STANDING COMMITTEE ON INDUSTRY
COMITÉ PERMANENT DE L'INDUSTRIE
EVIDENCE
[Recorded by Electronic Apparatus]
Tuesday, March 9, 1999
• 1531
[English]
The Chair (Ms. Susan Whelan (Essex, Lib.)): I
would like to call this meeting to order.
Pursuant to an order of reference of the House dated
Tuesday, November 3, 1998, we now have consideration of
Bill C-54, an act to support and promote electronic
commerce by protecting personal information that is
collected, used or disclosed in certain circumstances,
by providing for the use of electronic means to
communicate or record information or transactions and
by amending the Canada Evidence Act, the Statutory
Instruments Act and the Statute Revision Act.
We have two sets of witnesses today. First, we have
TELUS Corporation from 3.30 p.m. to 4.30 p.m., and then
at 4.30 p.m. we'll have Bell Canada. We have with us
Ms. Lorna Higdon-Norrie, the vice-president, public
policy and government affairs, and Mr. Makaryshyn, senior
advisor, industry policy. I'm not sure who will be
doing the opening statements, so I'll turn it over to
you.
[Translation]
Ms. Lorna Higdon-Norrie (Vice President, Public Policy and
Government Affairs, BCT.TELUS): I would first like to thank you,
Madam Chair, for this opportunity to take part in the hearings of
the Industry Committee on the consultation process with respect to
Bill C-54.
[English]
Thank you very much for this opportunity to appear
before the committee. My name is Lorna Higdon-Norrie
and my title has actually changed since the merger. I
am now vice-president of government and community
affairs for BCT.TELUS, and I have with me our senior
adviser of industry policy, John Makaryshyn. It is my
sincere hope that John will be able to address any
technical questions the committee may have.
[Translation]
Formed recently following a merger between TELUS and BC
Telecom, BCT.TELUS is the second largest telecommunications company
in Canada.
[English]
Through wholly owned subsidiaries and joint ventures,
we employ 25,000 Canadians and manage assets of nearly
$9 billion. BCT.TELUS companies provide voice data,
visual communications, information and advertising
services.
We welcome this opportunity to comment on the draft
legislation. We believe that Bill C-54 is an important
and much needed legislative initiative in order to
build trust and confidence in the digital marketplace
and to protect the privacy rights of Canadians. It's
absolutely critical to have a clear federal legislative
privacy framework within Canada to promote the growth
of electronic commerce and to provide the level of
privacy protection that Canadians seek. Bill C-54, in
our view, provides a balanced and consistent framework
for privacy protection in Canada.
The bill is based on the Canadian Standards
Association model code for the protection of personal
information, and we think it's an excellent model for
federal framework privacy legislation. The CSA
standard recognizes individual rights to control and
limit personal information use. It reflects the
legitimate needs of companies to use information for
business purposes and establishes obligations for
companies to be accountable, to obtain informed
consent, to safeguard personal information and to make
policies and practices transparent to individuals.
We therefore applaud the government for introducing Bill
C-54, and with the few specific amendments that we're
proposing to you, we fully recommend its passage.
Before I make some specific suggestions in areas of
improvement to this important initiative, I would like
to briefly highlight some of the initiatives that
BCT.TELUS companies have undertaken to address the
privacy issues that we're all concerned about. I would
also like to briefly share with the committee some of
the perspectives of our customers, based on what we've
learned from conducting customer focus groups. As you
know, electronic commerce is growing at an enormous
rate, and in response to new technologies and new ways
to collect, use and disseminate information, issues
related to privacy, security and consumer protection
have emerged.
• 1535
We think that in order to succeed in the
marketplace, Canadian businesses must be attuned to the
new privacy-related issues that new technologies have
caused to arise. Business relationships, in particular
those on the Internet, are made successful by
establishing trust. Personalized interaction becomes
possible through the implementation of comprehensive
privacy codes and technology solutions that inspire
customer confidence.
BCT.TELUS is very active in addressing these
policy issues that are of concern to Canadians. We
understand the need for security and protecting
consumer information and privacy rights, and I believe
we've demonstrated our commitment to privacy.
As a responsible corporate citizen, we believe it
is good policy to protect the personal information of
consumers and employee data. Customers value
protection and make a choice to deal with service
providers that respect their privacy. I think
that's a very important point. Especially in today's
high-tech world is this especially true.
Privacy issues are very important from our customers'
perspective as well. We have conducted customer focus
group sessions to find out what our customers have to
say about privacy and about the CSA standard in
particular, which is what we were considering at the
time.
One key message we received from our customers
when we conducted these sessions is that they did, at
the time, want us to adopt a privacy code that is based
on the CSA standard. In exercising choice, customers
choose to deal with companies that have adopted a
privacy code and they view the CSA standard as a very
important standard to safeguard their rights. We have
worked hard with other industry members to produce the
Stentor privacy code and we intend to fully implement
that code through the BCT.TELUS group of companies.
In the package that we've brought along today we've
included copies of the BCT.TELUS privacy code and
information on the electronic commerce services
we offer, which enhance both privacy and data security.
Furthermore, our corporate web sites contain very clear
statements about the company's privacy practices.
Adoption of a privacy code demonstrates to both
residential and business consumers that we are
responding to the growing public concerns about the
privacy of information. The 10 principles in the CSA
standard represent a balanced and comprehensive set of
information management principles and practices to
govern the use, collection and disclosure of personal
information. Our customers have told us that they
understand and see value in a corporate privacy policy
that is based on this standard.
Another important message our customers told us is
that they are comfortable with our sharing information
within our corporate family so that we can offer them a
full range of communication services. The ability to
freely share information within an organization is
critical to serving customer needs. Our customers know
this and demand that we serve them to the best of our
ability.
It is as a Canadian communications company that has
been and will continue to be active in addressing the
privacy rights of its customers and employees that
we're pleased to come before you today to offer our
support for this draft legislation. In particular,
BCT.TELUS supports the adoption in Bill C-54 of the
CSA standard as the benchmark for protecting privacy
rights in the private sector.
We've carefully reviewed the draft legislation and I
would now like to offer for your consideration a few
specific comments on what in our view would help improve
the draft legislation to ensure that it meets the
interests of Canadians and Canadian businesses.
There are two areas of the draft legislation I
will comment on. The first area relates to the powers
of the privacy commissioner. The second area relates
to some housekeeping amendments to the bill to
recognize the concept and use of publicly available
information and to ensure that the bill does not create
barriers to internal corporate information transfers.
• 1540
With respect to the powers of the privacy commissioner
as set out in Bill C-54, we seek two specific
amendments.
The first amendment we seek in this area relates
to the power of the privacy commissioner to conduct
audits over alleged violations of recommended business
practices, as set out in schedule 1 of the bill.
Subclause 5(2) of Bill C-54 states that the word
“should”, when used in the schedule that contains the
CSA standard, indicates a recommendation and does
not impose an obligation on a corporation. In our
view, corporate audits should be reserved for situations
where there are reasonable grounds to believe that a
violation of the law has taken place, but shouldn't go
beyond that to cover disputes over recommended business
practices. In our view, audits are intrusive, and they
place an administrative burden on the business
operations of companies. The audit power should
therefore be used judiciously to cover alleged
violations of mandatory obligations set out in the
bill, but should not be expanded to permit a
micromanagement of recommended business practices.
For example, clause 4.7.3 in schedule 1 states that:
The methods of protection should include
(a) physical measures, for example, locked filing
cabinets and restricted access to offices;
(b) organizational measures, for example, security
clearances and limiting access on a “need-to-know”
basis; and
(c) technological measures, for example, the
use of passwords and encryption.
Clause 4.7.2 states that “More sensitive information
should be safeguarded by a higher level of
protection.”
The exact procedures that are used to comply with
these business practices will vary probably a great
deal, depending on a number of factors such as the
nature of the business, the type of information in
question, the adequacy of existing procedures, etc.
These are very useful recommended practices that will
help guide Canadian companies in complying with the
law, but in our view the audit power should not deal
with recommended practices.
Let me be absolutely clear. We regard it as very
important to ensure that proper business practices are
being followed. However, the privacy commissioner
already has the tools needed to ensure that these
business practices are being followed in other sections
of the draft legislation. Clause 11 allows an
individual to file a complaint if the individual feels
that an organization is contravening the legislation or
not following a recommended business practice.
Additionally, under clause 12, the commissioner has
the power to investigate all such complaints, including
complaints that an organization is not following a
recommended business practice. And the privacy
commissioner has the power to work to resolve any such
issue.
Therefore our specific recommendation in this area is
to amend the audit section, specifically subclause
18(1), to delete the words “or is not following a
recommendation set out in Schedule 1”.
The second area relates to a concern we have about
ensuring due process, specifically whether there should
be a requirement to obtain prior court approval before
the privacy commissioner—
The Chair: Could I ask you to summarize the
rest of your brief? The clerk had advised everyone
there was a five-minute time limit to present, and anyone who
wanted a longer brief should have submitted it in
advance. So I would ask you to summarize the
rest.
Ms. Lorna Higdon-Norrie: I'm sorry, we must have
miscommunicated. I was working to 10 to 12 minutes. I
certainly will. I'll try to summarize very quickly.
The second substantive area regarding the powers of
the privacy commissioner is our concern about whether or
not in fact an exercise of due process should be
followed before the privacy commissioner exercises his
search and seizure powers. Right now the
commissioner's discretion to enter an organization's
premises is not subject to any prior judicial
authorization. It is quite a strong power, and we
would like to discuss further with the committee
whether or not there shouldn't be a requirement for the
privacy commissioner to obtain a warrant before
conducting a search and seizure.
I'll go very quickly through the two housekeeping
amendments we wanted to mention, because in fact
the federal government's amendments that were tabled last week
have addressed both of the ones we had a concern
about. They were on the use of publicly available
information and the internal use of information, and
we fully support those measures as they were tabled.
I apologize for having gone over time with the
opening remarks. Let me emphasize that we see Bill
C-54 as an integral part of a sound electronic commerce
framework, and we do urge its passage with those
recommendations.
• 1545
The Chair: Thank you very much. I apologize. I
know there are going to be several questions and we
only have a limited time for questions as it stands.
Mr. Jaffer.
Mr. Rahim Jaffer (Edmonton—Strathcona, Ref.):
Thank you. I have a couple of questions
here. I'm going to try to figure out which ones are
the best, given the time restrictions we're under.
I would like to make a comment on behalf of TELUS.
Thank you for being here today and thanks for your
recommendations. I think you've brought up a very
serious issue with the power of the privacy
commissioner, and I think we've overlooked that to some
extent.
My colleague and I on this committee have asked
previous privacy commissioners whether under the CSA
standard there has been empirical evidence of
complaints of privacy violations that they could bring
to the floor. We haven't really been provided with
this information, or it's not very plausible yet.
There doesn't seem to be any justification that there
have been many violations of privacy. The only one
that was brought up was last Thursday by the person
representing AOL, who said she was aware of one
complaint under the CSA standard currently.
My question is this. We're all in favour of this
legislation on this committee, and I think obviously
you've stated that you are as well, but with regard to
privacy—
Ms. Francine Lalonde (Mercier, BQ): [Editor's
Note: Inaudible]
Mr. Rahim Jaffer: I guess my colleague from
the Bloc says not the Bloc. Is there really a need for
this legislation if the current CSA code is obviously
meeting the requirements of most people when it comes
to privacy intrusions?
Ms. Lorna Higdon-Norrie: I think there is. In
fact I believe that as an industry we're probably pretty
convinced areas. Companies like our own, very large
companies who have substantial resources and are
handling a great deal of sensitive data, have
demonstrated our commitment, I think. We've published our
codes, and I think that goes a long way toward
engendering trust among our customers and our
employees. Nonetheless, the world is changing very
quickly, and even people dealing with companies like
ours will have an added measure of trust, especially in
the electronic commerce domain, if there is also a
fallback, if there's somewhere for them to go to
complain about us.
Even more serious, I think, is that there are a lot of
companies who perhaps don't have those resources, who
have not quite addressed the sensitivity of these
issues to the extent that one would like, and I think a
federal legislative framework is helpful, not to say
essential, in guiding their practices and giving their
customers a place to go.
Mr. Rahim Jaffer: With regard to the powers of the
privacy commissioner.... I know, being from Edmonton
and dealing with TELUS, they take privacy quite seriously,
especially when it comes to dealing with information.
It seems to me one of the concerns you've raised is
that if we do keep this portion of the bill the way it
is, we're giving a lot of power to an unelected body
who could be quite obtrusive, in fact, when businesses
are trying to carry out their obligations and their
commitments to customers.
First, there is obviously a potential of violating
fundamental rights if this section is not amended the
way you suggest.
Second, what are the costs to your business that could
potentially be associated with a privacy
commissioner having the amount of power that you've
suggested and we've identified if this clause isn't
amended?
Maybe I could address this to John. Since
you're a lawyer, you could address that.
Ms. Lorna Higdon-Norrie: I'll speak to it first.
I don't think our recommendations in any way
weaken the power that's provided in this bill to the
privacy commissioner. We're suggesting, in effect, an
element of due process with respect to obtaining a
court order because we feel it's fair, it's a
standard that's applied elsewhere in legislation.
It's difficult for us to contemplate a situation where
the privacy commissioner, or anyone else for that
matter, has the power to conduct a search and seizure
without necessarily having anywhere for us to go to
determine whether or not that's fair or
warranted in the situation.
Obviously, if it is fair and warranted, such a court
order is going to be forthcoming. It happens all the
time in other commercial investigations, so we don't
see that it's going to withhold any power from the
privacy commissioner.
• 1550
Obviously, to your question of cost, this is new
legislation, this is new terrain for all of us. Who
can know? I think there is an express intent to make
the bill subject to review after some time. I
understand those times are under debate.
That may be an issue that's raised at the time,
if in fact it's costing the privacy commissioner, the
private sector, or individuals more than anybody really
intended. I couldn't presume to judge except to say the
actual practical costs to a corporation are one thing,
and the potential costs to a reputation are another.
The potential cost to a corporate reputation from a
search and seizure is something we care deeply about.
Mr. Rahim Jaffer: Did you have anything to add to
that?
Mr. John Makaryshyn (Senior Adviser, Industry
Policy, BCT.TELUS): Thank you.
I would just add it's important to understand that in
our proposal we're just talking about the search and
seizure powers under either investigation, clause 12,
or audit, clause 18. The privacy commissioner has
broad powers beyond search and seizure to compel
witnesses and documents, administer oaths, or converse
with any person in any premises—all without ever going
to a court.
But it's at the point where a determination is made to
enter a private dwelling, like the offices of an
organization, that we believe due process should
require not just reasonable grounds but a decision by
a neutral and unbiased party who is not also charged
with the investigation under the legislation, or
proposed legislation.
The Chair: Thank you very much, Mr. Jaffer.
Mr. Lastewka.
Mr. Walt Lastewka (St. Catharines, Lib.): Thank
you, Madam Chair.
I'm a little bit surprised about some of your comments,
but let me approach it this way. When you talk about
the powers of the commissioner and the ability to enter a
premise and so forth, we have other inspectors and
commissioners who have that power today, whether it be
agriculture inspectors or, for the provincial codes, the
labour inspectors.
What I heard you say is that you didn't want to have
that same type of power given to the commissioner who
is concerned about the privacy of Canadians. You want
to go through the various procedures before he or she
can inspect. Under a privacy item, where it's so
important to all Canadians, why would you take that
approach?
Ms. Lorna Higdon-Norrie: Let me clarify, first of
all. I certainly did not intend to convey that we were
suggesting putting roadblocks in front of the
commissioner before he investigates or before he
exercises the vast majority of the powers that have
been given.
The only issue we're raising, where we would like to
see a further element of due process, is when he is
going to exercise a search and seizure power. And
that's where a simple court order, an ex parte
application—which is usually granted, if circumstances
warrant it, very swiftly—is all that we're asking for.
We don't feel it would introduce undue delay or
an undue impediment.
Mr. Walt Lastewka: I guess I would agree with you.
Other commissioners under the privacy acts
across the country have similar powers as those
we've put into this legislation, and I'm just trying to
figure out what the difference is.
Ms. Lorna Higdon-Norrie: I think one important
difference is that most of the privacy commissioners
across the country are government bodies investigating
themselves.
• 1555
When a public sector official is examining documents
from elsewhere in the government, I think that's one
situation. When you're actually talking about coming
into a corporation, a small business or
a large business, for a search and seizure of
documents, that's another case altogether. I don't
believe the search and seizure power will be
exercised very often by the privacy
commissioner; at least, I certainly hope it wouldn't
be. I would hope the vast majority of issues
could be resolved well in advance of that,
and when he appeared before the committee,
I think the privacy
commissioner seemed to hope so as well.
Given all of the other investigative powers, the
powers to consult with all parties and so on, it would
seem that it's going to be a very serious situation.
There will probably be a lot of complex elements at
hand before such a situation arises, so we're asking
for due process there.
Mr. Walt Lastewka: Knowing that it would be used
very sparingly because of what the privacy commissioner
said, and because of what I think the theme of this
committee has been on the concerns of privacy, it would
be the real abusers who would have to be moved on.
What I heard you say is that the real
abusers need to go through that due process
too, so I guess we can disagree.
The other thing I want to talk about is the definition
of collecting information for use in other parts of a
corporation. Of course, corporations are getting
bigger and bigger all the time now. But if data is
collected for a specific purpose in one part of the
corporation, in terms of moving that information to
another part for something it wasn't intended for, are
you saying that should be okay, or that consent should
be received again when that information moves?
Ms. Lorna Higdon-Norrie: No, it's
our belief that if the information is moving to another
part of the company for a use for which it was not
originally collected, then express consent should be
obtained.
In our situation, I suppose there's an element of
definition involved. We would define ourselves as
being in the business of providing telecommunications
services. If you have a cellular telephone from us, a
local telephone from us, an Internet service, a pager
and so on, those are all related to the same essential
purpose, that being the provision of telecommunications
services. Moving back and forth across the company
information that is related to all of these seems to
be a reasonable interpretation of what should be an
allowed flexibility. If, for reasons that would
currently elude me—but heaven knows—we decide to go
into the vacuum cleaner sales business, that's a
different purpose.
Mr. Walt Lastewka: Your example to me was that it
was collected for that specific reason. The way it's
written today, are you reading that the bill doesn't
allow you to do that?
Ms. Lorna Higdon-Norrie: With the amendment the
government has put in around the definition of “use”,
it would now allow us to transfer the kind of
information. But without that amendment, we have some
concerns.
Mr. Walt Lastewka: We're all trying to get caught
up to the amendments to make sure we understand what is
different, what has changed.
Thank you, Madam Chair.
The Chair: Thank you very much, Mr. Lastewka.
[Translation]
Ms. Lalonde please.
Ms. Francine Lalonde: From what I have read in newspapers from
Eastern Canada and Quebec, the company's competitors are a little
disturbed about the merger of TELUS and BC Telecom. If, as some
people suggest you intend to, you decide to do business in Quebec,
will you respect Quebec legislation on personal information?
[English]
Ms. Lorna Higdon-Norrie: I think I'll ask Mr.
Makaryshyn to speak about the jurisdictional issues
that are inherent in your question.
• 1600
Mr. John Makaryshyn: In terms of
federal undertakings like telecommunications companies,
my understanding is that they're subject to the federal
laws. Insofar as there is an application of provincial
laws, we're not currently operating within the province
of Quebec, but if we were and if the laws were to apply
to a particular division or subsidiary, we would
definitely comply and would work with the government
and the privacy commissioner to comply with those laws.
[Translation]
Ms. Francine Lalonde: If I were to tell you that one of your
potential competitors in Quebec, without asking whether it was
constitutionally required to do so, agreed to comply with the
legislation, would you still give the same answer?
[English]
Ms. Lorna Higdon-Norrie: I would have to say yes,
we would. We do respect the federal jurisdiction that
extends across telecommunications. A number of our
companies currently operate under provincial
jurisdiction. As John has said, if there were those
that were under Quebec provincial jurisdiction, we
would operate within the Quebec legislation.
I also have to point out that we, as well as many
other companies, regard the provisions in Bill C-54 as
a minimum, not a maximum. To the extent that it is
possible to provide even greater privacy protection
according to the expectation of customers in a given
location, obviously we would respond to the
requirements of our customers.
[Translation]
Ms. Francine Lalonde: Thank you.
I would like to talk to you about Part 2 of the Bill and
particularly about the definitions of “electronic signature” and
“secure electronic signature”. I would like to hear your viewpoint,
particularly as the definition of “secure electronic signature”
refers the reader to a schedule which is not there and to
regulations which are not there either.
[English]
Ms. Lorna Higdon-Norrie: I will speak in general
about that part of the bill, and then I'll ask John to
follow up on the issue of the annexes.
In general, we think the digital signatures piece of
the legislation is well grounded. We see no problems
with it. It has been drafted in a way that is quite
comforting to us. It is technology neutral, and it
essentially provides the same protection for
individuals in a contract as any other type of contract
legislation.
With that, I'll ask John to respond to the issue that
you raised.
Mr. John Makaryshyn: Thank you.
We definitely support the part in part 2 and the
others in part 5 of the proposed legislation in terms
of both the electronic signatures and the secured
electronic signatures. We recognize the need for the
federal government to require, for certain purposes,
something more secure in some cases. We are again
thankful that the proposed legislation is
technologically neutral, so that a number of different
technologies can be used to satisfy the criteria set
out in subclause 48(2) for a secured signature. In
terms of application for the private sector, my
understanding is that this proposed legislation doesn't
dictate, for example, the types of signatures that
would be used in the private sector. It respects
freedom of contract, and it basically deals with the
federal government empowering itself to get into the
digital age.
[Translation]
Ms. Francine Lalonde: Have you studied the various
technologies available for making signatures secure, and could you
talk to us about them?
[English]
Ms. Lorna Higdon-Norrie: We could certainly
undertake to have some information provided to you by
people who are more adept at the technology issues than
either of us, but let me again speak about it in
general terms.
• 1605
Again, we are very pleased that the Canadian
government has seen fit to allow the use of strong
encryption technology. This is one of the types
of.... As I mentioned in our document,
[Translation]
we have published a brochure on solutions regarding electronic
commerce,
[English]
and that may provide you with a bit of an overview of
some of the types of technologies we're offering
in our company. We're using encryption technology if
customers want it for the protection of their data.
There are many different types of secure solutions.
Companies can offer one or two or many, depending on
the demands of their customers. These will change over
time, and that's one of the reasons we're really
glad the bill doesn't fall into the trap of getting
stuck in today, with what technology is available
today. Rather, it sets out some principles for
contracted digital authorization going presumably well
forward into the future.
The Chair: Last question, Madame Lalonde.
[Translation]
Ms. Francine Lalonde: In your introduction, you said that you
want the Bill to be clear to ensure security for consumers. I was
therefore expecting you to express some very tough criticism of the
legislation. I am far from being the only person to have pointed
out that this Bill is based on the CSA code, which is appended and
not designed to serve as legislation. It is then interpreted within
the body of the legislation, in clause 7, and as a result the
position of someone with rights or someone with obligations is far
from clear.
[English]
Ms. Lorna Higdon-Norrie: In our one
suggestion, I think we are certainly seeking a bit more
clarity. Right now, the bill does seem to blur the
lines a little between what is required, what is
recommended, and what the penalty might be for not
adopting a practice that is in fact in the bill. It's
simply a recommendation, and that's why we've suggested
the amendment that we have.
That matter is an issue. Overall, however, I think it
does provide a pretty clear framework. It gets very
close to being as close to perfect as a piece of legislation can
be, given that we're looking forward to the future in a
lot of ways with this piece of legislation. We're not
legislating issues of the past.
So imperfections may well arise, but that doesn't mean
the bill is fundamentally flawed in the first place. We
don't believe it is. We'd like to see a bit more
clarity in those areas that we've suggested, but I
think it provides a pretty clear framework overall for
businesses and for consumers to know what the
acceptable level of protection is that they're entitled
to.
The Chair: Thank you, and thank you, Madame
Lalonde.
Mrs. Barnes, please.
Mrs. Sue Barnes (London West, Lib.): Thank you,
Madam Chair.
I think what we're trying to get to here is a place
where we can feel happy both in commerce and in
privacy, and feel balanced. The hand we're using
legislatively is not a heavy-handed criminal law; it's
more of a light, flexible approach, with as much
possible informality as can be there. It is judicious
and limits use of some of the powers the commissioner
would have.
Now, I heard my colleague from the Reform Party
mention a concern about fundamental rights being
violated under this legislation. I'd just like to ask
the policy adviser if that's the way he sees it.
Mr. John Makaryshyn: I'm not sure
about fundamental rights. If we're talking about
warrantless search and seizures—
Mrs. Sue Barnes: That's what we're talking about.
That's what he raised.
Mr. John Makaryshyn: Okay.
When we're dealing with warrantless searches and
seizures, they are prima facie unreasonable. This has
been established in a number of cases, including the
Supreme Court of Canada case Hunter v. Southam
Inc. They are subject to being rebutted. Our
proposal is therefore probably for the benefit of not
only the party being searched but the commissioner
himself. When you're taking the steps to that level,
one on which you're looking at going into a private
premises, that's a fairly intrusive and serious action
within the private sector. Getting an ex parte
application—
• 1610
Mrs. Sue Barnes: Maybe I'll just stop you here,
because I think that's the problem. There are two
exceptions in the bill already written in, where they
can't access private dwelling-houses. It's a very
explicit exception.
Mr. John Makaryshyn: I understand.
Mrs. Sue Barnes: I would understand your point,
because then you'd be into charter issues, but
under clauses 12 and 18 we've
specifically excluded that. So I would like to see
where this argument is going.
Mr. John Makaryshyn: Basically, whether or not the
search is reasonable will depend on the
circumstances of the case. So I can't say
definitively, yes, it's a violation of the charter at
this point, or no, it's not, but it would really be
fact specific. We're talking not about private
dwelling-houses but private sector organizations. It
could be a small business in northern Alberta that's
running as a sole proprietor. It could be those sorts
of situations.
Mrs. Sue Barnes: I think I'd better clarify, Madam
Chair, that in clauses 12 and 18 the subclauses
specifically exclude private dwelling-houses, and I
think that has to be clarified and made very clear.
I'll move on to another point, because I think you're
wrong on this point. But I will take your cases, if
you like, afterwards. Maybe they can be given to the
chair if they're applicable. But let's go on to the
cost when we're trying to put in a flexible system, the
bureaucratic process that would have to be involved.
Do you see getting the warrants that you're
asking for in a non-criminal situation where you're
trying to follow agreed-upon standards that industries
have accepted and that I think you're a model user
of...? We're not saying that.
I think you do very well in your industry, as do many
of the corporations across the country. I don't see
why we would want to move into an area that would have
the expensive court proceedings here when we're not
talking criminal law, we're not talking litigation,
we're talking protection of privacy to a standard that
industry has accepted and will be the law. I'm having
difficulty understanding the idea of approving and saying you're
supportive, but then you want blocks that would be
financial blocks. We're talking about limited
resources here from both sides, and I think that's the
balance too.
Ms. Lorna Higdon-Norrie: May I speak to that?
Mrs. Sue Barnes: Yes.
Ms. Lorna Higdon-Norrie: I hear your concern. If
one were to try to lock down this power and introduce
maximum restraint on its use, I think there are steps
you could take that are substantially further than the
one element of process that we're asking for. We
certainly don't want to see it evolve into that,
because, you're right, it would undermine the bill
if you were to create enough roadblocks that you could
be mired in the courts for months; you know, the
investigation gets stalled.
Generally speaking, it seems, yes, it's costly and
time-consuming and a deterrent to the effective
application of the legislation, and we are not
suggesting that you go there. All we are suggesting is
the type of—it seems, in experience—relatively swift
kind of action that can take place.
It's a simple question. It's kind of the principle
that if it can be avoided, one shouldn't be both judge
and jury. The privacy commissioner presumably will
have taken an investigation quite far down the road by
this point and will have a particular view. Presumably
the other party will also have another view, and if I
imagine our own case getting to a point like this, as I
said earlier, there would probably
be some issues around this that it would be a good
idea for an impartial third party to hear before a
search and seizure, which is really quite an extreme
measure, should be undertaken.
The Chair: Do you have any further questions,
Mrs. Barnes?
Mrs. Sue Barnes: No, that's fine. I've heard the
comments, and we'll take them into consideration.
The Chair: Thank you very much.
Mr. Jaffer, did you have any more questions?
Mr. Rahim Jaffer: As one sort of question/comment
to follow up on my colleague Mrs. Barnes, one
of the things that it seems to me this issue is
bringing up, at least the concern you've brought up, is
in fact that you're again, as you've stressed, not
trying to take away any power from the privacy
commissioner but simply adding a check and a balance to
the process. I think that's fair on all sides.
It doesn't seem to me that
it's suggesting anything different.
• 1615
My colleague Mrs.
Barnes cited clause 12, it does say
private dwelling, or dwelling-house, or something
along those lines. You made a clear distinction,
obviously, between when it comes to the privacy
commissioners with regard to their mandate in public
institutions and when that crosses into a private
institution, and I don't think this legislation seems to
be very clear on that note, according to what you're
saying.
So would you agree that basically what
you're trying to put forward is the fact that
that check-and-balance process may be missing
currently, which your amendment would address,
at least with the privacy commissioner?
Ms. Lorna Higdon-Norrie: I think it is a balance
that we would like to see introduced at a point in the
process before the most extreme measures are taken.
That's really all we are suggesting. It would be our
expectation, as I say, that the vast majority of
situations can be resolved long before things ever get
to that point. But the possibility of a warrant with
search and seizure is one that gives us great
pause, and we would like to see that extra measure
of impartiality introduced at that stage.
Mr. Rahim Jaffer: I'm sure no one would
disagree...to give anyone powers above the law in any
area of our society.
I appreciate your comments.
Thank you.
The Chair: Thank you, Mr. Jaffer.
Mr. Shepherd.
Mr. Alex Shepherd (Durham, Lib.): I
differ somewhat from my colleague. I find it difficult
to see why we're empowering a privacy commissioner to possibly
invade people's privacy, which is your point, is it
not?
Ms. Lorna Higdon-Norrie: What is “people” and
what is “privacy” when you're discussing a
corporation, I suppose?
Mr. Alex Shepherd: Anyway, what I really want to
look at is this. You used as a part of your argument the
fact that these were recommendations and not
obligations of the corporation. First, the question
that comes up is how significant is that? All we're
doing is making recommendations in the first place.
The corporation hasn't complied with them. So what?
Ms. Lorna Higdon-Norrie: I think the “so what”
is an issue of clarity for us. As I say, the bill sets
out certain things that are clearly obligations, and the
privacy commissioner has audit powers, and certainly
other powers, if an organization is not meeting its
obligations under the bill.
Our concern on that point
you're raising is that a commissioner seems to also
have essentially the same powers over recommendations,
so it's left unclear to us whether that transforms the
recommendation into an obligation, because if you don't
do it, you're going to be subject to the full audit, the
full weight of the powers, anyway. The bill really
ought to make it clear what you can be held accountable
for and what are recommendations that, again, he can
investigate. We're not proposing to hold back any of
those sorts of issues, but the audit is something where
you're supposed to demonstrate what you've been
doing.
It is a time-consuming process on something
that is not an obligation in the first place, and I do
have visions—in fact, it has been reality—of lawyers
sitting around boardrooms for hours on end trying to
figure out exactly what we might have to conceivably do
to comply here, and when you're in that situation,
that just might not be good legislation. You might
want to take the opportunity up front to engage in a
little more clarification for us.
Mr. Alex Shepherd: I have two more questions, one
on your code of fair information practices. You don't
use the word “should”; you use the word “shall”.
You say BCT.TELUS “shall adhere to the ten
principles as a whole”. So you have actually
placed an obligation on your corporation that is
stronger than the act, correct?
Ms. Lorna Higdon-Norrie: Yes.
Mr. Alex Shepherd: So you wouldn't really have
that much of an objection, then, because you've taken
those recommendations and made them obligations, have
you not?
Ms. Lorna Higdon-Norrie: I see John wants to
comment.
Mr. John Makaryshyn: Actually, at the end of the
day, what we're saying here is that this is true, they
interpret it and comply with the highest level of
security and privacy.
But if a
privacy commissioner is conducting an investigation and
comes to the conclusion that there is a dispute
potentially over recommended business practices, but
everything is secure at the end of the day, there's no
violation of a mandatory obligation, all we're saying
then is that there shouldn't be at that point any
ability to trigger a requirement for a full-blown audit
over these sorts of recommendations.
• 1620
Mr. Alex Shepherd: I don't want to spend a lot of
time on that.
I want to get into this issue about implied consent,
because you raised that as well in your code of fair
practices. You made the definition: “Implied
consent is consent that can reasonably be inferred from
an individual's action or inaction.” What does that
mean?
Ms. Lorna Higdon-Norrie: John.
Mr. John Makaryshyn: I think at the end of
the day it gets down to reasonableness,
and informed consent must be obtained from individuals
for all purposes, for collection, use and disclosure.
So what is reasonable within a circumstance is going
to vary depending a bit on the circumstances. But I
think the bottom line, the hallmark, is that consent
must be obtained irrespective of...the form may vary.
Mr. Alex Shepherd: Wouldn't it be better if the
act just said that everybody had to have positive
consent and did away with the whole concept of an
implied consent?
Mr. John Makaryshyn: No, I don't agree with that,
only because it takes away a lot of flexibility. It
may well be reasonable in certain circumstances to have
different forms of consent. Not everything has to be
signed, sealed and delivered in writing on a piece of
paper. In some cases you may have verbal consent; it
may be reasonable, and other forms of consent may well
be reasonable. As long as the customer or
the individual understands and has knowledge and gives
informed consent, or it's reasonably inferred from the
circumstances, then that's acceptable.
Mr. Alex Shepherd: So if it was a requirement
under the act to have express consent, how would it
hinder your business?
Mr. John Makaryshyn: I'll give you an
example with respect to potential terms of service
where express consent meant express in
writing. If a customer phones up and says, “Provide me
with Internet services, and you have my consent for
the marketing of those services to me”, and for some reason
we had to have it in writing, we'd then have to tell
the customer, “Come on down and sign a contract,
because your verbal consent is not valid.” That
would be an artificial restriction.
Mr. Alex Shepherd: When he signs on to the site
he could consent; he doesn't have to physically go to
your premises.
Mr. John Makaryshyn: Sure, in this
circumstance maybe that would be reasonable, but
it's a type of consent that's not in writing.
But we can call that implied consent or express—
Mr. Alex Shepherd: I would think that it's
express consent. Somebody is doing something to say,
“I agree to consent that you use this information on me as a
condition of the contract for you to provide me
Internet service.”
Mr. John Makaryshyn: Certainly I think in
the Internet environment a lot of what I call opt-in
clauses are quite reasonable. You know for a fact that
somebody is giving you consent for the particular
purpose, so it's unequivocal.
But again, circumstances vary depending on whether
it's express or implied in a given circumstance. So I
think the legislation and the CSA code are built with
enough flexibility and some guidelines in the schedule
to help guide businesses, but at the end of the day
I think that's also a strong point of the
proposed legislation, because in clause 24, with the strong
education mandate for the privacy commissioner, if
there are grey areas we don't understand, we can work
with the privacy commissioner to help resolve these
issues.
The Chair: Thank you very much, Mr. Shepherd.
[Translation]
Ms. Lalonde, do you have any other questions?
Ms. Francine Lalonde: No, thank you.
[English]
The Chair: I want to thank our witnesses from
TELUS for being with us this afternoon. We appreciate
your taking the time to prepare the brief and to be
here, and we will definitely take your concerns into
consideration.
We're going to take three minutes while we change
witnesses. We're going to ask TELUS to move and Bell
to join us.
So I'm going to suspend for about three minutes.
• 1624
• 1627
The Chair: We
are going to reconvene. I'm very pleased to welcome to
our table this afternoon Bell Canada. Appearing on
behalf of Bell Canada is Mr. Bernard Courtois, chief
regulatory officer, and Ms. Suzanne Morin, senior
counsel. Welcome.
Mr. Bernard A. Courtois (Chief Regulatory Officer,
Bell Canada): Thank you, Madam Chair.
[Translation]
Madam Chair, we have brought French and English versions of
our brief, which have been distributed to you. I do not intend to
read the brief to you in whole or in part. I will just make a few
comments, following which I will be pleased to answer any questions
you may have.
[English]
I'll simply emphasize that we represent six telephone
companies, Bell Canada and the major telephone companies in
the Atlantic provinces and Manitoba. Also, in my role
as chief regulatory officer and privacy ombudsman for
Bell, I'm also in a position to speak for a number of
our affiliates, including the Sympatico operation. As
well, Suzanne has worked with the Stentor group that
worked on the Stentor industry code and the CSA code,
with all the representatives who worked on that.
From our standpoint, while we support the bill as a
whole, we will concentrate our comments on part 1,
dealing with privacy matters. We come with extensive
experience in these questions. It is inherent to the
operation of a telephone company to be quite sensitive
from the very start to matters of security and
protection of customer privacy both in the handling of
calls and in customer information. We've also operated
under regulatory requirements covering this for many
years. So we've actually lived with regulation and
privacy protection for many more years than most
industries.
We welcome this bill. We think it strikes a good
balance between the various approaches that can be
taken. As you've heard, no doubt, from many industry
representatives, trust, particularly in the era of
electronic commerce—and electronic commerce, by the
way, started long ago with voice transactions over the
phone—is extremely important, otherwise electronic
commerce will not take off. In order to achieve that,
because our industry is now global in nature and you
need to build trust, it's important to have something
that consumers and customers will recognize. It's
important, it's useful, that this bill capitalize on the
work done by various groups to produce the CSA code,
and capitalize on the OECD guidelines, which can become a
global standard that customers will recognize and
inherently associate a good degree of privacy
protection to.
• 1630
It's also good this bill will then take the process of
a CSA code and spread it to various industry sectors so
we achieve, as well, broader coverage of privacy
protection to again build public trust on it. At the
same time, it avoids some approaches that might have
been perceived as rather difficult to do in this day
and age, which would be to impose a whole heavy new
regulatory mechanism and bureaucracy on the process.
So the bill does strike the right balance in that
respect, and we think it'll be a very good contribution
to the success of electronic commerce and the
appropriate protection of privacy for Canadians.
In our submission we've listed some minor amendments
that would help to ameliorate the bill. I'll draw
attention to the one on public information, which is
that we
support the proposed government amendments that will
make it clear that the collection, use and disclosure of
publicly available information, such as that which is
found in telephone directories, doesn't have to get
caught up in any complicated processes.
The other topic is the one that was discussed
earlier with the TELUS people, and we think it would
be a little ironic if a bill intended to protect the
privacy of Canadians allowed government officials, or
someone delegated by them, to walk into business
premises and search and seize without the very simple
protection of having a third party having
a look at that to authorize it.
[Translation]
In conclusion, Madam Chair, I would like to say that we
support the main points in this Bill. We have made some comments in
our brief and suggested a few amendments. We will now be pleased to
answer any questions.
[English]
The Chair: Thank you very much, Mr. Courtois.
I'm going to turn it over to Mr. Jaffer for questions.
Mr. Jaffer.
Mr. Rahim Jaffer: Thank you.
Thank you to both people from Bell Canada for their
submission.
I just received the submission, so I hope
to go through it in a little more detail after the
committee. However, there are two questions I'd like to
ask, and one is pertaining to your opening comments when you
talk about trust with electronic commerce and the
amount of trust on behalf of consumers wanting to use
the services provided.
It seemed to me last Thursday when we had some people
from various Internet providers making presentations to
the committee that the actual industry currently is
in its growth stage, but we have, I think they said, close to
$100 million worth of business being done on the
Internet currently. For me, that's outstanding, given
the fact it's a growing area and the fact that we still have
a long way to go to build that trust.
My question to some of the people last Thursday—and
I'm going to pose the same question to you—is about the fact
that we have an industry that's been built already without
any real legislation, without any real protection. In
fact, it's been strictly the companies that have been
providing these services, through education and through
various other forms of bringing customers on board...that
this growth has actually been enhanced.
You talked about the issue of striking a balance in
this bill. I'd like to hear your comments on what
are the consequences if some of the amendments
you put forward aren't made. Could the bill become
heavy-handed, or in fact could it restrict the growth
of this industry as opposed to when this legislation is
introduced? Without the legislation,
currently there seems to be much growth in the
industry.
I would appreciate it if you could comment on that.
Mr. Bernard Courtois: Yes, I think again that's
where the bill strikes a good balance, because
electronic commerce, even though it's growing very fast
and it seems to be big amounts of money, is still only
a tiny fraction of the retail sales, for example.
As well, there's the whole area of dealing
between businesses and their suppliers.
The concern would be that trust would build in favour
of the recognized brand names, the big players in the
industry. It would not necessarily build for the
smaller players. One of the great things about the
Internet is that it democratizes everything and
everybody can play; everybody can be a global player
and get into commerce. What would happen is that the small
ones would be left out because people would recognize
and trust the big names, the IBMs of this world, not
the small retailer.
• 1635
Secondly, you only need a few horror stories about
someone dealing with someone disreputable and causing
all kinds of concerns and you find yourself, instead of
progressing, going backwards. The interactions with
customers and surveys show that a lack of confidence or
a fear of what happens to personal information on the
Internet, for example, is a barrier to the development
of electronic commerce. So a bill like this, which really
capitalizes on the cooperation of interest groups and
industry that built the CSA code and then spreads that
through various industry sectors, with a government
official there for oversight and guidance, I think is a
very ingenious balance compared to the fights that are
going on in other parts of the world about more
extreme solutions on one side or another.
Mr. Rahim Jaffer: That clarifies it. Thank you.
My last question is with regard to the issue that
was brought up with TELUS and the one you referred
to with the privacy commissioner. I think you mentioned
just now the importance of the reputation of companies
when it comes to customers wanting to deal with
them. It was brought up by our previous
witnesses that an audit process on
a company or, in its current form, the privacy
commissioner powers could really affect the reputation
of a company if there's not that check or balance being
brought to the current powers of the privacy
commissioner.
So my question would be, do you
believe that in the current sense the privacy
commissioner is almost elevated above the law,
or do we need to really address the
issue of putting that check into place on the privacy
commissioner, to allow yourselves to feel
safeguarded to some extent in this whole
privacy process?
Mr. Bernard Courtois: Yes, I guess companies have
concerns in that area as well, not just individuals in
their homes. For example, the Supreme Court judgment
involved the Competition Act, and that usually is search
and seizure of companies and company information. The
fact that, as I say, a government official can come in
and search and seize documents is
pretty impressive to people. It's not something that
goes off very smoothly and very easily.
Just the concept, also, that it's not
going to be used often...and
I think the expectation is that it's not going to
be used often, the experience to date with various
commissions that have that is that it's not going to be used
often. But conversely, if it's not going to be used
often, why not have a third party cast independent eyes
on it to give that degree of protection? The degree of
protection extends to businesses as well as
individuals, so I think it's a very simple thing.
It's not going to
prevent the use of the power at all and it's just going
to give something that I think would be more in line
with a law that is intended to protect privacy.
The Chair: Thank you very much, Mr. Jaffer.
Mrs. Barnes, please.
Mrs. Sue Barnes: I'm going
to follow up on this point directly, and you've heard
the previous witness.
In the Canadian legal framework we have had different
standards throughout history between criminal and
civil. In this bill, in your own brief—which I just
received and glanced at after I'd questioned the last
witness, by the way—I commend you for showing the
difference between a criminal standard and a civil
standard. You've pointed out on page 8 of
your brief that Bill C-54 already meets the third test on
the criminal standard of requiring reasonable grounds,
so that is a limiting factor.
Now, most people in this
world aren't lawyers, so I'm going to keep it down to a
simple premise that most people in Canada would
understand, because they're aware of the differences in
proof required, the burden of proof between a civil action and
a criminal action. Maybe Ms. Morin could just explain
the differences of burden of proof. What level would
be needed to prove a criminal charge, the burden of
proof?
I'll make this simpler. It's beyond a
reasonable doubt. Beyond a reasonable doubt is a
stronger burden on a system than the civil one of a balance
of probabilities. I mean, that's a basic tenet.
Mr. Bernard Courtois: Yes.
Mrs. Sue Barnes: The only case you have cited here
is the same one cited by the previous witness, which is
a criminal case. What you're asking for is a criminal
standard here, and I have real problems with that
because I see a limited resource.... Most
corporations—and I'm not saying your firm but most
corporations—have
more massive resources. This privacy
commissioner is going to have
to resource from a limited amount of funds to educate
the public, which I think is a significant role for this
commissioner to attempt to do
in a very complex world.
• 1640
What I see, if you get into a search warrant situation
on a different level—the criminal level in a sense is
the standard you're asking for here, not the civil
level in the trade and commerce area, which is a
lower level—is that you're going to be able to wind this
guy up forever. I don't mean you personally, I'm not
trying to be directive here. I'm trying to look at the
reality that every time there's a document needed,
search warrants.... What are we trying to accomplish
here?
It's like any other situation where the good
actors are going to be able to not have to worry, as you
know, and the bad actors are going to be able, if we do
this, to tie up in expense, in delay, in bureaucracy....
This is not unlimited funding that's envisioned in
this thing. It's supposed to be light, flexible; that's why
we went with a code that is precatory for the most
part.
I think there were some valid points made
between the “shalls” and the “shoulds”, but often, even if you
take the example that was used earlier today—and I
rarely like to cross-reference—the “should” actually
led into a section that “shall” had an obligation on,
keeping documents private. So for a lot of these things,
even though there could be some clarification in that
area, I think in this area I see them emasculating the
act.
First of all, my question to you is about what you've
pointed out in your brief. Do you want that standard,
do you want that here, and how reasonable from both
sides do you see it would be in accomplishing the
goals?
Mr. Bernard Courtois: The standard as to whether
you've proved something beyond a reasonable doubt or
according to a balance of probabilities or whatever
determines what happens to the evidence once you have it—
Mrs. Sue Barnes: Yes, that's right.
Mr. Bernard Courtois: —and once you go through a
trial or something like that; it doesn't apply to the
notion—
Mrs. Sue Barnes: It's a differentiation.
Mr. Bernard Courtois: Yes. So it
doesn't apply to what's at issue here. What's at issue
here is that a person is on your doorstep wanting to come in
and go through your files and your papers, and that's
very different from whether in the end the evidence
will convict you of something or not. It doesn't
have anything to do...and the Competition Act, for
example, has civil sections as well as criminal sections.
What we're talking about here is someone who could be a
small company, and even though the privacy commissioner
may not have huge funds it's still the government, and
for a small business it's government coming to your
door or sending someone they've delegated to come
in your door and look at your papers. The fact that
a third party will have cast eyes over that ahead of
time to make sure there's no abuse going on is an
extra degree of protection that I think is entirely
consistent with something called an act to protect the
privacy of Canadians. So I think it's reasonable for
that process.
Now, there are not going to be warrants
issued by the privacy commissioner every day. He's not
going to spend a lot of money doing these things. He's
not going to exercise these powers except in the rarest
of circumstances, so the fact of having to show that to
a judge before doing it shouldn't have any impact on
the financial ability to fulfil his duties.
Mrs. Sue Barnes: My point, Madam Chair, was
specifically that there are different standards, which
are different in the law.
Mr. Bernard Courtois: For the decision at the end,
but not for whether someone's taking your papers
without your consent.
Mrs. Sue Barnes: Well....
The Chair: Thank you.
[Translation]
Ms. Lalonde.
Ms. Francine Lalonde: Good afternoon.
Mr. Bernard Courtois: Good afternoon.
Ms. Francine Lalonde: In the past you complied with the Quebec
legislation, Bill 68. What are you going to do in the future?
Mr. Bernard Courtois: We will do as we have done in the past.
We will have a federal Act and, as you know, we were already
covered by federal regulations. Moreover, we have always been
governed by some regulation or other. Some of our subsidiaries
operate under provincial jurisdiction, just as Bell and some
companies operate at the federal level. As you heard us say, we are
interested in focusing more on protecting the privacy of our
customers and of our employees. If the Quebec commission asks us
for information, we are not interested in getting caught up in
issues of jurisdiction. We prefer to cooperate. We have never gone
so far as to consider whether we should challenge the jurisdiction
of the commission or not. As we indicated, our company has perhaps
had to deal with jurisdictional complications and we would prefer
that these companies not get involved in such complications.
• 1645
This Bill clearly applies to companies operating under federal
jurisdiction. It leaves a place for the Quebec legislation within
its particular area of responsibility. That seems to us to be quite
a clever way of not getting involved in needless jurisdictional
disputes.
Ms. Francine Lalonde: You seem to be saying two things at the
same time, and I find it difficult to follow you.
When someone continues to complain to the Quebec access to
information commission, will you respond to the said commission or
will you say that the matter does not come under Quebec
jurisdiction? This is very important because in the past you did
not ask that question.
I have made a few inquiries of my own and identified cases
where lists were sold. The Quebec legislation prohibits the sale of
lists of names without offering the people concerned the right not
to be included. It seems that you have found a regulation, but it
is very important that you indicate whether you are going to apply
the federal legislation, which does not provide for such cases, or
whether you will not trouble yourself, as you say, and respond to
the Quebec access to information commission when it tells you it
has received a complaint.
Mr. Bernard Courtois: As a lawyer I could certainly tell you
that, from a purely legal viewpoint, there are certain companies
reporting to me which are subject to provincial legislation and
others which are not, but our record to date shows that in such
cases we do not raise questions of jurisdiction. Rather we try to
get to the heart of the problem and cooperate. That will not change
the issue of jurisdiction, in other words which legislation should
have precedence in law, but in practice it is obvious that if a
situation were to arise where we believed we were being treated
unfairly or there was a problem with the legislation, we would be
able to deny the jurisdiction of the Quebec commissioner. In
practice we do not expect to raise this kind of problem; we expect
to cooperate both with the federal commissioner and the provincial
commissioner.
Ms. Francine Lalonde: I should not have to remind you that
Bill 68 was adopted in Quebec in 1994, when a federalist Liberal
government was in office, and it was supported by the Parti
Québécois. As I know you appreciate, we in Quebec would have
preferred that this Quebec legislation be used as the basis for the
federal Act.
There is a value judgment in that the federal legislation
would create a new approach between two extremes, namely the
European directive, with which in any event you will probably have
to comply at some point, and the United States. Do you consider the
Quebec legislation to be at one extreme?
Mr. Bernard Courtois: No. There is a whole range of
possibilities and the Quebec legislation is somewhere between these
two extremes. You have to appreciate that the electronic commerce
industry, which we expect will grow significantly, was subject to
strong US influence and was very reticent about the idea of any
government involvement in the Internet. There was also concern that
some people from big business would rely on it and others would
not. All I am saying is that Bill C-54 seems to address the subject
very well and deal with the various interests quite cleverly.
Ms. Francine Lalonde: The only people who have expressed that
viewpoint here are corporate representatives. The other groups do
not feel that this is a balanced piece of legislation. You can
decide for yourself.
Let us come back to the Internet, to this knowledge-based
economy. We are at the dawn of a new era. Isn't this proposed
legislation far too soft to reassure people?
• 1650
Every day we hear disturbing news. This morning we learned
that Windows 98, which many of us have installed in our computers,
may disclose personal information, and nothing can be done about
it. We are told that it is not directly connected but it is. Not a
day goes by without us hearing this kind of thing, and really the
legislation before us does not do much to address these issues.
Mr. Bernard Courtois: You are correct in pointing out that
companies don't want to create doubts or worries in the minds of
the public, and this has a direct negative impact on us. We want
the legislation to operate effectively and efficiently. The CSA
code was developed through the cooperation of public interest
groups. Perhaps our experience is more extensive than that of other
corporate consultants or representatives who have appeared before
you.
If technology such as Intel's Pentium 3 or something on the
Microsoft system could collect information against the will of the
clients concerned, there would be an outburst of protest in the
market. But the legislation would apply to such situations, and
companies would not be allowed to use that information. So the
result is neutral: technology has no effect in this case. The
legislation prevents people from doing that kind of thing. People
are not afraid of the machine, but rather that the machine may
gather information which someone will use. The legislation applies
to that kind of use.
Ms. Francine Lalonde: Information that people won't be able to
recover.
Mr. Bernard Courtois: That's right. The legislation will apply
to such cases.
Ms. Francine Lalonde: But a member of the public does not have
the right to demand.
[English]
The Chair: Thank you very much, Madame Lalonde.
Mr. Lastewka, please.
Mr. Walt Lastewka: Thank you, Madam Chair. I
appreciate the witness.
I want to ask a couple
of items. Mrs. Barnes covered the one area.
This bill grants and expects to have a lot of
education for Canadians. A number of witnesses have
come forward, and various commissioners and reports by
commissioners—all provinces—on the importance of
education. It will be a large mandate.
So I'd like to get your input on how you would like to
see the commissioner, or do you have suggestions as to
how to educate Canadians on privacy? You've had a lot
of experience on that from the various years,
especially in your business. How do we educate
Canadians to understand privacy and what they should be
expecting from large corporations like yours?
Mr. Bernard Courtois: I think one of the things
you get, for example, with this law, which I mentioned,
is that by using the OECD guidelines you get more bang for your
buck, in a way, because you eventually have a set of
principles that becomes generally recognized. If
every industry or every business were to have a very
complex set of privacy principles that differed from
one to the other, then educating the public about that,
or for the public to find out what it all means, would
be a monumental task. It's made easier by the
fact that they recognize something is pervasive and
will become the global standard.
Education, then, I think, is not so much a formal....
I don't have any suggestions or any views as to how
someone could formally educate Canadians, but
you need discussion around it. I don't think Canadians
need to be educated into every little detail of a code,
of how it works. They have to have an inherent
understanding that they have certain rights, where they
can go if they want to complain, and what the basic
principles are, and that comes from public debate.
It could come from coverage in the media, discussions
on various kinds of shows. On the Internet
there are sites where people go to talk about privacy
and can get to find out about it.
I think you'll need a diversity of means. I'm not
necessarily thinking therefore of formal education—get a
bunch of people in a room and give them a
lecture for two hours.
Mr. Walt Lastewka: No, I didn't expect that
either.
I guess when this bill is approved and the commissioner
is doing his work and so forth, there is
also an expectancy of large corporations to be part of
the education process, first with their own clients and
customers, and second with potential clients and
customers and other Canadians. Can I have your
comments on that?
• 1655
Mr. Bernard Courtois: Yes, I think that's another
thing that will take place. As you've probably heard
and you'll hear from a number of industry
representatives, we need that sense of security to be
built up out there, and we need people to know it's
out there and that these principles are operational. So in
our various means of communicating with the public,
it's in our interest to participate in getting this
better known. Yes, I think you can count on
our capitalizing on that.
The Chair: Ms. Morin, do you wish to respond as
well?
Ms. Suzanne L. Morin (Senior Counsel, Bell Canada):
We can actually provide copies, but one of the
educational tools that the telephone companies,
including BCT.TELUS, helped sponsor was the
development of an Internet game, a CD-ROM called
Privacy Playground: The First Adventure of
the Three Little Cyberpigs, and it's being distributed to
schools across the country. Minister Manley was there
for its launch in May.
We've sent copies to Hong Kong. New Zealand has asked
for copies. It's tailored to children 7 to 10 years
old. It's something we're really proud of, and it has
gotten a lot of mileage, and if anyone has 7- to
10-year-olds, I would be glad to supply you with
copies.
That was done with the Media Awareness Network, which
has done a lot of work on the Internet. Actually,
even when the discussion paper for this particular bill
was issued last January, Media Awareness Network had an
on-line forum where you could provide comments on it.
So we were very happy to be associated with them
in that particular educational tool for children.
Mr. Walt Lastewka: I have another question. What
do you consider the biggest threat to privacy in
telecommunications in your field today?
Mr. Bernard Courtois: Nothing comes to mind as one
single thing. I think the biggest threat is to not
take off with the degree of trust that the public will
require in order to use the new technologies. I think
it's a threat of something not happening as
opposed to one individual type of threat.
Mr. Walt Lastewka: I suppose those large
corporations who, I guess I'll say, get in the game
properly and promote properly are going to gain a trust
advantage very quickly and a competitive edge. Would
you agree with that?
Mr. Bernard Courtois: Yes, and in that sense, there
are various certification processes taking place.
For example, Bell Canada was the first to obtain the
WebTrust seal, which is run by Ernst & Young, a
major accounting firm. You'll see a lot of that, where
people are really trying to gain a competitive edge.
As I mentioned, the reputable brand names will go for
that and maybe be able to get that early.
We still have an interest because we are a carrier and
we benefit from everybody using these new technologies.
We still have an interest in this degree of trust
spreading throughout the economy and throughout
businesses, but there's no doubt that the reason
we, for example, go for this, to be first to have the WebTrust
seal, and others have various forms of
certification is that it's viewed as a very useful
enhancer of our business success.
Mr. Walt Lastewka: Thank you, Madam Chair.
The Chair: Thank you very much, Mr. Lastewka.
Before I move on to further questions, I want to
clarify something from Mrs. Barnes' question. Mrs.
Barnes was talking about two different standards.
You're asking for a standard—and I'm not a criminal
lawyer, so correct me if I'm wrong here—that you would
normally see in criminal proceedings for search and
seizure.
Mr. Bernard Courtois: No, we're not. To
clarify what I was talking about, the criminal standard
has nothing to do with what we're proposing here. That
applies to what you do with information once you have
it.
We're saying that civil or criminal, the concept of a
search and seizure should be subject to a third party
having a look at it, whether it's for purposes of civil
proceedings or criminal proceedings.
The Chair: My understanding was that Mrs. Barnes was
citing examples for other civil proceedings that would
have the same search rights as those being proposed under
this bill, and you're asking for a higher standard that
you would normally see for cases that could end up in
criminal matters. I'm trying to be clear here.
Mr. Bernard Courtois: Just to be clear, no, we're
not—like the Competition Act, for example.
The Chair: But the Competition Act has both civil
and criminal sections to it, so are you suggesting in
this act we should have both civil and criminal
sections?
• 1700
Mr. Bernard Courtois: No. I'm just saying that—
The Chair: You want part, but not all, of the
Competition Act.
Mr. Bernard Courtois: Yes. Whether it's the civil
part or the criminal part of the Competition Act, if
there's going to be a search and seizure, they have to
get prior authorization. So it has nothing to do with
civil or criminal. It'll apply to civil and it will
apply to criminal under the Competition Act. And
that's why we don't make the distinction here.
The distinction that perhaps has more value is that in
some other instances urgency or safety might not make
it practical to go through the prior authorization. It
might be food safety, airplane safety, drunken drivers,
or whatever. Then it doesn't fit to go through a
process. Here there is no reason you wouldn't go
through the protection of having someone look at it
first.
The Chair: I know that recently, as an example, I
received a call in my office from a constituent who was
very upset about the fact that he'd been trying to
contact Revenue Canada and every time he dialled the
number a busy signal would come on, and Bell would
come on with that telephone message that if you press
whatever for 30 minutes...and he found that very
intrusive. He was trying to call Revenue Canada and he
wanted to know why that was happening.
Mr. Bernard Courtois: Yes. We have a lot of
automated messages, perhaps because the line is
overloaded or it could be, as for Industry Canada, an
automatic voice answering system. Those are sometimes
quite annoying to the public and sometimes quite
useful. Obviously those systems allow people to deal
with the government, their bank, or whatever 7 days a
week, 24 hours a day. They can be quite convenient.
They're cost saving and they can be effective. But
we're still learning how to work those things to make
them simple and customer friendly, and in some cases
they're not. But I don't think it's any more than that.
The Chair: Most people would assume that local
calls are not known—not tracked—because local calling
is free from your home. When you do this, is that
phone call then tracked?
Mr. Bernard Courtois: No. The switch, which is a
big computer, collects the information, whether it's a
local call or a long distance call, but there's no
system in place to extract and collect that
information, because we don't use it for billing or
whatever. So it just doesn't get used. But the
calling number is available, and that's how you get
caller identification, or you can trace a call after
the fact if a person has tried to block it. So there
is some information there.
The Chair: Thank you. Mr. Jaffer, do you have any
more questions?
Mr. Rahim Jaffer: Yes, I do.
Given the amendment that you're
asking for, which Madam Chair just wanted some
clarification on, when it comes to a check or a
balance, I'm curious whether right now, under the
current legislation, there's any provision in the law
that gives you recourse if the privacy commissioner
launches an audit or wants to go through the process of
search and seizure and you feel that's completely
outlandish. Is there any recourse currently you could
use to bring light to that?
Clause 22
of this legislation says that if the commissioner is
acting in good faith and going through a process, he
or she is literally untouchable. So I'm curious, in
that given circumstance, without the provision that
you're suggesting in the amendment, is there anything
you can do to bring light to something you think is
unfair?
Mr. Bernard Courtois: Yes, but the awkwardness with
something like that is that when it's done, it's done. You
can't go back. If for example someone were to come
upon privileged information, solicitor-client
privileged documentation, you could try to pick up on
that after the fact. But if they've looked at things
they should not have looked at, well, it's too late.
They've looked at it, they've already been in your
premises, they've already come in whether you
consented or not. So in practical terms you can't
really undo that after the fact.
Mr. Rahim Jaffer: My last question is to follow up
on what Ms. Lalonde was asking, with regard especially
to provincial jurisdictions of privacy and this federal
legislation. When it comes to privacy laws being
established within the provinces, Quebec is the only
one currently. But if that continues and other
provinces start to implement changes to privacy and to
build something in line with this or their own
concerns, could it not become somewhat cumbersome in
the end? Or do you see it as a positive thing if
different provinces have different laws and, as you're
operating a business, you have to overcome those
challenges that different provinces put in front of
you?
• 1705
Mr. Bernard Courtois: Yes, it could become
quite awkward if they're substantially different. That
is again a good thing about this bill, because it has
some mechanism to assure that they're not wildly
different from one to another. You're
talking about an industry that, by nature, is even
global. If Canada can take a lead and can cover at
least that, we have a good base and we'll have a brand
and image out there that can be trusted in matters of
privacy.
As long as the legislation is fairly similar, then
businesses should not have much of a problem. We've
been living with that very situation, being subject to
federal regulatory requirements. Section 11 of our
terms of service is very detailed about privacy
protection of customer information, and we've lived
with the fact that some of our affiliates are subject
to the provincial law. As you've heard, even when
the provincial commissioner asks for such information
from the company that's not subject to the provincial
law, we cooperate in any event.
So as long as the laws are generally comparable, it's
going to be quite liveable for business. But if you
didn't have a mechanism like the one you have in this
law, and if you just let the provincial laws prevail in
provincial jurisdiction and they were quite different,
then it would become quite awkward for business. I
think we'd then be missing out on the objective of
giving Canadians a sense that there's a certain degree
of privacy protection out there.
The Chair: Thank you very much, Mr. Jaffer.
Ms. Barnes.
Mrs. Sue Barnes: Thank you, Madam Chair.
Having just listened to the answers to those
questions, I'm going to take you to your own brief on
page 7, because it's now very confusing to me. It
seems that you've said the opposite to what's on page 7
of your brief. Here you say, “In criminal matters,
the Supreme Court of Canada has established three
preconditions for a valid search and seizure”.
You cite the Hunter case, and you set out items
i), ii) and iii), with iii) being the
reasonable grounds.
I'm now going to read you the
paragraph that you have in your brief:
While we appreciate that this is not a piece of
criminal legislation, we would submit that the same
preconditions
—the ones that were just cited above in the criminal
case and are the standard-bearers in this area—
should exist when the Privacy Commissioner wishes to
exercise his or her search and seizure powers in the
context of conducting an investigation or an audit.
Now, correct me if I'm wrong, but I heard you answer
in reply to the chair's question that you didn't want
the criminal level on the search and seizure.
Mr. Bernard Courtois: I think it's good that we
clarify that. The reason we said it here is that the
Supreme Court decision applied in a criminal matter.
The object of what we're saying in our brief is that it
should also apply when it's not a criminal matter. In
fact, the Competition Act was subsequently amended
so that the same protection applies to actions under
the civil portions of the Competition Act as well as
the criminal. That's the point we're making. We're
saying that even though that judgment pertains to a
criminal matter, we think it should apply here even if
it's not a criminal matter. And the Competition Act is
another example.
Mrs. Sue Barnes: That's my point. You do want it
to apply in this thing where we don't have criminal
protection—
Mr. Bernard Courtois: That's correct.
Mrs. Sue Barnes: As I heard it, that is opposite
to the answer you gave a couple of minutes ago.
Mr. Bernard Courtois: Oh, I see, I'm sorry. I
thought I said that whether it's criminal or not
criminal, we want this protection to apply. So here's
a law that's not criminal, but we want this protection
to apply. Here's a court case that was a criminal
matter, and that protection applied. The Competition
Act was then amended for non-criminal matters in order
for the same kind of protection to apply.
So just to make it clear, whether the question is a
criminal one or a civil one, we think you still need
protection against unauthorized search and seizure.
Mrs. Sue Barnes: The criminal standard.
Mr. Bernard Courtois: No, I'm sorry, protection
against search and seizure is not a criminal matter,
it's protection against search and seizure. It can
apply in a criminal case or it can apply in a civil
case. We're saying this is a civil case, and it should
apply in a civil case.
Mrs. Sue Barnes: Okay, now we're clear on what
you're saying.
The Chair: Thank you very much, Ms. Barnes and Mr.
Courtois.
[Translation]
Ms. Lalonde please.
Ms. Francine Lalonde: I would first like to indicate that the
CSA code was not designed to be an integral part of the proposed
legislation. I know people who would never have helped implement it
if that had been the case.
You say that you are appearing before us to speak only on Part
1 of the Bill. Nevertheless, I would like to ask you what you think
about the definition of “electronic signature” and “secure
electronic signature”. I have in front of me the report of the UN
task force which states that the term “signature” should not be
used because in the cases in question these are not signatures.
As the copy of the report I have is in English, that is the
language in which I will read it to you:
[English]
...rather, [they are] techniques that enabled the
identification of the sender of a data message and
identification of the message that was sent.
Accordingly, there was no rationale for using the term
“signature” to describe such techniques, and in
fact to do so could create confusion as the term
“signature” carried with it meanings closely
associated with its use
in the paper environment and with the legal effects
of its use in that environment.
• 1710
[Translation]
Like Mr. Lastewka, I also would like to hear your views on
that point.
Mr. Bernard Courtois: As I said, it is because of our
experience in the protection of privacy that we commented on that
aspect. I have not studied in detail the other aspects of the Bill,
which I find very helpful.
Clause 31 provides a definition of “electronic signature”.
Another term may be preferable, but I believe that, once an
expression is defined in the legislation, all doubt is removed and
problems are not likely to arise. For reasons of style, the person
drafting the Bill might choose a different expression, but since it
is in this Bill that the expression is defined, any doubt will be
removed. The term will have the desired effect since it is defined
expressly.
Ms. Francine Lalonde: But the problem is that what is a
signature is already defined in the civil code or common law. We
will be faced with two undesired legal consequences if there are
two types of signatures. I have listened to the opinion of the
legal specialists on this matter. I would put the same question to
the members of the committee. This definition certainly has to be
examined.
Mr. Bernard Courtois: The courts apply at the same time common
law, civil law and statute law, and they will apply this
legislation, including the definition contained therein. Could the
legislator have chosen a better term? I don't know. I have no
alternative term to propose, but I believe that legally speaking
the Bill could be applied without problems since the said
definition is contained therein. The courts may apply a definition
from the civil code, from a provincial or from a federal piece of
legislation, as the case may be, so long as the Act is clear.
Ms. Francine Lalonde: I would like to go back to an expression
you used earlier. Some people may perhaps not agree with you. Thank
you anyway.
[English]
The Chair: Thank you very much.
I want to thank you both for being with us. We
appreciate your detailed presentation and your
participation in the hearings.
Committee members, just before you go, I want to raise
an issue about what's happening with Bill C-54. We've
had a number of witnesses call us. We said at the
steering committee meeting last week that we would only
entertain briefs. I just want to make committee
members aware that about five more groups have asked to
appear. As it stands right now, next week we're
sitting Tuesday morning, Tuesday afternoon, Wednesday
afternoon, Thursday morning and Thursday afternoon. The
only way to accommodate another meeting would be to
meet either in the evening or to meet Monday afternoon.
Monday afternoon would probably create the least
conflict for people. I don't know what the
committee's feelings are on that, though, so I'll raise
that with you.
Ms. Francine Lalonde: Is that March 22?
The Chair: No, March 22 is the following Monday.
A voice: That's the day we go to Montreal.
The Chair: No, we're talking about next Monday,
not March 22.
[Translation]
Ms. Francine Lalonde: No problem.
[English]
The Chair: All right, so I'm thinking that we'll
try to entertain the rest of them on Monday afternoon,
if everyone's in agreement with that.
Mrs. Sue Barnes: For how long?
The Chair: All the meetings are scheduled for two
hours.
Mrs. Sue Barnes: Two hours? So it would be after
QP on Monday.
The Chair: Yes, it could be Monday afternoon.
That's what I'm thinking.
Mrs. Sue Barnes: Okay.
The Chair: All right.
The meeting is adjourned.