Information & Ethics Committee on Feb. 22nd, 2007

Do I have a little more time, Mr. Chair?

You have one minute.

Like Mr. Pearson, I have smaller businesses as one of my biggest concerns. It became evident very quickly that PIPEDA seemed to be more of an issue with larger corporations than with smaller corporations. In terms of cost, can your office give us some detailed information? We're looking at the small multinationals versus the small businesses. Are we going to have an enforcement problem? I really see that as a looming area of concern--that we are putting big business requirements on small businesses.

On your end of the stick, are we going to have an enforcement problem? Can we have some type of cost analysis breakdown as to what it is going to cost to enforce?

In all these recommendations.

Thank you.

Just to be clear, so we're not talking about apples and oranges and so the committee is clear, your concern on the security issue is paragraph 7(1)(e), which was added by the Public Safety Act. Is that correct?

You want the act to go back to the way it was, which, as I understand, included subsection 7(3), including paragraph 7(3)(c.1), which was added by the committee.

It's paragraph 7(3)(c.1) that the RCMP addressed, not paragraph 7(1)(e).

Do I take it then that you have no problem with subsection 7(3), and in particular paragraph (c.1), remaining in the act, since you're calling for it to be pre-Public Safety Act?

I guess Mr. Van Kesteren then was really asking about your comments on paragraph 7(3)(c.1) that the RCMP and others commented on, namely the words “may disclose”, for example, and the meaning of “lawful authority”.

I'm not going to take up other members' time. I just want to be clear on what we're talking about.

If you want to address that later to someone else's question, possibly mine, we'll do it.

I'll probably ask that question.

We'll now go to Madame Lavallée.

Thank you.

I will come back to my wonderful question. There are some companies that are responsible enough, including those that deal with mutual funds. For the moment, legislation does not require that businesses notify clients. A friend of mine received this type of letter. I do not know if he has the same mutual funds as Mr. Wallace. In the letter, that I saw with my own eyes, this person was told that they simply wanted to let them know that they had more or less lost their personal information, but that the risk due to the loss was not very high.

Nothing is very clear. We are not aware of the consequences of the loss, nor of the theft of which they were a victim. People are not quite sure what to do either. Mr. Wallace decided to throw his notice into the garbage, but some people filed that information in their heads under worry and anguish.

Do you not believe, Ms. Stoddart, that the legislation should oblige all businesses to notify their clients, according to reasonable conditions? I know you put forward some proposals in your document. Let us presume that the consumer's financial security is at stake, that the risk is serious enough. I know that you have the necessary resources to identify such situations. Do you not believe that first and foremost, there should be a duty to notify the client? In this notice—and it would be a good idea to have that formula drafted by the people in your office—the risk that the consumer in question is facing could be clearly set out, along with the lost or stolen information. I think that the client should know that. It is not enough to tell him that a little problem has cropped up.

There should also be the possibility of some remedy. You mentioned that in Quebec, it is possible to launch a class action. The fact remains that the legislation we are discussing here was designed for the consumer who receives this kind of letter at home. When one considers a class action suit, it is not easy to know where to begin. The business should be responsible for specifying the type of remedy. It should also—and it was one of our witnesses that put forward this suggestion, which I found interesting—compensate in whole or in part the damages that were caused. How could that be done? By taking certain steps itself, for example by sending out the kind of fraud warning to businesses that collect credit information. Indeed, taking those kinds of steps themselves represents a lot of work.

In short, should businesses not have that duty?

And they even talk about compensation for the damages caused?

That process will be based on the model you're developing, correct?

Otherwise, we run the risk of ending up with all manner of weird and wonderful permutations.