Information & Ethics Committee on Aug. 9th, 2022

Yes. Further, I think it is possible to have these requirements at a sufficient level of generality, but still meaningful, without being overly prescriptive and preventing officials, whether by the police or others, from exercising judgment. But—

I'm not aware that they did engage in that study.

I think police need to recognize that they're not always going to be in uniform and that it affects them individually just as easily as it does you and me and anybody else.

Members of law enforcement are like everybody else. They, too, lack the fundamental education about privacy rights and responsibilities and legislation. They are law enforcement, and that's what they do. They see it from that perspective, as they ought to, but they need to be encouraged to see it from other perspectives.

First of all, I think if the spyware is regulated in the hands of RCMP and federal agencies, that doesn't address the municipal and the provincial law enforcement agencies, so it has to be all encompassing.

I think it's a matter of crafting laws—again, without the direct or indirect influence of industry—that put the liability first on the hardware and software companies and their executives who sell products that are full of vulnerabilities that allow spyware, ransomware and malware attacks. Ban federal procurement or use, directly or indirectly, of spyware by legislation, regulation or order in council, with equivalent bans in each province and territory, and work with foreign governments to ban the sale, export, distribution, use of and investment in commercial spyware.

We already have international free trade agreements that have mandatory cross-border information-sharing provisions and all sorts of other provisions. They need to include provisions where signatories agree to criminalize and prosecute the individuals and the organizations that create, test, market, fund and distribute spyware—and the executives and the investors. There have to be penalties because, otherwise, it's like policy: It's on the books, but if someone in another country can use these products against us, their own governments have to be involved in stopping it because that's in that country, of course. It's out of our reach.

One of the most important differences, I think—a distinction—that the GDPR in Europe brought to bear is that when a privacy impact assessment is conducted, when an organization has a data protection officer, which they must, their focus under the GDPR is the risk to the individual whose information is being collected, used, etc. It's not the risk to the organization. In my experience, that is all too often how Canadian organizations look at it.

First of all, if they have a preliminary PIA—because we're busy; we're a large organization—the few people who actually understand it are too busy to do a PIA for everybody, so they ship it back to the department and say, “Here, you do a preliminary PIA, and you tell me if you think we need to do a PIA.” They don't know what they're looking at, so of course it's easy to say, “Nah, it doesn't affect personal information, so we don't need a PIA.” That's where it ends. That's a flawed system.

When they do do a PIA, some of them are just so cursory. It talks about the benefits of a product or a new system or something, but it doesn't talk about the risk to the individual. It's as if their role is to protect the risk of the organization. That has to change.

No.

No.

That there be transparency in the procurement process is certainly a very good idea. It's necessary, actually. On whether the name of a particular vendor should become public, I would go back to the general standard: There should be transparency as a rule, except if methods would become ineffective through transparency.