Evidence of meeting #41 for Access to Information, Privacy and Ethics in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was privacy.
A video is available from Parliament.
Liberal
Patricia Lattanzio Liberal Saint-Léonard—Saint-Michel, QC
Is there any aspect of your reappointment we have not covered and that you wish to bring to the attention of this committee?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
No. I think my task for the next year would be to continue to comment on legislation and try to prepare the OPC for what comes next.
Conservative
Conservative
The Chair Conservative Chris Warkentin
There will be other rounds.
We'll turn to Madame Gaudreau for six minutes.
Bloc
Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC
Thank you, Mr. Chair.
Mr. Therrien, let's continue in French. I have a few comments to start with.
First, I would like to thank you for your impartiality and to congratulate you on your role as commissioner. We need your input to do our work. I am very grateful for that.
I am also grateful for your co‑operation with our counterparts in other provinces, for going to see what is going on elsewhere and also for seeking to understand legislation in other countries.
In 2019, I did hear your request about fundamental reform. As a committee, we clearly had to adjust.
However, I am very concerned. Yes, [Technical difficulty—Editor] in the first part of the session, my motion had been clear that we need to stop checking people's social security numbers and make sure that we use other means to check identity. Many private companies are already doing this.
We didn't get to see Bill C‑11 go through, but how would that bill have contributed to your desire for reform? At the same time, how do you see the coming months, as your precious time is running out in the coming year?
Those are the first questions I want to ask you.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
With respect to Bill C‑11, I would refer you to the brief we submitted a month ago.
The current Personal Information Protection and Electronic Documents Act (PIPEDA) is essentially an act that originally incorporated into federal legislation an industry code of practice that was created a little over 20 years ago. So the current wording of PIPEDA is very much a repeat of that code. A code of practice is a code that is intended to improve business practices, but it is not written like a law. Bill C-11 is certainly a step forward. The structure of the bill is adequate, in terms of its content, to raise the appropriate questions.
That being said, we clearly have a lot of concerns about the content and the answers that the bill gives to those questions.
For example, what should the rules be on consent? What should the rules be on corporate responsibility? What should the powers of the commissioner's office be?
The starting point of the structure of the act is good, but a lot of work remains to be done. Looking at it broadly, I would say that the work before you, and before us, is to protect the right to privacy as a human right, as it should be. That's my view.
Beyond that, we need to find the right methods to help Canada ensure that data, including personal data, can be used in the public interest while protecting privacy. I think that's the overall goal. Public authorities have a responsibility to ensure that, in the 21st century, laws are drafted in such a way that we, as a society, can enjoy the benefits of the digital age, but in a way that protects privacy. That's how—
Bloc
Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC
With respect to Bill C‑11, my understanding is that we cannot be against motherhood and apple pie, because steps need to be taken. Clearly, we, as legislators, should quickly put forward the reform. We see reports from other countries that have moved forward, and we are a little behind. What I understand is that, regardless of current events or partisanship, if we are concerned about fundamental rights, we should make this a priority.
There is also the issue of facial recognition, the data and images that are used. I am very concerned as an individual, but also as a legislator. When I'm asked about what we have done to properly protect people, I'm a little embarrassed.
Do you agree?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I certainly agree that it is urgent to better regulate the issue, both in terms of human rights and in terms of having a solid framework regulating the use of data in order to protect privacy. It is urgent.
Bloc
Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC
Since this is the last year of your mandate, what would you like to leave behind? What is your greatest wish as commissioner?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Ideally, I would like to see new legislation in the private and public sector.
I would like, at least, to see proposed legislation, in both sectors, that gives a clear indication that, in the near future, Canada will be moving to adopt rules that achieve the objectives I have just stated, namely the protection of rights and an assurance that data is used in a responsible manner.
If no new legislation is adopted, there should at least be clear proposals to that effect that can be adopted and implemented right away.
Bloc
Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC
Thank you, Mr. Therrien.
We will see each other again soon.
Conservative
The Chair Conservative Chris Warkentin
Thank you, Madame Gaudreau.
We're going to turn to Mr. Angus for six minutes.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Thank you so much, Mr. Therrien, for joining us again.
In early 2020, I wrote to you requesting an investigation into Clearview AI, the facial recognition technology, on whether or not they had breached Canadian law. Your finding was that “What Clearview does is mass surveillance and...is illegal.”
Throughout that time, the RCMP made a number of false statements to the public about their use of Clearview AI, and I asked you to investigate whether or not the RCMP had been using this illegal technology. Your office reached out to the RCMP, and they said they weren't. Is that correct?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Initially they said they were not, and later they acknowledged that in some parts of the organization they did.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Okay. They changed their tune when the Clearview AI client list was hacked and made public. I'm concerned that Canada's top police force lied to an officer of Parliament and had to come clean because their client list was hacked and we knew the RCMP was using that technology.
Does it concern you they were misrepresenting their use of Clearview AI to you?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
That's an issue we gave some consideration to when we were writing our report of finding. We did not conclude, actually, that they had misrepresented the situation. They told us at first that they were not using the technology. Ultimately they essentially said that because they did not have the systems in place to ensure that the use of new technologies was reported higher up in the hierarchy, when they found out that the technology was used in part by some individual officers to test it and in part by a group of people concerned with child disappearances, then they told us that, indeed, they were using the technology.
These are the facts, I think, as well as they can be summarized.
NDP
Charlie Angus NDP Timmins—James Bay, ON
I guess what concerns me is that it doesn't seem as though it was just a few individuals. There were five RCMP divisions, plus national headquarters, where the technology was being used, and there were also 17 unpaid trial licences in various detachments. When they were asked why they used this, they said they used it only in child exploitation cases, but those represented only 6% of the uses. Again, I find that troubling. Of course, we want to help children and to help in cases of child exploitation, but what were the other 94% of the searches being used for? Didn't they keep track? Were they not able to explain that to you?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
They did not and they were not, and the only finding was that the RCMP was using technology that we found violated privacy. That was the first main conclusion. The second was that the RCMP did not appropriately account for and assess—importantly assess—new technologies that its officers were using. The second part is what will be the main focus of our engagement with the RCMP in the next few months.
NDP
Charlie Angus NDP Timmins—James Bay, ON
In the RCMP documents on Project Wide Awake, they have a [Technical difficulty—Editor] their officers, “You have zero privacy anyway, get over it.” It suggests to me a disregard for the law. As well, the RCMP took the position that they weren't responsible for the fact that Clearview AI, as a private sector partner, broke the law. If they were using it, it wasn't their problem. You stated, “In our view, a government institution simply cannot collect personal information from a third party agent if that third party's collection was unlawful in the first place.” That would seem to me to be a pretty clear reading of what Canadian law should be, and yet they seem to think they weren't obligated.
We have this new law, Bill C-11, which is supposed to clarify the uses of technology, but Minister Bill Blair, when I asked him about this, said they were certainly looking to give the police tools to use. Are you concerned that Bill C-11 would allow the RCMP to ignore these basic principles of privacy law and would allow them to contract with third party operators like Clearview AI?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I would answer with respect to the two relevant clauses.
In terms of the RCMP, to the extent that the principle that we outlined, i.e., that a federal department or institution should not rely on information that was obtained illegally by a third party partner, if that's not clear and the RCMP argue that it is not clear, then what needs to be changed is the public sector Privacy Act. That's point number one.
In terms of the particular use of the Clearview technology, Clearview also was, and I think still is, arguing that its database was created to assist the police and other institutions in law enforcement against crime. The company sees that as a legitimate purpose. There's no question that to develop some tools to assist the police to enforce the law is legitimate, but neither the police nor the private sector can or should do anything they like, regardless of privacy protection. That's point number two.
In our submission on Bill C-11, we ask that Parliament does make clear, with a technology like Clearview, which in our view constituted mass surveillance, that the law be extremely explicit, and that this is contrary to private sector privacy law as well.
Conservative
The Chair Conservative Chris Warkentin
Thank you, Mr. Angus.
We're going to turn to Mr. Carrie now, for the next five minutes.
Conservative
Colin Carrie Conservative Oshawa, ON
Thank you, Mr. Chair.
Mr. Therrien, I want to thank you for a number of things.
First of all, thank you for accepting an extension of your term. I think your institutionalized knowledge right now is extremely important. One of the things I'm getting a lot of emails about is trust—Canadians trusting the government. I think some of it's warranted, and some of it may not be warranted. I see you as somebody who is standing up for Canadian privacy rights. You mentioned privacy as a human right. Constituents of mine are concerned about that.
I would like to address a couple of those concerns with you now.
Mr. Barrett brought up the vaccination passport and whatever that's going to be in Canada. I was a little disturbed to hear that though you've been consulted, you really haven't been brought in on whatever it will turn out to be. There are meetings later in the week, you said, but the government is already making announcements on it today.
I'm going to be doing a survey in Oshawa on it, because I'm getting emails from some people who think the idea of some type of a vaccine passport is reasonable and sensible. Others say it's a bad precedent and are concerned about civil liberties and their privacy. With the whole thing about censorship and Bill C-10, people seem to be concerned.
Do you have some advice about what we could put in place to make sure that we talk about the Canadians who do have privacy issues or perhaps religious, health or conscience issues as we move forward with this type of vaccine passport?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
There are a number of considerations that are relevant.
The first one is whether there is authority for this. I think there likely is.
With Mr. Barrett, I discussed a number of other issues, including the fact that this exceptional measure should be time-limited. That's an important consideration.
You mentioned religious or other rights that might explain why someone has not been vaccinated. That certainly needs to be one of the considerations. The “vaccine passport”—lets call it that—or proof of vaccination in ArriveCAN can probably be used as the rule. It should accommodate exceptions, particularly exceptions founded on the exercise of fundamental rights like freedom of religion. There need to be exceptions.
The last thing I would say is that the use of a measure like this—which again is exceptional and does impact civil rights—needs to be based on good science. There needs to be good evidence that vaccination actually protects people who would be in contact with a vaccinated person. It's entirely conceivable that such evidence exists, but we have not been shown it yet. That's another consideration.
I will leave it at that.