Bill C-59 (Historical)

Yes. My understanding is that under the terms of Bill C-59 it is the national security functions of CBSA that will be brought under the aegis of the new integrated review committee. It's not clear to me whether or not the more specifically customs-related activities of CBSA are covered under that. It's actually a bit unclear the extent to which all the activities of CBSA are covered, because the legislation specifies that it will be their national security activities that are subject to review by that committee.

Thank you to the committee for allowing the Canadian Civil Liberties Association the opportunity to appear before you today and speak on Bill C-21.

I'm going to focus on three topics: first, the need to for appropriate frameworks including explicit privacy protection for information sharing that happens between the CBP and the CBSA; second, the need to ensure that critical details about how the collection of this information will take place receives public attention and parliamentary debate rather than relying excessively on regulations; and third, the need to increase CBSA accountability commensurately with this significant increase in their powers.

The information that Canada will collect and share with the United States after Bill C-21 is passed includes biographical information as well as the date, time, and place of entry or exit for every traveller crossing the Canadian border, including Canadian citizens.

This is information on literally millions of Canadians. StatsCan suggests that in January 2017 alone Canadians made 3.6 million trips to the U.S. It also allows for information about every person who boards a plane, train, bus, or ship—if those conveyances are prescribed, because that prescription is left to regulation—in Canada to be collected and shared.

When the beyond the border agreement was signed, CCLA along with the ACLU in the United States and Privacy International in the U.K. developed and released a series of core legal principles for sharing the U.S.-Canada security perimeter. In respect of information sharing, we recommended that it should be restricted to the particular purpose—not used, disseminated, or stored for secondary uses. It needs to be subject to rules limiting the duration of retention to reasonable periods, and it should be subject to independent oversight review and accountability procedures. In particular, when the laws of the two countries differ, the highest standard that grants the best protections to individuals should prevail.

As an example of the problems introduced by different privacy standards, we're concerned that at the time this bill was originally discussed in 2014 one source suggested that Canada had decided to limit the time they could retain personally identifiable information to 15 years. The U.S. has said they reserve the right to retain it for 75 years or longer. Even 15 years is a long time, and it's worth considering whether or not that's the right time frame. It is highly questionable that Canada could maintain control over the uses of information through a memorandum of agreement with the U.S. for as long as a lifetime .

We believe the responsibility for taking such principles seriously should be explicit in the legislation. In addition to the current amendments to Bill C-21, we would suggest including an amendment to add a preamble similar to that found in the recent national security legislation, Bill C-59, and similar to that found in section 3 of the Immigration and Refugee Protection Act, which is another act that CBSA administers. Both of these pieces of legislation explicitly identify the responsibility of customs enforcement officers to carry out their responsibilities in a manner that safeguards the rights and freedoms of Canadians and that respects the Charter of Rights and Freedoms. One might argue that it's incumbent on them to do so whether or not that clause is inserted in the legislation, but we would argue that there is both practical and symbolic value in including it in the Customs Act at this time.

On a pragmatic level, one way to ensure that privacy protections are in place is to conduct privacy impact assessments. Clearly, for a project of this scope, which is going to collect information on millions of Canadians, these assessments should be undertaken before information is collected under this legislation and ideally in time to inform the regulations. The assessments should be reviewed by the Privacy Commissioner of Canada, and an executive summary should be publicly reported.

We realize that Bill C-21 is enabling legislation and will continue a process that has already begun. In fact, there were privacy impact assessments for the pilot stages of this project before Canadian information was collected, but these assessments need to be updated in light of the expanded collection.

CBSA also committed to conducting an analysis on all uses of personal information by all parties involved in the sharing of biographic entry data, and while that analysis to my knowledge is not publicly available, I would suggest that, as an important precautionary step before expanding the scope, the committee might wish to see if that analysis actually took place, and figure out how it's working now before we expand it.

I'd also just like to flag that in 2015, in his spring report, the Auditor General expressed concerns that the CBSA's project management framework was not conducting risk assessments at appropriate times. That would be another area where the committee might want to make sure the technological infrastructures as well as the policy infrastructures around this information are appropriately secure.

In relation to regulations, clause 2 of Bill C-21 amends the act so that proposed subsection 92(1) will allow the CBSA to collect information from prescribed sources in the prescribed circumstances, within the prescribed time, and in the prescribed manner, and then allow the Governor in Council to make regulations to fill in those blanks. The problem is that leaving so much to be prescribed means a process that is less public, less transparent, and less accountable.

In simpler terms, who we are going to collect the information from, why, when, and how is not clearly specified anywhere in the legislation, but these aren't inconsequential details. Knowing them would allow us to evaluate the nature of the collection process, weigh the potential risks to privacy, and better understand the potential costs of a leak or breach. Knowing the source of information allows us to judge its integrity. Knowing why and how it can be collected allows us to assess the proportionality of the collection in relation to its purpose. Clichés sometimes ring true: the devil is in the details.

While we appreciate the need to keep the legislation technologically neutral and flexible, flexible should not mean completely open-ended, particularly because regulations can be changed quietly, largely out of public view, with a much less democratic process than the one we're engaging in today. What current drafters intend to include in the regulations may not be what subsequent governments would choose.

We are, at this time, witness to a dramatic change in policy direction in one of our neighbours. We should take that lesson to heart. When we're talking about practices that engage charter-protected rights to privacy and mobility, safeguards should be enshrined in law. To this end we recommend the committee consider what aspects of the collection process could and should reasonably be included in the legislation.

Lastly, this bill expands CBSA powers but does not increase accountability. CBSA is still the only federal agency with security and law enforcement powers that doesn't have comprehensive, independent oversight or review of its actions. We argue that it's unwise to continue expanding their powers without increasing that accountability framework.

CBSA will now be allowed to share information for the purposes of enforcing the Employment Insurance Act and the Old Age Security Act. If mistakes are made, that could have highly detrimental effects on individuals. There should be a possibility for individuals to appeal the accuracy of the information to an independent body.

CBSA's role in controlling the exit of goods and people from Canada is expanding. The bill creates a new requirement for people exiting Canada now to answer the questions of a CBSA officer truthfully. Answering falsely is an offence. This is a broad power. There is no question that people should have to respond truthfully to a CBSA officer, but I'm sure we've all seen recent stories about agents on both sides of the border asking questions that people are alleging relate to racial background, religious beliefs, and political opinions. Potentially allowing some form of this intrusive and problematic questioning on exit as well as entry doubles the opportunity for potential abuses of power.

While creating an independent review body for the CBSA is clearly beyond the scope of this bill, allowing a potential escalation of a non-problem while simultaneously failing to provide a recourse to an independent civilian body to receive complaints, review policies or officer conduct, or investigate potential misconduct is simply wrong. Every time the CBSA's powers are increased, the lack of an independent review body to provide additional and necessary safeguards becomes more problematic.

Thank you for the opportunity to provide these comments. I look forward to your questions.

I have a couple of recommendations. One is, I'm not speaking to the national strategy but certainly taking that information and bringing it back to policies that exist. I would flag Bill C-59, things that were not touched under Bill C-51, so using that information to inform existing state policy.

Number two is to create a repository of complaints. If complaint mechanisms already exist within departments, I think perhaps there should be an overarching way to collect that information, to gather that information, so we have a sense of the kinds of discrimination that Muslims are facing across the board, so coalescing that in some way.

The last one I would say is to improve oversight. There's a lot of discussion. We can get into this as well. Oversight we know post-Arar is deficient. We need to enhance those methods, but the only way we can do that is to understand the problem.

Thanks very much. Good afternoon.

My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I have appeared many times before this committee on privacy issues, although not always in such a nice room. As always, I appear in a personal capacity representing only my own views.

I'm grateful to the committee for its commitment to privacy and its efforts to highlight the privacy issues associated with our airports and border crossings. The media has regularly covered these issues, as you know. There are fears of device searches at borders, stories of information sharing that goes beyond most reasonable expectations, and mounting concerns about the approach of U.S. law and border officials with respect to the privacy rights of non-citizens and non-permanent residents.

These stories hit home, as we saw just a few minutes ago with Mr. Long in the last panel. Everyone seems to have their own story. Recent incidents include one involving a Quebec resident who didn't want to provide his cellphone password. It was searched at the Canadian border in Halifax. He was ultimately arrested for not giving a passcode when asked. The argument was that he was hindering an investigation. In another incident, a Canadian man was denied entry into the U.S. after customs and border patrol officers demanded that he open his phone and provide access to his apps. There was yet another incident involving a Canadian photojournalist who was inspected on his way to Standing Rock. Officials photocopied pages of his personal journal and asked for three mobile phone passwords, which he said he could not disclose because of his ethical obligation to protect his sources. The phones were taken and returned hours later with tamper tape covering the SIM cards, suggesting the cards had been removed and copied.

The privacy associated with border crossings now seemingly captures everyone's attention. I think it's worth asking why. I think there are at least three sources of concern that help point to potential policy solutions.

First, there is the feeling amongst many that border crossings represent no-privacy zones in which it feels as if officials are entitled to demand whatever information they wish and can use whatever means to acquire it. I know of technical experts who regularly wipe their phones or establish border crossing social media accounts in order to counter fears of invasive searches, both physical and digital, when crossing the border.

Second, as these stories suggest, the search itself—and we've heard about this now from a number of people—has changed dramatically in recent years with the legal safeguards failing to keep pace. It's one thing to know that your belongings may be searched. Yet today, we all know that our devices and the information on them can tell a far more personal story, our social graph, our location history, our reading habits, our contacts, and our purchasing history. In searching this information, officials may literally be accessing just about everything about us. Doing so, potentially without appropriate safeguards, understandably leaves many feeling vulnerable. The data indicates, as we heard on the last panel, that at least in the United States, these forms of searches are increasing rapidly. In fact, in the United States, there have been some policies that have posited that such searches can occur with or without reasonable suspicion.

Third, it may not be comfortable to say, but part of the concern stems from the fact that the U.S. border is by order of magnitude the most significant one for Canadians. This is not solely a comment about the current U.S. administration. Rather, it reflects long-standing concerns about the U.S. approach to privacy and fears that U.S. privacy protections may be weaker than those found in Canada. For example, the enactment of the USA Patriot Act after 9/11 opened the door to extensive access to personal information without traditional safeguards. Over 10 years later, the Snowden revelations reinforced the massive data gathering efforts of signals intelligence and law enforcement agencies. Most recently, the Trump administration's executive order aimed at reversing efforts to establish privacy protections for non-U.S. citizens and residents again placed the issue in the spotlight.

What is there to do about it? I thought the Privacy Commissioner of Canada, who raised issues such as information sharing across borders, the U.S. executive order, and CBSA searches provided excellent context and advice.

I'd like to briefly provide additional comments on four issues.

First, I think this committee and several of these committees have done excellent work on Privacy Act reform. As you know, it has been an issue that has regularly come up before this committee. There are few areas within Canadian privacy that are more overdue for updating. Indeed, there have been consistent and persistent calls for reforms for decades.

One of the methods of addressing some of the airport privacy concerns in Canada may be through the Privacy Act. Your proposed reforms to provide the Office of the Privacy Commissioner of Canada with greater powers would empower that office to examine border issues in a more comprehensive manner and open the door to more careful reviews of cross-border sharing arrangements. You recommended the reforms; now we need action.

Second, information sharing within government—we just heard about it from Mr. Fraser—remains a source of concern. Indeed, some of the most notable anecdotal stories involving abuses or questionable conduct at the border arise due to information sharing between governments or government departments. The Privacy Act and the OPC are supposed to create safeguards against misuse of personal information, or the use of information for purposes for which it was not collected. However, we have witnessed mounting pressure in recent years for more information sharing between governments and government departments.

Bill C-51, which we all know garnered widespread criticism, featured a significant expansion of government sharing of information, undermining, I would argue, the effectiveness of the Privacy Act. Unfortunately, the information-sharing provisions as they were amended in that bill were only modestly changed. Information sharing was considered a feature, not a bug, and I should note that included the Liberal Party when it was in opposition.

Bill C-59, which seeks to amend Bill C-51, leaves many of the information-sharing provisions intact. There are two needs here that must be reconciled. One, I think we all recognize that government needs to be able to use the information it collects in a reasonable and efficient manner. Two, the public needs confidence that its information will not be misused. That confidence comes from legislative safeguards and effective oversight. There is reason to believe we do not yet have the right balance.

Third, as the Privacy Commissioner of Canada has discussed, Canadian law must apply on Canadian soil when it comes to these issues, particularly the charter. Reducing so-called friction at the border is a laudable goal. No traveller wants long lines or lengthy delays, and that of course applies in a commercial context as well. However, expediency has a price, and sacrificing the Canadian Charter of Rights on Canadian soil is, in my view, a bad bargain. The Supreme Court of Canada has upheld unauthorized searches of devices, and those principles should apply on Canadian soil in a like manner at the border.

Fourth, with the NAFTA negotiations ongoing this week in Ottawa, I think it is important to link those trade talks with this issue. While there is no airport privacy chapter in the agreement, at least that I'm aware of, NAFTA touches on many of these related issues. There will be pressure—we know there is pressure—to speed up border crossings in the name of increased trade. Further, the digital trade chapter, formerly the e-commerce chapter, is likely to include provisions on data localization, prohibiting some of the data localization, and restrictions on data transfers. NAFTA, of course, is not a privacy deal, but the reverberations from the agreement will be felt in the privacy world.

The European Union has regularly linked privacy and data protection with trade. We ought to do the same, recognizing that these issues are linked and that the policy recommendations that come out of this committee on this issue need to make their way into the negotiations. In fact, I'd go even further by noting that the U.S. now seeks to accord the Europeans with privacy protections under the privacy shield. Other countries, such as Australia during the TPP negotiations, sought to ensure that Australians enjoyed the same level of protection. Surely, Canada can use the NAFTA discussions to ensure that the same kind of protection afforded to citizens of other countries outside the United States is afforded, as well, to Canadians.

I look forward to your questions.