Evidence of meeting #25 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session.

Also speaking

David Fraser  Partner, McInnes Cooper, As an Individual
Michael Geist  Canada Research Chair in Internet and E-commerce Law and Professor of Law, University of Ottawa, As an Individual

11:35 a.m.

Partner, McInnes Cooper, As an Individual

David Fraser

Certainly.

The Access to Information Act mandates transparency, but it has exceptions for unreasonable invasions of privacy, and it has some clarification language about what the thresholds are. Of course, it uses the same definition of “personal information” as in the Privacy Act.

One thing that has been developed in the private sector is a recognition that there's a work product exception, and that a document you produce in the course of your work as part of your job is not your personal information. It's not about you, so you can't use a privacy argument pulled out of thin air to try to stand in the way of disclosing that. George Radwanski was, I think, the first commissioner to bring this up. He had to almost make it up within the statute.

In regard to information about where a particular public servant was posted at a particular time, for example, sometimes I've heard, “That's a privacy issue. We can't let you know that.” Information about their role, their position, and even about their salary is information about government operations that should be transparent.

Information about a deputy minister's calendar, other than doctors' appointments obviously, can be usefully used in order to keep government on their toes and keep them accountable. Too often I've heard, “We can't do that because of the privacy law.” I think there needs to be some real clarification, not just in policy but in the statute, to make it clear that is not an excuse to stand in the way of government accountability.

11:35 a.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

One of the other themes you both mentioned today that has come up in previous testimony is mandatory breach reporting, and also, having penalties for breaches. One of the tensions there, of course, is worrying that an institution, for example, might cover up a breach they're supposed to be reporting because they fear the penalties. We had one witness talk about, not having consequence-free reporting of a breach, but maybe changing the scale of consequence in cases where certain kinds of measures had been taken, including encryption and so on.

Do either of you want to speak to that interplay between reporting and penalty, and give your thoughts on what a successful regime might look like?

11:35 a.m.

Partner, McInnes Cooper, As an Individual

David Fraser

In the amendments put into the private sector law, PIPEDA, by the Digital Privacy Act, there is a threshold that represents a real risk of significant harm. Part of that is a statement of principles, but if the information is encrypted and nobody can get access to it reasonably, that significantly lowers the risk of significant harm, so it might not even trigger the notification threshold. I think that there does need to be some flexibility. You don't want to be too prescriptive in that sort of thing.

Importantly, Parliament introduced new offences into the private sector legislation, through the Digital Privacy Act, related to not reporting those breaches. If you do not report one of those, you can in fact be convicted of an offence. I'm not sure that necessarily works in the public service per se. I think it's worth looking at. There should be an assumption that the government will follow the law if the law says you shall report it.

I would, in fact, be in favour of lowering the threshold for reporting to the Privacy Commissioner so that the Privacy Commissioner can provide knowledgeable, informed input on whether or not the breach actually represents a real risk of significant harm, and the commissioner should himself be able to notify the individuals at the institution's expense if the institution refuses to.

11:35 a.m.

Canada Research Chair in Internet and E-commerce Law and Professor of Law, University of Ottawa, As an Individual

Dr. Michael Geist

David hits on a good point. In a breach-disclosure regime you do need thresholds. People who are ardently pro-privacy are going to say that if we adopt the lowest of thresholds so that just about everything is going to get reported, not only are there going to be significant costs associated with that to organizations, but the reporting and disclosure system is largely going to turn into noise from the perspective of individuals. The whole goal here is to get their attention and to allow them to deal with the issue.

If what we have are notices going out on a daily basis because we have an incredibly low threshold, the news value of those stories will be largely eliminated because it will just be another day, and the individuals will increasingly just ignore them despite the fact that we have a lot of expense.

I think David is right. The issue is how to ensure that the right instances, those where there is a real risk, get reported back to the people who are affected, and at the same time remove the potential reticence of organizations, both in the private and the public sector, to at least do the initial report so that we can engage in a meaningful consideration of the risk.

Lowering the threshold and ensuring that you have a body that will keep it confidential and is well trusted like the Privacy Commissioner offers a pretty nice balancing system that allows for external consideration of the risks involved and also ensures that where there is a real need to know for those who are affected, they are notified.

11:40 a.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

On the slightly different topic of transparency reporting, I just want to ask, is that something the infrastructure already exists for? Is that something that is just a matter of publicly reporting something that departments would be doing anyway? If not, what kind of infrastructure do you need? How big of an organizational change is it to implement regular transparency reporting?

11:40 a.m.

Canada Research Chair in Internet and E-commerce Law and Professor of Law, University of Ottawa, As an Individual

Dr. Michael Geist

I'll start by saying I think it depends a little bit on who's doing the reporting. Let's start with law enforcement and some of those law enforcement requests. We know that it took many years to even get to the point where law enforcement was tracking some of this kind of information. They did so largely because the demands for easier access to this information were being met with questions, “How often are you accessing this? Give us some actual data.” It turned out there was very little data to be had.

We now have some data, but I think it's still fair to say that there are many law enforcement branches that are either not fully collecting all this information or are using a bit of a haphazard mechanism. If there were requirements to disclose, there would also be requirements to more systematically collect.

It seems to me that, in fact, it's in the interests not just of the public having access to information but of those organizations too. We have some of those same entities now saying they want to have easier access to this information, notwithstanding the 2014 legislative compromise and the Spencer decision from the Supreme Court of Canada. I think they've got an onus to at least begin to provide more data on what's actually been happening that moves away from the odd anecdote here or there.

At the moment, we're heavily reliant on what we can learn from either the Internet companies or some of the telecom companies without, as I mentioned, uniformity. I think we need to look at the other side of the coin as well in creating obligations for the systematic collection and then disclosure, and I think aggregating that information is very important.

11:40 a.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you, Mr. Blaikie.

We now move to our last questioner in the seven-minute round, Mr. Erskine-Smith.

11:40 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thank you very much.

My first question relates to information sharing. The Privacy Act governs information sharing. The Privacy Commissioner has recommended written information-sharing agreements between departments.

Mr. Geist, you suggested we need a wholesale re-examination of information sharing with specific reference to the new act. Can we deal with the problems that you identified with respect to the new act within the Privacy Act? Are there ways that we should be changing the Privacy Act to deal with information sharing in a more substantive way, or should this committee be, in our future studies, looking at that new information-sharing act and making recommendations for both?

11:40 a.m.

Canada Research Chair in Internet and E-commerce Law and Professor of Law, University of Ottawa, As an Individual

Dr. Michael Geist

Thanks for the question. On that last bit, I think it's not necessarily an either-or issue. I do think there is unquestionably a role for this committee on some of those issues. For example, one of the other issues that I've been spending a lot of time on lately is the Trans-Pacific Partnership, the TPP. As I'm sure you know, there are multiple committees that have been examining the impact of the TPP. Certainly, international trade, but not just international trade. Agriculture and others are taking a look at the implications of that agreement for their ambits.

I think the same is true when we take a look at what's taking place in that part of the national security consultation. I think there are clear implications for a number of other committees, and not just this committee either. For example, it seems to me it's pretty clear the implications of some of the issues that I've talked about have a huge impact, or would have a huge impact, on the communications industry, the industry committee, or ISAT, or whatever we're calling it nowadays. If it doesn't take a look at those issues, then I think we're missing a piece of the pie.

11:40 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Other than the Privacy Commissioner's recommendation that there be written information-sharing agreements, is there anything else that we could put into the Privacy Act that would help govern information sharing in a more substantive way?

11:40 a.m.

Partner, McInnes Cooper, As an Individual

David Fraser

I would think that a general statement of principle related to that would have a natural home in the Privacy Act, to say that any formal or informal information-sharing arrangements between a government institution and another government institution or another government.... Federal-provincial information sharing takes place all the time, as it does internationally between CRA and the IRS in the United States. Increasingly, we're seeing that sort of stuff. There should be a decision-making framework on what's in, what's out, what's okay, and what's a consistent use, thinking of why the information was collected in the first place. All of those MOUs should be in one place, on one website, and available to the public to really understand what is in fact going on.

11:45 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Perfect.

With respect to remedies and recourse, you touched on them a little bit. There were some questions on this a bit previously. What model would we be looking at? There's PIPEDA, for example, under sections 14 to 16, and there's an application to court and you can seek damages. The last I checked, an illegal strip search was worth $5,000. We're not talking a great deal of money perhaps, but is that the model we'd be looking at, or are there other models we should be looking at as far as judicial recourse and enforcement of remedies go?

11:45 a.m.

Partner, McInnes Cooper, As an Individual

David Fraser

My initial thought is that there is a distinction between going to court to force government to do what it legally is supposed to do and preventing it from doing what it legally is not supposed to do: kind of your classic judicial review, or the implementation of an order to do or not to do something.

When it comes to harm to individuals that has happened in connection with these sorts of things, I would, first of all, want to make sure that there is nothing in the Privacy Act that cuts off that possibility. There is a section in there already that says that no government institution, crown servant, or otherwise, has any liability for any action it takes in good faith under the legislation. That has been used by the federal Department of Justice to say, “We are immune to lawsuits.” That was thrown out by the Federal Court of Appeal in a hearing I was involved with in April.

Again, you want to make sure that individuals who are in fact harmed—because we are seeing an increasing recognition in the case law, in the evolution of the common law in Canada and the civil code in Quebec, that privacy harms can be significant.

11:45 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Should we statutorily enable such claims? Obviously, the current statute.... There is case law now that is undoing what the government would like to rely upon in the statute. Should we actually enable that through the statute?

11:45 a.m.

Partner, McInnes Cooper, As an Individual

David Fraser

I would be careful about doing that. Other privacy statutes, in the rest of Canada, have provisions that allow individuals to seek damages after it has gone through the Privacy Commissioner process. The courts have generally said that this doesn't actually close the door on the other avenues, but you want to be very careful that it doesn't.

You can see a mechanism.... For example, you mentioned, quite rightly, that the privacy harms are relatively modest when it comes to just general damages, hurt feelings, embarrassment, and things like that. It is seldom worth an individual's effort to hire a lawyer and go to court to recover $5,000's worth of damages.

If you want to enable individual claims on a relatively low threshold in terms of the expense, I think that makes a lot of sense, but if you make it so that it has to go through a complaint to the Privacy Commissioner first, then on, there is no mechanism, for example, in PIPEDA for a kind of a class doing that. One applicant gets to go to the Federal Court in order to get a finding and get damages. You don't want to close the door on that, which would ultimately be a licence to the federal government to commit a huge amount of harm for which it would not be legally responsible.

11:45 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

With respect to necessity, it is not an idea we have really explored, but I just want to get at this. I am trying to think of an example. I think there is legislation now introduced in the House with respect to collecting information at the border. CBSA is now going to know when folks leave, and we are going to collect data about how many days they have been out of the country, which we haven't been collecting to date in a specific way. Just tracking that data point and sharing it with other government agencies that perhaps want to know, for example, if someone is making a claim to health or to government services, would that fall within the scope? As we think about necessity, would that fall within the scope of proper information sharing? It obviously enables government to do the job that it should be doing, in terms of making sure services are going to the people they should be going to. Is that consistent with the word “necessity?”

11:45 a.m.

Canada Research Chair in Internet and E-commerce Law and Professor of Law, University of Ottawa, As an Individual

Dr. Michael Geist

I'll start with the typical lawyer response. I think it depends.

I can envision a couple of scenarios drawn out of your particular example. I can envision a scenario where, let's say in Ontario, OHIP or the provincial Ministry of Health has reason to believe that an individual has been outside the province or outside the country for an entire year and thus shouldn't qualify for health insurance. There is some evidence to that effect, so as part of its more routine anti-fraud investigations, it looks to find different data points it can collect. One can argue that in those instances it is necessary.

A different situation, though, might well be that there are claims that one way to reduce health care spending at a provincial level is to try to weed out those who aren't eligible who are claiming so that we need to be actively monitoring everybody's movements to try to proactively identify who doesn't qualify and thus remove them from the insurance rolls. That doesn't strike me as a particularly wise thing to do and wouldn't meet the kind of standard that we might want to establish.

11:50 a.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much.

Mr. Fraser, answer briefly if you can, please.

11:50 a.m.

Partner, McInnes Cooper, As an Individual

David Fraser

I was just going to say that there is a continuum. You can always find a second, third, fourth use for information that has been collected. I do think that there needs to be reasonableness put in there, but having transparency about what government is doing, how they are doing it, and for what purpose allows Canadians to actually understand what is happening and to question it if it's problematic.

11:50 a.m.

Conservative

The Chair Conservative Blaine Calkins

That was a good discussion.

We move now to the five-minute round with Mr. Jeneroux.

11:50 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Thank you.

Getting back to my previous question, Mr. Fraser, we'd love to hear some of your comments—quickly—about blending technology into the act and how much we should consider in the act to keep up with emerging technologies and so forth.

11:50 a.m.

Partner, McInnes Cooper, As an Individual

David Fraser

One of the wonderful things about Canadian laws generally is that they are usually technologically neutral. You don't focus on a technology.

Certainly, technological changes can necessitate a kind of revisiting and updating, which obviously is the case here with the Privacy Act, but I think what has driven the need to update the Privacy Act actually isn't technology. That fed into it, but in fact it was people's differing expectations and understanding of what privacy is, having more control over your personal information and more of a say in those sorts of things, and recognizing that privacy harms can take place.

In 1983, the question was much more 1984-related in terms of “we need to regulate what the government collects because you'll end up with Big Brother”. In this day and age, there's just so much information that's collected everywhere, not just in government but elsewhere, that Canadians' expectations of privacy have evolved, and the statute needs to do that.

If the committee is going to suggest wording changes in the statute, for example, I would caution you to avoid dealing with the technology. It's better, I think. PIPEDA is a real model of how you can come up with a privacy statute that's based on principles, bedrock principles that I think most Canadians can get on board with. That's the skeleton on which you put the meat, but you want to make sure that it will in fact stand the test of time. As an additional protection, the five-year reviews are imperative for a statute such as this.

11:50 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

That's great.

If I could, I'll get both of you to comment on the recommendation by the Privacy Commissioner to extend the act to the ministers and to the Prime Minister's Office as well. I think you've loosely touched on it, but if you don't mind commenting a bit again, we could have some of that on the record as well.

11:50 a.m.

Canada Research Chair in Internet and E-commerce Law and Professor of Law, University of Ottawa, As an Individual

Dr. Michael Geist

I'm supportive of that recommendation, and supportive of it for the same reason that I'm supportive of some of the shift toward thinking about access to information in a more wholesome manner that captures some of that as well, which I know the government has talked about.

Again, when I think about some of the issues that I have focused on in the past, that divide between ministerial offices and departments is increasingly blurry. That's not to say that the department doesn't function as a department in providing the best advice it can to the minister's office—of course it does—but the decision-making and policy development now occur not just in the department. They quite clearly occur very often in the ministerial offices, so from my perspective, having an understanding of those processes and ensuring that they are subject to the same kind of transparency and openness requirements is important. That means ensuring that the Access to Information Act covers it, but I think it also means that the Privacy Act does as well.

11:50 a.m.

Partner, McInnes Cooper, As an Individual

David Fraser

I would generally agree with that, although I would add that I think there's a difference between the Privacy Act and the Access to Information Act in this. One can understand that you have cabinet confidences and things like that, but there shouldn't be a system that would allow an office within the functioning of government to collect information and use it in a way that otherwise would be completely unlawful. You end up with a complete zone of non-regulation in that particular place. You wouldn't want to, for example, set up a system that would encourage a program to be operated out of a minister's office in order to avoid the functioning of a quasi-constitutional statute.