Bill C-12 (Historical)

I too want to thank you for giving me the opportunity to present to you. I apologize for the lack of a written submission. I only got the call last week to present, but I will be providing some other written material for your review.

I want to give you a context for my remarks. I work at the Advocacy Centre for the Elderly. I'm the senior lawyer. I'm a legal practitioner. As you can tell from my grey hair, I'm an old lawyer. I've been a lawyer now for 35 years, and I've been at the Advocacy Centre for the Elderly for 27 years.

The Advocacy Centre for the Elderly is a community legal clinic that provides legal services to low-income seniors across the province of Ontario. All of our practice is focused on legal problems experienced by older adults. Almost all of our litigation is related to various forms of abuse. The majority of our casework and client representation involves advice to and representation of older adults who are victims of abuse, primarily by family or close friends, people they expected to trust but who then took advantage of them. We've dealt with the full range of abuse, primarily financial abuse. But unfortunately, we've dealt with cases of sexual abuse, physical abuse, and emotional abuse, many of which were Criminal Code offences.

We also deal with a lot of abuse in the systems that are meant to assist seniors. We call this systemic abuse, and it's all those services that are supposed to provide the supports but that don't necessarily follow the law. We often call this “good law, bad practice”. We see this, for example, in hospital discharge policies. We actually take the position that almost every hospital in Ontario, and I would say across the country, probably has an illegal discharge policy that ignores seniors' legal rights in respect of choice and their role in decision-making in the health system.

In Ontario there's an effort to try to get seniors to pay high per diems that are outside the OHIP ranges. This is just an example that we see in practice, but we see this across all kinds of practice. The diaper example is a good one. The law in Ontario, and I would say, again, across the country, in each province, is that people are intended to be kept clean and dry at all times; having 75% on the diaper isn't necessarily clean and dry. It victimizes the workers and the seniors involved.

We have had experience with hundreds, if not thousands, of abuse cases, and have had experience seeking remedies for our clients. We also have experience doing public legal education on elder abuse prevention and the various legal issues, such as power of attorney. It is a key tool that in fact is not supportive of seniors but is used to financially abuse seniors, even though doing a power of attorney is often promoted in provincial and federal elder abuse campaigns.

I have actually had a lot of contact with the federal-provincial-territorial committee that has been working on elder abuse issues, and I was very pleased that I was asked to contribute to the review of the pamphlets. The pamphlets were amended to reflect that you have to use caution when using powers of attorney. I think those are important messages that come out through those campaigns.

Our primary focus in the education is to seniors, for knowledge of prevention, but also to service providers of all types--health professionals, police, home care workers, and front-line staff in various service agencies--so that they'll know the law, develop their own policies and practice on elder abuse prevention, give a response that is within a legal framework, and challenge their own misconceptions about aging and abuse. Those misconceptions often contribute to the abuse.

Please note that the law on elder abuse is not only about the Criminal Code or adult protection. Krista James, from the Canadian Centre for Elder Law, is actually a friend of mine, and she shared with me her submissions. She ably outlined all of that kind of legislation. I encourage you to look at the materials she's produced.

I can tell you that in practice, we actually use the law across the board. We use family law, privacy law, health law, law in capacity and decision-making, real estate law, and consumer law, all in providing elder abuse response.

What I'm really pitching to you is to look at the broader scope of elder abuse. That's what we use to help our clients. The federal response to elder abuse also needs to look beyond the Criminal Code and elder abuse awareness in a narrow sense. You need to look at the federal role in health funding, housing, legal aid, and privacy, as a few examples.

Because there's limited time, I'm going to go right to some recommendations. The theme I'm going to give you is about training, tools, and time, not necessarily law reform.

First is criminal law. The Criminal Code itself, in my opinion, works quite well. It's good law, but I think some of the practices in respect of the implementation of the law are the real problem.

The Criminal Code includes various sections that respond well to elder abuse. We don't need a special offence of elder abuse. In fact, if you had a special offence, that actually would divert attention from the theft and physical assault and all the different core crimes and would end up limiting a response and create barriers to prosecution.

The Criminal Code also includes sections to accommodate special needs of older victims of abuse in giving testimony and in giving evidence in advance of a trial to both preserve the evidence and to ensure that the prosecution can continue, even if the older witness is unable by physical or mental disability to testify at the time of trial of the accused. There are provisions in the code for audio and video taping of evidence—they're called “KGB statements”—that can be used as evidence.

The Criminal Code sentencing provisions are also good in the sense that if the victim is an older adult, that is taken into account and could be a factor in considering the sentence.

But as to the challenge in the criminal justice system, I would go, again, training, tools, and time. With respect to the training of police officers, I've been involved in a great deal of training at the Ontario Police College and the Toronto Police College. There's a need for training in dealing with investigation of crimes against the elderly in different settings. The police need to know the law related to long-term care, privacy, capacity, retirement homes, home care, and resources in the community to support older victims, especially to help them address the reluctance of older witnesses to testify, or to even complain.

In the course of the education that we do, I frequently have the officers chant “Talk to the senior”, just to get the message across that they need to focus on the senior. Many times in investigations in the past, some officers have told me that they talked to everybody around the senior, but not the senior. It's more challenging to deal with the senior. There may be a communication challenge, or the person may appear more frail than they are. Although they may be still very capable, very able, people will still talk around them. So it's looking more from the senior's perspective.

The next is tools. I have one simple example of tools that the police need. We have provisions about videotaped evidence. I have been told by a number of police officers that they don't have the videotape equipment so they can't take the evidence. How are you going to use those provisions? That's a very important thing. There was a recent Supreme Court of Canada case, Regina v. Khelawon, that dealt with this particular issue. The evidence was thrown out, I think partly because the officers didn't do the whole gamut of things they were supposed to do in order to preserve the evidence. They may not have been supported; they may not have had the tools.

The next is time. We need time to ensure that the police are given time to do investigations of abuse cases. Some of these crimes are very challenging, I know. I've had a lot of contact with the Ottawa police, who have an elder-abuse unit. I can think of one of the offences that the police investigated. It was a case of multiple offences by a PSW who was financially abusing seniors. They were all small amounts of financial abuse. Cumulatively, she had stolen thousands. To do that investigation on all those small bits, the police don't necessarily get the supports to do that. This unit did. But if you're a police officer in Toronto and other cities, they might not get the supports and the time to do that. They would simply say they don't have the time to do it.

So that's training, tools, and time. I now want to go on to privacy. I'm going to say, respectfully, there's a need to amend Bill C-12. This is a bill that's now on the table to amend the privacy legislation, because the amendment to proposed subsection 7(3) will open the door to increased financial abuse of older adults, not increased protection.

This amendment will permit disclosure by federally regulated financial institutions, such as a bank, to the client's next of kin, or the authorized representative of the client, in the belief by the bank personnel that the senior, who is the client of the bank, is a victim of financial abuse. So it's giving permission to the bank to disclose private information about the senior's account on the assumption that the senior is a victim of abuse. Disclosure is to the family members of the senior. It also says to other governmental organizations.

This amendment, to permit the disclosure to next of kin and authorized representatives of the seniors, I think needs to be changed, because those are the abusers. Almost every single case we've had over the years on financial abuse is abuse by family and friends.

This amendment will permit the banks to tip off the potential abusers, to inform them of the abuse. What can the banks do now? The banks actually can talk to their customers. They can start with the senior. If the senior is incapable, they can then contact the governmental institutions. That amendment is fine.

For example, in Ontario, they would contact the Office of the Public Guardian and Trustee, who could investigate the allegation that the senior is not capable. Then, if the senior is capable, they can help provide supports to that senior through assistance in going to the police or a legal organization to address the abuse. Or they could become their guardian to regularize the situation.

So the reports to the public—

I think the issue is not necessarily whether one jurisdiction's way of approaching security is better than another's. Bill C-12, which is on the horizon and I hope will be passed, is certainly going to require businesses to turn their minds to security and security issues. But particularly with respect to small and medium size businesses, that's going to be a problem, I think.

I guess I would follow up with what several people here have said, including Mr. Bergeron, for example, that smaller firms need help in investing in ICT. Part of that would be security. First of all, there has to be an awareness and, secondly, they have to have the infrastructure in place. And that means dollars.

All of the studies I've seen seem to indicate that small and medium size businesses, at least at this stage, are not turning their minds adequately to the security issue. That's going to be to their detriment. Frankly, Canada is a little bit behind the ball here. We do have Bill C-12 on the horizon. Other jurisdictions have passed legislation that, for example, requires businesses to have certain security measures in place and, if they don't, to report security breaches. That is something, I think, that is going to come.

It begs the question, though, what small and medium size businesses can do about that. First of all is the awareness issue, and second of all is the financing to put things in place so that they are able to meet the requirements of the legislation.

Thank you.

My comments are going to focus on some legal aspects of e-commerce, in particular, privacy and security issues that have been, I think, impediments to both business and online consumers.

My message, in a nutshell, is that business needs to get its act together with respect to privacy and security of data. You don't have to look too far, I think, so see why I say that.

Now, some of what I'm about to say, I know, has already been heard to some extent by Industry Canada in earlier consultations, but I think the message merits reinforcement because the problem still exists and Bill C-12, of course, is not yet law.

Back in September of 2004, a report of the Canadian e-Business Initiative identified privacy and security practices as integral parts of a successful e-business adoption strategy. That report came out at a time when Canada implemented the Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA, which legislated a model code for the protection of personal information. An element of that code is that personal information must be protected by security safeguards appropriate to the sensitivity of the information gathered.

Seven years later, where are we? Well, we continue to hear about large-scale data breaches, and small and medium size businesses in particular are unsure about what they need to do to comply with the privacy legislation—and I'll briefly mention some studies in relation that—and consumers may be excused for wondering if their personal information is being protected at all, given some of the media reports we hear.

In almost every poll or study taken on the barriers to e-commerce—and I've looked at quite a few of these online over the past few days—the principal concerns raised have been privacy and security of personal information. Consumers want some assurance that their information is going to be protected. Businesses want that assurance as well, and they want to know whether they're meeting adequate standards to protect that information and to protect themselves against possible liability.

Unfortunately, there's not been a shortage of significant data breaches over the past few years. According the Privacy Commissioner of Canada, too many data breaches are occurring because companies have ignored some of the most basic steps to protect personal information, including a failure to implement the most basic security measures. Sometimes breaches are reported; sometimes they're not reported at all; sometimes they're reported only after the business gets an indication that the data may be being used for illegal or unscrupulous purposes. Despite the increased frequency of security breaches, a recent Environics Research Group study of small and medium size businesses indicates that most are complacent about their company's IT safeguards and underestimate the consequences of a security breach.

I just want to share very briefly some of those findings with you, if I may. The small and medium size businesses surveyed were divided about the reasons for their complacency. Most, however, acknowledged that they were not taking adequate security measures or that their existing software protection was not adequate. Many were ignorant of cloud computing. The limited number of SMEs that had adopted cloud computing was driven by their desire to spend less money on IT infrastructure, and they were not confident at all that the provider was ensuring any safety of the information they provided.

Believe it or not, people and organizations still care about privacy and security of information. One estimate is that over 35% of Internet users will not give their credit card information online because of security concerns. That's a large chunk of people who are just not engaging in e-commerce and who could be.

It's also interesting to note that a 2011 study indicated that online consumers, largely thought to be motivated primarily by savings, are often willing to pay a premium for purchases from online vendors who have clear protective privacy and security policies. I think this illustrates a couple of things. First, even in the Facebook era, when personal information is willingly disclosed and when some industry executives have declared privacy to be dead, privacy and security are still identified as major factors in a consumer's decision to do business online. And second, those businesses that do take privacy and security seriously can profit from it.

Our experience shows that sometimes legislative intervention is required to ensure adequate data protection mechanisms are in place, otherwise there may be little incentive to remedy the problem. The downside of that is that any attempt at legislative intervention is sometimes reflexively labelled as costly regulation by some in the business community.

For example, one of the issues to be examined is red tape, which creates barriers to growth. The question is whether regulation is red tape or whether it's actually doing something important.

In the current situation, it's been argued that mandatory disclosure of security breaches may cause unnecessary panic in situations where the chance of the fraudulent use of compromised data is minuscule. If you get too many notifications, that then leads to what one writer calls notification desensitization. What's missing from this rationale is that the aim is to encourage business to have adequate security measures in place so that the frequency of data breaches diminishes. If that happens, there can be no oversensitization, because the event is infrequent. In any case, whatever argument is raised against notification, the priority has to be the giving of notice by the custodian of the information to those affected, so that they can take preventative measures.

I want to turn briefly to Bill C-12, currently before the House of Commons. That bill will require an organization to report to the Privacy Commissioner any material breach of security safeguards involving personal information under its control. Factors related to materiality will include the sensitivity of the information and the number of individuals affected. The organization will also be required to notify an individual of the breach if it's reasonable to believe that the breach creates a real risk of significant harm.

I don't mean to go into any great detail on the mechanics of that legislation, but it seems to me that it at least strikes somewhat of a balance—

Thanks very much.

Good afternoon.

As you heard, my name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I appear before the committee today in my personal capacity, representing only my own views.

I want to congratulate the committee for launching the study of e-commerce in Canada. It's a critically important issue, deserving of greater attention.

While the committee has identified some excellent questions, I would boil the issue down to a single one: why have Canadian consumers embraced e-commerce but Canada has failed to produce many significant global e-commerce success stories?

The Canadian consumer success story is well known. We're among the global leaders in Internet use and online video consumption. For several years, Canada was the world's largest per capita user of Facebook. Netflix launched online only, first in Canada, and quickly grew to one million subscribers. And digital music sales have grown faster in Canada than in the United States for each of the past five consecutive years.

Yet despite the growth on the consumption side, we punch well below our weight in creating global online companies, an issue recognized by a McKinsey study prepared for the G-8 meeting in France earlier this year. There are exceptions, of course—Club Penguin, Flickr, AbeBooks, and StumbleUpon, among them—but most are bought out by larger U.S. companies before they have the chance to grow into global players.

Canada does have its share of e-commerce SMEs, but the multinationals that employ thousands and generate billions in revenue have largely eluded us. The question is why. There are no doubt many factors—venture capital, market size, appetite for risk—but as they say, when you're a hammer, everything looks like a nail. When you're a law professor, you see legal and policy failures.

Over a decade ago, Canada established the e-commerce law basics, including enforceability of online contracts, privacy rules, and some online consumer protections. But these were just the price of admission. The success stories often lie in countries that went further. I believe companies like YouTube, Google, and Facebook could have been Canadian, but legal rules made it less likely.

For example, YouTube could have been Canadian. The company would have been called iCraveTV, a Toronto-based online video startup that launched in 1999. It streamed television programming, supported by advertising along the bottom of the screen. It was YouTube years before YouTube was YouTube, and it relied on Canadian law to do it. The U.S. objected, and within months of launch the service was shut down, and Canadian law changed as we caved to the U.S. pressure.

Google could have been Canadian. The company would have been called OpenText. OpenText is, of course, Canada's largest software company, based in Waterloo. Before Google was even a Stanford graduate student project, OpenText was providing the search technologies for companies like Yahoo. U.S. copyright law has a fair use provision that Google later relied upon to index the web and become a multi-billion-dollar company. Canada still has a more restrictive fair-dealing approach, and OpenText opted for managing content in the corporate market, which doesn't raise the same legal issues.

Facebook could have been Canadian. The company would have been called Nexopia, which is now an Edmonton-based social network that is still active. It was founded in 2003, a year before the launch of Facebook, but unlike Facebook and thousands of other U.S. companies, Canada does not have a rule that grants legal immunity to intermediaries for the postings of third parties. In the U.S., the Communications Decency Act, section 230, has been used by all the giants—Facebook, Amazon, Google, and eBay—to limit risk and liability for the postings of their users. In Canada, we don't have the same protections, and the risks faced by anyone operating online are far greater.

I could go on. We could talk about why Skype was unlikely to be Canadian because of the regulatory and competitive environment for telecom companies. We could talk about how Zillow, the online real estate giant, couldn't be Canadian because of restrictive rules over the use of listings data. We could talk about how Amazon couldn't be Canadian because of foreign investment restrictions.

Canada has failed to build the competitive legal and policy e-commerce framework, and we now live with the consequences.

So what comes next? There are numerous policy issues that ought to be put on the table, not all of them a matter for the federal government, as some fall within provincial jurisdiction. I'll quickly highlight four, and perhaps we can discuss more during the question period.

First are the privacy and marketing rules. We should move ahead with the anti-spam rules, not diluted through regulations, as some are calling for. Ensure swift passage of the just introduced privacy measures in Bill C-12. Moreover, the next round of privacy law review is due this year. We need tougher enforcement measures put on the table and retention of the principle of court oversight for mandatory personal information disclosure.

Second is copyright flexibility. Today and tomorrow's e-commerce businesses rely far more on the flexibility of copyright law, not the digital locks that form a cornerstone of the current copyright bill, Bill C-11.

Third, other countries have adopted fair use, and yet more are considering the issue. Canada should do the same. An equivalent of the CDA section 230, which I spoke about earlier, for Internet intermediaries is absolutely crucial. It would, however, require provincial cooperation.

Fourth, and finally, is removal of foreign investment restrictions and other competitive barriers in many sectors that touch on e-commerce. Foster a more competitive Internet environment with a set-aside for new entrants in the forthcoming spectrum auction.

Note that Canada may have been the first with an online-only Netflix, but we also hold the dubious distinction of having had Netflix offer bandwidth-reduced versions of its content due to Internet data caps and high costs. The impact extends well beyond the consumer market, as it directly affects e-commerce businesses as well. Canada may have missed out on a generation of e-commerce leaders. We must not miss out on the next one.

Thank you very much.

Your committee will be undertaking a study on e-commerce in Canada. I would like to take this opportunity to provide your members with Industry Canada's perspective on e-commerce and related issues.

First, I will briefly explain e-commerce and where Canada ranks in relation to other countries.

Second, I will give you an overview of the main activities underway at Industry Canada to stimulate e-commerce, that are a part of the digital economy strategy.

The OECD's internationally accepted definition of e-commerce states that

An e-commerce transaction is the sale or purchase of goods or services, conducted over computer networks by methods specifically designed for the purpose of receiving or placing of orders. The goods or services are ordered by those methods, but the payment and the ultimate delivery of the goods or services do not have to be conducted online. An e-commerce transaction can be between enterprises, households, individuals, governments, and other public or private organisations.

While this definition is useful for guiding international comparisons and data collection efforts, from a more practical perspective, payments, online banking, and bill payments are often considered key elements of electronic commerce.

In this definition, one thing is clear: the first prerequisite for e-commerce is that it must be online. More and more Canadians are online.

According to the CRTC's Communications Monitoring Report 2011, 96% of Canadian households currently have access to broadband services at a speed of at least 1.5 megabytes per second. It is estimated that that percentage will reach 98% by 2012.

A transmission speed of 1.5 megabytes per second encourages e-commerce by increasing the number of households able to buy and sell goods and services online.

In 2010, 70% of Canadian households subscribed to broadband Internet services. Statistics Canada's 2009 Canadian Internet use survey found that nearly 22 million Canadians, or 80% of people over 16 years of age, used the Internet for personal reasons--from home, the office, or some other setting.

Once online, Canadians used the Internet for a variety of activities, such as electronic banking and bill payment, searching for information, and communicating with Canadian municipal, provincial, and federal governments. They undertake education and training online, and also access information on weather, travel, health, and investments.

Canadians are also increasingly purchasing online. About 39% of Internet users indicated they engaged in e-commerce in 2009, and the total value of these online purchases was $15 billion. To give you a sense of the magnitude, total retail sales by Canadian firms were $415 billion in that year.

From the perspective of Canadian firms selling online, total online sales, both retail and commercial, were almost $63 billion in 2007--and this unfortunately is the last year in which data was collected. Of these sales, 59% were commercial, business-to-business transactions. The remaining 41%, or $25.5 billion, were retail sales, business-to-consumer transactions. And despite the relatively large value of online sales, only 8% of firms reported selling online in 2007.

The difficulty of encouraging more Canadian businesses to make the transition to e-commerce and the low overall take-up rate of digital technologies by Canadian businesses are closely linked. Investment per worker by Canadian businesses in information and communications technologies is 60% of investment per worker by American businesses.

Digital technologies play an important role by supporting innovation and productivity. Digital technologies greatly contribute to online transaction processing, electronic funds transfers, supply chain management, computerized data exchanges and automatic data collection.

Increasing the take-up rate of all digital technologies—not only those that support e-commerce—is critically important to ensure the vitality and competitiveness of the economy.

Last fall Minister Clement articulated the government's vision for a digital economy in his interim report. This is a quote:

By 2020, the Harper government sees a Canada that boasts a globally competitive digital economy, characterized by innovation, enhanced productivity, and enduring prosperity—a nation where businesses, communities and individuals have the skills they need to use digital technologies to their advantage and where a globally competitive ICT sector supplies more markets with more innovative products and more new services.

For greater adoption of digital technologies or for e-commerce to be successful, the legal framework governing it must be clear. Industry and consumers alike must understand what is expected of them and what the rules of engagement are. For consumers to engage in the online marketplace, they need to be confident that it is a safe place to shop, that consumer protections are in place, and that personal information is secure.

Minister Paradis confirmed in his speech this May to the 2011 Canadian Telecom Summit that the government is committed to ensuring there is a robust legal framework to increase confidence in and security of online transactions.

Canada's anti-spam law received royal assent in 2010 and is expected to come into force in early 2012. This law will protect Canadian businesses and consumers from the most damaging and deceptive forms of online threats and will deter spammers from operating in Canada. The anti-spam regulations were published last July, and the official consultation period ended on September 7. The department is currently analyzing the input received.

Bill C-11 the Copyright Modernization Act,An Act to amend the Copyright Act was tabled in Parliament last week. The phenomenal popularity of social media and new technologies, such as tablet computers, mobile devices and e-readers, has dramatically changed the way Canadians create and use copyrighted materials.

Copyright modernization allows creators and rights holders to have the tools they need to protect their work and ensure the growth of their companies, especially as Canadians consume and buy more copyrighted material online.

Furthermore, amendments will be made to the Personal Information Protection and Electronic Documents Act under Bill C-12, also tabled last week. One of the main amendments relates to the notification requirement for data breaches. It is an important tool for increasing the security of online markets.

A second prerequisite for e-commerce is access to high speed networks, that is an affordable connection. In order to participate in e-commerce, you have to be connected to the Internet. Therefore, it is clearly in the government's interest to ensure that consumers have enough choice in accessing different affordable Internet services.

In recent years, thanks to government measures to increase competition in the wireless market, Canadian consumers have seen new companies enter the market and have benefited from lower prices and a greater selection of packages.

Increasingly, wireless networks are offering high-speed Internet access and the benefits of a mobile economy. To help meet the increasing demand of Canadian businesses and consumers for access to mobile broadband, Minister Paradis has confirmed that the government will be auctioning off the 700 megahertz spectrum and the 2,500 megahertz spectrum.

The third prerequisite is to increase private sector adoption of digital technologies. Targeted efforts are needed to raise the awareness of businesses, particularly small and medium-sized businesses, of the benefits of adoption. Industry Canada's small-business internship program provides small and medium-sized enterprises with financial support to hire a post-secondary student intern to assist them in their adoption of e-commerce strategies.

The government has taken two additional steps to promote awareness and adoption. In the spring of 2011, the Business Development Bank of Canada announced an array of new efforts to support ICT adoption among small and medium-sized enterprises. The BDC helps firms with web strategies, sales, customer management, and choosing the technologies best suited to the firms' needs.

Budget 2011 also announced the creation of an $80-million pilot project over three years involving the NRC's industrial research assistance program and Canadian colleges, to promote the take-up of advanced digital technologies among small businesses. More details on the pilot will be available once it has been formally launched.

The growth of e-commerce also requires a workforce with the requisite digital skills. In budget 2011, Human Resources and Skills Development Canada will reallocate $60 million over three years to encourage an increase in the number of students enrolled in key disciplines linked to the digital economy.

Citizenship and Immigration Canada also plays a major role by attracting to Canada foreign workers who have the skills to ensure that digital economy and e-commerce thrive, and by encouraging them to stay in the country.

Granting councils have also played a big role over the years by creating research chairs and by financing centres of excellence to face the brand new issues and opportunities.

Promoting the acquisition of digital skills is a responsibility we share with the provinces and industry, which play a leading role. That is why Industry Canada continues to work closely with all of its partners.

Thank you very much for this opportunity to come before you today. I and my colleagues would be happy to take questions at your leisure.