Evidence of meeting #66 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Patricia Kosseim  Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch, Office of the Privacy Commissioner of Canada

4:55 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

But it does not, under any circumstances, preclude a U.S. border agent from seeking a search from anybody who is travelling to the United States from those countries.

4:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

5 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

We're talking about two different things here, right?

September 18th, 2017 / 5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It does not change the U.S. law in the respect that you're mentioning. A U.S. border officer could ask a European to give the password to the content of their electronic device. The agreements between the U.S. and Europe give redress to that European in that case. In the case of Canada, since we are not a country under the Judicial Redress Act, we cannot exercise these redress mechanisms. The only mechanism that is envisaged is the one that SECU, the national security committee, is adding to the pre-clearance agreement.

In substance, Europeans are subject to the same searches in the U.S. as Canadians, but by process, Europeans have a right of redress that we do not have.

5 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Can you be specific on the right of redress? What does that actually entail?

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I wish I couldn't. The U.S. has a relatively complex set of redress mechanisms, some internal to government, like ombudsmen for instance, and in some cases judicial redress. It's a complicated system.

5 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

I have one final question. From my understanding, when a Canadian border officer searches a phone, that phone has to be disabled and that phone cannot connect to the Internet and it cannot connect to a cloud service. Is it true that the only thing searchable on that device is what's contained in that device?

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Under the policy of the CBSA, yes.

5 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

On the American side, do they have that ability? Is the policy the same?

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

No. The U.S. law and policy are much more permissive for border officers. It is different. By policy, Canadian officers are restricted to look at what is on the device, but under the law, they could go much further.

5 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thanks very much.

Mr. Kent, you mentioned you had a follow-up.

5 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Yes. It follows on from Mr. Saini's question.

You suggested earlier that if a traveller to the United States, or conversely to Canada, wanted to protect and manage data, they could park it on the cloud and then access it at their destination. Doesn't that suggest that already border security services, both Canadian and American, are somewhat behind the curve? There are those who might have criminal or other evil intent who would then be able to avoid the examination of a personal device and use the cloud to get around it. Besides the naive—

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

If government officials on either side had suspicion about someone as a criminal, they could seek judicial authority for that information, even if it's in the cloud. The difference is that, to get that information that would be protected by a criminal, you would need a judicial authorization of some kind. At the border, it's much easier.

5 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you.

5 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Do you have a follow-up?

5 p.m.

NDP

Nathan Cullen NDP Skeena—Bulkley Valley, BC

I'm confused with the testimony to Mr. Saini and to Mr. Kent because you said that, essentially, the practice in Canada is not to allow our border agencies to take a device, search the device, and then use that device to search the person's cloud information. However, you said both law and practice in the U.S. would allow a U.S. border official to access the cloud through a device. In earlier testimony, you said perhaps if people were worried they could park information on the cloud and then re-access commercial or government information once landed in the U.S. Do you understand? I may have misheard you just as to how the advice given before seems to be contrary to what the reality might be.

Let's say I'm leaving for the U.S. I have highly sensitive government documents on my device, so I park them in the cloud. I go across the border, and they ask for not only my password for my phone, but they say they notice there's a cloud so they'd like the password for my cloud as well.

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

In the United States, they could require that.

5 p.m.

NDP

Nathan Cullen NDP Skeena—Bulkley Valley, BC

Therefore, parking information in a cloud going into the U.S. is not actually going to do anything if I have sensitive documents that I would rather not have in the hands of U.S. border officials.

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That's a fair point.

5 p.m.

NDP

Nathan Cullen NDP Skeena—Bulkley Valley, BC

I just wanted to be clear. Again, I'm catching myself up to the technology.

We've noticed these executive orders that have come down from the current administration. In terms of the travelling public, what's the biggest change that's happened since the election of President Trump with respect to the issues that we're dealing with here today? Would there be one significant difference in the way that information is handled or sought versus under the previous administration, or is it more or less a continuance?

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We've not investigated the practices of the U.S. administration. The way I would answer is that the executive order on limiting the application of the U.S. Privacy Act gives a message to officials in the U.S. government that the data of foreign nationals is not to be protected. It's a general message. What the administration or what officials actually do with that message then depends on the intricacies of the operation.

5:05 p.m.

NDP

Nathan Cullen NDP Skeena—Bulkley Valley, BC

A signal was sent.

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It's a signal.

5:05 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Mr. Zimmer, I believe, has a short question, and then I have a few questions.

5:05 p.m.

Conservative

Bob Zimmer Conservative Prince George—Peace River—Northern Rockies, BC

Again, thanks for coming. You talked about the deconstruction of data. I am familiar with databases and with them not being necessarily destroyed like expected. How do we have assurance from the federal government in the U.S. when it says that it's only going to retain specific information for a certain period of time?

How can we be reassured that if it says the information has been deleted that it actually has been? I hate to use that on record, but is it just a simple respect of the other country that it's going to do what it says it's going to do? How do we know if that data has been absolutely destroyed? What can we do if we're suspicious that it hasn't been? Is there any recourse for Canadians?