Evidence of meeting #24 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

3:50 p.m.

The Chair Conservative Pat Kelly

I call this meeting to order.

Welcome to meeting number 24 of the House of Commons Standing Committee on Access to Information, Privacy and Ethics. Pursuant to Standing Order 108(3)(h), the committee is studying the subject matter of main estimates 2022-23.

I would now like to welcome our witness today, Mr. Daniel Therrien, Privacy Commissioner of Canada. Not to pre-empt any of his remarks, but I will point out that he will be leaving his office for retirement shortly. This will be our last opportunity to have him at committee. I thank him in advance for his long service to Canada and to this committee.

With that, we'll leave it to you, Mr. Therrien, to begin your remarks.

3:50 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you very much, Mr. Chair. That is very kind.

Good morning, Mr. Chair, and members of the committee.

Thank you for the opportunity to appear before you today to discuss some of the lessons of the last eight years and some high-level recommendations on how the law should be reformed.

We are living in the fourth industrial revolution, the digital technology revolution. These technologies are disruptive.

As the pandemic has shown, there can be several benefits to this, for instance in health and education, or even the environment. Digital technologies can indeed serve the public interest.

We have also learned over the years that the consent model as a means of protecting privacy has serious limitations. It is neither realistic nor reasonable to ask individuals to consent to all possible uses of their data in today's complex information economy, for instance in some circumstances where artificial intelligence is used. The balance of power is too unequal and the asymmetry in terms of who controls personal information is too great.

In fact, consent can be used to legitimize uses that, objectively, are completely unreasonable and contrary to our rights and values. And refusal to provide consent can sometimes be a disservice to the public interest.

During my term, however, we have also seen through investigations that these technologies can present not just potential risks to privacy, but also cause real harms.

For example, our Clearview AI investigation showed that the company used facial recognition technology in a way that amounted to mass surveillance. And our investigation into the RCMP's use of the Clearview technology demonstrated the growing risks posed by public-private partnerships and the absence of a legal framework governing the use of such sensitive biometric data.

The Cambridge Analytica scandal, studied by a committee composed of members of the Standing Committee on Access to Information, Privacy and Ethics and legislators from other countries, showed that privacy violations could lead to violations of democratic rights.

Finally, our investigation into Statistics Canada revealed that a government institution believed evidence-based policymaking could justify the collection of line-by-line financial records of citizens, another form of surveillance.

This leads to the following conclusion. While disruptive technologies have undeniable benefits, they must not be permitted to disrupt the duty of a democratic government to maintain its capacity to protect the fundamental rights and values of its citizens.

What we need, then, is real regulation of digital technologies, not self-regulation.

The previous Bill C‑11 would unfortunately have allowed more self-regulation by giving companies almost complete freedom to set the rules by which they interact with their customers, and by allowing them to set the terms of their accountability.

If we draw on the lessons of the last few years, we will adopt private sector privacy laws that will allow for innovation—sometimes without consent—for legitimate commercial purposes and socially beneficial ends, within a framework that protects our values and our fundamental rights.

In the public sector, we also need laws that limit the state's ability to gather information about its citizens beyond that which is necessary and proportional to achieving its objectives.

Overall, we need federal laws in the public and private sectors that are rights based, that have similar and, ideally, common principles for both sectors, which are based on necessity and proportionality, which are interoperable at both the national and international levels and which give the regulator the power to audit and enforce that it needs to ensure compliance.

Adopting adequate privacy legislation is not sufficient in itself. The regulator must also have adequate enforcement powers, be properly funded and be given regulatory discretion to manage its workload to ensure that it can protect the greatest number of individuals effectively within limited resources.

In July, the Privacy Act extension order will come into force, giving foreign nationals abroad the same right as Canadians to request access to personal information about themselves that is under the control of federal government institutions.

The government believes that this will result in a large increase in the number of requests for access, which will trickle down by way of complaints to our office. The OPC has communicated its funding needs to the government. To date, no new funding has been provided. This is a critical issue for the OPC as it requires additional funds to perform these newly mandated duties.

As for the broader financial impact of law reform, we believe, based on the experience of other data protection authorities, that our budget would need to double, approximately, if the promised new law for the private sector were similar to the former Bill C-11. We also anticipate the expansion of advisory functions and the obligation to review industry codes of practice.

We welcome these new responsibilities as they would promote compliance with the law when programs are at the design stage. Nonetheless, we are concerned that the non-discretionary nature of these activities and of our investigative work would deprive us of the ability to risk-manage our caseload and give greater priority to matters of higher risk. We therefore urge you, when a bill is eventually presented to Parliament, to give my office greater discretion to manage our caseload by selecting its advisory and investigative files to ensure that we can protect the greatest number of Canadians effectively within our limited resources. Not only would this allow us to operate more efficiently, but we have also estimated that it would result in a cost saving of nearly $12 million per year.

As for enforcement powers, I have consistently called for quick and effective remedies, including the power to issue orders and to impose significant monetary penalties proportional to the financial gains that businesses can make by disregarding privacy. Yet further evidence of the need for these powers was provided yesterday with the result of our investigation into Tim Hortons.

Like many other data protection authorities in Canada and abroad, the OPC should also be empowered to conduct proactive audits to verify compliance with the law. The need for this was demonstrated in spades in the recent story about the Public Health Agency's use of mobility data that was obtained in modified form from private sector organizations. In a world where innovation requires trust, an important factor of trust in the population would be the assurance that an independent expert has their back, will verify and ensure compliance with the law and will take appropriate action to stop or correct non-compliant behaviour. Again, these are powers or authorities that a number of our provincial colleagues have in Canada and that a number of our international partners have, including in common-law jurisdictions such as the United Kingdom.

I would like to leave you with a few final thoughts on the future of privacy laws federally and their interoperability with the laws of other jurisdictions, both domestically and internationally.

Domestically, we see that Canada's three most populous provinces have made recent proposals towards responsible innovation within a legal framework that recognizes privacy as a fundamental right. Quebec adopted such a law in 2021.

All of these provinces confer order-making powers on data protection authorities, and they propose to give them the authority to impose monetary penalties directly without going through an administrative appeal—but subject to judicial review. We ask for similar powers, in part so that all Canadians, regardless of their jurisdiction, have access to quick and effective remedies if their privacy rights are violated, and in part to ensure that the OPC remains an influential and often unifying voice in the development of privacy in Canada. If the powers of provincial and the federal authority are different, if the process federally is longer than that in the provinces, I'm concerned that citizens will address themselves to provincial authorities and that the influence of the federal authority will become less.

Globally, it is also essential that Canada's laws be interoperable and not too different from international standards. Some industry stakeholders say that a made-in-Canada approach has been good for the country and that a rights-based approach would hurt innovation.

The idea that rights-based law would impede innovation is a myth. It is simply without foundation. In fact, the opposite is true. There can be no innovation without trust, and there is no trust without the protection of rights.

In our view, a made-in-Canada approach that would be too different from what is becoming the international gold standard would not be in the interest of Canadian business. To the contrary, interoperable laws are in Canada's interest.

In closing, my message to this committee is this: continue the work that you and your predecessors have been doing on these important files. As legislators, you have the power to bring meaningful change to our privacy regime and your reports to date point in the right direction.

Remember also that our laws should protect the right to privacy in its true sense: freedom from unjustified surveillance. Thus, legislation should recognize and protect the freedom to live and develop independently, free from the watchful eye of the state or surveillance capitalism.

In other words, the law should protect our values and rights, hard won over centuries, and should not be set aside in order to benefit from digital technologies.

It has been an honour working with all of you. Thank you for the extra time this afternoon.

I am happy to answer any questions you might have.

4 p.m.

The Chair Conservative Pat Kelly

Thank you, Commissioner Therrien.

Yes, indeed, to the members who have been wondering, yes, I allowed him whatever time he needed to make his opening statement.

With that, I want to just have a quick word about how I plan to proceed with this meeting.

We started a little bit late. I want to go through our normal first round of six minutes each. The second round, which is Conservative and Liberal; then two and a half minutes each to the Bloc and the NDP; and then back to five minutes to the Conservatives and Liberals. That would take us to about 4:50 p.m.

I propose to do a third round if there is appetite for it. If there is not, we can suspend at that point. If there is appetite, we can continue through and should have enough time to get a third full round in and then allow for a few minutes of committee business at the end when we have some housekeeping items that need to be addressed.

I'll be vacating the chair for a portion of that time to speak in the House, but I will be back in time to take over the short committee business portion where, as I said, we have some housekeeping to take care of.

We'll try to get people out. I know there are people with flights tonight, too.

With that, Mr. Kurek, you have six minutes.

4 p.m.

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you very much, Mr. Chair.

First, let me thank you, Commissioner, for your work over the last number of years and for your service to Canada. Congratulations, and I hope you are able to enjoy your upcoming retirement.

Commissioner, I'm curious, and perhaps I could ask a very broad question first on whether or not you believe that the whistle-blower protection laws in Canada are adequate.

4 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That has not been a matter that we have experienced or applied very frequently. There are provisions in privacy laws that protect whistle-blowers who wish to make complaints, for instance, either against a company or a government institution. They are used extremely rarely; in fact, I do not recall a case. I would not be able to speak from experience on that matter.

4 p.m.

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you, Commissioner.

I know there is an ongoing investigation of a leak of some information from the CRA.

Could you share with this committee if you have any recommendations as to how to ensure that whistle-blowers could be protected to ensure that when information is brought forward in the public interest, those who might be bringing it forward will not face repercussions?

4 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

In broad terms—and I have not looked at the Privacy Act or PIPEDA in that regard recently—obviously a whistle-blower should be protected. Their identity should be protected by the tribunal or the office that considers their complaints. At the same time, the complaint needs to be examined in a fair way towards the institution or organization being investigated.

However, I would not have anything really to say other than obviously the identity of the complainant, who is a whistle-blower and for whom there may be reprisals, should be protected.

4 p.m.

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you, Commissioner.

I'm curious. With Bill S-7 currently before the Senate, an act to amend the Customs Act and Preclearance Act, have you had a chance to examine this piece of legislation and give advice on it?

4 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I have, and officials of the OPC will testify on Monday before the Senate on this legislation. We have prepared for it, so I can say a few things.

Clearly, one of the areas of activity we've examined and investigated during my mandate has been this issue of the searches of cellular devices or electronic devices at the border. There is no question that privacy interests at the border are lesser than within the country itself, which gives more latitude to border officers to search luggage, persons and electronic devices.

We have, in our investigations, underlined the fact that a cellular device or an electronic device is not the same as luggage or a piece of mail. There is much more very sensitive personal information contained in an electronic device. Therefore, although we're at the border, the privacy interests of information found in an electronic device mean that these devices cannot be searched without any grounds whatsoever.

The courts have agreed with that—

4:05 p.m.

Damien Kurek Conservative Battle River—Crowfoot, AB

Sure.

4:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

—leaving to Parliament the authority or the choice to craft a reasonable standard for border officers to perform their duties.

I would simply end by saying that I know that Bill S-7 proposes a novel standard to authorize border officers to perform their duties. At the end of the day, I would say that it seems to me that no standard will stand up before the courts unless there is an objective basis for the belief by a border officer that he or she will find material that is unlawful. Because of that, I'm not so sure a law can have a standard below reasonable grounds to suspect, which is a known standard, because the courts, it seems to me, will inevitably require some objective basis on the part of the border officer to perform the search.

4:05 p.m.

Damien Kurek Conservative Battle River—Crowfoot, AB

I'll ask in the few seconds I have left: Do you believe that the bill, as written, is then problematic in terms of not creating an appropriate threshold?

4:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

There is an attempt in the bill to respond to a court decision and craft a standard. I have heard operational issues at the border, but I have not heard arguments or evidence yet that would address the question I am raising, which is that it seems to me the courts will require an objective basis. I have not heard that evidence on the part of the government yet. It may exist, but I have not heard it yet.

4:05 p.m.

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you, Commissioner.

4:05 p.m.

The Chair Conservative Pat Kelly

Thank you.

Now for six minutes we have Ms. Saks.

4:05 p.m.

Ya'ara Saks Liberal York Centre, ON

Thank you, Mr. Chair.

I would like to thank Commissioner Therrien.

It's good to see you again and to thank you in person for your service to Canadians and to all of us as parliamentarians. As an agent of Parliament, your role is really to oversee compliance with the Privacy Act and also to promote the privacy of Canadians in the work we do in many spaces.

In my short time here in Parliament, the digital space is one that has grown. It is being used in every part of our lives through these phones, particularly during COVID. As our workplace environments have become our home environments as well, issues of privacy have certainly been elevated in many aspects of our daily lives.

The Minister of Justice was mandated to develop amendments to the Privacy Act. I'd like to ask you if you support the work and what changes he should prioritize as you exit your years of service.

4:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The Department of Justice published a consultation paper about a year ago on potential principles for a new public sector law. We recommended certain changes, but by and large, we were fairly happy with the general tenor of the bill and its principles.

One of the issues, if not the main issue, parliamentarians should think about when they consider public sector law is the growing use of technology. There is much greater ease with which both companies and government departments can collect information, so it is important to ensure that technical ease is controlled by rigorous standards. The international norm in that regard is necessity and proportionality. I think that is the main point to be made with respect to the Privacy Act.

4:10 p.m.

Ya'ara Saks Liberal York Centre, ON

Thank you for that.

I'd like to step up on that, if I may. You recently collaborated with five other countries to advance privacy in video conferencing and teleconferencing software. Can you explain what this means for ordinary Canadians, particularly in this new Zoom world? Even today, we have members of our committee who are video conferencing with us.

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That's an interesting question. It speaks to the role, among other things, of the OPC, not only as an investigative body but also as a body that can provide advice to companies or departments on how to comply with privacy laws.

That exercise involved, as you said, five data protection authorities across the world. The U.K. was one of them, as well as us. Because of COVID and the greater use of platforms like Zoom, Microsoft Teams and the like, these platforms were extremely helpful if not necessary for people to communicate and work, and so on. There were certainly issues, if not concerns, as to whether these platforms properly protected the personal information of users. Rather than formally investigate whether the platforms complied with the law, we had a more informal engagement with a number of these platforms where we were shown some of the technologies being used and how they were used, and we provided certain advice to improve privacy protection.

That exercise did not lead to a stamp of approval by data protection authorities. We looked at everything. We thought everything was compliant with the law, but we thought it was still useful to have this engagement with these companies to see whether anything clearly awry was happening, which we did not see, and to try to elevate the level of privacy protection in the use of these technologies.

4:10 p.m.

Ya'ara Saks Liberal York Centre, ON

That's a really important point. The privacy of employees working from home, particularly through these platforms, is something that's certainly of national concern to Canadians. It's something that we've even discussed here as a potential motion for a study by this committee. Sadly, not all of my colleagues agreed with that.

Do you think it's important that we do an exploratory search of this? If this is going to be the technological norm for our employees, both in the public and private sectors going forward, employees need to know that their privacy is protected in the relationship with their employers when they are engaged on these platforms and this technology is a requirement of their work.

Do you have thoughts about that?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It's certainly an issue that needs to be examined. There may be jurisdictional issues as to whether this falls under provincial or federal jurisdiction. I will not say it is clearly not under federal jurisdiction. There are companies under the ambit of PIPEDA, the private sector law, that play a role in that sector, so I'm not saying, “Don't go there”, but if you go there, which is certainly a worthwhile issue to examine, ensure there is federal jurisdiction.

4:10 p.m.

Ya'ara Saks Liberal York Centre, ON

Yes or no, would a study be worthwhile on this issue?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes, on the substance.

4:10 p.m.

The Chair Conservative Pat Kelly

Thank you.

Now Mr. Lemire.

4:10 p.m.

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Thank you for welcoming me to the committee, Mr. Chair.

Mr. Therrien, let me start by thanking you for your work throughout your career.

I usually sit on the Standing Committee on Industry and Technology, where you have appeared in the past.

I consider your testimony something of a legacy. It includes a number of elements, and I will become the messenger to see that all your recommendations are implemented, in particular regarding our role as legislators and the need to double your office's budget to improve its effectiveness in the face of “surveillance capitalism”, which is a great term.

That said, regarding the federal government's use of mobility data, the government did inform you of its intentions, but it also chose to use other experts to look into technical ways of depersonalizing the data. In the end, there have been times during your mandate when you might have felt superfluous. At least it seems that way.

Were there times when you felt sidelined by the government?