Information & Ethics Committee on March 10th, 2016

Thank you very much, Mr. Chair.

Thank you to the members of the committee for inviting us to speak today on this very crucial need to overhaul the Privacy Act, and thank you for accepting to look at this issue as a matter of priority in the workings of your committee.

You mentioned my two colleagues. I should add that I'm making a statement today, and we will answer your questions, but we will provide the committee with a fuller submission, with recommendations, in the week when you're back from the break that you mentioned, the week of March 21.

When the Privacy Act was proclaimed on Canada Day back in 1983, it was a development that Canadians could celebrate, as Canada became a world leader in privacy law. Unfortunately, more than three decades have since passed without any substantive change to a law designed for a world where federal public servants still largely worked with paper files. Technology, on the other hand, has not stood still. In the digital world, it is infinitely easier to collect, store, analyze, and share huge amounts of personal information, making it far more challenging to safeguard all of that data and raising new risks for privacy.

Largely in response to those changes, many other jurisdictions—in Canada and around the world—have moved to modernize their laws. It's also important that we move to reform the antiquated Privacy Act to provide Canadians with a law that protects their rights in an increasingly complex environment.

Our recommendations fall under three broad themes: first, responding to technological change; second, legislative modernization; and third, the need for transparency.

Let's start with our first theme: technological change.

Technological change has allowed government information sharing to increase exponentially. Existing legal rules are not sufficient to regulate this kind of massive data sharing. We would therefore recommend that the Privacy Act be amended to require that all information sharing be governed by written agreements and that these agreements include specified elements.

The fact that government departments collect and use ever-greater amounts of personal information has also increased the stakes when it comes to privacy breaches. Over the years, we have seen massive government breaches affecting tens, even hundreds, of thousands of citizens.

We recommend creating an explicit requirement for institutions to safeguard personal information under their control as well as a legal requirement to report breaches to my office.

Let's now move on to our second theme, which is legislative modernization.

We believe that the Privacy Act needs to be aligned with the legal reality of 2016.

Among other things, the law should be amended so that Federal Court review under the Privacy Act is broadened to cover all rights.

Currently, the only cases that may be pursued in Federal Court under the Privacy Act are those involving denials of access to personal information. We cannot pursue cases involving collection, use, and disclosure. Since there can be no right without a remedy, there is a risk that the rights of individuals will go unheeded.

While we are pleased that in the vast majority of cases, government departments do eventually agree to implement our recommendations, the process to reach that point is often prolonged and arduous. So how do we speed up the process?

I am not seeking order-making powers at this time. In my view, increasing the scope of court intervention would offer an adequate protection of rights. I would suggest that adopting a new approach recently enacted in Newfoundland and Labrador’s access and privacy law should help bring more rigour and speed to the process, while maintaining the informality of the ombudsman model.

In Newfoundland and Labrador, on receipt of the commissioner’s recommendations, a public body in the province must either comply or apply to court for a declaration that they do not need to take the recommended action. This creates an incentive for government to respond to complaints in a more timely and disciplined manner, without creating the costs of a more formal adjudicative system. Such a system could reduce the risk that some may perceive a conflict between the commissioner's roles as impartial tribunal and privacy champion.

Another key recommendation to ensure adequate regulation, in an environment where technology makes possible the collection of massive amounts of personal information, is an explicit necessity requirement for the collection of personal information. This change would protect against excessive collection and align the Privacy Act with other privacy legislation in Canada and abroad.

We also recommend the creation of a legal requirement for institutions to conduct privacy impact assessments and to submit them to my office for review. New information sharing agreements should be similarly submitted. The use of PIAs by institutions, as well as their timeliness and quality, have sometimes been uneven. A legal requirement would ensure PIAs are conducted in a thorough manner and completed before new programs are launched or when information management rules of existing programs are substantially modified.

Additionally, there should be an obligation on government to consult my office on bills that will affect privacy before they are tabled in Parliament.

Finally, to ensure we do not again have a badly out-of-date law in the future, it would be useful to add a requirement for ongoing parliamentary review of the Privacy Act every five years.

Our third and final theme is enhancing transparency.

An important component of transparency is providing individuals with access to their own personal information. As the Supreme Court of Canada has affirmed several times, the Access to Information Act and the Privacy Act should be seen as a “seamless code”. Privacy is an important enabler of transparency and open government by providing individuals with access to their own personal information held by federal institutions. At the same time, though, privacy is also a legitimate limit to openness if personal information risks being revealed inappropriately. For these reasons, I commend the committee for its decision to consider the two statutes together.

One important transparency measure would be to allow my office to report proactively on the privacy practices of government. Reporting to parliamentarians and Canadians only once or twice a year on how the government is managing privacy issues through annual or special reports to Parliament is, in our view, inadequate. We would like to be in a position to share this information in a more timely way.

I would also suggest extending the application of the Privacy Act to all government institutions, including ministers' offices and the Prime Minister's Office. While the Privacy Act may not the best instrument to do this, Parliament should also consider regulating the collection, use, and disclosure of personal information by political parties.

As well, I support extending the right to access personal information held by federal institutions to all persons, rather than only Canadians and those present in Canada. We favour maximizing disclosure to those whose information is at stake, subject to exemptions that are generally injury-based and discretionary.

Canadian courts have been clear that where privacy and access rights conflict, privacy will take precedence, although this is not absolute.

The Privacy Act already permits the disclosure of personal information where, in the opinion of the head of the institution, the public interest clearly outweighs any invasion of privacy. This form of public interest override, in our view, strikes the right balance between privacy and access.

Again, I wish to thank the committee for undertaking this critical work, which I hope will lead to a modernized law that protects the privacy rights of all Canadians. I look forward very much to answering your questions today and helping the committee in any way that the office can provide in your critical study.

As I said in my remarks, the Supreme Court has already held that the two pieces of legislation should be seen together as a seamless code. What does that mean specifically? Certainly, both statutes provide a right of access. In the case of the Access to Information Act, access to general information held by the federal government and its institutions, and in the case of the Privacy Act, a right of access to personal information held by the same institutions. That is a very important common element.

In both statutes, there are provisions that call for certain exceptions or exemptions to that right, to protect certain interests: law enforcement, international relations, etc. The right of access and the exceptions to the right of access are extremely similar in the two pieces of legislation, and I think that is the core of what the Supreme Court is referring to when it says the two acts constitute a seamless code.

If you amend the right of access or the exceptions in one act, normally you should do the same, or certainly you should consider whether to do the same, in both pieces of legislation. My colleague, the Information Commissioner, also has a number of recommendations that have to do with coverage, i.e., which institutions should be covered by the Access to Information Act.

I think that, if you change coverage in one act, you should at least consider whether to amend coverage in the other act. This would deserve some thinking and consideration, but I am inclined to think that if coverage is extended in one piece of legislation, it might not work very well if the same decision is not made for the other act.

However, there are limits to the seamless code idea. For instance, it is not obvious to me that if one commissioner has order-making powers, the other commissioner needs to have the same powers exactly. I could envisage the two acts working differently on that point. It might be desirable to let the acts work in the same way, but it might not be necessary. Certainly, for right of access and exceptions, and most likely for coverage.... On other issues, there might be room for separate decisions on the two pieces of legislation.

Bill C-51, whose short title is the Anti-terrorism Act, 2015, had a number of parts. The first part pertained to the sharing of information between federal institutions, including personal information held by federal institutions. Such information can now be shared between government departments and 17 agencies that have specific responsibilities for suppressing or detecting terrorism. What Bill C-51 does is allow all federal departments to disclose personal information to these 17 agencies if it is relevant to detecting or suppressing terrorism.

We had concerns about the lack of comprehensive oversight mechanisms and the evidence threshold for sharing information, among other things.

I understand that the government plans to introduce a bill or conduct a study to review Bill C-51. We think that is an excellent idea.

The purpose of Bill C-44 was to give the Canadian Security Intelligence Service, CSIS, explicit authority to operate outside Canada. Before this bill was introduced, CSIS exercised its powers in Canada. Bill C-44 enabled CSIS to extend its activities outside the country. CSIS and the government were of the opinion that this was already provided for implicitly. Bill C-44 authorized it explicitly. The bill more explicitly authorizes information sharing between CSIS and similar agencies in other countries.

The concern we raised had to do with the risk of human rights violations, depending on the countries to which this information would be disclosed. We recommended that steps be taken to control this information sharing in order to avoid torture, for example, in the worst-case scenario.

Bill C-13 had to do with online crime in general, but amended the other law that my office administers, the Competition Act, to allow private companies to give information to police in investigations where electronic documents or personal information could be relevant. That applies in the case of online crime, but also more generally.

We had some concerns about that as well. We felt that the scope of the bill was too broad and that some provisions might not comply with a recent Supreme Court decision in Spencer, which provides for protection of some metadata when people use the Internet to share personal information.

We can receive complaints, but yes we can initiate a complaint when there are reasonable grounds to do so.

Just to be clear, we're talking about what is found in the mandate letters of certain ministers on the issue of open data.

Yes, the statement was found in the platform of the now governing party and perhaps, if I'm not mistaken, in the mandate letters of certain ministers.

Here, we're into one of the themes on the reform of the Privacy Act, transparency. I wholeheartedly agree with the objective of a more open government and more transparency. In the context of the Privacy Act, the most important manifestation of this is that the act should be clarified and amended to provide for more access, to circumscribe the exceptions to the extent possible.

What you referred to is less on the issue of law and principle, it's more on the question of pragmatic and practical access by people to information. Again, I applaud any initiative that would provide easier access by citizens to their personal information or to other information under the Access to Information Act.

We haven't been consulted on how this would actually occur in practice, so I applaud the principle and objective, but I'm not sure exactly what the government has in mind in terms of how to make this work in practice. I would suggest that perhaps you would wish to put these questions to Treasury Board officials if they appear before you.

It's the government that has the lead in determining how this will happen in practice and Treasury Board will provide you with more information than I can provide.

Public education is a statutory obligation that my office has under the private sector legislation, PIPEDA. There's no corresponding provision in the Privacy Act. We undertake some training of government officials, for instance, on how to apply the Privacy Act, but we do not have a statutory mandate, a legal mandate, under the Privacy Act to undertake public education activities.

We think there is just as much of a need to educate the public in terms of how the government complies with its obligations as there is in relation to the private sector.

Canadians, when we ask them through polls, are of the view that the sensitivity of the information that they give to government...The fact that when you're dealing with the private sector, there is an element of consent and choice that does not exist with the government for the most part. For example, if you want a service, you must provide certain information. Canadians expect as much in relation to government as they do for the private sector.

There are two things here. For minister's offices and the Prime Minister's Office, the Privacy Act is the correct instrument to regulate the handling of personal information.

When you look at the coverage of the access and privacy acts, I would come at it from the perspective that there's currently a list of departments and institutions that are part of the executive branch that are covered by the Privacy Act. As a general rule, the entire executive branch and all government institutions should be covered by the Privacy Act, including minister's offices and the Prime Minister's Office.

On the question of political parties, I'm coming to that conclusion because coverage is an issue that is before you, so who should be covered who is not covered? There has been a lot of discussion and concern about the fact that the collection and use of personal information by political parties is currently unregulated. Canada is one of the few countries in which this is so. Canada and the U.S. are the outliers here. In most other countries, the personal information managed and collected by political parties is regulated in some manner by law.

I don't think the Privacy Act is the right instrument because it's essentially designed for the management of information by a government department. Many of its provisions are drafted with that in mind and political parties do not operate in the same context.

However, I will take this opportunity to say that in terms of coverage, if there's one institution where there is a gap in terms of regulation, and that needs to be remedied, it would be political parties.

That is a very complicated issue involving two extremely legitimate but conflicting interests.

The issue has come up in the case of Apple, but it could just as easily come up in Canada. The specific issue has to do with companies like Apple that produce telephones and computers where data are encrypted.

On the one hand, encryption is extremely important in protecting personal information.

On the other hand, private companies obviously have to be subject to the law. This case has to do with producers of telephones and companies that provide communication services. These companies are governed by law. Ultimately, the law applies to them.

Legislators need to ask themselves a fundamental question about law enforcement bodies. In this case we are talking about Apple versus the FBI, but we could be talking about Canada's police forces or Parliament. In practical terms, if law enforcement bodies want access to information that is encrypted and difficult for them to access, the law could cover that. Is it a good idea to have a law to force companies to decrypt information if that removes protection that is generally essential to people?

It is a complex issue. We need to be very careful before we go ahead and legislate on such issues.

I start from the principle that information collected by political parties will, for the most part, be quite sensitive personal information because it goes to political opinion. We don't explicitly refer in Canadian law to what is referred to explicitly in Europe as the distinction between general personal information and sensitive personal information. Nevertheless, political opinion is obviously very sensitive personal information.

I think it's wrong that the management of that kind of sensitive information is unregulated. Do I have examples of wrongs committed? I don't know. We can't investigate. We don't have the jurisdiction to investigate. I'm starting from the premise of the sensitivity of the information that is unregulated. Why is it unregulated? Because parties fall in between the Privacy Act and PIPEDA. They are not government institutions, but they are not commercial institutions. If they were either of the two, we wouldn't be talking about this. They fall in between.

I'm not asking for it; I'm not rejecting it. I'll say that in British Columbia my equivalent colleague does have jurisdiction over political parties under the equivalent of PIPEDA, the private sector legislation in British Columbia. So it's certainly an option.

I'm not asking for this. There might be others who would be able to do this. We have expertise in terms of privacy that would make us one of the candidates to have that mandate.