Evidence of meeting #29 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Michael Karanicolas  Senior Legal Officer, Centre for Law and Democracy
Vincent Gogolek  Executive Director, B.C. Freedom of Information and Privacy Association

11 a.m.

Conservative

The Chair Conservative Blaine Calkins

I call the meeting to order.

Welcome, everyone. It's great to see you. This is the 29th meeting of our committee. We're continuing on with our study of the review of the Privacy Act.

We have only two witnesses today. We lost a witness, unfortunately, and we hope everything goes well, but we're still very pleased to have, from the Centre for Law and Democracy, Michael Karanicolas, senior legal officer. We also have Mr. Vincent Gogolek—no stranger to this committee—who is the executive director of the B.C. Freedom of Information and Privacy Association.

Friends, normally we have about a 10-minute opening statement and then we proceed to rounds of questions by all members. We try and encourage every member of Parliament to have an opportunity to ask questions.

Michael, are you ready to go? Is that okay?

11 a.m.

Michael Karanicolas Senior Legal Officer, Centre for Law and Democracy

Certainly.

11 a.m.

Conservative

The Chair Conservative Blaine Calkins

I usually go in the order in which they appear here, and your name appears first. I think this is your first time appearing before our Parliamentary committee. We welcome you and we look forward to hearing from you and having a discussion.

The floor is yours, sir.

11 a.m.

Senior Legal Officer, Centre for Law and Democracy

Michael Karanicolas

Thank you very much for this invitation.

To give you a bit of background on my organization, the Centre for Law and Democracy is an NGO based in Halifax that works to promote foundational rights for democracy. Most of our work is international, but it is a Canadian-based organization. We work here as well.

Our general focus is on freedom of expression, but that has increasingly taken us into privacy advocacy in recent years because there is a growing consensus about the broader importance of privacy to freedom of expression. This was noted by the UN Special Rapporteur on freedom of expression in 2013 and in the 2014 report by the Office of the UN High Commissioner for Human Rights.

The right to privacy, of course, is also internationally recognized as a human right on its own, protected by article 12 of the Universal Declaration of Human Rights as well as the International Covenant on Civil and Political Rights, which Canada has ratified.

I'll add that the value of a right like privacy must be considered in broader and systemic terms, rather than just by virtue of one's own sense of the private. Too often, as part of our advocacy, we've come across a statement to the effect that, “Well, I personally don't care too much about privacy or the integrity of my information. I'm not particularly a private person. I don't have much to hide, so I don't see these as important issues to address.” To me, that thinking is analogous to a person saying that because they're not personally religious, they feel no need to safeguard freedom of religion. There are broad social benefits that accrue to everyone by having a robust and properly protected right to privacy.

With regard to the current recommendations that are being discussed, we generally support what's been put forward by the OPC. For the sake of brevity, I'm not going into detail on all of the recommendations, but any of the ones that I don't specifically mention, we do support.

To start off, we strongly support the need for greater clarity around information agreements made under paragraphs 8(2)(a) and 8(2)(f) of the Privacy Act. There's a global trend among governments, and that includes our neighbours to the south, to adopt an approach to privacy that extends some protections to their own citizens and virtually none to foreigners. In this context, Canadians have to rely on their government to safeguard their privacy rights in dealings with external actors.

Clarity, transparency, and robust oversight are key ingredients to this, and the OPC's recommendations are a necessary step along that path. We would actually go beyond the OPC's recommendations and suggest that these agreements should be public and should set clear limits as to the purposes for which the disclosures may be made. There should also be a system of disclosure when these conditions are violated and effective remedies for those individuals who are affected.

CLD supports the recommendation that there should be an explicit necessity requirement for the collection of personal information. I would note that this is not just about protecting against the privacy infringements that result from the collection and processing of the information itself. Over-collection magnifies the threat to data security, since the ease of storing massive amounts of information can turn public agencies into a bigger target for hackers. Security experts have long argued that data minimization is among the most important defensive measures in protecting personal information.

When the United States Office of Personnel Management was catastrophically hacked last year, releasing, among other things, the results of background checks for millions of current and former employees, one of the big questions that security experts asked was why on earth they were warehousing all this information. There's no such thing as perfect security, but by working to manage and restrict the amount of information held, an agency can proactively mitigate the damage of a breach if and when it occurs.

Expanding the commissioner's ability to share information with counterparts domestically and internationally is also a good idea, particularly in light of the dynamic nature of global information flows. The Internet poses a significant challenge to traditional understandings of borders and jurisdiction, which makes it difficult to safeguard rights online. When a guy in Saudi Arabia, a country where adultery is a criminal offence, has his Ashley Madison profile leaked due to negligent safeguards by that company, where does his remedy lie? That's to say nothing of the almost 1,300 Ashley Madison users who identified themselves to the service as gay and whose log-in information originated from countries where homosexuality is criminalized.

There are very serious international consequences to these kinds of leaks. The Internet is a borderless place, and any agency that seeks to protect the rights of Canadians online needs to coordinate internationally.

CLD supports the idea of stronger transparency on reporting requirements for government institutions. However, rather than setting specific standards in the act, we would suggest leaving the specific scope of that to either the Privacy Commissioner or the Information Commissioner, to be defined through their regulations. That is in order to allow them to deal with emerging issues as they arise without having to reform the law.

There are two areas where we take issue with the recommendations. One is regarding the exception in the Access to Information Act for personal information, which the Office of the Information Commissioner has argued should be narrowed, so that it only applies to information whose disclosure would create an unjustified invasion of privacy. This would transform the current class exception for personal information into a harm-based exception in line with international better practices.

The OPC has voiced opposition to narrowing the definition in the matter in the way that the OIC suggests. CLD strongly supports the OIC's position in narrowing the definition.

The first reason is that there are enormous amounts of personal information whose disclosure is not sensitive—for example, where the information is already broadly publicly available—and as a consequence there would be no material harm in its disclosure. A harm test, which is what we're advocating, clarifies that information should always be disclosed in these kinds of cases. This prevents undue delays in processing requests and is a core earmark of good access to information legislation.

Second, in its submission the OPC has advocated for a formula that inherently tilts the scales in favour of privacy by requiring that a public interest override to have the information disclosed would only kick in if the interest in disclosure would clearly outweigh the privacy interest. This is an incorrect approach. The right to information is a human right, is broadly recognized internationally, and is also recognized as a limited and derivative constitutional right. It should be balanced against the right to privacy on equal terms.

Regarding order-making power, CLD doesn't necessarily oppose this idea. At the same time, I'm not particularly convinced by the argument for order-making power based on a necessity for parity between the Information Commissioner and the Privacy Commissioner. There are important differences between these two institutions, the main one being that the OIC's reviews are almost entirely aimed at public bodies, whereas the OPC has an oversight role over both public and private bodies.

This is a substantial consideration when you're talking about providing the agency with a bigger stick to wield. It heightens questions about procedural fairness and investigations, which the OPC has itself identified as a challenge.

There is also the question of collaboration and relationships with private sector respondents and whether this would impact the ability of the OPC to seek informal resolution or whether enhanced powers would make it more likely that private sector interests, if contacted by the OPC for an investigation, would put up a defence and lawyer up.

Again, that's not to say that we're opposed to order-making power. To me, it comes down, first of all, to whether order-making power is necessary to compel compliance with the recommendations that are being issued and, second of all, to whether it would make the OPC more effective in its oversight role. Would it create a greater impetus for organizations to follow their recommendations? Would it turn it into a stronger body, or would it further delay the process by making companies more defensive through the investigations? I don't know the answer to that question, but I think it's important to think about the issue in those terms.

It's also worth considering in the context of the statement by the OPC that most institutions do eventually agree to their recommendations, though there can be lengthy delays. Against that backdrop, obviously the delays are a legitimate concern, but if that's the major issue, I'm not entirely certain how order-making power would solve it more effectively than the hybrid model that had been previously suggested.

Without making a statement against order-making powers, I want to frame the discussion that way and have the discussion over questions of efficacy and necessity, as opposed to parity between the different institutions.

That's what I have in terms of our opening statements. Thanks very much. I look forward to engaging.

11:10 a.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you, Mr. Karanicolas.

Now we go to Mr. Gogolek for up to 10 minutes, please.

11:10 a.m.

Vincent Gogolek Executive Director, B.C. Freedom of Information and Privacy Association

Thank you, Mr. Chair.

Thank you to the committee for inviting us back once again to speak on an issue of considerable public interest and public importance.

It's a relief to see that this committee is examining the Privacy Act in the same general time frame as the Access to Information Act, because the two, of course, were introduced together. It's important for them to be looked at by the committee at the same time. I much appreciate that you're doing it in the way you're doing it. I think it is a very good approach.

You have our written submissions, which deal with each of the Privacy Commissioner's recommendations. We also have a few thoughts of our own at the end. I'll follow the example of—

11:10 a.m.

Conservative

The Chair Conservative Blaine Calkins

Excuse me, Mr. Gogolek.

Just for clarification of committee members, the submission by Mr. Gogolek is in translation right now, and we'll be getting it shortly.

Thank you, Mr. Gogolek.

11:10 a.m.

Executive Director, B.C. Freedom of Information and Privacy Association

Vincent Gogolek

Okay, thank you for that.

In any event, I'll just deal with the points that I think need amplification. There are many of the commissioner's recommendations that we're in agreement with, and you'll see that in the submission when it finally emerges.

Generally I think that in the testimony you've heard so far, it's common ground among the witnesses that the Privacy Act is outdated, antiquated, and in need of complete overhaul to ensure that Canadians' privacy rights are properly protected. This should also be done to bring the act into closer harmony with not just the more modern and more protective privacy laws, but also with its federal private sector equivalent, PIPEDA, which is administered by the very same commissioner.

Of course there are differences between the public and private sector, obviously. However, for Canadians who are going to the Privacy Commissioner to seek remedies or to figure out what their rights are or what the Privacy Commissioner can do for them, I'm sure it's very confusing as to why the remedies in terms of the public sector are so very different, and the procedures so very different, from what they would have in terms of PIPEDA. We urge you to make the changes required to end this disparity and confusion.

I'll now proceed to quickly go through the recommendations of the commissioner.

First is the requirement to put in an explicit necessity requirement for data collection. This is the standard set out in B.C.'s Freedom of Information and Protection of Privacy Act, as well as a number of other laws. The concept has received considerable interpretation, judicially and quasi-judicially, so its operation is well understood. We recommend that this be explicitly included in the act. We agree with the commissioner.

We'd also like to point out that one of the many criticisms of last year's Security of Canada Information Sharing Act, which was part of Bill C-51, is that it allows information on the lowest possible standard—that is, that the information is relevant to a receiving organization's jurisdiction or responsibilities in relation to activities that undermine the security of Canada in relation to detection, identification, analysis, prevention, investigation, or disruption of those activities.

We're of the view that this law is actually subordinate to the Privacy Act. However, the government's own background paper to the green paper, which is now currently also the subject of consultations, is actually contradictory on this point. In one place it says yes, it does override, and in another place it says no, it doesn't, that it's subject to other legislation, including the Privacy Act. It seems that the government itself is not entirely clear on this point. Given the weaknesses in terms of the lack of an explicit necessity clause in the Privacy Act, we think this would go some way toward helping resolve this ambiguity.

I'd also like to point out that the CSIS act uses the standard of necessity as well.

In terms of expanding judicial recourse and remedies under section 41, we support this recommendation. We would note that the B.C. legislative committee that recently reviewed our province's act has recommended that penalties be increased in order to focus the minds of those who may either not be paying proper attention to privacy rights or would ride roughshod over them.

One example of why this is necessary is the case of Sean Bruyea, a veterans advocate who had his personal information, which was held by Veterans Affairs, accessed hundreds of times by hundreds of individuals, including his financial, medical, and psychiatric records. Some of those records actually ended up in not one but two different ministerial briefing notes.

Mr. Bruyea was eventually compensated, but that was because he had already brought an action for damages for violation of his charter rights. That's an exceptional action, and we agree with the commissioner that there should be a broader scope and a broader availability of sanctions, including damages, under the Privacy Act.

In terms of the ombudsman versus order-making power versus hybrid, we see that the Privacy Commissioner himself, last month, has come around to the view that order-making power would be preferable. This is the view we have long held and the view we have also put forward in terms of the Information Commissioner. Both of these officers of Parliament should have order-making powers.

With regard to the discretion to discontinue or decline complaints in specified circumstances, this is understandable and necessary for the economy of public resources in cases where there is a request or a demand for review that is frivolous, vexatious, or done in bad faith. However, it should be restricted to those narrow points.

In terms of exceptions, the commissioner's recommendation 16, we agree with the Information Commissioner on this point. We have for a long time been in favour of exceptions to release under the ATIA being harms-based, and that would include personal information. We are also not in favour of this being discretionary.

I have three additional points that I would like to raise. First, I'd like to point out that in British Columbia our public sector act has a domestic data storage requirement, something that does not exist at the federal level. Again, this requirement was recently supported by the committee reviewing our act earlier this year, and also by the Government of British Columbia. We would commend this to you as something you may want to look at, in terms of B.C.'s experience.

Second, in 2008 the commissioner made a recommendation to eliminate the stipulation that the act apply only to recorded information. We think that was a good idea in 2008, and we still think it's a good idea. Although the commissioner hasn't mentioned it this time, we think it's an important change.

Third, something that we're seeing increasingly in the public and private sector in terms of decision-making is the use of data mining, and especially the use of algorithms to either supplement or entirely replace decision-making by human beings. Data is run through a program, and a recommendation, which humans may be reluctant to overrule, comes out. These rulings oftentimes have very serious effects on individuals, especially in terms of social services or benefits or things like that.

Something we have found over the years is that there is a great deal of resistance by private sector and public sector bodies that are using these algorithms and technologies to provide any kind of access to their workings, or even the basis on which these things work.

This really contradicts what happens when you have a human decision-maker. They normally have to provide reasons. There's something you can look at to figure out how they got to their decision. If this approach is replaced by a black box that has unknown data coming in from an unknown variety of sources and a recommendation coming out at the end, the person whose livelihood, finances, business, and other interests may be affected should have a right to see that. I think that has to be in the act.

I now look forward to your questions.

11:20 a.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much, Mr. Gogolek.

We're now going to go to our first round of questions, which will be seven minutes for questions and answers for each member, and we're going to start with Mr. Saini.

11:20 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Good morning. Thank you both for coming here.

Mr. Karanicolas, I was reading a piece that you wrote. I think you called it “Travel Guide”, and you talked about data retention obligations.

I want a differentiation from you, if you could highlight that for us, between the private sector and the public sector. You wrote in that piece about certain governments around the world, whether Thailand or India, having certain data retention obligations, and you wrote about an issue in Europe, where they tried to require service providers to retain data, but certain states hesitated.

When we look at the private sector, we see that consent is required when they collect data. Their collection of data tends to be more targeted, as opposed to government's, where the data tends to be broader or more diffuse. The government has an obligation to collect data. There's the CRA, and things like that. How do we ensure that the government is able to retain that data and yet also ensure that over-collection does not occur?

Could you highlight some of the things that we could improve, as compared to the private sector, and how we could go about that?

11:20 a.m.

Senior Legal Officer, Centre for Law and Democracy

Michael Karanicolas

Thanks very much.

First of all, it's great that you found that work, “Travel Guide to the Digital World”.

I completely agree that there's a big difference between information collection that happens in the private sector and information collection that happens in the public sector. Information collection by the public sector has a lot more potential for abuse and needs to be monitored much more carefully, partly because governments can get up to.... I work a lot in repressive countries, so I know governments can do much nastier things with private information, personal information, than private companies can. Governments have extraordinary levels of power, and the ability to misuse that information is much higher in the public sector than in the private sector. We take a much more wary approach when we talk about government collection of information.

You also noted the consent model. When you talk about consent, that's another issue. You can choose to delete your Facebook account and you can choose to delete your Gmail account, but you can't really choose to stop paying your taxes. You're a Canadian. You're in the system. It does also change the dynamic quite a bit.

I will also say that the consent model for collecting information in the private sector does need to be thought through very carefully, and I would argue that the current consent model is broken. Nobody reads their terms of service and nobody understands their terms of service. There's a bit of a vicious circle. The fact that nobody reads their terms of service means that the lawyers who draft these terms of service are incentivized to draft them in incredibly broad and vague ways in order to make sure they cover every imaginable use. There's no incentive for them to clarify the terms or to limit the actual uses in their terms of service, because they know that the users don't care. Then the fact that these terms of service are drafted in such a broad way makes it very difficult for people who want to read and understand them to actually get an understanding of what they mean. That, in turn, disincentivizes users from actually reading and engaging with them.

While I do agree that information collection in the public sector needs to be watched more carefully, I don't think that this consent-based model is necessarily the answer to the private sector doing whatever they want. Actually, I think that stronger and clearer rules around how private sectors use people's information are very badly needed. I think that the current model is not providing adequate safeguards.

I've seen estimates that if you were to read every terms of service document that you were presented with, it would take something like 200 hours out of your week. It's not practical for people to actually be their own safeguards on this issue.

Sorry. I realize I am straying a little from the question.

11:25 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Go ahead, but there's another question I want to ask on that aspect.

11:25 a.m.

Senior Legal Officer, Centre for Law and Democracy

Michael Karanicolas

Just quickly, in terms of what public bodies should be doing, I'm not a data security expert. You have security people who will tell you the areas you need to improve. The main thing that I would say is data minimization.

You can do what you can to try to make yourself as secure as possible, but the most important thing is that you can also make sure you manage your information, such that if and when there is a breach, you don't open up all this information that you should have deleted years ago.

11:25 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

The other question I have for you—and you mentioned this also about privacy agreements—is that right now we're part of the Five Eyes intelligence group. Within that regime, there is some level of confidence that with the countries that are part of that regime—because they're developed governments—information shared across borders would be retained in a way that would be somewhat safe or private.

However, we also have transactional agreements with other governments when it comes to CRA and things like that. In Canada we have a robust regime of preventing data sharing, maybe even among government agencies, but that information can leave our border and go to a different country that has a different set of rules. They may have the best intentions, but their rules are not as robust or as developed as ours. How do we protect against that?

11:25 a.m.

Senior Legal Officer, Centre for Law and Democracy

Michael Karanicolas

First of all, while sharing information among the Five Eyes is not the same as handing that information over to Egypt or Saudi Arabia, I think that abuses do take place and have taken place within our Five Eyes partners. There's clear evidence of that.

I'll particularly point to the U.K. and the fact that GCHQ has operated far beyond the kinds of limits that we've seen in other agencies. The U.K. is now talking about pulling away from the European Court of Human Rights. I think there are very serious concerns among our Five Eyes partners, so I wouldn't necessarily start from that perspective.

In terms of actually controlling the information, I think the best thing that can be done is to spell out very clearly and publicly the kinds of information we are willing to share, to have an open public debate about it, see what Canadians are and are not comfortable with, and have agreements that specifically reference those uses of information, with consequences if those agreements are not adhered to. You can spell out specifically in the agreement if it goes beyond this agreed-upon measure.

11:25 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

You also mentioned remedy.

11:25 a.m.

Conservative

The Chair Conservative Blaine Calkins

We're well past seven minutes now.

Hold that thought, Mr. Saini. I'm sure we'll have time to finish up on this later on.

We'll now move to Mr. Jeneroux, please.

11:30 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Wonderful. Thank you both for being here.

Mr. Gogolek, we've changed our committee time a little, so hopefully it was a bit easier on you coming from British Columbia.

11:30 a.m.

Executive Director, B.C. Freedom of Information and Privacy Association

Vincent Gogolek

It was a bit early.

11:30 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

It was, wasn't it, for all of us?

Mr. Karanicolas, I want to ask you a question, hoping that it clarifies some things on our end.

Your organization appeared before us at the meeting on the Access to Information Act, which we just studied, and your colleague provided strong testimony with regard to increasing the right to information. In fact, your organization reminded the committee that the right to information is a human right under international law. Now our committee is discussing the other side of the question, the laws that protect privacy.

I'm wondering how your organization views the balance that must be struck between providing as much access to government information as possible while also protecting the privacy rights of Canadians.

11:30 a.m.

Senior Legal Officer, Centre for Law and Democracy

Michael Karanicolas

I absolutely agree that there does need to be a balancing between those two, but this is not the only instance in which we balance rights against one another. We balance privacy against freedom of expression when talking about regulation of the media and what they should and should not be able to publish. We balance national security against privacy when we talk about appropriate scopes for data collection and data storage.

Balancing rights against one another is something that democracies have to do. In this case, with specific reference to the Access to Information Act, what we want to see is a balancing, on equal terms, of the right to privacy against the right to access to information to see where the greater public interest lies.

The general way that this is structured in better practice jurisdictions around the world is to have an exception with the Access to Information Act to say that information will not be disclosed if its disclosure would cause harm to personal privacy. Beyond that, this exception, and all other exceptions, will be subject to a public interest test whereby, if the public interest and disclosure override the privacy interest, then the information should be disclosed regardless of the exception.

11:30 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Given that technology continues to evolve and that the last time the act was updated was in 1983, and it's now 2016, what are your thoughts—both of you hopefully can weigh in on this—on how we keep up with current technology now, while knowing that in 2017 or 2018 there's probably going to be something else that we will also need to keep up with? I guess it's the “we don't know what we don't know” argument.

How do you suggest we consider that when it comes to the act?

11:30 a.m.

Executive Director, B.C. Freedom of Information and Privacy Association

Vincent Gogolek

It's a very important question because, as you point out, technology moves very quickly. Things that were around in 1983, such as telecopiers, don't exist anymore. That's an entire category of one of the standard things that was used back then.

This shows the importance for legislators of writing laws at a relatively high level, keeping them principle-based and technology-neutral. That's so you're dealing with the concepts of things like “personal information transmission”, as opposed to “faxing” or “using teletype”, or “specifying”. Unless there's some very good reason—a particular technology has a very particular problem or issue or feature that needs to be dealt with—keeping the laws that you come up with at that higher level and without specifying a specific technology, unless it is a necessary requirement to deal with that actual problem, I think is the way to go.

11:30 a.m.

Senior Legal Officer, Centre for Law and Democracy

Michael Karanicolas

I would add that regular reviews are a good idea. I think five-year reviews have been among the recommendations for both the Information Commissioner and the Privacy Commissioner. I think they are a great idea.

You mentioned that it's been over 30 years, and there haven't been any amendments. Canada was, I think, the eleventh country in the world to pass an access to information law. There are now, I believe, 113 laws that have been passed around the world, so standards have advanced tremendously in the intervening years. There's an important need to keep up, so regular reviews written into the legislation are a very good idea.

I would add that I completely agree with writing things in a technologically neutral fashion. That's always a good model for legislation generally.

I would also mention that progressive implementation of proactive disclosure obligations can be a good measure, as we see in a lot of different laws in which obligations for what should be disclosed ramp up over time. We do see this happening to an extent with the government, which is pioneering new open data initiatives and expanding new ways to engage with people. That is great.

However, what some countries do is that they allow the Information Commissioner—and I sort of hinted at this in my presentation—to set regulations about what levels of disclosure should be expected, and then those obligation levels can level up over time.

11:35 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Mr. Gogolek, quickly, do you have a time frame in which you prefer to see the statutory review, or a review of any sort, take place?