Evidence of meeting #119 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was aluminum.
A recording is available from Parliament.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
To the best of my knowledge, yes.
Brian Masse NDP Windsor West, ON
Thank you, Mr. Chair.
The only thing I would like to know.... Our amendment, NDP-3, is identical to the Privacy Commissioner's amendment. I'm an anglophone, so I will defer to my francophone friends to decide. To me, the question is which is the better one of the two. The Conservative Party has never led me astray.
NDP
Brian Masse NDP Windsor West, ON
As long as we hear from others that their amendment is good, I'm comfortable with that. I want to make sure, again, that it's the right one of the two. I'll support CPC-2 if that's what I hear from my francophone friends.
Liberal
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
I come from Winnipeg, but I'm not a Franco-Manitoban. I think amendments NDP-3 and CPC-2 mean the same thing.
Liberal
The Chair Liberal Joël Lightbound
There's only a one-word difference between amendments NDP-3 and CPC-2. They mean the same thing.
Mr. Garon, go ahead.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
I was going to say the same thing. There's only a one-word difference.
Amendment CPC-2 states, “afin qu’un”, but amendment NDP-3 reads “de sorte qu'un”. This reveals the full richness of the French language, but they say the same thing.
Liberal
The Chair Liberal Joël Lightbound
And with those wise words, do I have the unanimous consent of the committee to adopt amendment CPC-2?
Conservative
Liberal
The Chair Liberal Joël Lightbound
A recorded vote is requested.
(Amendment agreed to: yeas 11; nays 0 [See Minutes of Proceedings])
Thank you.
If the government leaves some imperfections in its bills, it's to test the opposition members. You've successfully passed the test. Congratulations.
Liberal
The Chair Liberal Joël Lightbound
It was a test.
NDP-3, then, is not movable, which brings us to CPC-3, moved by Mr. Perkins.
I'll yield the floor to you.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
Thank you, Mr. Chair.
This one's not a test, I don't think.
Throughout the bill, the term “lawful authority” appears. Now, we're in the early stages of the bill, and we found that our concern was that nowhere in the definition section of the bill does it actually define what “lawful authority” means. Without even providing that term, I think it provides a bit of ambiguity in there.
For instance, proposed section 44 of Bill C-27 allows an organization to share “an individual's personal information” with a government institution upon request “for the purpose of enforcing federal or provincial law”. The language of proposed section 44 is taken from PIPEDA, as I understand it, and it is problematic, given that it outlines few privacy safeguards that have been afforded to individuals in the past with Supreme Court decisions like the 2014 R. v. Spencer case. I'm sure everyone on the committee is familiar with that—I know that some of the witnesses are—but I'll just go over a summary of it.
R. v. Spencer, in 2014, according to Wikipedia, “is a landmark decision of the Supreme Court of Canada on informational privacy. The Court unanimously held that internet users were entitled to a reasonable expectation of privacy in subscriber information held by Internet service providers. And as such, police attempts to access such data could be subject to section 8 of the Charter of Rights and Freedoms. At issue was whether the police could request subscriber information associated with an IP address from an Internet service provider without prior judicial authorisation, who could then voluntarily provide it. The Supreme Court ruled that the request for internet subscriber information infringed on the Charter's guarantee against unreasonable search and seizure.”
Law enforcement, with some exceptions, in my view—in our view—generally should be required to produce a court order when asking for somebody's personal information: a bank account, personal messages, health information and that kind of thing.
The ambiguity with respect to the meaning of “lawful authority” that existed in PIPEDA with regard to disclosures to law enforcement remains in the CPPA and will likely result in continued disclosures of personal information without consent by organizations to police and to other law enforcement agencies in the absence of a court order.
Given this issue, the Privacy Commissioner recommended that the definition of “lawful authority” for purposes of sections like proposed section 44 in this bill be amended to clarify that individuals should still enjoy a reasonable expectation of privacy.
In the Privacy Commissioner's submission on Bill C-11 in May 2021, the Privacy Commissioner said:
Beyond transparency, clarity is also required with respect to the impact of the 2014 R v. Spencer decision with respect to when the state can obtain personal information via warrantless access. When Bill S-4 was before Parliament, the OPC recommended that:
a legal framework, based on the Spencer decision, is needed to provide clarity and guidance to help organizations comply with PIPEDA and ensure that state authorities respect the Supreme Court of Canada's decision. Such a framework would provide Canadians with greater transparency about private sector disclosures of their personal information to state agencies.
The Privacy Commissioner went on to state:
The ambiguity with respect to the meaning of “lawful authority” that existed in PIPEDA remains in the CPPA, as evidenced by companies' continued disclosures of personal information without consent to police and other law enforcement agencies absent a court order.
As such, we reiterate and update for Bill C-11—
At the time, that's what he was dealing with.
—a recommendation previously made in our 2015 submission to Parliament on Bill S-4, that a clarifying provision be introduced that defines lawful authority for the purposes of section 44. This provision would make clear that discretionary disclosures to law enforcement following a request should be permissible only where there are exigent circumstances, pursuant to a reasonable law other than section 44 of the CPPA, or in prescribed circumstances where personal information would not attract a reasonable expectation of privacy.
Recommendation 19: That a definition clarifying the meaning of “lawful authority” for the purposes of section 44 be introduced.
It wasn't. In his submission for this bill, on April 26, 2023, the Privacy Commissioner again proposed recommendation 19: “That a definition clarifying the meaning of 'lawful authority' for the purposes of section 44 be introduced” in this bill.
This amendment follows on the recommendations of the Privacy Commissioner on numerous occasions to “make clear that discretionary disclosures to law enforcement...should be permissible only where there are exigent circumstances, pursuant to a reasonable law other than section 44 of the CPPA, or in prescribed circumstances where personal information would not attract a reasonable expectation of privacy.”
That's by way of introduction. I haven't read the actual amendment, which is fairly short, but I know the witnesses have read it.
Do you agree with the Privacy Commissioner that this needs to be added to this bill, that we need to add a definition in the definitions section for “lawful authority”, which is a term used frequently throughout this legislation?
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
I want to thank the member for that question.
I think our abiding consideration would be that we note and acknowledge the import of R. v. Spencer as a fundamental precept that needs to be understood as it relates to the ongoing interpretation and implementation of the CPPA, in much the same way as it has shaped the implementation of PIPEDA. In that regard, I think this helpful construct, as it relates to the relationship between the CPPA and law enforcement, is a potentially useful area to ensure is well understood.
Our abiding view would be that it should conform to the legal test set out in Spencer.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
In short, you're saying we don't need to define this in the definitions section of the bill. What's there and in jurisprudence is all we need.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
No, I think jurisprudence is helpful. I would suggest that, if there is to be a legal definition of “lawful authority” added, it must conform to the legal test set out in Spencer.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
You are agreeing, then, that adding this would add clarity consistent with R. v. Spencer and would ensure there is no confusion about the meaning of “lawful authority” within the CPPA—something the Privacy Commissioner has been seeking for a decade.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
I would defer to Ms. Angus to ensure the legal test established in Spencer is articulated.
Runa Angus Senior Director, Strategy and Innovation Policy Sector, Department of Industry
Thank you.
On this, I would say that what the Privacy Commissioner has called for is the Spencer test being put into the law.
When I look at the paragraph you quoted on that, I see three criteria: the criterion of “exigent circumstances”, the criterion of “a reasonable law” and the criterion of “prescribed circumstances”, which are the three criteria in the Spencer decision. What I want to make clear is that these are three separate criteria, so they are either-or. It can be exigent circumstances, or reasonable law, or prescribed circumstances. Actually, the Spencer decision doesn't refer to them as “prescribed circumstances” but rather as “the common law authority” that police have, which is in paragraph 71 of R. v. Spencer.
Those are the three criteria set out in R. v. Spencer. To the extent it should be defined, that is the definition currently used by law enforcement and organizations when they disclose pursuant to PIPEDA.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
Can you repeat those three criteria to make sure I understand? I'm looking to make sure they're covered in the amendment.
Senior Director, Strategy and Innovation Policy Sector, Department of Industry
They are exigent circumstances, a reasonable law other than section 44, and common-law authority that police have. Those are the three circumstances that are set out in Spencer. Again, they are not cumulative. They are separate; it's either-or. Either there are exigent circumstances or there's a reasonable law or there is common-law authority whereby personal information that does not attract a reasonable expectation of privacy can be disclosed.
Those are the exact words in paragraph 71 of R. v. Spencer, which the Privacy Commissioner referred to.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
What I'm trying to get at here is that there's clearly a gap in the law, which you're trying to get at by using the term “lawful authority” throughout this version of the new privacy act that's being proposed in CPPA. We've seen how, with the weak wording that was in PIPEDA, which is carried forward here, businesses and organizations often provide information to law enforcement agencies or the agencies that are going after it on fishing expeditions when they don't really have the interest of the privacy of the individual in mind.
When a government organization or a law authority asks a business or an organization for access to something, they clearly, sometimes, without going through the hoops of consulting with all of their inside and outside corporate lawyers, give out access to personal information and data that hurts an individual's privacy.
There was recently a Supreme Court ruling on the issue of IP addresses. That was done in just the last few months, so clearly there's an issue with the current wording of PIPEDA, which this carries forward, which is inadequate to protect the privacy of an individual against the overreach of a law enforcement agency or government that is going after information, however legitimate they may think it is in the particular circumstance. Under law enforcement, you can pretty much justify most intrusions into personal privacy. Certainly, having the speed of this and not having to be burdened with going and getting a warrant or some sort of judicial authority to do this makes life a lot easier for those authorities, but that doesn't make it easier to protect an individual's privacy.
Without this type of further definition in the bill, we're going to continue to end up with these cases of people, with or without their knowledge, having their data shared with these agencies, and then having to fight, after the fact, through the Supreme Court, to try to put the toothpaste back in the tube, to say this was something that should not have happened.
Now, I'm not a lawyer, as I often say here, but this just strikes me as unfair when we have the opportunity right now, in creating a new privacy law, to actually listen to the Privacy Commissioner, who's been dealing with this for quite some time, for at least a decade, and asking for Parliament to put in a simple definition, which can be lifted straight from the presentation of the Privacy Commissioner.
Again, as MP Masse said last time, I trust the Privacy Commissioner on these issues and I have not yet been convinced that putting this in will somehow diminish the bill or harm somebody's privacy. In fact, I think it enhances an individual's privacy.
Does putting this in enhance somebody's privacy, or does it diminish it?
