Information & Ethics Committee on June 2nd, 2022

I would not say negligent. I have pointed instead to public-private partnerships. The government and its institutions are increasingly calling upon private companies that have developed technologies—which is normal—to help government carry out its programs. In this case, it was the RCMP.

It is normal for a federal government institution to call upon the private sector, but in so doing it must not be able to use data that it could not collect itself. Violations of laws cannot be subcontracted to the private sector.

In this case, the company clearly violated the law applicable to the private sector, that is PIPEDA, or the Personal Information Protection and Electronic Documents Act. The RCMP called upon this company, which violated the law.

In our opinion, a reasonable interpretation of the law for the public sector, which governs the RCMP, is that it should have verified the legality of the company's practices, which it hired by contract. This applies to the RCMP, but equally to all government departments.

I'll be glad to do that.

As I recall, Bill C-11 was tabled in the fall of 2020. The government has announced that a successor will be tabled in 2022, perhaps before the summer.

I thought it was important that the OPC start thinking about how it would be organized to inherit new responsibilities that the earlier Bill C-11 would have given the OPC. We don't know what the new bill will say, but there's a chance, of course, that it will have many elements of Bill C-11. The idea is to get ahead of the curve and think about how we would exercise these responsibilities, so we're not caught off guard if the transition period after the adoption of the bill is shorter than we would hope.

Among the responsibilities that Bill C-11 would have given the OPC—and we think it's likely this will continue to be the case—is order-making. It would be subject to appeal before a tribunal, which we think is unnecessary...but still order-making. That would require, we think, the setting up of an adjudication branch of arbiters or adjudicators. Right now, we have investigators who make recommendations, but with new legislation that has order-making powers, we would likely need to have adjudicators somewhat distant from investigators to ensure the fairness of processes.

That is one area we looked at.

The bill also provided for a review function of the code of practice.

We have looked at all the new authorities Bill C-11 would have given the OPC, and we have given some thought to how we would exercise these responsibilities.

I'll start by explaining what the current law is.

The Privacy Act gives Canadian citizens the right to access personal information about themselves held by the government. That right does not exist for foreign nationals, except when they proceed through Canadian agents—

To cut this short, the government expects that there will be a very significant volume of access requests by foreign nationals, some of them immigrants interested in their immigration status, and proportionally there will be an increase of complaints with the OPC. We think there will be an important resource demand for the OPC. We have made a request to the government, which has not been denied. It's under consideration. We think it's really important to receive funding for this activity.

Not yet.

For the extension order, there has not been a refusal. The request is still being studied.

Overall, I think the issue is that we're going to inherit many new responsibilities, first under this order and then under new laws in the private sector or public sector. That's why we think we need to increase our resources significantly, probably to double them. When you look at other data protection authorities, that's generally the trend.

We have had some budget increases by the government, but definitely, with new responsibilities, we will need significant new funding.

At this point, we're in a situation where unless we're provided further funding, yes, we expect the backlogs to grow. But I'm an optimist, and with new laws and a new extension order, I certainly hope there will be some funding that will help ensure that we can deal with these complaints in a timely manner.

The Tim Hortons application did indeed track their users' movements every few minutes of every day. I think that shows, among other things, that the current law—in part because it does not have penalties and in part because it does not define accountability as I've suggested—allows companies to use technology because it exists, because it may be helpful or useful, and eventually to collect information even though they may not have a direct use for it.

Before companies engage in the use of these technologies, they should be required by law to properly assess the privacy risks of that activity and they should only collect information to the extent that it is proportionate to the uses of their commercial objectives.