I'm a little tired of transported data flows, because the Open and Shut report in 1987 recommended that we should really be studying transported data flows of personal information, and nothing much was done about it. They commissioned a study, which I didn't get to do. A bunch of scholars at UQAM, Université du Québec à Montréal, did it, and nothing happened legislatively.
I gave a talk about electronic health records in Vancouver on Tuesday afternoon. I was talking about the U.S.A. Patriot Act and what it costs the taxpayers of British Columbia to comply with the special laws that were brought in in British Columbia because of Patriot Act concerns. Contracts that had already existed were grandfathered.
The credit bureau of Equifax, the credit reporting company, to the best of my understanding is in Atlanta. My Visa card every month is processed in Atlanta, and the Privacy Commissioner said that was okay. We actually have massive flows of personal data that we've approved of, that we think make sense. Some of it's now going to India and is being outsourced and all this kind of stuff.
My point is that we have to know what these data flows are. I point out in my paper that I was an advisor to the commissioner on her audit of the Canada Border Services Agency and of the flow of information on us across the border to the Americans. I have a PhD in American history. I taught it for many years. I'm not vaguely anti-American, so that's not where I'm going with this, but we simply can't be handing over our personal information across the border to the Americans without data-sharing agreements about how it's going to be used and for what purposes.
We need a record of what's happening, and that doesn't exist at the moment. The commissioner said her power was limited by the border. The Canada Border Services Agency, if it's going to engage in data exchanges back and forth across the border, should know what they're doing.
Mr. Dhaliwal mentioned the United States. No country in the world has more privacy law than the United States, but nobody has a collection of more meaningless privacy laws than the United States. That's only a small exaggeration. There's no enforcement except in the courts. There's no privacy commissioner in almost any of the American states or federally. The Federal Trade Commission is doing some useful work in consumer rights.
The American model is highly decentralized, very court-driven, very expensive, very difficult to influence. Our data's going over there. We don't know what's happening with it, and nobody's minding the shop. I certainly don't think the director or the president or whatever he is called of Homeland Security is a good custodian of my personal information when he doesn't even think fingerprints are sensitive personal information.