Information & Ethics Committee on Nov. 1st, 2016

Thank you, Mr. Chair, and gentlemen of the committee.

Thank you once again for your invitation and your decision to conduct this important review of the Privacy Act.

I would also like to thank all those experts who have testified before you thus far.

As you have heard from many expert witnesses, the 33-year old Privacy Act is woefully out of date.

Over the past few years in particular, technological developments have been revolutionary, making the collection, use and sharing of personal information by governments much easier.

Last spring, I had recommended amendments to the Privacy Act under three main themes: legal modernization, technological innovation, and the need for transparency.

I stand by these recommendations, but would like to make certain clarifications today.

Many witnesses have asserted, particularly from the provinces, that there is much to be said for a regime of privacy protection that includes binding orders issued at the conclusion of certain investigations.

In my appearance last March, I indicated that the current ombudsman model needs to be changed as it often leads to delays. Furthermore, under the current regime, departments do not have a strong incentive to make complete and detailed representations at the outset, and the current model does not therefore result in a timely, final remedy.

The ombudsman model has been in place since the OPC's inception in 1983. This means in part that I can be both a privacy champion, as well as investigating complaints. These are both vital roles in the protection of privacy and I was concerned that legal reasons would force me to choose one over the other. Specifically, the concern was that the courts would deem that I would not be able to adjudicate complaints impartially if I am also a privacy advocate.

After careful review, last summer in particular, we have concluded that there are indeed legal risks with one body having both adjudicative and promotion functions. Based on our review, however, these risks are likely the same under the hybrid model in Newfoundland and Labrador.

Importantly, crucially in fact, our review also led us to conclude that these risks can be largely mitigated through a clearer separation of adjudicative and promotion functions within the OPC.

This kind of structure, as you know, exists in many provinces. It is important to understand that such a separation would entail certain costs, but we have not yet quantified these.

Since the legal risks and mitigation measures are the same under the hybrid model in Newfoundland and Labrador, the order-making model is in my opinion preferable as it provides a more direct route to timely, final decisions for complainants.

Therefore, as I wrote to the committee in September, I now recommend that the act be amended by replacing the ombudsman model with one where the Privacy Commissioner would be granted order-making powers.

In your committee's report on Access to Information Act reform, several recommendations appeared that were consistent with the policy to promote open and transparent government.

I agree completely with this policy as a cornerstone for public trust and accountability, but I suggest that it should be pursued in a way that protects privacy. As I mentioned several times, the Access to Information Act and the Privacy Act are to be seen as seamless codes, and changes to one act must consider the impact on the other. Changes to the way in which access and privacy rights are balanced under the current legislation should be carefully thought through, including any changes to the definition of personal information, and changes to the Access to Information Act's public interest override.

In my view, these changes should be considered in the second phase of Access to Information Act reform. I was therefore happy to see that your report in June on access, if I read it correctly, did not recommend changes that would affect that balance.

Now here's a word about risks if reform is not pursued. There will be, in my view, real consequences if Canada does not modernize its privacy legislation.

In the public sector, these consequences include, first, risks of data breaches that are not properly mitigated; second, excessive collection and sharing of personal information, which may affect trust in government; and more specifically, third, a reduced trust in online systems that may undermine the government's efforts to modernize its services and coordinate its digital communications with Canadians.

Some governments have already moved forward to strengthen their privacy protection frameworks, most notably the European Union. There is a risk, in my view, that if European authorities no longer find Canada's privacy laws essentially equivalent to those protecting EU nationals, commerce between Canada and Europe may become more difficult. This is not theoretical. This is what happened to the United States when the safe harbour agreement was found invalid by EU courts a few months ago.

Since I last appeared before this committee in March, the Federal Court recently considered the Privacy Commissioner ad hoc mechanism that my office created to provide for an independent review of complaints against my own office. This mechanism was needed when the OPC itself became subject to the Privacy Act with the adoption of the Federal Accountability Act in 2007. In assessing the independence of this mechanism, the court noted this was a question more appropriately addressed by Parliament. I would therefore invite the committee to consider this issue at this point, and we've added this to our revised list of recommendations.

In conclusion, I wish to thank and congratulate the committee for undertaking this critical work, which I hope will lead to a modernized law that protects the privacy rights of all Canadians. We hope that the government will see fit to take action on all of our recommendations.

Since the government has confirmed its intention to amend the Access to Information Act in two stages, we would ask that the following recommendations to the Privacy Act, at a minimum, be part of phase one.

First, an explicit necessity threshold for the collection of personal information should be adopted, so that the easier collection made possible by new technologies is properly regulated in a way that protects privacy. Second, an obligation to safeguard personal information and a breach notification provision should be made explicit in the act, to ensure the risk of data breaches is properly mitigated. Third, a requirement for written information-sharing agreements, with prescribed minimal content, should be adopted to improve transparency.

Finally, amendments consequential to phase one amendments to the Access to Information Act should be made, including replacing the ombudsman model with one where commissioners are given order-making powers to ensure that individuals receive timely, final decisions to their complaints.

Thank you for your attention. I welcome your questions.

Yes, it should be at the beginning, and many privacy laws around the world agree with that premise.

My premise is that it is preferable to identify, reduce, and mitigate privacy risks before they occur, as opposed to finding remedies after the risk has materialized. It is important to have remedial powers, but it is just as important, and probably more important, to identify risks as programs are developed, and to mitigate these risks from the get-go.

The question you're raising actually should make us all think about the worst-case scenario that Canada has experienced since 9/11, which was the Maher Arar case. It is important that we understand the lessons from that case and other lessons from 9/11. Here we had Canada sharing information with the United States and later on with Syria, which led, according to the commission of inquiry, to Mr. Arar being tortured by Syrian authorities. How can you mitigate that?

First of all, Canada does not have complete control of this issue. Of course that's a question of bilateral relations and bilateral agreements between countries, but Canada can certainly make its position known and prescribed in agreements by making sure that, when Canada shares information with another country, the information to be shared is identified and the purposes for which it is shared are identified, and here I do not mean on a transactional basis. It would be too cumbersome to have agreements on a transactional basis. That's not what we're recommending, but we are recommending that there be umbrella agreements that provide more specificity than the act itself on what type of information in a given context will be shared and for what purpose the information will be shared. That's one set of criteria.

As to potential sharing by the country with which we have an immediate agreement to a third country, that should also be part of the agreement with the second country. It should be provided that, in the case of Mr. Arar, an agreement between Canada and the U.S. would provide that the United States would not be able to share information with a third state unless certain conditions were met. I think that would be an important safeguard.

Will the United States or a second country always comply with this agreement? Well, that's a question of bilateral arrangements between countries. Normally, in these situations, countries try to live by their commitments. Is there an absolute guarantee that this would be so? No, but normally these commitments are agreed to, so it would be important, in an agreement like that, that the potential of sharing with a third country, particularly, as you say, one where human rights protection may not be robust, is covered in the agreement with the second country.

I'll put it at the level of policy objective. That issue, of course, was raised in the context of FATCA, as an example. The first step, I think, is to determine whether the agreement between Canada and another state—here the United States—for tax purposes is trying to achieve a legitimate purpose. In the case of FATCA, the objective was to avoid tax evasion, which is a legitimate purpose.

In general terms, first, the purpose must be identified. Is it a legitimate purpose? Then, ensure that the information that being shared is consistent with that purpose and does not go beyond that purpose. If you follow these rules, yes, the information of certain Canadian individuals or companies may be shared, but it will be because an analysis will have been made that there is a valid policy objective to be achieved and that no more than what needs to be shared for that purpose is shared.

First, what is the ill to be solved? The ill to be solved is in part delay, the fact that the current model does not give sufficient incentives for government departments to provide submissions to us, and particularly well-thought-out submissions early on in the process. That leads to delays for the person who should benefit from the intervention of the Privacy Commissioner, the person who makes a complaint. The order-making recommendation is meant to give the complainant a timely response and a final response that will not drag on in the courts forever.

I've dealt with the issue of timeliness. In the current system, departments do not necessarily have to give us full submissions from the get-go. It's possible for them to make their real case before the Federal Court because we can only make recommendations but it is the Federal Court that can actually order a federal institution to do something consistent with the Privacy Act. We have seen cases where departments gave us a set of submissions in our investigation and have then augmented these submissions when they were before the Federal Court. I think that's also inconsistent with the desire to have timely final decisions for the complainant as soon as possible.

These are two issues that order making would try to address. I was originally and I am still of the view that there is a risk with order making as well as with the Newfoundland model that if the Privacy Commissioner has a promotional role, a privacy champion role, and an adjudicative role, these two roles can conflict. Our analysis over the past few months has confirmed that unless you take measures to divide certain functions internally, the courts will likely intervene and say you're not impartial when you adjudicate because you took a position as an advocate that showed how you were disposed to look at a certain issue, and you maintained that position and did not listen to the facts carefully. That's a real risk.

I was concerned with that risk from the get-go. We thought originally that the Newfoundland model could potentially offer a solution but after further review we think that actually the risk is the same whether it's order making or the Newfoundland model, so if the risk is the same, if the mitigation measures, namely division within the OPC, are the same, I'd rather have order making because between the two models it's the one that provides the most direct route, the faster route, for the person we should care about, which is the complainant.

It could be defined. It certainly can be defined, and it probably should be defined as meaning that the Privacy Commissioner could make orders that would direct a government institution to do what in the Privacy Commissioner's view is necessary to comply with the Privacy Act. That's ultimately what order making is all about, and of course there would be judicial review by the Federal Court after that, but in terms of administrative process that's what order making would be, so you would need to define that in the statute.

I would start from the premise that rights under privacy should not depend on nationality; that's a policy choice. There are already mechanisms whereby even though there is no statutory right, there are mechanisms that I will ask my colleague Sue to explain that get to the same place. Essentially to give foreign nationals a right would codify and give greater stature to a set of rules, which by and large already exist. Would this create more volume and more delays? Potentially.

Sue.

For example, a lot of the requests Citizenship and Immigration receives for information that would traditionally be considered personal information requests are handled through the Access to Information Act. Because of some of the wording of the legislation, because the individual is located outside Canada and is not a Canadian citizen, they still have a means to obtaining the information they would need for processing their immigration file. They go through a person present in Canada to represent them and obtain that information. It's unclear how many additional requests opening the Privacy Act to a broader audience would change.

In other words, to give foreign nationals a right of access under the Privacy Act wouldn't deal directly with what currently occurs indirectly when you have foreign nationals making access requests through agents under the Access to Information Act. If we're there indirectly already, let's do it directly.

I think at the end of the day, the way in which my provincial colleagues have implemented similar schemes demonstrates that it's only the tip of the iceberg. Only the small minority of cases of complaints lean to order making. Before you get there, you try to resolve, you try to mediate, you try all kinds of things that we would try to do. I don't see why we would have a different experience from that experience in provinces where order making is a necessary tool to use in few cases. It's important to have the tool in the tool box, but in managing the volume of work and the volume of complaints, I don't think that order making would be used in very many cases.

First, it would start with privacy impact assessments. As government departments developed new programs that require personal information, we would engage with them at the level of privacy impact assessments, before the fact, having in mind this necessity standard to assess whether the way they propose to proceed would conform with that principle.

Once the program was in force and the information was collected, yes, we would be involved based on complaints, as is currently the case. If you agreed with our recommendations, we would be able to order departments to no longer collect or to change their practice, if we think it is not consistent with the necessity test.

Finally, the courts would be there as the ultimate arbiter. They ultimately would define the legal interpretation of the criteria that the OPC would then be bound to follow.

First of all, necessity would apply to the collection of information. For information sharing, our recommendation is that there be agreements with certain content, which I won't go into, but necessity is not one of the conditions of our information-sharing agreements. There should still be a link between the objective of the program, the information to be collected, and so on.

Your point is how we would oversee transactions, at the transactional level, for information-sharing cases. First, we would intervene before the transaction occurs, at the policy level, at the PIA level. At the transactional level, if a department wanted to consult us and they couldn't, there's nothing in our recommendations that would require them to consult us on a case-by-case basis. It would occur before the fact, at the policy level, at the content of the agreement level. Then the department would implement the agreement. If somebody felt that this transaction did not have accordance with privacy law, he or she could make a complaint. We would intervene then.

I don't see our interacting with institutions on a case-by-case level once the rules are set.