I am, thank you.
Thank you very much for allowing the Canadian Civil Liberties Association to appear before the committee today.
We were founded in 1964 to protect the rights and freedoms cherished by Canadians and entrenched in our Constitution.
Too often these days, privacy is characterized as a barrier that someone can decide to erect or to take down. An institution or a group might want to build it higher, chip away at it, or smash it completely, depending on its assessment of privacy as a value. The barrier metaphor, which we see increasingly in the media and other conversations about encryption, health information, and national security, to name a few, is a confrontational, unproductive, and arguably ineffective way to think and talk about privacy.
CCLA suggests that, particularly in the context of this much-needed conversation about Canada's federal privacy legislation, we need to talk about privacy as a human right. A rights-based approach, of course, doesn't remove all conflict, because all of our charter-protected rights and every right that is enshrined in international law exist in tension with other rights. However, it does provide us the motivation to engage on the level of first principles, so when we begin to specify what privacy protection actually looks like in Canada, we are all operating from a common understanding that it matters, not just to individuals but to us as a society, nationally and globally. A commitment to privacy as a human right can help us navigate the dramatic changes we have seen since the act came into effect 30 years ago.
Technology hasn't just changed the ways we can collect and use data; it has also changed our societal attitudes toward information. The potential of large collections of information—big data—to reveal useful patterns and probably hidden secrets is regularly heralded by both private and public sector bodies. Government both collects information itself and potentially has access to the ever-increasing stores of information in the hands of the private sector. At the same time, what we hear from people when they call and speak with us at CCLA is that citizens are afraid of technologies and processes they don't understand being used in ways that can have serious consequences for their life chances without their knowledge. This legitimate fear is undermining public trust in bodies, including governments, that collect, manage, and store information.
In this data-rich environment filled with data-hungry actors and fearful citizens, it is increasingly important that Canada's privacy law be revised to be strong, flexible, and well-grounded. It needs to encompass contemporary and future uses of personal information and, most important, it needs to engender trust in Canadians.
All of our recommendations are made with these overarching concerns in mind. I am going to rocket through 10 points, most of which are going to be familiar to you because they are in agreement with the submission to this committee, in March, by the Privacy Commissioner of Canada and subsequent witnesses. I am going to be extremely brief, but I am happy to clarify during questions.
First, we must ensure that there is a necessity and correctness standard put into the legislation, to be applied when deciding whether to collect information, whether to keep it, and whether to share it. Is it needed? Is it correct to collect and use it? By that I mean, would it withstand a charter challenge? This standard will encourage data minimization and guard against what we all know is a well-known tendency to over-collect data and store it for too long, just in case it might be useful sometime in the future.
Requirements for information sharing agreements need to be clarified in this legislation as well. This is particularly vital since the passage of the Anti-terrorism Act, 2015, which greatly expanded the scope of information sharing between government departments. At the time then Bill C-51 passed, the reassurances that Canadians were given in relation to these new sharing powers were that the Office of the Privacy Commissioner of Canada would have review and oversight. Regardless of the changes that are or aren't made as a result of the ongoing national security consultation, we believe revisions to the Privacy Act can provide much-needed safeguards and transparency for all information, for any purposes, in Canada. There need to be openness and transparency regarding the way information sharing happens, the extent of that sharing, and the explicit safeguards that we assume will be put in place to ensure that sharing is proportionate and that privacy risks have been properly assessed and mitigated. Of course, this holds true for sharing domestically and with foreign governments.
Transparency reporting requirements, in that same vein, need to be clarified and established. In particular, that is the case for lawful access requests made in a law enforcement context to private sector bodies that hold information about individuals. These reports provide valuable public information that can foster and inform public debates and decisions about privacy and, going back to my earlier comments, enhance trust in government institutions. Citizens deserve, and many want, an understanding of the nature and frequency of requests by law enforcement bodies for their personal information when it happens without their consent or knowledge. CCLA has always argued that the ability of law enforcement to make these requests should be limited, as per Spencer, but to the extent that these requests are allowed, with or without a warrant, a strong transparency regime is necessary to ensure the public is properly informed.
In keeping with the theme of enhancing public trust in the way government collects and uses personal information, CCLA would also recommend that privacy impact assessments be mandatory when government departments create new or expanded programs that might affect Canadians' privacy. The assessments need to be submitted to the OPC, Office of the Privacy Commissioner, for review during the design and planning phase while there is still time to mitigate any privacy risks. At the conclusion of the process, appropriate summaries should be made public so that citizens can see that this process has happened.
In a similar vein, we suggest that there should be consultation with the OPC when drafting legislation and regulations that affect the privacy of Canadians. Again, that should happen before the bills are tabled. This recommendation is directly relevant to my preamble, where I asked for privacy to be talked about as a human right. Having a process in place where privacy interests can demonstrably be shown to have been taken into consideration in the development of new legislation gives privacy rights the appropriate weight and is consistent with international trends.
We would also encourage government institutions to lead the way in cybersecurity by adding a specific obligation in the act for them to provide the appropriate level of both technological and processual protection to data collected, whether it is in transit, at rest, during use, in storage, or at the time of destruction. We recommend the federal government take a proactive approach to making sure the data its institutions hold is protected to an exemplary standard. We believe this can be achieved, in part, by revisions to the Privacy Act. Of course, more information will come out about that in the cybersecurity review.
We would like to see breach reporting made mandatory in law rather than just policy. Government institutions should have to report breaches beyond a relevant threshold, an agreed-upon threshold, to the OPC and notify individuals in a timely manner. The threshold needs to be clearly defined in the legislation, much the way it was done in similar amendments to PIPEDA.
Even if breaches fall short of the standard that is agreed upon for mandatory breach reporting, government institutions should be required to keep records of all breaches for possible review by the OPC. Knowing that they are accountable for doing so will be a strong motivator for needed data security and improved data stewardship.
The record-keeping requirements need to be sufficiently robust so that the commissioner can look at them and make sure that the assessments about whether or not a breach meets the threshold are happening properly.
We would like to see order-making power given to the Privacy Commissioner. It was with interest that we noted he now agrees. More information sharing and collection means that more potential harm can come from excesses. There need to be consequences in proportion to the risks, which means that the commissioner needs expanded powers to make sure the fullest protection of the revised law can be brought to bear in a timely and effective manner.
Last, we recommend regular review of the act every five years. I don't think that requires elaboration in this changing environment.
Once again, thank you very much for allowing us to appear.