LS-337E
BILL C-54: PERSONAL INFORMATION PROTECTION
Prepared by: LEGISLATIVE HISTORY OF BILL C-54
TABLE OF CONTENTS B. Definitions, Purpose, Application, Schedule 1 References (Clauses 2 to 5) 1. Definitions (Clause 2) C. Exemptions from the Requirement of Knowledge or Consent (Clause 7) 1. Exemptions with Respect to Collection (Clause 7(1)) D. Rules Governing Access to Personal Information (Clauses 8 to 10) 1. Rules regarding Time Limits, the Requirement to Retain
Information, 2. When Access Could Be Refused (Clause 9) E. Filing and Investigation of Complaints, Commissioner’s Report (Clauses 11, 12 and 13) 1. Filing of a Complaint (Clause 11) F. Court Hearing and Remedies (Clauses 14 to 17) G. Other Duties and Powers of the Commissioner (Clauses 18 to 20 and 23 to 26) 1. Audits (Clauses 18 and 19) G. Exclusion of Application of Part 1 within a Province (Clauses 30 and 26(2)(b)) 1. Regulation-making Power of the Governor in Council
(Clause 26(1)) 1. Accountability COMMENTARY:
Amendments to Bill C-54 adopted by House of BILL C-54: PERSONAL INFORMATION
PROTECTION Bill C-54, introduced in the House of Commons on 1 October 1998, was referred to the Standing Committee on Industry after second reading. The Committee held hearings commencing 1 December 1998 and ending 18 March 1999. On 12 April, the bill was reported back to the House of Commons, with 39 amendments. On 19 April, during the report stage, the Minister of Industry proposed 10 further amendments to the bill. Bill C-54 would introduce measures to protect personal information in the private sector, create an electronic alternative for doing business with the federal government and clarify how the courts would assess the reliability of electronic records used as evidence. Bill C-54 is a one of several components of the Canadian Electronic Commerce Strategy announced by Prime Minister Chrétien on 22 September 1998, which is aimed at "recreating in cyberspace the same expectations of trust, confidence and reliability that now exist in everyday commerce." The government’s stated goal is for Canada to become a world leader in electronic commerce by the year 2000; this bill is one of the measures to be used to achieve this goal. The bill contains six parts, the most prominent of which is Part 1, "Protection of Personal Information in the Private Sector." Together with Schedule 1, which contains the CSA Model Code, Part 1 would establish rules governing the collection, use and disclosure of, as well as access to, personal information in the private sector. Part 2, entitled "Electronic Documents," would provide for the use of electronic alternatives where federal laws now contemplate the use of paper to record or communicate information. The other parts would provide amendments to other federal statutes to facilitate the use and legal recognition of electronic documents.(2) Currently, no federal legislation protects personal information in the private sector. The federal Privacy Act provides such protection to the public sector only. Part 1 of Bill C-54 is designed to fill this gap. The Province of Quebec is the only jurisdiction in Canada, and indeed in North America, to have enacted legislation applying to data protection in the private sector. Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, also known as Bill 68, came into force in 1994. Part 1 of Bill C-54 also responds to recent privacy initiatives in Europe. In 1995, the European Union passed its Directive on Data Protection which introduces privacy protection applying to the private sector. The Directive required member countries to adopt national data protection laws that meet the standards of the Directive within three years (by 1998). Notably, Article 25 of the Directive prohibits member countries from transferring personal information to a non-member country or to a business located in a non-member country, if the non-member country’s laws do not provide adequate protection for personal information. The Directive could, therefore, have a negative impact on Canadian businesses engaged in commerce with companies in European Union countries, unless adequate privacy legislation is introduced in Canada. In Canada, a voluntary, private-sector privacy code has already been in place for three years. Under the auspices of the Canadian Standards Association (CSA), from 1992 to 1995 a committee comprising consumer, business, government, and labour representatives developed a code for the protection of personal information. The CSA Code, which is entitled the Model Code for the Protection of Personal Information, sets out ten privacy protection principles with supporting clauses. The CSA Code was approved as a national standard by the Standards Council of Canada and was published in 1996. Bill C-54 incorporates the CSA Code, which is appended as Schedule 1. To the extent that many of the substantive provisions on privacy protection are located in the Schedule rather than in the main body of the bill, Bill C-54 is unusual in design. During the hearings of Standing Committee on Industry, witness testimony focused almost entirely on Part 1 of the bill. The following description of the bill reflects this focus. The new Act would be called the Personal Information Protection and Electronic Documents Act. Part 1 of Bill C-54 contains clauses 2 to 30. The provisions in Part 1 contain definitions, the purpose of Part 1, scope of application, a "purposes limitation" requirement, and the exemptions whereby an organization could collect, use and disclose personal information without the knowledge or consent of the individual concerned. Part 1 also contains provisions regarding access by individuals to their personal information, grounds for refusing an access request, the manner in which a complaint could be brought forward, the Commissioner’s powers of investigation and audit, the Commissioner’s report, court hearing and remedies, other duties and powers of the Commissioner, the regulation and order-making powers of the Governor in Council, "whistleblower protection," an offences and punishment clause, and a transitional clause. B. Definitions, Purpose, Application, Schedule 1 References (Clauses 2 to 5) The most notable definitions in clause 2 are those for "commercial activity," "organization" and "personal information." The definition of "commercial activity" is imprecise, simply providing that commercial activity means "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character." The definition of "organization" is inclusive, stating that an organization "includes an association, a partnership, a person and a trade union." "Personal information" is defined as "information about an identifiable individual but [that] does not include the name, title or business address or telephone number of an employee of an organization." Clause 3 states that the purpose of Part 1 is "to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances." As an interpretive aid to Part 1, clause 3 would appear to require that the rights of individuals to the privacy and security of their information be balanced against the reasonable needs of organizations for information in today’s high-technology and information-based economy. Clause 3 would also require that the purposes for which information was collected, used or disclosed be limited to those that "a reasonable person would consider appropriate in the circumstances." This "reasonable purposes" limitation is also found in clause 5(3). 3. Application of Part 1 (Clause 4) Pursuant to clause 4(1), Part 1 of the bill would apply to organizations in relation to personal information that they collect, use or disclose
However, pursuant to clause 4(2), Part 1 would not apply
Clause 4(3) contains a "primacy clause," whereby the provisions of Part 1 would apply despite any other Act of Parliament, unless that Act declared otherwise. According to an amendment to clause 4(3) introduced by the Minister of Industry at the report stage, the provisions of Part 1 would apply despite any provision, enacted after this clause came into force, of any other Act of Parliament, unless that Act declared otherwise.
4. Provisions referring to
Schedule 1, Including Use of "should"; Division 1 of Part 1 is entitled "Protection of Personal Information" and contains clauses 5 to 10. Clause 5 contains three subclauses, which provide that:
As noted earlier, according to clause 5(3) the purposes for which information could be collected, used, or disclosed would be limited to those that were reasonable. The European Union’s Directive on Data Protection and the Quebec Civil Code contain similar "purposes limitation" provisions, with stronger wording. C. Exemptions from the Requirement of Knowledge or Consent (Clause 7) Clause 7 is a key provision of Part 1. This clause sets out the exemptions under which an organization would be allowed to collect, use or disclose personal information without the knowledge or consent of the individual concerned. Clauses 7(1), 7(2) and 7(3) respectively list the exemptions available regarding collection, use, and disclosure. Each of these three categories of exemption includes an exemption for personal information that is publicly available and is specified by the regulations (clause 7(1)(d), 7(2)(c.1), and 7(3)(h.1) respectively). 1. Exemptions with Respect to Collection (Clause 7(1)) An organization would be exempted from obtaining consent with respect to the collection of personal information only where:
2. Exemptions with Respect to Use (Clause 7(2)) An exemption with respect to use would only be allowed where:
At the report stage, the Minister of Industry introduced an amendment to clause 7(2)(a). The new clause 7(2)(a) would allow an organization to use personal information without consent, where it had reasonable grounds to believe the information could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that had been, was being or was about to be committed, and provided the information was used for the purpose of investigating that contravention. 3. Exemptions with Respect to Disclosure (Clause 7(3)) An exemption with respect to disclosure would only be allowed if disclosure was:
The Minister of Industry introduced three amendments to clause 7(3) at the report stage, which would expand the exemptions for disclosure. The first amendment would allow an organization to disclose personal information to a government institution or part of a government institution that had requested the information, identified its lawful authority to obtain the information, and indicated that:
The second amendment would extend the application of clause 7(3)(d) to government institutions. The newly worded clause 7(3)(d) would allow an organization to disclose personal information to an investigative body, or to a government institution or part of a government institution, where the disclosure was made on the initiative of the organization and the organization
The third amendment would allow for disclosure by investigative body. Specifically, the new clause would allow an organization to disclose personal information where the disclosure was made by an investigative body and it was reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province (clause 7(3)(h.2)).
4. Conditions Attached to the
Exemptions for Statistical, or Scholarly Study or Research An exemption for the use of personal information for "statistical, or scholarly study or research, purposes" would be allowed only if all of the following conditions were met (clause 7(2)(c)): (i) the purposes could not be achieved without using the information; (ii) the information was used in a manner that would ensure its confidentiality; (iii) it was impracticable to obtain consent; and (iv) the organization informed the Commissioner of the use before the information was used. An exemption for disclosure for statistical, or scholarly study or research, purposes would be allowed only if conditions analogous to (i), (iii) and (iv) above were met (clause 7(3)(f)). D. Rules Governing Access to Personal Information (Clauses 8 to 10)
1. Rules regarding Time Limits, the
Requirement to Retain Information, and Costs Clause 8 would provide procedural rules respecting an individual’s request for access to his or her personal information. An organization would be required to respond within 30 days of receiving a request (clause 8(3)), but would be able to extend this time limit:
Under clause 8(4), an organization that extended its time limit would be required to send a notice of extension to the individual, stating the reasons for the extension, and the individual’s right to complain to the Commissioner about the extension. Similarly, an organization that responded within the time limit but refused a request would be required to inform the individual in writing, setting out its reasons and any recourse available under Part 1 (i.e., the right to file a complaint with the Commissioner, pursuant to clause 11(1)). If an organization failed to respond within the time limit it would be deemed to have refused the access request (clause 8(5)). An organization would be able to respond at a cost to the individual only if the individual had been informed of the approximate cost and had advised the organization that the request was not being withdrawn (clause 8(6)). Finally, clause 8(8) would require that an organization that possessed information that was the subject of a request would be required to retain it for as long as necessary to allow the individual any recourse available under Part 1. Clause 10 states the conditions under which an organization would be required to give access in an alternative format, where the individual requesting access had a sensory disability. 2. When Access Could Be Refused (Clause 9) Clause 9 sets out the conditions under which an organization would not be required to provide access to personal information. Clause 9(1) would prohibit an organization from providing an individual with access to information that would reveal personal information about a third party, unless the third party information could be, and was, severed from the record. If the third party consented, however, or if the individual needed the information because an individual’s life, health or security was threatened, the third party prohibition would not apply (clause 9(2)). The Minister of Industry introduced amendments at the report stage which would allow an individual to be informed about, or provided access to, information about
Clause 9(2.2) would require an organization to which clause 9(2.1) applied to notify the institution concerned without delay of the request made by the individual. Under clause 9(2.3), the institution would be required to notify the organization whether or not it objected to the organization’s compliance with the request. The institution could only object if it was of the opinion that the request could reasonably be expected to be injurious to:
If an organization was notified that the institution objected to the organization’s compliance with the request, the organization would be required to refuse the request, to notify the Commissioner of the refusal, and not to disclose to the individual
Pursuant to clause 9(3), an organization could refuse to give access to personal information in the following circumstances:
None of the grounds for refusal under clause 9(3) would be permitted, however, if the individual needed the information because an individual’s life, health or security was threatened. E. Filing and Investigation of Complaints, Commissioner's Report (Clauses 11, 12 and 13) 1. Filing of a Complaint (Clause 11) Under clause 11, a complaint could be brought forward in two ways: by an individual who would file a complaint with the Commissioner, or by the Commissioner on his or her own initiative. An individual would be able to file a complaint against an organization either for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1(7) (clause 11(1)). The Commissioner would be able to initiate a complaint only if satisfied that there were reasonable grounds to investigate a matter under Part 1 (clause 11(2)). Clause 11(3) would require a complaint resulting from a refusal to grant an access request to be filed within six months, or any longer period that the Commissioner allowed. Pursuant to clause 11(4), the Commissioner would be required to give notice of a complaint to the organization. 2. Investigation of a Complaint (Clause 12) The Commissioner would be required to investigate a complaint, and for this purpose would be authorized to do as follows, pursuant to clause 12(1):
Pursuant to clause 12(2), the Commissioner would also be authorized to attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation. In addition, the Commissioner would be authorized to delegate any of the powers set out in subclauses (1) or (2), (clause 12(3)). 3. Commissioner’s Report (Clause 13) Within one year of the filing or initiating of a complaint, the Commissioner would be required to prepare a report, and send it to both the complainant and the organization. According to clause 13(1), the report would contain:
The Commissioner would not be required to prepare a report if he or she were satisfied that:
If a report was not prepared, the Commissioner would be required to inform the complainant and the organization, and provide reasons (clause 13(2)). F. Court Hearing and Remedies (Clauses 14 to 17) A complainant could, after receiving the Commissioner’s report, apply to the Federal Court – Trial Division for a hearing in respect of any matter reported by the Commissioner and that was referred to in any of the clauses listed in clause 14(1).(8) In respect of a complaint that the Commissioner did not initiate, he or she would be authorized to:
The Court would be able, in addition to any other remedies it could give:
The Minister of Industry introduced an amendment at the report stage regarding the disclosure of personal information in a court proceeding pursuant to clauses 14 or 15. Clause 17(2) would require the Court to take every reasonable precaution, including, when appropriate, receiving representations ex parte and conducting hearings in camera, to avoid the disclosure by the Court or any other person of any information or other material that the organization would be authorized to refuse to disclose if it were requested under clause 4.9 of Schedule 1. G. Other Duties and Powers of the Commissioner (Clauses 18 to 20 and 23 to 26) Under clause 18(1), on reasonable notice and at any reasonable time, the Commissioner would be able to audit the personal information practices of an organization if he or she had reasonable grounds to believe that it
The Commissioner’s powers for the purpose of conducting an audit would be identical to those for conducting an investigation. Specifically, the Commissioner would be able to compel and receive evidence and administer oaths, enter an organization’s premises, carry out inquiries, and examine and obtain copies of records containing matters relevant to the audit (clause 18(1)). The Commissioner would also be authorized to delegate any of these powers (clause 18(2)). The Commissioner would be required to provide a report to the audited organization with the findings of the audit and any recommendations (clause 19(1)). Clause 19(2) is particularly notable, in that it would provide the Commissioner with discretion to include an audit report in his or her annual report to Parliament.
2. The Commissioner
Could Make Public the Personal Information Management Practices Clause 20(1) would protect confidentiality in respect of an audit or investigation, by prohibiting the Commissioner or any person acting on the Commissioner’s behalf from disclosing information arising out of the performance of any of the Commissioner’s powers or duties. However, subclauses (2) to (5) would allow for a number of exceptions; the most notable of these (subclause (2)) would allow the Commissioner, where he or she considered it to be in the public interest, to make public any information relating to the personal information management practices of an organization. 3. Consultation with Provincial Authorities (Clause 23) Clause 23 would provide authority to the Commissioner to consult with provincial authorities. Specifically, the Commissioner would be authorized to consult and enter into agreements with any person who, under provincial legislation substantially similar to Part 1, had similar powers and duties. The Commissioner would also be authorized to co-ordinate activities, undertake and publish research, and develop model contracts for the protection of personal information that was collected, used or disclosed interprovincially or internationally. 4. Commissioner’s Public Education Mandate (Clause 24) Clause 24 would give the Commissioner a public education mandate whereby he or she would be required to develop and conduct information programs to foster public understanding of the purposes of Part 1, undertake and publish research related to the protection of personal information, encourage organizations to develop policies and practices including codes of practice to comply with the provisions of Division 1, and promote the purposes of Part 1. Clause 25 would require the Commissioner to submit an annual report to Parliament concerning the application of Part 1, the extent to which the provinces had enacted substantially similar legislation, and the application of such legislation. G. Exclusion of Application of Part 1 within a Province (Clauses 30 and 26(2)(b)) Except where this was in connection with the operation of a federal work, undertaking or business, under clause 30(1), Part 1 would not apply with respect to personal information that was collected, used, or disclosed by an organization exclusively within a province – and whose collection, use or disclosure could be regulated by the legislature of the province. Clause 30(2) would provide that the exclusion of the application of Part 1 within a province would cease to have effect three years after clause 30 came into force. Otherwise stated, under clause 30, Part 1 would initially apply to the federally regulated private sector (for example, the telecommunications, broadcasting, banking, and airline industries) and to federal Crown corporations operating in these areas. Part 1 would also immediately apply to interprovincial and international flows of personal information for commercial purposes. Three years after coming into force, Part 1 would apply more broadly, to cover private sector commercial activities within the provinces. Under clause 27(2)(b), however, the Governor in Council would have the power to exempt an organization, class of organizations, activity or class of activities from the application of Part 1, if the Governor in Council were satisfied that a province had adopted legislation that was substantially similar to Part 1 and applied to the organization, class of organizations, activity or class of activities in question. This exemption would be limited, however, to the collection, use or disclosure of personal information within the province. 1. Regulation-making Power of the Governor in Council (Clause 26(1)) Under clause 26(1), the Governor in Council would be empowered to make regulations:
The Minister of Industry introduced two amendments to clause 26 at the report stage. Under these amendments, the Governor in Council would be empowered to make regulations specifying, by name or by class, what would be considered a government institution or part of a government institution, and what would be considered an investigative body. 2. "Whistleblower" Protection (Clauses 27 and 27.1) A person who had reasonable grounds to believe that another person had contravened or intended to contravene, a provision of Division 1 would be protected, provided he or she notified the Commissioner and requested that his or her identity be kept confidential (clause 27). Where the Commissioner provided an assurance of confidentiality, the whistleblower’s identity would not have to be disclosed. Clause 27.1 would provide protection specifically for employees who, acting in good faith and on the basis of reasonable belief:
or, where the employer believed that the employee would do any of the above actions. The protection provided would be against dismissal, suspension, demotion, discipline, harassment, disadvantage or other denial of a benefit of employment by the employer. Under clause 27.1, the definition of "employee" would include an independent contractor. Clause 28 would provide for a fine for any person who knowingly took action against a whistleblowing employee. Clause 28 would provide for a fine as the penalty for three types of contravention under Part 1, specifically in respect of every person who knowingly:
The amount of the fine would be limited to $10,000 for a summary conviction offence, and $100,000 for an indictable offence. 4. Parliamentary Review (Clause 29) Clause 29 would provide for a review of Part 1 by Parliament every five years. The full title of Schedule 1 is "Principles Set Out in the National Standard of Canada entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96." This code is commonly referred to as the CSA Code. Schedule 1 contains ten overarching principles (Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance), each of which is supported by a number of more specific clauses. Some of the provisions in Schedule 1 contain language not typically found in legislation. While most of the clauses in the Schedule contain the word "shall," thereby imposing an obligation, other clauses are merely explanatory, while still others contain the word "should," reflecting the fact that the CSA Code was originally drafted to provide voluntary, rather than legally mandated, standards. The provisions containing "should" or wording such as " organizations are encouraged to" were intended to provide "best practices" guidance. It is noted, however, that clause 11(1) of Part 1 would allow an individual to file a complaint against an organization for contravening a recommendation set out in Schedule 1. Similarly, clause 18(1) of Part 1 would authorize the Commissioner to audit an organization upon reasonable belief that the organization was not following a recommendation in Schedule 1. It is also noted that a number of the clauses in Part 1 would override, modify, or provide exceptions to some of the clauses in Schedule 1. The most notable examples of legislative override in Part 1 concern Principles 3 (Consent) and 9 (Individual Access), both of which are followed by explanatory notes. However, clause 7(1), (2), (3) and clause 9(1) and (3) of Part 1 would provide exemptions to replace those set out in the explanatory notes. The statements that head each of the ten principles in Schedule 1 are provided below; the clauses and explanatory notes are not included. Principle 1 states that an organization would be responsible for personal information under its control and would have to designate an individual or individuals who were accountable for the organization’s compliance with the following principles. It is noted that clause 6 of Part 1 would elaborate on Principle 1 to say that, by designating an individual under Principle 1, an organization would not be relieved of complying with the obligations set out in Schedule 1. The purposes for which personal information was collected would have to be identified by the organization at or before the time the information was collected. The knowledge and consent of the individual would be required for the collection, use or disclosure of personal information, except where this was inappropriate. The collection of personal information would have to be limited to that necessary for the purposes identified by the organization. Information would be required to be collected by fair and lawful means. 5. Limiting Use, Disclosure and Retention Principle 5 states that personal information could not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. The Principle also states that personal information could be retained only as long as was necessary for fulfilment of those purposes. It is noted that the statement above referring to use or disclosure would be subject to override by clause 7(4) and (5) of Part 1, whereby an organization could use or disclose personal information for purposes other than those for which it was collected, and which are set out in clause 7(2) and (3). Personal information would have to be as accurate, complete and up-to-date as was necessary for the purposes for which it was to be used. Personal information would have to be protected by security safeguards appropriate to the sensitivity of the information. An organization would be required to make specific information about its policies and practices relating to the management of personal information readily available to individuals. Upon request, an individual would have to be informed of the existence, use and disclosure of his or her personal information and be given access to that information. The individual would have the right to challenge its accuracy and completeness and have it amended as appropriate. An individual would be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance. According to clause 32, the stated purpose of Part 2 of Bill C-54 is to provide for the use of electronic alternatives where federal laws contemplate the use of paper to record or communicate information or transactions. This Part would permit federal departments, agencies or other bodies to communicate and deliver services electronically. Enabling and interpretive provisions under Part 2 would introduce a degree of equivalency between paper and electronic formats. A key component of Part 2 is the concept of "secure electronic signature," whereby federal government departments would ensure the integrity and reliability of electronic transmissions. Under the proposed legislation, individual government departments would be able to opt into the legislative scheme when they had developed the appropriate technological and operational capacity to do so. Clause 48(1) of Part 2 would authorize the Governor in Council, on recommendation of the Treasury Board, to make regulations prescribing technologies or processes for defining "secure electronic signature." Other provisions in Part 2 would assist the courts to recognize secure electronic signatures and how they would be used in relation to electronic documents. A related element of the proposed legislation concerns electronic documents used as evidence in legal proceedings. Usually, evidence in the form of an original document is required to satisfy a court that the terms and conditions of an agreement have not been altered since it was signed. This requirement is known as the "best evidence" rule. In the case of electronic documents, however, this rule is difficult to satisfy because the original cannot be distinguished from an amended document and because the document is not authenticated by hand-written signatures. The federal government would, therefore, require the use of secure electronic signatures for electronic documents whenever the law required original documents or statements of truth. Part 3 of the bill would provide amendments to the Canada Evidence Act to give notices and Acts published electronically by the Queen’s Printer the same legal authority as notices and Acts published on paper. Part 3 also contains provisions to clarify how the courts would assess the integrity of an electronic document introduced as evidence. Part 4 would amend the Statutory Instruments Act to allow an electronic version of the Canada Gazette to have official status. Part 5 would authorize the publication of revisions of the statutes and regulations of Canada, as well as the consolidated version of the statutes and regulations, in either print or electronic form. The amendments in Parts 4 and 5 would be brought into force when the appropriate technology was in place for ensuring the integrity of the electronic versions. This commentary focuses on the amendments to Bill C-54 adopted by the House of Commons Standing Committee on Industry. The Committee held hearings on the bill, beginning on 1 December 1998 and ending on 18 March 1999. Sixty groups or individuals appeared before the Committee, including the Minister of Industry, the Minister of Justice, the federal Privacy Commissioner, and two provincial privacy commissioners. Witnesses included representatives from public interest groups, historical research and archival associations, the Canadian Standards Association, the Canadian Bar Association, privacy and constitutional experts, journalists’ and writers’ groups, and health sector groups. Witnesses from the business sector included representatives from the banking, insurance, credit reporting, direct marketing, telecommunications, broadcasting, and information technology industries, and employer and employee associations. During the Committee’s clause-by-clause review of the bill, 39 amendments were carried. The Committee presented the report of its amendments to the House of Commons on 12 April 1999. No significant amendments were made to provisions in Parts 2 to 5 of the bill, and no amendments were made to Schedule 1. A number of significant substantive amendments were made in committee to provisions in Part 1, however; the most notable of these are set out below.
The deletion of the words "that is recorded in any form" could be interpreted as having the effect of broadening the scope of "personal information" to include information that was not in any recorded form, such as DNA or blood samples.
After some witnesses had submitted that this broad exemption left a "gaping hole" in the legislation, clause 7(1)(b) was amended by the Committee and its scope narrowed. Under the amended provision, an exemption with respect to collection would be available if:
As amended, clause 7(1)(b) would provide an exemption where it was necessary to collect personal information without informing the individual concerned, most notably in the circumstance of fraudulent activity. Witnesses representing insurance groups expressed concern about the effect that the amendment to this clause and other related clauses could have on their ability to combat insurance fraud.
(1) As passed by the House of Commons, the full title of Bill C-54 is "An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act." (2) Parts 3, 4, and 5 would respectively provide amendments to the Canada Evidence Act, the Statutory Instruments Act, and the Statute Revision Act. Part 6 contains a coming into force provision. (3) As described further below, Part 1 would apply immediately to interprovincial or international commercial activities, but would not apply to commercial activities exclusively within a province for the first three years after the bill came into force (clause 30). If a province enacted legislation "substantially similar" to Part 1, the Governor in Council would be empowered to exempt organizations or activities within that province (clause 26(2)(b)). (4) The expression "federal work, undertaking or business" is defined in clause 2 and is identical to the definition provided in section 2 of the Canada Labour Code. (5) As noted earlier, paragraph 4(2)(c) would provide an exemption from the application of Part 1 for "journalistic, artistic or literary purposes." The exemption for the collection of personal information in clause 7(1)(c) would ensure that an organization that collected information for, for example, journalistic purposes, and subsequently used this information with consent for a non-journalistic purpose would not be in breach of the bill in respect of the original collection. (6) If the organization were to refuse access on this basis it would be required to notify the Commissioner (clause 9(5)). (7) Therefore, an individual would be able to file a complaint concerning the contravention of a "should" provision in Schedule 1, notwithstanding that clause 5(2) provides that the word "should" in Schedule 1 would not impose an obligation. (8) Clause 14(1) lists the clauses pursuant to which a court application could be made. The list includes the following clauses: clauses 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7, and 4.8 of Schedule 1, clauses 4.3, 4.5 and 4.9 of Schedule 1 as modified by Division 1, and subclauses 5(3), 8(6) and (7) and clause 10 of Division 1. Any of the following issues would therefore provide grounds for a court application:
(9) Clause 4.3.3 provides a minor exception. This clause would prohibit an organization from requiring an individual’s consent for the collection, use or disclosure of information as a condition of the supply of a product or service, beyond that necessary to fulfil explicitly specified, and legitimate purposes. | ||||||||||||||||||||||||||||||||