Justice Committee on Feb. 8th, 2007

Thank you very much, Mr. Chairman.

Good morning to you, and good morning to all members of the committee. Thank you for allowing me to appear before you today on my private member's bill, Bill C-299. This is with respect to the general issue of protection of personal information.

I want to acknowledge the work of some members on this committee, both in the debate in Parliament—I appreciate that—and also in helping me to move this bill forward.

The purpose of this bill, Bill C-299, is to protect individuals against the collection of personal information through fraud and impersonation. This practice is often known as “pretexting” and is a widespread problem in the growing market for personal information.

This bill aims to close some of the loopholes in Canada's data protection law that allow data brokers to exploit people's personal information for commercial gain.

Specifically, this bill seeks to do three things. First of all, it seeks to make the practice of pretexting illegal through changes to the Criminal Code and to the Competition Act. Second, it seeks to provide a remedy for victims of this kind of invasion of privacy through legal recourse in the courts and compensation. Third, it seeks to tackle the cross-border aspect of pretexting by holding the Canadian affiliates of foreign companies liable for invasions of privacy committed against Canadians.

Mr. Chairman, information is one of the most valuable commodities in the new economy typified by the growing data brokerage industry. Data brokers buy and sell information, usually for commercial or marketing purposes. Sometimes this information is personal. Some of this industry is legal and consensual; however, there is mounting evidence to suggest that many aspects of the data brokerage industry are poorly regulated and that pretexting is a recurring problem.

Broadly speaking, there are two kinds of data brokers with the potential to invade people's privacy. First, there are the larger companies that trade in data, often for commercial or marketing purposes. Much of this is aggregated and not particular to individuals; however, individual information may sometimes be extracted from these databases. Second, a range of smaller companies offer to target individuals for a fee. These companies may simply sell personal information, or they may offer more invasive services, such as private investigation.

At the federal level, as you know, data protection falls under the Personal Information Protection and Electronic Documents Act, known as PIPEDA.

Privacy Commissioner Stoddart submitted a report in May 2006 to the privacy and ethics committee detailing possible improvements to this act. Notwithstanding possible changes to PIPEDA—and I welcome those—there are three major loopholes in Canada's data protection framework.

First, though fraud and impersonation are crimes under the Criminal Code, they do not apply to personal information such as phone records, consumer preferences, or purchases. This bill includes this type of information.

Second, while these actions violate PIPEDA insofar as it says that information cannot be disclosed without express consent of the consumer or a court order, this does not guarantee a remedy. For instance, the commissioner's rulings are not legally binding without a federal court order, and the transgressors are not named. Bill C-299 would change that by making it a crime under the Criminal Code to collect, or to counsel to collect, personal information through fraud, impersonation, or deception.

Third, the Privacy Commissioner has no jurisdiction to pursue complaints outside of Canada. This was a problem in Ms. Stoddart's own case, the case in which her own phone records were obtained by Macleans magazine from a data broker in the United States. This bill would allow Canadian victims of privacy invasion to seek compensation from Canadian affiliates of foreign companies that had invaded their privacy.

Mr. Chairman, I know this bill passed second reading with the support of a majority of the members of the House of Commons, but members at that time raised with me, in a very responsible way, the fact that amendments were needed to this legislation in order to pass it through three readings and through committee stage. I have discussed this with some of you here and I want to indicate that I am very open to amendments, as I was at second reading. I understand there are many concerns regarding elements of this particular bill and that some of you will not support the bill as drafted.

That being said, I believe in the need for this bill to address this issue—one part of privacy, one part of identity theft--and I have undertaken, with members of Parliament and with the offices of both the justice minister and the industry minister, to seek amending advice to improve the bill's effectiveness while alleviating many of your concerns.

So what has been proposed, which I would support as a two-pronged approach, is that this committee entertain significant amendments to tighten the scope of the legislation; and secondly, that a motion be passed referring certain clauses of this bill to the Standing Committee on Access to Information, Privacy and Ethics for consideration under the current legislative review of PIPEDA.

If it is the will of this committee to entertain significant amendments within the scope of the bill, I am informed that the government is prepared to bring forward amendments seeking to, first of all, delete the clauses seeking to amend the Competition Act and the Canada Evidence Act; and secondly, tighten the Criminal Code amendments to criminalize the collection of personal information with the intent of committing fraud or impersonation; the use of deception to obtain personal information from a third party for the purposes of committing fraud or impersonation; and the passing on of personal information of a third party to be used to commit fraud or impersonation.

I certainly welcome comments from the members, but my understanding is that these amendments will address most of the practices currently utilized to obtain, circulate, and execute identity theft and fraud. These amendments, the departments believe, are necessary, as the Criminal Code provisions as currently drafted in this bill might not pass a charter challenge and could also jeopardize current investigative practices used by some of our law enforcement agencies.

I strongly believe in the amendments I have proposed for the Competition Act, Mr. Chairman, but I understand that there are some serious concerns about these. Therefore, I would respectfully ask that the committee refer these to the Standing Committee on Access to Information, Privacy and Ethics, to be studied as part of the PIPEDA legislative review. I have the assurance from both the chair and the vice-chair of that committee that the referral would be welcomed by them.

Mr. Chair, in conclusion, I do want to say that the issue of identity theft is a serious and growing problem in Canada. This bill attempts to deal with one small part of that. I understand that the justice department has been looking at this issue for some time. I welcome that.

I look forward to a more comprehensive piece of legislation to deal with the issue of identity theft in general, but I believe it's important to move forward on this issue in terms of protection of personal information at this time. I would welcome this committee to study this bill and to amend the bill in the fashion I outlined, or I'm certainly willing to entertain any other reasonable amendments.

At this point, Mr. Chairman, I'd like to conclude. I look forward to your comments and the comments from other members of this committee. Thank you.

Thank you, Mr. Rajotte, for your flexibility, your clarity, and your brevity.

Just to recap and clarify, it is your suggestion that you would not object if the committee did not adopt clauses 4, 5, and 6 of the bill. We can't strike them. The House has sent the bill to us. It is your suggestion that the committee not adopt those clause, but actually, in a separate report, refer this subject matter to the other standing committee that deals with privacy matters.

You are correct, Mr. Chairman.

In clause 4, with respect to the Canada Evidence Act, I understand the concerns that have been brought forward.

With respect to the changes to the Competition Act, which are in clauses 5 through 9 of the bill, I'm still of the view that this needs to be looked at seriously, but I don't want that to hold up the changes with respect to the Criminal Code. If this committee so wills it, I'm prepared that we send the intent of those sections to the committee currently conducting the PIPEDA review.

That's very helpful.

Members are not bound by this, but if we took the approach proposed by Mr. Rajotte, we wouldn't have to ask too many questions about clauses 4, 5, and 6 of the bill, if members felt that way. I'm just trying to give some focus. There are still clauses 1, 2, and 3 of the bill, which are the core focus.

I'll go to questions now, if that's all right, looking to Mr. Murphy for the first round.

Thank you, Mr. Chair.

Just to clarify your clarification, it would be clause 4, under the Canada Evidence Act, that Mr. Rajotte is suggesting he won't proceed with, due to charter issues, and he suggests that clauses 5 through 9--or a few more clauses there—should be sent to the ethics committee because they deal with the Competition Act and the interlay with the PIPEDA.

Really, all we're going to talk about here, or ask about, are clauses 1, 2, and 3, dealing with the Criminal Code of Canada. Is that what you were clarifying? Is that right, Mr. Rajotte?

Yes, but that's if it is the will of the committee to send those clauses to the legislative committee on PIPEDA. You're free to ask about the intent of those clauses, but obviously the committee would focus on the first three.

I obviously can't speak for everyone, but I've read all the speeches. I gave a speech myself. To be quite blunt, Mr. Rajotte, it seems to me that the flavour of it all is that clauses 4 through 9 might not have a great chance of success here. However, everybody seems to be excited about the tightening up of the Criminal Code, which you cover in clauses 1 through 3.

Without prejudice, I suppose, to my colleagues on subsequent rounds in terms of discussing how many angels are on the point of the needle with respect to the Competition Act and PIPEDA, I am just going to proceed with Criminal Code talk, if you like.

As you know, Mr. Rajotte, there were a few problems brought up with respect to the Criminal Code amendments. Are you prepared to be specific on your comments about tightening up the Criminal Code? Do you have any specifics on the changes of definitions of things like false pretence under section 361, for instance? Do you have any specifics, or are we going to work our way through this?

Is this subsection 362(1) or 362(3)?

Yes.

With respect to specifics, the first one that was raised with me by the justice department was the fact that we need mens rea, which I believe you and I discussed in Parliament as well. I'm not a lawyer by trade, but my understanding is that we need to add “knowingly” in at least one clause or perhaps two clauses of the bill. I'd obviously rely on legal counsel for that.

The second bit of information that I have to admit I'm not completely certain about is the definition of the term “personal information” in clause 1. In your speech in the House, you had mentioned that perhaps the personal information definition should be broader than the one in PIPEDA. I'm open to a discussion on that. I'm not completely wedded to the definition in PIPEDA. I used it to be consistent with that statute, obviously.

With respect to other issues, there are people who have approached me—not law enforcement agencies, but private investigators and others—and said that they often use this as a method and therefore need some tightening up of the bill in that aspect. What specifically needs to be done in that area I can't say for sure, so obviously I look to the committee. I believe there may be other witnesses coming forward—not only Justice officials, but others—who will have specific amendments on those issues.

As a result of this bill being spoken to, we received a couple of briefs, one from the CBA, which clearly you've read and listened to, because their major concern was that the Competition Act is not really about criminalizing activity but promoting competitive prices, essentially, and choices for consumers. They make other comments about the Criminal Code, and I think you've taken those to heart as well. You and the committee are going to get some help from legislative people, and I think that's great.

There is, however—and I'll call it what it is—a fairly vested interest brief from the private investigators, who talk about pretext. What comments would you have about their position and how you might protect their position as far as it goes? I'll be quite blunt. Many of the case studies that they refer to are indeed laudable goals for the protection of society, both directly and indirectly. But one could see that if your amendments to the Criminal Code aren't strong enough, some of the pretext language could in fact be used to go against the purpose of your bill.

What comments do you have in general about the private investigative association brief?

To talk to you about the CBA brief, frankly I found it very helpful in terms of guidance. The Chamber of Commerce also had some very helpful comments about both the Competition Act and the amendments.

With respect to the bill, my specific direction to the Private Members' Business Office in drafting this was not to impede any law enforcement agencies in any appropriate measures that they may take in their duties. With respect to private investigators, it is a vested interest. Obviously it's their employment; it's what they do. So they're concerned about it from that point of view.

Frankly, I'm unsure as to whether their arguments are valid or not. I've read through the information they sent to me, and perhaps it will be clarified further in committee. But the brief from the Canadian Bar Association, for instance, was very specific about what it found objectionable in the bill and what recourse it wanted changed.

In terms of the private investigators, it seems that some of their changes would almost gut the bill entirely in terms of impersonation or false impersonation. So I am a little concerned about adopting their brief entirely, but I look forward to their being more specific in what they would actually change in the legislation.

They didn't talk much about the Competition Act; it was more about the Criminal Code. But I look forward to their bringing forward specific amendments to the first three clauses of the bill.

Good. That's all I have.

Thank you, Mr. Murphy.

Monsieur Ménard.

Welcome, Mr. Rajotte. Sponsoring a private member's bill is always an important part of our work as a member. Moreover, as I've had occasion to tell my party, I hope we set aside more hours for private members' business, because I believe it's important.

Your bill poses a problem for me. I understand its intent, but I find it hard to understand how you are going to define, for example, personal information. That expression is already defined in another act. Consequently, I think that can be fine for this definition. However, the specific types of offences that you want to create and for which you would like people to be prosecuted aren't clear in my mind.

I'd like you to give us some very specific examples on the subject. We have some fear about the entire matter of telemarketing. Some companies exercise a form of solicitation that is increasingly common in our consumer world, with all the advantages and disadvantages that that entails. I agree that it's not always pleasant to be solicited.

Some private companies use information brokers to conduct telephone solicitations and buy data bases. Explain to us how marketing works and how information is transmitted in that context, and, more specifically, what type of behaviour you want to criminalize.

Monsieur Ménard, that's a very good question, as well as the one you raised in the House about why section 403 of the Criminal Code would not address the problem that I'm raising. The best illustration is the situation in 2005 when Macleans magazine actually obtained the personal phone records of our current Privacy Commissioner from a data broker online—purchased those records. Now, if you look at that as a problem, in my view, obtaining her personal phone records is obviously a serious invasion of privacy. The commercial transaction in and of itself is an issue, but the fact that these records were obtained by someone through fraudulently impersonating someone else as a means to obtain these records is the problem that I looked at. In my view, section 403 did not adequately address this.

So the fact that I could obtain her phone records by presenting myself as someone else, obviously with an intent of either making commercial profit, which is one issue, or using these for instances that may then transgress the Criminal Code—obtaining that personal information was fraudulent, which my intent was to try to stop with this bill.

What exactly happened in the Maclean's case? Telemarketing, telephone solicitation and the people who use data bases containing personal information are not at issue. However, you're saying that Maclean's magazine obtained information. I don't understand the legal aspects of the example you've cited. Be more specific.

Sure, I'll clarify. It's not telemarketers; I hope I didn't use that term. I'm not talking about telemarketers who phone your home and try to sell you a product. It's actually someone who is trying to obtain personal information.

There are data brokers in the United States—in Canada as well—who have aggregate information, and they also have personal information. There are data brokers who obviously obtain information legally and consensually. If I fill out a form and voluntarily check a box and say yes, I want to receive updates or you can share my information with other companies, I have no problem with that whatsoever. My concern is when persons or businesses or whoever try to obtain yours or my personal information by fraudulently impersonating someone else. That is my concern.

What does “impersonate” mean? Give me an example. Is it someone who says he works for Household Finance, when in fact he works for another company? What does “fraudulently impersonate someone” mean, apart from pretending you're Céline Dion when you're Roch Voisine? I can understand that. Give me a specific example of companies that you want to target.

I wouldn't want to name a specific company. For instance, it would in my view be legal and justified if, say, your financial institution calls and says, “Monsieur Ménard, we have a new product that we'd like to inform you about” or ”We'd like to put you on our electronic mailing list” or “We'd like to have you as part of a study. Would you consent to do that?” If you consent to those three things, or more, then they have accurately done that.

If someone phones and says, “Monsieur Ménard, this is your financial institution”, and in fact it is someone who wants your personal information, of any type, to use for their own means or to sell online or to sell to someone else, that is the problem the bill was trying to address. So if someone phones you and says “Monsieur Ménard, I'm from the Bank of Montreal”, and in fact they are not, that is the problem I was trying to address.

Do you know the present extent of this problem in Canada? If your bill had an application and we were to implement it, how could we detect those companies?

All indications I have, both from the business community and individual cases such as Commissioner Stoddart's, are that this is a growing problem in Canada and the United States. Especially with the ease of the Internet and more products being sold online, more personal information being stored and collected, and more personal information being shared, this is an increasing problem that we will have to address. I think it's very much a growing problem.

Implicit in your question is how the bill will address that entire problem. The bill would address collection of information and improper sharing of it, but that's just one of the problems with identity theft.

That's the purpose of the bill. Obviously the bigger issue of identity theft does need to be addressed by a broader piece of legislation.

Do you have the support of consumer associations? If we asked them to appear before us, do you believe they would agree on this bill?

My indication from consumers associations—I don't have any written support with me—is that they would certainly support it. I have a lot of support, as well, for the legislation from companies that deal with information. I would encourage you to call consumer groups before the committee too.