Information & Ethics Committee on Sept. 27th, 2017

Agreed.

Mr. Chair and honourable members, we appreciate your invitation and are very pleased to be here today on behalf of the privacy and access law section, immigration law section, and commodity tax, customs, and trade sections of the Canadian Bar Association, as well as the Canadian Corporate Counsel Association and the ethics subcommittee of the policy committee of the CBA board, to present views on the privacy of Canadians at airports, borders, and travelling in the United States.

The CBA is a national association of 36,000 lawyers, law students, notaries, and academics. An important aspect of the CBA's mandate is seeking improvements in the law and the administration of justice. This is what brings us before you today.

My name is David Fraser. I'm an executive member of the privacy and access law section. I'll be representing the CBA sections that prepared our submissions to the committee on this issue, along with Cyndee Todgham Cherniak, who is here with me today. Cyndee is an executive member of the commodity tax, customs, and trade section.

Some information collection is necessary, and certainly expected, at the border; there is really no doubt about that. Our principal concern and the concern of the Canadian Bar Association is mainly about where the line is drawn and where the line is moving and how the fundamental principles in our charter may be left behind as this line is moved. We have commented in our document on both Bill C-21, related to Customs Act amendments, and Bill C-23, related to pre-clearance.

In Bill C-21, we're very concerned about open-ended discretion being given to the CBSA to examine people leaving Canada.

In Bill C-23, we're very concerned about what may be a general disregard of the charter and Canadian norms, when non-Canadian law enforcement officers are empowered to conduct invasive examinations in Canada. We're concerned about broad powers to interrogate those who choose to withdraw from entering the United States. We're concerned that U.S. officers can, for example, perform a strip search in Canada over the objection of a CBSA officer. We're concerned generally about a lack of accountability.

Obviously, electronic devices and the privacy of the contents are of great concern. As lawyers, we're seeing and hearing about searches of digital devices becoming much more commonplace. The CBSA is essentially using suitcase law, developed before the 1980s, to justify a massive intrusion into digital information.

The Customs Act provisions that are at issue were drafted before the 1980s, before laptops, before smart phones, and before thumb drives. In the meantime, the Supreme Court of Canada has said very strongly that all Canadians have an extremely acute privacy interest in the contents of computers, laptops, and smart phones. This has apparently fallen on deaf ears within the CBSA. People travel with a huge quantity of personal information, and the CBSA say that they can go through it legally on a whim. They say they don't, but the law, if applied as they say it is, would allow them to do it on a whim. We say this is likely unconstitutional and needs to be very closely examined by Parliament.

We also have concerns about information sharing, in that the devil is in the details: questions about information sharing between administrative agencies and law enforcement, between one law enforcement agency and another, between federal and provincial agencies, between private companies and governments, and vice versa. We think this needs to be scrutinized very closely, particularly as this information is moving around at a rapid pace. Then you overlay on top of this information sharing between governments, which of course is becoming even more common and something we need to be very concerned about.

My colleague Cyndee will introduce the balance of the issues that we've addressed.

An issue of great importance to the Canadian Bar Association is solicitor-client privilege. Solicitor-client privilege is fundamental to the proper functioning of the Canadian legal system. As a result, steps must be taken to ensure that solicitor-client privilege is protected at Canadian airports, Canadian ports of entry, and U.S. pre-clearance areas on Canadian soil.

The Supreme Court of Canada has repeatedly emphasized that solicitor-client privilege must remain as close to absolute as possible and should not be interfered with unless absolutely necessary. In the rare case of necessity, there must be explicit statutory language stating that privilege can be interfered with, which must be accompanied by legislative safeguards. Most people, including lawyers and clients, travel with solicitor-client privileged documents on their laptops, on their smart phones, on USB keys, and so on.

It is essential that the CBSA and U.S. customs, when operating in Canada, maintain a transparent policy and process to address solicitor-client privilege. When solicitor-client privilege is claimed, Canadian courts, not the CBSA or U.S. custom officers, should make the determination of the validity of such claims.

The Canadian Bar Association has made a number of recommendations in the submissions they have provided to the committee.

One, the CBA recommends the creation of a working group with representatives from the Canadian Bar Association, Justice Canada, and the CBSA to collaborate in the development of a defined policy for examination at the Canadian border where solicitor-client protected information is involved.

Two, the CBA recommends that the CBSA's policy on solicitor-client privilege be made publicly available on the CBSA website. Remarkably, it is not available at the current time for all to see and to hold the CBSA accountable. The CBA has made a number of recommendations in the submissions concerning the content of the current operational bulletin on solicitor-client privilege. Please review those submissions and our recommendations.

This committee should strongly recommend that the Canadian Ggvernment require U.S. customs to have a transparent and available written policy on solicitor-client privilege that is applicable to all pre-clearance examinations on Canadian soil. The CBA submissions also address oversight of the CBSA in areas such as information sharing by the CBSA with other government departments and other countries. Robust accountability mechanisms are crucial to the legitimacy and efficacy of our national security agencies as well as to public confidence in them.

This committee should recommend that the Government of Canada put effective CBSA oversight and complaints mechanisms in place, and that a transparent mechanism and process for Canadians and Canadian residents be put in place to challenge information collected about them at airports and the border. Any oversight model must incorporate a robust review mechanism. There should be verifiable procedures to ensure that any improperly obtained information is expunged from the CBSA and U.S. customs databases.

I would more than welcome any of your questions.

Thanks very much. Good afternoon.

My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I have appeared many times before this committee on privacy issues, although not always in such a nice room. As always, I appear in a personal capacity representing only my own views.

I'm grateful to the committee for its commitment to privacy and its efforts to highlight the privacy issues associated with our airports and border crossings. The media has regularly covered these issues, as you know. There are fears of device searches at borders, stories of information sharing that goes beyond most reasonable expectations, and mounting concerns about the approach of U.S. law and border officials with respect to the privacy rights of non-citizens and non-permanent residents.

These stories hit home, as we saw just a few minutes ago with Mr. Long in the last panel. Everyone seems to have their own story. Recent incidents include one involving a Quebec resident who didn't want to provide his cellphone password. It was searched at the Canadian border in Halifax. He was ultimately arrested for not giving a passcode when asked. The argument was that he was hindering an investigation. In another incident, a Canadian man was denied entry into the U.S. after customs and border patrol officers demanded that he open his phone and provide access to his apps. There was yet another incident involving a Canadian photojournalist who was inspected on his way to Standing Rock. Officials photocopied pages of his personal journal and asked for three mobile phone passwords, which he said he could not disclose because of his ethical obligation to protect his sources. The phones were taken and returned hours later with tamper tape covering the SIM cards, suggesting the cards had been removed and copied.

The privacy associated with border crossings now seemingly captures everyone's attention. I think it's worth asking why. I think there are at least three sources of concern that help point to potential policy solutions.

First, there is the feeling amongst many that border crossings represent no-privacy zones in which it feels as if officials are entitled to demand whatever information they wish and can use whatever means to acquire it. I know of technical experts who regularly wipe their phones or establish border crossing social media accounts in order to counter fears of invasive searches, both physical and digital, when crossing the border.

Second, as these stories suggest, the search itself—and we've heard about this now from a number of people—has changed dramatically in recent years with the legal safeguards failing to keep pace. It's one thing to know that your belongings may be searched. Yet today, we all know that our devices and the information on them can tell a far more personal story, our social graph, our location history, our reading habits, our contacts, and our purchasing history. In searching this information, officials may literally be accessing just about everything about us. Doing so, potentially without appropriate safeguards, understandably leaves many feeling vulnerable. The data indicates, as we heard on the last panel, that at least in the United States, these forms of searches are increasing rapidly. In fact, in the United States, there have been some policies that have posited that such searches can occur with or without reasonable suspicion.

Third, it may not be comfortable to say, but part of the concern stems from the fact that the U.S. border is by order of magnitude the most significant one for Canadians. This is not solely a comment about the current U.S. administration. Rather, it reflects long-standing concerns about the U.S. approach to privacy and fears that U.S. privacy protections may be weaker than those found in Canada. For example, the enactment of the USA Patriot Act after 9/11 opened the door to extensive access to personal information without traditional safeguards. Over 10 years later, the Snowden revelations reinforced the massive data gathering efforts of signals intelligence and law enforcement agencies. Most recently, the Trump administration's executive order aimed at reversing efforts to establish privacy protections for non-U.S. citizens and residents again placed the issue in the spotlight.

What is there to do about it? I thought the Privacy Commissioner of Canada, who raised issues such as information sharing across borders, the U.S. executive order, and CBSA searches provided excellent context and advice.

I'd like to briefly provide additional comments on four issues.

First, I think this committee and several of these committees have done excellent work on Privacy Act reform. As you know, it has been an issue that has regularly come up before this committee. There are few areas within Canadian privacy that are more overdue for updating. Indeed, there have been consistent and persistent calls for reforms for decades.

One of the methods of addressing some of the airport privacy concerns in Canada may be through the Privacy Act. Your proposed reforms to provide the Office of the Privacy Commissioner of Canada with greater powers would empower that office to examine border issues in a more comprehensive manner and open the door to more careful reviews of cross-border sharing arrangements. You recommended the reforms; now we need action.

Second, information sharing within government—we just heard about it from Mr. Fraser—remains a source of concern. Indeed, some of the most notable anecdotal stories involving abuses or questionable conduct at the border arise due to information sharing between governments or government departments. The Privacy Act and the OPC are supposed to create safeguards against misuse of personal information, or the use of information for purposes for which it was not collected. However, we have witnessed mounting pressure in recent years for more information sharing between governments and government departments.

Bill C-51, which we all know garnered widespread criticism, featured a significant expansion of government sharing of information, undermining, I would argue, the effectiveness of the Privacy Act. Unfortunately, the information-sharing provisions as they were amended in that bill were only modestly changed. Information sharing was considered a feature, not a bug, and I should note that included the Liberal Party when it was in opposition.

Bill C-59, which seeks to amend Bill C-51, leaves many of the information-sharing provisions intact. There are two needs here that must be reconciled. One, I think we all recognize that government needs to be able to use the information it collects in a reasonable and efficient manner. Two, the public needs confidence that its information will not be misused. That confidence comes from legislative safeguards and effective oversight. There is reason to believe we do not yet have the right balance.

Third, as the Privacy Commissioner of Canada has discussed, Canadian law must apply on Canadian soil when it comes to these issues, particularly the charter. Reducing so-called friction at the border is a laudable goal. No traveller wants long lines or lengthy delays, and that of course applies in a commercial context as well. However, expediency has a price, and sacrificing the Canadian Charter of Rights on Canadian soil is, in my view, a bad bargain. The Supreme Court of Canada has upheld unauthorized searches of devices, and those principles should apply on Canadian soil in a like manner at the border.

Fourth, with the NAFTA negotiations ongoing this week in Ottawa, I think it is important to link those trade talks with this issue. While there is no airport privacy chapter in the agreement, at least that I'm aware of, NAFTA touches on many of these related issues. There will be pressure—we know there is pressure—to speed up border crossings in the name of increased trade. Further, the digital trade chapter, formerly the e-commerce chapter, is likely to include provisions on data localization, prohibiting some of the data localization, and restrictions on data transfers. NAFTA, of course, is not a privacy deal, but the reverberations from the agreement will be felt in the privacy world.

The European Union has regularly linked privacy and data protection with trade. We ought to do the same, recognizing that these issues are linked and that the policy recommendations that come out of this committee on this issue need to make their way into the negotiations. In fact, I'd go even further by noting that the U.S. now seeks to accord the Europeans with privacy protections under the privacy shield. Other countries, such as Australia during the TPP negotiations, sought to ensure that Australians enjoyed the same level of protection. Surely, Canada can use the NAFTA discussions to ensure that the same kind of protection afforded to citizens of other countries outside the United States is afforded, as well, to Canadians.

I look forward to your questions.

Thank you for having me.

When I teach privacy law, one of the first things we do at the beginning of the term is have a discussion about reasonable expectation of privacy and what it is. It's always a great conversation, especially amongst the budding young law students, who are keen to say you have a reasonable expectation of privacy in everything. They want to say it's everywhere, but it isn't.

That is why you are having this discussion today. On the one hand we have our cellphones, and we've heard testimony already saying that obviously we have a great expectation of privacy in our cellphone. We've even had the Supreme Court say the same thing, that on our devices we have a greater expectation of privacy.

On the other hand we have the borders, and—no joke—the courts in Canada have been strong in their position that we have zero expectation of privacy at the border. That's something the courts have said. Here are a couple of quotes from an Ontario Court of Appeal case from 2006:

No one entering Canada reasonably expects to be left alone by the state, or to have the right to choose whether to answer questions routinely asked of persons seeking entry to Canada. ...The state is expected and required to interfere with the personal autonomy and privacy of persons seeking entry into Canada. Persons seeking entry are expected to submit to and co-operate with that state intrusion in exchange for entry into Canada.

We have these two competing forces, and I applaud the committee for trying to come to terms with it and come up with some meaningful recommendations. We're better off focusing on what we are doing here and some real solutions that we can impose here in Canada, as opposed to trying to figure out what to do to fix Canadian privacy rights in the United States, which is a pretty hard task to do from here.

Now the Privacy Commissioner has made a couple of recommendations in this respect, and I applaud them. For example, and Mr. Geist alluded to this, if Europeans have the privacy shield protecting them, why doesn't Canada have something similar? The starting point is the Judicial Redress Act in the United States, and the Privacy Commissioner has made a comment about this: it would be a simple fix just to list Canada as one of the countries that is afforded protection under this act in the United States. So it's not to say there is nothing that can be done to help Canadians while they are abroad; it's just that we have to recognize that if you are abroad, your privacy rights are not going to be the same as when you are at home.

The last point is let's concentrate on what we can do at home, and I won't reiterate it because I thought Mr. Geist said it really well: Privacy Act reform. Let's get our own house in order. This act is old, and it is in dire need of modernization. I'll end it there.

I'm happy to comment on it, but not wearing my CBA hat. CBSA are the people who control the borders and who and what comes in, and CATSA are the people who scan people who get on planes to make sure they don't have bombs, knives, guns, and things like that. They don't really care what's on your phone, because that's not going to blow up and harm an aircraft. So they have some very significantly different roles. They all are involved in security along the continuum, but they have very different jobs. That might not have been sufficiently clear from their comments.

Again, I don't have my CBA hat on in answering your question; I have an individual hat on. I am a customs lawyer. I deal with people who get their NEXUS passes taken away on a regular basis, and I can tell you that the CBSA does look at cellphones and laptops at airports in addition to border crossings. There may have been a misunderstanding—

—because you had CATSA and the CBSA at the same time, but I can assure you, that if you look at narrative reports by the CBSA, you will find many incidents of review of cellphones at airports.

Overall in my experience, they're not consistent in applying the policy that they even have, and I've heard testimony of a CBSA officer who called it guidelines after justifying a search of a cellphone that was not placed into airplane mode.

So we have a law, the Customs Act, the provisions of which were drafted before the 1980s when none of this was contemplated, and the definition of a good includes a document, when at the time, generally, a document was referring to a bill of lading, so the document of title related to the widget, the box of whatever it is that you're bringing in. So according to their reading of the law, they can look through a cellphone; they can observe any document, and they can do whatever they want with it without any even suspicion, without any reasonable basis, and it's just part of the continuum of their secondary screening.

And they have a policy that says they only do it as part of an escalation, and they only do it if they have reasonable grounds to suspect or reasonable grounds to whatever, but the law that they're operating in doesn't do that.

I can only refer back to what he said, which would be a number of things that would lead them to suspect more, so something such as you're nervous, you seem evasive, those sorts of things.

I think the connection of the Customs Act is if you bring something into Canada that is illegal in Canada under the Criminal Code, that's a violation of the Customs Act.

At the present time, the CBSA can search your briefcase. As a traveller, they can search your briefcase. As a lawyer, they can search your briefcase. According to the policy, if they come across documents marked “solicitor-client privilege”, then they might stop the search. But how many of you the last time you wrote to your lawyer in an email had solicitor-client privilege in the subject line or in the document? Very few documents that lawyers receive have the words “solicitor-client privilege” on them.

Certainly what it would take is that they would have to develop more than the multiplicities of indicators. They would have to have reasonable grounds to suspect that a crime—or it could be also a violation of the Customs Act—has been, is being, or is about to be committed, and that searching the device would provide evidence of that, otherwise reasonable sort of criteria that are used in other circumstances.

It may well be that the reality is that people when asked will simply hand it over in order to get out of there. The simple reality is that at the borders when you're standing in line, you've gotten off a red-eye flight and you're exhausted and want to get through. But in terms—