Evidence of meeting #32 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was rcmp.
A video is available from Parliament.
12:20 p.m.
Conservative
12:20 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Thank you very much, Mr. Chair.
Good afternoon, Ms. Polsky, and welcome to the committee. We are very pleased to see you today.
We've been discussing privacy and trust from the start. We want to establish and maintain trust.
Many fellow citizens in my riding tell me they have nothing to hide and therefore wonder why we have to address these issues. I'm not sure people understand the intrusive nature of spyware, for example.
Would you be able to explain to us what our fellow citizens are dealing with so we can explain it to them?
12:20 p.m.
President, Privacy and Access Council of Canada
Well, they're saying, “I don't have anything to hide”, but people have said that to me and I've said, “Show me your bank statement” and they get weirded out by it. People do have things to hide, but it's more a matter of the idea that when I wish to share a particular bit of information about me, I should have a choice.
For those who want to display their life online, the minutiae of their lives, that's their choice, but, to paraphrase Senator Simons, governments aren't always benevolent. I look to Hungary and Poland, but to Hungary in particular, which has changed in recent years to become rather authoritarian. Its data protection authority, which you would expect to have a role similar to that of our Privacy Commissioner, has ruled that the use of Pegasus against the country's journalists does not violate the law because there is a national security component.
Things that are okay today can be changed on a whim these days, used against you and taken out of context. That's nothing new; that's gone on from time immemorial, but we need to have the choice. Having our information or information about us gathered, taken, assembled, assessed and analyzed by someone we don't know, we've never met and we've never given permission to—what are they going to do with it?—means we're looking at McCarthy hearings again. It's frightening.
I've been around a long time and there's not a lot that scares me. What's going on now is frightening, and that's what people need to realize. It's not just benevolence.
12:25 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Do we need to have a public debate on privacy or awareness programs so people are in a better position to understand what they're dealing with?
12:25 p.m.
President, Privacy and Access Council of Canada
Oh, that would be wonderful. Desktop computers have been around for almost a half a century, and as far as I'm aware, there really isn't any substantive education yet, whether for schoolchildren in the youngest grades or even people in university. They're taught to code perhaps, but not everybody needs to code, and knowing how to code doesn't mean you understand privacy—what privacy is, how it can be undermined and how to protect yourself from clicking on the wrong thing and endangering your device, your enterprise and perhaps, in your case, the nation because of national security.
I have spoken with a variety of members of the bench from across the country over the years, and one after the other has said, “I don't know what this privacy stuff is. I'm at this conference to learn it, even though I'm adjudicating matters that are sensitive as to privacy.” There has not been enough education, and there needs to be a dedicated mandatory education component embedded as a pan-Canadian strategy, if you will, so that the provinces and territories can have the encouragement to embed this as a mandatory part of the curriculum, starting at the youngest grades.
12:25 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
For the moment, shouldn't we impose a moratorium on the use of these technologies until we can understand them better and, in our case, can explain them and legislate more clearly?
12:25 p.m.
President, Privacy and Access Council of Canada
Well, it would be lovely, but we've seen moratoria declared on facial recognition in the past few years by various cities, states and countries, and now they are sliding back to saying that maybe it would be a better thing if they had it. That's a temporary measure. I think it's more important to get to the source of the problem, which is the faulty software that provides the opportunity for spyware, ransomware and other malware to be effective.
12:25 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Mr. Therrien, I'd briefly like to go back to a point you raised. The right to privacy is addressed in many bills and has been subject to numerous revisions in statutes concerning the private and public sectors.
Wouldn't it be a good idea to create a single statute? I realize that would be complicated, but it might help correct existing deficiencies in the statutes in question.
12:25 p.m.
Lawyer, As an Individual
That's the case in certain countries. Since data travels, as it were, between the private and public sectors, that would be a good idea.
However, I would add that we waited 40 years for amendments to the Privacy Act for the public sector and 20 years for amendments to the act concerning the private sector. The risk involved in combining it all in a single act in Canada today is that it might delay passage of the act respecting the private sector, which is currently before Parliament.
In principle, the public and private sectors should be regulated in a similar manner. The contexts are somewhat different, but the statutes should be based on similar, if not identical, principles.
12:25 p.m.
Conservative
12:25 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you very much.
Mr. Therrien, I'm sure you would note that the President of the Treasury Board is responsible for establishing policies and prescribing forms regarding the operation of the Privacy Act in the public sector. We know that they've had this mandate for quite some time.
Given your time as Privacy Commissioner, could you comment on the rate at which ministries and agencies under the Privacy Act have proactively presented policies and measures for outcomes and accountability within their departmental plans in reporting back to public accounts or to your office? Did you feel they kept pace with technology as it is today?
12:25 p.m.
Lawyer, As an Individual
That's an excellent question.
I would say that during my term, Treasury Board, as a matter of priority, because of limited resources probably, spent more time on access to information questions than privacy questions. They were not absent from the privacy landscape, but they certainly gave priority to access to information. There was an access to information bill presented, etc.
The long and short of it is that there was not an absence of activity, but there was not a whole lot of activity.
12:30 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Is it safe to say that even though in spirit the policy of the Treasury Board was directing all agencies to enact enhanced protections under the Privacy Act, it didn't necessarily result in proactive new policies that are in keeping with the pace of technology today?
12:30 p.m.
Lawyer, As an Individual
Yes, although I will say that in the recent year or so, there have been interesting developments—a policy on artificial intelligence, for instance—but over my term, there was not a whole lot of activity. There has been more progress recently.
12:30 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
In the time of your term, how much of that activity in proactive improvement, in self-reflection and auditing, came from law enforcement and public security agencies, with specificity around the RCMP? Was the RCMP leading the way in improving their processes around privacy?
12:30 p.m.
Lawyer, As an Individual
No. If we look at facial recognition and the creation of what they call NTOP, it was at our request. It was not proactive on their part.
12:30 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Sure. Is it also safe to say that in some of your dealings—I hope we can be candid here—they maybe weren't always forthcoming with the information as necessary for you to be able to fulfill the duties of your work in a timely manner?
12:30 p.m.
Lawyer, As an Individual
I think they functioned within the law as it is.
12:30 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
That is an important distinction, because what's before us today isn't necessarily a positioning of the RCMP as being rogue or going outside the confines of the law, but it's the gaps, I would argue. In fact, Deputy Commissioner Larkin in his testimony suggested there were gaps in legislation.
Would you also then agree that even though what is currently legal, and I think we've established is quite outdated, it might not necessarily be ethical, given the way in which technology has outpaced legislation?
12:30 p.m.
Lawyer, As an Individual
Whether it's ethical or not, there are certainly improvements that are possible, given the intrusiveness of the technology, beyond part VI of the Criminal Code. Yes.
12:30 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
I think there would be a long debate on the ethics of it, but I would put to the committee that if we have technology that goes beyond the spirit of existing legislation, and is known to be such, then in some instances, whether it's the stingray or operation Wide Awake, which was the social media surveillance, or others, if they're not proactively disclosing these things, then it doesn't give legislators the opportunity to keep up with it. I think that's the spirit of what's before us here today.
I referenced the European Convention on Human Rights, which established transparency, accountability, privacy by design and data protection impact assessments . That's a relatively modern piece of legislation. In your mind, how does Canada compare with that?
12:30 p.m.
Lawyer, As an Individual
We by and large have policies, not always respected, that have a similar spirit, but they're not legal requirements. I think it would be extremely helpful to change these policy rules into laws so that the likelihood that they would actually be implemented would increase significantly.
