Evidence of meeting #24 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session.

Also speaking

Colin Bennett  Professor, Department of Political Science, University of Victoria, As an Individual
Colonel (Retired) Michel Drapeau  Professor, University of Ottawa, Faculty of Common Law, As an Individual
Kellie Krake  Staff Lawyer, Law Reform, Canadian Bar Association
Gary Dickson  Executive Member, Privacy and Access Law Section, Canadian Bar Association

11 a.m.

The Chair Conservative Blaine Calkins

I call the meeting to order.

Good morning, everyone.

This is our 24th meeting of the committee. This is our third or fourth meeting on our study of the Privacy Act. We are thrilled to have some high-calibre witnesses with us again today.

We have Colin Bennett, professor with the department of political science at the University of Victoria, and Michel Drapeau, professor with the faculty of common law at the University of Ottawa, who is no stranger to testimony here on the Hill.

From the Canadian Bar Association, we have Gary Dickson and Kellie Krake.

Welcome to all. We cannot wait to hear what you have to say. We'll have 10 minutes from each organization or individual. We have simultaneous translation, so I ask that you speak slowly, clearly, and articulately in order to have simultaneous translation.

We'll begin with you, Mr. Bennett, for up to 10 minutes, please.

11 a.m.

Professor Colin Bennett Professor, Department of Political Science, University of Victoria, As an Individual

Thank you very much, Mr. Chairman. I'm pleased to be here.

I am a professor of political science at the University of Victoria. I'm currently on sabbatical leave at the University of Toronto, so I haven't come all the way from Victoria today.

I have written or edited a number of books on the subject of privacy protection, both comparatively and historically, and that's my expertise. I'm generally known for my comparative work on privacy governance in both the public and the private sectors.

I'd like to begin by saying something about the history of the Privacy Act and why it came into being, because I think that historical context is important.

At the time the act was passed, Canada was only one of a handful of countries, most of which were in Europe, that had passed any form of privacy protection legislation. It was enacted with little public media or parliamentary debate. To a large extent, it was motivated by the associated passage of the Access to Information Act and the need to ensure that both acts were compatible with respect to exemptions.

The title is a misnomer. The law addresses just a subset of the multiple issues and concerns embraced by the word “privacy”. It's more properly regarded as a data protection statute. That's the word that's typically used in Europe to cover the regulation of the collection, processing, storage, and disclosure of personally identifiable information.

As the Privacy Commissioner and many others have pointed out, the Privacy Act is in dire need of modernization. It is a first-generation statute, and two or three other generations have evolved since. The lack of reform has also meant that a good deal of the content of the regulation is contained in an accumulation of Treasury Board Secretariat guidance that can sometimes be ignored or selectively interpreted.

The act is also based, in my view, on the dated assumption that government information is contained in neat data banks and can be listed, managed, and regulated. It's also based on the false assumption that the chief threat to privacy came from state bureaucracy rather than from the private sector. There are now over 100 countries in the world that have some form of comprehensive data protection law, and virtually all of them cover the practices of both corporations and government.

Given our complex federal system, that was never going to be an option for Canada. We are stuck with some legacies that are difficult to escape from. In my view, the general task here is to amend the law in such a way that the basic privacy principles remain intact, which embraces the more contemporary ideas about how to protect personal data in a networked environment in which personal data can be shared instantaneously and easily between and within organizations. The main difference between the laws that were passed in the 1980s and the 1990s and those that were passed in the 21st century is that contemporary law now embraces a full range of different tools or instruments for privacy.

I am in general agreement with what the Privacy Commissioner said to you in his submission of March of this year. I do not disagree with any of the suggestions that he made, but I would like to focus in the time remaining on four areas of reform mentioned in his submission: data breach reporting, privacy impact assessments, the overall powers of the Privacy Commissioner, and the question of information sharing.

I also have some final comments on the capture of personal data by federal political parties. I know this was something you've asked witnesses about in your previous sessions. I have written about that extensively. I've researched it and I want to make a few comments about it.

First, with regard to data breach reporting, the frequency of data breaches in the federal government is quite striking. Data breaches cost money and they damage trust and reputation. Mandatory privacy data breach notification is now a feature of modern data protection law. It's now required under some conditions for Canada's private sector under the amendments to PIPEDA.

It's also crucial, in my view, to combine the stick of mandatory data breach reporting with a carrot that says that if you've taken proper technical measures and safeguards to protect that data through encryption, then it's not that you get out of jail free, but you just have to do less in terms of reporting.

Organizations and agencies need to be incentivized to encrypt data. Therefore, I would strongly suggest that any mandatory data breach reporting requirement be accompanied by appropriate legislative requirements for physical, organizational, and technical safeguards similar to those that are found in PIPEDA.

Second, privacy impact assessments, or PIAs, have been a feature of the privacy protection landscape since the late 1990s, and Canada was one of the first countries to think seriously about this issue and their appropriate role. Ideally, they should be a recurrent process, an ongoing process, rather than just a checklist. They're designed to be an early warning, and they're particularly critical when programs and services that have potentially significant implications for privacy are being contemplated or amended. Experience suggests, however, that they are more likely to be effective when they're embodied in existing administrative procedures, such as technology procurement, budgetary submissions, and so on.

The OPC has reported that the quality of PIAs in the federal government is very uneven because there's no legislative requirement to conduct them, as there is in other countries and in some provinces. I therefore strongly support the OPC's recommendation that the current TBS guidance be given statutory force.

Third, with regard to the powers of the Privacy Commissioner, when the Privacy Act was passed, there was little contemplation that the commissioner would be anything more than a standard ombudsman within the general parliamentary tradition, and an awful lot of the text of the Privacy Act is about the complaints investigation process. That is extremely important.

One take-away I'd like to give to you here is that comparatively, through my experience and research, the most important powers of a privacy commission are those that are proactive and general or systemic, rather than those that are reactive or individual-based. I would like to see the act reformed in such a way that some of the more proactive powers are included in the legislation. That includes order-making power. The commissioner can only make non-binding recommendations; he cannot compel a public body to take or cease any action without recourse to the courts.

I know there's been a lot of debate about this point over the years. I am encouraged that the Privacy Commissioner has now come around to the view that he does require order-making power such as that exercised by the commissioners in B.C. and Alberta. I think it's a natural progression.

The commissioner should obviously be given an explicit public education and research mandate, the same as that provided under PIPEDA. He does that anyway. It's not in the law. It shouldn't be controversial. A government agency should also be given the requirement to consult with him on draft legislation and regulation with privacy implications before they're tabled. He suggested that. It's a natural thing to do. It shouldn't be controversial.

Finally, on information sharing, the Privacy Act, in my view, has been ineffective in regulating the sharing of personal information among government agencies. I say more about this in my testimony. I won't go into any great depth here. The OPC has recommended that any sharing of information among agencies be made in a written manner. The problem, in my view, is the so-called “consistent use” exemption, which was originally intended as an exceptional circumstance—just those exceptional circumstances when agencies need to share data when they didn't think about it and it wasn't included in the Info Source database.

If you look at Info Source now, you see a whole range of consistent uses that are listed. I think it's got out of control and I think it needs to be reined in. There should be written requirements, and so on.

Finally, if I may, I'd like to say something about the capture and processing of personal data by federal political parties. I understand that the committee has been interested in this question. I'd be interested in answering any questions you have about it. I wrote a report on this subject for the Office of the Privacy Commissioner back in 2012, and I actually testified before this committee two or three years ago when you were interested in social media and social networking in relation to this subject.

Political parties are largely exempt from Canadian privacy laws. They're not covered under PIPEDA or substantially similar provincial laws, with the exception of the Personal Information Protection Act in B.C. They're not government agencies, they're not covered by the Privacy Act, and they're largely exempt from CASL, the spam legislation, as well as from the do-not-call regulations administered by CRTC.

Thus, for the most part, individuals have no legal rights to learn what information is contained in party databases, which are extensive; to access and to correct those data; to remove themselves from the systems; or to restrict the collection, use, and disclosure of their personal data. For the most part, parties have no legal obligations to keep that information secure, to only retain it for as long as necessary, or to control who has access to it.

I am not arguing that the Privacy Act is the appropriate statutory vehicle to deal with this problem, and there are also problems with bringing parties under PIPEDA, but as I've done a lot of research on this subject, I just want to alert you to the fact that this is a huge gap in the Canadian privacy regime and that, in my view, it requires some urgent resolution.

I'll leave it at that for now. Thank you very much for your attention. I look forward to your questions and I hope to submit a longer submission later in the process.

11:15 a.m.

The Chair Conservative Blaine Calkins

Thank you, Mr. Bennett.

Go ahead, Mr. Drapeau, please.

11:15 a.m.

Colonel (Retired) Michel Drapeau Professor, University of Ottawa, Faculty of Common Law, As an Individual

Mr. Chair, ladies and gentlemen, thank you for giving me the opportunity to comment on the proposal advanced by the Privacy Commissioner in his letters of March 22 and September 13.

For reasons of brevity, and I will be brief, permit me to identify the recommendations with which I agree, without commenting on any of them.

I agree in principle with 11 of the recommendations made by the Privacy Commissioner, the OPC, namely recommendations 1 to 4, 6 to 8, and 11, 12, 14, and 16.

However, I disagree with six of his recommendations. Let me touch very briefly on the reasons for not endorsing these in my further comments.

First is recommendation 5, which deals with expanding judicial recourse and remedies under section 41. The only reason for my disagreement with this recommendation is that it doesn't go far enough. I believe one of the most important remedies that can be provided to a complainant is to handle his or her complaint in a reasonable amount of time. This is currently not happening. I recommend that a time limit be imposed upon the OPC to make findings and recommendations.

Recommendation 9 is to provide the OPC with an explicit public education and research mandate. I disagree with this. The Privacy Act has been in existence for 33 years. It's not a complex piece of legislation. Its breadth and its reach are rather limited. It deals exclusively with personal information in records under the control of the federal government. I don't believe the public needs to be educated on this right of access to their personal information. I anticipate that such an added function would lead to a substantial increase to an already large bureaucracy at the OPC.

I'm also of the mind that the role of public education and research, if required, should be left to the universities and research organizations or bar associations.

Recommendation 10 is for a five-year review of the act. I also do not believe there is a need for review on such a relatively frequent basis. I'll go along with 10 years, but certainly not five years.

Recommendation 13 is to grant the OPC the discretion to discontinue or decline complaints in specific circumstances. Under the Privacy Act, Canadians have a quasi-constitutional right to access their personal information and to complain to the OPC if they feel that their rights have been violated. I feel it would be wrong to empower the commissioner with the discretion to refuse to investigate a complaint, as it would disenfranchise the complainant and deprive him or her of any possible remedy before the court.

Recommendation 15 is to extend the coverage of the act. The commissioner recommends extending the right of access to foreign nationals. I disagree, at least for now.

At present, the OPC is one of the slowest complaint tribunals in Canada. As a case in point, I have a complaint at the moment that has been outstanding since June 2012. We have been informed recently that we shouldn't expect findings before December of this year. It took four years. I will admit it is a very complex case, but it took four years to get to it.

If you look at their report from last year—this year's report will be tabled sometime today—we know there is a one-year backlog already. Anybody submitting a complaint today has to wait at least a year if they were to be at the front of the queue from this time onward. I submit that it would be folly to extend coverage of the act to foreign nationals until we can provide Canadians with the service they deserve.

I must now address the fact that in his September 13 letter, the commissioner has repudiated the recommendation he made six months earlier.

I have already indicated my agreement with the recommendation on March 22 by which he proposed a hybrid system for the investigation of complaints. I agree with that. However, I strongly disagree with his September letter, in which he now asks for order-making powers.

I have trouble understanding why the commissioner has done an about-face and is now requesting order-making powers rather than the hybrid model. Like him, I will refer to the La Forest judgment. Justice La Forest warned us that such a change would be costly, that it could further delay the investigation process and, worse still, that it could lead to closed-door hearings.

I will now quote Justice La Forest's statements that are included in the Privacy Commissioner's letter.

There is a danger that a quasi-judicial, order-making model could become too formalized, resulting in a process that is nearly as expensive and time-consuming as court proceedings. It is also arguable that the absence of an order-making power allows the conventional ombudsman to adopt a stronger posture in relation to government than a quasi-judicial decision-maker. There is also some virtue in having contentious access and privacy issues settled by the courts, where proceedings are generally open to the public.

Thank you for your attention.

11:20 a.m.

The Chair Conservative Blaine Calkins

Thank you very much, Mr. Drapeau.

We now move to Mr. Dickson on behalf of the Bar Association, for 10 minutes, or is it Ms....?

11:20 a.m.

Kellie Krake Staff Lawyer, Law Reform, Canadian Bar Association

Thank you very much for the invitation to present the CBA's views on the Privacy Act amendments.

The CBA is a national association of 36,000 lawyers, law students, notaries, and academics. An important aspect of the CBA's mandate is to seek improvements in the law and the administration of justice. It's that perspective that brings us before you today.

Our submission on the Privacy Act amendments was prepared by the Canadian Bar Association's privacy and access law section. With me today is Gary Dickson, an executive member of that section. He served as Saskatchewan's first full-time information and privacy commissioner for 10 years. He also served as an elected member of the Legislative Assembly of Alberta for nine years, with specific responsibility for access to information and privacy legislation.

Mr. Dickson will now address the substance of our submission and respond to any of your questions.

11:20 a.m.

Gary Dickson Executive Member, Privacy and Access Law Section, Canadian Bar Association

Good morning, Mr. Chairman and members.

You will have already seen the Canadian Bar Association's written submission in response to each of the 16 suggestions from the Privacy Commissioner, at least as they stood when he wrote to your committee on March 22.

The position of the Canadian Bar Association is, and has been, that this 1983 statute is long overdue for reform. More than 200 government institutions are currently subject to the Privacy Act, and collectively they collect, use, and disclose massive volumes of personal information of Canadians. The CBA is supportive of 13 of those recommendations. Let me highlight our thoughts on three of the recommendations that the CBA did not fully agree with.

Recommendation 6 may be the most significant, in that it deals with the role and powers of the Privacy Commissioner. The CBA completely agrees with the commissioner that the current model of pure ombudsman requires reform. This, of course, confers on the Privacy Commissioner broad powers to undertake investigations, but at the end of the day only the limited power to offer recommendations, which may be accepted in whole or in part or rejected. This is a model that's currently seen in Yukon, the Northwest Territories, Nunavut, Saskatchewan, Manitoba, Nova Scotia, and New Brunswick.

If the committee agrees that change is needed, there are essentially two models that exist in other Canadian jurisdictions to consider for this important office. One is the order-making model, under which the Privacy Commissioner is in effect an administrative tribunal and can issue enforceable orders to government institutions. This is the model that exists in British Columbia, Alberta, Ontario, Quebec, and Prince Edward Island.

The alternative we suggest would be the newer model that's been created and then implemented in Newfoundland and Labrador's June 2015 amendments to their access and privacy law. In our paper, at page 8, we describe this as the enhanced ombudsman model.

I know this committee has had the opportunity to hear from the authors of the seminal report that was done in Newfoundland that had been chaired by Clyde Wells and is aware of the reasons for the recommendations. The preference of the CBA, when we looked at the two models initially, was that the enhanced ombudsman model would be the preference.

Mindful that the Privacy Commissioner has just revised his position and moved from supporting the enhanced ombudsman model to the order-making model, we thought it might be useful for the CBA to offer a thumbnail sketch of some of the advantages and disadvantages that we've identified with the two different models.

With the order-making model, an advantage is that it would clearly align more closely with international models of data protection. That's what you would see in the Federal Trade Commission and the Federal Communications Commission in the U.S., as well as in the United Kingdom and Mexico. Most European data protection authorities also have that kind of an order-making tribunal model.

Clearly we would see a much more timely response to the oversight office once formal investigations are started. In the experience in those provinces that have order-making, there tends to be a more positive response and a more timely response when the commissioner comes calling. Obviously there would be higher levels of compliance in cases where the government institution would otherwise not accept a recommendation from the commissioner, although you've already heard from the Information Commissioner that most recommendations are now accepted without any order-making capacity.

With regard to the disadvantages, the process tends to be more formal and more attenuated when you have an administrative tribunal. The strict obligation to ensure procedural fairness typically builds in longer time periods to move a file forward. That could translate to even longer delays than those already encountered, and certainly less flexibility for the commissioner. The process will be less user friendly for your constituents and perhaps more intimidating to individuals who make complaints to the order-making commissioner. It will likely mean dividing staff and creating a separate group of intake officers and mediators, then a separate group of adjudicators or hearing officers, and then installing within the office some kind of a wall between the two groups.

The chief advantage of the enhanced ombudsman model is a less formal, more flexible process that we think will be more user-friendly for your constituents. Allowing the commissioner to hold government institutions to account and order them to provide relevant documents and responses within deadlines, which don't currently exist for the privacy commissioner under the Privacy Act, will go a long way towards expediting and accelerating the process. I remind you that this process is often prolonged and arduous, the key being how to get co-operation from government institutions in providing the documents and information you need. We think improved efficiency should flow from the new powers suggested to better control the process of an investigation.

On the substantive issue of whether there has been a breach, the enhanced ombudsman model shifts the onus to government institutions. This is something we think highly appropriate. If a government institution is dissatisfied with a decision of the commissioner, it's up to the government institution to go to court to obtain a final determination.

Finally, as we see it, it would be easier for the privacy commissioner's office to transition to the enhanced ombudsman model than to an order-making model. When I recently spoke with Newfoundland and Labrador's information and privacy commissioner's office, one of the senior officials commented that the new system, only a year old, was working in an excellent fashion. He thought it had been very successful.

The disadvantage is that we only have about a year of experience here. Newfoundland embarked on this new process in June of 2015, so it's a limited time. We understand, though, that the system appears to be working well at present.

One of the other items we had a concern with was recommendation 8, the prior consultation suggestion or requirement. We note that the Treasury Board policy on privacy protection, section 6.2.12, already requires notification of the commissioner of

any planned initiatives (legislation, regulations, policies, programs) that could relate to the Act or to any of its provisions, or that may have an impact on the privacy of Canadians. This notification is to take place at a sufficiently early stage to permit the Commissioner to review and discuss the issues involved.

We don't know to what extent this is not being complied with, but it's quite clear and it's an appropriate direction.

We absolutely agree with the importance of early consultation, but we question whether it's realistic to make it a condition precedent to a bill's first reading. My experience as a House leader in the official opposition of a provincial legislature is that from time to time bills have to be introduced on short notice. It may be the end of a session or it may be that bills need to be introduced quickly, not to shorten and abridge the period for consideration but in fact to allow for ample consultation. In most cases it would be absolutely appropriate to have prior notice, but I can imagine cases in which it might not be useful or realistic to have a statutory requirement for prior notice.

On number 16, the personal information exemption, I can simply say that the CBA could not achieve a consensus position. This is one of those rare cases of a difference of opinion between the Information Commissioner and the Privacy Commissioner. We recognize that most provinces have this kind of two-part test, first determining whether it's a breach of personal information privacy and then considering whether it is an unlawful or unreasonable invasion of privacy. We could not achieve a consensus position on this point. CBA represents a large number of lawyers with many different kinds of clients and views, and in this area we are not able to assist the committee by offering a concrete suggestion or recommendation.

Thank you. I appreciate the time and the opportunity. The Canadian Bar Association looks forward to your questions.

11:30 a.m.

The Chair Conservative Blaine Calkins

Thank you very much to our esteemed witnesses.

We're now going to proceed to a round of questions for the first four members of the committee.

Our first MP is Mr. Massé. Please go ahead.

11:30 a.m.

Rémi Massé Liberal Avignon—La Mitis—Matane—Matapédia, QC

Hello.

I would like to thank the witnesses for taking part in this important exercise.

I have a practical question for you. Clearly, we are concerned about protecting privacy in the context you are familiar with. The federal government is a huge organization, with many departments and agencies, and personal information is collected under many programs.

In this context, what practical steps can be taken to combine the need to protect privacy with the need to offer citizens services that are effective, less expensive and more modern, as a result of technology?

The question is open to all the witnesses.

11:30 a.m.

Col Michel Drapeau

I think our public service is very well informed. It is well equipped to provide information and submissions, while bearing in mind privacy issues. This is not too onerous.

People know that some of their personal information is recorded in documents belonging to various departments. In my own experience, I have regular dealings with various government bodies. In exchanging correspondence or documents, everyone is aware of the need to apply the act as it stands.

Earlier I said that the act is not particularly complex. It really is not. You have to pay attention to certain nuances but, in practice, you know which parts of a document contain personal information. We have to rely on the good judgment of each public servant, who can consult experts if necessary to ask whether they can disclose that bundle of information.

11:35 a.m.

Prof. Colin Bennett

Thank you for your question, and it's really a big question.

To deal with any privacy legislation, how do you strike the right balance between the rights of the individual and the legitimate service needs of government agencies?

The Privacy Act is based on a theory. It's based on a principle that when individuals give information to an organization, they do so for a specified, transparent, and confined purpose. That principle is under threat by the data processing activities of government and the private sector in the belief that in this era of big data analytics, you can take information from a variety of different silos, correlate it, and find correlations that are going to be of interest to government in the implementation of public policy.

The Privacy Act is based, as I said, on this dated assumption that information can be categorized and put in silos, put in data banks. I think that is under severe challenge. The Info Source tool is dated and reflects a reality that is 30 years out of date.

Finally, government can do an awful lot in making public policy and delivering services without personally identifiable information. In answer to your question, you should identify the information and anonymize the information in an appropriate way, so that you can have both worlds. This comes under the title of privacy by design, whereby you build privacy in at the beginning. Those are the kinds of tools that the Privacy Commissioner should have, and that should be made more explicit in the Privacy Act.

11:35 a.m.

Rémi Massé Liberal Avignon—La Mitis—Matane—Matapédia, QC

Thank you, Mr. Bennett.

Mr. Dickson, if I may, I have a supplementary question for Mr. Bennett relating to part of his answer to my question.

You said that creating a directory of personal information databases, which is called Info Source, could be a tremendous waste of time and energy. I would like to understand exactly what you mean. Do you have any concrete suggestions to improve this aspect of the requirements?

11:35 a.m.

Prof. Colin Bennett

I hear from privacy professionals and from the Privacy Commissioner's office that it's generally not used a lot. It is often dated. It produces huge headaches for government departments that have to keep it up to date and define consistent uses.

I certainly see the value in having something like that when you are trying to regulate information sharing, but I do wonder sometimes whether or not it's a bureaucratic requirement that has outlived its necessity.

11:35 a.m.

Rémi Massé Liberal Avignon—La Mitis—Matane—Matapédia, QC

Mr. Dickson, you may answer.

11:35 a.m.

Gary Dickson Executive Member, Privacy and Access Law Section, Canadian Bar Association

Thank you for the opportunity to respond.

The question you asked is not much different from the question that would have been asked more than 30 years ago when legislators and parliamentarians were looking at trying to create a regime that would provide adequate protection for the privacy of Canadians, yet at the same time allow the necessary collection, use, and disclosure of personal information to keep people safe and to deliver services that your constituents and all Canadians require and expect.

There was a royal commission in Ontario in 1980 that produced a seven-volume report wrestling with that very question. We have certainly the experience of over 30 years with legislation.

I think the way we try to address and meet this constantly changing world of threats and challenges and so on to personal privacy is flexibility and comprehensive protection. For that you need legislation that's adequate to the task, which is the exercise you and your colleagues are currently engaged in. It means having a privacy oversight agency or, as Colin would say, a data protection agency, that has the necessary flexibility to be able to deal with changing threats and constantly changing new privacy-impacting technology.

The other thing that is always important to recognize is that it's never only about the statute. I like to think we have a privacy regime that's composed of a number of components. One is what you're currently engaged with, looking at the statute, but I think we make a huge mistake to focus only on the statute. In many respects, you can have a South African statute, which is one of the best in the world, but in practice it has no lift because there isn't the administrative infrastructure. All the other supporting parts don't exist.

What we need to look at in Canada is the role of Treasury Board. It's the role of access and privacy coordinators and making sure they're appropriately trained, that they're sufficiently senior in an organization, and that they can provide timely advice to lawmakers and government officials. It's about the role, of course, of the Privacy Commissioner.

I come back to talking about flexibility. One of the things that attracts the CBA to the enhanced ombudsman model is that we think it provides a measure of the flexibility we need to meet the evolving world of new and different challenges to privacy.

11:40 a.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much.

We are substantially close to 10 minutes.

We're going to move over to Mr. Tilson.

11:40 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Thank you, Mr. Chairman.

My question is to Professor Bennett, who at the tail end of his presentation made some comments about political parties. I'd like to hear more about that. What are your thoughts as to how they should be regulated? Should it be like everyone else or should it be some other form of regulation?

I've been a member of a political party for some time and I observe other political parties and sometimes they tend to be mischievous. I know people wonder whether that's possible or not, but they are. They're mischievous. Particularly if they're in opposition, they like to tie up the bureaucrats to make them do work that maybe they don't really need. That's only one example, but there might be other examples.

Here's my question. I'm interested in that topic because it seems to me from my observation—some of my colleagues may not agree with me—that they should be regulated, and I'd like to hear more of your thoughts.

11:40 a.m.

Prof. Colin Bennett

Thank you for accepting my invitation.

I wrote a report for the Privacy Commissioner in 2012. At the time Jennifer Stoddart was receiving a number of complaints about political parties. She couldn't do anything about it, so she asked me to do some research on what the main federal political parties were doing in terms of the capture of personal data.

It's complex, but essentially what happens is that the information from the voters list is distributed under the authority of the Elections Act, and then it's supplemented by information from a whole range of an expanding number of sources: telephone polling, door-to-door canvassing, social media, commercial databases, and so on. Techniques that we are currently seeing in the United States have slowly been migrating into Canadian politics. Many people are concerned about this. Political parties are one of the only types of organization in Canada that do not have to abide by the basic common sense, fair information principles, many of which are not controversial. The three main parties do have privacy codes, and they have been making some strides.

What to do is a bit of a dilemma, because political parties are sui generis. They're not government agencies, so they don't really fit under the Privacy Act. They're not commercial organizations, and therefore PIPEDA would be a stretch.

What I advised both the Privacy Commissioner and the Chief Electoral Officer a couple of years ago when this was discussed was that an interim step would be to negotiate a code of practice. Based on the 10 privacy principles in PIPEDA, the main political parties would be invited to develop privacy codes that would give individuals basic rights of access to their data and would also oblige the large number of workers and volunteers who work for parties during election times to hold that data securely. The adherence to those codes of practice would be a condition for receiving the voters list at the election under the Elections Act.

I thought that was a good interim measure to at least get party officials to get their mind around this issue. It would not, therefore, deal with the complexities of statutory change, which would obviously be controversial.

11:45 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Thank you.

September 27th, 2016 / 11:45 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Thank you all for being here today. Mr. Bennett, thank you as well.

I got scooped a little bit by my colleague here on some of the political party questioning that I had planned to do.

You mentioned that B.C. has legislation. Could you talk a little bit about what that model looks like? Also, is the intent more the protection of the data versus the access to it?

You speak of a carrot-and-the-stick argument. It could pertain here as well by saying, “You either do this or you don't get the access to the voters list.” I think the voters list is something that's important, obviously, although I don't know if it's necessarily a political advantage versus being able to engage with people.

Could you speak to that, as well as the B.C. question?

11:45 a.m.

Prof. Colin Bennett

Political parties play a crucial role in our democracy in mobilizing voters and in educating the public, and you don't want to have privacy rules in place that hamper that ability.

On the model in B.C., British Columbia is the only jurisdiction in Canada where political parties are covered. That has to do with the particular drafting of our Personal Information Protection Act, which is the substantially similar B.C. legislation that was passed as a result, in the wake of PIPEDA. There have been three investigations, I think, by the former privacy commissioner of British Columbia into political parties. The parties there have been developing codes of practice along the lines that I suggested.

I don't know that this needs to be controversial. We have a principle in this country that you shouldn't be building secret databases. That's the principle behind the Privacy Act. Unless they're exempt for national security reasons, they shouldn't be secret. Individuals should have some right to know what information is being collected on them, how it's processed, and who it's disclosed to.

In most other countries of the world, political parties are covered, with the exception of the United States. There's a gap in Canada. I think the initial step is to engage the major political parties in a process whereby the 10 basic principles in PIPEDA are laid out, then there's a discussion about how those apply to the peculiar context of political campaigning, and then that is translated into some sort of agreeable code of practice for the major political parties. This should not be a race to the bottom.

I've written a great deal on this and I'd be happy to share that with the committee, if you're interested.

11:45 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

I know we're over time. I wouldn't mind if we could then in the next round get Mr. Dickson's comments on that aspect.

11:45 a.m.

Conservative

The Chair Conservative Blaine Calkins

We'll now move to Mr. Blaikie.

11:45 a.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

Thank you very much to everyone for coming and presenting to the committee.

I'm going to direct most of my questions for the time being to Mr. Bennett as well. I apologize to the other panellists for that.

You mentioned that there are some historical systemic reasons that the law in Canada is divided between public and private, and that because of that separation, political parties have been able to fall through the cracks.

What exactly are those reasons? I understood from your presentation that given our situation in Canada, we wouldn't be able to reconcile those two acts and have one piece of governing legislation. What are the reasons? Do you think that is possible? Is it desirable?

11:50 a.m.

Prof. Colin Bennett

Back in the day, the major threat was presumed to be coming from government. It was Big Brother. The history of the Privacy Act was that it followed on from the Access to Information Act and the need to make sure the personal information exemptions in the two statutes were internally consistent.

At that time, it was thought that the private sector could be governed through voluntary self-regulation. For the period of the late 1980s and 1990s, that's what happened. There was a process through the Canadian Standards Association, which I was involved with, that got the major private sector associations to agree to the CSA standard, which then became the basis for PIPEDA.

There are different issues having to do with government agencies and the private sector. With respect to corporations, the role of consent is stronger than it tends to be in government agencies, where the stipulation is that it has to be a statutory requirement, a legislative requirement. Most countries today are starting with a blank slate and think they just have to have one comprehensive statute. Why? It's because it's so difficult to know where the private sector ends and where government begins. That's what technology has produced. The personal information flows backward and forward across those lines in ways that are difficult to regulate.

Having said that, we have to live with those legacies. I don't think there would be any appetite for scrapping PIPEDA, or scrapping the Privacy Act and building a completely new privacy regime.

We live with those legacies. I do think that as far as possible—and this goes to what my colleagues have said—the powers that are included in the Privacy Act for the Privacy Commissioner should be consistent with those under PIPEDA.