Information & Ethics Committee on Sept. 18th, 2017

Thank you very much, Mr. Chair, for the invitation to appear before you today on your study of the border.

Privacy rights and the border must be considered in context, and an important element of context is that trade is, of course, important to Canada. This means that smart controls for border goods and data, as they move across borders, are required.

One topic of discussion flagged for your current study relates to screening and searches by Canadian border services officers. As you know, the powers of border officers are quite broad. They may question travellers, collect biometric information for identification purposes, as well as examine, search, or detain any goods.

As for searches of the person, they may also conduct pat-down searches and frisks, take X-rays or body scans, and they may even demand strip searches or body cavity examinations. All searches of persons require reasonable grounds to suspect some legal contravention, particularly the concealment of goods or of anything that would present a danger to human life or safety.

For their part, electronic devices have historically been considered as goods by the CBSA. Paragraphs 99(1)(a) and (c) of the Customs Act allow for examination, opening, and taking samples of goods without grounds. These provisions apply to materials both entering and leaving Canada. In addition, under existing charter jurisprudence, greater latitude is given to state authorities at the border to enforce sovereignty and territorial integrity and to regulate immigration.

At the same time, though, the Supreme Court has found in many other contexts that searching of electronic devices is extremely intrusive. Therefore, while the law is not settled, I think it is clear that Canadian courts would find that groundless searches of phones, of cellular devices, were unconstitutional even at the border.

The idea that electronic devices should be considered as mere goods and therefore be subject to border searches without legal grounds is clearly outdated and does not reflect the realities of modern technology. This may well be why Canada's policy is more nuanced than what the Customs Act may allow.

Under CBSA policy, specific grounds need to be satisfied, namely that “evidence of contraventions may be found on the digital device or media”. I think that policy is wise, but it should in my view be elevated to a rule of law in the near future.

Another border issue of note concerns Bill C-23, which is now before the Senate. Bill C-23, the pre-clearance act, 2016, would implement the 2015 agreement on land, rail, marine, and air transport pre-clearance between the Government of Canada and the Government of the United States. This would provide for pre-clearance activities on the part of the Canadian and U.S. customs officials to take place at various points of entry on both sides of the border.

I've raised concerns about U.S. announcements to search the electronic devices of any and all aliens who seek to enter the U.S. These searches will be at their discretion and without specific legal grounds other than generally to protect homeland security.

Bill C-23 establishes that U.S. pre-clearance officers in Canada are subject to Canadian law as they perform their duties or exercise any powers. The Canadian government reminds us that this would include the Canadian Charter of Rights and Freedoms, the Canadian Bill of Rights, and the Canadian Human Rights Act. However, these protections are somewhat hollow, as they would be severely limited by the principle of state immunity, meaning that they could not be enforced in a court of law.

It should be noted that under Bill C-23, searches of persons, including relatively non-intrusive pat-down searches, require “reasonable grounds to suspect” in order to be carried out by U.S. officers in Canada. In my view, searches of electronic devices can be much more intrusive than these frisk searches.

As I recommended in the context of the study of Bill C-23, border searches of electronic devices should require reasonable grounds to suspect, the same threshold that applies to searches of persons.

This past spring, I informed you of my correspondence with the three appropriate ministers regarding the executive orders of the new U.S. administration, issued earlier this year. Measures like these clearly have a material effect on the privacy of many citizens, given the scale of tourism and business travel to the United States.

One order would specifically exclude non-U.S. citizens and lawful permanent residents from certain privacy protections.

Upon review, I have concluded that, while Canadians have some privacy protection in the United States, that protection is fragile because it relies primarily on commitments or administrative agreements that do not have the force of law, for instance the Five-Eyes Agreement and the Beyond the Border Agreement with the United States.

I have therefore called upon our government to ask their U.S. counterparts to strengthen privacy protections for Canadians. This could be done, for example, by adding Canada to the list of designated countries under the U.S. Judicial Redress Act, which would extend some of the protections conferred by the U.S. Privacy Act to Canadians, as they are in place for citizens of several European countries.

We have also asked the government for assurances that the protection afforded by Canada-U.S. administrative agreements will continue despite the order and to be advised of any changes that may adversely affect the privacy of Canadians. We understand that the findings have now been compiled and a response is forthcoming.

Let us turn now to the information-sharing agreements with the United States.

Generally speaking, we have spent considerable time on border issues and information-sharing in the past several years, in particular, the Beyond the Border initiatives with the United States. To date, we have provided feedback on close to fifty separate privacy impact assessments (PIAs) on just these programs alone. Through these exchanges, we have made a series of recommendations to the CBSA and various other federal departments implicated in expanding information exchange and other border-related processes.

Overall, we have been pleased with the level of consultation and the improved quality of privacy analysis undertaken by agencies involved with border security.

That said, we still have concerns over issues such as retention periods applicable to data collected from travellers and the risk that data collected for border purposes is then used for secondary purposes.

Both of these issues were found to be problematic from the point of view of European law, in a recent judgment of the European Court of Justice on the Canada-EU API/PNR Agreement.

In closing, as people, goods and data move across borders more frequently, it is important that Parliament ensures that we have the appropriate rules in place to respect individuals' privacy. The importance of the rules has been recognized historically in relation to the search for persons. In my opinion, it is time to extend these safeguards to electronic devices.

Thank you for inviting me and I look forward to your questions.

I did.

It's quite a broad-ranging question.

Oh, oh!

Of course, the first thing to say is that states are sovereign, including the United States of America, so in the comments that I've made in my opening remarks, I call on the Canadian government to take certain measures to protect the privacy of Canadians, first and foremost, in devising appropriate laws that protect the very sensitive information found in electronic devices—that's Canadian domestic law—and to the extent possible, in the pre-clearance agreement.

But at some point, a Canadian who wants to visit the United States either for tourism, business, or other reasons will come up against U.S. state authorities, and the U.S. is free to adopt the rules that are in their interest in order to protect their safety. That, apparently, means in part that U.S. border officials.... If you just set aside pre-clearance, if a Canadian wants to go to the United States and comes across a border officer, either inland at the border or at a U.S. airport, that person may be required to provide the password to their cellphone.

I don't think that is protective of privacy, but it is within the powers of the U.S. government to impose that rule. We may come into what that means in terms of a prudent approach by a Canadian who will face that situation, but you're now talking about U.S. laws and practices. The U.S. is competent and has the authority to impose these rules. I don't think they're good rules, but these are the rules that apparently will be imposed on travellers.

You're bringing in the private sector angle with your reference to the FCC changes and whether information collected by the U.S. government could be sold. I haven't analyzed this in any great detail. Certainly, following the executive order of President Trump that limited, if not eliminated, privacy protection for non-Americans, we were seized with, of course, concerns by Canadians. We looked at the situation of whether Canadians are protected. There are no laws to protect Canadians, but there are a number of administrative agreements that, until rescinded, do provide some protections. Among these administrative protections is an order made by then-president Obama that provides similar protections to non-Americans in regard to the activities of the NSA, particularly what the U.S. government does with information intercepted in the name of foreign intelligence.

I'm giving you the grande ligne of the rules that are applicable. There are still remaining administrative protections in the U.S. Of course, they are administrative protections and they could be rescinded tomorrow by the U.S. administration, but there are still, at this point, a number of administrative protections for Canadian citizens.

It would certainly be easier, but it is a well-known fact that there are important differences of approach between the United States and Europe with respect to privacy, so I don't think that this will happen any time soon, which puts Canada in a difficult position, obviously.

I've asked that certain legal protections be given to Canadians. For instance, asking the U.S. government to add Canada to a list of countries to which protection is given under the Judicial Redress Act would not be the whole way to having a tripartite regime, but there are steps. My point is that there may be steps along the way stopping short of having a tripartite privacy protection regime as between the EU, the U.S., and Canada.

A good number of European countries, more than 20, are on that list, essentially because of pressures put on the United States by European states along the lines of the conversations they are having with the U.S. that led to the privacy shield. All these issues are related, and it is not a benevolent act by the U.S. to have designated certain European states on that list. It's because pressure was put to bear on the U.S. by these European states. That could be an approach for Canada.

I can undertake to give you these numbers. I don't have them right now, but we don't have a very large number of complaints on these issues. The announcements of a few months ago about new U.S. government practices with respect to cellular devices led to a handful of complaints. Before that we had fewer than 10 complaints on border issues altogether. Our trends will not be based on very many complaints.

Yes.

I would certainly advise Canadians to limit the number of devices they bring to the U.S. and to review and limit the information that is found on the devices they're bringing with them to the United States. I think it would be prudent to see whether you could leave in Canada on local devices, your home computer and whatnot, information that you want to keep and that you may not need in the United States.

Another potential measure would be if professionally you need information in the United States, say information protected by solicitor-client privilege or other legal privileges in Canada, and you don't want it to be reviewed by U.S. customs officers, you may want to put it on a secure part of the cloud, for instance, so that it's retrievable once you are in the United States and you can access it then. In short, think hard about what kind of information you want to bring with you in your electronic devices as you cross the border because we have heard that information can be required by U.S. customs officers. It's prudent to act accordingly.

The announcement made by the U.S. administration is that they can require information found on your devices for no legal grounds other than an understandable desire to protect homeland security, but with no legal grounds whatsoever. That applies to everyone and anyone, and it applies regardless of the security measures you have on your device. They say, “If you are to enter the United States, we can require that you give us your password or whatever security mechanism exists between us, the border officials, and the information we want to look at.”

The European court looked at a very specific program, a draft agreement between Canada and the EU having to do with the transfer of certain types of passenger information between Canada and the European Union. It dealt specifically with that information, although lessons can be learned about other border control programs. The judgment itself had to do with that specific program.

They tell me that the U.S. has provided them with some information and that they will send it to our office shortly.

As a matter of law, yes.

I say yes, as a matter of law. Of course, the border could not be managed if everyone were to be searched, but as a matter of law, yes.

It's subject to diplomatic relations.

Yes.

The basis on which the U.S. has designated countries on that list has less to do with the security of information for Americans. Actually, it's the other way around. Europeans, of course, have strong privacy laws, and they have put pressure on the U.S. government, saying, “You should protect the information of our citizens—Poland, etc.—in an adequate way; otherwise, we will not share information with you.”

I do not know whether the Canadian government has asked, but certainly Canada could ask.

The fact that we are an important trade partner for the U.S. is obviously a relevant consideration.

It starts with what kind of risk tolerance you have about your information being looked at by U.S. customs officers. There's a personal assessment to be made. For instance, if there's privileged information on your device, then obviously you have a higher responsibility to protect that information. My point is to think about what you're exposing your information to and limit the amount of information that you bring to the U.S., because it may be acquired by customs officers.

It could be shared.

It's certainly possible.

We have received a complaint some time ago from an individual. This had nothing to do with electronic devices, but somebody was refused admission to the U.S. based on the fact that they had called 911 in Canada during an event of trauma. The person was considering suicide, and that was the reason she was refused admission to the United States. It's a bit similar to your example about a health condition that can lead to the refusal of admission to the United States based on such information.

If it's not physical, you're now into interception of communication territory, which has different rules.

As you say, these devices contain a lot of sensitive information. We should be very concerned. The law allows U.S. officers to collect anything they essentially want because there are no legal grounds for their actions. To be realistic, I made a distinction with Mr. Cullen about the law and the practice. Customs officers do not have the resources and cannot review the content of the devices of every traveller who comes across the border. That in a sense is an element of context, but as a matter of principle, I think it is right to say these devices contain a lot of very personal information, very sensitive information. When the law, including Canadian law, continues to treat the content of cellular devices as goods, as a cardboard box, as a piece of clothing, it is just not realistic.

You're talking about information collected about travellers by Canadian border officials?

Retention is obviously an important issue, but I'll start by saying that it is legitimate for Canadian border officers and, for that matter, U.S. border officers to collect some personal information to determine whether the person who wants to be admitted should be admitted. Therefore, I'm not saying that no information should be collected. Some information is absolutely reasonable to make a decision about admission. But if we're within that area of certain pieces of information reasonably linked to the decision to admit, then our concern moves to how long this is retained—you're right to raise that question—and for what purpose it can then be disclosed to other departments.

It depends on what the purpose is for which you're collecting the information. If, for instance, the information is collected to determine the legality of your status in Canada, I think it's fair to keep it until your legal or illegal status is finally determined. It all depends on what purpose the information is being collected for. It's primarily collected for border management reasons, so there's no one answer as to how long. It depends on what the reason is that it's being collected, and if it's a reasonable purpose, how long does the government need it to achieve that purpose?

Are you referring to Canada or the United States?

An increase has been noted in the United States. According to the data collected, 5,000 cell phone searches were conducted in 2015 as compared to 25,000 searches in 2016. That is an increase of over 500% from 2015 to 2016. Moreover, according to reliable figures for 2017, there were 5,000 searches in just one month, in February 2017. So there has been an increase.

The figures are not collected by us so we have not been able to see them. To my knowledge, there is no targeting of specific groups. That would of course be a valid question to ask.

As I said in my introductory remarks, customs officials can do many things under Canadian law. Under Canadian law, cell phones are treated like property. As such they can be searched without cause at this time. That is the statute law.

The policy of the Canadian government and of CBSA is to restrict this legal authority such that the devices in question can be searched only if the Canadian customs official has cause to suspect something related to an offence.

So the policy is not as permissive as the law, in my opinion, because the government and CBSA sense that the courts would not uphold the use of powers without cause as the statute law allows.

Even though the information is gathered and collected by the government pursuant to its powers, that does not give it the right to use the information for unwarranted reasons.

If the government takes possession of certain information, there is clearly a risk, but Canada may not disclose or use that information as it wishes. It would certainly be wrong to disclose trade secrets without the judicial or legal authorization to do so.

We have in fact received a small number of complaints and we are in the process of investigating them. They pertain to cell phone searches by the CBSA.

In recent months or the past year or so, we have received three complaints about these practices. Under the Privacy Act, we have the legal obligation to review each complaint. Not all complaints require the same degree of rigour, but we do have to review them all.

Since there have only been three complaints, it is hard to say if there is a trend. I can say, however, that these are definitely people who have read in the media or in various notices that their devices could be searched by Canadian or U.S. authorities. People are worried about this with good cause and want to make sure that government practices are legal. So they filed complaints with us and we are examining them.

Are you referring to the Preclearance Act?

If a Canadian has their cell or electronic device searched by U.S. customs officials on Canadian soil under this regime, we have no jurisdiction. That is under the jurisdiction of the American authorities, under the agreement between Canada and the United States.

The only mechanism under which a person could address a Canadian is the one proposed by the Standing Committee on Public Safety and National Security in the amendment to the bill that I just mentioned.

Are you talking about border management in Canada rather than on the U.S. side?

European law is strict as to overarching principles. We saw this in the judgment by the European Court of Justice regarding the border program. To my knowledge, European law deals with these matters according to broad principles. In general, it allows departments and government to gather information only when it is necessary and commensurate with the objective in question. To my knowledge, there is no specific rule for the application of these broad principles to customs practices. That said, we could make some enquiries in that regard.

As to the extent of border powers, the issue, in my opinion, is that there is extensive jurisprudence in Canada indicating that the expectation of privacy at the border is less than in other situations since the person is seeking entry to another country. I think this principle remains valid. It has, however, been used to severely limit if not eliminate judicial guarantees at the border.

With the advent of electronic devices, we have to ask some questions. Customs officials have the right to conduct certain searches at the border, but should that extend to searching financial records on a person's telephone, information about their intimate relationships, or the person's health, for instance? Asking the question gives you the answer. Canada needs to get with the times and treat these devices as they should be treated legally.

I haven't seen cases of this nature, but I'll say this. The essence of what the law currently allows is to collect a lot of information in the name of border safety. The possibility of criminals, hackers, and so on is a relevant consideration. I don't want to exaggerate the nature of the problem, but the more information the government collects, obviously, the more it's at risk of being collected and hacked by people with criminal intent. That, I think, is another reason that government should be careful not to collect information beyond what is necessary, and even if it is necessary, not to retain it beyond the period necessary to keep it. The government is obviously a repository of a lot of very interesting information that is of interest to people with criminal intent.

We've not seen many but we've seen some, and when I say some, again, this is not information collected through devices.

The example I have in mind is a public example of a lady whose information was collected by a police service in Canada during a crisis that she was under, a suicide attempt, when she called 911. That information becomes part of police records, and that information is then disclosed to U.S. border authorities in the name of co-operation between the law enforcement bodies of Canada and the U.S. It led to the refusal by U.S. officers, who did not let her in because they felt that she was at risk of either committing suicide or somehow endangering U.S. people.

That was as a result of this 911 call, but the same could happen through the search of an electronic device that would reveal a medical condition, for instance.

To put it into context, we are talking about information obtained by the Canadian government at the border being disclosed to other departments for purposes other than border control.

The Canadian government has publicly disclosed its intention to use such information for program integrity, for instance. It also wants to be able to confirm whether a person claiming to be in Canada for residency purposes, which affords them certain social benefits, really is. That is one of the ways the government would like to use the information. There can also be tax reasons, which could lead to information sharing with police forces, for instance. All these purposes are possible. The government has in fact indicated that it intends to use this information for those purposes.

For our part, we are not necessarily saying that these reasons are unacceptable, but we want to see to what extent the various departments receiving information from customs need it for the purposes of their programs. We are not at that stage yet and we are awaiting information from the government in the form of evaluations of privacy factors. We are waiting for the government to provide certain, more detailed information justifying these purposes.

Let me give you an example regarding retention periods. When the CBSA first consulted us about some of these programs, it said it wanted to keep the information for 75 years. Those consultations were some time ago. We discussed this with the agency and it then decided to reduce the period to 30 years, in order to be able to identify individuals, and to de-identify the information after 15 years.

There is a dialogue with the departments. We see that they want to keep the data for a very long time. After discussing the matter, we are often able to reduce the retention period, but it is difficult to have a thorough discussion with the departments. Once again, there is no magic number when it comes to retention. The real question is what the departments need the information for and how long they have to keep it to meet their objectives, but it is difficult to have that discussion with them

May I, for a few seconds?

All I would say...

It's okay, I've lost track

Oh, oh!

Definitely it's taking time to catch up to the new security and the technological advances that we've seen in the last few years, so I would say, yes, there's a question of latency—latency in terms of the public's understanding of what they're exposed to. We'll do our best to inform Canadians through the means that we have, but I think it's also a bit unreasonable, unrealistic, to think that individuals will change completely their way of life for these reasons—and in North America there's a lot of travel between Canada and the U.S. Yes, we can inform some people, and some people will change their behaviour and, for instance, not bring as much personal information, but Parliament has a huge role in ensuring that the laws, to the extent that they deal with Canadian officers, protect people so that they are not subject to groundless searches.

Quite possibly, yes.

Yes.

We'll confirm later, but I believe this number of 25,000 is the number of searches of electronic devices on non-Americans, but not necessarily Canadians.

No.

Or vice versa....

Indeed.

It does not change the U.S. law in the respect that you're mentioning. A U.S. border officer could ask a European to give the password to the content of their electronic device. The agreements between the U.S. and Europe give redress to that European in that case. In the case of Canada, since we are not a country under the Judicial Redress Act, we cannot exercise these redress mechanisms. The only mechanism that is envisaged is the one that SECU, the national security committee, is adding to the pre-clearance agreement.

In substance, Europeans are subject to the same searches in the U.S. as Canadians, but by process, Europeans have a right of redress that we do not have.

I wish I couldn't. The U.S. has a relatively complex set of redress mechanisms, some internal to government, like ombudsmen for instance, and in some cases judicial redress. It's a complicated system.

Under the policy of the CBSA, yes.

No. The U.S law and policy are much more permissive for border officers. It is different. By policy, Canadian officers are restricted to look at what is on the device, but under the law, they could go much further.

If government officials on either side had suspicion about someone as a criminal, they could seek judicial authority for that information, even if it's in the cloud. The difference is that, to get that information that would be protected by a criminal, you would need a judicial authorization of some kind. At the border, it's much easier.

In the United States, they could require that.

That's a fair point.

We've not investigated the practices of the U.S. administration. The way I would answer is that the executive order on limiting the application of the U.S. Privacy Act gives a message to officials in the U.S. government that the data of foreign nationals is not to be protected. It's a general message. What the administration or what officials actually do with that message then depends on the intricacies of the operation.

It's a signal.

It's mostly a matter of bilateral relations between the two states.

Which number?

I've asked three ministers of our government to essentially confirm that protection through administrative agreements—and there are a number of them—and whether they still protect Canadians despite the signal given by President Trump through his executive order. One part of the picture is to obtain confirmation by the U.S. government that these agreements continue to be in effect. That's certainly one way.

I'm told that the Canadian government has obtained information from the U.S. government, and that I will be given a version of that information shortly.

Yes.

Yes.

There is also judicial recourse in the United States. Some American citizens are challenging the new U.S. policy, so that will find its way through the U.S. courts.

In the U.S., the system is somewhat different. There is no one counterpart. There are privacy experts in individual departments including Homeland Security who advise departments of privacy matters. They are not independent of the executive branch, as I am.