Information & Ethics Committee on June 14th, 2016

I don't think I know enough about the system specifically to know what kind of access is forecast, but there are technological ways, even within a large shared database, that you can create different levels of access for different persons or parties that have access to that database. I'm not sure if one of the measures that is being contemplated is to create those different levels of access to manage access within the database.

I will go back to some of the earlier remarks I made: you can't think of safeguarding privacy just in terms of the administrative processes for sharing information; you have to look as well at the technical systems that we're building. You have to think about it at that level, so that you know how to build those systems and you can put in the safeguards that you should have a legal obligation to have. It's difficult to bolt them on after the fact. It's possible, but it's usually expensive and difficult.

You think about it up front. When you are building processes, you need to think about privacy up front. You think about compliance with the charter up front, and you build it into the technical apparatus that you construct up front.

That's a great question. I would emphasize the need for safeguards, which is an issue that is coming up in charter jurisprudence. That is partly why we are arguing for an improved accuracy obligation in the Privacy Act itself to set up some obligation to get those assurances.

I think what you need in these alliances and these international contexts is to protect each other's citizens through treaties that agree to extend certain kinds of rights. Then you have audit processes under them, so that people can go and take a look at the information practices. I don't think you can solve that through a privacy act.

That might be the answer. It might be, at least among allies, that you create some international regime for doing that. I know there's a lot of interest in how to deal with the MLAT process in the evolving world.

There are various models. I don't know what the right one is, but it does seem to me that it's some kind of international agreement, or at least super national in some way. In Privacy Act reform, you can tweak it and start getting at some of these obligations and you can create agreement, but you do need something stronger than that.

Do you have a national security or law enforcement regime in mind here? Is that the situation?

This is not an area that I deal with specifically, but it does seem that there needs to be a lot more oversight of the agencies that might be involved in receiving and sharing that information. That seems to me to be a critical issue.

How the actual mechanism would work is not something I'm privy to or know about. It does seem to me, though, that we need a lot more oversight on those agencies that are concerned with law enforcement and security matters, because that's where the issues arise and where things become very murky.

There are things that we have already been talking about.

In a sense, they can be talked about in terms of technological changes and the new kinds of means of finding out about individuals for one purpose or another. There are things I mentioned in terms of the trends toward a greater use of biometrics, and sensors being embedded in buildings, streets, vehicles, and so on. A lot of it sounds like coming to terms with the technological changes that are already occurring. That seems to me to be crucial.

On the other hand, I've been trying to stress the ways in which the very idea of privacy has altered since the 1980s, when the act was originally conceived. It seems to me to be essential that we bear that in mind as well. This comes into, or is completely consistent with, what Lisa Austin is saying about the need for charter compliance here.

It seems to me that the notion of privacy was once conceived in a very atomistic and individual way, and it had to do with very specific harms that could be identified. In today's situation, we have to think about a much broader range of issues that have to do with democratic participation and human rights, so the very notion of privacy, it seems to me, needs to be expanded.

It's both things: it's coming to terms with the real technological changes—and again, big data is a huge issue here—on the one hand, and it's also understanding how the notion of privacy has itself evolved into a much more social and participatory matter than was thought of in the Privacy Act originally.

That's the bottom line. You should never ask academics questions about the bottom line.

The point about increasing the judicial remedies is that one of the big defects in the Privacy Act that the Privacy Commissioner points to is that the provisions around the collection, use, and disclosure are ones that you can't take to court. You don't have recourse there, yet those are increasingly vital in safeguarding information in all sorts of contexts, whether they be administrative, national security, or law enforcement.

It's absolutely vital that we have something there. Is it going to cost more? Probably, but I would say, again, that recourse an important aspect of protecting privacy rights. Without that, you can't make the Privacy Act work in the context that it's being asked to work in.

—what those costs would be. Sorry; I wouldn't know.