A BRIEF CONCERNING ASPECTS OF THE ACT TO AMEND THE COMBINES INVESTIGATION ACT BILL C-42
BACKGROUND ON THE COMPANY
Systems Dimensions Limited (SDL) is a Canadian company formed in 1968. SDL is a publicly-owned company with shares traded on the Montreal and Toronto Stock Exchanges. The company is independent, with no single major shareholder.
The shares of SDL are about 99% held in Canada by some 3,300 shareholders from coast-to-coast.
SDL is the major independent supplier of computer services in Canada. It is from this point of view that we are presenting this Brief.
PURPOSE OF THE BRIEF
As an independent Canadian enterprise, SDL is concerned that a state of healthy competition be maintained in the Canadian marketplace. However, SDL is equally concerned about any proposed legislation which will seriously affect its operations in Canada or, in general, encroach on the ability of companies to operate effectively.
We are also concerned about any proposed legislation that may expose individuals or corporations to arbitrary actions by administrative bodies without adequate protection through the Courts for the rights of those individuals or corporations.
In view of the short time allowed for the presentation of briefs, we have largely restricted our comments to those matters that are of immediate relevance to our industry. We have also touched upon some other general matters of concern which, I am sure, will be brought to your attention by many other organizations.
THE CANADIAN DATA PROCESSING SERVICE INDUSTRY
The data processing service industry provides, on a commercial basis, remote and local batch computer time, conversational time-sharing facilities, systems design, analysis programming and implementation of computer-based systems, feasibility studies, consulting and educational services related to computer activities, input services such as keypunching, key-to-tape, optical character recognition, and similar services necessary to the use of computer and/or peripheral equipment.
Statistics Canada indicated that operating revenue for the data processing service industry, by itself, in 1974 amounted to $211 million. There are now approximately 300 firms in the data processing services industry. The industry is clearly highly competitive.
Our concern in this brief is not that the industry lacks competition but, rather, that one particular section of Bill C-42 could have a very serious effect on the development of the industry in Canada. The following comments should put this in perspective:
SECTION 10.2 BUSINESS DATA STORED IN COMPUTERBANK
SUBSECTION (1)
This subsection requires that “every one who stores in a computer databank, wherever situated, data relating to a business carried on by him in Canada and who occupies premises in Canada shall maintain on premises in Canada an extensive record of the data so stored.”
SDL maintains that this is an unwarranted imposition on many businesses. It is an example of a universal regulation that may entail expenses for all corporations when the possibility of such information being required by the Competition Policy Advocate (CPA) is very slight. This is quite unlike the requirements of the Income Tax Act that all companies keep certain minimal records. In the Income Tax case, all companies are, or might be, expected to pay taxes and, therefore, be subject to audit.
It may be that such information is of benefit to the company but this Act makes it an offence not to keep such information.
One might reasonably ask if organizations are required at the present time or under the proposed Act to retain similar records of all other information that might be required from time to time by the CPA, e.g. are companies expected to keep such voluminous records for all their manual files?
Beyond this general point, we are very concerned about the impact of other implications of subsection (1). It is now common practice for organizations to use outside service bureaus for the storage of data. The advantage to our clients is that they are able to share the resources of a very large computer and pay only for the time used. The further implication is, however, that the “data sets” (programs and information records of various kinds) are normally stored on shared devices.
For example, it is common practice for organizations to share magnetic disk files. It is implicit in this process that the security of access to these files is vital, both to the owner of the data sets and to the data servicer organization that is acting as a temporary custodian of the data sets.
Data sets are usually accessible only on the presentation to the computer of a password or other security safeguard. Subsection (1) requiring that all companies commit in hard copy the access codes for their data could compromise the security of such data.
If the passwords leave the possession of the company, then either the files would be insecure or the company would have to change the passwords in which case the information provided to the CPA would be useless.
In summary, we doubt, under Section (1), that the procedure proposed is either necessary or practical.
This subsection requires that anyone who stores in a computer databank, wherever situated, data relating to a business, may be required to provide printouts or other information.
We believe that it is absolutely essential that the Act be clear that this refers to the owner of the data sets and not to the data servicer.
A data servicer’s business depends on the integrity with which he handles a client’s data sets. If a client felt that his data could be arbitrarily investigated or seized by the CPA or anyone else through the data servicer, then the entire data services industry in Canada could be seriously compromised.
The principle must be established that the investigation is a matter between the CPA and the client.
Requests for data must be directed to the company being investigated and not through a third party.
There may be some similarity here between the data services industry and the Post Office. Both organizations act only as temporary custodians of someone else’s information. We are not at liberty to give up that information without our client’s permission any more than the Post Office could turn over mail to a third party.
Our present approach is that nothing less than a Court Order would cause us to release data sets held in trust.
Beyond this fundamental matter of principle, however, are many practical problems:
First, it is not common practice for the data servicer to know the nature of the data being held for the client. The implication of this section of the Bill is that the data servicer could be forced to give up such data. This may be impossible. For example:
• at the customer’s option, data held may be scrambled or otherwise coded
• it is common practice to use passwords not known to the data servicer
• in all likelihood, the format of the data will not be known to the data servicer
The data servicer can usually only determine that a certain number of data sets are being held and the name of the client on whose behalf they are being stored.
Secondly, even if a Court Order were given directly to a data servicer, a “dump” of the data would likely be unintelligible. Considerable work would have to be done to “format” the printout or otherwise analyze the data to make it meaningful.
The costs for dumping, copying, or processing records can be substantial. If special programming is involved to make sense of the data, the costs will almost certainly be non-trivial.
The question of who pays these costs must be addressed. It may be either the CPA or the client. In fairness, it should not be the data servicer.
Thirdly, it should be borne in mind that the acceptance of the computer printout as evidence “without further proof” is a questionable practice. Whatever may be the deeper implications for the common law of evidentiary proof, the practical consideration is that computer data can be accidentally, or purposefully, manipulated by either the investigator or the owner of the data. We point this out because we believe it is an area that requires much deeper examination before the concept is accepted into law.
This section gives the CPA the right to “enter any premises on which the Competition Policy Advocate believes there may be any record or description referred to in Subsection (1)”. Once again, we believe that this extensive ‘search and seize’ approach should be questioned on a matter of principle, as well as practice.
Even with a Court Order allowing the CPA to examine records held in trust by a data servicer, the power of entry as described is not practical. The data servicer is responsible for the safekeeping of the records of hundreds of clients. As noted earlier, these data sets are often stored in the same physical file devices and are accessed through the same computer and communications equipment. The data servicer would, on a matter of principle, have to take steps to protect the security and the availability of other clients’ data regardless of the demands of the CPA for the data belonging to a single client.
There is the implication that ‘other things’ could involve the seizure of an entire disk file containing data for many clients just because that disk file contained data for the client in question. There might even be the implication that a data servicer’s entire computer could be seized under extreme circumstances. Selective copying and other procedures may be an answer, but the broad powers granted to the CPA under this section are simply not reasonable when an outside service organization is the custodian of the data.
There is further the practical problem of actual physical access. Most computer rooms have very strict rules about personnel who may enter. This is for reasons of file integrity, as well as possible damage to the equipment. Further, the physical environment of most computer rooms is rigorous in its needs for air-conditioning, dust control, humidity control, etc.
The granting of the right to enter any premises could lead to the serious disruption of business for both the data servicer and its other clients.
In general, this section gives the CPA authority to “take away for further examination” any description, program, or printout. This raises the question of how the data servicer will be able to continue to fulfill his contractual obligations to provide processing for his clients if some of these items are physically removed.
The question must be resolved as to who would be responsible for the legal consequences of the data servicer being unable to fulfill his contract because of the unavailability of the needed data, e.g. magnetic tapes, punched cards, operating instruction books, etc.
Further, if such items as magnetic tapes or magnetic disks are removed, the responsibility for the physical safety of these magnetic media must be addressed.
BUSINESS NEEDS AN OMBUDSMAN
August 6, 1976
PRESS RELEASE: Toronto, Ontario August 6, 1976. George Fierheller, President of Systems Dimensions Limited of Ottawa, today told a Toronto audience that Canada’s business community needs an Ombudsman.
Mr. Fierheller told the Third International Conference on Computer Communication at its Royal York meeting that “the time has come for those of us who believe in the free market system to establish an Ombudsman to protect the system from encroaching government interference”. Mr. Fierheller realistically noted that for such a position to have any meaning it would have to be given constitutional powers. He further noted that the default option must be to the private sector with government required to justify any moves to take over or closely regulate a new sector of the economy.
The ICCC is a U.S. based council established to foster scientific research, development and applications of computer communications. Previous conferences have been held in Washington D.C. and Stockholm.
Systems Dimensions Limited (SDL) is Canada’s leading independent publicly-owned computer services organization.