Information & Ethics Committee on Nov. 20th, 2006

Thank you, Mr. Chairman. I'm delighted to be here today to discuss this legislation with you.

You've already asked me probably the afternoon's toughest question. The answer is that we call the bill “PIPEDA”, but I too have heard all kinds of variations. Whether or not you want to adopt our pronunciation is up to you.

You may wonder why Industry Canada is responsible for this particular piece of legislation. Let me tell you that we started worrying about the digital economy long ago. We anticipated the creation of databases and electronic commerce, the whole digital economy that goes with the Internet. We thought there should be pretty reasonable and clear rules of engagement in the marketplace in the so-called digital economy, particularly online. That's why we introduced this bill way back, after many years of trying to get consensus on what the provisions of this particular legislation might be.

As you know, a lot of people on the outside are very eager to appear in front of you to share with you their advice on how this legislation has been performing, and perhaps to give you their suggestions for improvement; you can always improve things.

With your permission, then, I would like to have Richard Simpson take you through a slide deck. I believe you all have copies of this particular deck. It tries to lay out what this act is about and the provisions in it. After that, maybe we can open up the discussion.

A lot of it is to take away and read. We will go very quickly through it.

Richard.

Thank you and good afternoon.

You have received copies of the document that we will refer to as we provide an overview of the legislation.

I'll go through the individual slides, as you've suggested, Mr. Chairman, quite briskly. Please stop me if you want to ask a question at a particular point.

If you look at the first slide, which shows in graphic format the size of the online marketplace in Canada, the key point is that the protection of personal information is a core element in the legal framework for a global networked economy.

The next slide gives you a brief chronology of work that has been under way for a number of years on privacy protection, both here in Canada and internationally. Some of the key dates are 1984, when the Organisation for Economic Co-operation and Development, the OECD, issued guidelines for the protection of privacy and transborder data flows. This is quite important, because it has formed the base for privacy protection laws in several jurisdictions, including Canada and many European countries in the European Union.

The second date, 1996, the CSA Model Code for the Protection of Personal Information was released. You'll see in a moment that this is a core component of Canada's national legislation on privacy and the privacy regime in Canada generally.

The other dates really take you through the phased implementation of PIPEDA. It initially came into force in January 2001. It was extended to the health sector in 2002, but only came into full force in January 2004.

PIPEDA has two main parts, as slide 4 points out and as you've already pointed out, Mr. Chairman. The first provides the privacy protection obligations under the act. Parts 2 to 5 comprise the section dealing with electronic documents, and this part has a number of provisions that enable more effective use of electronic technologies within the federal government administration. It amends the Canada Evidence Act, the Statutory Instruments Act, and other legislation, and has a number of provisions that allow government departments to make use of e-business and electronic commerce techniques in their day-to-day administration.

Part 1, for privacy, actually sets the rules for the private sector in protecting personal information. If you look at the summary statement of the purpose of part 1 on slide 5, you can see that part 1 establishes these ground rules governing “the collection, use and disclosure of personal information”. You'll hear those words used quite often. The different rules regarding collection, use, and disclosure of personal information are set out quite clearly in the act.

The act balances two central considerations that are also contained in that statement of purpose: the need to protect the privacy of individuals and the need of organizations to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. This really reflects the business reality that personal information is routinely used by consumers, businesses, and other organizations to conduct trade and commerce, and even more so in an online world.

On slide 6 we have tried to outline for you the key features of PIPEDA. First, it applies only to personal information and only to personal information that's used for commercial purposes. This is quite important in terms of defining the area and scope of the legislation.

Second, a very important feature is that this is built on a private sector code. It's a self-regulatory initiative, as it were, taken from the Canadian Standards Association. It's built on the CSA Model Code for the Protection of Personal Information, which, as I mentioned, was adopted before the legislation came into force. It's technology-neutral, although it certainly relates a lot to the way in which electronic technologies are now using and manipulating personal information and data generally. It applies to personal information in all formats, electronic and non-electronic. It applies across the economy as a whole; therefore, it has a broad marketplace scope and does not apply just to individual sectors. It's not based on criminal law and enforcement, but is enforced through the Privacy Commissioner of Canada and the Federal Court.

There are other key features. Just as important is what PIPEDA does not apply to. It does not apply to non-commercial activities or to non-personal information. There's a lot of data out there in electronic and non-electronic form that is not personal information and is not captured by the legislation. It doesn't cover any government institution that is subject to the federal Privacy Act. That's a different act; it is within the scope of this committee's interest, I know, but it is separate from the rules in PIPEDA. It does not cover employee records in the provincially regulated private sector. And there are a number of other areas that are not captured by the legislation.

The essential requirements and obligations under the act, as slide 8 points out, are cited in sections 3 to 5 in the law, but the real obligations are laid out in schedule 1, which, as I mentioned, is the CSA Model Code for the Protection of Personal Information. Subsection 5(3) has a further qualification about the need for a reasonable purpose test. You'll hear about that from many people.

The model code, schedule 1 of the act, has 10 basic principles. I won't go through all the details of those for you, but I think probably first among equals on that list is the need for consent. All privacy legislation, not just in Canada but in many other countries, is founded on the principle of consent.

There's also a number of principles--purpose, limiting collection, limiting use--which really points to the need to define purpose and limit the use of personal information when it is collected. That is sort of a matching set to the requirement for consent.

There's a number of provisions relating to access to ensure the reliability and accuracy of information that is maintained on a person.

If I may interject, Mr. Chair, it took about 10 years to get consensus of all parties--private sector, consumers, government--to come up with these ten commandments of privacy. I have to tell you this is the core understanding of the big policy issues that are embedded in this particular act.

Slide 9 points out that the act contains a number of exemptions relating to the consent requirement, which is contained in section 7, and also to the individual's right to access personal information, which is contained in section 9, and the bullet points out what those exceptions are.

The responsibilities and powers of the Privacy Commissioner, outlined in slide 10, are consistent with the role of ombudsman that the legislation assigns to the Privacy Commissioner. The Privacy Commissioner does not have the authority to make binding orders. She investigates complaints that are received or acts on her own initiative. She has a number of other powers, including an audit power. She publishes an annual report that comes to Parliament, as you know, since she is an officer of Parliament, and she has a number of responsibilities for both promoting the act, privacy protection, and educating the public. How the Privacy Commissioner's responsibilities are undertaken is a very important element of the legislation.

Slide 11 points out that the Federal Court acts as a backstop to the Privacy Commissioner with a number of responsibilities, eventually including the need to deal with an appeal by a complainant or the Privacy Commissioner on a particular finding. It also has some other powers, as you go to slide 12. As issues are taken before the Federal Court, there are some powers that the court can use to take action against organizations in violation of the act. But you can see that the number of points here make it clear that this is aimed at intentional and deliberate behaviour in violation of the law, such things as obstructing a commissioner in an audit or an investigation, rather than a regular exercise of power by the court.

In slide 13, PIPEDA also sets out—

That's correct; they're offences that are specifically contained in the act on which the court can take action.

Slide 13 sets out responsibilities for the Governor in Council. Some of these are very important to the functioning of the act. One of these powers is to make regulations to specify investigative bodies. A number of steps have been taken over the last few years to recognize private sector organizations that, by virtue of their responsibilities in legislation or in law, have to investigate and therefore have to both collect and disclose personal information

A second regulation power is to specify or define publicly available information. These are measures we can talk about in more detail. They're all contained in the regulations that have been distributed to the committee. You can find in there the operating definitions of publicly available information as well as all our investigative bodies' regulations.

The Governor in Council may also, by order, bind agents of the Crown to the act. This was really just a housekeeping measure, Mr. Chairman, in 1998 to ensure that certain crown corporations that were not subject to the Privacy Act would be subject to PIPEDA. This was to make sure there weren't gaps in federal crown corporations' being governed by privacy rules in one domain or the other.

The second power is to exempt from the act organizations that are deemed to be subject to substantially similar provincial privacy rules. The policy published in the Canada Gazette in August 2002 on that is also contained in your documentation, I believe.

Substantially similar, as we go to slide 14--and this may be worth focusing on for a moment--was a means Parliament put in place for aligning federal and provincial privacy laws around a single set of ground rules for data protection. Those rules would be the CSA model code, and they would apply across the economy as a whole.

In paragraph 26(2)(b), you see a power whereby the Governor in Council can exempt organizations that are subject to provincial laws considered “substantially similar”. In this case, the provincial regime for privacy protection would apply within that province, rather than the federal law.

The established criteria for “substantially similar” were to incorporate the CSA model code—those 10 principles—to provide for independent and effective oversight, and to restrict the collection, use, and disclosure of personal information to purposes that are appropriate or legitimate.

You'll see on the bottom of the slide that four provinces now have substantially similar provincial laws in place, and therefore those provinces have exemptions from PIPEDA: Quebec in 2003; the provinces of Alberta and British Columbia in 2004; and Ontario, in respect to their Health Information Protection Act, in 2005. So four laws have been recognized as substantially similar.

Essentially what this does is accommodate provinces that choose to legislate in respect to privacy protection, while allowing the federal law to apply in those provinces that choose not to do so.

As I mentioned, the Quebec privacy law was recognized as substantially similar in 2003. The Province of Quebec, however, has given notice of a constitutional challenge to part 1 of PIPEDA, which has to do with the clarification of the federal trade and commerce power in relation to provincial jurisdiction over property and civil rights. Although some documents have been filed, Mr. Chairman, the court still has not heard the constitutional reference. We expect that will occur sometime later in 2007.

That's correct.

There have been documents filed. The court asked for affidavits to be filed by...I forget what the original date was. Initially the federal affidavit was filed in early 2005, I believe. Or was it earlier? Yes, it was in March 2005. That was then followed by a request for an affidavit from the Government of Quebec, which filed its affidavit in July 2006, and we have filed an affidavit in 2006.

You're right to think about the amount of time that has transpired since the original reference. I think that's partly because essentially it's business as usual in the province of Quebec, since their act has been recognized as substantially similar. The provincial privacy commissioner does exercise authority as beforehand within the province. It has been mainly the time it has taken for some of the litigants to put the material together.

Yes, and we're informed, Mr. Chair, that they've asked for another extension.

That's correct.

The Quebec government.

The Department of Justice.

The Department of Justice.

Yes, it is.

No.

We can make our affidavit available to the committee, if you wish. It's quite a good read, I have to say, in terms of the history of privacy legislation in Canada.

In the next slide, slide 16—

Really, we meant the word in the sense of clarify the federal government's power in respect to trade and commerce in relation to provincial jurisdiction over property and civil rights.

That's correct.

Slide 16 points out, and the committee should be aware, that there have been several modifications to the original law that have occurred since 2001. They're outlined there. Most of these respond to public safety requirements post 9/11, but there is also one revision that relates to the Public Servants Disclosure Protection Act, which will be amended by the Federal Accountability Act, which is now before Parliament, as you know.

That takes us to the parliamentary review itself, and if it's helpful, Mr. Chairman, we can share with you and the other committee members some of what we heard during informal consultations that we conducted over the last couple of years as the date for the review approached. These are outlined very briefly in the next couple of slides.

Overall, the consultations we undertook confirm that the privacy community basically believes that the act is working quite well. You'll see two quotes there that we picked up during our consultations, from the Information Technology Association of Canada and the Canadian Bankers Association, that confirm that.

Some minor amendments were suggested during those consultations, and some issues have been drawn to our attention relating to the state of privacy in Canada, not just to PIPEDA in the strict sense. The capsule summary of those comments is in slide 20, followed by slide 21.

No, we do mean both. Certainly there's very strong support from the business community. As we get to talk about the powers of the Privacy Commissioner, you'll see that in the privacy community, generally speaking, the business community is very supportive of the existing role of the Privacy Commissioner, and you will hear from other members of the privacy community that even though the act is a good basis for protecting privacy in Canada, they have advocated some stronger powers for the Privacy Commissioner. You will hear that discussion, I think, as you call more witnesses.

Most of the input was about improving the act rather than saying what is not working, but there are different opinions as to what the input might look like.

Absolutely.

As I mentioned, if you go to slide 20, one of the key issues is the role and powers of the Privacy Commissioner. You will hear from the commissioner herself quite soon, and she will certainly talk about that.

Another issue that has been brought to our attention will be called transporter data flows by some people. It's really the international dimension to the protection of privacy and the need to look at issues surrounding the increasing outsourcing and offshoring of data processing and therefore personal information. But there are a number of technical and definitional issues that have been brought up. The Canadian Bar Association has made a number of suggestions along those lines.

Looking at slide 21, continuing with some of the areas that will come to your attention that we have heard about, the employee-employer relationship and personal information having a different dynamic in an employer-employee relationship than it does in the commercial marketplace is certainly one issue that will be raised. There have been calls to remove privacy protection for employee e-mail and fax numbers, and this goes to the definition of personal information and whether or not it's like a telephone number and you need to protect employee e-mail numbers. Isn't it contact information, much as a telephone number is?

As for mergers and acquisitions, you'll certainly hear from witnesses regarding the need for flexibility in terms of due diligence relating to mergers and acquisitions. Again, you'll probably hear different views on that.

There'll be many suggestions regarding the definition of work product as something distinct from personal information. This is a technical issue that does have some significance in a number of sectors of the economy, and we can talk about that if committee members wish.

These are very likely the issues on which you'll hear a lot more from others, starting with the Privacy Commissioner, who has views on some of these issues. As the final word, the bottom line so to speak, the last slide points out some of the commendations or testimonials on the privacy regime in Canada that have received very high grades internationally from the business community, as you'll see in those quotations. Some of you may have seen The Globe and Mail article about two or three weeks ago that reported on a study by Privacy International, which is an international group advocating stronger privacy protection across a number of countries. It ranks Canada and Germany with the best grades for privacy protection in the 30-plus countries they examined. So we do have a good basis on which to work, in our opinion.

Thank you.

Let me say it this way. Five years sounds like a lot of time, but I have to tell you the actual law experience is only very recent. It look a long time to operationalize, for example, what is consent, how do you get consent, etc. The health sector didn't come on board until 2004. So it's only one and a half years, and that was a big carve-out.

Last but not least, that's not the way we normally operate. What we look for in this committee is to do this public consultation and provide advice to us, where then we'll take this through our internal processes, and if there is going to be any amendment following up, it has to go through our internal processes, go up to cabinet and legislation.

So I'm not trying to duck the question. I'm just trying to look for your guidance and advice after a formal hearing of inputs into our processes.

It does not apply with respect to the collection, use, and disclosure of personal information within those provinces. So the cross-border aspect of data protection still remains within the federal purview. So for example, the Privacy Commissioner in British Columbia has full authority to investigate complaints there and exercise all of his powers in relation to any privacy issues within the province of British Columbia. If it was a complaint about a collection of personal information from a B.C. resident, but it had taken place by an organization in another province, then that would go to the federal Privacy Commissioner and she would exercise her authority.

I should mention that there's very close cooperation between the privacy commissioners across the country. All four privacy commissioners in Ontario, Quebec, B.C., and Alberta, but particularly the three that have comprehensive privacy protection laws, collaborate very closely on an operational level with the federal Privacy Commissioner. She will tell you more about how that works. But that's one of the ways in which they ensure that there are no gaps between their respective jurisdictions.

Mr. Chair, if I may, our original intention was to make sure that the business community doesn't have a patch of different rules across provinces. Business is more and more becoming national and international. In fact, we did emphasize that nowadays if you want to do business in Europe you have to have a piece of legislation that's acceptable to Europeans about protecting personal information. In fact, they went through our bill and they actually deemed it to be acceptable. So you can do cross-sharing of databases and information. They are quite happy with our legislation as is.

The same thing goes within a province. We didn't want one business to have onerous requirements in one province that are different from those in another province. That's why we established this national minimum standard, those 10 code provisions to try to put a national standard without imposing the specific on individual provinces in terms of the way they manage their own privacy issues.

There's a two-key system here. It has to be personal and it has to be commercial for this act to apply. If it's not commercial, then the act does not apply.

Right. Both.

There was a big debate. We use the example of whether a physician's prescribing patterns are private information for the physician or if they're private for the patients? There's a big debate about that, and presumably the court will determine what the outcome is.

To go back, the premise for the legislation is based on the idea that it has to be personal information and it has to be commercial. There are a number of exceptions. Information that's collected for journalistic and artistic purposes, for example, is not captured by the act. It's exempt from the act. There are also a number of exemptions for particular types of research activity, even though scholarly activity is exempt from the act as well, correct?

There's a much broader definition of research for most people. Some research may be commercial. For that purpose, there are certain exceptions in the act for what I'll call commercial research purposes.

To get back to work product, I think you're right, it's a central issue around some questions in the health sector about the extent to which personal information is either protected individual information or work product information. You'll hear from witnesses that some provinces have looked at defining work product in such a way that it takes it out of the domain of personal information.

With respect to PIPEDA, a series of court judgments have defined personal information in such a way that certain types of data—like prescription information, if I'm correct—have been defined as not being personal information. In the federal law, we have not yet defined work product so that this area was exempt from the definition of personal information. Some provinces have. You will hear from some witnesses that there is merit in that approach. Others may have a different view.

So that's one approach. In terms of PIPEDA, essentially we in the health sector, at least, have gotten to a similar position due to court interpretations of the law.

I don't know if any of my colleagues want to elaborate, but that's how I see it working right now.

I'm also told that the Privacy Commissioner deemed work product like this not to be personal.

We also have a carve-out for purely research data; that is, for pure research that is not in the commercial domain. Again, the act doesn't apply to it.

Yes, the Privacy Commissioner reinforced that.

We have no difficulty with that. It's the law.

Again, I'm going to sound like I'm trying to duck the question, but what I'm trying to say is that we are looking for advice on some of these issues. They are difficult issues. There is not necessarily a consensus on how they should be treated, and as you'll find out, there will be a difference of opinion about them. Therefore, at the end of the day, we will look for your advice and take this under your advisement.

Mr. Chair, just to add thirty seconds to the point, it is part of how PIPEDA works. The definition of personal information was left broad by Parliament, giving the Privacy Commissioner the opportunity to make some of these definitional interpretations in the context of his or her work. That's how it has unfolded. So it is important to know that the act is built around flexibility in terms of how the Privacy Commissioner defines personal information.

In some cases, that could refer to lists of names and addresses for Christmas cards or invitations.

Exactly.

I can give you an example as provided by the courts, namely prescriptions written by physicians.

Yes.

A report written by a person or employee as part of his work is considered a product.

We mentioned prescriptions because they were identified by the courts as a work product. That example comes to mind. It's one area in which jurisdiction is shared. The act covers personal information regarding the health sector.

When data is forwarded to another hospital, for example, a hospital in Ontario—

That's right.

We have an agreement with the Europeans. An international standard has been set based on OECD-approved guidelines. This standard provides us with a level of privacy protection comparable to that of European countries.

I'm not familiar with all of the studies that have been carried out, such as the one done by Privacy International. According to that study, we currently measure up very well to other countries.

Not really, because the standards that we have adopted are based on the CSA Model Code and they are the same as the ones adopted by European countries. We are almost at the same level.

Comparisons are always being drawn between ourselves, the Europeans and the Americans. The latter take a different approach to privacy protection. They have passed legislation for each sector, whether the financial sector or the health sector. Their approach is completely different. We feel that ours is the best method, because the economy as a whole is treated the same way. It's interesting, because Mr. Gates, for example—

Yes. The time has come for the United States to adopt an approach similar to ours, that is to pass legislation that applies to all sectors of the economy.

If I may, we've heard a lot about that particular topic. There are those who are absolutely recommending strongly—and you will hear them in front of you—that the Privacy Commissioner name names. They may also make the suggestion to amend this legislation to force the disclosure of breaches of privacy.

That's correct. That's the recommendation you'll hear a lot about. In fact, I think the Privacy Commissioner will be here, so you can ask her. She is deemed to have no power right now in the legislation to actually name names, so to speak, and to force the particular issue. This would probably require a legislative amendment.

I can jump in.

You probably can complain right now to the Privacy Commissioner if you have reason to believe your personal information was somehow accessed by someone without your knowledge or consent, even if it was purely accidental or an act of someone with deliberate intention to subvert an information system. The reason you can do it is due to the ten principles of the CSA code, which the Privacy Commissioner is responsible for enforcing and companies and organizations are responsible for administering. It requires organizations to take proper security, proper steps to secure the personal information that is in their hands. Negligence, or an inability to protect that information, is really no justification or excuse for not complying with the act.

The issue you're raising is one that I think the committee is going to hear about from other people. It has risen in the United States, as your researcher has pointed out. There are a number of states in the U.S. that have adopted duties to notify, or breach notifications. There are various terms for it, I think quite a few—over 30. They have different approaches. One of the difficulties is that it is state by state, and therefore quite fragmented, across the U.S.

That's an issue that has come up in our consultations and that I think will come up before the committee. But it's not black and white that there is nothing there versus a duty to notify. In fact, there are a number of obligations under PIPEDA that organizations should comply with. In your case, to take that example, you would be able to go to the Privacy Commissioner. The difference is, as Michael Binder pointed out, that there is no obligation to notify everybody in a public way, which is what most of the laws in the U.S. do require.

The way PIPEDA works now under an accountability arrangement, as they call it, is that the Privacy Commissioner will investigate that situation from the point of view of the Canadian organization that first allowed your information to leave the country. So what—

The organization that provided your personal information—

Well, if you're talking about Manitoba Data Services, that's a little more difficult as an example because that's governed by a provincial privacy act. If we can take a private sector organization, though, that would have personal information that it collected from you, with your consent, for a particular purpose, the obligation on that organization, no matter how it decides to process that information and use it in the conduct of its business, which you have consented that it could do, is to protect that information in contractual form with any other organization that has access to it.

It's an obligation that is transferred from the Canadian organization that is following PIPEDA and the principles under PIPEDA to make sure that a third party, no matter where that third party is located, must, by contract and therefore by law, respect the same principles as are in PIPEDA. So it's by extension.

The Privacy Commissioner will outline the same approach for you when she appears, I think, but she may have issues to discuss with you in terms of whether that covers all situations and how effectively it covers it in relation to a situation of public safety, for example.

I hate to repeat myself, but you have to ask the minister to do this, because it's only the minister who can actually propose amendments and changes after the internal due process.

I'm not authorized to give you what I personally think is the amendment here.

From what we understand, this proposal was removed from the last version of Bill C-2, and now only the Enterprise Cape Breton Corporation is scheduled to be moved over to the Privacy Act.

This was originally done by an order in council on August 31, in which the Enterprise Cape Breton Corporation was removed from PIPEDA. It had originally been brought under the act by an order in council at the end of 2000. It was removed by an order in council in August 2005 and brought under a schedule to the Privacy Act at the same time.

Now, as we understand it, Bill C-2 is only proposing to formalize this in law for the Enterprise Cape Breton Corporation. We understand—

I don't want to appear—

I want to tell you about a verification at council that I did with different versions of that bill. From what we understand, the version that went to first reading had those organizations in there. Upon reading the version that went to the Senate, we didn't see them anymore.

Oh, oh!

As a good bureaucrat will tell you, there's never enough money.

You will have to ask her. We're not in a position to—

Maybe I don't understand the terminology. I thought it was quasi-judicial now. They have some legal powers or authorities—maybe in certain minds not enough.

You're going to hear some people say yes and some people say no.

Oh, oh!

I would have to ask my minister about this.

We are the policy people, if you like, in overseeing the order in council, the provisions, and the act's ability to create regulations—for example, to deem substantially similar pieces of legislation in the provinces, to deem investigative bodies. We deal with a lot of regulatory issues.

The actual administration of the act is run by the Office of the Privacy Commissioner.

We work very closely with the Office of the Privacy Commissioner in a number of areas, including the Governor in Council's responsibilities that were just mentioned.

If you look at the policies for considering laws as substantially similar, the Office of the Privacy Commissioner has a specific role in terms of her point of view on those issues, as well as on investigative bodies. So there is a relationship, both informal and formal, to the extent that these are incorporated in policy guidelines.

We also work very closely with her on international issues. As I mentioned before, the OECD is very active in this area, and it continues to be very active. It's one of those bodies--to get back to the question raised by Madame Lavallée--where it's not so much that new norms are being established for privacy protection, but that areas of cooperation for cross-border enforcement of privacy laws and some of these international issues are being addressed. The Privacy Commissioner has actually been active with the OECD, working with us to look at some of these issues on an international basis.

Yes, we have. As we mentioned earlier, there are really two points of view on the question of order-making powers or the Privacy Commissioner as a quasi-judicial body.

By the way, I'm sure you'll hear from the Privacy Commissioner herself on this issue. I think that should be the first point of contact about whether the powers are—

Yes, there are.

Actually, the provincial legislation creates a comprehensive standard for protecting privacy across private and public sectors in those provinces. It really strengthens privacy protection in a way that either the federal law on its own or individual provincial laws could not do. Therefore, that was something—

PIPEDA would not protect all elements of personal information. There are elements that are outside of the federal government's constitutional authority under trade and commerce—

Yes, such as the health sector. There are a number of areas. Any area where information is not defined as commercial cannot be captured by PIPEDA. Therefore, there are areas that—

There is no duplication; it's either one or the other. The moment they pass their law, we are out of it.

Some of them wanted a more comprehensive approach to what's happening in their own jurisdiction. Some provinces have decided to go with PIPEDA, and so far they have no intention of passing a provincially based law.

There could be, and I guess they'll cross that bridge when they come to it. Right now, they're quite happy to not enact it.

There's no law like PIPEDA that's economy-wide, independent of various sectors. There you have health privacy, financial privacy, and those kinds of bills. I think there's also—

They're national?

They're national, yes. But then I think there's some provision in various states. So you're really talking about complexity. It's very complicated there.

Approximately twenty, and that includes individuals and groups.

We have a list. We can make that available to the clerk.

That's correct. This was more the personal element to that. On one side of this argument was the doctor making the prescription, and his name was there. As I understand it, the key issue was whether that was personal information and should be protected or whether it was a work product, because this is in his capacity as a physician.

We have a specific carve-out for investigation purposes and crime fighting. Quite honestly, we have not had any complaints. Anytime there was a deficiency, it was amended. There was an anti-terrorism kind of provision that was passed.

There are quasi-judicial bodies with different powers, like AMPs--administrative monetary penalties, I think they're called, which can actually impose penalties, severe penalties, directly. You would have to have a legislative change to do that.

Not right now. You would have to amend the act to actually provide it with that particular power. There are going to be some advocates who come in front of you and suggest strongly that this should be done.

So there would be a fundamental change to how the act operates, because it does operate now under the ombudsman model, with the Federal Court being the instrument the Privacy Commissioner uses to go after, as I said before, very deliberate and intentional violations of the act. So it's very much the order-making or oversight and redress issue that we talked about earlier.

The one issue that will come up under a scenario of order-making powers is whether you still need to set up some kind of independent body that would actually apply the penalties. For example, the Canadian Human Rights Commission has a tribunal. The Competition Bureau has a tribunal. So you ensure that the investigative body does not have the right to be both judge and jury.

In some cases there is an issue around what constitutes lawful authority. As we said earlier, the act is pretty clear that if you have lawful authority for that information as part of an investigation of criminal activity, national security, or whatever, those requirements are above the protection of personal information. In operational terms, there's sometimes a question about what is lawful authority. Is it a warrant? In some cases on the Internet, when you're moving very quickly, law enforcement cannot produce a paper warrant. Sometimes they're contacting you electronically.

So these are the kinds of issues I think you would hear about if you talked to both privacy advocates and to the law enforcement community in terms of an operational requirement. How do you define lawful authority in a way that ensures that the balance is struck?

We've just discussed that point. You are correct. The expression “will confirm” is significant. It will clarify the situation.

Or “will clarify”.

That question has to do with the federal act. If a provincial law was not considered

substantially similar,

the federal act would continue to apply within the province and organizations would not be excluded from the federal act's application. If I can continue in the other language, I would say that

it's more a question of the federal law and whether it would exempt organizations, rather than whether the provincial law would continue to apply. It would continue to apply regardless.

No. We're dealing with a hypothetical situation. This law was drafted using the Quebec model for inspiration. The policies and ideas are derived from the Quebec act. Quebec was the first province to adopt similar legislation. If Quebec wanted to amend its legislation and remove, for instance, the provisions respecting consent, then we would object because personal information on Canadians must be protected by law. In this instance, they will be protected by two separate laws.

Yes. A table and a summary are available and we can send them to you.

We may have misunderstood the requirement, but we were told very specifically that we were called here to provide an overview of the bill. It's like PIPEDA 101.

If you had asked for a recommendation, we would have reacted by either seeking authority to give you a recommendation, or by telling you we could not do it and seeking your guidance on inviting the minister. But this was to be a purely academic overview of the meaning of the act, its provisions, etc.

We took notes. If you want, we can go back and see what we can tell you about our personal views, and then get back to you on this.

Yes, we believe that the support witnesses you have on your list will probably propose some of those amendments. So we'll give you a heads-up. That's our understanding of what's coming in front of you.

We certainly can provide some indication of where provincial privacy acts--except for Quebec's, of course, which came after the federal law--have addressed some issues, like the work product issue, in interesting ways, which you might want to look at, based on what you hear from other witnesses. We're also suggesting, in response to your request for people who should be called before the committee, that provincial privacy commissioners are excellent people to discuss not just the application of their legislation, but also privacy protection in general and the way in which the regime for privacy protection works in Canada generally.

So I think in both ways we can provide some help ourselves in terms of some of those areas. But I think you'd best get it from the horse's mouth, so to speak. If provincial privacy commissioners are going to appear before the committee, then they'll give you an excellent review of how elements of their legislation are substantially similar to the federal law, and areas where they have a couple of ideas that you might want to consider.

Always! You are correct.

We know about the study that you mentioned, and yes, if I had enough hair, mine would stand up on end also. It is discouraging to hear the results of the poll like that, or the study.

What it points to, though, is not only the definition of consent, because that's certainly part of it, but it's also a question of how aware organizations are of their responsibilities under the legislation, whether it's provincial or federal, and that's something we need to address. I'm sure the Privacy Commissioner, because she has done it, she has addressed it in her annual report to Parliament, would want to talk to you about the educational component.

Yes, it does.

Yes, the federal act applies to banks, broadcasters, and so forth.

That's right.

Yes.

Oh, oh!

The way I understand it, when you do a merger or an acquisition, you need to have some data and information about officers, about the business they're in, and so on, and some of this information needs to be—the argument goes—“access without consent”, because otherwise they'd become aware of what's going on. So there are those kinds of issues here. Again, you're going to hear the other side of the argument, that it's because of this personal information that you don't want to share those arguments.