Information & Ethics Committee on Sept. 27th, 2016

Evidence of meeting #24 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was commissioner.

A recording is available from Parliament.

On the agenda

Privacy Act

MPs speaking

Blaine Calkins
Rémi Massé
David Tilson
Matt Jeneroux
Daniel Blaikie
Nathaniel Erskine-Smith
Raj Saini
Joël Lightbound
Wayne Long
Bob Bratina

Also speaking

Colin Bennett  Professor, Department of Political Science, University of Victoria, As an Individual
Colonel  Retired) Michel Drapeau (Professor, University of Ottawa, Faculty of Common Law, As an Individual
Kellie Krake  Staff Lawyer, Law Reform, Canadian Bar Association
Gary Dickson  Executive Member, Privacy and Access Law Section, Canadian Bar Association

12:35 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Thank you.

I have a very broad question.

In your CBA analysis, Mr. Dickson, and from whatever readings I've also done, there has been some talk of reconciling the PIPEDA with some sort of privacy regime to make them more aligned. Of the two starkest differences that have been highlighted in PIPEDA, one is that there is a differential in accountability between a ministerial office and a private enterprise, in that there is a recourse on the government side to have ministerial accountability, while the recourse when you're dealing with private business is that the consumer can go somewhere else and find another service provider.

I also understand that there's the consent issue, because on the private sector side consent is given, but on the public sector side it's more statutory.

In trying to be effective and trying to be efficient, are there any other stark differences that you or Mr. Bennett or anybody else could highlight, or do you think the motivation of the committee should be somehow to reconcile the two so that there are not two different regimes out there, one for the private sector and one for the public sector, so that it would be easier for Canadians to understand one regime and the slight responsibilities that might have to be entertained between the public sector and the private sector?

12:40 p.m.

Executive Member, Privacy and Access Law Section, Canadian Bar Association

Gary Dickson

I'd say, with respect, that the Privacy Commissioner has managed since PIPEDA came into force to be able to address that part of the mandate and deal with concerns with respect to private businesses and private sector organizations, and at the same time to meet the responsibilities under the Privacy Act when it comes to matters related to the public sector.

I'm not sure I feel or understand a need for a higher degree of integration or harmonization than currently exists. I think there are a number of things that are equally important, such as the protection of information, the powers of the commissioner, and so on. Apart from those two issues of accountability and consent, those are divergent matters driven by statute, and I don't see a need to try to reconcile or resolve those into a single approach. They both exist for legitimate reasons that have been tested with the experience of the dual statutes.

12:40 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

My main question is this. Outside of those two, are there other stark differences that you see? Could everything else outside of the slight differences that may be apparent between the public sector and private sector have more of a regime that was maybe 80% or 90%—I'm just throwing a number out there—and that could be similar to make it easier for people to understand that these are the slight differences and how to reconcile the two?

12:40 p.m.

Executive Member, Privacy and Access Law Section, Canadian Bar Association

Gary Dickson

From a CBA perspective, those are the two key areas where there are differences for legitimate reasons. I think most of the other elements of PIPEDA work equally well in the Privacy Act. I haven't gone through and itemized each one, but those are the two big differences, which I respectfully submit need to continue to be respected.

12:40 p.m.

Prof. Colin Bennett

I draw your attention to two other things. One is the standard for collection test. The Privacy Commissioner has recommended a necessity for collection related to a government program. I strongly support that. I think that's also relevant in the context of the debates about the revisions of Bill C-51.

The other is that with the basic privacy principles, there's a lot of convergence between the two statutes. There is a big gap in the Privacy Act having to do with security safeguards. The language you find in section 4.7 of schedule I in PIPEDA does not have equivalence in the Privacy Act, and that's a huge gap.

Beyond those, I think all of the other issues have to do with the powers of the commissioner and the tools and the instruments that the commissioner has at his disposal, and that includes mandatory data breaches and PIAs.

12:40 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

I have a final question. Both the information act and the Privacy Act were put in place at the same time to be seamless. From what I'm hearing, you feel that both commissioners should have different powers, or should they have the same powers?

12:40 p.m.

Prof. Colin Bennett

Well, I....

12:40 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Let's take one step back.

We finished a report, and the recommendation of the committee was to give the Information Commissioner order-making powers. I think that after that cup of coffee that Mr. Drapeau alluded to, the Privacy Commissioner now also wants the same power.

Is it the case that either we give them the same powers, or there's going to be an imbalance in power?

12:45 p.m.

Prof. Colin Bennett

I think both should have the same powers. I don't know quite how the Privacy Commissioner came to that conclusion. There's been a long series of analysis on this issue.

I would make the point that Canada is probably the only country in the world where the issues of access to information and privacy are seen as two sides of the same coin. In most other places, countries either have a data protection act and no freedom of information, or they have freedom of information and no data protection.

The logic of doing that back in the 1980s was very persuasive. Since then, the two regimes have diverged, particularly as a result of the enactment of PIPEDA, which gives the Privacy Commissioner authority over a range of institutions in the privacy sector and responsibility for a range of issues that were never contemplated when the Privacy Act was promulgated.

12:45 p.m.

Conservative

The Chair Conservative Blaine Calkins

Well, I think that brings our meeting to a close. I would like to thank our witnesses and my colleagues. Perhaps you'll allow me as the chair to ask the one question in the room that everybody wants to know the answer to but was never brought up: based on last night's debate, is it Trump or Clinton?

I'm kidding, of course.

All kidding aside, Mr. Saini actually asked the question that I had, based on the report that we just issued from this committee, and we're awaiting the government response and legislation. I appreciate the answer, Mr. Bennett. That was the one question I had. If order-making power exists in the information act, then it should probably be counterbalanced with order-making power. Whether we got that right or not remains to be seen.

I think Mr. Drapeau would have something to say about that, but we already know these things.

Thank you very much, ladies and gentlemen, for coming here today. We much appreciate it. I know you'll keep a keen interest in what this committee is doing. If there's any other information that you think we should be aware of throughout our study, please send that to us.

Thank you, colleagues. We'll resume with another meeting on Thursday.

The meeting is adjourned.