Evidence of meeting #32 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was foreign.
A recording is available from Parliament.
3:55 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
I am trying to find what you are talking about in the ten recommendations the commissioner made, but I do not believe it is included there. Have you seen the Commissioner's ten recommendations?
3:55 p.m.
Director, Canadian Internet Policy and Public Interest Clinic
Yes, I have her report with me. I think there's someone here from the Privacy Commissioner's office who may have extra copies.
As I say, she is recommending as her number two recommendation that section 41 of the Privacy Act be amended to allow the commissioner and Canadians to go to court in order to enforce their rights under the Privacy Act and to give the Federal Court the power to award damages against institutions that fail to comply with the legislation.
3:55 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
The second element you talked about is transborder information-sharing. This is, indeed, the major challenge with regard to reforming this legislation. Everyone would agree on that. Earlier, you stated that you would like to see people receive a notice at home telling them that their personal data has been forwarded to Aeroplan, in New York, for example.
Once you have this knowledge, what more can a citizen do? I agree that citizens should be informed; it is always better to be informed. But afterwards, one has no control whatsoever over this information... Would it not be preferable to ask people if they agree to having their personal information sent to New York?
3:55 p.m.
Director, Canadian Internet Policy and Public Interest Clinic
Absolutely.
The theory in the private sector, at least where there's competition, is that this would create a market for Canadian companies to restrict their data sharing to sharing within Canada, and to advertise that and attract customers that way. Of course, that argument does not apply in the public sector, which is why we need stricter regulation in this area, and possibly blocking--statutes that block the Canadian government institutions from transferring data to foreign entities, at least when it's not adequately protected.
British Columbia has been through this entire exercise. There's no need to repeat it. You can look at the amendments they made to their public sector privacy laws in order to deal with this and find out how those are working.
As with so many issues under the Privacy Act, Treasury Board has adopted a policy. They've educated all the federal government institutions about this issue, they have done a review of all the contracts, they have identified risk areas, and all this kind of thing. Our view is that this is an area in which that policy is not good enough, an area in which we can and should look at legislating further protections for Canadians.
4 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
You are talking about Treasury Board. Have you ever had access to the Coordination of Access to Information Request System? Are you in agreement with the decision...
4 p.m.
Director, Canadian Internet Policy and Public Interest Clinic
Absolutely. We are extremely concerned about the recent actions by this government to block access to the CAIRS database. That is, in our view, a critical component of the current--now we're onto a different topic--access to information.
4 p.m.
Director, Canadian Internet Policy and Public Interest Clinic
I would like to say that this is of great concern.
4 p.m.
Liberal
The Chair Liberal Paul Szabo
Okay, on the access side, but we'll get back to privacy now.
Mr. Masse, please.
4 p.m.
NDP
Brian Masse NDP Windsor West, ON
Thank you, Mr. Chair.
My understanding of the way it works with the United States is that we actually have to have a separate treaty to have that in place for privacy. In fact, the B.C. model doesn't really cover that off. The federal government requires a treaty.
Have you heard of that before? I mean, I've done past work with the Privacy Commissioner on this and raised it. There are certain elements of the Quebec and the B.C. model that are of concern because it's supposed to be a privacy treaty, because no law in Canada can tell the United States what to do.
4 p.m.
Director, Canadian Internet Policy and Public Interest Clinic
That's right.
The Privacy Act issue really comes down, in my view, to a practical concern. When a private entity receives an order from the FBI, they have to figure out whether they need to comply or not and what are the consequences of not complying with that order. The idea is to have greater consequences based on Canadian law for those entities to comply--greater consequences for complying with the FBI order than for not complying with the FBI order. That is what it comes down to. We're talking about the private sector here, and the same applies whether it's private or public sector outsourcing.
4 p.m.
NDP
Brian Masse NDP Windsor West, ON
I'm fairly certain, and I'll double-check on my stuff for Mr. Martin when he comes back, but one of the things that exposed this was.... I did a campaign back in 2003 with regard to the Canada census. That was outsourced to Lockheed Martin, and what came about, because of the Patriot Act, is that all the Canadian information on our census data was vulnerable.
As you know, with the Patriot Act, once it goes over to the United States, where they were going to bring that information for correlation and data summary to package it for us.... It's against the law for Lockheed Martin, if that information is actually accessed, to even disclose that back to Canada. It's against the law for them to tell, even if it's a subsidiary.... For example, CIBC was another campaign I was on. CIBC outsourced its information to an American company; that company cannot even inform CIBC when its data is accessed by the FBI and CIA under that system.
What ended up happening with the Lockheed Martin and Census Canada case is that Census Canada made them undertake certain measures in Canada and keep that information there, costing the government of the day millions of dollars or more, which probably defeated the whole point of outsourcing this in the first place. At any rate, that could be a potential model, to require Canadian companies to abide by privacy information.
Do you have any comments on that? I think that's a model that should be enforced in the private sector here in Canada. Then you would never have the leakage, because we can't control it once it leaves the country unless we actually have an information treaty.
4 p.m.
Director, Canadian Internet Policy and Public Interest Clinic
My understanding is that that was, at least in part, what the B.C. government legislated; that is, the data has to remain in Canada and all the processing has to be done in Canada.
I think Statistics Canada learned a lesson the hard way with the Lockheed Martin outsourcing. To my recollection, the result is that they allowed the foreign company to engage in consulting with respect to the software but not to actually handle the census information.
I agree with you. I think those are ways to deal with the problem.
4:05 p.m.
NDP
Brian Masse NDP Windsor West, ON
I think the problem with the B.C. legislation--and I'm only going by memory on this file for this particular part--was that it applied to government contracts, not for private sector contracts. That's the hole that I think British Columbia still has to fill. That would require a response from the national government, to enforce that type of a model on the private sector.
When you're doing some of your work in the United States, can you describe a little bit more about what kinds of roadblocks you run into? It's a very difficult path to try to uncover in terms of data management over there.
Did you contact any agencies, or did you contact departments? Have you had the opportunity to do that yet? And what was the response?
4:05 p.m.
Director, Canadian Internet Policy and Public Interest Clinic
No, our research actually has been limited to Canada, to trying to understand from the Canadian perspective what the information-sharing mechanisms and avenues currently in place are. I can give you an example.
We've had people complain to us and to the Privacy Commissioner about Canadian e-mail providers outsourcing to American e-mail providers. This was done by canada.com. Under the private sector law, you will recall that organizations, when they outsource, are required to ensure that the data they are outsourcing is subject to a comparable level of protection.
The question is, when you outsource to an American company, is that data still subject to a comparable level of protection, or is it, by virtue of the Patriot Act, automatically given a lower level of protection? The Privacy Commissioner, in a couple of initial findings on this, one in relation to CIBC, found that it was comparable, because of all the information-sharing arrangements in place.
We're not ready to accept that conclusion. We believe there are a number of reasons why it probably is easier for the FBI to access the information when it's in the United States than when it is in Canada and held by Canadian companies. We were trying to do the research to prove our point. We found it extremely difficult to uncover the apparently hundreds of information-sharing agreements and arrangements out there.
4:05 p.m.
NDP
Brian Masse NDP Windsor West, ON
That's interesting. When you look at what is happening over here, incredibly the government is now moving on requiring real estate agents to collect, even from those who are not clients who sign off with them on a housing deal, when they enter into negotiations and do searches and so forth, everything from the social insurance numbers to mortgage information, telephone numbers, and a whole bunch of information. I'm not sure whether you're familiar with this. I can forward it to you. The government is proposing that those real estate agents collect that information and contain it themselves.
I wonder what you think about that element. The association is fighting it. They believe it's going to create an unnecessary amount of work. Second to that, you'll have a whole bunch of real estate agents who have information, which could be used for identity theft, because it is very sensitive personal and financial information and government-numbered information that they use to access a mortgage before they actually make a claim on a house or a piece of property.
This is happening right now. I wonder what you think about that issue.
4:05 p.m.
Director, Canadian Internet Policy and Public Interest Clinic
It is a great example of why privacy impact assessments are so important. I would love to see the privacy impact assessment that was done on that particular government initiative.
It also points out the need for really strong private sector data protection legislation so that those real estate agents have the guidance they need as well as the requirements to ensure that the information is protected.
But I think your point is good. Every time we create another database of sensitive personal information, it is vulnerable to abuse and access. That privacy impact assessment should have done a really thorough job of weighing those risks: the need to collect that information and the benefits of collecting the information against the cost.
4:10 p.m.
Liberal
The Chair Liberal Paul Szabo
I'm sorry, but we have to go on.
I'm sure this is going to come up again, because this happens to be an issue where the money-laundering provisions in the regulations under the Department of Finance and FINTRAC basically supercede the Privacy Act obligation. It's a different situation.
Mr. Van Kesteren, please, you have seven minutes.
4:10 p.m.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
Thank you, Mr. Chair.
Thank you for appearing.
Ms. Lawson, I want to ask you a question with regard to the Internet. I know we've moved on, but I want to digress and follow up on what we had been talking about.
Usually when we change laws or make laws, we do so because there's a problem. We have new legislation or whatever, and we find out that it's infringing or there's some other problem, so we want to change it. We've heard a lot today about especially the sharing of information with foreign countries, especially with the United States, and there's something that I don't quite understand.
Do you have examples of why we need stricter disclosure? The only time I hear about an infringement where somebody's rights are violated is when someone has possibly been a member of an organization that blows up buildings. Why wouldn't a foreign country want to have some type of disclosure?
I hear the other side talking, but we've corrected it. And that was not an example of disclosure, that was an example of abuse of disclosure.
Why are we doing this? Do we have examples of where...? Quite frankly, if the Americans want to know about me, I have nothing to hide. I have no problem at all.
What's the big deal?
4:10 p.m.
Director, Canadian Internet Policy and Public Interest Clinic
A number of Canadians, innocent, ordinary Canadians, have come to me and told me--I've read about many more in the news--that they have been denied the ability to board a plane, that they have encountered pretty extreme harassment and inconvenience in their efforts to move across the border in particular. They've been denied the right to cross the border, even, and enter the United States, or have been taken in and interrogated at length because 20 years ago they were part of some demonstration or engaged in some civil disobedience or something like that.
There are many examples out there, I think, of individuals who have suffered because of foreign state collection of their information and use of it in a way that we would not consider appropriate in Canada. We've been seeing a recent trend toward more of that in the United States.
So that's one concern, just on the law enforcement side. I think there is evidence.
4:10 p.m.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
But isn't it incumbent upon us, if we have a citizen who has broken the law or something, to share that information with another government? Isn't it part of being a good neighbour? Don't they have the right to that information?
We're talking about rights--you've given me some examples, and I think it would be interesting to follow up on those--but isn't there a balance there somewhere?
May 6th, 2008 / 4:10 p.m.
Director, Canadian Internet Policy and Public Interest Clinic
Absolutely, which is why my first point is that we need transparency here. We need to know what's going on.
We have seen examples of where states have gone too far. You don't need to go too far back in history to see pretty extreme examples. I don't think we should be complacent about governments even when they appear to be acting appropriately now. We should have legislated limits on state activities.
When it comes to foreign states, we should be very careful about the extent to which we trust foreign states to handle the information of Canadian citizens appropriately.
4:10 p.m.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
You still haven't answered my question. We've read just recently in the paper about the person who belonged to a terrorist organization. Isn't it incumbent upon us to share that information? You can say you don't trust a certain country, but if the acts of violence and terrorism are going to be played out in that particular country and he or she wants to travel there, don't we have a right to share that information?
4:15 p.m.
Director, Canadian Internet Policy and Public Interest Clinic
I'm not proposing that we get rid of all of these information-sharing arrangements. I believe this is an issue that Mr. Justice O'Connor really thoroughly reviewed in the Arar inquiry. I would just refer you to that report.
I'm not suggesting that we don't share information. First and foremost, I'm suggesting that the Privacy Act right now is inadequate in terms of holding the government to an appropriate level of transparency regarding such agreements.
4:15 p.m.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
Well, I'm glad you brought that up, because I was kind of getting the message that we ought not to share those things.
Anyway, you're here as the director of the Canadian Internet Policy and Public Interest Clinic. I get calls from a policeman who works in child pornography. I want to get your take on this. What about the sharing of information with the police, or access to Internet providers? I want your feeling on that, specifically in an area like child pornography, where the police are handcuffed when they want to investigate and try to break up these rings.
What's your take? How far should we be going?