Public Safety Committee on Oct. 5th, 2017

As Canadians, we don't get to dictate U.S. policy, so when Canadians appear or anyone appears at a U.S. border, they have to accept U.S. law. Certainly my advice to the U.S. government would be the same as I've given this committee, which is you collect information, you use it for the purpose for which it was collected, and when it's no longer necessary or relevant, you safely dispose of that information.

In terms of the impact on Canadians, I think it's important to realize that the data flow from Canada to the United States is occurring as people have already left the United States. While I share the concerns on issues such as profiling, the reality is the trigger for Canada to send this record to the United States is someone leaving the United States and entering Canada and not the other way around, so it's difficult to understand how that, again, would have a significant impact on a traveller. I've just left the United States and come to Canada and now Canada is sending the information that the U.S. presumably already has, other than the fact that I've left.

Again, in terms of information retention, it's difficult to know what the United States will do with that, but again the only information that Canada is really giving them that they don't already have is the date, time, and port of exit. If anything as a Canadian, I'd prefer that the United States knows that I left. That way, the next time I show up requesting entry into their country, they're going to have that record and know that when I said I was staying for a week, I stayed for a week.

I believe that's true. I believe that what's left to be prescribed in regulations is not what kinds of information can be collected, but from where and from whom and then how. It is my understanding that you would have to amend the legislation for different kinds of information.

Canadians and Americans have always had somewhat different privacy cultures. Under the current administration, the current trend has been to diminish privacy protections, particularly for foreign nationals, and Canadians, of course, are foreign nationals in the U.S. What this does is it makes it more incumbent on us....

As my colleague pointed out, we don't get to dictate American policy, but what we do get to do with individual agreements is negotiate our terms. As general privacy protections in the U.S. are under siege and being eroded in a range of ways, it makes it all the more important that in specific agreements we make sure that our Canadian values are addressed in relation to agreements, because when there is no general protection, the terms of the individual agreement is all we have to make sure that we're safe.

We don't do any formal polling. What we do have is a fairly extensive public inquiries program where people call in to us with their civil liberties concerns. Over the last eight months, the number of people calling in with concerns about privacy issues at the border has tripled, which for a small organization is a significant increase.

There is a fundamental difference between Canadians as consumers making an informed choice to share data in exchange for a perceived benefit or convenience, and the state mandating that information they have to give to the state can be shared with other parties with relatively little control by individuals. It's a bit of a different thing.

There's also an increasingly blurred boundary between public and private. We know that the state is interested in using information that's publicly available but not necessarily shared for the purposes that individuals would have expected it to be used by the state. This is something we're concerned about in a more general way.

What we're increasingly seeing—and polling by the Privacy Commissioner of Canada supports this—is that people feel as though they're losing control of their information across all sectors, and in all ways. They're losing control of what the public sector does with it, they're losing control of what the private sector is doing with it, and they're not happy about it. I think there's a real blurring of boundaries. I think people are unhappy in both regards, and I'm not sure that everyone necessarily makes the distinction. They're just feeling that all of their information is going out and they don't know what's going to happen to it.

Less permissive is better than more permissive in our opinion. Things that you mean to have enshrined in legislation should be there.

I'm not sure. I share your question in relation to that.

I would note that under the Security of Canada Information Sharing Act, information sharing was vastly expanded, and the scope of agencies that were identified as having potentially something to do with national security was extremely broad. That's something we criticized in relation to Bill C-51, and it seems reasonable to continue to criticize it here.

I'm not sure I'd use the words “totally protected”, but we can manage those risks. Canada, and particularly the federal government in Canada, has a good process. We have a proven risk assessment methodology. In fact, the Government of Canada process is so good that I often use it with private sector clients.

What it comes down to is the application of what we know. If we correctly architect systems, correctly design systems, perform risk assessments, take seriously the guidance provided for our lead agencies in that space, if we look at, for example, the controls that are suggested by the Communications Security Establishment and ITSG-33, we can build systems that are quite secure and that certainly provide the level of security needed to protect this level of information.

I'm not saying it won't, but I'm not saying it will either.