Information & Ethics Committee on Oct. 20th, 2016

Evidence of meeting #29 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was sector.

A recording is available from Parliament.

On the agenda

Privacy Act
Committee Business

MPs speaking

Blaine Calkins
Raj Saini
Matt Jeneroux
Daniel Blaikie
Rémi Massé
Wayne Long
Pat Kelly
Joël Lightbound
Bob Bratina

Also speaking

Michael Karanicolas  Senior Legal Officer, Centre for Law and Democracy
Vincent Gogolek  Executive Director, B.C. Freedom of Information and Privacy Association

12:30 p.m.

Senior Legal Officer, Centre for Law and Democracy

Michael Karanicolas

I think this strays a little bit outside my expertise, but generally speaking, you would want to see information sharing agreements specify clearly how the information may be used, and that includes further disclosure. This is a major issue both in the public sector and in the private sector.

I have my contractual relationships with Facebook and Twitter. I give them information about me. They have licence to share that information with third parties that I don't interact with. I don't know what their names are. This is a major concern.

Generally speaking, from the government's perspective, I would think that should be spelled out in a co-operative relationship with the other governments, the other agencies. If they're found to be breaching that relationship, if they're not playing by the rules that have been established, then the government should consider terminating that engagement.

12:30 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

You mentioned remedy in your opening remarks. If there is a data breach, let's say, in a second or third country, how would that work? You have a specific set of laws here and you have specific penalties here. If the data breach happens or something happens in the second or tertiary country, their laws or their fines may not be as severe as they are here. If somebody here has a data breach of their information in another country, how would you...?

12:30 p.m.

Senior Legal Officer, Centre for Law and Democracy

Michael Karanicolas

This is the problem with global data flows. We're used to traditional ideas of jurisdiction. Even international law is based on this idea of where a country ends. When you have information that's flowing all over the place—when you have the Internet, which doesn't have traditional borders—it's very difficult to apply traditional understandings of jurisdiction and traditional protections of rights.

This is one of the reasons we supported the Information Commissioner's recommendation to engage more with colleagues. It's good to try to push for common approaches to privacy and common approaches to human rights protections, and certainly with the countries we roughly see eye to eye with in terms of how human rights should be protected.

I brought up the example of the Ashley Madison user in Saudi Arabia or Russia whose information was suddenly disclosed and is now personally under threat. We would want to see the Canadian government and Canadian regulators taking action in those kinds of cases, but if it happens the other way around, it's difficult to say. This is why international collaboration is so important. Right now I don't think there are clear rules for how that should be addressed.

12:35 p.m.

Conservative

The Chair Conservative Blaine Calkins

Go ahead, Mr. Blaikie.

12:35 p.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

I want to go back to Mr. Lightbound's question about the necessity testing being tied to the charter as opposed to the federal program. I'm looking for just a little more education, maybe.

It seems to me that tying into the charter would be less restrictive than tying into the program, because federal programs and collection of information would be.... You could make a charter challenge if you felt for some reason that the government was, for the purposes of a program, collecting information that violated your charter rights, information that they didn't have a right to have or a right to collect. That would be something for the courts to determine. Having a further necessity test that's tied to the purposes of the program is actually a restriction within that larger restriction.

Isn't that how it works? If someone felt that the government was violating their charter rights by collecting information in a certain way, they could take that to court, and having the necessity test tied to the federal program would be a restriction within that—or do I just not understand how those two things interact?

12:35 p.m.

Executive Director, B.C. Freedom of Information and Privacy Association

Vincent Gogolek

There are independent remedies in the charter for a breach, and of course we have privacy rights in the charter in sections 7 and 8. That would be independent of anything to do with the actual Privacy Act itself in terms of something being necessary.

When you have a charter breach or after you find a breach, you look at section 1 in terms of whether it is justified, because rights are not infinite and uncontradictable. There may be very good reasons for it. There is something called the Oakes test, which deals with proportionality, necessity, and linking to the purposes of that breach. That's very well-defined constitutional law.

12:35 p.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

Here's what I'm trying to understand. Let's say we're applying to a government program to receive a drug of some kind in order to help with therapy. A necessity test tied to the program might ask about my employment history, which really isn't relevant to that. Because of the necessity test that's tied to the program, you wouldn't have a right to ask about my employment history. When it's a health-related issue, you may be able to ask certain health-related questions and I would have to disclose the information in order to access that program, but I don't see how the charter piece actually is more restrictive than that. To me, that seems to rule out far more things than the charter provision.

Maybe there is just something in this I'm not understanding.

12:35 p.m.

Senior Legal Officer, Centre for Law and Democracy

Michael Karanicolas

You can create a legal standard that goes beyond the charter protections. The charter is the point at which rights must be respected, and you can take a legal standard that goes beyond that.

In terms of the actual formulas for remedy, though, in that kind of case you would complain to the Privacy Commissioner either way, whether you were relying on a constitutional provision—

12:35 p.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

Really what I'm asking about is that I just don't understand tying the necessity test to the charter itself, which is already there and in effect is more restrictive than having one tied to the nature of the program and the information that would be required for a specific program. That, to me, seems to be more restrictive than a more general one; as long as it doesn't violate my charter rights, then the government can ask for that information.

Do you see what I mean? This necessity test for the charter is being pitched as more restrictive. I just don't understand how it would actually be more restrictive than saying, “You are restricted to asking only for information that pertains to your needs in order to be able to deliver this program.” That, to me, seems actually to be the more restrictive test. Is there something I'm not understanding? How does the charter, generally speaking, get more restrictive than something that would be tied to asking for information that pertains only to what you would need in order to deliver the program?

12:40 p.m.

Executive Director, B.C. Freedom of Information and Privacy Association

Vincent Gogolek

The charter is more overarching. I'm a little reluctant to try to interpret somebody else's argument that I just saw in terms of the transcript, having read it once. I thought it was interesting, but I would really have to take a look at it. I can speak to our experience in B.C., where we do have a necessity test, and it does work.

In terms of the Privacy Act being brought up to the standard that would be expected of modern privacy law, I think that putting it in, in the way the commissioner recommended, is probably the way to go.

12:40 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much, colleagues.

I thank our witnesses for coming in today.

Thank you, Mr. Gogolek, for appearing again, and thank you, Mr. Karanicolas, for your personal first appearance on behalf of your organization, the CLD.

I expect that we'll have an opportunity to call you or your organizations back again at some particular point time as we review other legislation that's relevant and germane to this committee's business. We thank you very much for your time.

Colleagues, I have some things that I need to discuss with you. They involve the availability of witnesses whom we've asked to come before the committee on a study unrelated to this one. I would like to protect the personal information of some of these witnesses, so I would love to entertain a motion to go in camera.

12:40 p.m.

A voice

I so move.

12:40 p.m.

Conservative

The Chair Conservative Blaine Calkins

(Motion agreed to)

We'll suspend for a second to go in camera. Let's get back to work as soon as possible. We only have a few minutes. Thanks.

[Proceedings continue in camera]