Evidence of meeting #5 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was privacy.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Sue Lajoie  Director General, Privacy Act Investigations, Office of the Privacy Commissioner of Canada
Patricia Kosseim  Senior General Counsel and Director General, Legal Services, Policy and Research, Office of the Privacy Commissioner of Canada

9:40 a.m.

Conservative

The Chair Conservative Blaine Calkins

I appreciate that. Thank you for that clarification.

In your remarks, under legislative modernization you have a recommendation that there should be an obligation on government to consult your office on bills that will affect privacy before they are tabled in Parliament.

You are aware, of course, Commissioner, that there is already a substantive legal opinion and legislative process for the drafting of legislation. You explicitly said “government”. I would like some clarification on what part of the process, whereby a bill already goes through the legislation drafting process and goes through checks for constitutionality and all of these other types of checks, your office would fit in with.

I would also like clarification as to whether, when you say government, you actually mean members of Parliament as well, because not all legislation that's tabled in the House of Commons is tabled by government. Every member of Parliament who is not a member of the executive has the right to table private member's legislation. We have the resources of Parliament, but we don't necessarily have the resources of government to do some of these things and we are sometimes under very stringent timelines to get our legislation tabled before Parliament. This would be a layer added on that would lengthen that process in certain instances.

Could you give me some clarification on that? I just want to protect the rights of parliamentarians, making sure that they can table legislation.

March 10th, 2016 / 9:40 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We certainly do not want to be in the way of parliamentarians wishing to table legislation. What we're asking for is an obligation to be consulted.

I'm coming from the standpoint of prevention of privacy violations. The current act is in large part curative. If there is a breach, an individual can complain; we investigate and we make a recommendation to remedy a breach of privacy that has occurred. Both this particular recommendation and the recommendation to make it a legal requirement to proceed with privacy impact assessments, for instance, are meant to facilitate prevention of privacy violations by ensuring that when programs are adopted, privacy impact assessments are sent to us so that we can give advice, or that when legislation is conceived—by the government, but I think it would apply to parliamentarians as well—the views of the Privacy Commissioner's office are sought.

We would not be an impediment. We would give views. The government is free to table legislation, and parliamentarians would remain free to table legislation. We think we have value to add to this process so that new rules, new programs, or new legislation receives advice from our office to mitigate privacy risks.

9:45 a.m.

Conservative

The Chair Conservative Blaine Calkins

Rather than during the legislative review process, such as when appearing before a committee, wherever legislation would be potentially impacted you would want a preventative or advisory role up front in the drafting of the legislation, would you?

9:45 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It would be not “rather than” but “in addition to”.

9:45 a.m.

Conservative

The Chair Conservative Blaine Calkins

We'll go to Mr. Erskine-Smith for five minutes, please.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

My first question relates to damages and penalties. Under PIPEDA, in the context of sections 14 and 16 working together, there is a role for damages. Is that a model we'd look to under the Privacy Act? Is there a particular damages or penalties model that you would recommend?

9:45 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'll turn it over to my colleague in a second. I'll say as a preliminary remark that one of our recommendations is to extend the jurisdiction of the Federal Court so that the court is competent to deal not only with access cases but with all rights, including collection, use, and disclosure. I think it's important that all rights conferred by the act be the subject of remedies in the Federal Court.

You're now into the question of what kinds of remedies, and I'll ask my colleague to answer.

Patricia Kosseim Senior General Counsel and Director General, Legal Services, Policy and Research, Office of the Privacy Commissioner of Canada

You've pointed to section 16 under the private sector legislation, which provides a good model of the array of remedies a court could order in the event of contravention of the act—in that case PIPEDA, but there is no reason that it wouldn't apply in the case of the Privacy Act as well—by way of an order to do something, an order to stop doing something, an order for damages, or an order for a publication of a notice of any action taken or proposed to be taken to correct practices. All of those are applicable in the public sector as well.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

One of the previous recommendations and your current recommendations is a mandatory breach notification. Can you give us some examples of where the government has failed to notify? Is this a real problem that we are facing? Why this recommendation?

9:45 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

First of all, as was noted by the chair, in 2016 the government collects and handles a mass of information, so there is a need for obligations to safeguard that information. Currently, that is the subject of government policy, not legal obligations per se. There is a policy obligation imposed by the Treasury Board on departments to notify both the Treasury Board and the Office of the Privacy Commissioner when there is a significant breach of personal information, and this is a good thing. What we note, though, is that there are certain departments we never hear from, or the quality of the notifications given is at best uneven. It is a good start to have this as a policy obligation, but we think that, point one, making it a legal obligation would improve the quality, and point two, making this a legal obligation is the norm in almost all other jurisdictions, either provincially in Canada or internationally. That is the norm.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

A number of my colleagues have asked about the Newfoundland model. In my experience with courts, if the applicants, in this case the government, are seeking a declaration that they do not need to take a particular action, there is no particular pressing need for them to pursue the application expeditiously. Is there not a worry that there are going to be delays here? If it is the applicant who wants information, there is an incentive to speed the thing up, but if the applicant is the government.... Maybe the Newfoundland model is too new and we don't have this experience on record, but is there not a worry that the government wouldn't pursue that application with haste?

9:50 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We would have to look at the specific statute. We can get back to you. Of course, there would be ways to mitigate that risk. What happens if there is a recourse before the court? Is the recommendation applied in the meantime or not? Is there a mechanism whereby the court would be seized with this issue quickly? There is the issue of delays in the court system. There is a potential risk there, and perhaps we could get back to you with some thoughts on that issue.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I would appreciate that.

On my last question, the chair delved into this a bit. At one point you suggested that all shared information should be governed by written agreements with specified elements as between government institutions. Obviously, with PIPEDA there is a consent to a particular use. If you are going to share that information beyond, from one organization, you need further consent, if it is not consistent with that initial use. Is that what you are getting at here? What would be an example of a specified element pursuant to one of these agreements?

9:50 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Consent is a different matter. Consent under the Privacy Act is also grounds for permissible disclosure. What we are dealing with here are the other provisions of section 8, which authorize disclosure other than consent, including consistent use. The elements that we have in mind, at a minimum, would be these: What is the personal information, exactly, that is being shared between the two institutions? What is the purpose? Beyond a consistent purpose, what is the specific purpose for which the information is being shared? Are there some accountability measures as to who actually decides, and what kind of information exists to ensure we can monitor this after the fact? We cannot regulate in the same way all sharing of information between all departments, so agreements would have certain minimal content, which I described, but the rest would be up to each agreement.

9:50 a.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much, Mr. Erskine-Smith.

We now have Mr. Blaikie. Do you want to use your spot here at the end?

Daniel Blaikie NDP Elmwood—Transcona, MB

Yes, thank you very much, Mr. Chair.

I am hoping to move the motion that I served notice of the other day, and I think it would be nice to have that motion dealt with in the public portion of our meeting. To be mindful of our witness, I would be willing to cede the floor to have him dismissed with thanks for his presentation so that he doesn't have to be here for the debate.

9:50 a.m.

Conservative

The Chair Conservative Blaine Calkins

We have Mr. Therrien here until about quarter after, so why don't we allow you an opportunity to move your motion right after that time is up? I'm guessing that's going to be sooner rather than going to the full length.

Daniel Blaikie NDP Elmwood—Transcona, MB

That sounds great. In that case, I'll ask a very quick question for our last couple of minutes together.

One of the things that came up with the Information Commissioner was the need for an oversight role, so that when claims for access are made and a decision is taken not to disclose certain information, it would be important to have a third party evaluate that decision by seeing the information.

I wonder if there's any kind of corresponding situation on the privacy side. Are there cases where governments make decisions about personal information where it would make sense to have them be reviewed? Currently, you don't have the power to step in and assess the integrity of that decision.

9:50 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Are you referring to things like cabinet confidences, for instance? I'm not sure I get—

Daniel Blaikie NDP Elmwood—Transcona, MB

Maybe there's a substantial enough difference between the two acts and the nature of those requests such that this question is misguided, but that would be the case on the information side, yes. Something is said to be a cabinet confidence and the Information Commissioner doesn't have the ability to go in, look at that information, and then say that in fact it makes sense to refuse that request.

Is there anything comparable on the privacy side that we should be considering as part of the review?

9:50 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I think we're talking essentially—maybe not completely but essentially—about cabinet confidences. Under both statutes, the fact that information is protected by cabinet confidence is grounds to actually exclude the information from the application of one or the other statute.

I understand that this would in practice be more of a problem for my colleague, given the nature of the information. It would be rare that personal information affecting a citizen would be the subject of a cabinet confidence, whereas it would be very frequent in the case of more general information.

That's a long answer to say that the same provision applies in both statutes. In practice, that is not really a problem for us because of the nature of the information.

Daniel Blaikie NDP Elmwood—Transcona, MB

Thank you.

9:55 a.m.

Conservative

The Chair Conservative Blaine Calkins

That uses up those three minutes. Is there anybody else who has questions?

I'll start with Mr. Saini. I don't know if we need a specific amount of time, but if we start going on for 10 to 12 minutes, then I'll move on to someone else.

Raj Saini Liberal Kitchener Centre, ON

In terms of your brief and the report you've published, you brought up some global privacy concerns. In that report, you stated that there were some successes with other global partners. You had success in dealing with data breaches. You gave the examples of Adobe, Globe24h.com, and the issue with unsecured webcams.

I know that there was a meeting in Mauritius where you discussed all these things, and there was a consensus, a comprehensive agreement that was reached, which was supposed to be put in place in October 2015. There are roughly 200 countries around the world. I'm sure that not every country signed that agreement. You gave the example of Globe24h.com, a company in Romania that showed some legal analysis produced here in Canada.

We're living in an interconnected world. I have two questions for you. Number one, can you tell me how many countries signed that agreement in Mauritius? Number two, what recourse do we have with regard to those countries that are not party to that agreement? What can we do as a country to make sure that data in Canada, for Canadians, is not given to other countries?

You've indicated that there are certain countries that you have these agreements with, such as the U.K., Australia, and now Romania. I'm sure there are countries that we don't have that agreement with, so how do we deal with that in terms of the data of Canadians?

9:55 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'll give a partial answer due to time considerations because that's a huge issue. Here we're talking about regulation of personal information in relation to the private sector, not the government. This is not the Privacy Act; this is PIPEDA.

Regarding the agreement in question, its value is having a template that can be used by any country, any member of the international conference of privacy commissioners, who wants to use it as opposed to the previous scenario where agreements were bilateral. We had a number of bilateral agreements before. Now we have this global arrangement that is accessible by commissioners. We will give you the exact number of countries in writing after. At this point, there are around 10 countries, so it's certainly not the whole globe.

What do we do when information is at risk in a country where we have no agreement? We can negotiate an agreement with that country if need be. It would be a matter of whether the co-operation that we're seeking in these agreements is co-operation with another privacy commissioner or data protection authority. Depending on the country, that other commissioner may or may not have a system such that we really want to co-operate, so that would be one consideration. That's the international framework.

I'll leave it there. There's much more to say, but I'll leave it there.