, if I were in the accounting
department of my organization, we would have an
organizational ID number, and then there might be six or
seven of us who could view the account.
• 0955
Mr. Alex Shepherd: Well, I would think a U.S.
corporate number is widely known, no different from
in Canada. That's
something I really find strange and something that
should be addressed here.
Anyway, I'm getting off topic. The real issue
I'm interested in—
Ms. Margo Langford: Schwab is actually an IBM
account. Perhaps we could undertake to find out more
about that system and provide you with—
Mr. Alex Shepherd: Well, I talked to their IT
department, and they said that's just the way it is. I
thought it was kind of strange.
Ms. Margo Langford: It's not something I'm
familiar with.
Ms. Julie Garcia: Yes, it does seem strange.
Ms. Margo Langford: It does, yes.
Mr. Alex Shepherd: Okay.
You used the words “implied
consent”. This bothers me
as a position of law. You're saying that because I
come to one of your user sites and I give them my
social insurance number or I give them my Visa card
number, I have consented not only to do business
with that user, but also to allow them to take my data.
You're telling me they're storing it in some kind
of form. Obviously they go through the process of
storing it for a reason. I don't think they store it
for... Storage costs money too, right?
Ms. Julie Garcia: But it does happen
automatically.
Mr. Alex Shepherd: I know, but there's a
reason for it. So isn't it more appropriate to ask
people up front for their consent, to say, “We want
to use your information for these purposes. Do
you consent?”
Ms. Julie Garcia: I absolutely think that is more
appropriate. I used
“implied consent” in the context of existing
data, the data that already exists in our database.
Going forward, there would be implied consent that
everyone to whom this bill applies would not have to
backtrack with all of the information
they already had to make sure that those people...
That was the context in which I used “implied
consent”.
Mr. Alex Shepherd: I understand the
grandfathering idea, but from this day forward,
when I go on one of your organizations'
sites, what is going to give me the assurance that I
consented or did not consent to the use of that
information?
Ms. Julie Garcia: It's the disclosure
requirement. We fully support
the part of the CSA standard that
indicates that you provide notice of your policies and
disclosure of your policies, and that anyone who
comes to your site can choose to not have their
information shared. We agree completely with those
aspects of the code.
Mr. Alex Shepherd: So you see that all of the people
who are your members are going to change those sites.
In other words, when I go into whoever's site now and
they say, “Fine, we'll let you use the service for
free; just give us your e-mail number and some other
statistics about you”, I'm also going to see a
little box saying, “And by the way, you are consenting
to us using this data somehow”.
Is that what they're going to
do?
Ms. Julie Garcia: That's what we would like to
see.
Could I say a couple of things about that?
We certainly don't want to regulate what the privacy
policies of our companies are. We just want to make
sure they provide notice to members.
It might be interesting for you
to know that in England, the
second-largest ISP and probably soon to overtake AOL in
England is Freemail. They provide free Internet
access and free e-mail accounts in exchange for user
information, and users love it. People flock to that
service by the hundreds of thousands. They know
that in exchange for getting free Internet access,
they're giving their name and address,
they're checking a box on what their interests are,
and they're going to get junk mail
and e-mail and off-line mail, and they do it. They
love it. There are hundreds of thousands of
subscribers.
So our point is simply that
you have to have notice. People
have to know what they're getting into. If someone
says it's worth it to them to have lower-priced or free
Internet access in exchange for getting junk mail, so
be it. It's their choice.
Mr. Alex Shepherd: The argument is that in this
legislation, we don't see where it demands consent,
where it's clearly stated that anybody accessing this site
gives positive consent. Would you agree with that?
Prof. Michael Geist: As I indicated,
there is a problem with the use of implied consent
here, because in many instances, it's open for a
company or a collector of data to rely upon standards
that have been set in the CSA code to say they've
received implied consent,
where the user really hasn't been aware of the fact
that they've been providing consent at all.
• 1000
It's important in some respects to distinguish
between information someone provides to a web site
and an agreement they might have with an Internet
service provider because the ISP is providing them with
service to access the various sites.
Certainly my colleagues on
the panel can correct me, but it seems to me that the
boundaries in terms of data collection will be
set by the terms of service—the contract,
effectively—that you sign with the Internet service
provider. The contract may say
the data can be collected,
transferred, and whatever, and by
signing the contract or signing up for the service, you
effectively agree to those standards. That's somewhat
different from when you go to a web site and provide
information, and somewhere on that site, at the bottom of
the page, you have to check to tell the person you
don't want them to use your information.
Ms. Julie Garcia: Could I interject?
Something that is important to think about is the
distinction we seem to be making between what is
appropriate in the on-line world and what is
appropriate in the off-line world.
When I subscribe to a magazine in the off-line world, I
give implied consent to that magazine to bill me and to
send me information about other magazine subscriptions.
So it's unclear to me why, when I sign on to an
access provider and provide that same information,
we would want to put a different standard on that.
Prof. Michael Geist: We wouldn't. We want to
set the same standard that they have to obtain consent.
That's the point. It isn't exclusively for the
Internet; it's for everybody. You have to get consent.
Ms. Margo Langford: The challenge
here is that in the first three years, all
of the businesses are not captured by this legislation.
ISPs are captured, because they're telecommunications
services and therefore federal entities. We
developed our policy with that in mind. We can't take
responsibility for every merchant who goes on-line or
every other business that's on-line, except through
contract.
The Chair: I'm going to move on to Madame
Lalonde now, and Madame Lalonde probably will speak to
the Quebec legislation that already exists. They
already have this problem in Quebec.
Madame Lalonde.
[Translation]
Ms. Francine Lalonde (Mercier, BQ): Perhaps it's Quebec that
has a problem with Bill C-54.
[English]
The Chair: You already have laws in Quebec, but how
can you argue that? Go ahead, Madame Lalonde.
[Translation]
Ms. Francine Lalonde: Yes, I certainly would like to comment.
Thank you for your presentations. You are experts in this
field and you represent companies in a constantly evolving sector
of the economy. I'm sure you can understand why a member,
particularly one from Quebec, may be somewhat concerned by your
comments.
I'd like to speak directly to the representatives of ITAC. In
your fact sheet, which hasn't been translated into French, you
argue that there is a need for uniform legislation in Canada. As
you undoubtedly know, Quebec enacted privacy legislation which
extends to the private sector back in 1994. My colleague Jaffer
referred to Europe where requirements are much more stringent. He
could also have mentioned Quebec because its legislation is more in
keeping with European tradition, in that we believe protecting
personal information is a cultural issue. Moreover, that's what Mr.
Cleghorn states at the beginning of his paper on personal
information. If you were the Quebec government, or someone in
Quebec who had been involved in the drafting of this legislation
and had helped to... I'm sorry, but we seem to be having problems
with the interpretation.
Therefore, I'm somewhat concerned to hear you talk about the
need for uniform legislation.
• 1005
At the outset, we in Quebec thought the federal legislation
would draw its inspiration from the Quebec initiative. This would
have resulted in closely harmonized laws. However, the federal
government chose to go off in an entirely different direction,
which raises an important question in Quebec. If we go along with
your recommendation, are we then saying that Quebec should accept
a weakened law? In my view, that wouldn't be right, particularly
since the effectiveness of the provisions of Bill C-54 is being
called into question quite a bit, not just as they pertain to the
protection of personal information in sectors other than electronic
commerce, but also, as Mr. Geist and others pointed out, as they
pertain to electronic commerce. A number of questions have been
raised.
Since this sector is still in its infancy and since there is
a risk that the less fortunate or uninitiated could be taken
advantage of, shouldn't the legislation take a more preventive
approach in terms of setting out obligations for protecting
citizens? For instance, Quebec's consumer protection legislation
stipulates that consumers have a certain period of time during
which they can change their mind after signing a contract. A
business contract may be something else, but shouldn't citizens
have the benefit of this grace period? Shouldn't there be a box on
the agreement that can be checked off, where they are asked: "Do
you really want to purchase this item?" or some such thing?
Some people are new to the field of electronic commerce. Not
everyone spends ten hours a day on a computer. It's possible that
someone could quite inadvertently purchase an item or disclose
information and there's nothing that can be done about it. Service
is a problem. It's not always easy to contact one's Internet
provider, even if that provider goes by the name of Sympatico. This
requires time as well as patience. Shouldn't the legislation be
more stringent, precisely to protect consumers who are likely to
encounter major problems?
[English]
The Chair: Ms. Stephenson.
Ms. Carol Stephenson: Let me start with the
ITAC comment that legislation should be as uniform as
we can possibly make it. The reality in this
country is that over the last hundred years, business
has effectively operated in Canada. Quite frankly,
sometimes we have to operate a little differently in
some places from the way we operate in others. But
we have found ways to make that work, and I am
absolutely confident that we are going to find a
way to make this work, because this business
is so important to consumers and businesses. So I have
a lot of confidence that ITAC member companies
will find ways to make it work.
What we were saying is if we can minimize the
amount of differences in legislation across the
country, then it helps to make us work more
effectively. It helps to make it less likely that
someone will make a mistake in one province versus
another. So it certainly eases our business
transactions. Therefore we would want it to be as
similar as it can possibly be, though we recognize
that there are companies doing business across
Canada and there is different legislation today,
and we find ways to make that work.
I'm going to pass it to Wayne, because Wayne is from
a company that does business across Canada, and he can
probably give you some examples of how his company has
had to do this.
Mr. Wayne Scott (Executive Director, Government Operations,
Information Technology
Association of Canada): Let me start with our
approach to a matter such as protecting
personal information. We're actually very actively
involved in this, not only in Canada but on a
global basis right now.
• 1010
What we do is set a norm that
is consistent with our values as a company, which we
want to use as the baseline for operations wherever we do
business. That's globally as well as across provinces.
I'll tell you that in terms of personal information,
that norm is a pretty high standard for us right
now. Having set that norm, we look, jurisdiction by
jurisdiction, to understand whether we have any
additional obligations, because another
founding principle for our operations is that we will
always comply with the law.
The situation in Canada right now is that Quebec has
legislation that governs our operations, so when we
want, from a business point of view, to send personal
information outside the country—in fact, outside
Quebec—then we're conscious of the consent requirement
to do that, and we build that into our business
operation.
As we implement a uniform standard, we will make sure
that gets harmonized across Canada and in fact
globally. That's just one example of the kind of
thing we're aware of and the kind of practical
approach to this that Carol is talking about.
To the extent that the standards we're asked to
meet are similar in jurisdictions, it's a benefit to
everyone. It's a benefit to us as a business and
consequently a benefit to our customers, who have a
simpler set of expectations to learn and a simpler
standard set of interfaces to deal with. It just
works for all parties, companies and individual
consumers alike.
Ms. Margo Langford: Could I add to
that?
You raised the issue of jurisdiction in
a consumer context as well, and some of us are also
working with the consumers' groups to try to come up
with some guidelines for consumer policies in a
harmonized way. It's a complete conundrum for all of
us who are trying to deal with it on a variety of
different subjects, whether it's taxation or any of the
aspects of doing commerce in a global market.
Canada has to be careful to lead and to develop the
thought leadership in particular, but not to get too
far ahead of everybody else, or we will find ourselves
with this very mobile business. And it is. It is so
easy for companies to take their business someplace
else, and we are constantly threatened by this.
Literally, if you make too many regulations and add to
the costs, it is very simple to house sites in the
United States, Bermuda, or someplace else.
So the
challenge from our side is to always have this
balancing act between the need to protect people and
the need to compete with organizations such as
Amazon.com, which is collecting personal information, and
people are going to that site in droves because they
have personalized service. So to just tell someone in
Canada they can't compete—
[Translation]
Ms. Francine Lalonde: Precisely...
[English]
The Chair: Just a second. Professor Geist has
a comment before you.
Professor Geist.
Prof. Michael Geist: Thank you.
I have a comment on consumer protection. If
anything, Canada is
not leading or moving far out ahead on this issue. If
anything, we are far behind on this issue. The
government, in its framework for electronic commerce,
noted that consumer protection was one of the areas of
priority and suggested that they would have something
prepared by the end of 1998. They still do not have
that.
I contrast that with the European Union, which
has a directive in place on distance contracts that
provides for a cooling off period along the lines
you were just suggesting.
The Australians have produced a proposal for consumer
protection that calls for a triple-click, with the
knowledge that it's very easy to click a button once
and suddenly you've consented to something that you
may not have meant to consent to. Their proposal is
that you actually have to ask three times, to ensure
that you are fully aware of what you are
consenting to.
So with all due respect, if anything, Canada has some
catching up to do with other jurisdictions on the issue
of consumer protection.
The Chair: Madame Lalonde, your last question,
please.
[Translation]
Ms. Francine Lalonde: First of all, I have a brief comment to
make. These same concerns were voiced in Quebec prior to 1994, back
when the government decided to proceed. I recall that the Parti
Québécois supported the federal Liberal government on this issue at
the time. The many fears voiced at the time never materialized. If
some companies had relocated because of the privacy legislation, we
would have heard about it.
You are all informed persons and no doubt you know that the UN
task force on electronic commerce, as I recall, spoke out several
weeks ago about expressions like "electronic signature" and "secure
electronic signature" which were defined in legislation. Its view
was that such definitions should be avoided because
[English]
inappropriate in the light of the diversity of the
concept of “signature” in the different legal traditions.
[Translation]
This would also hold true in Canada. Have you heard anything about
this? Since you have indicated that you support Part 2 of the bill,
I'd be interested in hearing your views on this subject,
particularly since the definition of "secure electronic signature"
refers us back to section 41 which in turn refers us to the
schedules and regulations which we don't have.
• 1015
[English]
Mr. Wayne Scott: Our focus this morning has of
course been on the privacy aspect of Bill C-54, as
you've heard. In terms of digital signatures, we've
expressed our support for part 2 of the bill in
enabling the same kinds of transactions electronically
that we're all used to on a paper basis.
We are involved, both as an organization, ITAC, with
our sister organizations in other countries, and as
individual companies, in the global discussion to ensure
that standards supporting electronically based business
transactions are in fact uniform and will work across
country boundaries. We are aware of the work
sponsored by the United Nations. That's only one group
that's working on this.
Our goal collectively,
working with private sector organizations and
governments around the world, is to work towards an
environment in which we can with confidence exchange
documents, make commitments, and know that we have in
fact transacted something that works.
The Chair: Thank you.
Ms. Langford.
Ms. Margo Langford: Moving a web site is an
insignificant activity. It's a question of where
they choose to host the site. The business doesn't have
to move. There are many Ottawa companies, for
instance, that already host their site in some other
country, primarily the United States. That's an
important part of the ISP business that we don't want to
lose.
That's the perspective we're taking: we
can't make it so costly. Having different
legislation in different jurisdictions adds to the
administrative burden. That was just a cautionary
note. It does in fact already happen that companies
are choosing not to host their sites in Canada. They
can still ship from Canada, they can still have their
business in Canada, but they have their web site in
another country.
Therefore the money involved in hosting that
site, in staffing that site, and in the
telecommunications costs of that site is going to
another country.
The Chair: Thank you, Ms. Langford.
Thank you,
Madame Lalonde.
Mr. Lastewka, please.
Mr. Walt Lastewka (St. Catharines, Lib.): Thank
you, Madam Chair.
I just have a few questions.
First, to the
ITAC group, in your second suggestion, you
requested that there be a minimum period of time
to correct a situation. You yourself reported that
this would probably happen because it was just a
practicality and so forth, but you're almost suggesting
that we want to identify a complaint and give a company
time to change, rather than assisting the commissioner.
I use the example of receiving three or
four complaints about a company. In your case, we'd
have to give 45 days or a time limit all the
time. The commissioner couldn't go in and say,
“That's enough. I'm not going to give the time,
because that company is not responsible.” And you and
I know there are companies that will take that
route.
Ms. Carol Stephenson: We're really trying
to take a practical approach here, so
we're talking about maybe 30
days. Who knows the number of complaints? But we
expect that a customer should go to a company first.
Perhaps a mistake has been made.
If it's intentional,
though, and there are repeated examples of the kind you
gave, where a company is clearly not following the rules
and there are repeated mistakes and a file is
building up on that company, then by all means, I see
no problem with the Privacy Commissioner taking action
quickly.
What we were really talking about was that
you might get the
odd complaint, so just give some practical time for a
company to respond and investigate. Certainly we
weren't suggesting that we wouldn't work with the
Privacy Commissioner. We're just trying to be a little
bit practical in our approach to a complaint.
• 1020
Mr. Walt Lastewka: But when
the commissioner was here, the commissioner expressed
that in the legislation, the first
step is to have the complainant deal
with the company.
Ms. Carol Stephenson: We agree with that.
Mr. Walt Lastewka: Right. Therefore the complaint
would never get to the commissioner.
Ms. Carol Stephenson: Is it in the legislation
clearly?
Mr. Walt Lastewka: It's implied that way to me.
Ms. Carol Stephenson: Then we're in violent
agreement on that point.
Mr. Walt Lastewka: Okay, I understand.
The Chair: Ms. Garcia has a comment.
Ms. Julie Garcia: I just want to give a
perspective on the number of privacy complaints. My
company has been in business in Canada since November
1995, and since that time we have not had
one single privacy complaint. That's just to
give some perspective on the volume.
Obviously when
there is a problem, it gets a lot of publicity. There
have been maybe two or three cases in the United States
that have gotten a lot of publicity. I know of at least
two or three in Canada over the past few years that
have gotten a lot of publicity, but I would say those
two or three are probably two or three out of maybe a
dozen. That's just to give a little perspective
on the size of the problem.
The Chair: Ms. Langford, you guys are going to have
to decide which one wants to answer. I can't allow you
both to answer every question, because we're running out
of time.
Ms. Margo Langford: I was just going to give an
example of what we thought we would do in a
practical sense, which was to create an on-line system
where complaints could go more efficiently. The telecom
foundation does this now for all kinds of complaints,
including consumer complaints. If we could have the
opportunity to resolve it at that level, that seems to
be working in the telecom world. Then if it doesn't work
there, it goes to the commissioner, who clearly
is going to have a variety of
different kinds of privacy complaints from all
sectors.
Mr. Walt Lastewka: My next question will be
to Ms. Langford and Ms. Garcia.
I have a little problem with previously collected
information. If that information was collected
without consent, you seem to be saying it should be
deemed to have been provided with consent.
I realize you're talking about millions of people,
but isn't the concern of millions of people also that
maybe their privacy has been affected and somehow that
should be corrected?
I'd like the professor to also answer.
Ms. Julie Garcia: I have a few points to
make on that.
If this legislation is enacted, the
millions of people, and certainly the Canadians who are
affected, will know it is in existence and will
understand. At that point, going forward, companies
will have to provide that kind
of disclosure and access and
the ability to choose whether or not to have their
information used. A little bit of education
would go a very long way for the previously existing
users, and they would certainly all have the
opportunity, as they do on many ISPs, including
ours right now, to say, “I don't want to receive any
mailings. Don't use my information. Take me off your
list.” So a little bit of education would take care
of the information that was previously collected.
Also, as a legal matter,
information was collected during a time when this law
did not apply, and to apply the law retroactively just
places an incredible, unfair burden on companies that
were acting lawfully at the time they collected
information.
Prof. Michael Geist: It's my view that it
would be unfortunate if information that had been
collected, in some instances unfairly, without
actual consent or consent with full knowledge,
were then able to be used by ISPs under the guise
that it was collected at that time in a legal fashion.
Certainly it's the position of Internet service
providers that they have no intention of using any
information they obtain on a go-forward basis. I
don't see any reason they can't at that same time
inform people that they have no intention of using
information that has been previously collected and make
that very clear to them at that point in time.
Mr. Walt Lastewka: My only other question is this.
I wasn't quite clear on your retention-disposal
guidelines. I heard you say information is
collected and then drops off. I wasn't sure if you
said that happens over time. Could you explain that
again?
Ms. Julie Garcia: Yes. It would be a little
bit different for each ISP, depending on their
technical capacity and their service space, but at my
company, for example, in different countries we bill in
different ways.
• 1025
In Canada we have packages where people
will get a certain number of hours for a certain price
and then they will pay an hourly fee for using the
service beyond that number of hours. So for billing
purposes, we have to know how many hours they've used
the service. That information is collected and
generated automatically, and a bill is generated for
that individual.
No one in my company ever looks at
that information and says, “Oh, Margo Langford was on
for seven hours, and she went to the Catholicism forum.
We know where she's been and what she's been
doing.” That information exists on the databases
because we need it to bill her, but it's not personally
identifiable in that we don't have a dossier on her; no
employee of my company could go and find that
information and see where she's been.
Then, after a course of time—it might be a matter of
30 days; it might be a few months—that information
just gets bumped off the server, because new information
about her new usage and other people's new usage comes
on. Just by date, the older information gets
erased as the new information replaces it.
It
would be different depending on functionality and
depending on company.
For example, e-mail will stay on your system for
three days. We have probably 28 million e-mail
messages transiting our system every day, and we can't
store them all. So if you don't look at it over a
period of a couple of days and save it on your hard
drive, it's going to disappear off our server, because
there's just not enough space to keep it there. It's
the same with all information.
Mr. Walt Lastewka: Well, you just scared me with
what you just said.
Ms. Julie Garcia: I didn't mean to.
Mr. Walt Lastewka: If I'm a company that works
on the edge, right against the wall, or maybe a foot
over the wall, I have all that information. That's
the problem we're trying to overcome.
Legislation is never put through for good
corporate citizens and effective companies, such as
the one I used to work for. It's the
5% or 10% or 20%, depending on what sector, that causes
all the problems. So how do you come up with
legislation in order to cover that? That's the balance
we're trying to achieve.
Ms. Julie Garcia: I certainly
didn't mean to scare
you. I actually meant to ease your mind, so perhaps I
didn't explain myself as well as I should have.
I agree with you that legislation and laws should
target the wrongdoers. The difficulty that the ISP
industry is having in Canada and around the world is
that rather than being the wrongdoer, in most cases we
are the easy target. We're the easy target for the
music industry; we're the easy target for copyright
infringement. We're not the wrongdoer. We're like the
telephone system, but everyone looks at us and wants us
to solve the problem.
So as I said, I'm agreeing with you that I
want a law that addresses the wrongdoing.
I wish I
had an answer for you. I would love and our industry
would love to work with you to make sure that is the
kind of law that does get enacted. It just will be
very unfortunate if the entire industry gets caught up
with expensive and onerous regulation when the entire
industry either is not the wrongdoer or has nothing to
do with the wrong being committed; it just happens to
be able to stop it, if you understand what I'm saying.
Mr. Walt Lastewka: And life goes on.
Ms. Julie Garcia: For example, the phone
company doesn't make the bad calls; it just...
The Chair: Thank you, Mr. Lastewka.
Before we move on, I just want to clarify something.
Ms. Garcia, you said that for an Internet user, you
know which sites they've been to. I don't really
understand the reason for that. I pay for my Internet
use based on the time I'm there, so I'm either on or
off the Internet. Why do you need to keep or store
the information of where I've been, and why do you do
that?
Ms. Julie Garcia: We don't.
The Chair: You just told me you could tell me that
I spent seven hours on the Catholicism site, which I
find very offensive. I don't understand a need for
that, because I pay based on the time I'm on, not where
I go.
Ms. Julie Garcia: Right, and obviously I either
misspoke or have been misunderstood. We do not keep
track of where people go on the Internet, and we can't.
As far as I know, there's no technological ability.
AOL has a proprietary on-line service as well as
providing access to the Internet. We do not keep track
of where people go on our proprietary on-line service.
It is possible to do that, because it is all within our
proprietary network.
Once somebody goes out to the Internet, you're
exactly right, we don't care where they go and
we don't want to know where they go. We don't
charge them for it. It's not us; it's not our
proprietary service.
• 1030
In terms of where people go
on-line, what I intended to say is it is possible
to know that, but we do not keep track of that and it is
not something that any employee anywhere in my
organization would be able to find out about
Margo. I was giving that as an example of what we
do not do.
Ms. Margo Langford: If you look at our policy,
you'll see that's called click-stream data, and we don't
want to keep click-stream data, nor do we want to have
to be able to provide it to the
individual user asking, “Can I see
where I was?”
Ms. Julie Garcia: Right.
The Chair: But you say it is possible to know
that, so why can you not stop it from being possible
to know that? With all the things we can do with
technology, with this Intel P-III chip
that we can turn
on and turn off, you should be able to stop
that from even being possible. I find it very
offensive, to be perfectly honest, that you have the
ability to do this without my permission.
I also have some difficulties with negative-option
billing, which Professor Geist
addressed. I have tremendous problems with that, as a
consumer and as an individual, and I have heard nothing
from any of you that tells me why it's a great thing.
I have tremendous difficulty.
I also have concerns, Ms.
Garcia, with your comments about the 16 million bits of
data that you already have. It's a yes-or-no question.
When I come on to use your service again, you can just
ask me, “Do we have permission to use your
existing data, yes or no?” If I
say no, it's a no, and it's not a big deal; it's not a
difficult thing, in this day and age and with the technology
we have. So I disagree with you that there's
anything onerous here in asking for consent.
But I
have real difficulty with the code itself, as
Professor Geist pointed out, which has negative-option
billing. I have real difficulties with it. So
there are some real problems that we have to resolve
still.
Mr. Jaffer.
Mr. Rahim Jaffer: Yes, there are problems to
follow up on, Madame Chair, but one of the things
that we have a habit of doing in this country is, when
there is a successful industry that hasn't been meddled
with by government, we like to regulate and tax the
hell out of it. I don't know why.
Professor Geist was saying
Canada has a lot of catching up to do when it comes
to other countries. Again, as I said, I support this
legislation, but when I look at some of the figures
coming out of this industry, with very little
government interference currently, I see that close to
$100 billion worth of business is being done on
the Internet. There's obviously some sense of security
for people doing business on the Internet currently,
and many of the companies are obviously doing a decent
job in providing those services right now.
I would like anyone to respond to my question, which
is this: What are the potential costs to the industry? This
is a growing industry, and I don't think it's tapped into
its growth at all yet. A lot is still
going to happen. If some of the restrictions
you've mentioned become quite heavy-handed and aren't
flexible, what could be the potential effects on the
industry right across the board?
Ms. Margo Langford: I'll take that question.
There are so many different effects. As
Julie said, ISPs
right now are seen as the gatekeepers, so we have to
balance also the interests of law enforcement and the
tax department, who want us to keep these logs and want
us to be able to find out where people went. There are
these challenges to balance all over the place. People
want us to pay for piracy on the Internet. Right now
we have a proceeding before the Copyright Board, which
is asking for 3.2% of our gross revenues, because there's
pirated music on the Internet.
Again, if they're successful and if everyone is
successful...
In France right now there's a proposed
bill to make ISPs keep their logs and the
click-stream data for three years so that the police can
get access to it.
Mr. Rahim Jaffer: So for
instance, some of the information that our chair was
asking about, in fact you're forced to keep it because
of government regulation.
Ms. Margo Langford: We haven't so far been, but
everyone is seeing us as
the gatekeepers. In the same way
that people go to the telephone company logs for
illegal activity, they're looking at the opportunity
for us to be a Revenue Canada tax collector kind of
record of what kind of business people are doing and
keeping electronic commerce transactions and so forth.
The challenge of regulation comes at us from about a
hundred different departments right now. Even trying
to manage the number of policy issues
that have to be developed
at the same time is a cost burden to our industry.
We're also trying to manage the telecommunications side
and the regulation there, which is not yet perfect in
terms of getting access for ISPs. We're fighting on
at least fifty different files right now.
• 1035
So even the
cost of trying to sort out the problems is extensive,
but you can imagine that if everybody did
get their piece of the pie along the way... There
are 13 rights collectives. If everybody got 3.2%, there
wouldn't be too much left over.
All of our commissions—the Human Rights Commission
and so forth—have proven to have lengthy and
expensive proceedings. So we're just concerned that
having to maybe match to a privacy commissioner in
every province, for instance, would be untenable in the
context of this particular hearing.
The Chair: Ms. Stephenson.
Ms. Carol Stephenson: I'd like to elevate it a
little bit. I know we're talking about privacy at this
committee, but the issue you're really raising
is e-commerce and whether Canada can be a leader in
e-commerce globally.
I'd also like to
address the leadership
issue, and I go back to the October OECD ministerial.
I would say, including people from Europe and from the
U.S., they were very impressed with the leadership
Canada has shown in developing e-commerce.
I also am
very impressed and I do applaud government, because
they have taken a very balanced approach, one
that lets e-commerce flourish, lets us take a
leadership approach, and also doesn't make it so
restrictive that business will just pick up—and as
you say, it wouldn't physically pick up; it would
electronically pick up—and go elsewhere.
The position on taxation has been commendable.
We are showing that we are the model in Canada for
those around the world.
So I take exception to the
comment that
we are not leaders. Everything I'm hearing from my
global contacts is that we are leading, and I would just
hate to see Canada lose its leadership position, because
it's such a growth industry and a lot of us
depend upon it in Canada.
The Chair: Dr. Geist.
Prof. Michael Geist: Just to return to the issue
of Bill C-54, which is one of privacy and the cost of
the privacy legislation, it's my view that the cost of
not having this sort of legislation is far greater than
the cost of the legislation itself.
Look at the fact that e-commerce,
particularly at a consumer level, while growing, is
still quite insignificant in the overall scheme of
things. In order for e-commerce to grow to the
ubiquitous level that the companies involved in the
area would like it to be at, consumers need to know their
privacy is being protected. They say it again and again
in policies.
Frankly, I'm frequently surprised when I see the
opposition, in the United States in
particular, where they argue quite strongly for
self-regulation. It seems to me that having no
regulation is going to cost them far more than the
regulation that's on the table here and that would
be in place in other jurisdictions.
Mr. Rahim Jaffer: Again, I agree with you and
I agree with this framework, but surely you
agree there needs to be flexibility to some extent.
You can't impose restrictions on many of these
companies that have
pioneered a lot of this technology and have pushed it
forward. There has to be a balance. Otherwise both
sides lose.
Prof. Michael Geist: Oh, without question. My
fellow panellists started raising issues about
copyright, and there are issues about defamation and
issues about taxation. There are all
sorts of issues, and certainly a balance will need to be
struck in each one of those.
I'm concerned today with the balance that's being
struck on privacy.
The Chair: Thank you.
Thank you, Mr. Jaffer.
Mr. Shepherd, please.
Mr. Alex Shepherd: Ms. Langford, you mentioned
Revenue Canada, and I'd like to zero in on
that. What are they asking you to do?
Ms. Margo Langford: Right now they're in an
investigation stage of what we can collect
and how long things can be kept and whether or not they
are entitled by law. I don't know if they're entitled
to access to those logs, but they are certainly asking
questions about what is kept and for how long, in
the same way that the justice department is asking to
try to coordinate internationally on police
initiatives.
So in the context of this legislation, again, it's
that kind of balancing act between not collecting data
and being forced to collect data through other pieces
of legislation, potentially.
Mr. Alex Shepherd: I presume this hasn't
developed this far, but presumably they could simply
go to you and say, “Look, I know Mr. Shepherd, and I
know his e-mail address. Would you give us his
records, or let our forensic people go in
and view those records and see what transactions he's
been doing over the Internet?” Is that what they're
saying to you?
Ms. Margo Langford: ISPs right now have taken the
approach that you need a court order in order to be
able to access anybody's records on anything. So if
the taxation department were able to get a court order, it
wouldn't stand in good stead for the ISP to refuse.
Mr. Alex Shepherd: But that flies in the face of
your original comment that the information is
unreadable. You said the stuff you have is unreadable.
• 1040
Ms. Margo Langford: And that's part of our
challenge: to explain to them what we keep that can be
isolated, versus what is kept and flushed.
Mr. Alex Shepherd: Are they asking you to make it
readable?
Ms. Margo Langford: I hope the exercise is
going to be one of educating them that to do so would
cost...
For instance, in France, where they are thinking about
making them keep it for three years, that would put ISPs
out of business in France. Quite simply, they
couldn't store that much data for that long. So
we're trying to work with the authorities on the
realistic principle that if you make us do that, you
will actually drive the business out of Canada, because
we can't possibly afford to keep the click-stream
data, for instance, if that's what they're demanding.
Mr. Alex Shepherd: But that flies in the
face of the legislation we're talking about right here.
Ms. Margo Langford: Sure it does.
Mr. Alex Shepherd: So if this legislation is
passed, we're saying Revenue Canada should not
have the access to it.
Ms. Margo Langford: But whose legislation will
prevail? Do the police have the right to go and get a
search warrant and come in, even if there is this
legislation?
Mr. Alex Shepherd: So we need exempting provisions
under this act.
Ms. Margo Langford: Yes. And as to whether the
Income Tax Act gives them the right to get a court order,
I am not sure.
Mr. Alex Shepherd: Professor, you made a comment
in the press. You said the law is too narrowly
constructed to target this fast-moving and broad
technology. Do you have proposed amendments to make
to this?
Prof. Michael Geist: To the bill itself?
Mr. Alex Shepherd: Yes. You talked about consent.
Prof. Michael Geist: Yes. Consent would be the
first order of business.
Mr. Alex Shepherd: Do you have any
amendments that would achieve those goals?
Prof. Michael Geist: I'd like to see the
negative-option check-box removed as a method of
consent. I'd like to see implied consent either
removed completely or limited to very specific
situations. So I would like to see, particularly
on consent, that it is truly informed
consent in every
instance. There's no reason that someone should not
have the opportunity to properly consent to the use of
their private data.
Mr. Alex Shepherd: Thank you.
The Chair: Thank you, Mr. Shepherd.
Madame Lalonde, please, briefly.
[Translation]
Ms. Francine Lalonde: I've heard the argument about the need
to balance the various interests several times. In my view, the
scales are tipped largely in favour of business and citizens are
left mostly to fend for themselves. I took part—and I'd like to
thank the minister for the opportunity—in the conference on
electronic commerce and I was impressed by the Europeans' stand, in
particular the position of the French minister. He argued that
companies should enact their own regulations and the government, or
state, should be on the side of citizens. If businesses don't go
far enough, if they disregard their own regulations or fail to
enact any at all, then the state must be on the side of the public.
The rights of citizens must be clearly established and the recourse
available to them must also be clear.
Apparently, you have some concerns about the powers granted to
the commissioner under Bill C-54. What happens in reality is that
citizens must first take up their case with the company and then
ask the commissioner to investigate and make a recommendation.
Subsequently, if the citizen's complaint has not been resolved to
his satisfaction and he still wants to pursue the matter—often
the remedy sought is not enough to warrant lengthy delays—then he
must take his case to court. Do you really think this bill is
well-balanced?
[English]
Ms. Carol Stephenson: I just want to make it
clear that we do support the powers of the Privacy
Commissioner, so in no way was I trying to suggest, by
putting a small timeframe there... We were trying
actually to make it more efficient, but it's not a big
deal.
Quite frankly, we are very much supporting
the powers of the Privacy Commissioner.
We very much support the bill. We think that some
regulation and some legislation is positive.
So I agree.
The question is, how far do you go in making sure
we do have this balance, as you call it? Quite
frankly, my experience, if I go back to the telephone
business and your earlier point, is that the scam
artists very quickly go out of business. We're all
smart enough in business to know that if we don't have
consumer trust and we don't have consumers wanting to
use our system, we're toast. So it's very much on our
minds to make sure our customers are properly
treated, as customers should be.
The Chair: Ms. Garcia.
Ms. Julie Garcia: I'm just agreeing.
The Chair: Okay.
Madame Lalonde, do you have a further question?
• 1045
[Translation]
Ms. Francine Lalonde: I'd like to put the same question to you
again about Quebec. Do you think Quebec should agree to weakened
legislation for the sake of harmonized legislation elsewhere in
Canada?
[English]
The Chair: Ms. Garcia.
Ms. Julie Garcia: I'll address that in terms
of e-commerce rather than in terms of all consumer
protection laws, because that's really the area
I'm familiar with. I would say if the federal
government and the members here decide this is the
way to protect Canadians' privacy and that these are
the standards to use in terms of electronic commerce,
then I would like to see those be uniform. So I
guess bluntly, the answer would be yes, Quebec should
come in line.
Electronic commerce is unique, because of the
transborder flow of information and services.
To walk into a Chapters bookstore
and buy a book in Quebec or in Toronto and
have different laws apply is very different
from going on-line to the Chapters web site. Should
different laws apply if I have ordered the book over
the web as opposed to walking into the
bookstore?
[Translation]
Ms. Francine Lalonde: We have already anticipated situations
like this in Quebec.
[English]
The Chair: Professor Geist.
Prof. Michael Geist: Thank you.
With due respect, I absolutely disagree. It's far
preferable to see a race to the top as opposed to a
race to the bottom. The idea that we'd come up with
some standard that, at a minimum, meets some lower
threshold and everybody must reach that level flies in
the face of what this is all about. The European Union
privacy directive sets minimum standards and then
allows countries to exceed those standards if they see
it necessary. I don't see any reason we wouldn't
want to have the same thing in Canada.
The Chair: We'll have the last comment
from Ms. Stephenson.
Ms. Carol Stephenson: We do want them to
be as close as possible, but I can assure you that
the businesses we deal with are going to respect the
legislation wherever we do business.
[Translation]
Ms. Francine Lalonde: Thank you.
[English]
The Chair: Thank you very much.
[Translation]
Ms. Francine Lalonde: The provisions of the federal
legislation could therefore be more stringent.
[English]
The Chair: Thank you very much, Madame Lalonde.
I just want to clarify something with Professor Geist
before we end the meeting.
Mr. Shepherd asked you
about possible amendments. Is it your opinion that we
could amend division 1 to solve your concerns? The
schedule with the code contains your concerns. Could
it be done
through amendments in division 1?
Prof. Michael Geist: It would make an already
complicated bill even more complicated, which would
pose a problem.
Frankly, I have a problem with
attaching the CSA code as a schedule, as opposed to
having tried to draft the provisions contained within
the CSA code into the legislation itself. I understand
the desire to use the CSA code as the basis for the
legislation, but I just don't understand why it wasn't
seen fit to try to use those principles as a starting
point and create legislation that meets the needs of
Canadians. In some instances, the CSA code, which
is, as you are aware, a compromise document, may not
meet the needs of Canadians.
The Chair: Okay. Thank you.
I want to thank all of you for being with us and for
braving the weather this morning to get here. I want
to commend all our witnesses for arriving on time.
I also am glad committee members got here as quickly as
they could. We appreciate that. We appreciate all
your comments and your presentations, and we want to
thank you. We'll let you know what we do.
The meeting is adjourned.