Evidence of meeting #32 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Sue Lajoie  Director General, Privacy Act Investigations, Office of the Privacy Commissioner of Canada
Patricia Kosseim  Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch, Office of the Privacy Commissioner of Canada

11 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Hello everyone.

Welcome to the 32nd meeting of the Standing Committee on Access to Information, Privacy and Ethics.

We are fortunate to have with us today the Privacy Commissioner of Canada, Mr. Daniel Therrien, who is accompanied by Ms. Sue Lajoie, director general, Privacy Act investigations, and Ms. Patricia Kosseim, senior general counsel and director general, legal services, policy, research, and technology analysis branch.

Welcome and thank you for being here.

We have an hour and a half. We will begin with a presentation by Mr. Therrien, for 10 minutes, followed by questions from MPs.

You have the floor, Mr. Therrien.

11 a.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you, Mr. Chair, and gentlemen of the committee.

Thank you once again for your invitation and your decision to conduct this important review of the Privacy Act.

I would also like to thank all those experts who have testified before you thus far.

As you have heard from many expert witnesses, the 33-year-old Privacy Act is woefully out of date.

Over the past few years in particular, technological developments have been revolutionary, making the collection, use and sharing of personal information by governments much easier.

Last spring, I had recommended amendments to the Privacy Act under three main themes: legal modernization, technological innovation, and the need for transparency.

I stand by these recommendations, but would like to make certain clarifications today.

Many witnesses have asserted, particularly from the provinces, that there is much to be said for a regime of privacy protection that includes binding orders issued at the conclusion of certain investigations.

In my appearance last March, I indicated that the current ombudsman model needs to be changed as it often leads to delays. Furthermore, under the current regime, departments do not have a strong incentive to make complete and detailed representations at the outset, and the current model does not therefore result in a timely, final remedy.

The ombudsman model has been in place since the OPC's inception in 1983. This means in part that I can be both a privacy champion, as well as investigating complaints. These are both vital roles in the protection of privacy and I was concerned that legal reasons would force me to choose one over the other. Specifically, the concern was that the courts would deem that I would not be able to adjudicate complaints impartially if I am also a privacy advocate.

After careful review, last summer in particular, we have concluded that there are indeed legal risks with one body having both adjudicative and promotion functions. Based on our review, however, these risks are likely the same under the hybrid model in Newfoundland and Labrador.

Importantly, crucially in fact, our review also led us to conclude that these risks can be largely mitigated through a clearer separation of adjudicative and promotion functions within the OPC.

This kind of structure, as you know, exists in many provinces. It is important to understand that such a separation would entail certain costs, but we have not yet quantified these.

Since the legal risks and mitigation measures are the same under the hybrid model in Newfoundland and Labrador, the order-making model is in my opinion preferable as it provides a more direct route to timely, final decisions for complainants.

Therefore, as I wrote to the committee in September, I now recommend that the act be amended by replacing the ombudsman model with one where the Privacy Commissioner would be granted order-making powers.

In your committee's report on Access to Information Act reform, several recommendations appeared that were consistent with the policy to promote open and transparent government.

I agree completely with this policy as a cornerstone for public trust and accountability, but I suggest that it should be pursued in a way that protects privacy. As I mentioned several times, the Access to Information Act and the Privacy Act are to be seen as seamless codes, and changes to one act must consider the impact on the other. Changes to the way in which access and privacy rights are balanced under the current legislation should be carefully thought through, including any changes to the definition of personal information, and changes to the Access to Information Act's public interest override.

In my view, these changes should be considered in the second phase of Access to Information Act reform. I was therefore happy to see that your report in June on access, if I read it correctly, did not recommend changes that would affect that balance.

Now here's a word about risks if reform is not pursued. There will be, in my view, real consequences if Canada does not modernize its privacy legislation.

In the public sector, these consequences include, first, risks of data breaches that are not properly mitigated; second, excessive collection and sharing of personal information, which may affect trust in government; and more specifically, third, a reduced trust in online systems that may undermine the government's efforts to modernize its services and coordinate its digital communications with Canadians.

Some governments have already moved forward to strengthen their privacy protection frameworks, most notably the European Union. There is a risk, in my view, that if European authorities no longer find Canada's privacy laws essentially equivalent to those protecting EU nationals, commerce between Canada and Europe may become more difficult. This is not theoretical. This is what happened to the United States when the safe harbour agreement was found invalid by EU courts a few months ago.

Since I last appeared before this committee in March, the Federal Court recently considered the Privacy Commissioner ad hoc mechanism that my office created to provide for an independent review of complaints against my own office. This mechanism was needed when the OPC itself became subject to the Privacy Act with the adoption of the Federal Accountability Act in 2007. In assessing the independence of this mechanism, the court noted this was a question more appropriately addressed by Parliament. I would therefore invite the committee to consider this issue at this point, and we've added this to our revised list of recommendations.

In conclusion, I wish to thank and congratulate the committee for undertaking this critical work, which I hope will lead to a modernized law that protects the privacy rights of all Canadians. We hope that the government will see fit to take action on all of our recommendations.

Since the government has confirmed its intention to amend the Access to Information Act in two stages, we would ask that the following recommendations to the Privacy Act, at a minimum, be part of phase one.

First, an explicit necessity threshold for the collection of personal information should be adopted, so that the easier collection made possible by new technologies is properly regulated in a way that protects privacy. Second, an obligation to safeguard personal information and a breach notification provision should be made explicit in the act, to ensure the risk of data breaches is properly mitigated. Third, a requirement for written information-sharing agreements, with prescribed minimal content, should be adopted to improve transparency.

Finally, amendments consequential to phase one amendments to the Access to Information Act should be made, including replacing the ombudsman model with one where commissioners are given order-making powers to ensure that individuals receive timely, final decisions to their complaints.

Thank you for your attention. I welcome your questions.

11:05 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Thank you very much for being with us again this morning, Mr. Therrien. Thank you for your presentation.

I think the MPs have a number of questions for you. We will begin with Mr. Raj Saini, for seven minutes.

11:05 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Thank you, Mr. Therrien, for your opening remarks.

Last week, we heard from several departments. I want to ask you this question specifically because I want to make sure that we understand where the Privacy Act or where the impact should begin. There's one specific case where you helped the RCMP with their drone surveillance program, where you were involved at the outset of that program.

We got some differing answers, but when departments are going to have a rule, regulation, law, or whatever, where do you think your department could be best implicated in making sure that the act or that rule...? Do you believe it should be from the beginning, and do you think that should be a necessary requirement?

11:10 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes, it should be at the beginning, and many privacy laws around the world agree with that premise.

My premise is that it is preferable to identify, reduce, and mitigate privacy risks before they occur, as opposed to finding remedies after the risk has materialized. It is important to have remedial powers, but it is just as important, and probably more important, to identify risks as programs are developed, and to mitigate these risks from the get-go.

11:10 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Something that I've had a particular interest in is the information-sharing agreements, not necessarily domestically but internationally. You mentioned the EU in your opening remarks. What can we do to make sure that our laws are strengthened?

Specifically, bilaterally I know that we have agreements with certain countries that have the same sort of robust regime that we do, but we may have agreements with countries whose regime is not as robust. How do we prevent any information in a secondary country from being exposed, especially for a Canadian individual?

Secondly, if we have a bilateral agreement with one country, we may not have a bilateral agreement with a third country, but the second and third country may have an agreement. How do we prevent that information from going beyond the second country?

11:10 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The question you're raising actually should make us all think about the worst-case scenario that Canada has experienced since 9/11, which was the Maher Arar case. It is important that we understand the lessons from that case and other lessons from 9/11. Here we had Canada sharing information with the United States and later on with Syria, which led, according to the commission of inquiry, to Mr. Arar being tortured by Syrian authorities. How can you mitigate that?

First of all, Canada does not have complete control of this issue. Of course that's a question of bilateral relations and bilateral agreements between countries, but Canada can certainly make its position known and prescribed in agreements by making sure that, when Canada shares information with another country, the information to be shared is identified and the purposes for which it is shared are identified, and here I do not mean on a transactional basis. It would be too cumbersome to have agreements on a transactional basis. That's not what we're recommending, but we are recommending that there be umbrella agreements that provide more specificity than the act itself on what type of information in a given context will be shared and for what purpose the information will be shared. That's one set of criteria.

As to potential sharing by the country with which we have an immediate agreement to a third country, that should also be part of the agreement with the second country. It should be provided that, in the case of Mr. Arar, an agreement between Canada and the U.S. would provide that the United States would not be able to share information with a third state unless certain conditions were met. I think that would be an important safeguard.

Will the United States or a second country always comply with this agreement? Well, that's a question of bilateral arrangements between countries. Normally, in these situations, countries try to live by their commitments. Is there an absolute guarantee that this would be so? No, but normally these commitments are agreed to, so it would be important, in an agreement like that, that the potential of sharing with a third country, particularly, as you say, one where human rights protection may not be robust, is covered in the agreement with the second country.

11:15 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

How about if it comes to commercial transactions? Would you suggest something in that regard? In some cases there are Canadian companies or Canadian individuals who have interests in many countries around the world, and if certain tax information, corporate information, can be shared with another country because of a bilateral tax treaty, what would happen? How would we prevent that information, which could impact the company in Canada, from being shared with other countries or other competitors?

11:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'll put it at the level of policy objective. That issue, of course, was raised in the context of FATCA, as an example. The first step, I think, is to determine whether the agreement between Canada and another state—here the United States—for tax purposes is trying to achieve a legitimate purpose. In the case of FATCA, the objective was to avoid tax evasion, which is a legitimate purpose.

In general terms, first, the purpose must be identified. Is it a legitimate purpose? Then, ensure that the information that is being shared is consistent with that purpose and does not go beyond that purpose. If you follow these rules, yes, the information of certain Canadian individuals or companies may be shared, but it will be because an analysis will have been made that there is a valid policy objective to be achieved and that no more than what needs to be shared for that purpose is shared.

11:15 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Thank you, Mr. Saini. Your speaking time is up. There will certainly be time for more questions at the end.

We will now move on to Mr. Jeneroux, for seven minutes.

11:15 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Thank you very much for being here. I appreciate your taking the time, and I'm sure there are a lot of staff who have listened to plenty of the testimony over the months of preparing your remarks today.

You definitely hit my biggest concern on the head in your discussion on the order-making powers and your changes over the course of the year leading up to this testimony. Particularly, in March 2016, you recommended improving the ombudsman model to the investigation of complaints and wrote that the Newfoundland and Labrador hybrid model would be the best to advance the Privacy Act. Then in 2016 in a letter to our committee, you said that the adoption of the order-making powers at the federal level on balance would be preferred to the hybrid model.

You went into a bit of detail, but I want to give you the opportunity to go into a bit more on why you prefer the order-making model to the hybrid, and what led you to the decision you're at today.

11:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

First, what is the ill to be solved? The ill to be solved is in part delay, the fact that the current model does not give sufficient incentives for government departments to provide submissions to us, and particularly well-thought-out submissions early on in the process. That leads to delays for the person who should benefit from the intervention of the Privacy Commissioner, the person who makes a complaint. The order-making recommendation is meant to give the complainant a timely response and a final response that will not drag on in the courts forever.

I've dealt with the issue of timeliness. In the current system, departments do not necessarily have to give us full submissions from the get-go. It's possible for them to make their real case before the Federal Court because we can only make recommendations but it is the Federal Court that can actually order a federal institution to do something consistent with the Privacy Act. We have seen cases where departments gave us a set of submissions in our investigation and have then augmented these submissions when they were before the Federal Court. I think that's also inconsistent with the desire to have timely final decisions for the complainant as soon as possible.

These are two issues that order making would try to address. I was originally and I am still of the view that there is a risk with order making as well as with the Newfoundland model that if the Privacy Commissioner has a promotional role, a privacy champion role, and an adjudicative role, these two roles can conflict. Our analysis over the past few months has confirmed that unless you take measures to divide certain functions internally, the courts will likely intervene and say you're not impartial when you adjudicate because you took a position as an advocate that showed how you were disposed to look at a certain issue, and you maintained that position and did not listen to the facts carefully. That's a real risk.

I was concerned with that risk from the get-go. We thought originally that the Newfoundland model could potentially offer a solution but after further review we think that actually the risk is the same whether it's order making or the Newfoundland model, so if the risk is the same, if the mitigation measures, namely division within the OPC, are the same, I'd rather have order making because between the two models it's the one that provides the most direct route, the faster route, for the person we should care about, which is the complainant.

11:20 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

On that note then, do you think that the commissioner's order-making powers should be defined in the act, or do you think instead that a broad discretion is more effective in exercising that power?

11:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It could be defined. It certainly can be defined, and it probably should be defined as meaning that the Privacy Commissioner could make orders that would direct a government institution to do what in the Privacy Commissioner's view is necessary to comply with the Privacy Act. That's ultimately what order making is all about, and of course there would be judicial review by the Federal Court after that, but in terms of administrative process that's what order making would be, so you would need to define that in the statute.

11:20 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

We had a number of the departments in front of us and they expressed a real concern about opening up requests to outside of Canada, in other jurisdictions. In particular, immigration felt they weren't meeting the particular level at this point in time. They were hitting about 60% in terms of their privacy investigations in a timely fashion, and they're worried that this would increase it more.

Have you any comments on that?

11:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I would start from the premise that rights under privacy should not depend on nationality; that's a policy choice. There are already mechanisms whereby even though there is no statutory right, there are mechanisms that I will ask my colleague Sue to explain that get to the same place. Essentially to give foreign nationals a right would codify and give greater stature to a set of rules, which by and large already exist. Would this create more volume and more delays? Potentially.

Sue.

11:20 a.m.

Sue Lajoie Director General, Privacy Act Investigations, Office of the Privacy Commissioner of Canada

For example, a lot of the requests Citizenship and Immigration receives for information that would traditionally be considered personal information requests are handled through the Access to Information Act. Because of some of the wording of the legislation, because the individual is located outside Canada and is not a Canadian citizen, they still have a means to obtaining the information they would need for processing their immigration file. They go through a person present in Canada to represent them and obtain that information. It's unclear how many additional requests opening the Privacy Act to a broader audience would change.

11:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

In other words, to give foreign nationals a right of access under the Privacy Act wouldn't deal directly with what currently occurs indirectly when you have foreign nationals making access requests through agents under the Access to Information Act. If we're there indirectly already, let's do it directly.

11:25 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Thank you, Mr. Jeneroux. We're well over seven minutes.

We will now move to Mr. Blaikie.

11:25 a.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

Thanks.

At least one of our witnesses who was somewhat critical of the idea of conferring order-making power on the Privacy Commissioner said that in part it was because of the quantity of requests you get through PIPEDA. I was wondering if you think that at a certain point a difference in quantity of requests or complaints requires a qualitative difference in response. Do you think that's important, first of all, and second, do you think the office could tolerate a difference in powers with respect to the public function under the Privacy Act and the private function under PIPEDA?

11:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I think at the end of the day, the way in which my provincial colleagues have implemented similar schemes demonstrates that it's only the tip of the iceberg. Only the small minority of cases of complaints lean to order making. Before you get there, you try to resolve, you try to mediate, you try all kinds of things that we would try to do. I don't see why we would have a different experience from that experience in provinces where order making is a necessary tool to use in few cases. It's important to have the tool in the tool box, but in managing the volume of work and the volume of complaints, I don't think that order making would be used in very many cases.

11:25 a.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

In the case of having necessity tests for the collection of information, whether they're related to programs or whether it's a charter test or whatever else, how do you envision the oversight mechanism for that? Is that something your office would do? Would it largely be self-regulated by government departments, and then your office would just get involved if someone were to complain that a government department was collecting information that didn't pertain to a program? How do you see the oversight?

11:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

First, it would start with privacy impact assessments. As government departments developed new programs that require personal information, we would engage with them at the level of privacy impact assessments, before the fact, having in mind this necessity standard to assess whether the way they propose to proceed would conform with that principle.

Once the program was in force and the information was collected, yes, we would be involved based on complaints, as is currently the case. If you agreed with our recommendations, we would be able to order departments to no longer collect or to change their practice, if we think it is not consistent with the necessity test.

Finally, the courts would be there as the ultimate arbiter. They ultimately would define the legal interpretation of the criteria that the OPC would then be bound to follow.

11:25 a.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

In the case of your recommendation for information sharing, that the threshold be that the sharing is necessary as opposed to reasonable, I think, is the difference. Again, I'm just curious how that would work when it comes to oversight. You mentioned a couple of cases, Maher Arar being one, where there was information sharing among governments that had negative consequences. If you were to have that necessity requirement, how do you imagine the oversight happening? Who does it and when, exactly? If the RCMP is getting ready to share information with a foreign government, for instance, do they call up your office and say this is something they're about to do? How does that oversight actually happen?

11:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

First of all, necessity would apply to the collection of information. For information sharing, our recommendation is that there be agreements with certain content, which I won't go into, but necessity is not one of the conditions of our information-sharing agreements. There should still be a link between the objective of the program, the information to be collected, and so on.

Your point is how we would oversee transactions, at the transactional level, for information-sharing cases. First, we would intervene before the transaction occurs, at the policy level, at the PIA level. At the transactional level, if a department wanted to consult us and they couldn't, there's nothing in our recommendations that would require them to consult us on a case-by-case basis. It would occur before the fact, at the policy level, at the content of the agreement level. Then the department would implement the agreement. If somebody felt that this transaction did not have accordance with privacy law, he or she could make a complaint. We would intervene then.

I don't see our interacting with institutions on a case-by-case level once the rules are set.