Chair:	* Rick Kasper (Malahat-Juan de Fuca NDP)
Deputy Chair:	* John Weisbeck (Okanagan East L)
Members:	* Pietro Calendino (Burnaby North NDP) * Glen Clark (Vancouver-Kingsway NDP) Gerard Janssen (Alberni NDP) Steve Orcherton (Victoria-Hillside NDP) * Erda Walsh (Kootenay NDP) * George Abbott (Shuswap L) * Geoff Plant (Richmond-Steveston L) * Katherine Whittred (North Vancouver-Lonsdale L)
Clerks:	Craig James Kate Ryan-Lloyd
* denotes member present

[ Page 5 ]

The committee met at 10:34 a.m.

R. Kasper (Chair): I'd like to call the committee to order. We have an agenda before us. This agenda was prepared on the basis of our last meeting. We have a presentation by the Information, Science and Technology Agency of the Ministry of Advanced Education. They're going to give us an overview of "A Discussion Paper: Protecting Personal Privacy in the Private Sector." That's our first item of business. In the second, we're going to get a presentation from the information and privacy commissioner, Mr. David Loukidelis. We're also asking him to give us an overview of the discussion paper. Then our last items of business are our meetings and public hearings schedule, the review of the draft advertisement, the new Canadian privacy bill conference in Toronto and any other business.

Could I have approval of the agenda as submitted?

[1035]

Meeting agenda approved.

R. Kasper (Chair): Okay. If we could just start out. We have Mr. Stuart Culbertson, Mr. Byron Barnard, Mr. Chris Norman, and Jacquie Edwards from the ministry. I'll turn it over to you, Stuart. Would you like to lead off the discussion?

S. Culbertson: Good morning, everybody. I welcome the opportunity this morning to discuss this very important issue with the committee and, hopefully, provide some good background for the work that you're going to be undertaking over the next couple of months on this.

In addition to the presentation which I'm giving, we've prepared a fairly extensive binder for your reference. It has a whole bunch of information in it about a number of the things that we're talking about, ranging from the status of privacy protection internationally or in Canada and the status of the federal government's initiative in this area, right down to the costs that you might associate with webcasting and videoconferencing your hearings. I'll occasionally be referring to material in this, just to tell you where it is rather than to summarize. I'll try to summarize it as we go through.

Under tab 2, you will see overhead slides of what I am going to go through this morning, and we're projecting it up on the screen now. First of all, just to position our organization and by way of a background, we have responsibility within the government for the administration of privacy protection in the public sector through administration of the Freedom of Information and Protection of Privacy Act. We are also responsible, corporately and throughout government, for providing policy advice and coordination to public bodies, assisting public bodies in evaluating privacy issues relating to the act, liaising with ministries and providing statistical reporting on the act, and providing training on privacy and information related to the act. We also were one of the first organizations in North America to create a privacy impact assessment form, which we use quite often within the government in addressing privacy issues in the public sector.

The overview that I'm going to present this morning is going to start with a look at some of the international activities in the area of protecting privacy in the private sector. We'll look at some of the national activities related largely to the CSA code and the federal government's Bill C-6, as it's called now. We'll survey some of the activities that we have underway here in B.C., move into some outstanding expectations that at least we have laid out there, perhaps in our meetings with various private sector and interest groups over the last couple of months on this, and then focus a bit on the questions that we have raised in the discussion paper. Again, I invite anybody to ask any questions at any time that my colleagues and I might be able to assist with.

First, on international activities, a lot of this whole initiative around protecting privacy in the private sector began in the early 1980s with the Organization for Economic Cooperation and Development recognizing the growing need for the protection of personal data that was contained in computer systems. Certainly since the early eighties, things have increased on that front quite dramatically. We have very extensive data banks and information about people held in data banks and easily accessible. I think the concern has grown internationally about what happens to all this data. Is it used the right way? Is personal information protected?

[1040]

Most jurisdictions in the world have responded positively to this, and some have drafted legislation that parallels the European Union one. I guess, in the North American context, the United States is probably the one that's opposed it the most. The United States never seems to like any other country or organization trying to have some legislative oversight into what they do. From a Canadian perspective, Quebec -- and we'll talk a bit about this being the only jurisdiction in Canada that has legislation that protects privacy in the private sector -- is the only place, of course, in Canada recognized by the European Union as having acceptable privacy codes.

We tried to do a little spectrum here -- which is under tab 1 in your binder -- just to try to kind of position where everybody is on this issue of privacy protection. With the U.S. at, really, one end of the spectrum saying, "Well, we'll put up some safe harbours for some information," but tending to view that this is the job of industry self-regulating and making sure that it's showing good practices in approaching personal

[ Page 6 ]

The next thing I want to survey fairly quickly is the so-called Canadian Standards Association fair information practices code. There's a piece in the binder under tab 4, for your review, which I think gives a fairly good analysis of what this is all about. I think it's important to maybe spend a little time on this, because this is kind of the bedrock in a Canadian context of thinking around protecting privacy in the private sector. In 1994 the Canadian Standards Association, becoming aware of a growing requirement in Europe and the growing concern about what happens to personal information that could be flowing around in private sector transactions, pulled together a group of representatives from business, consumer groups and government to discuss the need for privacy protection here and to develop a consistent set of standards around privacy protection for businesses in Canada. In 1996 the group codified ten fair information practices and a package that was approved by CSA.

The code is sort of like a Good Housekeeping seal of approval type of approach -- good practices, best practices. I'll go through them individually, but you'll see they're very much focused on trying to do two things, really: constraining the collection, use and dissemination of personal information in the private sector for very tightly defined purposes and also ensuring that the individuals who have this information collected from them have some consent in doing so and have access to that information. We're spending a bit of time on this because this code is very much embedded in the middle of the federal legislation that's in the House now. We're of course assuming it will pass and will become a bit of a driver on this throughout Canada.

The first of the ten principles relates to accountability: "An organization is responsible for personal information under its control, and it shall designate an individual or individuals who are accountable for the organization's compliance with the following principles." The second deals with identifying purposes: "The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected" -- why do we need this data?

[1045]

The fourth principle relates to limiting collection: "The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means." The next principle, the fifth, looks at limiting the use of disclosure and retention of this information: "Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual. . . . Personal information shall be retained only as long as necessary for the fulfilment of these purposes." This sort of looks at how long you need the information and whether you should really be accumulating big data banks of information about people.

The sixth principle deals with accuracy: "Personal information shall be as accurate, complete and up to date as is necessary for the purposes for which it is to be used." The seventh one relates to safeguards: "Personal information shall be protected by security safeguards appropriate to the sensitivity of the information." So this is compelling companies collecting this data to ensure that they have security systems in check.

The remaining three really deal with the individual's right to the information that is collected about the individual. The eighth says: "An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information." Perhaps members have seen this. It's sometimes now on applications for credit cards or grocery store cards or whatever. There is sometimes a little clause on the bottom that maybe talks about the company's privacy protection principles: where they are, where they can be accessed.

The ninth deals with individual access: "Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate."

The last deals with challenging compliance -- that if an individual isn't happy about the way that the information is being used, stored, collected or secured, there should be within a company a mechanism concerning compliance to address that. It may be an appeals commission or an ombudsman with a company to ensure that the designated individual can sort of challenge this collection. So these are the ten fair information practices that are, I think, very widely and deeply accepted within Canada and are at the heart of the federal legislation.

We now want to do a quick survey of what's now called Bill C-6. It used to be called Bill C-54. We have quite a bit of information for your review under sections 5 to 9 in the binder that I've handed out. This will give you a perspective of the legislative history behind this bill. An overview of the bill will talk about how Bill C-6 may be a bit different from Bill C-54. It will give you our assessment -- having read through the briefs and talked to some of the organizations that have presented information about Bill C-6 -- about where various public interest groups and sectors are coming from. We anticipate that as this committee engages in public consultations on this front, you may perhaps be facing some of the very same questions and concerns that have come out on the federal bill.

First, in terms. . . .

[1050]

[ Page 7 ]

R. Kasper (Chair): Could I break in?

Does anyone have any questions on what's been presented to date?

G. Clark: I'm not sure of the significance. Are you going into what the implications are for the implementation of the bill?

S. Culbertson: Yeah, we'll be covering that shortly. When we talk about Bill C-6, I'll also talk about the provincial position on Bill C-6.

G. Clark: This CSA code -- it's embodied in the bill.

S. Culbertson: It's right in the bill. As I say, I think the CSA code is widely accepted by business communities in Canada. You'll see that some sectors actually say that this is good enough, the CSA code -- that we should sort of self-regulate against the code; we don't need legislation to tell us to do it. So there's a bit of tension there.

G. Clark: We'll get into the implications of it in a minute -- right?

S. Culbertson: Yeah.

R. Kasper (Chair): Any other questions?

Okay, carry on, Stuart.

S. Culbertson: Canada's drafting of Bill C-6 was, again, I think, partly in response to the European directive, but it's also very much a centrepiece of Industry Canada's electronic commerce strategy. I think it's being framed in a way that addresses the sense of public reluctance to trust electronic commerce if they can't be assured that their personal information is protected.

We've all seen the projections of what electronic commerce could grow to be in terms of a business sector internationally. I think it's flying at a faster pace than anybody anticipated. A real barrier that's seen to the continued growth of electronic commerce is around personal consumers using electronic commerce. The way I characterize it is: how many people have been on Internet buying sites just about to press their Visa number into cyberspace and then say: "Wait a second. I'm not sure what happens to my personal information that I've provided here or my Visa card before I make that purchase"?

The federal government and Industry Canada have a fairly ambitious plan to make Canada a real leader internationally in electronic commerce, and they have addressed the need to put some legislative security around electronic commerce and public trust for protection of privacy in this bill.

Industry Canada began with a series of consultations with the public and the business community, which culminated in a White Paper. Then, with the introduction of Bill C-54 in October of 1998. . . .

G. Clark: Stuart, can I ask a question on that -- if it's okay, Mr. Chairman?

S. Culbertson: Yeah.

Let's take Amazon.com, for example. Is it the federal government's intention that if I were to buy a book on Amazon.com and use my MasterCard number -- which I have -- Amazon.com Inc., an American company on the Internet, would have to comply with this law before they could sell here? Does that lead ultimately to some attempt to regulate the Internet vis-à-vis Canada?

B. Barnard: Not immediately, but eventually, yes. It has to do with transborder information flows. The immediate implication of the passage of Bill C-6 covers the commercial domain -- and that would be banks, transportation, airlines, that type of thing -- but the direction is certainly that, yes, it would. But provinces would be given some time. Your question has to do with transborder data flows.

G. Clark: That's what I mean. It's all very well to say that a domestic Canadian company that's doing electronic commerce with Canadians perhaps can be regulated. How do you regulate a Swedish or a German company that's doing business with individuals living in the basement of their homes in Vancouver and purchasing over the Internet?

B. Barnard: That question gets right to the nut of: why Bill C-6? The federal government introduced Bill C-6 to take a national position and to basically raise the bar nationally so that companies would not have to deal individually with complying with the European standard, let's say, in terms of privacy protection. To date, the United States has not yet taken the approach, and there are a lot of eyes on the United States to just see how they're going to address this issue.

G. Clark: Well, let me ask this question. If Germany and Sweden have the toughest privacy legislation, by your definition -- or by anybody's definition -- if someone in Germany were buying a book through Amazon.com, is there a mechanism in Germany to ensure that Amazon.com does not use that information in a way which would violate the German legislation?

B. Barnard: I think the answer is no, today.

G. Plant: If a company in Germany wanted to purchase the supplier list of everyone who had bought from Amazon.com. . . .

[1055]

G. Clark: These Internet companies are not really site-specific, are they?

S. Culbertson: No. A lot of it is built on the assumption that working through mechanisms like the OECD, where all of the major developed countries are involved, everybody is going to eventually get this kind of level of protection in place.

I mentioned earlier that the United States often doesn't like this kind of extraterritoriality -- another government sort of purporting to have jurisdiction over the practices of its companies. The United States, from our information, has tra-

[ Page 8 ]

G. Clark: But is that for commercial reasons and in order to ensure that their companies can have access to the OECD. . . ?

B. Barnard: Both domestic pressure and commercial.

C. Norman: What the legislation can do is regulate the activity of companies or organizations within their own jurisdiction. But they can't regulate or legislate what an individual might choose to do with a company outside of their territory.

G. Clark: That's what I mean. Where is the transaction deemed to take place when I buy a book through Amazon.com? Is it deemed to take place in the notional headquarters of the computer of Amazon.com -- in Tacoma, Washington, in this case? Or is the transaction deemed to take place at my home?

B. Barnard: Interesting questions.

G. Plant: Some of those questions are questions that I have. What I'm hoping we'll get a picture of over the next few minutes is a sense of what this is doing in the real world -- what kinds of things it's applying to and then, by implication but I hope also expressly, what kinds of things aren't being covered yet. For example, we all want to pull out our Safeway card and ask what the heck Safeway does with this information. I sense that we have a long journey to go in understanding what is happening legislatively and regulatorily, and we're going to find out that we're actually nowhere near Safeway cards yet. That's going to be one of the issues for us, but I want to figure out what it is that Bill C-6 covers.

G. Clark: Yeah, me too.

R. Kasper (Chair): Okay. Carry on, Stuart.

S. Culbertson: Just in terms of the passage of C-6, there's some information on that. Bill C-54 didn't pass when the House was prorogued in the summer, and the federal government introduced Bill C-6 again. There are some amendments to it, and we'll deal with those in the coverage. In the House itself, the only significant opposition that's been seen to the bill to date has been with the Bloc québécois, for two reasons. One, which we share, is the purported override of the federal government into provincial jurisdiction. Secondly, Quebec, as a province, has its own privacy laws, which I think some people feel to be stronger in fact than what Bill C-6 puts forward.

G. Clark: Just very quickly, then -- not to belabour it -- what is the position. . . ? Clearly it is provincial jurisdiction, unless it is in this form I just mentioned -- Amazon.com or international or interprovincial trade. Is it not provincial jurisdiction under the constitution?

S. Culbertson: With the Amazon.com example?

G. Clark: No. If it's international trade or interprovincial trade, it's clear that the federal government has some role, but intraprovincial is exclusively provincial jurisdiction.

B. Barnard: Maybe this will help clarify it. In the first three years when this act comes into force, it will apply only to organizations in the federally regulated private sector, including employee information in those organizations, and to international and interprovincial trade in personal information where the information itself is the subject of the trade.

[1100]

G. Clark: Anything covered by the Canada Labour Code would be federally regulated and therefore covered by this.

Interjections.

G. Clark: Yeah -- banks, telephone companies.

A Voice: The airline industry.

G. Plant: So I need to know what that means. What kind of information does that. . .in the case of a bank or an airline?

G. Clark: Or a telephone company.

G. Plant: Yeah.

S. Culbertson: Well, let's spend some time on a bank, because that would be covered by the federal act. It's a relevant example, since there are some banks in Quebec that are operating under the Quebec legislation which have chosen to extend that throughout Canada. So banks collect an enormous amount of data about personal information, and they would be signing up not only to the CSA code, which they've supported, but to legislation that makes the CSA code law. If a bank violates the use of that information, then they are violating a law now instead of. . . .

G. Clark: It's interesting, though. In some cases. . . . Banks might be the worst example, because they already have quite strict privacy legislation -- the four pillars, etc.: not being able to exchange information between insurance companies, brokerages and banks, although they seem to get around that. But that is probably not the best. . . . Telephone companies would be a better example probably, because it's common practice, it seems to me, to sell telephone lists. Is it not? I mean, that's how telemarketers and. . . .

G. Plant: Whether it is or it isn't, there's a good example.

B. Barnard: But that's the purpose of C-6. Bill C-6 is getting right into the issue that that practice, even though it happens today, admittedly, would not be lawful in the future, without your consent.

G. Plant: May I, for a moment? What about the situation of someone applying for a loan from a bank? Now, we're not talking about the bank making available to. . . . I don't know. I'm trying to think of what a good example would be in the context of telecommunications, and I can't right now. So I'm going to stick with banks. If I make a loan application from a bank, does the same code apply to whatever the bank does in respect to testing my creditworthiness?

[ Page 9 ]

G. Plant: You waive all your privacy rights, probably.

A Voice: You give them consent.

C. Norman: No. Well, you give them what's called informed consent. They're required to explain to you what they need to collect from you. That's why the principles are important, because there is an issue of reasonableness and informed process here. When you go to fill out a loan, you can expect that you're going to have to give the bank information for them to verify that they should give you the loan, and you sign at the bottom. It should explain on a form that you are consenting to do this. It's an informed consent.

Now, the next step is that the bank uses that information for those purposes, and only those purposes. You would not expect that when you give the bank that information, they then take that along with other people's personal information and send it to insurance companies or for some other type of business. That's a reasonable expectation on your part. You've only consented to that one kind of activity. That's where the law will start to address those kinds of issues, which do occur now and in many instances occur without your knowledge.

G. Plant: If I can return to my theme, at any rate, that transaction -- that is, the borrowing transaction between me as an individual and a bank -- is the kind of transaction that would be subject to C-6. . .

A Voice: Absolutely.

G. Plant: . . .which is, I guess, more consumer-directed, perhaps, in some ways than the issue of the purchase and sale of customer lists.

B. Barnard: And that would apply when the federal legislation is enacted -- that practice would come into force.

G. Clark: But from our committee's perspective, perhaps the more important issue is that banks will be covered by a certain set of rules, and credit unions will not.

A Voice: Correct.

A Voice: That's an example.

G. Clark: Unless we bring in companion legislation.

B. Barnard: That's the reason that the federal government is looking to the provinces for harmonized legislation.

G. Clark: That's why we're here.

P. Calendino: Byron, going back to Mr. Plant's example of making a loan and signing a consent that allows the bank to take some information, now, sometimes the wording in that consent is in a way that the customer doesn't realize that he is signing all his information and personal details away, because it's legalese, and not everybody understands that.

Does C-6 make language clear for everybody to be able to understand that they're not signing away, and then there is something hidden in that consent that allows banks or other companies to do whatever they want?

[1105]

C. Norman: One other component to Bill C-6 is that it does create an oversight mechanism. One of the responsibilities assigned to that overseer, the commissioner in this case, is a public education process which would be to try to help individuals understand their rights within the process. There will be a responsibility on individual businesses to inform you as to what they're going to do.

Now, your experience about perhaps not having it explained in a way that everyone can understand is probably a fair one, and that would be something that an individual might have reason to complain about -- if in fact they felt this wasn't clear to them. But what it does for the first time is give you a mechanism to address your concern, whereas sometimes, with the sectoral codes, you are essentially talking to the entity that you might have the problem with. That's been a big issue with regard to a legislative approach and providing some kind of oversight mechanism.

E. Walsh: Is there something under that bill that addresses, right now, alcohol- and drug-testing, which is starting to be required throughout the different provinces by different companies? Is there anything in the bill that addresses how the information is gathered and collected in one province? I think this probably goes back to some of what we have been discussing about banks, when the information is gathered in one province and the company is, say, in another province -- how the collection of that information can be protected. Or does the individual know, because their job depends on actually following through with this that now they have to consent? Otherwise, they have now lost their job. So they're being forced to consent to an action that they would not normally consent to. And the gathering of this information. . . . They still have no way of knowing where this information is ultimately going to end up. Is there anything in the bill that's going to address those kinds of issues that are going to be coming out?

B. Barnard: Yes, this gets to the issue of international and interprovincial trade in the personal information, where the information itself is the subject of the trade. That's the key issue. But certainly this is an issue that the B.C. Federation of Labour brought up when we had some initial discussions with them: employee information and what happens to this information.

C. Norman: What the bill would do with regard to, say, something like drug-testing or activities of that type. . . . They would be considered collections of information, which would mean that you couldn't surreptitiously collect information about an employee. But it wouldn't necessarily prevent you from collecting information about your employee if you were up front about it or made it a requirement of hiring -- that

[ Page 10 ]

E. Walsh: For federally regulated. . . .

C. Norman: Yes.

G. Plant: I have a question arising out of Erda's question.

R. Kasper (Chair): Geoff, go ahead.

G. Plant: You initially put Erda's example of a drug test into the category of collection of personal information. There is a provision in Bill C-54 that was, I think, section 5(3): "An organization may collect information only for purposes that a reasonable person would consider are appropriate in the circumstances." Now, on the face of it, I could see a discussion taking place in the context of mandatory drug-testing in the employment world about whether or not that would in fact be a collection of personal information for a purpose that a reasonable person would consider is appropriate. Is that provision continued in Bill C-6?

B. Barnard: It's probably best at some point in time to get the Industry Canada specialists here. But section 27(1) of Bill C-6 says: "No employer shall dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee, or deny an employee a benefit of employment by reason that. . . ." And there are several issues there.

[1110]

Can I ask one other question on Bill C-54? One of the issues we have to consider is not simply that bit about us now looking at the provincially regulated private sector but whether Bill C-6 as it now is, in its regulation of the federal public sector and private sector, is adequate. There's this very strange thing in Bill C-54 that I don't think I've ever seen in a piece of legislation. Also, in section 5 it says: "The word 'should,' when used in schedule 1, indicates a recommendation and does not impose an obligation." Do you know if that language is continued in the federal legislation? And does the province -- the government -- have a position on what the heck that means?

B. Barnard: The language is continued. The province does not have a position.

C. Norman: The language is continued. The "should" and "shall" are a counterpart to what exists, say, in our public sector legislation, where there are requirements, and there is discretion. So in essence it's their way of addressing the sort of discretionary or mandatory requirements in our public sector act. They're doing it by different words, but the intent is the same.

G. Plant: But "should" is not the same as "may." I mean, I don't. . . .

G. Clark: Yeah, it doesn't have. . . . Why doesn't it say "may"? That's the question.

C. Norman: Well, the federal drafters had preferences, apparently.

G. Plant: All right. That's helpful; thank you.

R. Kasper (Chair): Okay, Stuart. You could just carry on.

S. Culbertson: I want to talk a bit, because I think we're getting into this discussion about what the so-called override into provincial legislation. . . .

G. Clark: I guess it was excluded from the. . . .

S. Culbertson: Yeah.

As we say, we've covered that the bill purports -- and this is our position -- for coverage in provinces in three years if the provinces have not enacted substantially similar legislation. We've included in the binder for your reference some of the correspondence that has gone back and forth between our minister and Minister Manley on this, as well as a resolution that was passed by all of the provincial Attorneys General in January. So it sort of sums up positions.

[1115]

We also noted, as has been discussed earlier, that we felt the bill to be a bit unclear on this whole issue about transborder data flows, which we talked about in the Amazon.com example, and that we saw no provision in here to differentiate between small and large companies. The discussions we've had on this in the private sector in B.C. showed significant concern, particularly from small companies, that this could impose onerous costs and red tape in doing their businesses.

You'll see, in the last piece in tab 6, the resolution that was passed by the provincial Attorneys General at their meeting -- I believe it was in October 1998 -- which covers the same sort of material and speaks quite strongly around the provincial incursion. So all provinces are concerned about this incursion into provincial jurisdiction.

G. Plant: Speaking for myself, this is, I guess, one of the big issues here. The substance of it all, I hope, is going to occupy more of our attention in due course, but this is the second question in my mind, and it's a big one. You know, to

[ Page 11 ]

S. Culbertson: Yeah, they do. But also, when challenged on that front, as I have with the federal deputy minister, saying: "Then you have the constitutional authority to strike down the interprovincial trade barriers. Why have we all been sitting around negotiating this stuff for ten years? You either have it or you don't; you can't be selective about it. . . ." But they would argue that they've got it. I haven't seen any legal opinions that they have to suggest they have that. Our assessment from our own Attorney General's ministry is that we have a fairly strong case against this particular proposition.

G. Plant: That was a good answer. That answers what would have been my second question.

S. Culbertson: That's then reinforced in the Attorney General's resolution. I think everybody has come to the same conclusion.

G. Clark: It's probably kind of a bully pulpit kind of approach, really, to try to get the provinces to move quicker on legislation. I agree with my colleague. At the end of the day, who really cares, if we can develop legislation that is sufficient in British Columbia and that can be ideally a model for the rest of Canada? That would be good. We should pursue the substance of the question here in British Columbia to the best of our ability, and the jurisdictional one will solve itself.

S. Culbertson: I think there are two elements of that. One is the jurisdictional question, and the feds are clearly using that approach to try to drive everybody in that direction. But the second -- and it's a significant one, in my view -- is that if provinces all independently went out and legislated in this area, there's a good chance that we would legislate in different ways and that we would create our own sort of patchwork quilt of regulation throughout the country, which certainly the business community is highlighting in any of their discussions around this thing. If you're going to do something, do it in a way that harmonizes across the country rather than creates ten or 11 different ways of doing it -- when we go into one province, we have to comply one way, but we don't comply that way in another province. I think the feds are probably looking at that too.

G. Plant: I think there is tremendous force in that. I guess, without having an answer to the problem, I feel that it's important to identify the problem. Mr. Clark's examples earlier show us where we're going. That is, he hypothesizes the transaction that looks like it occurs in someone's basement -- purchasing a book from Amazon.com. Increasingly that is going to be how we as consumers do business. And increasingly it is going to be an esoteric exercise to figure out where this transaction has taken place. If the federal government is of the view that it has the constitutional authority to regulate all of these transactions, then any semblance of provincial control over the market -- you know, the commercial economy -- is going to become purely theoretical and not very practical, because virtually all of the transactions in that economy are going to take place in what we now call the e-com world, which is going to be federally regulated. It may be that there is no alternative, because that's what is happening in the marketplace and because of the points that you make, Mr. Culbertson, about the difficulties that would be presented if there were 11 significantly different privacy codes. But boy, I just think we ought to be really alive to. . . .

G. Clark: Although the bigger question is whether Canada can regulate international commerce -- let alone British Columbia.

R. Kasper (Chair): Katherine, now you can get in here.

K. Whittred: I've almost forgotten what my question was. I think it was tied to this general question of the scope of this issue. I was really interested in knowing, from the examples that have been given, about the commerce. What discussions have taken place internationally about jurisdiction? It seems to me that ultimately we don't know where this book is being bought from. It could be Grand Cayman, it could be Timbuktu, it could be the Shetland Islands. We don't know, when we buy something on the Internet, where that e-mail is from. We don't know where that transaction is taking place. I'm assuming that at some level, someplace, somebody is discussing this. I would like to know what the background is, if any, on that.

S. Culbertson: Again, going back to the OECD -- which brings together, I think, 27 countries in the world that have been working on this whole thing -- I myself expect that this probably is the next new frontier for international trade negotiations, as well, which start next week in Seattle. It is very much going to have to address those questions. To add to the complication, you could be sitting in your basement buying a book from Amazon.com in Tacoma, but they may ship the book from Australia. It could engage more than one country in the transaction before it shows up at your house.

[1120]

K. Whittred: Can I ask. . . ? In a more direct sense, we've talked about using telephone companies as an example, because they are federally regulated. Again, I go back to my example that with today's technology, we don't know where that telephone call is even coming from. I can give you an example. One day I phoned a technical troubleshooting thing for my computer. I phoned what I thought was a Seattle number. I thought I was talking to a guy in Everett. We got chatting, and it turned out that this guy was in South Carolina. I mean, I don't know. . . . Well, we know about how it can happen, but. . . .

[ Page 12 ]

I'm going to quickly get into what various sectors think about Bill C-6 and where their positions are going to be -- just a quick status report, which is pretty current. It passed the House on October 26, passed second reading in the Senate on November 16 and is now heading to the Senate Standing Committee on Social Affairs and Science and Technology. The next couple of slides I have are talking about the issues that have been raised by some of the sectors around Bill C-6. I'm spending some time on this because I think these will be the same ones that you're likely going to be hearing.

At the moment, the health care sector is the one that's probably doing the most work at the Senate level to try to get some sort of exclusion for it under the legislation. It's not totally opposed to having some coverage here but is probably looking at more of a CSA code type of coverage adopted by health practitioners rather than having legislation in place. Their concerns, as we've seen them expressed, are basically threefold.

Firstly, collecting or having these securities under this legislation is going to be prohibitively expensive. It's going to require significant administrative change on the part of health businesses in Canada to comply.

Secondly, the critics of the bill in the health sector are arguing that it would be better to cover the health care industry under laws developed by health care professionals. You'll see this kind of notion in a couple of comments from sectors.

Finally, they are worried about the need to be able to collect and transfer personal information in an identifiable form for research purposes, so they can contact patients with results. A doctor sending a file over to a research lab within the province or somewhere out of the country, needing to have a patient's consent to send the file around for doing research purposes around a patient's case, is something they have some difficulty with. The federal government is saying that Bill C-6 addresses all the administrative concerns in this respect. No compelling argument that are put forward. . . .

In general -- and we discussed this -- all sectors that we've surveyed. . . . In the binder we've tried to do an assessment of a whole bunch of sectors that have been engaged in this activity, so that you can see where they're coming from. All sectors are equally concerned, I think, on two fronts: that there's sort of equity of treatment in Bill C-6 and that there's harmonization across the country -- the patchwork quilt example.

[1125]

R. Kasper (Chair): I'd like to jump in here, Stuart. I have a copy of a letter that was sent from the Deputy Minister of Industry Canada. It says -- and I'll just paraphrase here -- that there remain areas of activity that involve extremely sensitive personal information, public health records and employee records being good examples; for these areas, only the provinces can legislate privacy protection; we encourage you to consider broad coverage in your legislation.

Wouldn't concerns that were raised by those people, both those who want tighter restrictions and those who want more freedom, now become redundant because of what the bill lacks as far as protection in those areas that I've mentioned?

S. Culbertson: Would the federal bill become redundant?

R. Kasper (Chair): No. Well, those concerns now. . . . In order to deal with the examples that I've read here, it would in fact have to be done by the provinces as opposed to by Bill C-6.

S. Culbertson: The first response is that the federal government is not leading with an argument that in three years they're going to swoop down on you. They're actually encouraging provinces to get on with similar legislation. I haven't seen the letter that you're referring to, but perhaps that's kind of the tone in which it's offered.

C. Norman: One thing that didn't come up in our discussion a few minutes ago is the issue that even if a province chooses to let Bill C-6 be their private sector legislation. . . . Let's say that in B.C. we decide we're not going to do anything, and in three years Bill C-6 applies to us. To use the example cited earlier about a bank and a credit union, the credit unions would be covered for their commercial activities, but the employee records -- the employee information -- would not be covered. So you could have a bank on one side of the street having employee records covered with some form of privacy protection. The credit union employees would not have that protection. The same would apply with health care information. So if Bill C-6 applies to the provinces, it won't be total coverage; there will be some fairly big holes in the net.

G. Clark: Mr. Chairman, I don't want to be obstreperous, but I don't accept that if we do nothing, Bill C-6 will apply to provincially regulated jurisdictions. With respect, Chris, I don't think we should make that assumption in our conversations. I think that if we do nothing, then they can purport it to apply, but it would be a very big legal debate as to whether it would apply or not.

B. Barnard: The federal government would purport that their legislation apply under the trade and commerce act in the commercial aspects of the transaction. That would be the issue.

G. Clark: Your point is still valid, Chris.

B. Barnard: So it would be the commercial aspect of the trade in personal information. We need to be pretty clear about that.

[1130]

[ Page 13 ]

B. Barnard: Provincial, commercial. . . . I mean, to set the record straight, you might want to have provincially, commercially regulated transactions and employee information.

R. Kasper (Chair): Okay. I'm sorry for jumping in. It's just that I wanted to get that off my chest. Carry on.

S. Culbertson: We've already covered the journalist and artistic activities exemption. The information technology sector -- again, looking at the briefs that were presented -- is generally supportive of the need for legislation based on the code. They obviously have some very strong interests in the way that this will be applied in electronic commerce for Internet providers.

The banking community is generally supportive of the legislation, although they are arguing for a light level of oversight obligation and are generally saying that the sector codes that they have developed -- which were referenced earlier -- are more than adequate and perhaps not needed. I did mention that chartered banks operating in Quebec are already operating under the Quebec privacy legislation and often have just simply, for the purposes of doing business effectively, extended that across the country in their own practices.

G. Plant: Surely the banks must trip over the EU directive. They're having to live with a bunch of different regulatory regimes already.

S. Culbertson: The telecommunications sector is generally supportive of the concept of legislation. Again, they would prefer sector code controls that they would develop themselves, and they felt that voluntary responses were a better way of doing it.

The insurance sector, in the representations they made, emphasize, too, the strength of their voluntary codes and their success record in adhering to those codes across Canada. They show some concern around the lack of clarity and some of the terms of the legislation and its enforcement, and they requested that the legislation essentially legalize sector codes, as opposed to trying to create a new framework and dropping it on top of a sector that already has that in place.

The accounting profession is generally supportive, again arguing that they have codes of ethics in their practice that require accountants to keep information confidential.

Direct marketers, who obviously have a huge interest in this area, being both the purchasers and sellers of large banks of information and address lists, actually requested legislation in this area to establish, I think, the best practices of their members and to ensure that their members were not blighted by poor practices on the other side.

G. Clark: I'm puzzled by that.

S. Culbertson: I guess, not having looked through the brief in detail, that a direct marketer who is buying and selling address lists subscribes to a code of practices set up by the association that would say: "Look, I'm going to tell consumers my practices are open, etc., about how this information is passed back and forth."

G. Clark: Yeah, but when I buy a Maclean's magazine subscription and suddenly I'm getting pitched to buy -- whatever -- Time magazine or Runner's World or something, they got that name from Maclean's magazine, who sold my name. I assumed -- falsely, I guess -- that when you look at that code, that would no longer be allowed -- in which case, direct marketers wouldn't be very happy.

G. Plant: No -- they have to ask your permission.

G. Clark: But they never have.

G. Plant: No, but that would be the change.

G. Clark: I don't believe it. I would be surprised if direct marketers would support that issue.

B. Barnard: The direct marketers' interest. . . . They actually did support the CSA code, but their interest was in getting rid of some of the bad actors in their own organization. They were interested. . . .

G. Clark: They have high standards there, do they?

A Voice: Yeah.

B. Barnard: And getting higher, they claim.

G. Clark: Ah.

G. Plant: If I could maybe give specific examples. . . . I need to, for my purposes anyway, and it helps a whole lot more to try and be concrete. I get a new piece of software, and I'm installing it on my computer. At some point, of course, you have to register. At some point during that process, you get asked the question: would you like more information about similar products from, you know, XYZ Corp.? Then the next question is: would you like information about related products? Presumably that passes for consent in whatever world those people are living in now. Am I getting that right?

[1135]

G. Clark: Yeah, and I agree with that. I don't want to be provocative -- and maybe you can't answer this question -- but the old-fashioned direct marketers -- the bulk-mailing direct marketers. . . . Is anything different going to happen to them after Bill C-6 passes than what happens today?

B. Barnard: Yes, absolutely.

G. Clark: They're not going to be able to buy and sell lists like they used to.

[ Page 14 ]

G. Plant: The law will change. Whether the law is enforced and all of that other stuff is. . . .

B. Barnard: The law will likely change over time, and the practice will likely change over time.

S. Culbertson: You can see on the slide here that some of the direct marketers, while in principle supporting this, have already flagged how onerous it would be for them to comply with that very part -- the expense.

G. Clark: Well, I'm kind of surprised that it says "generally supportive."

S. Culbertson: I really believe it is the good apples-bad apples argument that they're supportive on. You know, whether they would phone every person in the Victoria phone book and say, "I'm about to give your address away," or whether you'd be subscribing to Maclean's and -- almost to Mr. Plant's example -- there'd be a little check box that says, "Would you mind if we gave your address to other organizations. . . ?" That might be a way of asking for consent.

G. Plant: One of the things I was going to say in the context of the issue that Mr. Clark raised is that technology now makes it a lot easier to design systems that can be one check of the box and then a couple of clicks on the computer, and the whole thing goes. Conversely, you could scan the phone book of any major jurisdiction about as quickly as you can feed the pages into the machine. So direct marketers who want to do that may be able to use that, subject to the way that Bill C-6 would apply or the way that anything that we might recommend would apply.

S. Culbertson: Yeah. And there is an amendment in Bill C-6 that says that information could be used without the knowledge and consent of the individual if the information is publicly available.

P. Calendino: Just a moment. Taking that example of a name in the phone book. . . . To have your name in the phone book, you have to give your consent to the phone company to print it, and you can withdraw your name from the phone book. Now, if a direct marketer makes use of the phone book to do mailing to your house without you having consented to that, are they violating the law?

B. Barnard: The Canadian Direct Marketing Association has a provision where, if you are getting unwanted mail from marketing companies, you can register with the CDMA -- Canadian Direct Marketing Association -- to have your name removed from lists.

P. Calendino: Does that mean that all the direct mail I'm getting today that I never consented to -- and it's tons every day. . . ? Bill C-6 will not regulate existing lists, will it?

P. Barnard: That's the theory. The Canadian Direct Marketing Association was one of the organizations that originally came up with and participated in the development of the CSA code. What they wanted to happen, which did not happen. . . . They wanted it to be more or less sectorally policed; they wanted to have it self-regulated. The federal government, of course, had its own agenda.

E. Walsh: Who, then, is responsible for the monitoring of the information that's being released, if the individual isn't aware of it? Is it the association? Who is responsible, then, for the enforcement of non-compliance?

P. Barnard: First of all, the law comes into place, and then it really is up to individuals to notify the organization or the privacy commissioner -- the oversight mechanism once the law comes into effect -- that their privacy rights have been abused. The expectation is that over time, it's not going to be with the major banks or the telephone companies or whatever -- and probably not even the major companies. It's largely going to be with. . . . To answer your question, the individual has to raise an objection, very much in a similar fashion to what they do right now with public sector legislation and the public sector process.

R. Kasper (Chair): I just remind you that it's -- what? -- 18 minutes to 12.

G. Plant: And I only have 17 more minutes of questions.

S. Culbertson: Well, it's been a pleasure making the presentation. Why don't we move to the status of provincial activity across the country? I think the rest of it. . . . You're seeing pretty well the same reactions coming out of the business community.

A Voice: Which section?

S. Culbertson: First of all, under section 8 in the binder, you've got our summary assessment of where the sectors are coming from and their briefs.

[1140]

I should tell you that there's been considerable interest, among provinces, in our discussion paper that was released as a summary of the information. I would expect that to be sort of replicated in a number of provinces as they go through.

What have we been up to? We've been involved in various advisory groups and discussions with the federal government on Bill C-54 and Bill C-6, and I've surveyed our position as expressed by the minister. We've actually had some preliminary meetings with the business community -- at least with Industry Canada; we did that last year. Then,

[ Page 15 ]

Under tab 11 in the binder, we've tried to summarize for you who we met with and kind of what they were saying in these general areas. We had planned to have further meetings in the North Coast, Vancouver and Vancouver Island, but we delayed doing that when this committee was announced, because we felt that since you'd expressed consideration of having public hearings, it was better that we stopped that process at this point. We then moved from the discussions that we had had in our assessment of the federal legislation to produce the discussion paper that was released a couple of weeks ago, and of course, the response to the discussion paper is to be filed with this committee to help your work.

I guess I'd say that there are some outstanding expectations, I suppose, since we've been out on the road and that the profile of private sector privacy has been raised, particularly in the business community, as a result of some of these preliminary discussions. I think you'll find the chambers of commerce fairly engaged on this and will probably want to meet with you, and there are some specific sectors that we can almost guarantee will be seeking specific consultation.

I think we can end now. These are just some of the key questions that are in the discussion paper, and we've all seen that and where we're coming from on it.

R. Kasper (Chair): Okay. Does anyone have any further questions of Mr. Culbertson or his staff?

G. Plant: One of the things that's often said in this area is that no matter how leading-edge we think the legislation that we're talking about is, we're just way behind technology already. I wonder whether what is proposed in Bill C-6 and what we might do here if it's. . . . For example, the suggestion was made earlier that we just recommend that the province put in place companion legislation that essentially mirrors what the federal legislation does. With the continuing development of encryption technology, for example, is the federal legislation going to become antique the moment it's enacted? Or do you think that the CSA principles are going to be workable and endurable, even as technology's ability to influence the dissemination and sharing of information outpaces whatever we think we're at right now?

[1145]

G. Plant: One way of answering it would be to say that if you. . . . I mean, ISTA tries to keep up with what's happening in technology, if for no other reason than to figure out how technology can be used to help the business of government. Does ISTA have the sense that there are things happening out there in the technological world that aren't going to get caught by whatever we are looking at in terms of regulations and laws right here and now? In other words, we may do this process, and then someone's going to come back immediately afterwards and say: "You've fallen behind. We need to go back into this area, because technology has changed." Maybe I'm not putting the question very clearly.

S. Culbertson: I think you could think of examples. The legislation, Bill C-6, is drafted to be technology-neutral, although there's an important component of it which I think we have to work on too, which is going to work on encryption and electronic signatures, etc. But my example of where this may outpace government's ability to do it. . . .

Let's go back to the Amazon.com example. At the moment, you buy a book from Amazon.com on the Internet, and it gets shipped to your house. It passes customs, and it goes through these various provisions. What happens when the next generation comes out, and you buy something on the Internet that's actually downloaded onto your computer? So your VISA card goes out, you buy a piece of software, and it's actually downloaded from the Internet onto your computer.

G. Clark: It happens now, yeah.

K. Whittred: You can do that now.

S. Culbertson: It doesn't ask the questions; it doesn't get shipped somewhere.

G. Clark: But you could buy books, theoretically, on line.

S. Culbertson: On line -- and get dropped onto one of these soft-book things. So these are examples, I think, of what all governments are struggling with, because that transaction technically has not encountered any government agent or regulator.

G. Clark: No tax, even.

S. Culbertson: Or tax, yeah.

A Voice: Especially no tax.

G. Plant: What a shock!

S. Culbertson: Heaven forbid! Some people like it for that reason.

G. Clark: But I think Geoff has made a good point, of course. This is an obscure question maybe. But cookies, for those who don't know, are the ability to find out who the browser is by technological means. So it seems to me that that information. . . . If you're even looking at a particular site, then they're going to know who that is, or they're going to find your address. It's a short period of time before they accumulate a lot of information on you for marketing. It's a marketing person's dream. I mean, I have to say that Amazon.com, especially if you're a busy person. . . . When I look at it, it says: "Hi, Glen Clark. We have some recommendations for you; here they are." And they tend to be pretty good.

[ Page 16 ]

G. Clark: What is interesting now, of course, is that they have recommendations for me on music. I've never bought any music, but people who like these books tend to like this kind of music, I guess. I don't know. So the question, then, is not just the selling of the information to third parties but the use of the information by an individual company. Amazon.com's success -- on their stock, at least -- is their ability to expand their product list. Of course, it wouldn't be long before. . . .

Safeway is an even better example. They know now exactly what I buy or my family buys every week. It wouldn't be very long before they could very easily market to me -- I think very successfully -- knowing exactly what I eat, what I read and what my tastes in music are. Pretty soon they'll develop a psychological profile of me for marketing whatever they want.

That, it seems to me, is the question we're trying to get at here. The fundamental question is their use of information about me in that case. It's not just the sale of that information but their use of that information. It does pose some very tricky questions, not just on the substance but on the jurisdiction of a subnational government on this question. I don't know the answer to it. But I think that Geoff's point is true, that no matter what answer we come up with -- and I think we should -- it will likely have to be kind of an iterative process over time. It may be changing all the time, it seems to me, based on new technology.

[1150]

There is one other, I guess, substantive question. That is, we generally have been talking about large commercial organizations and the commercial organizations, like Amazon.com, that exist in the Internet world. I would like to be able to see how these principles might work in the life of the operator of the 7-Eleven in Quesnel or the small business person. Clearly you're already hearing that there are apprehensions here. For my purpose, if we could see what this would do in their lives -- or their businesses, more particularly. . . . We may find, for example, that some of the concerns are not real or that others are real and that we do need to in fact make sure that we don't create an unreasonable burden of regulation.

G. Clark: Right. Or just to follow up on that, whether we would provide required regulation on domestic companies which doesn't apply to their competitors internationally. . . . So is Indigo going to be treated differently than Amazon.com and therefore put at a competitive disadvantage in this marketplace? Some very tricky questions.

R. Kasper (Chair): I just have one comment, because this issue has been raised, and there doesn't seem to be clarity on it as far as Bill C-6. In '98 the federal government commissioned a survey, and it showed that 86 percent of the respondents were very concerned about giving out their personal information on the Internet. And 91 percent of respondents were concerned about giving out credit card information on line. Well, knowing that information, why does it appear that Bill C-6 is so weak in that particular area, because of comments that members have made and the response from your office? I don't want to belabour it, but I find it odd. If the public at large, from the federal government's own commissioned survey, shows there's concern, why isn't it addressed in the legislation in a more binding fashion?

S. Culbertson: I think they would argue that the legislation would at least put some oversight in there to do that. It's not done in a binding fashion, as you say.

R. Kasper (Chair): But it doesn't give anybody in this room any comfort.

G. Clark: Well, it may be because it's Industry Canada and it's touted as an e-commerce initiative. There may be a conflict between the promotion of e-commerce and the regulatory burden that you'd impose to protect privacy of individuals. It seems to me that they're touting this as legislation which will assist in the growth of Internet-based businesses.

R. Kasper (Chair): But it may not be reality.

S. Culbertson: An example of that is that in Bill C-6, the commissioner that would be established would be a separate commissioner for privacy in the private sector and doesn't have order-making powers, doesn't have -- some would argue -- teeth to make some of the infractions that are brought before that commissioner stick.

G. Clark: There are no sanctions. Are there penalties?

C. Norman: Criminal sanctions for some activities.

G. Clark: Criminal sanctions for some activities. Fines? Administrative sanctions?

B. Barnard: They would have to go to court.

G. Plant: Is it truly a separate commissioner, by the way?

C. Norman: It's an extension of the responsibilities of the current federal privacy commissioner, but they have a separate information commissioner and a separate privacy commissioner. The difference between their model and ours is that our information and privacy commissioner has binding order-making power, with just limited judicial review functions. Theirs performs more as an ombudsman-type activity. They can report out and make recommendations. If an individual's still unsatisfied, then they would have to take it to the court.

[1155]

C. Norman: Yes.

[ Page 17 ]

C. Norman: It just adds responsibilities to that commissioner.

R. Kasper (Chair): Noting the hour, I'd like to thank you, Stuart, and your staff for the information. If members have any questions that come to light later on, then I'm sure that your good offices will entertain any requests for additional information.

Could you stick around, Stuart -- there is some additional information that you've supplied in the binder -- when we deal with our committee process in the latter part of the agenda, if that's okay?

G. Clark: Can I ask one question? Have you prepared draft provincial legislation in your shop?

S. Culbertson: No.

G. Clark: It seems to me that from the committee's perspective, Mr. Chair, we may want to -- if we wish to see this move quickly through the process -- prepare draft legislation as a committee, in which case we'd need to enlist the support of staff and the AG's technical people who can write legislation. It's up to the committee, but personally my preference would be that we embark upon, at least, model legislation for the government's consideration.

R. Kasper (Chair): Being proactive.

G. Plant: I think the time may come where. . . .

G. Clark: We don't have to make the decision now.

G. Plant: That's right. It's a little early yet.

G. Clark: I'm just curious whether they. . . .

G. Plant: If Mr. Clark has the ability to ensure that the Chair can get access to the necessary resources from government, that would be a really interesting step forward.

G. Clark: I don't know if I can anymore.

R. Kasper (Chair): Well, just to give the committee comfort, I've been advised by ISTA that they will make resources available to this committee, if needed, and work with us closely.

Okay, thank you very much.

Now, our next witness is David Loukidelis, the information and privacy commissioner. David wears his hat in dealing with the issues around the public sector, but because of his past life before becoming the commissioner, he's a very strong advocate around this issue. David, it's good to see you here, and I hope you're enjoying your new job.

D. Loukidelis: I am indeed. Thank you very much, Mr. Kasper.

I'm pleased to be able to appear in front of the committee today. Perhaps I should have given you the heads-up. My remarks will be quite brief. Perhaps I should have warned you, because I wouldn't want to deprive any of the hon. members present of their opportunity to ask more questions of the representatives of ISTA.

If I may say, I'm especially pleased that this committee has taken on this task, because I think that as you proceed in your work in this area, the knowledge base that you've gained in the four-year review of the Freedom of Information and Protection of Privacy Act will stand you in very good stead. I think that, as we've seen already in the comments made during the ISTA presentation, there are many issues that are complex and troubling and that are not susceptible to easy or clear answers. If I may say, I certainly wish you luck as you carry on with your endeavours.

A Voice: Not very inspiring, is it? [Laughter.]

D. Loukidelis: What I propose to do today is. . . . Much of it will be by way of a coda to what you've already heard from ISTA. I would like to make it clear at the outset, though, that the perspectives I will offer today are very general perspectives that come not so much from my role as commissioner but from my experience over the years, as Mr. Kasper said, in the private sector, both in working in this area but also in following the issues as they've developed over the last few years.

I will begin, I think, with a general perspective on privacy -- what it means and what its content is as we find ourselves, to use a cliché, increasingly enmeshed in an information technology-driven society and economy. Then I will touch on the experiences that our office has had with private sector issues that arise, because we do find ourselves literally fielding calls daily from the public, who have concerns about private sector practices in this area.

[1200]

One author in particular -- if you'll indulge me to quote at some length -- has characterized that concept or value of privacy in the following way. This is a 1997 book on the value of privacy, written in the United States by Janna Malamud. She says in the prologue at page 11 that:

"Privacy is linked with individuality because it offers a space in which a person might become more fully him-or herself. The elaboration of love, intimacy, thought, sexuality and friendship requires some privacy -- so too the development of one's own point of view. But the temporary separateness that privacy supports is often confused with isolation, and the sheltering that privacy sanctions is not the same as secrecy. So, too, the interest in promoting situations that allow people to live more fully as individuals is not the same as advocating individualism.

"To state it briefly, individualism tends to minimize interdependence and shared communal obligation, while respect for individuals tries to guide institutions, laws and communal rela-

[ Page 18 ]

tionships in directions that help people live fairly and with dignity. The virtue of privacy, as I have come to understand it, is not in isolating people but in allowing them temporary space in which they may accomplish important human tasks that are otherwise thwarted."

In the legal sphere, certainly, beginning in the eighteenth century, the courts began to establish for individuals to be secure against unreasonable search and seizure on the part of government agents. In the age of attempts to suppress sedition -- in the form of people who were advocating enfranchisement and democracy -- the courts stepped in as a bulwark against the exercise by the Crown of its right, as it saw it, to enter into people's homes without warrant and without cause. Certainly, you know, in the succeeding two centuries, we've come to a place where the United States constitution and the Canadian constitution both recognize privacy rights as constitutionally entrenched, to varying degrees and in different ways between the two constitutions.

I think another offshoot of the sort of bedrock importance of privacy is the development over the last 20 years, especially -- in the ways that have been outlined already in ISTA's presentation -- of legislative initiatives throughout the western world that are intended to protect individual privacy, both in the public sector and in the private sector. I think that, again, as was already touched on in the previous presentation, there is a very widespread, deeply held conviction on the part of individual citizens, if you will, and legislators that the protection of privacy is sufficiently important to move into regulating even in the private sector. This is, again, an international trend; I don't think there can be any denying that the initiatives beginning with the OECD guidelines in 1981, the 1998 European Union directive on private sector transborder data practices and developments elsewhere in the western world are anything other than a ringing endorsement of this kind of initiative.

Certainly I think, in fact, when you look at what's been done in Europe. . . . I'm not speaking just of the European Community directive but of things like the Data Protection Act of 1984, which has recently been re-enacted as a 1998 piece of legislation in the United Kingdom. If you look at what's been done in Germany, Sweden, France and in other European Community countries, Canada and the United States are somewhat out of step. The initiative of Bill C-6 is, I think, a laudable response to the European Community actions that came into force last fall. But it remains the case that, generally speaking, the U.S. and Canada are out of step.

[1205]

I would note that not only are the Americans seeming to come around on this point, as it relates to commercial use of personal data, but they also are showing signs -- I think because of public support within the U.S. and international pressures as well -- of coming around in other areas. President Clinton, for example, issued an executive order about three weeks ago, having given Congress a three-year warning that it should act, or he would do something about it. That executive order, as I understand it, will regulate close to a million so-called users of personal health information in the private sector. So health care organizations that are not within the public sector will now, under this directive, be subject to comprehensive, detailed rules on the collection, use, disclosure and destruction of personal health care information. Certainly the Democratic side of Congress is apparently supportive of a bill that will soon be put before the House to back up the directive with the right to sue, which of course is a quintessentially American approach to ensuring compliance with public laws -- a private right to sue, in other words.

The idea that regulation of private sector practices as regards personal information collection, use and disclosure, again, is broadly accepted. It's broadly accepted that that's necessary. Some comment was made awhile ago about the reason behind the federal government's initiative with Bill C-6. Is it really an e-commerce-enabling initiative, or is it really about consumer protection -- or protection otherwise -- of personal information? I think it's a bit of both. I think it's safe to say, though, that any initiatives that are taken at the provincial level can equally serve both objectives. I think that there's probably room for being able to not unduly burden the private sector while at the same time providing an appropriate level of privacy protection for individuals.

Turning to our office's experience with private sector issues, as I said at the outset, we daily have contacts from the public with our office. It's somewhat anecdotal, but I'm advised by the staff in our office that roughly half a dozen phone calls come in every day from individuals who are calling about what they perceive to be a private sector abuse with regard to their personal information.

A lot of the calls have to do with insurance companies. Some have to do with other financial organizations: banks, credit unions and other credit-granting institutions. A lot of the calls have to do with the credit reporting agencies -- the Equifaxes of this world. The issue there may be a lack of consumer awareness that the Credit Reporting Act already has regulatory effect with respect to certain aspects of the personal information practices of those kinds of organizations.

A lot of the calls apparently have to do with complaints from patients who have asked their physicians for access to their own personal medical files, and the doctors have

[ Page 19 ]

[1210]

P. Calendino: David, can I ask you a question at this point?

D. Loukidelis: Sure.

P. Calendino: If a credit agency or a bank or a loans company has a client who has been delinquent and hasn't been paying for some time, what authority do they have to sell that information to a collection agency? Then the collection agency goes after the client. Is there something to prevent that? You were alluding to something there.

D. Loukidelis: This touches nicely, I think, on one of the key issues that will arise out of legislation such as Bill C-6. I think Mr. Plant speculated that when one applies for a loan from a bank, you basically sign away any privacy rights that you have. I think it is the case, generally speaking, that with most loan applications -- my sense is, at any rate -- you consent at the outset to your lender using your personal information for the purpose of collecting on the debt if you renege on it. So they're then at liberty -- because you've contractually, in effect, consented to their doing so -- to disclose that information to whatever collection agency they want to choose to follow up on the debt, if you will.

That, then, leads to the general question with Bill C-6 about consent. Is the collection of information to which you're purported to have consented truly a consent that was freely given? The role of legislation of this kind, I think, is to try and set some sufficiently generous -- i.e., not unduly restrictive -- parameters within which businesses can operate in getting your consent to use of your personal information for whatever purpose they think is appropriate.

The experience that we have -- returning to the contacts that our office gets daily -- I think, really just echoes the kind of data that Mr. Kasper alluded to just before I began my remarks: results of opinion polls, for example, as to consumers' concerns about disclosure of personal information over the Internet, results of opinion polls in the United States which, by the way -- and I alluded to this a minute ago -- echo that kind of conclusion. Polling that's been done in the States recently shows that consumer concern is running at least as high as it is in the Canadian polling data when it comes to disclosure of one's information over the Internet. Similarly, concern about personal health care information is running very high in the United States. It is also the case that it's running high in Canada.

G. Clark: But they're not concerned enough not to buy, though.

D. Loukidelis: That's right.

G. Clark: I mean, the rate of growth of Internet sales is phenomenal.

R. Kasper (Chair): Their hands shake when they push the button to enter.

G. Clark: But they still push the button.

D. Loukidelis: On that point, a lot of consumers apparently do take the option of. . . . They get to the point of making the selection. They'll note down the toll-free number and all of the other data, and rather than actually ordering over the Net, they will use the toll-free number and give the credit card number to a stranger who answers the phone at the correct phone number, which is interesting. There is some of that avoidance behaviour. The assumption is that when you can talk to a human being or an individual, you're taking it on faith that that number is the right number and that the person who's answering will use it for the right purposes and not for personal purposes. There seems to be a higher comfort in doing that than in actually entering the data on the Net. I guess the security about interception in transit is the big concern. This comes to the encryption comment that was made earlier and the development of encryption software that will certify the security of your personal information when you transmit it over the Internet for commercial purposes.

Again, I think there is a very high level of public concern, and that all goes to my concluding remark, I guess, on this point. I certainly think that the public demand or expectation is out there that something be done about this; that this kind of legislation should be viewed, as well, in the context of the developments in the western world over the last 20 years; and that we'll soon see a relatively uniform, one hopes, set of laws that will deal with legitimate privacy concerns when it comes to private sector practices, without unduly disadvantaging -- to touch on another point that was made -- British Columbia or Canadian businesses when it comes to doing business using the Internet or other data transmission means, when it comes to transborder data flows.

[1215]

[ Page 20 ]

The story goes on for about four pages about what was found out about this journalist -- with his consent, in effect; he initiated it. I'll just read to you one or two of the things that were found out about him within a matter of days. The investigator found out readily, over the Internet and within a matter or days:

". . .how much cash I burn in a week, $400; how much I deposit twice a month, $3,061; my favourite neighbourhood bistro, the Flea Market Café; the $720 monthly cheques I write out to. . .my psychotherapist. . .my latest phone bill, $108; and a list of long distance calls made from home, including late night fibre-optic dalliances, which soon ended, with someone who travelled a lot.

"[The investigator] also divined the phone numbers of a few of my sources, underground computer hackers who aren't wanted by the police but probably should be.

"Knowing my social security number" -- which he easily found out, it appears -- "and other personal details helped [the investigator] get access to a Federal Reserve database that told him where I had deposits" -- and how much they were.

It appears that he even found a number of bank accounts that this journalist had forgotten existed, so he found some money for him, in effect.

"A few days later. . .he located my cash management account, opened a few months earlier at Merrill Lynch and Co. That gave him a peek at my balance, direct deposits from work, withdrawals, ATM visits, cheque numbers with dates and amounts, and the name of my broker."

R. Kasper (Chair): Great. Thank you, David.

Members?

J. Weisbeck (Deputy Chair): I was curious to know. . . . We talked earlier about creating draft legislation, and I was wondering: do we require separate legislation for this, or could we incorporate this into our current act?

D. Loukidelis: Certainly in Quebec they really just extended the existing legislation to cover the private sector. It would take some amending, obviously, but theoretically it's possible -- sure.

P. Calendino: David, an interesting question we're facing in two weeks in Seattle is the big meeting of the WTO. Of course, the push in the WTO is the liberalization of trade and the movement of capital, etc. This kind of legislation seems to be contrary to those principles, because decisions in the WTO or in any international trade will be made by an international panel. Any subnational or national government laws will have no effect at all in the decision, because they will not look at subnational or national laws. Are we wasting our time?

D. Loukidelis: I think not. I do accept that the drive towards trade liberalization will have an impact on strictly national -- or, as you put it, subnational -- legislative initiatives in this area. I think that notwithstanding the general American dominance of the WTO, the initiatives of the European Community and the principles that were adopted by the OECD will ultimately go a long way to ensuring that there is international recognition through trade organizations and trade agreements of a certain basic set of privacy protection principles when it comes to transborder data flow. That then, I think, would drive initiatives in each country or within each jurisdiction to ensure that the local laws adhere to those same standards so as to have a transparency there that would comply with any international obligations on the trade front.

[1220]

D. Loukidelis: They're in gambling.

G. Clark: Well, gambling is what's happening. I must say, though, that there are probably some NAFTA considerations with respect to rules that we might impose in Canada on companies doing business here which previously was not covered by rules, which might trigger some compensation claims by individuals.

P. Calendino: That is the issue; that's exactly what I'm trying to point out. NAFTA is a serious consideration in any protection-of-privacy legislation. But what's happening now. . . . The MAI seems to be dormant, but it's about to be reawakened under a different name. All it is, is an extension of NAFTA internationally. If there are serious concerns in terms of the NAFTA agreement, obviously there would be concerns with any other international agreement.

D. Loukidelis: Yeah. That's right. But if I could just reiterate, I think that, again, the OECD and European Community initiatives will, despite the American dominance, be pushed towards a WTO adoption of those kinds of standards. One can hope, at any rate. I think that Europe will, by all accounts and all appearances, stand pretty firm on that.

G. Plant: When I listen to those statistics about the percentage of people who have concerns about conducting transactions on the Internet and then I listen to your opening comments, I wonder whether there are almost two discrete universes here. One is a sort of post-Enlightenment conception of the autonomy of the individual which becomes this

[ Page 21 ]

G. Clark: As opposed to the privacy argument.

G. Plant: As opposed to the privacy argument -- exactly.

D. Loukidelis: Sure. I agree that there is a personal commercial security component to it. Having said that, though, I think there is ample evidence that individuals are concerned about the kind of information gathered about them and made available over the Internet and through other means. That's the sense in which I was using the term "information privacy," if you will. But you're right; personal information is also a commodity. You might consent to sell your commercial information -- your Visa number, and I'm not quite sure why you would do that, but other information about yourself that you think has value. You might be willing to treat that as a commodity and sell that. But again, that depends on your consent and your having the choice to do that. So that's a point of nexus, I think.

G. Plant: But that comes back to the point. I mean, I was listening to you, thinking about the issue of whether my name and my social insurance number are a species of property. Or are they something else? I'm not sure what the something else is -- an aspect of my identity which is not a commodity.

G. Clark: Right -- the commodification of privacy.

G. Plant: Yeah, that's the tension which I think is interesting.

D. Loukidelis: I don't want to detain you, but one other example, if I could, that was experienced by one of my colleagues in my office years ago. . . . A job application form for employment with an insurer, an insurance company, included amongst other things questions about how many times you vote. "How many times have you voted municipally, federally, locally? What are your personal political views?" was basically what it was coming down to -- some very far-reaching questions. That obviously goes much closer to what you're referring to as the post-Enlightenment idea.

G. Plant: Let me give another example. If you are a new business in British Columbia -- this touches on the public sector side of privacy rights, but it comes back to something I said earlier about trying to figure out what private sector regulation will mean for businesses -- the form you get from the WCB, which is the way in which you get enrolled in the WCB, asks you, among other things, what kind of business you're in. That's fair enough, because they have to categorize you. It asks you who your competitors are. Now, I suppose that from the WCB's perspective, they're looking at making sure they can find out exactly what kind of business you're in or whatever. But from the private business's perspective, I could see real apprehension about saying: "Well, hang on. I understand I have to have a safe workplace and have to pay out a form of insurance premium around that. But what does the WCB need to know about who I think my competitors are?" I mean, it's a complicated business.

[1225]

Thank you very much, David. I'm sure you'll be watching closely.

D. Loukidelis: Yes, I'll be very keen to play the role of observer and follow your work.

R. Kasper (Chair): Our next item of business deals with our proposed public hearing schedule. Wynne, do you have that? If you could hand that out to members. In conjunction with that is the review of the draft advertisement. What we've done is that we've stencilled three dates on the draft advertisement. Those are January 20, 21 and 24. It has been felt that because of the closeness to the Christmas season and, more importantly, that perhaps we would not give enough lead time if we were to start the process in early December, we should hold off until January and do it during that time frame.

Could I ask members to refer to section 13 in their black binders. What I did was to take it upon myself to ask ISTA to prepare a proposal which would perhaps give us some flexibility. Because this issue perhaps has more heightened interest in urban British Columbia as opposed to the more remote or semi-urban areas of the province, mainly because of the business interests, I had asked ISTA to give us an indication as to whether or not we could solicit input or views or witness hearings by way of webcasting or videoconferencing for the committee. I thought that would perhaps be an example of where we could utilize some of the technology that is available and at the same time try to keep the committee's travel down to a limited matter. It would also be an opportunity to invite those in other parts of the province who are interested to participate in a meaningful fashion.

So anyway, we've got that. Stuart, did you want to elaborate on what you've laid out to us?

G. Clark: Webcast. Can we webcast?

S. Culbertson: Yeah, we can work a little further on it. I guess when I saw the results of the analysis and sort of compared it against what your travel costs to individual towns might be, it didn't suggest to me that there was a great saving. . .

G. Clark: Cheaper travel.

S. Culbertson: . . .with webcasting. Certainly with videoconferencing you really are limited by the number of people you can get into a room to interact with you, although there are a significant number of videoconferencing facilities available throughout the province.

R. Kasper (Chair): Right -- and you've listed those?

S. Culbertson: Yes.

R. Kasper (Chair): Behind the itemized sheet, you list locations that could accommodate 30 people or more.

S. Culbertson: Right.

R. Kasper (Chair): Okay. You know, I just throw it out to members that if that's agreeable, then the Chair and Deputy

[ Page 22 ]

G. Clark: I think there is a small problem with having two in Vancouver, essentially, one in Victoria and nothing outside the lower mainland.

R. Kasper (Chair): Well, would you like to suggest we change that? It's up to you.

G. Clark: Well, I guess it does depend on interest. Kelowna, for example, is a major centre, or Prince George. I mean, I'm not looking for travel; I'd rather not. But it seems to me that it's very hard to be representative of the province if we're only in this little corner of B.C.

G. Plant: Is there a way of determining what the level of interest would be before we went?

G. Clark: Yeah.

R. Kasper (Chair): Maybe I could turn to Stuart. Based on your previous consultations earlier this year with representatives or interest groups -- be it from the business community or public interests -- do you have any indication of where else outside of Vancouver or Victoria there would be interest?

S. Culbertson: Well, first of all, I think that we did a lot of the work through chambers of commerce. In a sense we almost heard the same message, I think, throughout all the different chambers of commerce, which could be represented by the provincial chamber. Chris Norman, who was at some of the sessions, may give a bit of a flavour of who actually came.

[1230]

G. Plant: It shows you how often the government goes to Nelson. [Laughter.]

R. Kasper (Chair): Oh, settle down.

C. Norman: We told them we were there to help.

Interjection.

C. Norman: The individuals we met in both Kelowna and Penticton were there to learn. But once we had spent some time with them, they were actually quite enthused about it and expected, sort of, follow-up. We intimated that. Initially, Prince George had a large planned attendance, but apparently it wasn't that heavily attended. The Fort St. John one, I think, got. . . .

J. Edwards: There were about 20 in Prince George and 20 in Fort St. John.

C. Norman: Now, these would be people affiliated with the chambers, so this isn't even gauging, necessarily, what kind of public interest you would have. But they seemed to be indicating that there would be interest in their areas.

G. Clark: The other way of doing it, Rick, would be just to agree to these three but acknowledge that it is only the first three and see if there's any. . . .

G. Plant: That has another advantage, by the way. Travel to any place outside the lower mainland and Victoria in the middle of January carries with it the risk that we won't get there, and that's very disappointing for everybody.

A Voice: Or back.

G. Plant: Or back.

K. Whittred: That's even more disappointing. [Laughter.]

A Voice: Not if you're from the interior.

G. Plant: No, exactly -- not if you enjoy the rest of British Columbia, as I certainly do. But I think that actually was the experience of the predecessor of this committee. On one occasion, I think, they didn't get into Kamloops.

K. Whittred: No, we didn't get into Kelowna -- not Kamloops.

G. Plant: So maybe the advantage is that, if nothing else, the trips to other places might happen a little bit later in the spring, when travel is more reliable. I think that given those numbers, if you could get 20 people to Fort St. John really just by touching the chamber of commerce, that suggests to me that there is an interest in this issue outside the lower mainland. We would not be doing our job as a committee, given the mandate, if we didn't make some effort to be sure that people outside the lower mainland could come and speak to us.

I mean, I don't like to oversell the business of how tremendously important it is that we listen to people in person, because sometimes what they say in writing is just as important. But on the other hand, it's a big province, and maybe we should do a bit of travel.

K. Whittred: I was just going to say that something we learned from the other committee -- drawing on that particular experience -- is to be sure that we canvass those businesses and organizations that are affected by the substance of this committee. Before, at the end -- no matter how careful we were -- we still found some that felt they had been left out of the process.

R. Kasper (Chair): I agree. ISTA has supplied a contact list in our binders. We also have a list of people who made submissions when we did the review of the public legislation, because there were people who actually raised the private matters. There are contact lists available, and I would look to the committee's advice as to whether or not we should invite them for submissions -- which is what you've perhaps suggested, Katherine.

It's agreed, then, that our first schedule of hearings will take place on those dates as proposed, and the members agree with the outline of the advertisement.

[ Page 23 ]

[1235]

R. Kasper (Chair): I would agree. Both Geoff and I will work with the Clerk's office to define that schedule so that it is not. . . . Because it can be onerous -- right? I think all of us would agree. We would clearly define as to when the committee would sit and hear those submissions, because, naturally, there would be a break time. We should indicate that, because there would be a public expectation that we would be sitting from start to finish with no break -- right?

Some Voices: Yes.

G. Clark: Right. Can I make one more suggestion? I don't have proper wording, but I think that the language used here is not quite as provocative as it could be with respect to the growing use of the Internet for commerce. I mean, there's no reference to the Internet or e-commerce or the changing nature of consumer behaviour or any of that. It seems to me that what has heightened people's concerns about this issue, when you get down to it, is the new technology applied to old businesses, if you will. Maybe it's just me, but when I see "personal information in the private sector," my mind doesn't automatically move to putting my MasterCard on the Internet.

G. Plant: Similarly, my mind might automatically move to telecommunications, banks and other areas.

G. Clark: I wonder whether there couldn't be some reference in one of the bullets to the changing nature of commerce and the Internet, whatever -- something that gives it a bit more flavouring.

R. Kasper (Chair): If I could make a suggestion. . . . On page 9 of the discussion paper, item 6. . . . These are questions that deal with "What does privacy mean to you?" Question 6 asks: "If you are using the Internet in your dealings with businesses, are you comfortable with the personal information you are being asked to provide?"

G. Clark: Right. Perfect -- that's good.

R. Kasper (Chair): We could just throw that question in as an item.

G. Clark: Something minor -- okay?

R. Kasper (Chair): Would people agree with that?

Some Voices: Yes.

R. Kasper (Chair): Great. Okay.

G. Plant: I don't know how you write that -- what did you say? -- "provincially regulated private sector." Nobody will know what we're talking about.

G. Clark: Just leave it as. . . .

R. Kasper (Chair): Just leave it as private -- right?

G. Plant: I think if you tried to limit it, it would make the ad unreadable. The problem is that if all we hear about are banks and telephone companies, we're not going to be actually getting. . . .

R. Kasper (Chair): I know. Okay. Is that fair enough? Both John and I will work on that.

G. Clark: Whatever. Work on it.

R. Kasper (Chair): Could I have a motion, then, just to approve what we've outlined and agreed to?

P. Calendino: So moved.

G. Clark: As amended?

R. Kasper (Chair): Yes.

Motion approved.

R. Kasper (Chair): Okay, great. On the question of perhaps looking at the webcasting or videoconferencing, should we leave that option open, once we gauge what type of interest there is?

G. Clark: I wonder if I could just ask a question of Stuart. What if we just put out a really quick little tender, if anybody was interested, to see what it would cost -- maybe test the market for web. . . ?

G. Plant: Oh, I thought that was there already.

G. Clark: Oh, was it? I'm sorry.

G. Plant: That's just a guess as to how much. . . .

S. Culbertson: Yeah. We didn't put out an RFP, obviously.

G. Clark: Is that too much work? I just thought if you had a few companies bid on it, maybe you would get these little guys. . . .

A Voice: Some work.

G. Clark: But if it's too expensive, then let's not do it. I just thought maybe we could explore whether people would be interested, that's all.

J. Weisbeck (Deputy Chair): I think that in lieu of our expanded travel we're talking about, maybe I would feel more comfortable with doing that at this point in time -- maybe leave the videoconferencing till later on.

[ Page 24 ]

R. Kasper (Chair): All right. We'll hold off on that.

Our last item is dealing with the conference in Toronto. Geoff, I understand you're going to be attending.

G. Plant: I am.

G. Clark: Toronto in November -- good for you.

G. Plant: I don't know what happened to me.

R. Kasper (Chair): Are there any other members? Pietro, you're going to be attending?

Interjection.

R. Kasper (Chair): Okay, and John might be. I might.

K. Whittred: I'm attending.

R. Kasper (Chair): You are? Okay, Katherine -- great. I may be. I just have to convince the other members in my household. Anyway, I just throw that out for information. If you haven't made arrangements through the Clerk's office or made your own arrangements, please do so in a timely fashion -- and I'm in that category.

Is there any other business or any additional information? Hearing none, I'll call for adjournment.

The committee adjourned at 12:40 p.m.

[ Return to: Legislative Assembly Home Page ]

Copyright © 1999: Queen's Printer, Victoria, British Columbia, Canada