Evidence of meeting #27 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was personal.
A recording is available from Parliament.
11:30 a.m.
Liberal
The Vice-Chair Liberal Joël Lightbound
Thank you very much, Mr. Long and Ms. Bernier.
That concludes the seven minutes available to you, Mr. Long.
I now give the floor to Ms. Rempel.
11:30 a.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
Thank you, Mr. Chair.
I just want to go, Ms. Bernier, back to the evidence that you presented. I just want to clarify something.
You just stated the example of the use of Facebook data, and then you compared that to the R. v. Spencer case, right? Just to clarify, I believe the ruling in the R. v. Spencer case related more to the use of IP addresses and the collection of metadata. Is that correct?
11:30 a.m.
Counsel, Privacy and Cybersecurity, Dentons Canada
Absolutely. They're completely different situations. In the Spencer case, what occurred is that Mr. Spencer had child pornography on his account, and that was detected. Without a warrant—this is very important, without a warrant—the police went to Shaw, his Internet service provider, to get his personal information from behind the IP address, which Shaw provided.
11:30 a.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
Just to clarify, though, for the committee, because I was just listening to your testimony, and you were using the example of a Facebook post or putting personal information on Facebook, and then you used the example of R. v. Spencer as a rationale for why a Facebook post wouldn't be applicable. Do you still want to make that connection?
11:30 a.m.
Counsel, Privacy and Cybersecurity, Dentons Canada
I link them as various examples of the need to clarify the quality of personal information as “personal” on the Internet.
11:30 a.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
Just to be perfectly clear, would you say the publication of, let's say, family activities or content of a Facebook post would be the same scope as the ruling as R. v. Spencer? I heard that linkage in your testimony and I'm not sure if that's the same thing. It was metadata, right, versus a blog post, let's say?
11:30 a.m.
Counsel, Privacy and Cybersecurity, Dentons Canada
Yes. First of all, in Spencer, what the court says—and this is very important—is that personal information is not what it is, it's what it reveals. It's a dynamic notion.
11:30 a.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
To clarify, would you say that if there was a blog posted on Facebook, and then, let's say, a government department or somebody used that information, it would be in the exact same scope as the R. v. Spencer ruling?
11:30 a.m.
Counsel, Privacy and Cybersecurity, Dentons Canada
I would say that if the blog post, the Facebook post, is not meant for the government and the government cannot justify that it has picked it up for a valid public interest related to its mandate, that is a violation of the act.
11:30 a.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
Is that your opinion, or can you point to relevant case law that shows that?
11:30 a.m.
Counsel, Privacy and Cybersecurity, Dentons Canada
Well, I would point to the findings that I made in regard to Cindy Blackstock. That was exactly the finding. We said, “Listen, Government of Canada, Ms. Blackstock's posts were personal. You collected it, yet you cannot justify that you collected it within your programs or activities, hence you collected it in violation of the Privacy Act.”
11:30 a.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
Again, just to clarify for the committee here so it's reflected in our report, R. v. Spencer would not be relevant materially in the example you gave before.
11:30 a.m.
Counsel, Privacy and Cybersecurity, Dentons Canada
To me, R. v. Spencer is crucial because it determines what the test is for personal information on the Internet. The test is not what the information is but what it reveals. Hence, if all you have is, say, an IP address, it's not the phone book. You cannot take it in a static form and say it's just a little number. That equates to my saying, “Please give me the key to your house”, and you say, “No”, and I say, “Why not? It's just a little piece of metal.” It's a piece of metal that lets me go into your house.
October 6th, 2016 / 11:30 a.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
As legislators, you can understand that there's probably some confusion. I agree with you that there's a difference between consent in terms of...and I think a larger question is what we do with big data writ large. I certainly wouldn't want my debit card activities or my Google search results to be informative. I think even companies using that is an interesting policy discussion.
However, to me, putting something on a Facebook post with public settings is akin to pasting something on a telephone pole. At what point, as legislators, do we have to remove the nature of consent in terms of putting information into the public domain from privacy concerns? By putting information out in the public domain, isn't there an acknowledgement that you're consenting to do that? As such, the information would be considered public.
If I put a big statement about my weekend activities out in a paper format and posted it outside here, I would assume somebody would use that. I'm not sure how an electronic format changes that.
11:35 a.m.
Counsel, Privacy and Cybersecurity, Dentons Canada
The point is that the government cannot use that, because the government cannot use your personal information unless it demonstrates necessity. That's the charter test.
11:35 a.m.
Conservative
11:35 a.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
It's not necessarily the production of your information into the public domain. It still could be used. It's not off the table. It just has to meet that legal test.
11:35 a.m.
Counsel, Privacy and Cybersecurity, Dentons Canada
Necessity is crucially the test. It is articulated in section 1 of the charter. Specifically it says, “demonstrably justified in a free and democratic society”. That has been interpreted in the Oakes decision, with which you're probably familiar, as really based on four criteria: necessity; proportionality of the intrusion to that necessity; effectiveness of that intrusion, in that you have to prove that it actually works; and the absence of a less intrusive alternative. That is truly the key.
11:35 a.m.
Conservative
11:35 a.m.
Liberal
The Vice-Chair Liberal Joël Lightbound
Unfortunately, no, but we'll be back to you perhaps later if we have some time.
Our next round of questioning will be from Mr. Dusseault.
11:35 a.m.
NDP
Pierre-Luc Dusseault NDP Sherbrooke, QC
Thank you, Mr. Chair.
I would also like to thank the witnesses who are before us today.
I'm pleased to see you again, Ms. Bernier.
My first questions will be about the Commissioner's fifth recommendation, namely, to expand judicial recourse and remedies. I am thinking, in particular, about the part of the last sentence which asks "that the Court be able to award a full array of remedies including damages", something that is not presently the case.
What do you think of this recommendation, Ms. Bernier? Is it possible for a court of justice to award damages against a government institution that has violated a citizen's rights, with potential financial repercussions for the citizen?
11:35 a.m.
Counsel, Privacy and Cybersecurity, Dentons Canada
Yes, it is.
You might be aware that the Commissioner revised this recommendation in a subsequent letter in September. He corrected or revised his sixth recommendation, which is about his role as ombudsman. In revising that sixth recommendation, he stated that Recommendation 5, to which you refer, would no longer be necessary.
That said, let's go back to the starting assumption, which forms the basis of your excellent question. There are precedents on the subject. For example, in Europe, privacy commissioners have the power to impose fines. There is therefore a monetary amount, even for government institutions that violate privacy.
11:35 a.m.
NDP
Pierre-Luc Dusseault NDP Sherbrooke, QC
Understood.
Mr. Guénette and Ms. Juneau, this morning, while reading the privacy policies for the My Account online program, I noted that section 9 contains the following wording:
The CRA has taken all reasonable steps to ensure the security of this Web site. We have used sophisticated encryption technology and incorporated other procedures to protect your personal information at all times.
However, there's a small sentence that really surprised me. It reads:
However, the Internet is a public network and there is the remote possibility of data security violations. In the event of such occurrences, the CRA is not responsible for any damages you may experience as a result.
Based on this sentence, I have a feeling you would not agree with the Commissioner's recommendation to allow citizens to be granted damages if their privacy has been violated due to the Canada Revenue Agency's My Account program.
Is that correct?
11:40 a.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
I probably wouldn't go as far as saying we'd disagree with the Commissioner. I think the current statutory framework doesn't provide for anything in the nature of requiring a government body to pay damages. Naturally, if the statutory framework undergoes changes, the wording on the site might have to be changed to reflect the new framework.
To come back to the fact that there is a risk, we have, of course, adopted encryption measures. The risk exists when there is a transfer of information between the taxpayer and the Agency. Although there is encryption, there is a risk, however minimal. We try to minimize it when data is transferred. That's what we're referring to.