Information & Ethics Committee on Sept. 29th, 2016

There are. It's not so much a working group as it's an issue that I've done a lot of writing on. I appeared before the committee on international trade and was one of the panellists at one of the town halls that the government held on the TPP.

There are some privacy provisions. The TPP has an e-commerce chapter, which is really a first in many ways for a trade agreement of this kind, certainly for Canada. It includes some privacy provisions. In my view, it establishes an incredibly low threshold. It does so largely for the private sector. It calls on TPP countries to establish privacy rules, but in a footnote notes that if companies simply put out privacy policies and then there is an enforcement arm to ensure that those privacy policies are abided by, that is sufficient. That's a nod to the United States, which doesn't have overarching privacy rules.

I suppose the position I've taken on the privacy provisions in the TPP, like many of the digital provisions, is that I thought Canada has a good story to tell and has policies, whether it's on privacy or in a number of other areas, that I think reflect considered long-standing discussions and debate about striking appropriate balances, because there's always a balance to be struck on a lot of these issues. Unlike the United States on a lot of these digital issues, which looks to these trade agreements to try to proactively take their policies and see them reflected in trade agreements so that they'll be reflected in other countries, which has the effect of seeing better laws all around the world but also of ensuring that their companies and others know that if they're compliant locally they can look to the same kinds of regimes elsewhere, I thought the Canadian negotiators were really disappointing in that regard and simply didn't prioritize those kinds of issues. Canadian businesses that seek to comply with Canadian rules under our Canadian system won't see those same kinds of rules reflected elsewhere due to the TPP, which I think is a missed opportunity at a minimum.

Those companies still have to meet Canadian standards if they operate in Canada or are collecting information, let's say in the privacy context, from Canadians. It's not that they get a free pass in that regard. It's that, if we take a look at the U.S. strategy, notwithstanding the claims that people like Donald Trump are making about whether or not the U.S. is a winner or loser on the TPP, the U.S. has long sought to carefully and closely align its commercial interests with its trade policy. They actively discuss with their businesses about where they're headed and they try to ensure that their businesses' priorities and their legal systems are reflected, because they believe there's a competitive advantage in having that reflected in trade agreements.

Canada didn't do that in the TPP. It's one of the reasons why you see some prominent business leaders being highly critical of the agreement. I think, as I say, it's a mistake that ultimately puts us at a bit of a competitive disadvantage.

I think the starting point is to not send your work emails through your own server at home.

It feels a bit more like an access to information issue in many respects. The question of emails has been challenging, because of course we want government, the bureaucracy, and others to adopt efficient means of communication. I have launched the occasional access to information request, and if you ask for all records, you get emails as well. There was a time when those revealed a lot, of course subject to all the various exceptions, and those exceptions also removed a lot. Nevertheless, you could often read between the lines on quite a lot because they revealed a fair amount.

Once certain departments, in my experience, found that people were asking for that data, one of the things that started happening was that people stopped communicating via email and started finding other ways that fell outside of that. Part of the discussion on Clinton has been revelations about her discussions with, I think, Colin Powell, and there has been talk about how you can structure a communication system that falls outside of the act.

I think in some ways we've had some of the same kinds of things take place here with people either engaging in discussions that they ensure don't take place by email—the so-called PIN discussions through BlackBerry—or sometimes even doing direct messaging through Twitter. They are finding mechanisms that may fall outside of that system.

My response is that, by and large, where the discussions fall within the discussions of government and policy and the like, and the act applies, the solution isn't to try to find ways to get around those rules. The solution is to try to ensure that the legislation is sufficiently robust to cover them.

This is Right to Know week, and in fact there's been a lot of discussion about that particular topic in connection with transparency within government. Part of it is a notion of a duty to document, which I think touches on an important thing that Michael just raised, that government decisions need to be properly documented and they need to be documented in the proper way and in the proper place, which should be on government-managed information systems. I'm a strong believer in keeping your personal emails out of your work inbox and keeping your work emails out of your personal inbox. There should be a divide between them.

I think it should be possible. I think the commissioner should have the ability, because there are, no doubt, vexatious litigants out there and there are people who abuse the process. You would want to institute it with the appropriate checks and balances and possible judicial review, because cutting somebody off from redress under the Privacy Act is a pretty significant step given its quasi-constitutional status in Canada.

I've seen a lot of abuses of the statute, and certainly I'm sympathetic to a commissioner having to open a file and go through the whole process for something that really, at the end of the day, they know is going to go nowhere. However, I really hesitate to give anybody a tool that cuts somebody off from effective legal redress.

I think that's probably too blunt an instrument since every case stands on its own. The courts have developed a meaningful test for what is a vexatious litigant. I don't think you need to recreate anything out of whole cloth. There's something already there. It always does take into account the nuances and the circumstances. I think that's probably appropriate.

I would not want to see an enormous amount of resources wasted for nothing, but again as I said, I'm concerned about cutting people off from effective redress.

I'll start by saying that I think we do need to flesh out some of those issues. I think it's an important one, and I'm glad we've had the opportunity to talk about it.

For some of the kinds of information we're talking about, consistent with some of the remarks David made at the very outset, there isn't a consent issue there. Some of it will get collected. That's simply a fact. There is this spectrum, and I think David referred to it, where there are certain kinds of uses that don't raise particular concerns or perhaps are sufficiently important that we would say, yes, you ought to be able to use it in those circumstances, provided it's appropriately documented and there are the appropriate kinds of oversight.

There are also, even implicit in your question, departments whose interest in the information may not be in the personal information, per se, but rather in the aggregated data. On the private sector side, the way organizations often deal with information is to say they don't really care about the individual, but they do care about that aggregated data. There may be aggregated data where we can say that as long as we're able to separate that out and find mechanisms to remove the personal side from it so that it's used in an aggregated fashion, there's actually a lot of value, and government can act in a smarter fashion.

It's probably a somewhat unsatisfying answer to again come back to “it depends”, but what we need are rules that recognize that there may be times when those secondary uses can happen without implicating the personal side of personal information. There may be secondary uses that it's kind of nice to have. In those circumstances, appropriate levels of consent seem to me to be the order of the day. There may be instances when it's essential to have access to that information. We need a sufficiently robust oversight and reporting system that doesn't necessarily stop the sharing in those circumstances, because we recognize the import of the sharing. Rather, we need a system that ensures that there is not misuse and that there is appropriate transparency associated with that activity.

I'm in general agreement. There is a recognition in most privacy statutes, and even in the public sector, that you collect information for a purpose. It has to be authorized by law or it has to be reasonably connected to an operating program of the public body. That information can be used for that purpose or for a use compatible with that purpose. There is a body of case law, within the commissioners at least, that talks about that: what is that compatibility?

I think part of it has to do with a direct connection. Is there a direct connection between tracking somebody's status leaving and determining whether there's a likelihood that somebody's going abroad to engage in terrorist activities? Those are both national security contexts. You see those as being relatively adjacent and possibly justifiable. CBSA sharing that information with CSIS might make sense in the circumstances, but that should be under an information-sharing MOU that should be available for public scrutiny. If they want to share it with the tourism department, for example, I can't imagine that being so directly connected.

The nature of the information needs to be taken into account. How sensitive is it, and really, on balance, is it worth doing this? You also have to be mindful of Canadians' expectations. You can always think that any little bit of data the government has can probably be useful someplace else. You need to think about whether it's reasonable in the circumstances that it would be used in that other place, particularly when you look across the very broad diversity of government institutions. The Department of Health provides primary health care to the aboriginal people of Canada. That's a huge amount of very sensitive information about individuals that should never find itself over in Stats Canada, other than in the aggregate, or that shouldn't find itself over in CSIS just because the government of the day has decided to knock down the walls between the departments.

That is a very big question, and it raises a number of different aspects that I think are relevant for this study. One thing that I think is very important is the ability of a member of Parliament to help an individual constituent. That's already in the Privacy Act. Maybe it's worth making that a little bit more robust. The next step is to make sure that it is as easy as possible for an individual to get meaningful redress from the office of the Privacy Commissioner of Canada, making sure that the commissioner has the ability to get all the relevant information to find out what went on.

I mentioned earlier the possible offences related to somebody intentionally flouting their legal obligations under the statute in order to hold people accountable for actual mischief, not just administrative mistakes, which can happen in a large organization. One example that you have given provides a number of opportunities to think about the different layers and different points in time of what a good system will look like. Ultimately, if that person is actually harmed, is there a mechanism by which they can get effective redress? Somebody can be kicked off a benefits program for a year, and that can have a significant impact on their income, things like that. They need a way to make things right, because now, way more than in 1983, we recognize that harms to privacy are real harms.

I think it's a good point. It would make for a really interesting, lengthy discussion. Depending on where you go around the world, the perspective on the kinds of privacy protections you should have and the import of either the private sector side or the public sector side varies. There are places where there is more trust of government than there is of the private sector, so there is a tendency to think, “Well, at a minimum I need to hold a very high standard on the private sector side because I'm less trusting of them.”

I was in Europe earlier this year with a group of digital civil liberties groups. In that kind of context, a lot of the talk was on surveillance. When they were asked what they were most concerned about, it wasn't the NSA, let's say, but it was companies like Google. They were much more concerned about what the private sector side was doing. If you go to other places, perhaps south of the border, I suspect there is more trust of some of the companies with information than there is of government. I think the answer to that varies. Here in Canada, I'm not sure. We probably fall a bit into the mushy middle. I think we have a fair amount of trust of both, probably more trust of government than we do sometimes of companies.

Regardless, in terms of where the law lands, I'd come back to where I started earlier today, which is that I think there are benchmark standards, principles that by this point in time are fairly tried and true and are seen as what a modern privacy law has. The Privacy Act doesn't have them. PIPEDA certainly does a better job of reflecting them. I don't know that these have to be identical. We've spent an hour and a half now talking about some of the nuances that exist in the public sector side that may not be matched in exactly the same fashion with respect to the private sector; nevertheless, some of the core principles remain largely the same, if we're talking about privacy rules that provide people with at least the appropriate level of confidence about how their information is collected.

In that sense, today, it's pretty clear one of these is not like the other. It's the Privacy Act that is in real need of updating.

Actually, if I can be very brief, I think one of the significant needs for Privacy Act reform is the change in the expectations of individuals with respect to what privacy is, what it's about. I think that change was informed significantly by the influence of PIPEDA. That is the standard by which people expect their interactions with business to operate. I do think you should line those up as best you can so that consumers' and citizens' privacy expectations are generally the same and are accorded the same amount of respect in each. They don't map perfectly, but there's a reason they're called fair information practices and principles. To the extent that those principles can be expressed in a statute regulating government, that should be the goal.