Information & Ethics Committee on Sept. 29th, 2016

Thank you very much.

Thank you for the opportunity to speak about this statute, which is one of the most important statutes we have to regulate the interaction between individual citizens and their government.

The Privacy Act was great for the 1980s, but much has changed since then. This committee has heard a lot about changes in technology, but I think one overarching consideration is changes in people's expectations. We have seen developed, in a number of different jurisdictions across Canada, much more modern privacy laws. We have the Personal Information Protection and Electronic Documents Act, which regulates the private sector and is based on fair information practices. I believe this committee has also heard a lot about the new ATIPPA statute in Newfoundland. You had the benefit of speaking to the committee responsible for the report that led to its complete revamp.

One thing worth noting, when you are looking at this statute compared with other more modern privacy statutes, is that consent generally does not work in the government context. Individual citizens don't choose, for example, the government with which they deal, compared with choosing which bank they go to, and things like that.

One thing I want to emphasize, first and foremost, is that I have had the opportunity to review and actually contribute to the Canadian Bar Association's submissions over the years. Although I am speaking in my own capacity, I generally agree with everything that's in there. Also, I am in general agreement with what has been noted and asked for in the Privacy Commissioner's submissions to this committee over the course of a number of years. There are a couple of things I would like to specifically highlight that I think are important to look at.

One is what could be a basic technical fix, which is to remove the requirement that personal information be recorded in order to be subject to the statute. Information that is just stated orally, that is handed over.... The statute can be interpreted such that the disclosure of information orally is not captured within the statute, and that is a significant gap.

I also think that there should be a provision in the statute to clarify that the work product of public servants should not be considered to be personal information of those public servants. This statute should work hand in hand with the Access to Information Act to encourage transparency of government operations. Unwarranted calls for privacy standing up in the face of government transparency are problematic and something that can be quite easily addressed.

The rest of my recommendations or suggestions would probably be lumped in under three different categories: accountability, transparency, and overall making the statute effective.

Under the accountability banner, I would think that we need more clarity, as citizens, about how government manages the personal information of its citizens. We have the personal information banks and info source systems, which I don't think are entirely effective. There needs to be more proactive disclosure to citizens about how their information is used, who is responsible for it, and which government department is using it.

There should also be a necessity test, which is something this committee has heard about, with respect to the collection of personal information. The government institution should collect only information that is necessary for its functioning activities.

I think there should also be an element of personal accountability within the statute, which is missing. Many more modern privacy laws, particularly health privacy laws but also others across the country, have an offence provision that if an individual or even an institution, unlawfully and usually with knowledge, is in violation of the statute, they can be charged under that. We have seen a large number of privacy breaches across the country related to individuals just browsing through large databases for their own entertainment, and charges being brought against those individuals in various provinces. I think that's something that should be introduced into the Privacy Act.

Under the heading of transparency, fair information practices are generally based on notice and consent. As I said, consent isn't something that generally works in the public sector context, but I do think that there needs to be more proactive communication to citizens about what the information is going to be used for in order to justify its collection. Other jurisdictions regularly include privacy notices on the forms that they require citizens to complete, letting them know and setting their expectations with respect to why the information is necessary, how it is going to be used, who is going to be the custodian of that information, and how they can get access to it and have it corrected, if necessary, to exercise their other rights under the statute.

Also in connection with transparency, I think that the Privacy Act should specifically give the commissioner an education mandate, but along with that it should also give the commissioner the ability to publish reports of findings of investigations under the Privacy Act.

Currently the commissioner publishes such findings for private sector investigations, but we need more guidance. Transparency about what the government is doing with respect to personal information would be significantly served if there were such an obligation, or at least the mandate and the ability for the commissioner to report findings. In the annual report that the commissioner issues each year, there are summaries of some notable cases, but I think we would all benefit from understanding what government departments are doing with people's personal information. Having that information out there, particularly if it's found that the government department has not acted properly, would serve a significant education mandate for all government departments, but also for citizens generally.

I do think we need to have breach notification if there's a breach of security safeguards, similar to what was added to PIPEDA in the Digital Privacy Act, an obligation on the part of the government institution to notify both the Privacy Commissioner and notify affected individuals if a proper threshold has been met. I think the one in the Digital Privacy Act is a reasonable one.

Then ultimately, there's making it effective. I'm not a fan of order-making powers. I think the ombuds model works, but I have come around to see the wisdom of the Newfoundland hybrid model, where if a government department is not going to follow a recommendation with respect to any obligation under the Privacy Act—collection, use, disclosure, or other safeguards—the department should have to stand up in front of a court and justify it and explain why it doesn't have to. In effect, that puts the onus on the government department, and we would end up with a body of case law that would be more clear. That could be by an expedited application process, which is already the procedure under PIPEDA, so that these don't turn into significant, huge federal cases.

Those are the highlights of my recommendations for the statute. It is really outdated, really antiquated, and I don't think it accords with the evolved expectations of individuals about how their information is going to be collected, used, and disclosed. We shouldn't tolerate a quasi-constitutional statute that's at least two generations out of date.

Thank you very much.

Thank you.

Good morning, everyone. As you heard, my name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law.

My areas of specialty are digital policy, intellectual property, and privacy. I served for many years on the Privacy Commissioner of Canada's external advisory board, and I have been privileged to appear before many committees on privacy issues, including things such as PIPEDA, Bill S-4, Bill C-13, the Privacy Act, and this committee's earlier review a number of years ago on social media and privacy.

I appear today though, as always, in a personal capacity representing only my own views. As you know, there is a sense of déjà vu when it comes to Privacy Act reviews. We have had many studies and successive federal privacy commissioners who have tried to sound the alarm on legislation that is viewed, as you just heard, as outdated and inadequate. I think that Canadians rightly expect that the privacy rules that govern the collection, use, and disclosure of information by and within the federal government will meet the highest standards, and for decades we have failed to meet that standard.

I would like to quickly touch on some Privacy Act concerns, but with your indulgence I'll talk a bit about some of the other broader privacy law environment issues in Canada that I think are really directly related to the Privacy Act.

First though, on the Privacy Act—and this is going to sound familiar as I have flagged some of the same issues that David did—I think the Privacy Commissioner of Canada has provided this committee with many very good recommendations, and I endorse the submission. As you know, most of those recommendations are not new. Successive commissioners have asked for largely the same changes, and successive governments of all parties have failed to act.

I want to highlight four issues in particular with respect to the current law, and as I say, David has flagged some of them already. The first is education and the ability to respond. The failure to engage in meaningful Privacy Act reform may be attributable, at least in part, to the lack of public awareness of the law and its importance. I think the Privacy Commissioner plays an important role in educating the public, and has done so on PIPEDA and broader privacy issues. The Privacy Act really needs a similar mandate for public education and research. Moreover—and you just heard this—the notion of limited reporting through an annual report, I think, reflects a bygone era. In our current 24-hour, social-media-driven news cycle, restrictions on the ability to disseminate information, particularly information that can touch on the privacy of millions of Canadians, can't be permitted to remain outside of the public eye and left for annual reports when they are tabled. Where the commissioner deems doing so to be in the public interest, the office must surely have the power to disclose in a timely manner.

I also think we need to think about strengthening protections. As you've heard, the Privacy Act falls woefully short of meeting the standards of a modern privacy act. Indeed, at a time when government is expected to be a model, it instead requires far less of itself than it does of the private sector. A key reform, in my view, is the principle of limiting collection, a hallmark of private sector privacy law. The government should similarly be subject to collecting only that information that is strictly necessary for its programs and activities.

I'd also flag, as David did, breach disclosure, which has been commonplace in the private sector privacy world, and it has long been clear that similar disclosure requirements are needed within the Privacy Act. The Treasury Board guidelines are a start, but legal rules, in my view, are essential. In fact, the need for reform is even stronger given the absence of clear security standards within the act. Provisions that establish such standards and mandate disclosure in the event of a breach are crucial to establishing an appropriate level of accountability and ensuring that Canadians can guard against potential identity theft and other harms.

The final issue is privacy impact assessments. As you all know, privacy touches us in many ways, and it similarly is implicated in many pieces of legislation. I recall that during the last session of Parliament, the Privacy Commissioner regularly appeared before committees to provide a privacy perspective on many different pieces of legislation. This approach of coming in after the legislation has been drafted at the committee, I think, runs the risk of rendering privacy as little more than just an afterthought. It's more appropriate to conduct a privacy impact assessment before legislation is tabled, or, at a minimum, at least before it's implemented.

Those are some of the issues on the Privacy Act side, but as I said, I wanted to talk about three bigger picture issues that I think are some of the moving parts in the federal privacy world.

The first has to do with Bill C-51's information-sharing provisions. I realize the government is currently consulting on national security policy, and there's, as you know, a particular emphasis on Bill C-51. From my perspective, one of the biggest problems was the information-sharing provisions. The privacy-related concerns stem from an act within the act in Bill C-51's Security of Canada Information Sharing Act. As you may know, the sharing of information went far beyond information related to terrorist activity.

It permits information sharing across government for an incredibly wide range of purposes, most of which have little to do with terrorism. The previous government tried to justify the provisions on the grounds that Canadians would support sharing of information for national security purposes, but the law now allows sharing for reasons that I think would surprise and disturb many Canadians, given how broadly those provisions can be interpreted.

Further, the scope of sharing is very broad, covering 17 government institutions, many of which are only tangentially related, if at all, to national security. The background paper on the national security consultation raises the issue, but in my view appears to largely defend the status quo, raising only the possibility, it seems to me, of tinkering with some clarifying language. If we don't address the information-sharing issue, I fear that many of the potential Privacy Act improvements will be undermined. I think this requires a wholesale re-examination of information sharing within government and the safeguards that are there to prevent misuse.

Second, I want to talk about transparency and reporting from a slightly different perspective. As many of you may know, in recent years, there have been stunning revelations about requests and disclosure of personal information of millions of Canadians, millions of requests, the majority of which are without court oversight or warrant, which I think points to a real weakness within Canada's privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used.

Recent emphasis has been on private sector transparency reporting. Large Internet companies such as Google and Twitter have released transparency reports, and they have been joined by some of Canada's leading communications companies such as Rogers and Telus. There are still some holdouts, notably Bell, but we have a better picture of requests and disclosures than we did before. However, these reports represent just one side of the picture. Public awareness of requests and disclosures would be far more informed if government also released transparency reports. These need not implicate active investigations, but there is little reason for government to not be subject to the same expectations on transparency as we expect of the private sector. Indeed, the Liberal Party focused on transparency in its election platform. Improvements to access to information are absolutely critical, but transparency is about more than just opening the doors to requests for information. Proactive disclosure of requests for Canadians' information should be part of the same equation.

Third and finally, I want to talk briefly about government-mandated interception capabilities and decryption. The public safety consultation that I referenced, which was launched earlier this month, has been largely characterized as a C-51 consultation, but it's much more. The return of lawful access issues threatens to scrap the 2014 lawful access compromise, and I think raises some really serious privacy concerns.

For instance, the consultation implies that “lack of consistent and reliable technical intercept capability on domestic telecommunication networks” represents a risk to law enforcement investigations. Yet left unsaid is that the prior proposed solutions in the form of government-mandated interception capabilities for telecommunications companies were rejected due to the enormous cost, inconsistent implementation, and likely ineffectiveness of standards that would exempt many smaller providers. Creating government-mandated interception capabilities for all providers represents an enormous privacy risk that I think runs roughshod over both PIPEDA and the Privacy Act.

Further, the consultation places another controversial policy issue on the table, noting that encryption technologies are “vital to cybersecurity, e-commerce, data and intellectual property protection, and the commercial interests of the communications industry”, but lamenting that some of those same technologies can be used by criminals and terrorists.

Given its widespread use and commercial importance, few countries have imposed decryption requirements. This year's controversy involving access to data on an Apple iPhone that was owned by the San Bernardino, California, shooter revived debate over access to encrypted communications. The consultation asks Canadians to comment on circumstances under which law enforcement should be permitted to compel decryption. A move toward compelling decryption, in my view, would place more than just our privacy at risk. It would also place our innovation strategy and personal security in the balance.

In conclusion, fixing the Privacy Act is long overdue. There is little mystery about what needs to be done. Indeed, there have been numerous studies and a steady stream of privacy commissioners who have identified the problems and called for reform. What has been missing is not a lack of information, but rather, with all respect, a lack of political will to hold government to the same standard that it holds others.

I look forward to your questions.

I could start if you like, and I'd start first by thanking you for those really kind words. It's almost as if my mother were on the committee. Thanks so much. That's really kind.

This represents one of the most challenging issues that we face. Notwithstanding the fact, as I indicated, that I feel like there has been a lack of political will to address what's clearly a thorny issue, part of the challenge is how you strike some balance in these issues.

When I think of some of the exceptions that we find in the act and what we saw coming out of Bill C-51, I think there is a broad desire to recognize that in a data-driven world there is value in that data and we want government to be smarter and to act smarter and be able to use some of that information. Part of it stems from thinking about safeguards that can be adopted by government that are similar to what we find within the private sector, the de-identification of data in many instances, so that the value in the data may not come from specific individuals but rather comes from the information in aggregate and looking to government to adopt some of those same kinds of practices.

Where that's not possible though we have to start thinking about strengthening some of the reporting mechanisms from within government and creating stronger oversight mechanisms within government, recognizing that there are going to be instances in which sharing is important, and sometimes on an emergent basis, has to happen. But what we haven't had, and this was touched on by both of us off the top, is a framework of accountability that allows for the public to better understand when that's happening to allow independent officers to conduct more effective reviews and then ensure that the public is aware that's happening when it does indeed happen.

I'm happy to provide my thoughts on that.

The Privacy Act is well placed to consider metadata as a concept. The definition of personal information in the statute, if it's fixed in order to deal with the recorded or not recorded thing, is information about an individual. Metadata is information about an individual whether you're talking about metadata or the actual content, that's all information about an identifiable individual and it's all personal information.

With respect to specific uses or collections, authorities to collect information, particularly for national security purposes, it does make sense that it would be located in a statute related to national security.

My thinking on that topic is that for years I have been hearing principally from law enforcement people suggesting that metadata is like dust; it's nothing. In fact, metadata can be everything when it comes to information about people's biographical core. Certainly your travel itinerary doesn't tell you who you spoke with at the end of your journey but it tells you where you went and how long you were gone for and all that sort of information. I do think it needs to be managed as personal information. To suggest that it's something completely apart from personal information trivializes it, and I think it's actually a bit deceptive.

I would largely echo David's comments.

I can recall appearing before a couple of House and Senate committees on Bill C-13, the lawful access bill, and much of the discussion for many of the witnesses was to try to emphasize the import of metadata. It's refreshing to have the issue raised right off the top and to have a recognition of the privacy import of that information.

I think the privacy community and the technical community, both of which have come forward on these issues, have consistently tried to argue that what we need is to take metadata far more seriously as a privacy issue. That has been largely missing. Frankly, we were met with largely dismissive responses and the law enforcement perspective that this is little more than dust and the sense that, somehow, lower thresholds were appropriate.

Yet when you take a look at what that metadata can ultimately reveal, as authorities in the United States have sometimes said.... I think Stewart Baker, the former general counsel of the NSA, has said, “We kill people based on metadata”.

The value of that information and the potential import of that information is huge, so I don't think it's a question of where it appears. I think it's actually essential that we address it as equivalent to some of the most sensitive privacy information that we potentially have both in our Privacy Act and in other legislative instruments where that same data is touched on.

I could start by saying that, interestingly, Canada itself, on the private sector side, for example, has been viewed as a model. That's not to say that PIPEDA is perfect. It is not.

There is definitely room for improvement there, but if you take a look at some of the competing perspectives on privacy, you see that the European perspective tends to adopt more of a human-rights-oriented approach, and the U.S. perspective tends to be somewhat more commercially oriented. The Canadian compromise, I think, is generally viewed as a good one.

What makes the Canadian approach an effective one, I think, is that it's based on international privacy principles, principles that have been updated over time. If we want to look to what kind of standard or what sort of example we need, I don't think we have to look far. Those kinds of standards, the kinds that I think you've heard about pretty consistently now, are not reflected in the Privacy Act today. The starting point is to do a mapping, in a sense, of what is seen as the standard and to look for ways to ensure the Canadian law measures up.

Certainly. Not having any teeth in the legislation I think is ultimately problematic. Forcing the individual concerned to be the one who goes to court and has the onus of proving to the judge that somehow their rights have been infringed I think places too much of a burden on the individual. Also, when you simply look at the economics between the two—the government and an individual—that's a pretty daunting prospect for an individual.

There is probably greater opportunity when the commissioner doesn't have the ability to compel the person to do something, but does have a lot of authority in terms of the ability to sit down and discuss it. I've certainly seen this in the private sector. It's a much less confrontational approach. The commissioner would have the ability to work with the public body in order to exercise moral suasion to convince them that “this is it and that ultimately this is the recommendation”. Then, if the government institution decides that they're not going to follow that recommendation, they should be the ones to stand up in front of a judge and say that they're not legally required to do this. You can clearly have a difference of opinion.

To me, it's as much not wanting to change the character of the interaction between the office and the individual, or the office and the institution, and wanting to make sure that the onus is properly on the right party, and also that the burden ultimately is on the right party. I do think it also allows a greater degree.... If the commissioner has an education mandate and an advocacy mandate and all these other sorts of things, you don't want to turn the commissioner into essentially a tribunal as well. You want to separate that as well. The commissioner makes a recommendation. If the institution decides not to follow it, the onus could be on them to justify that.

I do. Most of my thoughts, I must admit, are within the private sector context. I haven't been privileged enough to see what takes place within those internal discussions between the Privacy Commissioner and a government department. I do believe—and I guess I would differ with my colleague—that order-making power is necessary, certainly in a private sector context.

I say that for at least a couple of reasons. I think the experience we've had over the last number of years demonstrates that real penalties matter. The Conservative government was sometimes criticized for its position on some privacy legislation, but one area in which it enacted very tough rules—and I think we've seen some of the effect of that—was the anti-spam legislation. There are debates about the legislation to be sure, but what I think is indisputable is that the legislation had the effect of getting businesses' attention in a way that legislation without teeth doesn't. We see that difference.

I would also say that we now have enough experience with companies being quite willing to disregard the Privacy Commissioner's views that I think a tougher position is needed. A classic example would involve Bell—it comes up again, I suppose—in the decision involving relevant targeted advertising. There has been a long process of investigation, with input from many Canadians. I think they got more complaints over that particular issue, when it started getting some attention, than over virtually any other. The commissioner has made a finding, and Bell's initial position is “well, that's nice; that's your view; we disagree”.

It's not clear to me, given the import we place and the responsibility we place on the Privacy Commissioner, how companies can adopt that position and basically say, “See you in court, and let's litigate this for a few years before we decide what will take place”. Bell ultimately backed down, but I think the presence of order-making power would have changed that dynamic considerably.

I can start by saying it's always a challenge to keep pace with technology, and we all, I think, recognize that the legislative process moves at a different speed than technology does. That's, I think, a given. Filling in where technology has raced ahead and there is a need for an urgent response, I think, at times will make sense. But at the same time, I do think you have to get your foundational pieces of legislation right, and that means updating them on a pretty regular basis.

In fact, it was the Conservative government that on at least a couple of areas that are really my bread and butter in a sense—copyright and privacy—made a strong point of saying that they wanted to build in mandatory reviews to ensure that the legislation would stay up to date in a rapidly changing environment. A copyright review will take place next year. PIPEDA was one of the first to try to do the same thing by saying we'd have a mandatory review every five years. I don't think that's been well respected, quite frankly.

I think you have to get the foundation right. While there is a role for supplementing legislation where issues emerge, this legislation scarcely covers the VCR era. We're going back a long way if we're trying to think about the technology that was relevant at the time the legislation first came in versus the technology of the world we live in today. Notwithstanding some of the efforts to address some of those issues through directives and the like, what we fundamentally need is to re-establish what the baseline happens to be.