Thank you, Mr. Chair.
First of all, I'd like to express what a pleasure and honour it is to be back before you today. It's a bit of a homecoming. I'm truly honoured to be able to help inform your debate on a topic of such importance.
I will be giving my presentation in both official languages. I guess 27 years as a public servant has made a lasting impact. So I will start in French, but continue my remarks in English.
I should tell you from the outset that I'm in total agreement with the recommendations of the Privacy Commissioner of Canada concerning the reform of the Privacy Act
To avoid exceeding my allotted time, I have chosen to expand on what I consider to be the priority recommendations. Naturally, during the question period, I will be happy to elaborate on any recommendations I have not mentioned due to time limitations. Without further delay, I will move on to the first point I wish to make.
My first recommendation is about the requirement for written agreements governing the sharing of personal information. In support of this recommendation, I refer you to two documents: Justice O’Connor’s report as part of the Commission of Inquiry into the Actions of Canadian Officials in relation to Maher Arar; and the special report entitled "Checks and Controls" that I tabled in Parliament on January 28, 2014, with the assistance of the wonderful staff at the Office of the Privacy Commissioner, and with input—this deserves to be emphasized—from five experts in national security.
Let's begin with Justice O'Connor's inquiry report in the Arar matter.
In his report, Justice O’Connor concluded that by sharing personal data about Mr. Arar with foreign authorities, Canadian government authorities had contributed to the torture of an innocent person. In the hope preventing this from happening again, he recommended that Canada better control the transfer of personal information to foreign agencies. This shows how topical the Privacy Commissioner's recommendation is.
In the introduction to the special report that I filed on January 28, 2014, the experts we consulted mentioned the levelling of territorial boundaries, be they national or international, as a decisive change in the public security context. This change necessitates the sharing of personal information.
Given this convergence of necessity and risk, I believe the requirement for written agreements to better govern this sharing is needed for two major reasons: the protection of fundamental rights, and the accountability of government agencies in protecting these fundamental rights. The Commissioner's recommendation is therefore very relevant, and even urgent, in this regard.
Let's move now to the second recommendation that I would like to underline in my list of priorities. It is restricting collection to a government program by relevance to activity.
On this front, I would actually like to go further than the Privacy Commissioner. I fully support his proposal; however, I would prefer to tie the requirement of necessity not to the program or activity, but to the Canadian Charter of Rights and Freedoms. The reason is that it would be stronger protection.
Indeed, let me show you through a concrete example in the work that I did for nearly six years how the linkage outside the program or activity is superior.
In 2009 at the OPC we received a privacy impact assessment from the RCMP to roll out a program whereby a camera mounted on the cars of the RCMP would pick up licence plates. Automatic licence plate recognition was the name, and it would retain information about, let's say, non-executed warrants or interventions that had to be effected and could not be effected, a suspended driver's licence, for example.
It would keep the data that did have a match in the police database for two years, and it would keep the data that did not have any match for six months. In other words, the data—meaning the licence plate recognition of Mrs. So-and-so, who happened to be doing her groceries at this time at this supermarket—would be held for six months, in spite of no contravention of the law whatsoever. We questioned that, and the RCMP said, “Well, it's part of the program”, to which we said, “But it does not meet the standard of necessity under the charter, and the charter has precedence over every other law”. The RCMP indeed took that out and did not retain the innocent person's information.
That, to me, truly shows that there is superior protection where you link it to the charter, rather than embed it in a justification of the program.
The third priority I will underline is to require federal institutions to consult the Office of the Privacy Commissioner on legislation and regulations with privacy implications before they are tabled. To me, the logic of this recommendation lies, first of all, in the role of the commissioner as an agent of Parliament, and second, in the fundamental nature of the right to privacy.
Let's look at the commissioner's role and status. The Privacy Commissioner is an agent of Parliament. What does that mean? That means that he has been invested with the protection of a value so important to Canadian identity and democracy that he is placed above political partisanship and reports directly to Parliament.
Because of this status, and the fact that privacy has been entrusted to an institution with this status, it is completely logical that the commissioner be consulted about legislation or regulations prior to their being tabled, to ensure they are privacy-compliant.
The example I will use here, which I feel clearly illustrates the advantage of this recommendation, can be found in a series of bills that either died on the Order Paper or were withdrawn or adopted with reservations regarding lawful access. These bills were so deficient in terms of compliance that they did not survive political wrath and proved to be untenable. They led to acrimonious debates and undermined public confidence in government institutions. Prior consultation with the Privacy Commissioner, I believe, would have provided for a dialogue between the internal proponents of the legislation and the Privacy Commissioner to find a correct balance in the bill prior to tabling, and therefore, could have led to legislation that was better balanced.
The Anti-terrorism Act of 2015, for example, might have struck a better balance between the legitimate needs of the state and the fundamental rights of citizens. Now, the current government has to redo it to make it balanced and satisfactory.
It is therefore my conclusion that in light of the increasing collection, use and sharing of personal information, the Privacy Act must be modernized so that its scope and effect are consistent with the realities of risk and the need for protection.
I will be pleased to answer any questions the committee members may have about all this, Mr. Chair.