Skip to content

TRCM - Standing Committee

Transport and Communications

Past Session: Past Session:
41-2 41st Parliament, 2nd Session (October 16, 2013 - August 2, 2015)
Select a different session
 

Proceedings of the Standing Senate Committee on
Transport and Communications

Issue 5 - Evidence, April 29, 2014

OTTAWA, Tuesday, April 29, 2014

The Standing Senate Committee on Transport and Communications met this day at 9:30 a.m. to hear testimony from representatives of BCE Inc. (Bell Canada) and the Privacy Commissioner of Canada regarding the practice of collecting and analyzing data from Bell Canada customers for commercial purposes including targeted advertising.

Senator Dennis Dawson (Chair) in the chair.

[Translation]

The Chair: Honourable senators, I call this meeting of the Standing Senate Committee on Transport and Communications to order. Today will be the first of two meetings regarding the practice of collecting and analyzing data from Bell Canada customers for commercial purposes including targeted advertising.

Our witnesses today are Ms. Chantal Bernier, Interim Privacy Commissioner, the Office of the Privacy Commissioner of Canada; and Mr. Regan Morris, Legal Counsel, Legal Services, Policy and Research Branch, the Office of the Privacy Commissioner of Canada.

[English]

Before I invite Madam Bernier to begin her presentation, I would like to advise all senators that her office has undertaken a review of the practice of Bell Canada and any disclosure of the details of the investigation would breach the Personal Information Protection and Electronic Documents Act. Therefore, we have asked her to appear to speak about the broader question relating to the collection of data from the telecommunications industry as a whole. I ask senators to refrain from requesting any comments on the specifics of this program or on the status of the current investigation.

[Translation]

Chantal Bernier, Interim Privacy Commissioner, Office of the Privacy Commissioner of Canada: Thank you Mr. Chair and members of the committee for your invitation.

Joining me today, as you indicated, Mr. Chair, is Regan Morris, one of our legal counsels. Today I will address the three issues raised in the Committee's invitation, our views on the practices of the telecommunications industry when it comes to protecting personal information, the responsibilities of telecommunications companies in this regard, and, safeguards.

As you know, my Office is responsible for overseeing compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private sector privacy law. Telecommunications companies, therefore, fall under my Office's jurisdiction.

As you remarked, Mr. Chair, we are currently investigating the recent changes to Bell Canada's privacy policy. However, as required under section 20 of PIPEDA, our investigation must be conducted in confidence.

While this means we cannot talk about this investigation specifically, I would like to discuss a few privacy issues as they relate to telecommunications companies.

[English]

A key issue relevant to telecommunications companies' practices arises from advances in technology that often involve organizations using personal information to create detailed profiles of consumers in order to personalize products and services according to inferred interests.

Of course, wanting to know about your customer is nothing new, but what is new is the fact that businesses now have the tools to paint increasingly detailed pictures of individuals.

Telecommunications companies' practices are evolving in the face of competition in the online and digital environment. In the online world, for example, our investigation of Google and online behavioural advertising, which was released last January, revealed a business model that uses personal information of individuals' Internet activities to target advertisements. The more targeted the advertisement is, the more lucrative it is.

Consent in marketing is one area that we have examined over the years. Other practices of telecommunications companies that have raised privacy concerns involve the collection of personal information for verification and authentication, the disclosure of personal information to family members, and the disclosure of personal information to law enforcement.

In the face of complexity and competition in the digital age, transparency and the role of privacy policies are key in ensuring valid consent and individual control of personal information.

Last spring, our office, along with 18 other global enforcement data protection agencies, conducted an online sweep examining the meaningfulness and transparency of privacy policies. The results indicated that many websites had no privacy policies. Some had overgeneralized statements offering no details on how they were using customer information. As a result of the sweep, some of these organizations have improved their privacy policies.

We have published the full list of observations from the sweep on our website, which also includes best practices that were observed.

Telecommunications companies must also have appropriate safeguards to protect consumers from inappropriate access to their personal information. Digital technology has enabled organizations to collect and retain vast amounts of information, which can be vulnerable to security breaches. Robust procedures to authenticate individuals and up-to-date technological measures to protect customer information from attacks are key to protecting personal information.

[Translation]

In addition to investigating complaints and breaches, my Office addresses privacy challenges through a number of other activities. For example, we have developed tools to help businesses benefit from technology while respecting privacy, such as guidelines and a policy position on online behavioural advertising, guidance on household accounts, and guidance on online consent and privacy policies to be issued soon.

Earlier this year, we made recommendations to Parliament to reform existing privacy legislation to require private-sector entities, such as telecommunications companies, to publicly report on their use of provisions under PIPEDA to release personal information to national security entities without court oversight.

I would like to conclude by emphasizing that compliance with privacy legislation does not present a barrier to innovation. The privacy issues that telecommunication companies need to address are challenged by issues such as the changing nature of technology.

Respecting privacy within the technology ecosystem is vital. Addressing transparency, obtaining valid consent, and putting in place appropriate safeguards, are key components of maintaining consumer trust.

I would like to thank the committee again for their time and I am happy to take your questions.

The Chair: Thank you, Ms. Bernier. Senator Housakos will ask the first question.

[English]

Senator Housakos: Thank you to the commissioner for being here this morning, as well as Mr. Morris.

I have a series of questions. The first one is that we have heard critics of Canadian telecommunications companies allege that carriers have more information on users than anyone else, including companies like Facebook and Google, for example. I find this to be a bit of a stretch, given that these global companies have access to details such as users, friends and family, their personal relations, lifestyle, their personal pictures, the specific bands they are interested in, the movies they like or even their career aspirations and skills.

I trust that when you look at this issue, you realize that this is also a competitiveness issue and that our laws and policies should not put Canadian companies at a disadvantage. Do you agree that PIPEDA applies equally to all these companies and should apply in the same way? How do you apply these things to international companies that are outside of our jurisdiction?

Ms. Bernier: You're quite right that the premise of PIPEDA, which is the English acronym for the legislation, is the reconciliation of the right to privacy with an organization's legitimate need for certain personal information to meet its objectives, and that includes the capacity to compete.

PIPEDA applies to all companies equally. If you look at the span of investigations that we have undertaken, they do apply to Facebook. We actually have published the findings of our investigations on Facebook. They apply to Google. We've shown that. But they also apply to small- and medium-sized enterprises.

The great strength of PIPEDA is that it is principles based, which gives at the same time a clear framework to protect personal information and yet a flexible framework. The principles included in Schedule 1 to the act speak of transparency, consent and limitation of use, for example, but they are adaptable to each circumstance. It is clear from the case law interpretation that these principles must be applied and interpreted taking into account the practical realities of business, which is what we do.

Senator Housakos: Many companies who operate in this space are trying to find ways to deliver online ads that could be more relevant to their users and subscribers. Some companies ask their users to opt into their programs, while others give their users the ability to opt out. Yet other companies don't even give their users the ability to opt out. In Facebook's case, I believe that users cannot opt out of the relevant advertising program. Is the fact that Facebook is free the reason why it's okay for Facebook to not have an opt-out option? Fundamentally, how would PIPEDA apply to Facebook, for example, or to Google? Could you explain that to the committee?

Ms. Bernier: It applies as it applies to any company that does business in Canada or that has an impact in Canada. There has to be a substantive link. Obviously, considering the amount of Facebook users in Canada, it does apply, and we have exercised our jurisdiction over Facebook.

In relation to "opt in and opt out," the position of our office is that opt out can be acceptable, provided that it is not on sensitive information. We also feel that it is not adequate for children. There has to be total transparency on the uses of the information so that consumers, individuals, are empowered so that they do know what happens to their information and why.

Senator Housakos: Commissioner, some say it's okay for Facebook to do it because their users don't pay Facebook. Do you think that the price of the service should determine the appropriate level of privacy protection for the user?

Ms. Bernier: Mr. Morris has given me a note that I'd like to elaborate on.

Can you talk about Facebook?

Regan Morris, Legal Counsel, Legal Services, Policy and Research Branch, Office of the Privacy Commissioner of Canada: As to your question as to Facebook, it's true that Facebook doesn't have an opt-out mechanism for all of its advertising. My understanding is that it is part of their terms of service.

One distinguishing factor is that a social network like Facebook is free to join. You can look at the terms of service and decide whether you want to be part of the social network or not, whereas for a lot of Canadians, telecommunications services are a necessity. That might be one distinguishing factor between the two types of services.

Senator Housakos: Can you also tell us what comparable legislation exists in the U.S. when it comes to privacy issues? Do they have anything comparable to PIPEDA? In your opinion, would you say the Americans are as rigid or less rigid than we are? Are there any conclusions we can draw from the United States and other international countries in dealing with privacy issues?

Ms. Bernier: I would say that obviously the United States has a different approach. First of all, they do not have a Privacy Commissioner. The FTC, the Federal Trade Commission, is the body that investigates various trade practices, including that which would be akin to our jurisdiction, which is in relation to deceptive practices that would include deceptive use of personal information. They also have different sectoral laws, rather than one comprehensive law. They have a specific piece of legislation on children.

They have a different approach. They have one that, if I may, I certainly would not want to see Canada emulate, for various reasons. First of all, they do not have an independent body that is specifically mandated with protecting privacy, which I believe is a great strength in our country. Their system is seen as fragmented. I prefer a more comprehensive approach.

Since you were also alluding to other countries, the Europeans also have a different approach from ours in the sense that they have one privacy law for both the public sector and the private sector stemming from an approach that sees privacy as a fundamental human right, whether it is exercised in relation to a private company or in relation to the government. Different principles apply in the sense that necessity is the pivotal notion in relation to the government and consent is the pivotal notion in relation to the private sector. However, they have a comprehensive and some would say more rigid approach to personal information protection.

I may sound nationalistic when I say this. I would put my bias on the table. Obviously, I am a proud Canadian. I believe that the recognition around the world of the qualities of our system, which is at the same time clear and yet flexible, makes me think that we have the right balance in relation to allowing competitiveness, allowing the economy to grow and yet protecting the personal information and privacy of consumers.

Senator Housakos: I'm wondering how much of a black market exchange exists right now in personal information being pedalled by corporations. As much as we are committed as a government to dealing with these privacy issues and making sure that Canadian companies have the capacity to compete from an advertising perspective globally and against some of these global giants, there has to be protection of fundamental privacy issues.

I want to give a specific example. Last October, I was travelling with a parliamentary committee. As we landed at the airport in Zagreb, Croatia, and got off the plane, there was myself and four other colleagues. Within a 15-minute period, we all received a text message from a local company in Zagreb basically saying, "Welcome to Zagreb. If you have any requirements for help while visiting our city, please don't hesitate to call us in terms of identifying outstanding restaurants, hotels and tourist tractions."

I got this and found it very odd. My other colleagues got it. What did we all have in common? We were all under Rogers' system as clients. We were shocked. I found that incredible.

I've looked through the various media releases through the last year and a half, and Rogers in particular has said publicly that they don't engage in any privileged advertising programs and that they do not in any way, shape or form sell their information. Either they are doing it and they don't admit it, or somebody has pirated their system, or there is a leak somewhere.

When something like that occurs, what can we do to deal with issues like that?

Ms. Bernier: You're quite right; that is clearly an issue. More than putting the burden on Canadians, I believe the burden rests on regulators — ourselves and other relevant government regulators. Let me tell you about concrete steps we are taking. The issue you are raising is one of globalized privacy risks and, therefore, the need for globalized privacy protection.

Among the number of steps we have taken, we are co-chairing, with my counterpart in the U.K., a working group on international enforcement cooperation precisely so that data protection authorities come together to face these international threats. For example, with our counterpart in the Netherlands, I co-led the first international investigation of a company. That one was a legitimate company, a U.S. company, but one that still had issues in relation to safeguarding information.

The issue you are raising is coming more and more to the fore. I will point you to recent media reports about a company called Globe24h that is based in Romania and trolls the Internet to pick up particularly embarrassing legal decisions and post them. When the person concerned sees the posting and phones the company, the company says, "Oh, sure we'll take it down for a certain amount of money."

I believe that speaks exactly to the concern you have raised, and I can tell you that that is one of the many examples that have brought us to join forces with other data protection authorities.

I told you about this committee that I'm co-chairing, but I should also mention that we have specific memoranda of understanding with five other countries, being Ireland, the U.K., Uruguay, the Netherlands and Germany, precisely to enable us to exchange information with them and to try to address these global privacy risks in a concerted fashion.

[Translation]

The Chair: I will hand the floor over to Senator Mercer. However, I would like to add that this is one of the reasons why these hearings are so important. They provide you with an opportunity to disseminate this kind of information. I consider it important that Canadians have access to such details on a more regular basis. This is evidence of the interest in this topic.

[English]

Senator Mercer: In your presentation, you talked about the 18 other global enforcement agencies conducting an online sweep examining meaningful transparency. You also say that you published a full list of these observations from the sweep on your website, which also includes best practices that were observed.

Have you gone the next step and measured Canadian companies' compliance with those best practices that you published? Have you looked at the industry and said, "Here are the best practices, but here's where our companies are"?

Ms. Bernier: The results of our sweep are posted, somewhat facetiously, under the good, the bad and the ugly list. So you have the full range of those who were truly exemplary and those that were lackadaisical. Let's say their privacy policies were way too long, not easy to read, not accessible. The ugly was where, for example, there was no privacy policy at all.

In the name of public interest, we actually gave the names of the companies that were particularly problematic and those that were particularly good. In the following weeks, we were happy to see compliance among the ones that were problematic. Some, in fact, clarified their position, and we were comforted by the changes that they made.

Senator Mercer: Did you move them from the ugly column over to the good column?

Ms. Bernier: If you go on our website, yes, there is an account of how we gave them credit for reacting promptly.

Senator Mercer: That's good. I'm glad to see that you are being proactive.

You also indicated that earlier this year you made recommendations to Parliament to reform existing privacy legislation to require private sector industries, such as telecommunications companies, to publicly report on their use of provisions under PIPEDA to release personal information to national security entities without court oversight. How has government responded to your recommendations?

Ms. Bernier: We haven't heard yet. We made our recommendations. We have followed up with a letter to each minister who is particularly concerned with some of the recommendations, hoping to have a response, and we're still waiting to see movement on that.

Senator Mercer: I hope you keep us posted as, obviously, you made serious recommendations. We assume the government will respond seriously.

One problem that we have is the opt-out option. Many customers are told, "If you don't want us to use your information for any of the purposes described above in an agreement, you can opt out," but then it is really unclear to many customers what they're actually opting out of when they choose that opt-out option.

Should you and should others be trying to define what "opt out" really means? When I say I don't want them to use my information, period, I'm assuming that they're not using my information. It's like the National Do Not Call List. When I want to be on the list, I expect not to be called, other than by those groups that are exempt from the list, such as charities and political parties. Should we be going this route?

Ms. Bernier: We are about to issue guidelines on precisely how you get valid consent online. I hear in your questions a lot of the issues that we see. It is technologically complex, so how is the consent valid? The use of the information is multi-layered and implicit, not readily seen. It's invisible. The devices are small. How do you make sure that there's a valid consent expressed in a very small format?

All of these challenges are addressed in these guidelines to help industry to address precisely the issue that you are bringing forward. How do we make sure that when the consumer exercises "opt in" or "opt out," it is meaningful? Those guidelines will address that.

Senator Mercer: How long will it be before those guidelines are available and in effect?

Ms. Bernier: We will release them in May. We have a specific event in May where we will make them public.

Senator Mercer: Good. Thank you very much.

The other issue is with companies where you opt out, but you have a whole bunch of other companies that are part of the stable, if you will, of a larger company. The issue is: If I opt out with company A — I'm not allowed to ask about a specific company; I'm avoiding using the words — those specific companies have, underneath them and affiliated with them, a whole bunch of other companies. It's important that if I'm opting out at the beginning with company A, company Z that's part of their stable also does not have access to that information. Is that true?

Ms. Bernier: That is what a reasonable person would expect, and therefore that is the test that must be met.

Senator Mercer: I am a reasonable person.

Senator Plett: The jury is out on that.

Senator Eggleton: What precipitated this was the specific complaint about Bell Canada, but I understand that you're restrained in your comments on that because of the matter being under investigation by your office. I take it that your broader concern is that all of the players need to be treated in an equal fashion, whether it's Google or Facebook or Rogers or Bell or whoever, and that this issue should apply to all, not just to some. I just wanted to make that clear because it is precipitated by the Bell action here before us.

Let me ask you about these agreements. I think Mr. Morris talked about agreements. When somebody signs on to Facebook, among a lot of other things, they flash this very lengthy, legal-language agreement in front of you. You scroll down, and they ask you to agree or not agree. Does that cover this kind of thing in this particular case? Is it highlighted in any way, or is it just one of the many little legal phrases used in there that they use to send this information to advertisers?

Ms. Bernier: One of the principles that I was referring to that underlies PIPEDA is transparency. Transparency means that the privacy policies must be very clear, readily accessible and therefore detail precisely what the consumer is buying into, so to speak, by offering personal information to a service. It should be made very clear by law. It is a requirement by law.

Senator Eggleton: Most of these agreements are very legal-language, and they cover a lot of things. I'm not sure people would understand all of it.

Ms. Bernier: You're quite right, which is why, when we look at privacy policies, we look at whether they are readable in addition to being accessible technologically.

Further than that, if you look at our report of findings in an investigation on Nexopia, which is a website geared at youth, we drilled down further and said that the language must be accessible to the audience. If you are gearing your audience as youth, then your privacy policies must be written taking into account that this is your audience.

Senator Eggleton: Would it be better to single it out and have it dealt with separately? People have different reasons for wanting to be on Facebook. The way these agreements are read now, you take it all or you're not on at all. Wouldn't it be better to have that part of it singled out?

Ms. Bernier: What do you mean, singled out? I'm trying to see what you're envisaging.

Senator Eggleton: A separate agreement, perhaps, that one could say no to, but still get the other services.

Ms. Bernier: What we want is for the user to have control. That is truly the essence of privacy. It is to have control over the personal information that is collected or used about you. We would want in each circumstance that this control be ensured, and that will depend on the circumstances. For example, on a small device, we will be very specific and say you need to have a very easy opt-out button. For children, you've got to make sure that there is a hyperlink that immediately takes them to a site, and it can be with a little person, a little image, something that will make it clear to the user. You are asking if we should make it separate. Definitely the privacy policy must be a separate hyperlink that is very clear, very accessible and that results in the user remaining in control.

Senator Eggleton: That's good.

These recommendations that you sent, were they sent to the government or to Parliament?

Ms. Bernier: To Parliament, the special report to Parliament. It's called Checks and Controls, specifically on oversight of surveillance in the name of national security.

Senator Eggleton: It doesn't really cover this component of things.

Ms. Bernier: There is one recommendation that refers to the modernization of PIPEDA to create an obligation for private entities to give statistics of the number of requests that they accede to without a warrant to give personal information. Let's say a police service goes to a telecom's company and says, "We have an emergency; we need personal information now; we do not have time to go through a court." The telecom will, indeed, to protect life, for example — we believe these statistics should be made public to give Canadian an idea at least of the scope and nature of those activities without compromising obviously the activities, because all it would be would be statistics.

Senator Eggleton: This is a legislative amendment that is required as opposed to being regulatory?

Ms. Bernier: We would like it to be enshrined in law.

[Translation]

Senator Demers: What are the main concerns of the Office of the Privacy Commissioner of Canada regarding the use of modern information and communication technologies, and of large quantities of consumers' personal information, which is very valuable?

Ms. Bernier: I have a number of concerns. While listening to you, I have been trying to formulate a list of priorities and determine which one takes precedence.

First, your question speaks to the power of technology. A power that creates asymmetry between companies and consumers. Consumers have limited power and sometimes a limited understanding of technology. They relinquish their information to companies that have extremely broad powers to analyse, disseminate and share information. The main concern is the growing asymmetry between consumers' power to protect their information and companies' power to use it.

Another concern — and this has become clear based on our investigation of Google — is that a business model has now been developed around the use of personal information. What we discovered from our investigation of Google — and you will see this in Google's financial report — is that over 90 per cent of its revenue comes from advertising. Moreover, target advertising brings in 2.6 times more revenue than regular advertising and is thus more lucrative — almost three times more lucrative — as non-targeted advertising.

So you can understand the economic incentive of using personal information to conduct targeted advertising. This, in return for "free" Internet access — I say "free" in inverted commas because consumers end up paying for it by surrendering their personal information. This new business model is worrying and really needs to be looked at.

A third area of concern is the vulnerability of technology, as evidenced by the black market. Coming back to Senator Housakos' question, there is the issue of vulnerability, piracy, and also, human error. It is therefore crucial that safeguards be developed to protect against this vulnerability.

Consumers are also faced with an additional layer of complexity, which is worrisome. You mentioned earlier how important it is to provide Canadians with information. It is crucial that Canadians be informed so that they have the tools they need to confront this problem. There is a lot of money to be made from the use of personal information, which obligates us as regulators, as a government, and as policy makers, to ensure that there are appropriate safeguards in place.

Senator Demers: We are speaking today about protecting privacy. You both seem extremely well informed.

A few months ago, somebody said to me: "Jacques, I know where you live. You can see your house on the Internet." We are talking about major violations of privacy. There are people who need protecting. But just how far can we go? You can see my house and my address. Does my question resonate?

Ms. Bernier: Absolutely. When Google developed the program, Google Maps, a number of privacy commissioners around the world voiced exactly the same concerns that you raise today, and ended up securing a number of protections from Google. For example, it was important to ensure that nobody could be identified, or associated with a particular address. And yet, addresses are there; they are easy to find and available to the public. Now, Google has to ensure that it does not reveal any more information than is already accessible through Google Maps.

Senator Demers: This is troublesome for a lot of people who, as you point out, work in the public domain. In any event, I appreciated your answer. Thank you, Mr. Chair.

[English]

Senator Plett: I have one question. You've talked a number of times today about opting out, and you suggested icons for children to opt out of things. Should we not do things the opposite way? If somebody wants something, they opt in rather than opting out? We get stuff all the time, and it says, "If you want to be taken off of this mailing, say you want to be taken off of the mailing." I think I should first rather ask to be put on the mailing list as opposed to having to suggest that I be taken off.

Ms. Bernier: This goes back to, as I said, the premise of PIPEDA, which is to ensure a fair balance between economic growth — allowing organizations to collect what they need to do business — and privacy. Opt in and opt out can be modulated according to that balance. We would not want to see opt out for information that is sensitive. We would want to see a specific, explicit consent for anything that is sensitive and for, as we said, children. However, there are other areas where, taking into account what companies call consumer experience and taking into account the level of sensitivity of the information, we feel that opt out can be accessible. Even then, transparency must be met, and it must be very clear to the consumers what opt out leads to in terms of what is collected, what they are going to do with it and who they are going to share it with. The consumer must be in control of all of that.

Senator Plett: I appreciate that, and I'm sure you're taking this as seriously as you are suggesting. I have no doubt about that. However, I do have a concern, especially when we hear all of the horror stories about what happens with children, that we develop something very clear. I think we should err rather on the side of having to specifically want to get at something. Kids are not going to opt out. They're going to say, "Well, I wonder what that is; let me get a little more information." I even have that problem.

Ms. Bernier: It is absolutely a fair concern, which is why we actually developed guidelines on online behavioural advertising and address exactly the issue of when opt out is acceptable or not, and we specifically mention children. Children should be treated as vulnerable, as they are.

[Translation]

Senator Housakos: Ms. Bernier, as a regulator, it is evident that your primary function is to protect the personal information of Canadians. But do you also make it a point of ensuring that telecommunication companies are able to capitalise on this economic resource? Are the communication lines open between you and the private sector, that is, Canadian companies? This is clearly a substantial economic resource and it is vital, from the government's perspective, that Canadian companies enjoy a competitive environment. We need to find a way of reconciling these two competing interests.

Ms. Bernier: Indeed. My last answer demonstrated the extent to which we consider what companies are looking for when it comes to individuals' experience. To be competitive, it is crucial that these needs be factored in.

If you want to get a sense of what our relationship with the private sector is like, you should also ask the sector itself. From our standpoint, it is a very healthy relationship. And how do we ensure that the relationship remains strong?

For a start, by holding regular meetings with various sectors. For example — and this is removed from the investigative process with telecommunicators — we say to them, "Here is what we have observed. What are your thoughts? How are you handling this particular issue?" It involves nurturing an ongoing relationship that goes beyond the matter of specific cases of compliance.

Secondly, by showing that we are receptive to their needs. Receptive to what the act stipulates: that their business needs be taken into account.

Thirdly, by enforcing the act, in a pragmatic way, by considering only what is feasible.

Consider, for example, investigations that have attracted widespread media attention, such as the investigation into Google and its online advertising, a story that broke on January 15. You may have noticed that Google cooperated with us. Google was receptive as a result of truly constructive dialogue. Why? Well, for a start, companies realise that protecting privacy gives them a competitive edge. Our surveys show that this is not only true in Canada, but also worldwide. Consumers want to do business with companies that protect privacy. In fact, consumers say they have shunned companies known for not adequately protecting privacy.

We continue to strive, and to engage in dialogue with these companies, with the common goal of protecting personal information, a concept that is integral to any dynamic and modern economy.

Senator Housakos: Are there tools that you do not have, which you need to meet this challenge? Also, could you please share your thoughts on Bill S-4?

Ms. Bernier: Absolutely. In terms of tools that are wonting, let me reiterate what I said to Senator Demers earlier. The asymmetry that has developed between consumers, individuals, and big corporations can only be rectified, in our opinion, by according tremendous power to regulators that can then address the asymmetry.

Bill S-4 expands our powers. First, it gives us one year, rather than 45 days, to refer an investigation to the courts. This is far more realistic in terms of our investigatory timeline, which is very complex and, as a result, time consuming.

Our authority to appoint a nominee in the public interest has also been expanded. In the words of the chair, that gives consumers the tools they need. By extension, it is a power that enables us to actually make a difference.

Third, Bill S-4 responds to another demand to enshrine in law the possibility to enter into agreements, thereby enabling companies to show how responsible they are. For instance, were a company found to have breached a provision of the act, it would be asked to conduct, within one year, for example, an audit demonstrating that it had implemented all of our recommendations. This provision would be enshrined in law were Bill S-4 enacted. Those are three examples of additional powers that assist us.

There is another provision in Bill S-4 that accedes to demands we have been making for many years requiring companies to report an intrusion or an incident. We believe that this provision strengthens the privacy protection regime in Canada.

Senator Housakos: Thank you very much, Ms. Bernier.

The Chair: Thank you, senator.

[English]

Ms. Bernier, Mr. Morris, thank you very much for your presentation.

Tomorrow, we will be receiving as witnesses the representatives of Bell Canada on this issue.

Over the next month we will be studying, in a pre-study, Bill C-31. The Motor Vehicle Safety Act will be sent to us. Railway Safety Act amendments will be sent to us. Transportation of dangerous goods will be sent to us, as will roaming charges for phone companies and, finally, the bridge from Montreal. All of these items will be sent to us, so most of the month of May will be spent studying those issues. We will get back to the CBC/Radio-Canada legislation after that, depending on where we are at that time.

Senator Mercer: On a point of clarification, I appreciate Ms. Bernier's difficulty in addressing questions to specific companies because of her position and ongoing investigation. I assume that we will be able to be specific in our discussions with the witnesses tomorrow evening.

The Chair: I would imagine that Bell will not be talking, in particular, about the case of the complaint. They will be talking about the issue of data collection, not of a complaint that was made against them.

Senator Mercer: It is kind of hard to separate them.

The Chair: After that meeting, we will have to decide what we want to do about the subject.

Tomorrow night, we have Bell, and then, after that, we will be studying, until adjournment in June, the pre-study of the budget.

(The committee adjourned.)

Back to top