Information & Ethics Committee on Sept. 27th, 2017

Thank you very much. I'll offer some very brief remarks.

As you said, I'm from the Canadian Air Transport Security Authority, CATSA, and I'm joined by my colleague Natalie Sabourin. She's the manager responsible for privacy and ATIP. To remind you, CATSA is responsible for security at airports. We're responsible for outgoing passengers, in comparison to my colleagues who are responsible for inbound. Our mandate focuses on the screening of passengers and their baggage, also airport workers who get into the restricted area at the airport. We also offer a restricted area identity card.

In terms of privacy and the retention of information at CATSA, we have four programs in place, and I'd be happy to tell you about any of them. One is what we call our boarding pass scanning system, which scans the passenger's boarding pass when they arrive at the checkpoint. Another is CCTV cameras that we have for the checkpoint. The third is a database where we store incident information. The last is to connect with the NEXUS card.

That's an overview of the areas where we keep personal information, but we don't share information with the United States. With that brief introduction, I'd be very happy to respond to any privacy-related questions you have.

Thank you, Mr. Chair.

On behalf of the Canada Border Services Agency, I am pleased to be here to contribute to your ongoing discussions regarding privacy at Canada's airports and borders. With me today is Robert Mundie, acting vice-president of the corporate affairs branch and the agency's chief privacy officer.

The CBSA is committed to maintaining both an individual's right to privacy and the safety and security of Canadians. Our officers are trained to conduct all border examinations with as much respect for privacy as possible.

The CBSA's information collection has always maintained a balance between protection of the border and national security, while safeguarding the privacy of the information with which we have been entrusted.

Currently, under the authority of the Customs Act and the Immigration and Refugee Protection Act, we collect routine, biographical data from the passport—name, date of birth, and citizenship—and some biometric information, such as fingerprints, in certain visa-required situations.

This information is shared with international partners when and where necessary, and is covered by legislation, international treaties, and bilateral information sharing agreements.

Collection is almost always done through automation, for instance, by scanning the machine readable zone of a passport to reduce the possibility of error. Once collected, the information can be shared systematically or on a case-by-case basis.

For example, data is routinely and systematically shared with Immigration, Refugees and Citizenship Canada, and with Statistics Canada, and can be shared on a case-by-case basis with the RCMP and CSIS pursuant to an active investigation.

Robust privacy programs and policies are in place to guide information sharing and use.

We have a statement of mutual understanding, in addition to various memoranda and information sharing agreements, with the United States, highlighting privacy principles that both parties will adhere to with respect to personal information.

We also consult regularly with the Office of the Privacy Commissioner, and have prepared detailed privacy impact analyses for various initiatives.

For example, the entry/exit initiative, or Bill C-21, has submitted a PIA for each phase of the project and has implemented all of the Privacy Commissioner's recommendations. We will further engage the OPC should Bill C-21 receive royal assent.

We protect personal information through restricted system access with user profiles. In addition, detailed instructions have been provided to users on how information can be shared. For instance, they must adhere to strict information retention and disposal schedules.

Individuals may submit an access to information request to the CBSA to obtain their travel history, including records of entries and, for third country nationals and permanent residents, their exit from Canada.

In the event of any questions or discrepancies, individuals can request that the CBSA amend or correct the information. If the CBSA agrees that information should be changed, it will also automatically and systematically inform any party who received the information of that correction.

In summary, the agency collects information to support its mandate with respect to national security, border management, and immigration program integrity. It shares information only when it's relevant, proportionate, and necessary to the administration of customs and immigration law.

Before concluding, I would like to say a few words regarding an issue that I know is of interest to the committee, the searches of electronic devices at the border.

As the committee is aware, courts have long upheld that travel across international borders is voluntary, and that there is a lower expectation of privacy when travelling, particularly when entering or leaving a country's borders.

The agency uses many avenues to inform the travelling public of their rights, their obligations, and what they should expect. Travellers are aware that they, and their goods, may be subject to thorough examination.

The Customs Act gives border services officers the authority to examine goods for customs-related purposes. In this context, goods are defined in section 2(1) of the act to include “any document in any form,” which therefore encompasses electronic documents.

The examination of digital devices and media must always be performed with a clear link to administering and enforcing CBSA-mandated program legislation that governs the cross-border movement of people and goods. Individuals also have the obligation under section 13 of the Customs Act to present and open their goods if requested to do so by an officer. Because a password may be required to open and examine documents on an electronic device, officers may compel a traveller to provide it in order to allow for the fulfillment of that traveller's obligations. The examination of electronic goods may uncover a range of customs-related offences. For example, electronic receipts may prove that goods have been deliberately undervalued or undeclared. Electronic devices may also harbour prohibited goods such as child pornography. I would like to underline, however, that CBSA policy is clear: electronic devices should not be searched as a matter of routine.

In fact, officers are instructed not to do so unless there are a number of indicators that a device may contain evidence of a contravention.

It is agency policy to turn off wireless and Internet connectivity when examining a device to ensure that the examination does not extend to material not stored directly on the device. This means that information stored remotely but accessible from mobile devices or laptops—such as social media accounts or computing clouds—cannot be searched. Officers cannot compel individuals to provide passwords for accounts that are stored remotely or online.

In conclusion, the CBSA takes its privacy protection responsibilities seriously.

We welcome the views of the Privacy Commissioner and we will continue to work with his office to strengthen our information-sharing activities and the way we collect, store, retain and dispose of personal information.

Thank you, Mr. Chair. We would be pleased to answer any questions from the committee.

Well, unfortunately, it's very difficult for me to comment on U.S. policies and legislation, so I wouldn't be able to offer any comments on your question.

We engage with colleagues from U.S. border protection on making sure that any agreements we have in place and the rules under which we share information and how we protect it are respected. Any information that we share with the U.S. would be managed through those MOUs and treaty. As for the general passage of people at the border and what is collected by U.S. officials, I cannot offer any comments on that.

I don't know about the rules that apply on travellers entering the U.S. I'm sorry.

When you're going through the security checkpoint, you need to be sure that your device can be powered on. We're looking at it from a security point of view. We're not looking at it from a privacy point of view. We ask that the device be able to be powered on, and that's it.

As for CBSA, I think it's important to address the myth that we often go into the personal phone of travellers. This is not the case. We conduct our examination in a progressive fashion. As we've built elements to go further in the questioning and the examination, that will eventually lead us, if we have enough grounds, to ask for a cellphone and ask the traveller to provide us with the password to be able to look into it.

The general public should not fear carrying their electronic devices across borders. As with any other electronic devices, we should be mindful of what we have on them. If we feel that there is confidential information related to business practices or you're involved in an investment and you don't want that information to be made public, or you want to keep it private, well, you shouldn't have it on your personal devices. That would be a general rule of thumb I would give to anybody.

I wouldn't be able to tell you when we started doing that. I do not have that information with me.

In this day and age, the use of those devices is widespread. Really, someone who does not have a cellphone is the exception.

However, with the permission of the chair, I could check when we started using this practice at our checkpoints.

I asked my team to find the mechanism that helps us gather that information. Since the public is very interested in this type of activity at the agency, I asked that we be able to keep statistics rigorously in order to make the information public.

The data I can provide is more anecdotal rather than rooted in the reality that our officers experience on a daily basis. However, the agency is committed to computing that data and making it public. I'm talking about the number of inspections of cellular or other electronic devices, and the types of devices that are checked.

Yes, that has happened before.

It depends. We act on a case-by-case basis. In most cases, people co-operate with the authorities at the border. However, in general, an officer may order the disclosure of the password and, if the person refuses and the officer has good reason to believe that there may be prohibited material on the phone, there may be an arrest and perhaps even an appearance in court.