Evidence of meeting #66 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was devices.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Patricia Kosseim  Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch, Office of the Privacy Commissioner of Canada

3:55 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Welcome back, everyone. Today we have our 66th meeting of the Standing Committee on Access to Information, Privacy and Ethics. We're continuing our study with respect to the protection of Canadians' privacy at the border and in the United States.

To that end, we're joined today by the Office of the Privacy Commissioner of Canada, their representation including Mr. Therrien, the Privacy Commissioner; Ms. Ives, the acting director general of audit and review; and Ms. Kosseim, senior general counsel and director general of legal services, policy research and technology analysis branch.

The floor is yours.

3:55 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you very much, Mr. Chair, for the invitation to appear before you today on your study of the border.

Privacy rights and the border must be considered in context, and an important element of context is that trade is, of course, important to Canada. This means that smart controls for border goods and data, as they move across borders, are required.

One topic of discussion flagged for your current study relates to screening and searches by Canadian border services officers. As you know, the powers of border officers are quite broad. They may question travellers, collect biometric information for identification purposes, as well as examine, search, or detain any goods.

As for searches of the person, they may also conduct pat-down searches and frisks, take X-rays or body scans, and they may even demand strip searches or body cavity examinations. All searches of persons require reasonable grounds to suspect some legal contravention, particularly the concealment of goods or of anything that would present a danger to human life or safety.

For their part, electronic devices have historically been considered as goods by the CBSA. Paragraphs 99(1)(a) and (c) of the Customs Act allow for examination, opening, and taking samples of goods without grounds. These provisions apply to materials both entering and leaving Canada. In addition, under existing charter jurisprudence, greater latitude is given to state authorities at the border to enforce sovereignty and territorial integrity and to regulate immigration.

At the same time, though, the Supreme Court has found in many other contexts that searching of electronic devices is extremely intrusive. Therefore, while the law is not settled, I think it is clear that Canadian courts would find that groundless searches of phones, of cellular devices, were unconstitutional even at the border.

The idea that electronic devices should be considered as mere goods and therefore be subject to border searches without legal grounds is clearly outdated and does not reflect the realities of modern technology. This may well be why Canada's policy is more nuanced than what the Customs Act may allow.

Under CBSA policy, specific grounds need to be satisfied, namely that “evidence of contraventions may be found on the digital device or media”. I think that policy is wise, but it should in my view be elevated to a rule of law in the near future.

Another border issue of note concerns Bill C-23, which is now before the Senate. Bill C-23, the pre-clearance act, 2016, would implement the 2015 agreement on land, rail, marine, and air transport pre-clearance between the Government of Canada and the Government of the United States. This would provide for pre-clearance activities on the part of the Canadian and U.S. customs officials to take place at various points of entry on both sides of the border.

I've raised concerns about U.S. announcements to search the electronic devices of any and all aliens who seek to enter the U.S. These searches will be at their discretion and without specific legal grounds other than generally to protect homeland security.

Bill C-23 establishes that U.S. pre-clearance officers in Canada are subject to Canadian law as they perform their duties or exercise any powers. The Canadian government reminds us that this would include the Canadian Charter of Rights and Freedoms, the Canadian Bill of Rights, and the Canadian Human Rights Act. However, these protections are somewhat hollow, as they would be severely limited by the principle of state immunity, meaning that they could not be enforced in a court of law.

It should be noted that under Bill C-23, searches of persons, including relatively non-intrusive pat-down searches, require “reasonable grounds to suspect” in order to be carried out by U.S. officers in Canada. In my view, searches of electronic devices can be much more intrusive than these frisk searches.

As I recommended in the context of the study of Bill C-23, border searches of electronic devices should require reasonable grounds to suspect, the same threshold that applies to searches of persons.

This past spring, I informed you of my correspondence with the three appropriate ministers regarding the executive orders of the new U.S. administration, issued earlier this year. Measures like these clearly have a material effect on the privacy of many citizens, given the scale of tourism and business travel to the United States.

One order would specifically exclude non-U.S. citizens and lawful permanent residents from certain privacy protections.

Upon review, I have concluded that, while Canadians have some privacy protection in the United States, that protection is fragile because it relies primarily on commitments or administrative agreements that do not have the force of law, for instance the Five-Eyes Agreement and the Beyond the Border Agreement with the United States.

I have therefore called upon our government to ask their U.S. counterparts to strengthen privacy protections for Canadians. This could be done, for example, by adding Canada to the list of designated countries under the U.S. Judicial Redress Act, which would extend some of the protections conferred by the U.S. Privacy Act to Canadians, as they are in place for citizens of several European countries.

We have also asked the government for assurances that the protection afforded by Canada-U.S. administrative agreements will continue despite the order and to be advised of any changes that may adversely affect the privacy of Canadians. We understand that the findings have now been compiled and a response is forthcoming.

Let us turn now to the information-sharing agreements with the United States.

Generally speaking, we have spent considerable time on border issues and information-sharing in the past several years, in particular, the Beyond the Border initiatives with the United States. To date, we have provided feedback on close to fifty separate privacy impact assessments (PIAs) on just these programs alone. Through these exchanges, we have made a series of recommendations to the CBSA and various other federal departments implicated in expanding information exchange and other border-related processes.

Overall, we have been pleased with the level of consultation and the improved quality of privacy analysis undertaken by agencies involved with border security.

That said, we still have concerns over issues such as retention periods applicable to data collected from travellers and the risk that data collected for border purposes is then used for secondary purposes.

Both of these issues were found to be problematic from the point of view of European law, in a recent judgment of the European Court of Justice on the Canada-EU API/PNR Agreement.

In closing, as people, goods and data move across borders more frequently, it is important that Parliament ensures that we have the appropriate rules in place to respect individuals' privacy. The importance of the rules has been recognized historically in relation to the search for persons. In my opinion, it is time to extend these safeguards to electronic devices.

Thank you for inviting me and I look forward to your questions.

4:05 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thanks very much.

We'll begin the seven-minute round of questions with Mr. Saini.

4:05 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Good afternoon, Mr. Therrien, and to your colleagues, thank you very much for coming. I was joking with you. I think you're almost a permanent member of this committee because you're here at least once month. I hope you enjoyed the summer like we did.

4:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

4:05 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Now that we're here, I want to ask a bit of a technical question because certain things happened in the spring. The FCC changed some of the Internet provider rules, and Trump's executive order was done at the same time. Therefore, now you may have the potential impact of a Canadian going to the American border, and he may be asked for a password of his device—that's one issue—so now his privacy is not protected. However, the other thing is that now when he gets to a certain point, he may have his phone or something connected to their Internet, so his information may be sold according to the FCC rules.

Can you give us an overview of what your opinion of this is, and also what advice you would have? How do you think this is going to affect us domestically here?

4:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It's quite a broad-ranging question.

4:05 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

You have seven minutes.

4:05 p.m.

Voices

Oh, oh!

4:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Of course, the first thing to say is that states are sovereign, including the United States of America, so in the comments that I've made in my opening remarks, I call on the Canadian government to take certain measures to protect the privacy of Canadians, first and foremost, in devising appropriate laws that protect the very sensitive information found in electronic devices—that's Canadian domestic law—and to the extent possible, in the pre-clearance agreement.

But at some point, a Canadian who wants to visit the United States either for tourism, business, or other reasons will come up against U.S. state authorities, and the U.S. is free to adopt the rules that are in their interest in order to protect their safety. That, apparently, means in part that U.S. border officials.... If you just set aside pre-clearance, if a Canadian wants to go to the United States and comes across a border officer, either inland at the border or at a U.S. airport, that person may be required to provide the password to their cellphone.

I don't think that is protective of privacy, but it is within the powers of the U.S. government to impose that rule. We may come into what that means in terms of a prudent approach by a Canadian who will face that situation, but you're now talking about U.S. laws and practices. The U.S. is competent and has the authority to impose these rules. I don't think they're good rules, but these are the rules that apparently will be imposed on travellers.

You're bringing in the private sector angle with your reference to the FCC changes and whether information collected by the U.S. government could be sold. I haven't analyzed this in any great detail. Certainly, following the executive order of President Trump that limited, if not eliminated, privacy protection for non-Americans, we were seized with, of course, concerns by Canadians. We looked at the situation of whether Canadians are protected. There are no laws to protect Canadians, but there are a number of administrative agreements that, until rescinded, do provide some protections. Among these administrative protections is an order made by then-president Obama that provides similar protections to non-Americans in regard to the activities of the NSA, particularly what the U.S. government does with information intercepted in the name of foreign intelligence.

I'm giving you the grande ligne of the rules that are applicable. There are still remaining administrative protections in the U.S. Of course, they are administrative protections and they could be rescinded tomorrow by the U.S. administration, but there are still, at this point, a number of administrative protections for Canadian citizens.

4:10 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

I have one final question, and I'll make it a little bit easier.

We know that the GDPR rules are going to be coming into effect in May 2018. We also know that right now the United States and Europe have a privacy shield, which we don't have, and eventually the European Union is going to ask that everybody rise to their level in terms of the regulations that they will have.

Do you think it would be prudent or probably easier and more facile if the United States, the European Union, and Canada could somehow come to one standard, as opposed to the United States and Europe having one standard, and Canadians not having any protection because of the executive order?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It would certainly be easier, but it is a well-known fact that there are important differences of approach between the United States and Europe with respect to privacy, so I don't think that this will happen any time soon, which puts Canada in a difficult position, obviously.

I've asked that certain legal protections be given to Canadians. For instance, asking the U.S. government to add Canada to a list of countries to which protection is given under the Judicial Redress Act would not be the whole way to having a tripartite regime, but there are steps. My point is that there may be steps along the way stopping short of having a tripartite privacy protection regime as between the EU, the U.S., and Canada.

4:10 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Can you quickly give an example of some countries that are on the judicial redress list?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

A good number of European countries, more than 20, are on that list, essentially because of pressures put on the United States by European states along the lines of the conversations they are having with the U.S. that led to the privacy shield. All these issues are related, and it is not a benevolent act by the U.S. to have designated certain European states on that list. It's because pressure was put to bear on the U.S. by these European states. That could be an approach for Canada.

4:10 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thanks very much.

With that, we go to our second seven-minute round of questions.

Mr. Kent, welcome to the committee.

4:10 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you very much, Chair. It's a pleasure to be with you.

Thank you very much, Commissioner, Ms. Kosseim, and Ms. Ives, for joining us today.

As we all know, as most Canadians know, the manner of screening and searches varies very much from screening officer to screening officer, location to location, air pre-clearance as opposed to ground and maritime pre-clearance.

Do you have statistics categorizing complaints from the three different sorts of clearance in the questioning, the procedures, say, at a land border as opposed to pre-clearance at Pearson International, or for maritime arrivals and departures of tourist vessels?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I can undertake to give you these numbers. I don't have them right now, but we don't have a very large number of complaints on these issues. The announcements of a few months ago about new U.S. government practices with respect to cellular devices led to a handful of complaints. Before that we had fewer than 10 complaints on border issues altogether. Our trends will not be based on very many complaints.

4:15 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Most of them would be anecdotal or media reports of complaints.

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

4:15 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Very often, when we as parliamentarians travel to certain countries around the world we're advised to leave our personal devices at home and to take what is euphemistically called a “burner”, with only as much as information as we would want to share with individuals in these particular countries.

Would you advise, until we have a clearer picture of exactly how this will happen, that perhaps Canadians should think about what they have in their devices before they travel, and where prudent, leave them at home and carry a burner?

September 18th, 2017 / 4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I would certainly advise Canadians to limit the number of devices they bring to the U.S. and to review and limit the information that is found on the devices they're bringing with them to the United States. I think it would be prudent to see whether you could leave in Canada on local devices, your home computer and whatnot, information that you want to keep and that you may not need in the United States.

Another potential measure would be if professionally you need information in the United States, say information protected by solicitor-client privilege or other legal privileges in Canada, and you don't want it to be reviewed by U.S. customs officers, you may want to put it on a secure part of the cloud, for instance, so that it's retrievable once you are in the United States and you can access it then. In short, think hard about what kind of information you want to bring with you in your electronic devices as you cross the border because we have heard that information can be required by U.S. customs officers. It's prudent to act accordingly.

4:15 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

We as parliamentarians have different levels of security on our devices besides the thumbprint or the password to get into the general area. Would you advise again at the same time there is as much vulnerability to parliamentarians or private business people as to private citizens who may have secondary levels of security or even encryption, and they too could be required or asked to open those other levels?

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The announcement made by the U.S. administration is that they can require information found on your devices for no legal grounds other than an understandable desire to protect homeland security, but with no legal grounds whatsoever. That applies to everyone and anyone, and it applies regardless of the security measures you have on your device. They say, “If you are to enter the United States, we can require that you give us your password or whatever security mechanism exists between us, the border officials, and the information we want to look at.”

4:15 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

You referenced the data retention period questions and the judgment of the European Court of Justice. Did the European Court of Justice look at data retention generally, or did they look at the difference between GPS locator records, phone number records, or text records?

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The European court looked at a very specific program, a draft agreement between Canada and the EU having to do with the transfer of certain types of passenger information between Canada and the European Union. It dealt specifically with that information, although lessons can be learned about other border control programs. The judgment itself had to do with that specific program.