Information & Ethics Committee on June 14th, 2016

Evidence of meeting #21 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A recording is available from Parliament.

On the agenda

Access to Information Act
Privacy Act

MPs speaking

Blaine Calkins
Nathaniel Erskine-Smith
Pat Kelly
Matthew Dubé
Joël Lightbound
Mark Strahl
Raj Saini
Wayne Long
Francis Scarpaleggia
Michel Picard

Also speaking

Teresa Scassa  Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual
David Lyon  Professor, Queen's University, As an Individual
Lisa Austin  Associate Professor, University of Toronto, Faculty of Law, David Asper Centre for Constitutional Rights, As an Individual

10:30 a.m.

Liberal

Francis Scarpaleggia Liberal Lac-Saint-Louis, QC

I'm just looking for affirmation of whether my understanding is correct.

We have an Access to Information Act, which was probably a very prescriptive thing. The government could only have access to certain information. For tax information, for example, it was social insurance number and address. Then as technology expanded, other information was available—IP addresses, for example. Even technology that already existed all of a sudden became relevant. Hydro meter readings are an example, because of grow ops and so on.

Is my understanding correct that essentially the act is out of date because it doesn't take into account all this new information that is available, and that somehow we have to codify what we should be allowed to collect? In fact, we'll always be a step behind, because the technology will always be expanding. To fill those gaps, we'll have to rely on court decisions until we have enough information to amend the act again to deal with things like metadata and so on. Is that a correct way of looking at the process we're involved in here?

10:30 a.m.

Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual

Teresa Scassa

I would almost say the act is out of date because it's the act. In a sense, in our conversation today we've moved between the private sector legislation, the national security establishment, the charter, and the Privacy Act, and references have been made as well to the fact that this whole paradigm has changed. To address some of these issues in their specific silos—this is a Privacy Act issue, this is a Criminal Code issue, this is a national security issue, this is an access to information issue—may simply be an out-of-date approach overall.

10:30 a.m.

Liberal

Francis Scarpaleggia Liberal Lac-Saint-Louis, QC

We're really trying to pinpoint what should be acceptable and what shouldn't be acceptable, but we can never be up to date on that. Is that correct? Is that a way of looking at it?

10:30 a.m.

Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual

Teresa Scassa

I think that's right. It is constantly changing, but it may just be that the paradigm in which we are structuring these issues also needs to have some reworking and rethinking.

10:30 a.m.

Liberal

Francis Scarpaleggia Liberal Lac-Saint-Louis, QC

The rules that we use to make those decisions can be—

10:30 a.m.

Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual

Teresa Scassa

It's the rules, and it's also the way that we separate issues and say this is this kind of issue, and that's the other kind of issue. The questions of algorithmic governance that Professor Austin has raised also raise really interesting issues about human rights that go beyond just the human right to privacy but also extend into other types of human rights. That's part of the challenge as well.

10:30 a.m.

Liberal

Francis Scarpaleggia Liberal Lac-Saint-Louis, QC

We will always have to rely on jurisprudence, to some extent, to decide what is acceptable and what is not acceptable. The act can never be up to date in that respect. Is that correct?

10:30 a.m.

Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual

Teresa Scassa

I think that's right.

10:30 a.m.

Conservative

The Chair Conservative Blaine Calkins

I'm not quite so pessimistic. We can always write it in a way that allows for dynamic systems.

I know Mr. Long and Mr. Lightbound each have a question. We'll go to Mr. Lightbound first.

10:30 a.m.

Liberal

Joël Lightbound Liberal Louis-Hébert, QC

I'll be very quick, and it's more or less a yes-or-no question. My question is for Mesdames Scassa and Austin.

As far as I know, metadata is not defined anywhere in Canadian legislation. Correct me if I'm wrong, but I don't think it is. Do you think it should be included in our definition of personal information in the Privacy Act, so that it becomes protected, or that there should be something about it in the Privacy Act?

10:30 a.m.

Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual

Teresa Scassa

I was just going to ask what you mean by metadata, so obviously the answer is yes. It's actually quite a broad term.

10:30 a.m.

Liberal

Joël Lightbound Liberal Louis-Hébert, QC

It is. That's true.

10:30 a.m.

Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual

Teresa Scassa

It's basically information about information. In any event, yes, I think probably that would be the case.

10:30 a.m.

Associate Professor, University of Toronto, Faculty of Law, David Asper Centre for Constitutional Rights, As an Individual

Lisa Austin

I think it would be helpful under the definition of personal information, which is broad enough to capture it. It's identifiable information, so in many contexts metadata would definitely fit as identifiable information. It would be helpful to clarify it by saying, “for instance, it includes...”, and when you have the non-exhaustive list, to put that in. It's interpretatively helpful.

The caveat then is how you define metadata. If you used some kind of general thing, such as “this includes information about information”, or something like that....

10:35 a.m.

Liberal

Joël Lightbound Liberal Louis-Hébert, QC

That's all.

Thank you.

10:35 a.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much.

Mr. Long, do you have a quick supplementary question?

10:35 a.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

It's not that quick, so I'll just save it for the future.

10:35 a.m.

Conservative

The Chair Conservative Blaine Calkins

The chair has one quick question for Ms. Scassa.

In your presentation, you talked about indirect collection of data from the private sector by the government, unbeknownst to the rest of us. My personal information, which would normally be governed by PIPEDA in a relationship that I would have with a private sector company, could then, through a relationship that the company has with the government.... Did I hear you right?

10:35 a.m.

Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual

Teresa Scassa

It's just that PIPEDA permits companies, without the knowledge and consent of the individual, to disclose information to investigative bodies, police, law enforcement, national security, or other regulatory bodies upon their request. The company can refuse to do so without a court order, but they can make these voluntary disclosures. That has been a significant issue under PIPEDA, under which information can be voluntarily disclosed, without a warrant, to government actors, essentially.

10:35 a.m.

Conservative

The Chair Conservative Blaine Calkins

Okay.

I have one quick question for you, Ms. Austin. It deals with jurisprudence.

We talked about sovereignty issues as they pertain to data. Mr. Saini actually had a line of questioning on this. The courts decided years ago that any person who enters the territorial confines of Canada is granted all of the privileges and protections that a Canadian citizen is afforded. Has there been any jurisprudence or any test put to whether or not a person's information or their personal data, if it enters the jurisdictional boundaries of Canada, has the personal protections afforded by the Charter of Rights and Freedoms?

10:35 a.m.

Associate Professor, University of Toronto, Faculty of Law, David Asper Centre for Constitutional Rights, As an Individual

Lisa Austin

To my knowledge, that issue hasn't been litigated.

10:35 a.m.

Conservative

The Chair Conservative Blaine Calkins

It hasn't been tested yet.

10:35 a.m.

Associate Professor, University of Toronto, Faculty of Law, David Asper Centre for Constitutional Rights, As an Individual

Lisa Austin

Not to my knowledge; when your body's in one place and your data's in another, you are sort of in an unknown area.

10:35 a.m.

Conservative

The Chair Conservative Blaine Calkins

Okay. Thank you very much.

Mr. Lyon, my question for you comes from the example you gave me, as a former IT professional, when we were talking about information moving from a hub in Canada to a hub in the United States and then back to potentially the same city in Canada. The data packets, which is what I assume you were talking about in a network transfer, would potentially be routed through a jurisdiction outside of Canada in order to get to their destination. That raises some questions.

Would you have any witnesses you could propose to this committee who could speak to the IT components of this issue? That's some fairly technical stuff that we'd have to get right. I would love to have a line of questioning with somebody who could answer some highly technical questions.

10:35 a.m.

Professor, Queen's University, As an Individual

David Lyon

It's tremendously important that you do. The person I'd suggest would be Andrew Clement at the University of Toronto.