Bill C-59 (Historical)

I'm sorry. It was Bill C-59...?

Yes. I think that is the case. It's possible that the revisions under Bill C-59 will ever so slightly limit some of those concerns in relation to stricter proportionality requirements around sharing.

Still, once information is shared under that agreement, we don't know how far it can go, and again that brings up the concerns about whether the uses of that information will be limited to what it was collected for.

Yes. My understanding is that under the terms of Bill C-59 it is the national security functions of CBSA that will be brought under the aegis of the new integrated review committee. It's not clear to me whether or not the more specifically customs-related activities of CBSA are covered under that. It's actually a bit unclear the extent to which all the activities of CBSA are covered, because the legislation specifies that it will be their national security activities that are subject to review by that committee.

Thank you to the committee for allowing the Canadian Civil Liberties Association the opportunity to appear before you today and speak on Bill C-21.

I'm going to focus on three topics: first, the need to for appropriate frameworks including explicit privacy protection for information sharing that happens between the CBP and the CBSA; second, the need to ensure that critical details about how the collection of this information will take place receives public attention and parliamentary debate rather than relying excessively on regulations; and third, the need to increase CBSA accountability commensurately with this significant increase in their powers.

The information that Canada will collect and share with the United States after Bill C-21 is passed includes biographical information as well as the date, time, and place of entry or exit for every traveller crossing the Canadian border, including Canadian citizens.

This is information on literally millions of Canadians. StatsCan suggests that in January 2017 alone Canadians made 3.6 million trips to the U.S. It also allows for information about every person who boards a plane, train, bus, or ship—if those conveyances are prescribed, because that prescription is left to regulation—in Canada to be collected and shared.

When the beyond the border agreement was signed, CCLA along with the ACLU in the United States and Privacy International in the U.K. developed and released a series of core legal principles for sharing the U.S.-Canada security perimeter. In respect of information sharing, we recommended that it should be restricted to the particular purpose—not used, disseminated, or stored for secondary uses. It needs to be subject to rules limiting the duration of retention to reasonable periods, and it should be subject to independent oversight review and accountability procedures. In particular, when the laws of the two countries differ, the highest standard that grants the best protections to individuals should prevail.

As an example of the problems introduced by different privacy standards, we're concerned that at the time this bill was originally discussed in 2014 one source suggested that Canada had decided to limit the time they could retain personally identifiable information to 15 years. The U.S. has said they reserve the right to retain it for 75 years or longer. Even 15 years is a long time, and it's worth considering whether or not that's the right time frame. It is highly questionable that Canada could maintain control over the uses of information through a memorandum of agreement with the U.S. for as long as a lifetime .

We believe the responsibility for taking such principles seriously should be explicit in the legislation. In addition to the current amendments to Bill C-21, we would suggest including an amendment to add a preamble similar to that found in the recent national security legislation, Bill C-59, and similar to that found in section 3 of the Immigration and Refugee Protection Act, which is another act that CBSA administers. Both of these pieces of legislation explicitly identify the responsibility of customs enforcement officers to carry out their responsibilities in a manner that safeguards the rights and freedoms of Canadians and that respects the Charter of Rights and Freedoms. One might argue that it's incumbent on them to do so whether or not that clause is inserted in the legislation, but we would argue that there is both practical and symbolic value in including it in the Customs Act at this time.

On a pragmatic level, one way to ensure that privacy protections are in place is to conduct privacy impact assessments. Clearly, for a project of this scope, which is going to collect information on millions of Canadians, these assessments should be undertaken before information is collected under this legislation and ideally in time to inform the regulations. The assessments should be reviewed by the Privacy Commissioner of Canada, and an executive summary should be publicly reported.

We realize that Bill C-21 is enabling legislation and will continue a process that has already begun. In fact, there were privacy impact assessments for the pilot stages of this project before Canadian information was collected, but these assessments need to be updated in light of the expanded collection.

CBSA also committed to conducting an analysis on all uses of personal information by all parties involved in the sharing of biographic entry data, and while that analysis to my knowledge is not publicly available, I would suggest that, as an important precautionary step before expanding the scope, the committee might wish to see if that analysis actually took place, and figure out how it's working now before we expand it.

I'd also just like to flag that in 2015, in his spring report, the Auditor General expressed concerns that the CBSA's project management framework was not conducting risk assessments at appropriate times. That would be another area where the committee might want to make sure the technological infrastructures as well as the policy infrastructures around this information are appropriately secure.

In relation to regulations, clause 2 of Bill C-21 amends the act so that proposed subsection 92(1) will allow the CBSA to collect information from prescribed sources in the prescribed circumstances, within the prescribed time, and in the prescribed manner, and then allow the Governor in Council to make regulations to fill in those blanks. The problem is that leaving so much to be prescribed means a process that is less public, less transparent, and less accountable.

In simpler terms, who we are going to collect the information from, why, when, and how is not clearly specified anywhere in the legislation, but these aren't inconsequential details. Knowing them would allow us to evaluate the nature of the collection process, weigh the potential risks to privacy, and better understand the potential costs of a leak or breach. Knowing the source of information allows us to judge its integrity. Knowing why and how it can be collected allows us to assess the proportionality of the collection in relation to its purpose. Clichés sometimes ring true: the devil is in the details.

While we appreciate the need to keep the legislation technologically neutral and flexible, flexible should not mean completely open-ended, particularly because regulations can be changed quietly, largely out of public view, with a much less democratic process than the one we're engaging in today. What current drafters intend to include in the regulations may not be what subsequent governments would choose.

We are, at this time, witness to a dramatic change in policy direction in one of our neighbours. We should take that lesson to heart. When we're talking about practices that engage charter-protected rights to privacy and mobility, safeguards should be enshrined in law. To this end we recommend the committee consider what aspects of the collection process could and should reasonably be included in the legislation.

Lastly, this bill expands CBSA powers but does not increase accountability. CBSA is still the only federal agency with security and law enforcement powers that doesn't have comprehensive, independent oversight or review of its actions. We argue that it's unwise to continue expanding their powers without increasing that accountability framework.

CBSA will now be allowed to share information for the purposes of enforcing the Employment Insurance Act and the Old Age Security Act. If mistakes are made, that could have highly detrimental effects on individuals. There should be a possibility for individuals to appeal the accuracy of the information to an independent body.

CBSA's role in controlling the exit of goods and people from Canada is expanding. The bill creates a new requirement for people exiting Canada now to answer the questions of a CBSA officer truthfully. Answering falsely is an offence. This is a broad power. There is no question that people should have to respond truthfully to a CBSA officer, but I'm sure we've all seen recent stories about agents on both sides of the border asking questions that people are alleging relate to racial background, religious beliefs, and political opinions. Potentially allowing some form of this intrusive and problematic questioning on exit as well as entry doubles the opportunity for potential abuses of power.

While creating an independent review body for the CBSA is clearly beyond the scope of this bill, allowing a potential escalation of a non-problem while simultaneously failing to provide a recourse to an independent civilian body to receive complaints, review policies or officer conduct, or investigate potential misconduct is simply wrong. Every time the CBSA's powers are increased, the lack of an independent review body to provide additional and necessary safeguards becomes more problematic.

Thank you for the opportunity to provide these comments. I look forward to your questions.