Evidence of meeting #32 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was departments.
A recording is available from Parliament.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
In defining the recommendation, would the discretionary exemption still be one-offs, or would you write them in a specific way?
Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch, Office of the Privacy Commissioner of Canada
Currently, the act provides for a balancing test, with oversight from our office. On a transactional basis, if personal information is disclosed in the context of an access to information request, we will be informed of that. We can't overwrite that—that is a ministerial discretion. However, we could intervene if we think the individual should be informed of that disclosure before the disclosure actually happens.
One of the basic principles of our office is that we should look at these on a transactional basis, because the weighing of the factors will be very different on a case-by-case basis. There's not a class exemption, for instance, for personal information. Those should be treated on a case-by-case basis.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
In terms of the recommendation, then, is it a drastic change from what has been in place before? I'm trying to understand it. It sounds to me like the discretion and the injury-based notion of exemptions already exist. Is this something further, just to be clear on it?
Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch, Office of the Privacy Commissioner of Canada
I think the recommendation is that where there are exemptions in the act to access to personal information requests, those should be injury-based as a starting premise. With respect to the Privacy Act exemptions, for access to personal information requests, that's the general principle that we're putting forth as the default.
Liberal
The Vice-Chair Liberal Joël Lightbound
Thank you, Mr. Bratina.
Mr. Therrien, if I may, a have a few brief questions for you.
I know this does not relate specifically to the Privacy Act. I did, however, like what you said earlier to Mr. Massé about metadata. We have seen in Mr. Lagacé's case, for example, that the courts were involved. A judge issued a warrant. In your opinion and based on your expertise, what would be the best legal avenue to regulate this metadata and access to it?
I have a second question as well. In your opinion, would it be helpful to include a definition of metadata in the Privacy Act to ensure that it is treated as personal information?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I'm not sure I have a specific answer to your question as to what the criteria should be.
Let will begin with the following. Apart from the story that was reported in the media this week, another case was heard in an Ontario court a few months ago. The telecommunications companies complained that the police had access to metadata of a very large number of people who went by a specific location. There was a telecommunications tower which made it possible for data to be transmitted to the police, to which it could have access under a warrant. The telecommunications companies asked the judge to establish conditions in the warrant in order to protect privacy.
The judge ruling on the case stated—and I think this was correct—that he did not have the legal tools to do what the companies were asking, including establishing a period of time during which the police could keep the data obtained under the judge's warrant.
In my opinion, the courts recognized that, even if they wanted to impose conditions on obtaining or keeping metadata, the current legal regime is not clear enough to give them these tools or to impose such a condition. This raises the question as to whether such conditions should be added.
What should the criteria be? I do not have a specific recommendation apart from what we have discussed thus far about criteria such as necessity, proportionality, that only the information needed for a police investigation is obtained under the warrant, that this information is kept only for the time necessary for the investigation, and so forth.
The basic principles of necessity and proportionality seem appropriate to me. How do we articulate this as specifically as possible in the laws that empower judges to authorize the police to access certain information? I do not have a specific recommendation for you. Clearly, we are talking about provisions of the Criminal Code pertaining to orders to keep or produce information. First, the current criteria require court intervention, which is a good thing. Secondly, the criteria are rather lenient. I think we should question whether judges should be empowered, based on the case before them, to give the police the authorization requested and to set conditions to protect privacy.
Should metadata be defined in the Privacy Act? That would be helpful.
Is it in the Privacy Act? We know that the collection, use and sharing of metadata is not authorized under general privacy legislation alone. We would have to find a way to ensure that the definition and the rules surrounding collection, use and sharing—which is the crux of the matter—apply in all cases where such information is used.
I am not pleading here for standardized rules. I recognize that these activities depend on the context. The collection of data for the purpose of identifying risks to national security, the work of the CSE, the Communications Security Establishment, is one context, and the work of the police in a criminal investigation is another context where protections are generally higher.
That said, the applicable rules should certainly be indicated, in a general way. Moreover, the applicable rules should depend on the context.
Liberal
The Vice-Chair Liberal Joël Lightbound
In one of your recommendations, you say that the government should consult you before it implements laws or regulations that have an impact on privacy.
Do you think that your recommendations, further to this consultation, should be made public?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Absolutely.
I think we should intervene as early as possible, specifically to reduce risks to privacy. Such a system must not, however, create the impression that the OPC is advising the party in power in one way and advising the other political parties differently. In exercising this responsibility, it is extremely important for us to be seen as acting impartially.
Liberal
The Vice-Chair Liberal Joël Lightbound
Thank you.
That is the end of my questions and of our meeting, Mr. Therrien, Ms. Lajoie and Ms. Kosseim.
We will suspend now and resume in camera to discuss committee business.
Thank you again for appearing before the committee.
[Proceedings continue in camera.]