Evidence of meeting #21 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.
A recording is available from Parliament.
June 14th, 2016 / 10:15 a.m.
Liberal
Wayne Long Liberal Saint John—Rothesay, NB
Thank you, Chair.
Thank you to our guest witnesses this morning.
I want to start with Ms. Scassa. You were involved, obviously, in the Supreme Court ruling in Ontario. I think it was in January.
10:15 a.m.
Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual
Do you mean the one related to the tower dump?
10:15 a.m.
Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual
Well, I've written about it.
10:15 a.m.
Liberal
Wayne Long Liberal Saint John—Rothesay, NB
I'll read that comment in a sec.
I'll state this for the committee. I think there's always a balance—and we've talked about this for many months—between liberty and security. Liberty comes with a cost, but it should never be forfeited for security without extreme reasons.
Your quote in an article I read last night basically said that the judge makes it clear that the information that is sought by police should be really limited to the purposes of the investigation. It should not be a fishing expedition.
Recognizing that there's obviously a balance between what the police need to know and a person's privacy, could you elaborate on that case and what happened there in the background?
10:15 a.m.
Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual
This was an interesting case. It came to court because the telecommunications companies involved brought a charter application to court, not because the accused individuals raised charter issues with respect to their rights.
Essentially the police were investigating a jewellery store robbery. They were looking for suspects. They suspected that a cellphone had been used in the commission of the crime, so they sought tower dump warrants, essentially a dump of data from nearby cellphone towers. Rogers and Telus, between them, said this would mean handing over the records of 43,000 individuals who had used their phones within that window of time the police provided, but in addition to that, they sought a great deal more information.
10:15 a.m.
Liberal
Wayne Long Liberal Saint John—Rothesay, NB
For a novice like me, when you say a dump of data, is that basically every bit of information that the cellphone tower picked up through people's phones?
10:15 a.m.
Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual
Well, it was more than that. They wanted to know every cellphone transmission that had gone through the tower. In addition, they wanted the subscriber information linked to those cellphone numbers from the companies, they wanted credit card and billing information, and they wanted to know who those 43,000 people who had just been in that part of the city people were calling,.
After Rogers and Telus pushed back, the police narrowed the scope of their warrants, saying, “Never mind. This is all we want. Now don't take us to court.” They tried actually to get the case thrown out on the basis that they had narrowed the scope of their warrants and therefore the charter issues weren't raised. The court decided to hear it anyway.
It's a very strong decision. In it the court is basically saying that we need guidelines for judges who are issuing these types of orders. The police need to be very careful about what they're searching for. We shouldn't be allowing fishing expeditions. The information sought went way beyond what was required. There should be a different approach to it.
The other thing that the judge said at the end of his decision, about an issue that had been raised by Telus and Rogers, was that once all of this information is in the hands of police after these search warrants are issued and the police collect the information, there are no rules in the Criminal Code, PIPEDA, or any statute as to what happens to that information. Is it kept forever? Is it used for other purposes? Is it just stored in a database somewhere, where there might be a data breach of credit card information and other data?
The judge said this is not for us; this is for Parliament to deal with. The court can't create guidelines around that.
This is an issue if police are going to be collecting huge volumes of information. What happens to it and what are the guidelines around disposal of that information once the purpose for its collection disappears?
10:15 a.m.
Liberal
Wayne Long Liberal Saint John—Rothesay, NB
Ms. Austin, Mr. Lyon, or Ms. Scassa, you can all comment on this question if you want.
Commissioner Therrien recently was critical of calls by RCMP Commissioner Bob Paulson and the Canadian Association of Chiefs of Police for, basically, a new law that would expand the right for police to have warrantless access.
Mr. Lyon, can you give me some comments on what you think about that?
10:20 a.m.
Professor, Queen's University, As an Individual
There has been a requirement for warrants for many years, and this requirement has been seen as essential to maintaining the integrity of the individual's privacy.
It seems to me that gaining access without a warrant to people's personal information in the pursuit of law enforcement or for any other purpose is simply unacceptable. It's something that needs to be written into our legal system. We need to know that there is a clear warrant for every access to personal information.
10:20 a.m.
Conservative
The Chair Conservative Blaine Calkins
That takes us up to the five minutes.
We're going to have a little bit of time at the end of the meeting if anybody still has a question. I know Mr. Lightbound had a question he wanted to put.
In order to finish off, we have Mr. Dubé for three minutes.
10:20 a.m.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
Thank you, Mr. Chair.
I would like to go back to the way in which offenders are punished. When I look at the recommendations, unless I am mistaken, I see only one that really deals with the kinds of possible consequences in cases of breach of privacy. It reads: “Expand judicial recourse and remedies under section 41 of the Act.”
Transparency is also mentioned a lot. It is essential, no question. It is about making it mandatory for privacy breaches to be declared and to educate the public. All those things are essential, no argument from me.
In your opinion, what should be the consequences for the offenders, if I may put it that way? We are talking about telecommunications companies, even governments or police forces on occasion. Canadians can actually be as equipped and informed as you like, but if those people are in no real danger of facing any consequences, the act is somewhat lacking in teeth.
10:20 a.m.
Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual
That's a complex challenge. Right now there are class action lawsuits already under way against the federal government for negligent handling of personal information, for data breaches. Civil recourse and class action lawsuits are going to become more common, so that is one way in which people can have their day in court.
Professor Austin has talked about charter recourse, and there is charter recourse that's available. In some cases it can be brought by the affected individuals. We were just speaking about a case in which it was brought by telecommunications companies that felt that too much data was being sought from them, and that is not the only case in which companies have pushed back. There are these other recourses that are outside the Privacy Act.
In terms of the Privacy Act itself, one concern is exposing the government to liability. If you create obligations or standards that are set in very strong terms in the legislation, that may increase the risk of liability for the government.
In part, the model has also been one of attempting to improve compliance and improve practices within government around personal information. On one level, that's been the ombudsman model. Now the commissioner is seeking additional recourse, an additional means for citizens to insist on compliance with their rights.
Whether that involves just getting a court order for recommendations to be enforced and practices to be changed or whether that also includes a right in damages is not entirely clear, because you can have a recourse to have a court order, a change in practice, without having recourse to get damages. Whether it's required is something to consider.
10:20 a.m.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
Allow me to focus your answer, because I do not have much time.
With the government, I understand. However, with telecommunications companies and banks, for example, there is less need to be concerned, because they have to comply with the law 100%. With the government, I can see that a slight twist is needed.
10:20 a.m.
Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual
Banks and telecommunications companies are subject to the Act respecting the protection of personal information in the private sector. In those circumstances, I believe that there is a way to improve recourse under that act.
Ms. Austin raised one of the problems: the burden that the individual must bear. The cost of going to court is very high, of course. We see very few people going to federal court to try and obtain damages under the Act respecting the protection of personal information in the private sector. I even believe that people are representing themselves in court, because having the services of a lawyer is too expensive. That is another problem.
10:25 a.m.
Conservative
The Chair Conservative Blaine Calkins
Perhaps this would be a conversation if we had a review of the PIPEDA legislation, but I appreciate the sentiment.
Colleagues, I always like to make sure that every member of Parliament at the table has an opportunity to ask questions. There are two members of Parliament here who have not been able yet to engage in the conversation.
Mr. Scarpaleggia or Mr. Picard, did you have a question?
10:25 a.m.
Liberal
Michel Picard Liberal Montarville, QC
Thank you, Mr. Chair.
My thanks to the witnesses.
I am going to submit this to you and I would like your comments. I will limit myself to one question.
Information in general is evolving. The quality of the information gathered changes according to the context in which it is received and used. Very often, the content itself is not really important, with exceptions like the social insurance number, of course.
If I give my name and my date of birth, for example, I open myself to some vulnerability in some areas. At the same time, if I subscribe to a birthday club so that I get a letter each year, I must also provide my name and my date of birth. So I have just made public information that could have been dangerous to reveal in another context.
Given the development that Mr. Lyon talked about, who is going to decide the circumstances in which too much information is being gathered?
10:25 a.m.
Professor, Queen's University, As an Individual
It really depends on what other uses are made of that information.
The question about big data has already been raised several times, and that seems to me to be crucial here, because there are many bits of information about us that are far more trivial than our birthdates, and they can be used, once they are concatenated with other data, to create a profile of us so that we end up with profiles that exist within both corporations and law enforcement and national security agencies that are fictions, in a sense, because they are a creation from tiny fragments of data collected from all over.
That, it seems to me, is an issue we really have to address within any attempt to revise these laws.
10:25 a.m.
Liberal
Michel Picard Liberal Montarville, QC
I totally agree on the usage issue.
Ms. Austin, you mentioned something about limiting agencies to collecting information that corresponds to their specific needs, no more and no less. With the evolution of information, how do I evaluate what seems to be within my mandate?
10:25 a.m.
Associate Professor, University of Toronto, Faculty of Law, David Asper Centre for Constitutional Rights, As an Individual
Do you mean in terms of questions of data minimization?
10:25 a.m.
Liberal
Michel Picard Liberal Montarville, QC
I come from the intelligence community, and the fun of analyzing intelligence is not to get it but to put it into context.
All of a sudden, I may start to look at people who don't have any hair, for no reason. It doesn't mean anything. Why should I know that? I don't know. Maybe in another context I will link that with something else, and oh, that's interesting. I have a profile of an individual who fits this image. All of a sudden, the no-hair issue becomes a very hot issue, and it may exceed, at some point, the mandate I have in my agency.
Who is the judge of evaluating where I stop gathering information, or whether I should stop?
10:25 a.m.
Associate Professor, University of Toronto, Faculty of Law, David Asper Centre for Constitutional Rights, As an Individual
That is a great question. I guess I would just add one additional way to think about it.
There is the upfront way of thinking about it, but maybe we also need to start thinking about how to review the practices of different departments. I imagine they would have their own norms. Yours would be very different from some other government agencies. After the fact, how effective are these practices?
We might not know up front, and maybe we need to give the benefit of the doubt in certain circumstances. That is a different question. Surely we need to be building on after-the-fact accountability and review to say, “Well, what have you been doing? What has it allowed you in terms of effectiveness?” If it is not effective, maybe we need to go back and change those practices rather than letting them go on.
When it is difficult to know ahead of time, maybe you need to start thinking about some models that combine an initial discretion with the knowledge that you are going to be held to account for what happens here, and we are going to review it.
10:30 a.m.
Conservative
The Chair Conservative Blaine Calkins
In the interest of making sure everybody else gets their questions, at about five minutes left, I need the committee's time for about 10 minutes to discuss future business.
Francis, do you have a quick question?
