Evidence of meeting #27 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Chantal Bernier  Counsel, Privacy and Cybersecurity, Dentons Canada
Monique McCulloch  Director, Access to Information and Privacy, Shared Services Canada
Maxime Guénette  Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Marie-Claude Juneau  Director, Access to Information and Privacy, Canada Revenue Agency

12:40 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Thank you.

Ms. Bernier, I believe you said early on that you looked favourably on the recommendations. I don't know if you're able to carefully analyze the whole report, but let me ask you a specific question. In recommendation 15, the Privacy Commissioner suggests amending the act to extend coverage to all government institutions, including ministers' offices and the Prime Minister's office. What would you see in that recommendation?

12:40 p.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

As I've mentioned to Mr. Dusseault, I see this favourably, because we have a legal void at the moment in this regard. In other words, there is personal information held or could be held in these offices that is not currently protected. When you look at the fact that the government in power, the ministers, the Prime Minister, do exercise the powers of government, they should be held to the standards of the Privacy Act to collect, use, or disclose that information.

12:40 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

In recommendation 11, the suggestion is amending section 64 to allow the commissioner to report publicly on government privacy issues where he considers it in the public interest to do so. The Privacy Commissioner already has the power to issue special reports and annual reports and so on. Is the expansion of this useful in your view?

12:40 p.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

It is, absolutely. I was confronted with this when we finished the investigation of, as it was then, Employment and Social Development Canada. You will recall that it lost a hard drive of 583,000 Canadians' financial information. It was just too big, I felt, to leave it to the annual report. I thought that the Canadian public deserved a quicker result of our investigation, and therefore, proceeded by tabling a special report.

But it is quite stilted and onerous. It is demonstrating a lack of flexibility. I was wanting to serve the Canadian public well by stating the results of our investigation, but I could only do it through the special report procedure.

I believe that this recommendation is very cohesive in the transparency theme of the commissioner's recommendations.

12:45 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

How do you see it working in the case of some major breach or something? Would the Privacy Commissioner advise the government that he intended to speak to that, or just how do you see that working?

12:45 p.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

As I mentioned when I described the status of the Privacy Commissioner as an agent of Parliament, he does not need to inform government. He just goes out and says this is what he has discovered and this is what he is reporting on. The way it is done, it would be at the end of an investigation, or it could be as we did for ESDC.

When the news came out, I immediately announced that I was initiating a complaint, because the commissioner can either initiate the complaint or reply to complaints filed by a plaintiff or many complainants. This was really too big not to do something about it, so I chose to initiate a complaint. Then I chose to publish the report outside of the annual report, but the artificiality of that constraint I had, which meant I had to do a special report, was really not justified. It really was a hindrance to transparency, for no use.

12:45 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Is there anything in the review that leapt out as missing, that you thought might be addressed in the recommendations?

12:45 p.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

The departure I would make is the one I have underlined, and that relates to the recommendation on necessity. That's recommendation 4, where the Privacy Commissioner says that it should be proven to be necessary to the program or government activity. I believe that inherent test is not sufficient. It should be an external test grounded in the charter.

12:45 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Yes. Those are good comments. Thank you.

12:45 p.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Thank you, Mr. Bratina.

We still have Madam Dzerowicz and Mr. Saini who would like to ask a few questions. I'd ask you to keep it relatively short because we have about 10 minutes left.

We'll start with you, Madam Dzerowicz.

12:45 p.m.

Liberal

Julie Dzerowicz Liberal Davenport, ON

Thank you very much.

I know that the Privacy Act is different from PIPEDA. Google collects a lot of information on me. Should there be a better relationship between the two, PIPEDA and the Privacy Act? That's a general question.

The second thing is that technology changes fairly quickly now. How do we keep our legislation sort of agile and ongoing?

Then I have another question for Ms. McCulloch and Mr. Guénette.

12:45 p.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

How relevant.

First of all, just to put it in perspective, Europe does not have separate legislation for private and public sectors, and I have often questioned in my mind whether we should. But we do and we have an excellent system. The reason we do is easily justified by the difference in legal paradigms that are the subset of both. This, again, goes back to my answer to Ms. Rempel, meaning one is the state-to-citizen relationship Privacy Act and that is grounded strictly in necessity. The state cannot intrude upon your privacy unless it is demonstrably justified in a free and democratic society.

The relationship you have with other data holders, say Google, Facebook, or any company you buy something from, is predicated on your relationship, your free relationship with them, and therefore is built on consent.

I think that the way we have it constructed is working very well. However, the bridge that you're pointing to is extremely important and increasing. We've seen it with what is often referred to as the deputization of the private sector. Obviously, the big showdown of Apple and the FBI is an example of that in the U.S., where you have this treasure trove of information in the private sector that the law enforcement agencies, therefore the public sector, wants to have access to. How do we regulate that connection?

There has been clarification in Canada. One clarification was, as I mentioned earlier on, R. v. Spencer. A more recent clarification that goes more directly to your question is in R. v. Rogers Communications Partnership. That was January 2016, where the issue at hand was a judicial warrant for a tower dump, a tower dump being giving to the police all of the exchanges, communications, within the vicinity of a specific cellphone tower, which would have resulted in providing the police with 43,000 people's exchanges between, say 3:00 and 5:00 on that day. Why? Because there had been a jewellery robbery at that time on that day. Rogers said, no, opposed the warrant, and the police stood down. However, Rogers still went to court and said that warrant was invalid because it was overly broad. The police replied via the Auditor General that Rogers had no standing in fighting this issue, whereas the court—and this is very important to your question—said not only was Rogers right in refusing to comply with a judicial warrant because a judicial warrant was too broad to be constitutional, but it had the obligation to oppose the warrant as its contractual duty to its customers.

That really illustrates, I believe, the link you're making between public and private.

12:50 p.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

It will be Mr. Saini now for three minutes.

12:50 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

I have one final question, Madam Bernier. You raised an interesting point that I found very curious. You talked about how Dentons is worldwide. Obviously if you have worldwide offices, you have different privacy regimes in different jurisdictions. Because whenever you have a regime in any country there's an application of resources whether they be human or financial, if you have clients who are doing business in multiple jurisdictions, how do you equilibrate all of that to have one standard?

Are there multiple standards, or do you devolve to the jurisdiction where the business is occurring or where the case is being tried or heard? How do you equilibrate all that?

12:50 p.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

We have to follow the law everywhere we operate, and the law is different in different countries.

I was in our Singapore office recently and we were discussing, specifically, how you regulate privacy law in Singapore, but in that case, it was a Canadian business going there. The jurisdictional rules around privacy law are such that where the operation takes place, where the information is collected, must always correspond to the laws of the country where it is collected.

However, there are different laws for cross-border. There are countries that do not allow the cross-border transfer of personal information from their citizens, except with very tight rules, conditions, and so on. There are other countries who are mainly requiring due diligence, saying you can go cross-border but make sure that through the transfer you protect the information at the same level as, say, Canadian law requires you to. They do that by, first, choosing very trustworthy contractors, and second, by having contractual clauses that specify, the contractor will protect the information at the level they, the customer who's using the contractor to transfer the information, are held to and that they will audit and inspect the contractor. There are compliance measures like that.

Yes, it is definitely a conflict of laws challenge, but one that is governed by rules of conflicts of laws.

12:50 p.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Thank you very much. I would have had some questions for Madame Bernier, but I guess we'll have to reinvite you. It was with a sense of sacrifice, as I chaired, that I didn't get to ask my questions, but some other time.

Thank you all for being with us today. It was greatly appreciated, and I want to wish all members a happy Thanksgiving. We'll see each other again in two weeks.

Thank you, everyone, and have a good day.

The meeting is adjourned.