Evidence of meeting #23 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was surveillance.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Clerk of the Committee  Mr. Hugues La Rue
Brenda McPhail  Director, Privacy, Technology and Surveillance, Canadian Civil Liberties Association
Thomas Keenan  Professor, University of Calgary, As an Individual
Ken Rubin  Investigative Researcher, Advocate, As an Individual
Tamir Israel  Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

12:15 p.m.

Director, Privacy, Technology and Surveillance, Canadian Civil Liberties Association

Brenda McPhail

I think we'd be a bit more direct than Mr. Israel and just say yes, we think metadata should be a category of protected data. I think there's been sufficient jurisprudence now to suggest that metadata can be very revealing of intimate personal details about the biographical core.

On the actual mechanism for doing that, perhaps regulation is great for the detail, but in terms of a general purpose statement as part of the kinds of information covered, we'd love to see that placed directly.

12:15 p.m.

Liberal

Joël Lightbound Liberal Louis-Hébert, QC

Mr. Erskine-Smith, you can have my last two minutes.

12:15 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks.

My first question is with respect to the PIPEDA model of damages. Would you propose incorporating that same model, whether it's administrative damages or damages at the Federal Court, in the Privacy Act? That's for any or all of you.

12:15 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

It's a bit of a tough one, but yes, as a starting point, we would, and probably further than what's in PIPEDA right now. The current damages mechanism in PIPEDA is closer to a fine, basically. It's hard to actually implement, because you need to meet very high standards of proof before you can show that someone intentionally violated privacy, whereas an administrative monetary penalty regime would be more appropriate to these types of regulatory regimes.

We specifically suggested in our comments, but very briefly, consideration of a private right of action. There is an issue, of course, where you're opening the government up to fines, and obviously that has to—

12:15 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

The private right of action does exist in PIPEDA, though, under sections 14 to 17.

12:15 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

12:15 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

We're looking at that kind of model then.

12:15 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

That mechanism is tied to damage recovery. I would make it little bit different, because the one in PIPEDA is ancillary to a complaint. You have to file a complaint, go through the process, and basically start all over again in Federal Court if you hope to get damages. Very few people are willing to go through that entire process.

12:20 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

An administrative penalty followed by some form of judicial review at the Federal Court level.

12:20 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

And maybe an independent, individual right of action that's in parallel would be worth considering.

12:20 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Is there any disagreement?

12:20 p.m.

Professor, University of Calgary, As an Individual

Thomas Keenan

I would just add one thing. I was on a board once that disbursed $2 million of administrative penalties collected by the Alberta Securities Commission. We used it to educate the public about investors. I would suggest that education would be a wonderful use of any monies collected.

12:20 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

12:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

We'll now start the five-minute round with Mr. Kelly, please.

September 20th, 2016 / 12:20 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you to all for coming today and for appearing.

When we undertook our study of the Access to Information Act and the systems that were in place, many witnesses, including you, Mr. Rubin, began with fairly compelling and very strong cases on the current failings that existed under the status quo, with very forceful arguments on the need to change. In these presentations, many excellent concerns were raised about the anxieties Canadians have around privacy, changes to technology, and things that were hitherto seemingly science fiction that are now reality.

Can you comment on where the compelling case is for the need to rewrite the act as opposed to perhaps some of the policy-based things that are in place now? I'll let maybe each of you have half a minute or so on that.

12:20 p.m.

Investigative Researcher, Advocate, As an Individual

Ken Rubin

In polls and all the rest, a lot of people rank privacy as their number one concern, and I don't think they're reassured. A lot of people will say privacy is dead, but on the other hand, people need reassurance, and included in that is legislative reassurance. I think the act has to be brought up to date so that the public can feel much more confident in these times where surveillance makes privacy much more difficult. They need to know that there is some toughness and so on. If you don't bring in the order-making powers, if you don't bring in the charter, if you don't bring in other legislation, people will not feel that their leverage and their privacy rights are protected. We do need the change.

12:20 p.m.

Director, Privacy, Technology and Surveillance, Canadian Civil Liberties Association

Brenda McPhail

At CCLA we have members of the public calling us. The kinds of calls we get in relation to privacy are things like, they heard on the news that CSE is tapping phones in airports and how can that be legal, or they heard that police are collecting thousands of people's data to catch a jewel thief using a Stingray device and how can that be legal.

The overwhelming tone is the sense that there's something fundamentally wrong if they can't understand that practices that are happening and which they're being told are okay really are.

There's a sense that the law is not keeping up with their expectations, that there should be limits to the amount of data about them that can be used and collected.

I talked about trust a number of times in my presentation. I think that public trust in bodies that collect people's information is eroding. You could think about it perhaps more in relation to the private sector, but having trust in government is fundamental to ensure political participation in our democratic society. It's absolutely vital that citizens believe that their government has their best interests at heart when it comes to the protection of their personal information. If they don't have that feeling, then the social licence that public bodies like national security agencies and law enforcement agencies have from the public is going to be compromised. I think we're already seeing signs of that happening. That would be my suggestion as to a compelling case.

12:25 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

I'd like to largely adopt the comments of my two colleagues and add one more example that gets a lot of attention and undermines public confidence and trust, and that's in the security context where we're getting increasingly large numbers and frequency of data breaches often with government-held data. This often leads to harm to individuals because it often leads to identity theft and other ancillary types of harm. It does erode public trust. Against the backdrop of this, this is information that citizens need to entrust to their government to participate in daily life.

In that particular subset of considerations, in addition to the ones mentioned by my colleagues, should be imposing and formalizing obligations for technical security safeguards so that the Privacy Commissioner's office can leverage the expertise it has in this field to ensure we adopt high levels of technical safeguards, imposing notification obligations so that individuals are uniformly notified when these types of breaches happen and are able to take remedial action. These types of things really are important moving forward because they're going to be more problematic down the road, not less.

12:25 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you.

We now move to Mr. Saini.

12:25 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Thank you all very much for being here today.

I want to highlight a point and get your comments.

When the act was first written, we had written records and now we're moving to digital records. There's always this fear of oversharing or over-collecting of data. Right now in the act there is something where government institutions can collect data that they consider relates directly to the program they're analyzing. One of the issues, and Ms. McPhail and Mr. Israel spoke about this, is the necessity of collecting information.

How would we define a necessity test? How could we put that into legislation?

12:25 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

Our written comments, which we'll submit in due time, will provide you with some legislative suggestions. Many of the provincial counterparts of the Privacy Act have a necessity obligation. What it does functionally is important. You could get to the same place with the existing standard, which is information relating to an operational program. But reorienting the thinking on necessity is an important step that lets government achieve its legitimate objectives but refocuses the data practices adopted by civil servants around whether they really need a piece of information and whether they need to keep it for the length of time they have in mind.

Having necessity in there explicitly would be a defined legal standard. It would also help to reorient the thinking around data practices so that they're not over-collecting or keeping things too long.

12:25 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Ms. McPhail, did you have a comment?

12:25 p.m.

Director, Privacy, Technology and Surveillance, Canadian Civil Liberties Association

Brenda McPhail

I would agree with Mr. Israel. I think it's really important that something in the act causes people to ask not just what they can collect, but what should they collect. Is it necessary? Is it important? Those are the things that need to be considered and the technical ways as to how you would introduce that.

We could provide some written submissions if that would be useful, but just as a general principle, the overarching idea in the age of over-collection of data is that the government is saying, “Wait. Stop. Is it necessary?” I think that's a really important foundational point.

12:25 p.m.

Professor, University of Calgary, As an Individual

Thomas Keenan

I'd like to make the case for data obfuscation, which is you don't always have to keep all the data and keep it exactly.

I was approached by a member of a provincial union who said their salaries are going on the sunshine list right down to the pennies they make and was that a risk for identity theft. I said you're darn right it is. If somebody calls a bank and they know your exact salary, that's another point of identity.

I suggested that be rounded off to the nearest $500. It didn't happen, so the reality is maybe governments don't need the data as precisely as they might think. They might be able to put it in ranges. StatsCan does an admirable job of making sure you can't track it to an individual when they let data back out. Nobody seems to think about that. We always seem to think we need exactly down to the penny. Maybe we don't.

12:25 p.m.

Investigative Researcher, Advocate, As an Individual

Ken Rubin

The way government legislation is written, there are always exemptions to getting this or that. Why aren't there any exemptions to what's necessary? I think maybe a list of things that government has no business collecting may be one way of helping facilitate a narrower definition of necessity.