Information & Ethics Committee on June 14th, 2016

Yes, that's essentially through information-sharing provisions that are found in both the Criminal Code and in PIPEDA, the private sector data protection legislation, which allows for disclosure. In the Criminal Code, it's disclosure in the context of law enforcement; in PIPEDA, it can be law enforcement, but it can be in relation to an investigation or in relation to the enforcement of any law of Canada or a province, so the range of regulatory purposes is much broader.

That information can be requested from the private sector company and can be provided on request if the private sector company is wiling to disclose that information, or it can be sought through a court order. In either event, the information will be collected by government. That collection is not directly from the individual but from the private sector company. It can be information that is very specific to an individual, but it can also be—and this has been the case now with some court orders—bulk information that is going to be searched or analyzed for patterns.

I think one of the important issues around how we store and protect information is that it also has charter dimensions to it.

The recent jurisprudence in the Supreme Court of Canada has been very strong on the idea that you need safeguards around information. For example, when there's an analysis of the reasonableness of a law in the context of a charter privacy issue, there's an increasing discussion on the question of safeguards, in that if you don't safeguard the information properly, that can be the charter breach.

The gravity of that issue is that it's not some sort of technical, administrative element to the Privacy Act. There are serious charter issues in not safeguarding that information properly that the courts are starting to really pay attention to.

My own view is that we haven't built in enough on the technical side of the review process. We still seem to be thinking about it much along the lines of what David Lyon has been talking about, seeing personal information as if it's discrete information collected in a kind of paper environment that's shared in filing cabinets, but these are information systems. They're technical systems. It's software. It's algorithms. The whole issue of safeguarding has an incredible technical side to it as well. Getting the legal standards right, whether it's in the legislation or in regulations, is important, and getting the oversight right is important, but there's a whole technical side to that too. I think we're not building enough technical expertise into the review process.

As to what that looks like particularly, I don't have an answer for you, but I think we need to really understand the fluidity that David Lyon is talking about. The practical expression is that these are software systems. These are algorithms that we're talking about. These aren't social security numbers in a paper file in a filing cabinet. It's a highly technical environment.

I'd be happy to comment on cross-border data flows.

This doesn't seem like a Privacy Act issue per se, but I do think we should really understand the issue, again from a kind of constitutional perspective. As a Canadian, if you are physically in Canada and you're living here and residing here, but your data goes to the United States, their position is that you are a non-resident alien—we're in Canada, so we're not resident in the United States—so the fourth amendment of the U.S. Constitution, which provides for protection of privacy, does not apply at all.

There's a lot of Canadian jurisprudence that says that once you're dealing with what happens in a foreign state, it's their rules that apply, not ours, so what you do when you put your data in the U.S., is what I call plunking your data into a constitutional black hole. There's no constitutional right there.

What should we be doing? Data localization is one response to that dynamic. I think it's an unrealistic response to think that this is a solution in the long term. Another response, though, given the size of Canada and the size of our economy, is to negotiate a bilateral agreement with allies like the U.S. to say that when Canadian data is in the United States, you protect us to the same extent that you protect your own citizens.

I would actually go further and say you need to protect us according to our own standards in the Canadian charter, because Canadian charter standards of privacy are better in relation to data in most of these contexts than the American constitutional standards. Why? It's because the Americans still buy into what's called the third party doctrine. They say that if you share information with a third party, such as a telecommunications provider, there's no longer a reasonable expectation of privacy. You've given it up in relation to the States.

It's a crazy doctrine. We've never agreed with it in Canada. The Supreme Court of Canada has denounced it for more than 20 years.

It's crucial, I think, that we actually negotiate and say, “If you want access to our data for any kind of law enforcement or for national security, it's the Canadian charter that applies.” That mimics what the MLAT process tries to accomplish in having the constitutional rights of the data bearer apply, and we need to find a way to do that. I think that's the way forward, but I think it's a treaty that needs to be negotiated.

I might add, too, that the question suggested some kind of deliberate transfer of data for the purposes of trade or law enforcement or whatever, but in fact data frequently travels through the States between one Canadian location and another. The routing system can take data into the United States and then return it to Canada. This can be even between two locations in the same city, but it goes through the U.S. In those circumstances, the possibility that the individual's information is subject to American law and therefore doesn't have any kind of protection for the individual is true as well. It happens incidentally as data is routed into the United States.

It's a great question. Concerning the necessity standard, I understand why the section 1 framework is the one being suggested. It's a well-known kind of legal framework for proportionality analysis. In international human rights there's a necessary and proportional test as well, which is a great thing to take a look at.

My only hesitation on the necessity requirement is that the section 1 test, if you start to interpret it through the lens of existing jurisprudence, has largely been developed in the context of social legislation. The courts really focus on minimal impairment, and they don't focus on the kind of broader balancing that you would find, for example, in the traditional section 8 of the charter privacy cases. In those search and seizure cases, the “reasonable expectation of privacy” is understood as a kind of balancing. State interests are already balanced against privacy in that provision. Again, the ”reasonable and probable grounds” test is not a minimal impairment test; there is stronger protection for privacy in that kind of balancing.

My only hesitation is not to think that.... I think the necessity test and the section 1 framework are an improvement over what is in the Privacy Act right now, but I'm hesitant about its becoming a kind of stamp of approval for collections, uses, and disclosures, particularly in the context of starting to get into law enforcement or national security, because there is a more robust view of proportionality, I would argue, in section 8 and section 7 of the charter that is not reflected there. It's as if you're jumping to a section 1 justification when you haven't done the more robust analysis early on. I think that's a problem in those contexts.

The directly related problem with the current standard is that it's too soft and is capable of multiple interpretations. The desire to move to a necessity standard is to try to bring to bear more firmly the concept of data minimization, which is an important data protection principle because it requires a reduction of the amount of information that is collected in the first place. The focus really should be on whether this information is necessary for this program or service. If it's not necessary, then it shouldn't be collected.

Obviously, with any word, there's going to be wiggle room and room for interpretation and room for arguments: “Well, this is actually necessary. because what we're doing requires....” I think this is part of the problem in the big data environment: we start to say that what we're trying to do is collect enough information so that we can do these other analytics or other profiling, which will enable us to do these other things, and therefore it becomes necessary.

I think there are risks with any vocabulary that is used. The goal here is to try to minimize data collection. In combination with other measures being recommended, such as privacy impact assessments and so on, it may be that there are ways in which more supervision can be imposed.

One of the big problems is thinking that with Bill C-51, privacy is going to be protected because the Privacy Act applies. The broad authorization for information sharing in SCISA itself seems to capture a lot of what section 8 does. I don't have the act in front of me, but any analysis of this issue has to start from the proposition that compliance with section 8 does not mean compliance with the charter. All sorts of information sharing could be consistent with those disclosure provisions or the use provisions in section 7 or section 8 of the Privacy Act, as it currently stands, yet still violate the charter.

I'm not sure, as a matter of legislative drafting, if you want to change those provisions or just indicate somewhere that in some circumstances this is going to raise charter issues, because it won't necessarily or in all circumstances. The Privacy Act regulates collection, usage, and disclosure of personal information. Not all of that is going to meet a constitutional threshold for the reasonable expectation of privacy. That's the tricky part. When you're contemplating information sharing, particularly in those contexts where the individual is in that coercive relationship with the state, you have to be incredibly mindful that there are charter issues at stake. How can that be built in?

That's why we were arguing that you need an interpretive principle saying that this was meant to be consistent with the charter and build in charter review. Perhaps something could be written into section 8 that this must also be consistent with the charter. You want to build up expertise somewhere of people who understand what the jurisprudence is saying about uses and disclosures of information. When they trigger charter violations, what does that mean? Do you need prior authorization? Is it an issue of safeguards? What do those safeguards mean? Make sure those information processes are compliant from the start so that some person doesn't luck out and find out about this process and then have to go to court 10 years later. You build in charter compliance from the start.

It's difficult to answer the second part about the possibility of enforcement. As to the actual revelation about the breaches, it seems to me that it is is essential that we, as a public, know what is happening and when privacy breaches have occurred.

These things tend to be displayed under certain circumstances, but they can also be kept under cover. They can be swept under the carpet so that we never know about them. I think it's essential that we know about those breaches and that they be made public and that there be a requirement to make them public.

As to exactly how you would do that, as I say, I would defer to others.

I would emphasize the importance of two levels of breach reporting, similar to what's been done with PIPEDA.

When the PIPEDA amendments come into effect, you're going to have a first level of breach reporting when breaches reach a certain threshold of harm, and that triggers an obligation to notify both the Privacy Commissioner and individuals who may be facing that potential for harm. That's one level, and it's a tremendously important one, because it's not just reporting the breach but also trying to mitigate harm and notify those individuals who may be affected.

The second level that's in PIPEDA, one which I think is quite interesting, is a requirement for organizations to document any breaches whether they reach that threshold or not, meaning things that are essentially breaches even though the information ultimately didn't end up in anyone's hands. I think that kind of record-keeping and reporting to the Privacy Commissioner doesn't necessarily have to be made open to the broader public—that decision would have to be made—but it could be just reporting to the Privacy Commissioner.

I think it's important because this goes to another thing, which is trying to identify those security practices that are weak and need to be improved within. If the Privacy Commissioner has access to this information, it gives a chance to see whether this is a common problem across government that should be addressed or whether it's a particular department that hasn't adequately trained its staff on certain privacy measures. It allows a more proactive approach to try to address security problems that become visible through this level of reporting.

I would encourage having those two levels so that it's not just harm that triggers notification, but that there's another level where any breach should be reported in order to try to diagnose problems and address them before they become more significant.