Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: (a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; (b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; (c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; (d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and (e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

January 29th, 2019 / 3:45 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

Good afternoon, everybody. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in internet and e-commerce law and am a member of the Centre for Law, Technology and Society.

My areas of speciality include digital policy, intellectual property and privacy. I served for many years on the Privacy Commissioner of Canada's external advisory board. I have been privileged to appear many times before committees on privacy issues, including on PIPEDA, Bill S-4, Bill C-13, the Privacy Act and this committee's review of social and media privacy. I'm also chair of Waterfront Toronto's digital strategy advisory panel, which is actively engaged in the smart city process in Toronto involving Sidewalk Labs. As always, I appear in a personal capacity as an independent academic representing only my own views.

This committee's study on government services and privacy provides an exceptional opportunity to tackle many of the challenges surrounding government services, privacy and technology today. Indeed, I believe what makes this issue so compelling is that it represents a confluence of public sector privacy law, private sector privacy law, data governance and emerging technologies. The Sidewalk Labs issue is a case in point. While it's not about federal government services—it's obviously a municipal project—the debates are fundamentally about the role of the private sector in the delivery of government services, the collection of public data and the oversight or engagement of governments at all levels. For example, the applicable law of that project remains still somewhat uncertain. Is it PIPEDA? Is it the provincial privacy law? Is it both? How do we grapple with some of these new challenges when even determining the applicable law is not a straightforward issue?

My core message today is that looking at government services and privacy requires more than just a narrow examination of what the federal government is doing to deliver the services, assessing the privacy implications and then identifying what rules or regulations could be amended or introduced to better facilitate services that both meet the needs of Canadians and provide them with the privacy and security safeguards they rightly expect.

I believe the government services really of tomorrow will engage a far more complex ecosystem that involves not just the conventional questions of the suitability of the Privacy Act in the digital age. Rather, given the overlap between public and private, between federal, provincial and municipal, and between domestic and foreign, we need a more holistic assessment that recognizes that service delivery in the digital age necessarily implicates more than just one law. These services will involve questions about sharing information across government or governments, the location of data storage, transfer of information across borders, and the use of information by governments and the private sector for data analytics, artificial intelligence and other uses.

In other words, we're talking about the Privacy Act, PIPEDA, trade agreements that feature data localization and data transfer rules, the GDPR, international treaties such as the forthcoming work at the WTO on e-commerce, community data trusts, open government policies, Crown copyright, private sector standards and emerging technologies. It's a complex, challenging and exciting space.

I would be happy to touch on many of those issues during questions, but in the interest of time I will do a slightly deeper dive into the Privacy Act. As this committee knows, that is the foundational statute for government collection and use of personal information. Multiple studies and successive federal privacy commissioners have tried to sound the alarm on the legislation that is viewed as outdated and inadequate. Canadians understandably expect that the privacy rules that govern the collection, use and disclosure of their personal information by the federal government will meet the highest standards. For decades we have failed to meet that standard. As pressure mounts for new uses of data collected by the federal government, the necessity of a “fit for purpose” law increases.

I would like to point to three issues in particular with the federal rules governing privacy and their implications. First is the reporting power. The failure to engage in meaningful Privacy Act reform may be attributable in part to the lack of public awareness of the law and its importance. Privacy commissioners played an important role in educating the public about PIPEDA and broader privacy concerns. The Privacy Act desperately needs a similar mandate for public education and research.

Moreover, the notion of limiting reporting to an annual report reflects really a bygone era. In our current 24-hour social media-driven news cycle, restrictions on the ability to disseminate information—real information, particularly that which touches on the privacy of millions of Canadians—can't be permitted to remain outside the public eye until an annual report can be tabled. Where the commissioner deems it in the public interest, the office must surely have the power to disclose in a timely manner.

Second is limiting collection. The committee has heard repeatedly that the Privacy Act falls woefully short in meeting the standards of a modern privacy act. Indeed, at a time when government is expected to be the model, it instead requires less of itself than it does of the private sector.

A key reform, in my view, is the limiting collection principle, a hallmark of private sector privacy law. The government should similarly be subject to collecting only that information that is strictly necessary for its programs and activities. This is particularly relevant with respect to emerging technologies and artificial intelligence.

The Office of the Privacy Commissioner of Canada, which I know is coming in later this week, recently reported on the use of data analytics and AI in delivering certain programs. The report cited several examples, including Immigration, Refugees and Citizenship Canada's temporary resident visa predictive analytics pilot project, which uses predictive analytics and automated decision-making as part of the visa approval process; the CBSA's use of advanced analytics in its national targeting program with passenger data involving air travellers arriving in Canada; and the Canada Revenue Agency's increasing use of analytics to sort, categorize and match taxpayer information against perceived indicators of risks of fraud.

These technologies obviously offer great potential, but they also may encourage greater collection, sharing and linkage of data. That requires robust privacy impact assessments and considerations of the privacy cost benefits.

Finally, we have data breaches and transparency. Breach disclosure legislation, as I'm sure you know, has become commonplace in the private sector privacy world and it has long been clear that similar disclosure requirements are needed within the Privacy Act. Despite its importance, it took more than a decade in Canada to pass and implement data breach disclosure rules for the private sector, and as long as that took, we're still waiting for the equivalent at the federal government level.

Again, as this committee knows, data indicate that hundreds of thousands of Canadians have been affected by breaches of their private information. The rate of reporting of those breaches remains low. If the public is to trust the safety and security of their personal information, there is a clear need for mandated breach disclosure rules within government.

Closely related to the issue of data breaches are broader rules and policies around transparency. In a sense, the policy objective is to foster public confidence in the collection, use and disclosure of their information by adopting transparent open approaches with respect to policy safeguards and identifying instances where we fall short.

Where there has been a recent emphasis on private sector transparency reporting, large Internet companies, such as Google and Twitter, have released transparency reports. They've been joined by some of Canada's leading communications companies such as Rogers and Telus. Remarkably, though, there are still some holdouts. For example, Bell, the largest player of all, still does not release a transparency report in 2019.

Those reports, though, still represent just one side of the story. Public awareness of the world of requests and disclosures would be even better informed if governments would also release transparency reports. These need not implicate active investigations, but there's little reason that government not be subject to the same kind of expectations on transparency as the private sector.

Ultimately, we need rules that foster public confidence in government services by ensuring there are adequate safeguards and transparency and reporting mechanisms to give the public the information it needs about the status of their data and appropriate levels of access so the benefits of government services can be maximized.

None of that is new. What may be new is that this needs to happen in an environment of changing technologies, global information flows and an increasingly blurry line between public and private in service delivery.

I look forward to your questions.

May 4th, 2017 / 3:30 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you very much, Mr. Chair.

Ladies and gentlemen of the committee, thank you for the opportunity to appear before you to discuss the 2017-18 Main Estimates.

In the time allocated, I will first discuss the sustained demands on our office and the management of our financial resources. Secondly, I will talk about our policy agenda for this coming year.

In recent years, the Office of the Privacy Commissioner of Canada has maintained its efforts to find efficiencies and make optimal use of existing resources of slightly more than $24 million to be as effective as possible in addressing the privacy risks of an increasingly technological world.

Fiscal year 2017-18 will be no exception. Amidst competing demands, we will not lose sight of our mandate: ensuring that the privacy rights of Canadians are respected and that their personal information is protected.

In 2017-18, we will continue to fulfill our core mandate, which includes conducting investigations, examining breach reports, undertaking audits, reviewing privacy impact assessments or PIAs, providing guidance to individuals and organizations, and offering advice to parliamentarians.

On the investigations side, we have become more efficient in part through increased use of early resolution to find appropriate solutions. In 2015-16, 38% of complaints were resolved in this manner under the Privacy Act and 50% under the Personal Information Protection and Electronic Documents Act or PIPEDA. As a result, our response time on average was seven months for both public-sector and private-sector complaints.

However, the number of complex files is growing, which is creating a backlog of complaints that are not resolved after 12 months. In the coming year, I intend to devote temporary resources to address this situation.

In 2015-16, we received 88 new PIAs and completed 73 PIA reviews, in addition to opening 13 new consultation files. As you know, we would like to receive more PIAs and draft information sharing agreements, as we believe reviewing programs upstream is a good way to mitigate privacy risks.

In addition, we are taking steps to prepare for the coming into force of the breach provisions of Bill S-4. These new provisions will require private-sector organizations to report certain breaches to my office.

Public education and outreach are important activities to ensure Canadians are empowered to exercise their privacy rights and organizations are able to comply with their obligations. Last year, we revamped our website both in its structure and content to make it more user-friendly. This year, we will continue to update its content to provide helpful advice to Canadians.

We will continue to offer guidance to specific industry sectors deemed to be in need of greater privacy awareness, as well as vulnerable groups such as youth and seniors. We will also provide new guidance for individuals, and we will continue to advance our privacy priorities on issues such as online reputation, the body as personal information, the economics of personal information, and government surveillance.

Despite these efforts, we need to do much more to ensure that privacy rights are truly respected, a key condition for consumer trust and growth in the digital economy. Our goal is to complete all investigations within a reasonable time, to engage in some proactive enforcement, to give proactive advice to government, and to issue research-based guidance on most current and upcoming privacy issues.

In my annual report to be tabled in September, which will include our conclusions on improvements to the consent model and recommendations to amend PIPEDA, I will be able to bring more specificity to our compliance and proactive strategies. This, in turn, will inform a discussion on what might be an appropriate level of investment in OPC activities for the next few years.

I will now turn to some of the policy issues that we're seized with.

First is consent. Last May, my office released a discussion paper on issues related to privacy and consent. We then, through an extensive consultation process, sought input from industry, privacy experts, and Canadians. As mentioned, our final report will be released in September, and we will then work to implement the chosen solutions.

Second is online reputation. My office has also launched a consultation and call for submissions on the issue of online reputation as part of our efforts to address one of our strategic privacy priorities: reputation and privacy. We will share our policy position on online reputation before the end of the calendar year.

Third is legislative reform. My office has long stressed the need to modernize Canada's legal and regulatory frameworks. While the introduction of Bill S-4 was a positive development, Canada's federal private sector privacy law is now more than 15 years old. Technology and business models have changed. Our work on both consent and reputation will help inform the recommendations we will make to Parliament on reforming the law.

On the public sector side, I would like to express my gratitude to members of this committee for supporting my office's recommendations for modernizing the Privacy Act. My office now looks forward to participating in the government's review of the act to ensure that it meets the needs and expectations of Canadians, and in our view this work should proceed without delay.

On government surveillance, issues related to government surveillance will also form an important part of our policy agenda in the coming year. We note your recent report on SCISA, and we thank you for it. We also note the report just made public by SECU, the committee on national security, which also touched on information sharing under SCISA. We now await the measures the government will put forward to modify Bill C-51 to ensure that Canada's national security framework protects Canadians and their privacy.

We also have a number of investigations related to national security and government surveillance, and we are seeing heightened concerns from Canadians about privacy protections at the border and in the United States. Further to the adoption by President Trump of executive order 13768 of January 25, which deals with security in the interior of the United States, I had written to ministers to ask for confirmation that administrative agreements previously reached between Canada and the U.S. will continue to offer privacy protection to Canadians in the United States. Upon receipt of the government's response, which I expect shortly, I will inform Canadians of my conclusions.

In closing, to face the sustained volume but increased complexity of our work, we will continue this year to make the most efficient use of our resources as we have tried to do in the past.

Thank you, Mr. Chair. I look forward to questions from the committee.

March 21st, 2017 / 4:15 p.m.

Dr. Michael Geist Canada Research Chair in Internet and E-commerce Law, Professor of Law, University of Ottawa, As an Individual

Thanks.

Good afternoon. My name is Michael Geist. I'm a law professor at the University of Ottawa where I hold the Canada research chair in Internet and e-commerce law. I appear here today in a personal capacity representing only my own views.

There's a lot that I would like to discuss given more time: stronger enforcement through order-making power; the potential for Canada's anti-spam legislation to serve as a model, at least on the issues of tougher enforcement and consent standards; and the mounting concerns with how copyright rules may undermine privacy. But given my limited time, I'll focus at least for these opening remarks on three issues: privacy reform pressures, consent, and transparency.

First, on the issue of reform, I had the honour of appearing before both the House and Senate committees on Bill S-4, which was ostensibly the effort to update PIPEDA by implementing recommendations that were first made in 2006. At the time it was obvious that further changes were needed. In fact, the ongoing delays in implementing even aspects of that bill, security breach notification, for example, show how painfully slow the process of updating Canada's privacy laws has been.

I believe there's an increased urgency to address the issue. You've already heard from some and may hear from others about developments in Europe with the GDPR, which could threaten Canada's adequacy standing with European privacy officials.

But there's another international development that I think could have a significant impact on Canadian privacy law that bears attention. That's our trade deals and trade negotiations. The upcoming NAFTA renegotiations seem likely to include U.S. demands that Canada refrain from establishing so-called data localization rules that mandate the retention of personal information on computer servers located in Canada. Data localization has become an increasingly popular policy measure as countries respond to concerns about U.S.-based surveillance and the subordination of privacy protections for non-U.S. citizens and residents under the Trump administration.

Now, in response to those mounting concerns, leading technology companies like Microsoft, Amazon, and Google have established or committed to establish Canadian-based computer server facilities that can offer up localization of information. Those moves follow on the federal government's own 2016 cloud computing strategy that mandated that certain data be stored in Canada.

If we look at the Trans-Pacific Partnership, the TPP, we see that it included restrictions on the ability to implement data localization requirements at the insistence of U.S. negotiators. It seems likely that those same provisions will resurface during the NAFTA talks.

So too, I would argue, will limitations on data transfer restrictions which mandate the free flow of information on networks across borders. Those rules are unquestionably important to preserve online freedoms in countries that have a history of cracking down on Internet speech. But in a Canadian context they could restrict the ability to establish privacy safeguards. In fact, should the European Union mandate data transfer restrictions, as many experts expect, Canada could find itself between the proverbial privacy rock and a hard place, with the European Union requiring restrictions and NAFTA prohibiting them.

Secondly, I want to focus on consent. As you know, privacy laws around the world differ on many issues, but they all share a common principle: collection, use, and disclosure of personal information requires user consent, an issue that has become increasingly challenged in a digital world where data is continuously collected and can be used for a myriad of previously unimaginable ways.

Now, rather than weakening or abandoning consent models, I believe the Canadian law needs to upgrade its approach by making consent more effective in the digital environment. There's little doubt that the current model is still too reliant on opt-out policies in which businesses are entitled to presume that they can use their customers' personal information unless those customers inform them otherwise. Moreover, cryptic privacy policies often leave the public confused about the information that may be collected or disclosed, creating a notion of consent that is largely fiction not fact.

How can we solve some of the problems with the current consent-based model? I'd identify at least four proposals. First, we should implement an opt-in consent approach as the default approach. At the moment, opt-in is only used where strictly required by law or for highly sensitive information, such as health or financial data. That means that the vast majority of information is collected, used, and disclosed without informed consent.

Second, since informed consent depends upon the public understanding how their information will be collected, used, and disclosed, the rules associated with transparency must be improved. The use of confusing negative-option check boxes that leave the public unsure about how to exercise their privacy rights should be rejected as an appropriate form of consent. They never know if they should be clicking or unclicking a box to protect their privacy.

Moreover, given the uncertainty associated with big data and cross-border data transfers, new forms of transparency and privacy policies are needed. For example, algorithmic transparency would require search engines and social media companies to disclose how information is used to determine the content displayed to each user. Data transfer transparency would require companies to disclose where personal information is stored and when it may be transferred outside of the country.

Third, effective consent means giving users the ability to exercise their privacy choices. Most policies are offered on a “take it or leave it” basis, with little room to customize how information is collected, used, and disclosed. Real consent should mean real choice.

Fourth, stronger enforcement powers are needed to address privacy violations. The rush that we saw in Canada to comply with Canada's anti-spam laws was driven by the inclusion of significant penalties for violation of the rules. Canadian privacy law today is still premised largely on moral suasion or fear of public shaming, not tough enforcement backed by penalties. If we want the privacy rules to be taken seriously, there must be serious consequences when companies run afoul of the law.

Finally, I'll say a word on transparency and reporting. As many of you will know, in recent years, the stunning revelations about requests and disclosures of the personal information of Canadians—millions of requests, the majority without court oversight or warrant—point to an enormously troubling weakness in Canada's privacy laws. Simply put, most Canadians have no awareness of these disclosures and are shocked to learn how frequently they occur.

There's been a recent emphasis on private sector transparency reporting. Large Internet companies such as Google and Twitter have released transparency reports. Twitter released their 10th annual report today, and they've been joined by some of Canada's leading communications companies, such as Rogers and Telus.

Despite the availability of a transparency reporting standard that was approved by the government and the Privacy Commissioner, there are still some holdouts. The problem lies with the non-binding approach with respect to transparency disclosures.

I obtained some information under the Access to Information Act, and learned that after an industry-wide meeting organized by the Privacy Commissioner in April 2015, Rogers noted the following:

It was indicated at this meeting that any guidelines adopted would fall short of regulation, but would be regarded as more substantive than voluntary guidelines.

Yet, if the non-regulatory approach does not work, it falls to either the federal Privacy Commissioner or the government to take action.

The most notable company to refrain from meeting these transparency standards is Bell Canada, Canada's largest telecommunications company. Bell initially claimed that it was waiting for a standard from the Privacy Commissioner, but now, almost a year after that standard has been released, they still have not released the transparency report. Millions of Canadians still don't know when, under what circumstances, and with what frequency Bell discloses their subscriber information. In my view, that's simply unacceptable.

If the current law doesn't mandate such disclosures there is a problem with the law, and reform requiring transparency disclosures with real penalties for failure to do so is needed. I don't need to tell you that scarcely a day goes by without some media coverage of a privacy-related issue. I think it is clear that the public is concerned with their privacy, and it is also clear that the business community has come to recognize the value of personal information. It is time for the law to catch up.

I look forward to your questions.

February 16th, 2017 / 5:05 p.m.

Executive Director, B.C. Freedom of Information and Privacy Association

Vincent Gogolek

Federally, we would be looking for something stronger than what's currently in PIPEDA, but of course there is breach notification right now as a result of Bill S-4 from the last Parliament.

February 16th, 2017 / 4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That's part of Bill S-4, which will come into force soon.

October 4th, 2016 / 12:05 p.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

In a recent presentation I made I highlighted some of the shifts in moving from being regulated to being a regulator. It's been an interesting learning curve for me and I've become more sensitive to some of the issues.

Specifically I'll talk about mandatory breach notification. When I was in the private sector, we worked very hard to come up with voluntary breach notification guidelines, and we worked with the privacy commissioners across the country to implement those as guidelines for organizations. I now see those embodied in the federal privacy legislation, Bill S-4. When the regulations are implemented, we will see that for federal private sector organizations. We see it in Alberta, and we've recommended it in B.C., and the B.C. government has accepted that.

What was once voluntary in the private sector is now becoming the de facto standard of being mandatory. We also note that in Europe the general data protection authority has come out to indicate that mandatory breach notification is required. I'll also note that they've taken a few steps further than that, and it's going to be significant for Canada to continue to be substantially similar with the requirements of GDPR for the free flow of information as it relates in the private sector for organizations that operate multinationally.

October 4th, 2016 / 11:25 a.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

Thank you very much for the invitation.

My office provides independent oversight and enforcement over B.C.'s access and privacy laws. The enforcement and oversight extends to over 2,900 public bodies, including ministries, local governments, schools, crown corporations, hospitals, municipal police forces, and more. They're subject to B.C.'s public sector privacy law, the Freedom of Information and Protection of Privacy Act or FIPPA.

It extends to over 380,000 private sector organizations, including businesses, charities, associations, trade unions, trusts, and more that are subject to B.C.'s Personal Information Protection Act or PIPA.

Today I am going to focus my comments on three areas that are part of the deliberations of this committee to which the B.C. experience may be informative: commissioners' order-making powers, an explicit obligation to safeguard personal information, and mandatory breach notification. Under order-making power and mediation and consultation, in British Columbia the mandate of the office includes the promotion of access and privacy rights, public education, advice to public bodies and businesses, investigation of complaints, mediation, and independent adjudication. These functions are complementary, and in my opinion, best delivered under one roof. It would be extremely difficult for another administrative tribunal or court to attain the same level of expertise and provide for efficient and timely resolutions for citizens.

Privacy and access to information issues are dynamic in the modern digital world. It's in the interests of organizations, individuals, and public bodies that the individuals making legal and binding decisions have the requisite skills and up-to-date knowledge about what is happening on the ground. Having the responsibility for adjudication plus advocacy, education, and investigation ensures the necessary expertise in the law. Our adjudicators receive the same technical training and professional development as our investigators, and are routinely exposed to new technologies, emerging ideas, and global trends affecting privacy and access to information law.

Combining the investigation and adjudication into one office provides clear benefits to citizens. Combining those provides one-stop shopping for citizens. This clarity and convenience is important. There is no confusion about which oversight agency or tribunal citizens need to direct their complaint to. They need merely to address our office. Citizens don't feel as though they are caught in or bounced around an unnecessarily bureaucratic system.

We have not found that the public education or the advisory functions of a commissioner pose a risk of undermining the adjudicative function. We do take steps to protect the integrity of the adjudication process. For example, no information about investigative files or attempts at informal resolution is ever disclosed to the adjudicators. The adjudicators do not report to the same supervisor, and they are not located on the same floor as the investigators.

When providing the public with advice and consultation, we clarify that our view is based on the information provided at the time, and that it is not binding on the commissioner with respect to making a formal finding in the event that we receive a future complaint.

In our consultations, we communicate about general principles and recommend best practices without prejudging individual cases. We are able to perform these various roles effectively because our legislation also explicitly gives us these powers and spells them out in detail.

Adjudication enhances our ability to resolve issues through mediation. The adjudicative function lends greater authority to our investigators by focusing the minds of the parties, and it provides an incentive to both parties to avoid formal adjudication. As a result, we resolve 90% of our complaints and reviews in mediation. In the last year we had 1,056 complaints and requests for review, of which only 109 went to inquiry. Of those that went to inquiry, only a little over 1% were judicially reviewed.

The fact that we have public education and advisory functions, complemented by investigative powers, with the ultimate ability to order compliance through our adjudicative function, gives us a level of authority that can influence the public and the government. Without that complete suite of functions, we would not have that same level of influence.

B.C.'s public sector privacy law has an explicit requirement for public bodies to safeguard personal information. We consider this legislative requirement as being fundamental to a public body's responsibility for the personal information it collects from citizens. Given the negative repercussions that can occur to citizens in the event of a breach of their personal information, it's almost unbelievable that a privacy protection statute would not incorporate this requirement.

Section 30 of our act states:

a public body must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.

Citizens rely on this section and expect that a public body is taking adequate measures to protect their personal information. It's the legislative requirement in most jurisdictions across Canada and internationally. Having this requirement in legislation is important from the perspective of public trust, as a clear and binding requirement on public bodies. It indicates the importance that governments place on this requirement.

While B.C.'s legislation does not explicitly address physical, organizational, and technological measures commensurate with the sensitivity of the data, our office has set out similar expectations in investigation reports and orders. In my view, placing this language explicitly in the legislation would be consistent with international standards regarding the protection of personal information.

Also, we have been clear that, as our province's regulator, we evaluate “reasonable security arrangements” on an objective basis, and that the determination of what is reasonable is contextual. The standard is not one of perfection but varies based on the sensitivity and the amount of personal information in question.

On breach notification, a privacy breach occurs when there is unauthorized access, collection, use, or disclosure of personal information. It is unauthorized if it occurs in contravention of one of our privacy laws. An important element of safeguarding personal information is ensuring that the privacy commissioner and affected individuals are notified when a privacy breach occurs.

Privacy breaches can carry significant costs. They put individuals at risk for identity theft and serious financial or reputational harms. They can also result in a loss of dignity and a loss of confidence in public bodies. We trust public bodies with some of our most sensitive and comprehensive personal information: social security records, tax data, health information, financial information, and the list goes on. We have no choice but to provide that information to the public bodies.

It seems every week that privacy breaches are reported in the media. We hear about laptops and portable storage devices being lost or stolen, human error resulting in disclosure, unauthorized access, or snooping as well as cyber-attacks.

Breach reporting in B.C. is currently voluntary in both the private and public sector. However, my office has recommended that it be made a mandatory requirement, and let me explain why. In British Columbia, we examined the government's privacy breach management process and we published those results in 2015. We learned that nearly 3,000 breaches were reported to government during the period of 2010 to 2013, but only 30 of those had been reported to my office. This told us that, under a voluntary reporting requirement, my office was receiving reports of only about 1% of all the breaches that occur within government ministries. Of those, the majority, 72%, were classified as “administrative errors”. The breakdown of other types of breaches included unauthorized disclosures at 16%, lost or stolen at 4%, unauthorized access at 3%, and cyber-attacks or phishing at less than 1%.

It shows that it's important to set out a clear threshold where notification must occur. We don't want to hear about every breach, but we need to know about the important ones. In B.C., we have recommended that the threshold be where the breach would be reasonably expected to cause harm to an individual, or where the breach involves a large number of individuals.

Mandatory breach reporting to a privacy commissioner also means that the commissioner's office can work with public bodies to learn from their mistakes and implement lasting preventative strategies. Mandatory breach notification also ensures that affected individuals are made aware of breaches without unreasonable delay, so they can take the important steps to protect themselves.

For these reasons, my office has recommended to the legislative committees reviewing B.C.'s privacy statutes that mandatory breach notification be added as a requirement. Both of these committees agreed and recommended in their final reports that the privacy laws for the public and the private sectors be amended to require breach notification to the commissioner and to affected individuals in the event of a privacy breach. The B.C. government has stated that it is committed to addressing mandatory breach notification at the next available legislative opportunity.

The federal Bill S-4 added breach notification requirements to Canada's private sector privacy law, and it is difficult for me to understand why the government would not hold itself to the same standard as it holds the private sector.

That concludes my remarks.

September 29th, 2016 / 11:05 a.m.

Dr. Michael Geist, Canada Research Chair in Internet and E-commerce Law and Professor of Law, University of Ottawa, As an Individual

Thank you.

Good morning, everyone. As you heard, my name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law.

My areas of specialty are digital policy, intellectual property, and privacy. I served for many years on the Privacy Commissioner of Canada's external advisory board, and I have been privileged to appear before many committees on privacy issues, including things such as PIPEDA, Bill S-4, Bill C-13, the Privacy Act, and this committee's earlier review a number of years ago on social media and privacy.

I appear today though, as always, in a personal capacity representing only my own views. As you know, there is a sense of déjà vu when it comes to Privacy Act reviews. We have had many studies and successive federal privacy commissioners who have tried to sound the alarm on legislation that is viewed, as you just heard, as outdated and inadequate. I think that Canadians rightly expect that the privacy rules that govern the collection, use, and disclosure of information by and within the federal government will meet the highest standards, and for decades we have failed to meet that standard.

I would like to quickly touch on some Privacy Act concerns, but with your indulgence I'll talk a bit about some of the other broader privacy law environment issues in Canada that I think are really directly related to the Privacy Act.

First though, on the Privacy Act—and this is going to sound familiar as I have flagged some of the same issues that David did—I think the Privacy Commissioner of Canada has provided this committee with many very good recommendations, and I endorse the submission. As you know, most of those recommendations are not new. Successive commissioners have asked for largely the same changes, and successive governments of all parties have failed to act.

I want to highlight four issues in particular with respect to the current law, and as I say, David has flagged some of them already. The first is education and the ability to respond. The failure to engage in meaningful Privacy Act reform may be attributable, at least in part, to the lack of public awareness of the law and its importance. I think the Privacy Commissioner plays an important role in educating the public, and has done so on PIPEDA and broader privacy issues. The Privacy Act really needs a similar mandate for public education and research. Moreover—and you just heard this—the notion of limited reporting through an annual report, I think, reflects a bygone era. In our current 24-hour, social-media-driven news cycle, restrictions on the ability to disseminate information, particularly information that can touch on the privacy of millions of Canadians, can't be permitted to remain outside of the public eye and left for annual reports when they are tabled. Where the commissioner deems doing so to be in the public interest, the office must surely have the power to disclose in a timely manner.

I also think we need to think about strengthening protections. As you've heard, the Privacy Act falls woefully short of meeting the standards of a modern privacy act. Indeed, at a time when government is expected to be a model, it instead requires far less of itself than it does of the private sector. A key reform, in my view, is the principle of limiting collection, a hallmark of private sector privacy law. The government should similarly be subject to collecting only that information that is strictly necessary for its programs and activities.

I'd also flag, as David did, breach disclosure, which has been commonplace in the private sector privacy world, and it has long been clear that similar disclosure requirements are needed within the Privacy Act. The Treasury Board guidelines are a start, but legal rules, in my view, are essential. In fact, the need for reform is even stronger given the absence of clear security standards within the act. Provisions that establish such standards and mandate disclosure in the event of a breach are crucial to establishing an appropriate level of accountability and ensuring that Canadians can guard against potential identity theft and other harms.

The final issue is privacy impact assessments. As you all know, privacy touches us in many ways, and it similarly is implicated in many pieces of legislation. I recall that during the last session of Parliament, the Privacy Commissioner regularly appeared before committees to provide a privacy perspective on many different pieces of legislation. This approach of coming in after the legislation has been drafted at the committee, I think, runs the risk of rendering privacy as little more than just an afterthought. It's more appropriate to conduct a privacy impact assessment before legislation is tabled, or, at a minimum, at least before it's implemented.

Those are some of the issues on the Privacy Act side, but as I said, I wanted to talk about three bigger picture issues that I think are some of the moving parts in the federal privacy world.

The first has to do with Bill C-51's information-sharing provisions. I realize the government is currently consulting on national security policy, and there's, as you know, a particular emphasis on Bill C-51. From my perspective, one of the biggest problems was the information-sharing provisions. The privacy-related concerns stem from an act within the act in Bill C-51's Security of Canada Information Sharing Act. As you may know, the sharing of information went far beyond information related to terrorist activity.

It permits information sharing across government for an incredibly wide range of purposes, most of which have little to do with terrorism. The previous government tried to justify the provisions on the grounds that Canadians would support sharing of information for national security purposes, but the law now allows sharing for reasons that I think would surprise and disturb many Canadians, given how broadly those provisions can be interpreted.

Further, the scope of sharing is very broad, covering 17 government institutions, many of which are only tangentially related, if at all, to national security. The background paper on the national security consultation raises the issue, but in my view appears to largely defend the status quo, raising only the possibility, it seems to me, of tinkering with some clarifying language. If we don't address the information-sharing issue, I fear that many of the potential Privacy Act improvements will be undermined. I think this requires a wholesale re-examination of information sharing within government and the safeguards that are there to prevent misuse.

Second, I want to talk about transparency and reporting from a slightly different perspective. As many of you may know, in recent years, there have been stunning revelations about requests and disclosure of personal information of millions of Canadians, millions of requests, the majority of which are without court oversight or warrant, which I think points to a real weakness within Canada's privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used.

Recent emphasis has been on private sector transparency reporting. Large Internet companies such as Google and Twitter have released transparency reports, and they have been joined by some of Canada's leading communications companies such as Rogers and Telus. There are still some holdouts, notably Bell, but we have a better picture of requests and disclosures than we did before. However, these reports represent just one side of the picture. Public awareness of requests and disclosures would be far more informed if government also released transparency reports. These need not implicate active investigations, but there is little reason for government to not be subject to the same expectations on transparency as we expect of the private sector. Indeed, the Liberal Party focused on transparency in its election platform. Improvements to access to information are absolutely critical, but transparency is about more than just opening the doors to requests for information. Proactive disclosure of requests for Canadians' information should be part of the same equation.

Third and finally, I want to talk briefly about government-mandated interception capabilities and decryption. The public safety consultation that I referenced, which was launched earlier this month, has been largely characterized as a C-51 consultation, but it's much more. The return of lawful access issues threatens to scrap the 2014 lawful access compromise, and I think raises some really serious privacy concerns.

For instance, the consultation implies that “lack of consistent and reliable technical intercept capability on domestic telecommunication networks” represents a risk to law enforcement investigations. Yet left unsaid is that the prior proposed solutions in the form of government-mandated interception capabilities for telecommunications companies were rejected due to the enormous cost, inconsistent implementation, and likely ineffectiveness of standards that would exempt many smaller providers. Creating government-mandated interception capabilities for all providers represents an enormous privacy risk that I think runs roughshod over both PIPEDA and the Privacy Act.

Further, the consultation places another controversial policy issue on the table, noting that encryption technologies are “vital to cybersecurity, e-commerce, data and intellectual property protection, and the commercial interests of the communications industry”, but lamenting that some of those same technologies can be used by criminals and terrorists.

Given its widespread use and commercial importance, few countries have imposed decryption requirements. This year's controversy involving access to data on an Apple iPhone that was owned by the San Bernardino, California, shooter revived debate over access to encrypted communications. The consultation asks Canadians to comment on circumstances under which law enforcement should be permitted to compel decryption. A move toward compelling decryption, in my view, would place more than just our privacy at risk. It would also place our innovation strategy and personal security in the balance.

In conclusion, fixing the Privacy Act is long overdue. There is little mystery about what needs to be done. Indeed, there have been numerous studies and a steady stream of privacy commissioners who have identified the problems and called for reform. What has been missing is not a lack of information, but rather, with all respect, a lack of political will to hold government to the same standard that it holds others.

I look forward to your questions.

September 29th, 2016 / 11 a.m.

David Fraser, Partner, McInnes Cooper, As an Individual

Thank you very much.

Thank you for the opportunity to speak about this statute, which is one of the most important statutes we have to regulate the interaction between individual citizens and their government.

The Privacy Act was great for the 1980s, but much has changed since then. This committee has heard a lot about changes in technology, but I think one overarching consideration is changes in people's expectations. We have seen developed, in a number of different jurisdictions across Canada, much more modern privacy laws. We have the Personal Information Protection and Electronic Documents Act, which regulates the private sector and is based on fair information practices. I believe this committee has also heard a lot about the new ATIPPA statute in Newfoundland. You had the benefit of speaking to the committee responsible for the report that led to its complete revamp.

One thing worth noting, when you are looking at this statute compared with other more modern privacy statutes, is that consent generally does not work in the government context. Individual citizens don't choose, for example, the government with which they deal, compared with choosing which bank they go to, and things like that.

One thing I want to emphasize, first and foremost, is that I have had the opportunity to review and actually contribute to the Canadian Bar Association's submissions over the years. Although I am speaking in my own capacity, I generally agree with everything that's in there. Also, I am in general agreement with what has been noted and asked for in the Privacy Commissioner's submissions to this committee over the course of a number of years. There are a couple of things I would like to specifically highlight that I think are important to look at.

One is what could be a basic technical fix, which is to remove the requirement that personal information be recorded in order to be subject to the statute. Information that is just stated orally, that is handed over.... The statute can be interpreted such that the disclosure of information orally is not captured within the statute, and that is a significant gap.

I also think that there should be a provision in the statute to clarify that the work product of public servants should not be considered to be personal information of those public servants. This statute should work hand in hand with the Access to Information Act to encourage transparency of government operations. Unwarranted calls for privacy standing up in the face of government transparency are problematic and something that can be quite easily addressed.

The rest of my recommendations or suggestions would probably be lumped in under three different categories: accountability, transparency, and overall making the statute effective.

Under the accountability banner, I would think that we need more clarity, as citizens, about how government manages the personal information of its citizens. We have the personal information banks and info source systems, which I don't think are entirely effective. There needs to be more proactive disclosure to citizens about how their information is used, who is responsible for it, and which government department is using it.

There should also be a necessity test, which is something this committee has heard about, with respect to the collection of personal information. The government institution should collect only information that is necessary for its functioning activities.

I think there should also be an element of personal accountability within the statute, which is missing. Many more modern privacy laws, particularly health privacy laws but also others across the country, have an offence provision that if an individual or even an institution, unlawfully and usually with knowledge, is in violation of the statute, they can be charged under that. We have seen a large number of privacy breaches across the country related to individuals just browsing through large databases for their own entertainment, and charges being brought against those individuals in various provinces. I think that's something that should be introduced into the Privacy Act.

Under the heading of transparency, fair information practices are generally based on notice and consent. As I said, consent isn't something that generally works in the public sector context, but I do think that there needs to be more proactive communication to citizens about what the information is going to be used for in order to justify its collection. Other jurisdictions regularly include privacy notices on the forms that they require citizens to complete, letting them know and setting their expectations with respect to why the information is necessary, how it is going to be used, who is going to be the custodian of that information, and how they can get access to it and have it corrected, if necessary, to exercise their other rights under the statute.

Also in connection with transparency, I think that the Privacy Act should specifically give the commissioner an education mandate, but along with that it should also give the commissioner the ability to publish reports of findings of investigations under the Privacy Act.

Currently the commissioner publishes such findings for private sector investigations, but we need more guidance. Transparency about what the government is doing with respect to personal information would be significantly served if there were such an obligation, or at least the mandate and the ability for the commissioner to report findings. In the annual report that the commissioner issues each year, there are summaries of some notable cases, but I think we would all benefit from understanding what government departments are doing with people's personal information. Having that information out there, particularly if it's found that the government department has not acted properly, would serve a significant education mandate for all government departments, but also for citizens generally.

I do think we need to have breach notification if there's a breach of security safeguards, similar to what was added to PIPEDA in the Digital Privacy Act, an obligation on the part of the government institution to notify both the Privacy Commissioner and notify affected individuals if a proper threshold has been met. I think the one in the Digital Privacy Act is a reasonable one.

Then ultimately, there's making it effective. I'm not a fan of order-making powers. I think the ombuds model works, but I have come around to see the wisdom of the Newfoundland hybrid model, where if a government department is not going to follow a recommendation with respect to any obligation under the Privacy Act—collection, use, disclosure, or other safeguards—the department should have to stand up in front of a court and justify it and explain why it doesn't have to. In effect, that puts the onus on the government department, and we would end up with a body of case law that would be more clear. That could be by an expedited application process, which is already the procedure under PIPEDA, so that these don't turn into significant, huge federal cases.

Those are the highlights of my recommendations for the statute. It is really outdated, really antiquated, and I don't think it accords with the evolved expectations of individuals about how their information is going to be collected, used, and disclosed. We shouldn't tolerate a quasi-constitutional statute that's at least two generations out of date.

Thank you very much.

May 3rd, 2016 / 9:40 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The notice that we currently receive voluntarily, which will be mandatory once Bill S-4 comes into force, comes into our PIPEDA investigation group. There is one person who receives these notices. In the notice from the organization, the company describes certain facts and tries to assess the impact. We review that. We give advice to the company.

When the case is particularly of concern, as we have seen in some cases, we can actually start an investigation, which is in the broader group of investigators within the PIPEDA group.

The vast majority of breaches will lead simply to reading the report given to us by the company in question and giving advice—or not, depending on the situation. In a minority of cases, a full investigation will occur.

May 3rd, 2016 / 9:40 a.m.

Liberal

Raj Saini, Liberal, Kitchener Centre, ON

Now with Bill S-4, you are going to have more reporting, breach reporting, that will come from the private sector.

Just for those of us who are not well-informed of the protocol, just so we understand where the resources should be allocated, can you give us a very brief overview of the way a breach flows through the system once it is reported, so we know what components are involved in assessing that breach?

May 3rd, 2016 / 9:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Sure. I would start with the fact that very few of these cases lead to court action. I'll distinguish between the public and the private sector again.

Under the public sector rules, there is now a directive from the Treasury Board that mandates departments to notify my office and the Treasury Board when there is a significant or material breach in a department. We've not been funded to do that work, so we had to reallocate from other places. Essentially there is one person in the office who deals with these cases.

We receive reports from departments. In the public sector there are roughly 300 of these breach notifications every year. There is one person to review these reports at the office. We look at what the department tells us in terms of the nature and the potential impact of the breach. We give some advice, but with few resources the examination is relatively superficial.

On the private sector side, there is no obligation at this point for companies to notify us. Some companies notify us voluntarily. Under Bill S-4, which was adopted by Parliament last year, when regulations are adopted, there will be a legal obligation for companies to notify us, but again, there will be no funding. We're talking about hundreds of notifications per year given to our office. We have one person on the public sector side and one on the private sector side to look at these. By necessity we review fairly superficially what the departments tell us or what the companies tell us.

To add to this, as you know, there are other statistics out there that suggest there are many more breaches than those our office is actually notified about.

I think the issue of breaches is a significant problem. We do what we can with these two people who are devoted to these analyses. Given the importance of the issue of breaches, it's a concern for me that we have as few resources as we do to devote to these issues.

May 3rd, 2016 / 9:10 a.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

My understanding is that with Bill S-4 you'll be anticipating an increase in the number of investigations relating to the private sector. Is that right?

June 18th, 2015 / 4:20 p.m.

Conservative

The Speaker Conservative Andrew Scheer

I have the honour to inform the House that when the House did attend His Excellency the Governor General in the Senate Chamber, His Excellency was pleased to give, in Her Majesty's name, the royal assent to the following bills:

Bill C-247, An Act to expand the mandate of Service Canada in respect of the death of a Canadian citizen or Canadian resident—Chapter 15.

Bill C-452, An Act to amend the Criminal Code (exploitation and trafficking in persons)—Chapter 16.

Bill C-591, An Act to amend the Canada Pension Plan and the Old Age Security Act (pension and benefits)—Chapter 17.

Bill S-3, An Act to amend the Coastal Fisheries Protection Act—Chapter 18.

Bill S-6, An Act to amend the Yukon Environmental and Socio-economic Assessment Act and the Nunavut Waters and Nunavut Surface Rights Tribunal Act—Chapter 19.

Bill C-51, An Act to enact the Security of Canada Information Sharing Act and the Secure Air Travel Act, to amend the Criminal Code, the Canadian Security Intelligence Service Act and the Immigration and Refugee Protection Act and to make related and consequential amendments to other Acts—Chapter 20.

Bill C-46, An Act to amend the National Energy Board Act and the Canada Oil and Gas Operations Act—Chapter 21.

Bill C-2, An Act to amend the Controlled Drugs and Substances Act—Chapter 22.

Bill C-26, An Act to amend the Criminal Code, the Canada Evidence Act and the Sex Offender Information Registration Act, to enact the High Risk Child Sex Offender Database Act and to make consequential amendments to other Acts—Chapter 23.

Bill C-63, An Act to give effect to the Déline Final Self-Government Agreement and to make consequential and related amendments to other Acts—Chapter 24.

Bill C-66, An Act for granting to Her Majesty certain sums of money for the federal public administration for the financial year ending March 31, 2016—Chapter 25.

Bill C-67, An Act for granting to Her Majesty certain sums of money for the federal public administration for the financial year ending March 31, 2016—Chapter 26.

Bill C-42, An Act to amend the Firearms Act and the Criminal Code and to make a related amendment and a consequential amendment to other Acts—Chapter 27.

Bill C-555, An Act respecting the Marine Mammal Regulations (seal fishery observation licence)—Chapter 28.

Bill S-7, An Act to amend the Immigration and Refugee Protection Act, the Civil Marriage Act and the Criminal Code and to make consequential amendments to other Acts—Chapter 29.

Bill C-12, An Act to amend the Corrections and Conditional Release Act—Chapter 30.

Bill C-52, An Act to amend the Canada Transportation Act and the Railway Safety Act—Chapter 31.

Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act—Chapter 32.

Bill S-2, An Act to amend the Statutory Instruments Act and to make consequential amendments to the Statutory Instruments Regulations—Chapter 33.

Digital Privacy Act (Government Orders)

June 18th, 2015 / 3:05 p.m.

Conservative

The Speaker Conservative Andrew Scheer

Pursuant to an order made on Wednesday, June 17, the House will now proceed to the taking of the deferred recorded division on the amendment of the member for Victoria on the motion at third reading of Bill S-4.

Call in the members.