Bill C-51 (Historical)

Mr. Chair and members of the committee, good morning. My name is Tamir Israel, and I am staff lawyer with CIPPIC, the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa's Centre for Law, Technology and Society and the Faculty of Law. CIPPIC is a public interest legal clinic that works to advance the public interest in policy debates arising at the intersection of law and technology.

I wanted at the outset to thank you for inviting us to testify before you today, as well as for undertaking this important review of the federal Privacy Act, a central component of Canada's privacy, transparency, and accountability framework.

Since the introduction of the Privacy Act in the late 1970s, the policy landscape surrounding data protection has evolved dramatically, driven by tectonic shifts in the technical capability and general practices surrounding the collection and use of personal information. The federal Privacy Act has simply not kept pace with these dramatic changes, a reality that hinders its ability to continue to achieve its objectives, in light of heightened incentives and technical capacities to collect and keep personal information at unprecedented scales. The nature of the objectives incentivizing state data practices has rapidly evolved over the years since the adoption of the act, which initially focused primarily on regulating data practices animated by administrative purposes.

Today's privacy challenges are driven by a far more diverse set of incentives. The era of data-driven decision-making, colloquially referred to as “big data”, increasingly pushes state agencies to cast wide nets in their data collection efforts. Additionally, more often than not, the act is applied in review of activities motivated by law enforcement and security considerations that are far removed from the administrative activities that animated its initial introduction.

Finally, data sharing between domestic and foreign state agencies now occurs on a more informal, and often technologically integrated, basis than could have been envisioned in the late 1970s.

The Privacy Act is in drastic need of modernization, and to that effect, CIPPIC has reviewed and largely endorses the recommendations made by the Office of the Privacy Commissioner of Canada to this committee with respect to changes necessary to ensure today's data protection challenges are met. We will elaborate on a few of these, as well as on some additional recommendations that we have developed in our comments today. In addition, in our written comments, which will eventually make their way to the committee, we provide some legislative language suggestions, which we hope will help guide your review of this act.

The remainder of our opening comments focus primarily on discussing and highlighting specific recommendations designed to enhance proportionality, transparency, and accountability, as well as address shortcomings that have arisen from specific technological developments.

Before turning to these broader themes, however, our first recommendation addresses the Privacy Act's purpose clause, which we believe should be updated to explicitly recognize the objectives of the act: to protect the right to privacy of individuals, and to enhance transparency and accountability in the state's use of personal information. Express recognition of these purposes, as is done in provincial counterparts to the Privacy Act, will assist in properly orienting the legislation around its important quasi-constitutional objectives, and will help to secure its proper and effective application if ambiguities arise in the future, as they surely will.

Necessity and proportionality are animating principles that have become central to data protection regimes around the world, but are absent from the aging Privacy Act. It's important to explicitly recognize these principles in the act, and to adopt additional specific measures that are absent from its current purview, but are nonetheless essential to ensuring private data is collected in a proportionate manner.

As a starting point, first, the Privacy Commissioner's recommendation for explicit recognition of necessity as the standard governing data collection practices should be implemented. Necessity is a formative data protection concept and provides important context for assessing when data should or should not be collected, used, or disclosed. The existing standard, which requires only that data practices relate directly to an operating program or activity, is simply too imprecise in the age of big data, where organizations are increasingly encouraged to collect data that has minimal clear, immediate connection to current objectives.

Second, the Privacy Act imposes no explicit limitations on how long data can be retained once it is legitimately collected. The lack of any explicit obligation to adopt reasonable retention limitations can mean that that data is kept well beyond the point where its utility has expired, exponentially increasing the risk of data breach and of inappropriate uses. The lack of an explicit retention limitation requirement can even lead to the indefinite retention of data that has only a very short window of utility, greatly undermining the proportionality of a particular activity.

As an example, our clinic, along with Citizen Lab at the Munk School of Global Affairs, recently issued a report examining the use of a surveillance tool called a cell site simulator. These devices operate by impersonating cellphone towers in order to induce all mobile devices within range to transmit certain information that is then used to identify or track individuals or devices. The devices operate in a coarse manner. For each individual target the devices are deployed against, the data of hundreds or thousands of individuals within range will be collected. Non-target data collected is only immediately useful for identifying which datasets belong to the individual, the legitimate target of the search, and which do not, an objective that could be accomplished within 24 to 48 hours of collection. However, as the underlying collection of these thousands of non-targeted datasets is legitimate, these datasets might be kept indefinitely. These large datasets can then be reused at any point in the future and, subject to ancillary statutory regimes such as the Security of Canada Information Sharing Act, which was recently adopted via former Bill C-51, can be shared across a wide range of other agencies.

Including an explicit retention limitation provision would not only mandate state agencies to adopt clear retention policies, but would also allow the commissioner to address unreasonable retention in a principled manner. This, in turn, will reduce the risk of data breach and generally increase the proportionality of data collection practices.

Third, we would recommend the adoption of an overarching proportionality obligation that would apply to all collection, retention, use and disclosure of personal information by government agencies into the Privacy Act. This would be comparable to its counterpart that is currently found in subsection 5(3) of PIPEDA. As you have heard from other witnesses, the Privacy Act increasingly provides an important avenue for ensuring charter principles for the protection of fundamental privacy rights are fully realized. An overarching proportionality or reasonableness obligation modelled on subsection 5(3) of PIPEDA would provide an avenue for assessing charter considerations across all data practices. It will also provide the Privacy Act with a measure of flexibility, allowing it to keep pace with technological change by providing a general principle by which unanticipated future developments can be measured.

In addition to these proportionality measures, there are clear gaps in the Privacy Act's current transparency framework and further opportunities to enhance the openness of state practices, which in turn will encourage accountability and public confidence.

At the outset, we encourage the adoption of the Privacy Commissioner's recommendation for a public policy override to the act's confidentiality obligations. This would allow important information regarding anticipated privacy activities to enter the public record in a timely manner.

Second, the Privacy Act should be amended to include statistical reporting obligations attached to various electronic surveillance powers in the Criminal Code. As Mr. Rubin mentioned, statistical reporting obligations were once a hallmark of electronic surveillance regimes and are attached to certain electronic surveillance activities, such as wiretapping, but these activities have largely been superseded by other electronic surveillance activities that have no comparable statistical reporting obligations attached to them.

One investigation conducted by the Privacy Commissioner's office recently found that law enforcement agencies themselves did not have a clear picture of the scope of their own practices in relation to the collection of subscriber information from telecommunication companies. Understanding the nature and scope of state surveillance practices is all the more important in light of the tendency for rapid change in practices in this sphere. Imposing a statistical reporting obligation in the Privacy Act that applies across the spectrum of electronic surveillance powers would therefore provide an important transparency mechanism.

Finally, the adoption of a general obligation on state agencies to explain their data practices would greatly enhance transparency. While the act currently obligates government agencies to explain to individuals the purposes for which their personal information is collected and used, it lacks a general obligation to explain agency practices.

One modelled on PIPEDA's openness principle would be beneficial. If this concept is adopted, it should address the challenges raised by algorithmic non-transparency, which would entail an obligation to explain the logic of any automated decision-making mechanisms adopted by the state.

We have some suggestions on accountability and compliance measures that I will submit in writing and you folks can review at a later time.

I did want to very quickly touch on a couple of recommendations we have that address very specific technological developments that have led to gaps in the Privacy Act.

We would recommend updating the definition of “personal information” so that it is aligned with the comparable definition under PIPEDA. The current definition only applies to personal information that is recorded, whereas many modern data collection and use practices never actively record any personal information, but can still have a very salient privacy impact.

In addition, we would endorse the Privacy Commissioner of Canada's recommendation to adopt an explicit obligation to adopt reasonable technological safeguards, as well as individual breach notification obligations.

Finally, and very briefly, we would also endorse the Privacy Commissioner's recommendation to formalize the privacy impact assessment requirement, as well as recommend an avenue for facilitating public input into the process so that discussions of privacy-invasive programs can occur with public input at the formative stages.

Thank you. Those are my comments for today.

One of the big problems is thinking that with Bill C-51, privacy is going to be protected because the Privacy Act applies. The broad authorization for information sharing in SCISA itself seems to capture a lot of what section 8 does. I don't have the act in front of me, but any analysis of this issue has to start from the proposition that compliance with section 8 does not mean compliance with the charter. All sorts of information sharing could be consistent with those disclosure provisions or the use provisions in section 7 or section 8 of the Privacy Act, as it currently stands, yet still violate the charter.

I'm not sure, as a matter of legislative drafting, if you want to change those provisions or just indicate somewhere that in some circumstances this is going to raise charter issues, because it won't necessarily or in all circumstances. The Privacy Act regulates collection, usage, and disclosure of personal information. Not all of that is going to meet a constitutional threshold for the reasonable expectation of privacy. That's the tricky part. When you're contemplating information sharing, particularly in those contexts where the individual is in that coercive relationship with the state, you have to be incredibly mindful that there are charter issues at stake. How can that be built in?

That's why we were arguing that you need an interpretive principle saying that this was meant to be consistent with the charter and build in charter review. Perhaps something could be written into section 8 that this must also be consistent with the charter. You want to build up expertise somewhere of people who understand what the jurisprudence is saying about uses and disclosures of information. When they trigger charter violations, what does that mean? Do you need prior authorization? Is it an issue of safeguards? What do those safeguards mean? Make sure those information processes are compliant from the start so that some person doesn't luck out and find out about this process and then have to go to court 10 years later. You build in charter compliance from the start.

Thank you.

I thank you for inviting me to appear before you today. I appreciate the opportunity. I have prepared a written submission for your committee. It's currently being translated and will be distributed to you. My comments will be a summary of that submission. I welcome your further questions.

The basic point I want to stress to you today is that Privacy Act reform must take account of the Canadian Charter of Rights and Freedoms and its protections for privacy. We should not think that compliance with the Privacy Act means compliance with the charter, and we should not think that strengthening the Privacy Act's adherence to fair information principles means that it's thereby consistent with the charter's protection for privacy.

It's crucial that we understand this, for we're now in an era when the government collects large amounts of information about individuals and shares this both within government and with other governments, including foreign governments. This is not just for the provision of social services but for law enforcement and national security purposes, as both the prior witnesses stressed as well. Indeed, when the former government introduced Bill C-51 and the new Security of Canada Information Sharing Act, Canadians were told that because the Privacy Act applied and the Privacy Commissioner would provide review, there would be an appropriate balance between protecting the privacy of citizens and ensuring national security. This is an illusion, and it's a dangerous one.

The Privacy Act is quasi-constitutional legislation, that's true. The Supreme Court has said that multiple times. However, it should not be equated with the constitutional protection of privacy rights. The Privacy Act is based on what have come to be known internationally as “fair information principles”. Its basic model is a response to the growth of the administrative state and its accompanying information practices. An individual seeking government services in a social welfare state context has an interest in receiving those services. The administration of those services requires personal information to be collected and processed, so the individual interest in relation to this personal information is not about preventing its collection, use, or disclosure, but in preventing the overcollection of personal information or its subsequent uses or disclosures for different purposes, as well as in ensuring that the information is accurate. The central individual entitlement is to have access to the information the state holds about oneself, and to correct it for inaccuracies. This law was never really meant to apply to the context of law enforcement and national security in any robust way, and many of its exceptions capture those uses.

In contrast, the constitutional protection of privacy in Canada has developed largely in relation to section 8 of the charter, although privacy has also been protected through section 7. Its central paradigm is its search and seizure context, where the state seeks information in relation to law enforcement investigations. Here the individual interest lies completely in opposition to the state interest. It is a coercive relationship. The central individual entitlement is to have state access protected through the warrant requirement and the reasonable and probable grounds standard. These are two different frameworks, but they need to be integrated if we think the Privacy Act has anything to say to the increasing information practices the government employs in the context of law enforcement and national security. Charter review should be built into a strengthened Privacy Act review, particularly in this context.

In light of this, I have four recommendation I want to offer to you. Again, those are outlined in the written submission.

First is an interpretive principle. We recommend that the Privacy Act should include a reference to privacy rights protected by the Canadian Charter of Rights and Freedoms. Put a reference to it in the purpose section to allow for arguments to be made in reference to the Charter of Rights and Freedoms.

Our second recommendation is that government information practices should be reviewed for compliance with charter rights. The necessity standard that the Office of the Privacy Commissioner of Canada is advocating is not adequate. It's better than what we have, and it's good in many contexts, but it's not adequate.

Why do I say that? Charter rights can be at issue with the collection, use, or disclosure of personal information. The charter is engaged when there's a reasonable expectation of privacy; it's not simply when personal information is collected, used, or disclosed, but where there's a reasonable expectation of privacy. The Supreme Court of Canada has repeatedly held that information that has been collected by the state for one purpose can retain a residual reasonable expectation of privacy in relation to other purposes, including disclosure to foreign states.

Engaging in something like a necessity test modelled after the Oakes test for section 1, which is what the Privacy Commissioner advocates, is not going to be adequate in this context. Why? The section 8 reasonable and probable grounds test, which is the basic standard, is not a test that says the state gets access to information if it is necessary for a law enforcement purpose; it's a test that says that “...law enforcement goals hold sway only at the point marked by the probable effectiveness of reaching that goal.” This idea of probable effectiveness is not part of the the section 1 jurisprudence to date.

It's actually quite unclear when a breach of either section 7 or section 8 of the charter can be upheld under section 1 of the charter. That's because there's an internal balancing in section 1 as well as as one in section 7, and courts are loath to uphold them under section 1, so we should not be quick to regularize some kind of section 1 analysis until we actually import the charter privacy protections, particularly in the context of state use of this information for law enforcement and national security purposes.

Therefore, we recommend that the use or disclosure of personal information for law enforcement investigative or national security purposes should be subject to a review that reflects the protection of an individual's charter rights under sections 7 and 8, and not simply be reviewed on a necessity standard.

Our third recommendation is that the Office of the Privacy Commissioner be empowered to undertake charter review of government information practices. Charter review of these information practices should not be a burden placed on ordinary Canadians to both discover information practices that are difficult for them to see and understand—to come to know what those practices are—and to challenge them in court. It should not be a burden on the individuals to initially challenge these things in court in a context where we have an access to justice crisis in this country. Instead, we should build it into the Office of the Privacy Commissioner's function.

However, it's also important that this be reviewed on a standard of correctness in the courts. It should not be built into an administrative process such that the courts are then reviewing charter complaints on a reasonableness standard. It should be correctness.

Therefore, we recommend that the exemptions, particularly those under sections 7 and 8 of the Privacy Act for uses and disclosures of personal information without consent, should be subject to charter review conducted by the Privacy Commissioner, subject to judicial review on a standard of correctness.

Our fourth recommendation is that you strengthen the obligation of accuracy under the Privacy Act.

Inaccurate information can have grave consequences on fundamental rights and freedoms. This is one of the tragic lessons from the Arar commission. Currently the obligation of accuracy is in subsection 6(2) of the act. It applies to uses of personal information, but it should apply to uses and disclosures of information, not just uses. It's currently confined to administrative purposes, and it should be broadened to all the purposes that it's used for.

I think that the act should also be modernized to recognize what academics are increasingly terming “algorithmic responsibility”—that is, the idea that the issue is not just the accuracy of the information that's collected, used, or disclosed, but the accuracy of information processing methods used by the government.

In an era of big data, an era when vast amounts of information are being collected and analyzed in different ways, we need to be concerned about the accuracy of those methods of analysis. We need to be concerned that they're not building in biases, for example, or other forms of inaccuracy. Therefore, we recommend that subsection 6(2) of the act be amended to impose an obligation to ensure the accuracy of any personal information that is used or disclosed by the institution for all purposes. The obligation of accuracy should also apply to methods of information processing.

I'll end my comments there.

Thank you.