Evidence of meeting #38 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Gregory DelBigio  Chair, National Criminal Justice Section, Canadian Bar Association
David Fraser  Treasurer, National Privacy and Access Law Section, Canadian Bar Association

3:55 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Sir, that is absolute nonsense. If we want to argue one way or the other, we have the right to argue. You can't just cut us off like that.

3:55 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

When are we going to deal with this item?

3:55 p.m.

Liberal

The Chair Liberal Paul Szabo

At the next meeting.

3:55 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

Can I ask you to review something before you bring it back to us at the next meeting?

I'd like to know if this motion would be in order if the court case with Elections Canada were to find in favour of the Conservative Party and it is determined that no ethical standards were violated, that we did everything legally, the party did everything legally, the individuals were legal. Would this motion not be out of order if the Elections Canada court case with the Conservative Party of Canada were resolved and the Conservative Party of Canada won that case? Would that not throw this out?

3:55 p.m.

Liberal

Brian Murphy Liberal Moncton—Riverview—Dieppe, NB

On a point of order, Mr. Chair, I don't think you should engage in discussing the ratio decidendi of your decision, and what was obiter and what's real. This isn't Larry King or The Situation Room, where you're asked to decide the fine points of your ruling. Your ruling is your ruling.

What if the moon were made of cheese? Would you change your decision? It's silly. Don't answer it.

3:55 p.m.

Liberal

The Chair Liberal Paul Szabo

Colleagues, I hear you.

3:55 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

You took a long time to explain why you made the decision. I'm asking you for your thought pattern on that.

3:55 p.m.

Liberal

The Chair Liberal Paul Szabo

First of all, the chair is not obligated to explain to you, on your question, or to others. Let me indicate that the motion is asking us to determine whether the actions meet the ethical standards expected of public office holders, but it's not simply that issue. It's whether or not the nature of the item is properly reflected in the Standing Orders and in the code with regard to obligations. This is like an example. It's not the specifics of it, but rather an example of whether there are standards.

In any event, we have witnesses. From the Canadian Bar Association we have Mr. Gregory DelBigio, chair of the national criminal justice section; and Mr. David Fraser, treasurer, national privacy and access law section.

Welcome, gentlemen.

I apologize for the delay. It was important that we get that matter out of the way.

We know we have until 5:30 or maybe a little longer, if the members are into it, to engage you on matters of importance.

As you know, we're dealing with the Privacy Act. It's not necessarily a comprehensive review, but we're certainly focusing ourselves, as you're probably aware, on some of the so-called quick fixes that may allow us to improve the situation to some extent while consideration is being given to a more comprehensive review of the act.

I welcome you. I understand you have a brief opening statement, and I will ask you to start now.

4 p.m.

Gregory DelBigio Chair, National Criminal Justice Section, Canadian Bar Association

Mr. Chair, honourable members, the Canadian Bar Association is pleased to be here today to present our brief on the reform of the Privacy Act.

The CBA is a national association of over 37,000 lawyers, law students, notaries, and legal academics. One aspect of the CBA's mandate is improvement in law and the administration of justice. It's from that perspective that we appear before you today.

My colleague David Fraser is the treasurer of the national privacy and access to information law section of the CBA and a privacy law specialist from Halifax.

I am the chair of the national criminal justice section within CBA and a lawyer in Vancouver.

Mr. Fraser will address the issues of your review that pertain specifically to the Privacy Act. I will focus on the issue of cross-border sharing of information with foreign governments, particularly in relation to law enforcement and security.

Mr. Fraser will begin the opening remarks.

4 p.m.

David Fraser Treasurer, National Privacy and Access Law Section, Canadian Bar Association

Thank you for the opportunity.

We're looking at the Canadian federal Privacy Act, which when it was passed in 1982 was undoubtedly on the cutting edge of privacy legislation. But it's starting to show its age. It was built based on what are referred to as the OECD guidelines, which was a consensus of members of the Organisation for Economic Co-operation and Development with respect to changes in the way that governments collect, use, and disclose personal information.

In 1982 the federal government led the way in Canada. It was one of the first jurisdictions to implement legislation that regulated the information governments could collect, how they could use it, and to whom they could disclose it. Since then, every single province and territory in Canada has followed by implementing privacy legislation, often in combination with access-to-information legislation.

This committee has been tasked with taking a look at the Personal Information Protection and Electronic Documents Act. We've recently seen privacy laws extended to the private sector in Canada, so that now, a number of years later, we have comprehensive privacy protection from coast to coast to coast, covering both the private sector and the public sector.

Since 1982 a lot of water has passed under this bridge. We have a lot of experience in dealing with privacy legislation. We've seen it implemented in a number of different jurisdictions, and we know how it works. It's not implemented everywhere in exactly the same way, and we have had the opportunity of seeing how it works in certain implementations.

We are also living in a different world from that of 1982. Probably the paramount difference has to do with technological change. This growth in technology wasn't even foreseen in 1982. It certainly wasn't in place. We now have issues related to data matching, biometrics, genetic information, the decoding of the human genome, portable electronics, surveillance, video surveillance, GPS, and so on.

We've also seen a significant change in the environment within the public sector as information is collected, used, and disclosed. We see more joint delivery of programs by the federal and provincial governments. We also have a significantly different security environment from what we had in 1982, in the post-September 11 world.

Since 1982 we've also seen an enormous consultation among a wide range of stakeholders, primarily in the private sector. It arrived at the remarkable consensus embodied in the Canadian Standards Association's model code for the protection of personal information, which is the nucleus of PIPEDA, a piece of legislation that this committee has recently spent a lot of time looking at.

Also, there's a significant increase in concern on the part of citizens with respect to how information is collected, used, and disclosed. This is not limited to the public sector or the private sector. One cannot ignore the breaches of security related to personal information that are coming out of the private sector. But since the passage of the Privacy Act in 1982, we're also seeing significant breaches in the public sector. One hears stories of stolen servers from government departments, misdirected mail, missing tapes and backup CDs.

We're now living in the age of identity theft, and it's a significantly changed environment. In the same year that the Privacy Act became law, we also saw the Canadian Charter of Rights and Freedoms come into effect, which has changed the expectations of citizens with respect to their own personal information, their intimate details.

In our consultations with the members of the Canadian Bar Association, we have seen the growth of a consensus that in many cases guidelines—and many of the points we address are the subject of guidelines—are not enough. They may be helpful interim measures, but they're very often ignored, very easily overlooked, and don't provide sufficient accountability when it comes to the potential misuse of personal information. Legislation and therefore amendments to the Privacy Act are the only way to make sure that this happens.

Accountability is the touchstone of two of our recommendations, in concurrence with the Office of the Privacy Commissioner of Canada, which would be to extend Federal Court oversight with respect to privacy, and enshrine the necessity of having privacy impact assessments in legislation. Doing so ultimately leads to accountability to court and also goes hand in hand with the recommendation, which we're happy to speak to in greater detail later, with respect to the ability of the Privacy Commissioner to make public interest disclosures that are in addition to the Privacy Commissioner's obligations in reporting to Parliament on an annual basis.

Some of these measures relate directly to the significantly different criminal climate, in a sense. We're now informed that identity theft is one of the fastest growing crimes in the world, if not Canada. The Government of Canada, with its many departments and crown corporations, is the repository of significant databases with what's often referred to as “foundation information for identity theft”: full names, dates of birth, social insurance numbers, and information like that, which if disclosed and misused can lead to identity theft. There are any number of government databases that contain that information.

Currently there's no statutory requirement that government safeguard that information, and there's currently no obligation that government notify affected individuals if their information is lost or disclosed. And it's not just a matter of individuals wanting to know what's happening with their information, which may in fact be their right or should be their right, but it's a matter of giving individuals the opportunity to take steps to mitigate any harm that might happen with respect to the misuse of that personal information.

An important additional maxim that's been developed with respect to best practices for the collection, use, and disclosure of personal information since 1982 is something called the “necessity test”. Simply put, it's to collect only that information that is reasonably necessary, which safeguards against the natural tendency, or what appears to be a natural tendency, to collect more information than is required, which then of course requires that it be safeguarded. And if it's collected and is not necessary, it increases the likelihood that information can be misused.

We also talk briefly on the topic of data matching in our submissions, which ultimately probably does amount to, at least constructively, an additional collection of information, more than was necessary, and certainly an additional use of that personal information.

There are some other matters that are probably not as controversial but that we think are important as well.

There is a distinction between recorded and unrecorded information. There doesn't seem to be a rational reason to make that distinction. More recent privacy laws in Canada, provincial and federal, don't make that distinction. We don't think that the transient images and transient information, for example live video feeds and things like that, should necessarily be excluded from the ambit of the Privacy Act.

We do agree that five-year reviews should be necessary, and that the Privacy Commissioner should also have a public education mandate, and ultimately, in order to try to increase the efficiency of the Office of the Privacy Commissioner of Canada, discretion to refuse to investigate or to produce reports on complaints or inquiries that might be simply mischievous or vexatious or frivolous.

In the end, we do believe that ultimately the Privacy Act is due for significant reform and significant overhaul. At the Canadian Bar Association's annual meeting a couple of years ago, the national sections council did endorse a motion, which passed without dissent, calling for a complete review of the Privacy Act. But since we're at this stage, we're only given the opportunity to comment on incremental improvements. We couldn't sit idly by and do that.

With respect to our final issue, I'm going to pass it back to Greg just to touch on the cross-border information-sharing issue.

4:10 p.m.

Chair, National Criminal Justice Section, Canadian Bar Association

Gregory DelBigio

Mr. Chair, the Arar commission report illustrated the risks and complexities associated with intelligence-gathering by law enforcement agencies, the sharing of data between different agencies within Canada and abroad, and the great harm that can arise when the system fails. What is now referred to as intelligence-led policing has a potential to result in a vast amount of information being collected, not all of which is verified or even verifiable as to its accuracy.

It is our position that the existing statutory framework lacks a mechanism for effective and ongoing oversight by the Canadian government and its institutions in relation to transborder data-sharing. The existing statutory framework also does not provide an adequate mechanism for assuring compliance and accountability.

In our view, effective ongoing oversight should be mandatory, given the enormous trust that is placed in and the power that is accorded to government and its institutions in relation to law enforcement and data-sharing.

The reasons for this oversight include the following: that an individual will have no opportunity to know when a law enforcement agency has collected data about the individual; if the data has been collected, the individual will have no opportunity to learn what the data is or whether it's accurate; an individual will have no opportunity to know if data has been shared with a foreign government or institution, and if so, what foreign government or institution the data's been shared with; an individual will have no opportunity to know the uses for which the data will be used by a foreign government or institution; an individual will have no opportunity to know if the foreign government or institution will have shared the data with other governments or institutions; an individual will have no way of knowing whether the foreign government or institution that has received data will comply with any terms or arrangement under which the data was transferred by the Government of Canada; and the data may be used by a foreign government or institution in a manner or for a purpose that significantly jeopardizes the individual, the individual's family, or friends.

Further, even if an individual knows that a foreign government or institution has breached the terms of an arrangement under which the data was shared—and it is virtually impossible to know whether that is so—the individual is left with basically no recourse or remedy.

It's for that reason that the CBA has recommended what is set out on pages 18 and 19 of our brief, and in particular that:

arrangements for disclosing personal information to a foreign government be written, formal, detailed, and public; arrangements with foreign governments or institutions that do not respect the fundamental principles of democracy, human rights, and the rule of law be very carefully considered; and a full record be made of all personal information disclosed...and the arrangement under which it is disclosed and the purposes....

In summary, it is our position that the present scheme lacks a sufficient or effective mechanism for accountability. We fully recognize—and I understand that Chief Superintendent Paulson has testified before this committee—the needs of law enforcement, the complexities of an effective law enforcement. But we urge, despite those needs and complexities, that the rule of law be maintained and upheld, and that is done through an effective mechanism of accountability.

Thank you.

4:10 p.m.

Liberal

The Chair Liberal Paul Szabo

Thank you very much, gentlemen.

We have a number of members who would like to engage you in some questions.

We're going to begin with Mr. Murphy, Madame Lavallée, Mr. Martin, and Mr. Hiebert.

4:10 p.m.

Liberal

Brian Murphy Liberal Moncton—Riverview—Dieppe, NB

I want to thank you for being here today.

I'm a refugee from another committee that isn't actually sitting these days, the justice committee, but I'm happy to be here. Forgive me if I'm not as au courant with everything that's going on that this committee obviously has studied over the last year or so.

If I can take you to your brief, pages 9 and 10, with respect to notification of security breaches, David, I just want to get this straight. I think the gist of the third paragraph on page 9 is that there are now no legislated guidelines for notification. In the last paragraph, you say, or at least I'll say, it's too bad the commissioner did not recommend or have an explicit recommendation for a parallel statutory breach notification, mimicking a bit what PIPEDA had done.

The OPC's response, at the top of page 11, is that “It is the view of the OPC that these requirements should be incorporated into the act itself”—that is, the Treasury Board guidelines.

Do I understand that the OPC has said the Treasury Board guidelines should be incorporated into the act, but you would like to suggest that the considerations that are in PIPEDA for notification also be made part of the act, and it's unfortunate that the OPC did not specifically say that?

Is that clear?

4:15 p.m.

Treasurer, National Privacy and Access Law Section, Canadian Bar Association

David Fraser

I think there may be a little bit of confusion, because we have PIPEDA, the private sector legislation, which has been in force and was just subject to its five-year review. When it was passed, PIPEDA didn't have a breach notification requirement explicitly stated in it, but among the recommendations put towards this committee was that a balanced regime of breach notification be implemented and be amended into PIPEDA.

There is currently an Industry Canada consultation going on to determine the exact parameters of that and exactly how a balanced approach would be implemented in PIPEDA.

The Privacy Act passed in 1982 does not have any sort of breach notification. The Treasury Board, obviously to their credit, has implemented policies, procedures, and guidelines to deal with security of information, including breaches related to that information.

The Canadian Bar Association is advocating on both sides—within PIPEDA, the private sector legislation, and in the Privacy Act, the public sector legislation—that there be breach notification guidelines. We have not taken a specific position on the specifics of them in terms of what information would have to be disclosed in order for the individual to be notified, because it is a matter of balance. You don't want people to be bombarded by notifications about trivial breaches, but you do want to make sure that individuals whose information is compromised in a way that could actually have a significant impact on them are notified. So we're advocating in both pieces of legislation that there should be balanced notification.

4:15 p.m.

Liberal

Brian Murphy Liberal Moncton—Riverview—Dieppe, NB

Since you brought it up, what's a trivial breach?

I know there are a couple of highly publicized and sometimes inadvertent breaches with respect to health records. I can think of my own province of New Brunswick; it happened. Or passport information. I think we are on common ground that those are not trivial.

4:15 p.m.

Treasurer, National Privacy and Access Law Section, Canadian Bar Association

David Fraser

We don't specifically say within the brief, so I'm kind of moving into my own views on this, but yes, I would say those are not trivial.

4:15 p.m.

Liberal

Brian Murphy Liberal Moncton—Riverview—Dieppe, NB

Let's not get into what trivial is, but on those we can agree that there should be some legislative requirement to notify someone that their privacy has been breached. We're on common ground here with that.

4:15 p.m.

Treasurer, National Privacy and Access Law Section, Canadian Bar Association

David Fraser

Sure, and it does—

4:15 p.m.

Liberal

Brian Murphy Liberal Moncton—Riverview—Dieppe, NB

I'm trying to figure out what is the higher standard. Is it the Treasury Board guidelines as they exist under the Privacy Act? They're not law, but they're guidelines if they're followed. They're moral law, if you like. Or is it the discussion that's surrounding what there will be for PIPEDA?

4:15 p.m.

Treasurer, National Privacy and Access Law Section, Canadian Bar Association

David Fraser

It's our view that the government should be controlled with respect to the security safeguards and notification rules to standards at least as strong as will be in the private sector.

It's an important maxim—at least in the more modern principles of personal information protection—that information needs to be treated according to its sensitivity, and some information is more sensitive than other information. The information on your tax return or my tax return would be considered to be more sensitive than the information that's on my annual pass to a national park. So one needs to take into account the sensitivity of the information in order to determine what measures and safeguards need to be implemented, and at the same time take that information into account as to whether one needs to notify.

4:20 p.m.

Liberal

Brian Murphy Liberal Moncton—Riverview—Dieppe, NB

I can think of one set of hearings we had in which the tax information of a particular witness was very much at issue, and we were unable to discuss the sensitivity of it in any detail—but that may come another day.

Finally—this is more philosophical, and I can see it going both ways and want your brief opinion on it—for government to work, there has to be some disclosure of personal information. I can think of no instance where, in the private sector, they have to have information. If you want the privilege of getting a loan, you have to give information; that's fine, but I can think of no forced reason for it. Government is a little different.

On the other hand, our government is in a fiduciary relationship with us, so the care must be higher. Given that the government has to have some information but the relationship is much more a fiduciary one, I wonder whether the balance is that it should be the same standard as for the private sector, as is contemplated in PIPEDA, or do you think it should be held to a higher standard of notification?

4:20 p.m.

Treasurer, National Privacy and Access Law Section, Canadian Bar Association

David Fraser

On the philosophy or the difference, you've really hit the nail on the head with respect to the principal differences between the private sector legislation, where it concerns a consensual relationship, and the public sector legislation. When you're dealing with a bank or dealing with your local video store, you have the opportunity to go elsewhere, so consent is really the bedrock of it. It's about informed consent, and that links to principle two and principle three within PIPEDA.

A citizen does not have a voluntary relationship with the government. Perhaps when it comes to certain services and whether the individual chooses to take advantage of those particular services, there is a bit of the voluntary, but a citizen's relationship with Revenue Canada, the employment insurance commission, or other departments is not voluntary whatsoever. The individual has an obligation. One can't necessarily ask for consent.

4:20 p.m.

Liberal

Brian Murphy Liberal Moncton—Riverview—Dieppe, NB

Just in hindsight, do you think there should be different centres within government?

4:20 p.m.

Liberal

The Chair Liberal Paul Szabo

I'm sorry, Mr. Murphy. I really have to manage the clock here to be fair to all.

Madame Lavallée, go ahead, please.

June 3rd, 2008 / 4:20 p.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Thank you very much, Mr. Chairman.

I want to come back to the recommendations as a whole. If I understand correctly, you took the commissioner's recommendations and commented on them. If I understand correctly, you agree with the ten recommendations, but you have added another one, which deals with notification.

Have you added any others?