Thanks very much. Good afternoon.
My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I have appeared many times before this committee on privacy issues, although not always in such a nice room. As always, I appear in a personal capacity representing only my own views.
I'm grateful to the committee for its commitment to privacy and its efforts to highlight the privacy issues associated with our airports and border crossings. The media has regularly covered these issues, as you know. There are fears of device searches at borders, stories of information sharing that goes beyond most reasonable expectations, and mounting concerns about the approach of U.S. law and border officials with respect to the privacy rights of non-citizens and non-permanent residents.
These stories hit home, as we saw just a few minutes ago with Mr. Long in the last panel. Everyone seems to have their own story. Recent incidents include one involving a Quebec resident who didn't want to provide his cellphone password. It was searched at the Canadian border in Halifax. He was ultimately arrested for not giving a passcode when asked. The argument was that he was hindering an investigation. In another incident, a Canadian man was denied entry into the U.S. after customs and border patrol officers demanded that he open his phone and provide access to his apps. There was yet another incident involving a Canadian photojournalist who was inspected on his way to Standing Rock. Officials photocopied pages of his personal journal and asked for three mobile phone passwords, which he said he could not disclose because of his ethical obligation to protect his sources. The phones were taken and returned hours later with tamper tape covering the SIM cards, suggesting the cards had been removed and copied.
The privacy associated with border crossings now seemingly captures everyone's attention. I think it's worth asking why. I think there are at least three sources of concern that help point to potential policy solutions.
First, there is the feeling amongst many that border crossings represent no-privacy zones in which it feels as if officials are entitled to demand whatever information they wish and can use whatever means to acquire it. I know of technical experts who regularly wipe their phones or establish border crossing social media accounts in order to counter fears of invasive searches, both physical and digital, when crossing the border.
Second, as these stories suggest, the search itself—and we've heard about this now from a number of people—has changed dramatically in recent years with the legal safeguards failing to keep pace. It's one thing to know that your belongings may be searched. Yet today, we all know that our devices and the information on them can tell a far more personal story, our social graph, our location history, our reading habits, our contacts, and our purchasing history. In searching this information, officials may literally be accessing just about everything about us. Doing so, potentially without appropriate safeguards, understandably leaves many feeling vulnerable. The data indicates, as we heard on the last panel, that at least in the United States, these forms of searches are increasing rapidly. In fact, in the United States, there have been some policies that have posited that such searches can occur with or without reasonable suspicion.
Third, it may not be comfortable to say, but part of the concern stems from the fact that the U.S. border is by order of magnitude the most significant one for Canadians. This is not solely a comment about the current U.S. administration. Rather, it reflects long-standing concerns about the U.S. approach to privacy and fears that U.S. privacy protections may be weaker than those found in Canada. For example, the enactment of the USA Patriot Act after 9/11 opened the door to extensive access to personal information without traditional safeguards. Over 10 years later, the Snowden revelations reinforced the massive data gathering efforts of signals intelligence and law enforcement agencies. Most recently, the Trump administration's executive order aimed at reversing efforts to establish privacy protections for non-U.S. citizens and residents again placed the issue in the spotlight.
What is there to do about it? I thought the Privacy Commissioner of Canada, who raised issues such as information sharing across borders, the U.S. executive order, and CBSA searches provided excellent context and advice.
I'd like to briefly provide additional comments on four issues.
First, I think this committee and several of these committees have done excellent work on Privacy Act reform. As you know, it has been an issue that has regularly come up before this committee. There are few areas within Canadian privacy that are more overdue for updating. Indeed, there have been consistent and persistent calls for reforms for decades.
One of the methods of addressing some of the airport privacy concerns in Canada may be through the Privacy Act. Your proposed reforms to provide the Office of the Privacy Commissioner of Canada with greater powers would empower that office to examine border issues in a more comprehensive manner and open the door to more careful reviews of cross-border sharing arrangements. You recommended the reforms; now we need action.
Second, information sharing within government—we just heard about it from Mr. Fraser—remains a source of concern. Indeed, some of the most notable anecdotal stories involving abuses or questionable conduct at the border arise due to information sharing between governments or government departments. The Privacy Act and the OPC are supposed to create safeguards against misuse of personal information, or the use of information for purposes for which it was not collected. However, we have witnessed mounting pressure in recent years for more information sharing between governments and government departments.
Bill C-51, which we all know garnered widespread criticism, featured a significant expansion of government sharing of information, undermining, I would argue, the effectiveness of the Privacy Act. Unfortunately, the information-sharing provisions as they were amended in that bill were only modestly changed. Information sharing was considered a feature, not a bug, and I should note that included the Liberal Party when it was in opposition.
Bill C-59, which seeks to amend Bill C-51, leaves many of the information-sharing provisions intact. There are two needs here that must be reconciled. One, I think we all recognize that government needs to be able to use the information it collects in a reasonable and efficient manner. Two, the public needs confidence that its information will not be misused. That confidence comes from legislative safeguards and effective oversight. There is reason to believe we do not yet have the right balance.
Third, as the Privacy Commissioner of Canada has discussed, Canadian law must apply on Canadian soil when it comes to these issues, particularly the charter. Reducing so-called friction at the border is a laudable goal. No traveller wants long lines or lengthy delays, and that of course applies in a commercial context as well. However, expediency has a price, and sacrificing the Canadian Charter of Rights on Canadian soil is, in my view, a bad bargain. The Supreme Court of Canada has upheld unauthorized searches of devices, and those principles should apply on Canadian soil in a like manner at the border.
Fourth, with the NAFTA negotiations ongoing this week in Ottawa, I think it is important to link those trade talks with this issue. While there is no airport privacy chapter in the agreement, at least that I'm aware of, NAFTA touches on many of these related issues. There will be pressure—we know there is pressure—to speed up border crossings in the name of increased trade. Further, the digital trade chapter, formerly the e-commerce chapter, is likely to include provisions on data localization, prohibiting some of the data localization, and restrictions on data transfers. NAFTA, of course, is not a privacy deal, but the reverberations from the agreement will be felt in the privacy world.
The European Union has regularly linked privacy and data protection with trade. We ought to do the same, recognizing that these issues are linked and that the policy recommendations that come out of this committee on this issue need to make their way into the negotiations. In fact, I'd go even further by noting that the U.S. now seeks to accord the Europeans with privacy protections under the privacy shield. Other countries, such as Australia during the TPP negotiations, sought to ensure that Australians enjoyed the same level of protection. Surely, Canada can use the NAFTA discussions to ensure that the same kind of protection afforded to citizens of other countries outside the United States is afforded, as well, to Canadians.
I look forward to your questions.