Information & Ethics Committee on Aug. 8th, 2022

Not at this time; we were made aware of its use through the media and the question on the Order Paper at the end of June. We reached out to the RCMP. They are aiming to provide us with information at the end of August. It will be coming this month, but it hasn't come yet.

Well, we have not received detailed information in terms of the context and the use. That's what we look forward to receiving and to providing advice on with the facts. I think what I could say at a high level is that, on the one hand, these tools appear to be potentially highly intrusive in terms of their capabilities to gather information. On the other hand, they are also subject to an extensive regime in terms of judicial authorization and conditions. We will look at those two aspects to see the intrusiveness of the tools but also the safeguards, including the fact that they are, if they are, and the extent to which they are subject to judicial authorization and the criteria and notification—the elements in terms of the Criminal Code. We're going to look to see if, given the evolution of the technology and the capabilities, there should be more in terms of safeguards, whether it be with respect to retention policies or otherwise.

These are the things we're going to be looking at once we have the briefing and the more detailed information, as we would have done and as we would do in the context of any program where a PIA would be done.

Sure. Currently, there's no legal obligation on departments or the RCMP for doing this. There is a policy from the Treasury Board and there's a directive. Those policy instruments require that PIAs be done when there's a new program or new use that could potentially be having an impact on the privacy of Canadians. There's a requirement that my office be notified early enough so that we can provide meaningful input. The idea, again, is to reassure Canadians, and also to ensure that the information and advice is there.

But we see situations like this one, where this is done very late, after the tools have been used for some time, so we're not in a position where we can address or prevent. We're in a reactive mode. Our advice and recommendation, or my hope, is that this be made a legal obligation in the Privacy Act, because then there hopefully would be more timely compliance with this requirement.

Under not a legal obligation but under the policy documents of the Treasury Board; this is something that's not legally required but is more internal. The sanctions could be imposed by the Treasury Board itself...or removal of delegation or these types of things, but there is certainly in this policy the sense that my office should be notified and that a PIA should be done in high-risk situations where the tools can have an impact on privacy.

The fact that there's a judicial authorization regime doesn't remove the need to do a PIA, but it's an important element that would certainly be looked at and considered in a PIA as a mitigation measure.

That the PIA be done would be the legal requirement and that my office be consulted in appropriate cases; again, there may be situations where you have to manage the risk at play. There's also the sensitivity of the information. Situations have to be looked at on their facts.

Our recommendation is that if it were a legal obligation, there would be more compliance. Maybe it would help organizations ensure that they do it, that they have the resources to do it and that they're coordinated enough to do it. I understand that organizations have a lot of pressure and have a lot of things they have to bear in mind. I'm very sympathetic to that. I think having it as a legal obligation is sometimes helpful, because it focuses the attention on that.

A government entity's use of spyware raises privacy concerns right off the bat. That doesn't mean that it won't be allowed in situations where it's appropriate. As I said earlier, privacy is not an obstacle to the public interest, but it always has to be taken into account. Privacy is a fundamental right and needs to be taken into account. It's a matter of human dignity.

You're right about how quickly technology is moving, and tools are becoming more and more sophisticated. This isn't the same as just intercepting a conversation on a landline; smart phones hold a wealth of information.

The approach we advocate is taking privacy into account from the get‑go, especially given the potential for technologies to be more and more privacy-intrusive. Also important is the ability to properly weigh the risks and the necessity of using the tool.

My office and this committee recommended necessity and proportionality as criteria. That is not to say that the tool can't be used. Perhaps it can. Perhaps, in this case, that balance was achieved, but it's important to make sure. Those checks and balances not only protect privacy, but they also reassure Canadians that privacy is being respected.

This afternoon, you'll be hearing from RCMP representatives. I think they will highlight the fact that these tools are subject to oversight under part VI of the Criminal Code. In its response, the RCMP said that the use of these types of tools was subject to judicial authorization. That's an important aspect.

That oversight comes down to criteria set out in a section of the Criminal Code for the purpose of protecting privacy while allowing criminal investigations to take place.

What we are saying is that, when these tools are new, very powerful and potentially intrusive, it's important to carry out privacy impact assessments, even if judicial review mechanisms are in place. There is a system that has that requirement, but it's not a legal one. It's the system that was put in place pursuant to the Treasury Board policy. My office asks departments to ask these questions and to document the information.

At the end of the day, the results may show that, while these tools are certainly intrusive, they are necessary given the difficulty of conducting the investigation and the lack of alternatives. It's not about choosing between the public interest and privacy; it's about ensuring respect for both, but it has to be done in a way that builds trust. It's better to carry out assessments at the front end so that the use of these tools doesn't come to light in a news report or in response to a parliamentarian's question. This kind of situation can be avoided by conducting assessments first and by consulting my office when appropriate.

Parliamentarians, my office and stakeholders need to ask questions and examine the possible repercussions these tools have on privacy.

You're right: there are a number of bills and initiatives. Organizations need to address privacy considerations in their plans and activities, and parliamentarians need to do the same when it comes to bills. My office is here to provide the committee with advice on legislative measures.

We said the same thing in relation to facial recognition technology: it's important to consider the safeguards in place. That includes the requirement to obtain judicial authorization before using spyware.

My priority is to determine what the repercussions and implications of using the tools are, and to make recommendations based on the information provided by the RCMP. We hope the RCMP will follow through on our recommendations, and that's what we expect.

It's not legally binding to the extent that a section of the act is, but it would be looked at in identifying the purpose of the act and in identifying sections of the act. The preamble is very helpful, so we would look to—