Surveillance is always scary.
I'm back here to testify given my involvement for over four decades in privacy matters and advocacy. My privacy advocacy work began with a local civil liberties group dealing with the growing use of social insurance numbers as an identifier. As an investigative researcher, I dug up information on the problems with increasing use of computer matching of personal information, and yes, back then, I was a witness testifying on the limits of Canada's proposed privacy act and on secretive data sharing.
Now the privacy issues are even more complex in this digital age and are threatening given the widespread legal and illegal sharing of and access to personal data, metadata mining, data profiling, and massive surveillance.
Throughout I've never wavered in the belief that Canadians need more access to and control over their personal information and better information about intrusions. Canada cannot continue three and a half decades later to have weak privacy legislation. The focus on limited privacy access to one's records to the detriment of regulating the state and private sector's relentless intrusions into the lives of Canadians has left us with inadequate safeguards.
There is not much in the current Privacy Act and PIPEDA that puts a stop to online snooping, data mining, and biometric identity matching or that addresses and restricts the growing use of secretive newer surveillance technologies like Stingray cellphone listening devices or prevents the increasing sharing of Canadians' personal data with foreign authorities.
No Canadian minister or prime minister has stepped in demanding better privacy protection or proposing remedies against what Edward Snowden revealed as the means of secret massive surveillance trolling.
No Canadian prime minister has put in place regulatory restrictions that, for instance, deal with the handling of increased amounts of Canadian personal data housed or transmitted through the United States and potentially captured under its Patriot Act or subjected to other foreign entity intrusions.
Public Safety Minister Ralph Goodale's recent discussion paper on police security powers does not alleviate civil liberties privacy protection concerns. Treasury Board President Scott Brison's statements, including before this committee, that more not fewer records must be exempt under national security, do not calm those concerns. Brison went on to say that the Information Commissioner, or for that matter the Privacy Commissioner, would have limited review and access to such security records, so the Trudeau government's opening moves are then far from reassuring.
What we do need is a greatly strengthened data protection act. Let me briefly turn to 10 areas in which improvements can be made.
My first recommendation to improve legislation is in agreement with testimony of a previous witness, Lisa Austin. We must begin by framing further advances restricting privacy invasion in terms of and in line with Canada's Charter of Rights and Freedoms, so first and foremost a new act's purpose clause must recognize privacy protection as a constitutionally protected right.
My second recommendation is that a basic rewriting of privacy legislation needs to create a whole new predominant part one section that emphasizes transparent and enforceable obligations and restrictions on data sharing, matching, profiling, and tracking.
If a privacy act is to become, as it should be, a data protection act rather than simply a limited and outdated access to personal information act, there must be provisions added for tougher and clearer regulation and restrictions on personal information sharing.
While the Privacy Commissioner calls for prompt mandatory reporting of public sector personal data breaches, he only advocates some selective notification of those affected and minimal transparency, and he sets out no enforceable binding order or penalty powers for his office despite the fact that such breaches occur fairly regularly. I'll explain that more.
My third recommendation is threefold. First, individuals should be given mandatory rights of consent on a timely basis for government collection and use of their information. Second, there should be fewer exemptions, exempt banks and delays so individuals can promptly obtain more fully their information. Third, all agencies, including the prime minister and his office, should be covered.
My fourth recommendation, which former privacy commissioner Jennifer Stoddart suggested, is that unrecorded information such as personal biological samples, including DNA and iris scans, be covered. Data gathered from radio frequency identification chips or now by Stingray collection needs to be explicitly covered by public and private sector privacy legislation.
My fifth recommendation is that officials' salaries and perks and private sector violations no longer be considered as personal information, but be public. For example, exact bonus payment information received must be made public. The company's name, as in the case of the bank fined $1.1 million by FINTRAC, or in the case of companies and individuals found to be tax haven offenders must also be made public.
My sixth recommendation is for a privacy commission to have order-making power. Now Commissioner Therrien agrees at this point, but enforcement powers and stiffer penalties for privacy invasion would still be needed to help effectively restrict privacy invasions and regulate transborder data flow. His office would need wider investigative powers to review such matters as questionable transborder data flow and metadata collections. It's not simply a matter of order powers.
My seventh recommendation, in agreement with Commissioner Therrien, is that both he and all Canadians need a legislatively expanded right to go to court, including in cases of improper collection and use of personal data. Courts now are only able to hear cases about access to blocked individual personal files. It would help too if individuals and groups bringing such privacy violation cases to court were given resources to sue the government. It is important to note that individuals and groups may still challenge commissioner orders as limited and want the courts to provide greater privacy protection than commissioner orders offer.
My eighth recommendation is that oversight be separate when it comes to access to information and privacy. Joining such acts so closely together destroys their opportunities to more fully develop their separate and, at times, conflicting public interests. One is for proactive disclosure and multi-transparency tools and accountability practices; the other is for restricting privacy invasions and enhancing data sovereignty. It's time to untie privacy legislation from access to information legislation.
My ninth recommendation is that in order to have an effective data protection act, the House privacy committee must consider bold changes to the Privacy Act in conjunction with improving the Personal Information Protection and Electronic Documents Act, PIPEDA. The threats under both acts are similar, the remedies the same and the object the same, which is that Canadians want more control on what personal data third parties, from police to marketers, can access.
My 10th and final recommendation is for greater transparency—no surprise—when it comes to the public knowing about the use of privacy invasion powers. Canadians remain largely unaware of the systems and means authorities are using to conduct surveys that can affect them. Little is known about the cost of surveillance and about the budget and expenditures law and security forces have in this regard. We remain in the dark about how frequently and where, for instance, Stingray equipment is used and the cost involved. We remain unclear about what laws or authorities allow surveillance. I can think of dozens of such laws.
The committee, in addition to conducting periodic reviews of privacy legislation, should have a subcommittee tasked with reviewing and questioning laws that broadly allow privacy invasion and intrusions.
Let me end with an example of where the public is kept in the dark on how Canada's system of surveillance operates. Recently I uncovered data whereby the public safety minister and his officials had issued, in a 2014 to early 2016 period, licences to the RCMP, CSIS, and CSE of National Defence which in turn allow unnamed private companies to have and sell surveillance equipment to unnamed buyers, be it possibly malware, Stingray, or other surveillance equipment or components. This is done under the cover of a section of Canada's Criminal Code.
Documents obtained indicate, for instance, that CSIS has trusted, long relations with certain surveillance companies, and, in one instance, a ministerial licence granted was backdated. We do not know, then, what kind of surveillance occurs, and there is no known reporting requirement, like under wiretap legislation.
The point, Mr. Chairman and members of the committee, is a minister of the crown oversees this surveillance arrangement far away from public scrutiny. His or her first concern is not to champion privacy protection for the public. I and others are offering up suggestions for Canada to move beyond weak privacy protection legislation and lax regulation to protect citizens.
I thank you very much.