Evidence of meeting #79 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cbsa.
A recording is available from Parliament.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
I have a quick question, and then I'm going to pass the rest of the time to Mr. Motz.
One of the agencies that the data is going to be shared with is the Canada Revenue Agency. In terms of the purpose of this bill—protection and public security—what role do you see the CRA having in this capacity, having access to this data?
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
I'm sorry, but I'm not an expert on the CRA's functions. I assume it has to do with keeping a watch on individuals who are not complying with Canada's tax laws, but I'm kind of at sea about this. I just pay my taxes.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
That's not public safety or national security. Okay. I'm sorry.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Thank you.
Professor, I was very pleased to hear your comments on the analytical capacity or the lack thereof and the need for it in government. I think my colleague across the way would agree with me, based on his background as well as mine, that it's absolutely critical. It's emerging that the most critical component in the public safety, law enforcement, and anti-terrorism environment in which we live in our world is the analytical capacity to review and track individuals. I thank you for that. I think it's something that CBSA will work with government to increase.
You indicated that part of your concern was with the appropriate retention schedules. That's complex. There need to be some guidelines with regard to those, along with some flexibilities. I guess I'm left to wonder about this, given my background. When data is redacted, is gone, or we lose it to a retention schedule, it's amazing how many times we require that data and we no longer have it. I'm thinking of the recent example from Edmonton. If that data had been lost some way, how would we know and how could we track some of the concerns we have regarding public safety and terrorism, which is what Bill C-21 is supposed to do?
I know some balance needs to be struck and I know there are some groups that would have us be more concerned about retention and say we should destroy everything within years. You indicated that there are some streams, and that, depending on the purpose, we need to have different retention schedules. Can you explain that so it's a bit clearer and so we get it right?
October 24th, 2017 / 9:35 a.m.
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
I'll do my best on this. Again, I don't feel I have any kind of perfect or solid answer for the committee on this, but I think the approach is to stream it according to the different objectives of Bill C-21 in terms of the concerns that it's meant to deal with, and to keep in mind as well that Bill C-21 information, entry-exit information, is going to be only a small piece to a larger informational puzzle that you might need to apply to particular cases. It's never going to be stand-alone information.
In that sense, although I understand your concern that once you delete data from a database it's gone forever, I think there are a couple of things to be said about that. One is that there's probably another source from which that data could ultimately be acquired if you really needed it after a period of time that was covered by the retention schedule.
Second, and importantly, we have to understand that the more that an agency like CBSA is flooded with information, just as a general proposition, the less able it's going to be to actually winnow that information and find what it really needs to find in it. My concern is with the way we can—
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
That's okay.
NDP
The Vice-Chair NDP Matthew Dubé
I was trying to let you finish the thought there. It's an important one.
Mr. Fragiskatos, go ahead, please.
Liberal
Peter Fragiskatos Liberal London North Centre, ON
Mr. Chair, I will be splitting my time with my colleague Ms. Damoff.
I want to go back, if I can, to the question about information about citizens being collected and the need to lock it down. Criminal groups could access it—hackers or foreign governments. It's back to that point again.
Our Five Eyes allies have similar legislation on the books. Canada is the only country, as even you have emphasized in the media, that does not have this sort of legislation in place. Are there examples you could point to, safeguards those countries have put in place, to address the fear you've highlighted?
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
I think it would be hard to find examples of purely successful data retention.
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
I think everybody is working according to the same best practices in terms of secure data storage and surrounding it with privacy protections. That would certainly be true for all of our Five Eyes partners, but really the challenge grows exponentially with the more information you have that you're trying to secure.
To come back to Bill C-21 information, particularly about Canadian citizens, it is basic biographical information, so to that extent, it's mostly publicly available information. It's probably important not to exaggerate our concerns about locking it down in specific terms, but there should be more concern with the principle, which is that any database needs to be protected.
There is passport information and, with regard to air exit, some more specific information that could be of value. There's the general principle that anything that comes into the federal government needs to be treated as data to be secured, and the question of whether CBSA can do that effectively given the vast volumes. The specific harms that might flow from hacking into this database are hard to measure, generally because those kinds of hacking attempts aren't specifically targeted at, say, this pool of data, but are used to gain entry into other pools of data. That's really how the most sophisticated hacking works.
Liberal
Peter Fragiskatos Liberal London North Centre, ON
Thank you very much.
I'll turn it over to my colleague.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
Thank you very much.
Thank you, Professor Wark.
I understand that Statistics Canada already publishes entry information for people coming into Canada, as well as their country of origin, so in terms of annual reporting, would it make sense to just have StatsCan add the exit information to their annual report, as opposed to producing a brand new report? If so, do you think it would make sense to make the amendment here, or in Bill C-59?
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
Thank you, Ms. Damoff.
I am not completely aware of what Statistics Canada does with this information or how regularly it reports it. I still think there would be value in putting a requirement into Bill C-21 legislation for an annual public report, without specifying exactly what should go into that. I think a statistical component would be important, partly just to demonstrate that CBSA is completely confident of its ability to acquire these statistics and to demonstrate them themselves. That would just be a basic test that they would be under.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
I have another quick question.
Do you see any value in adding to this bill a clause that would require a review of the legislation after a certain number of years?
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
Ms. Damoff, I actually thought about that. It's very much up to members of Parliament to decide on that.
I suppose my personal view, for what it's worth, is that Parliament has a lot of onerous duties around reviewing bills on a schedule. If there had to be a trade-off to building in a scheduled review of this act as opposed to Bill C-59, for example, I would rather see it in something more significant, like Bill C-59, than this one.
It's a fairly limited bill in some respects, and if there is that parliamentary reporting requirement, I think that would go a long way to meeting any concerns and would not necessitate a review. If the public reporting suggested there were major problems with the initiative, then presumably Parliament could take some action.
Liberal
The Chair Liberal John McKay
Thank you, Ms. Damoff.
Thank you, Professor Wark. It's always good to receive the wisdom of seniors.
Liberal
The Chair Liberal John McKay
We will bring this committee back to order.
We have two witnesses for our next hour. From the American Civil Liberties Union, we have Esha Bhandari.
I'm hoping you can hear and see me. After you hear and see me, it really improves.
Solomon Wong is an executive board member from the Canadian/American Border Trade Alliance.
Given the vagaries of technology and the importance of what you want to say, my suggestion, Ms. Bhandari, would be that you go first for your presentation.
Esha Bhandari Staff Attorney, Speech, Privacy, and Technology Project, American Civil Liberties Union
Thank you very much for having me.
I am Esha Bhandari. I'm a staff attorney with the American Civil Liberties Union, and I'm based in New York. I previously testified before the Canadian House of Commons committee on Access to Information, Privacy and Ethics on June 15, 2017, when I addressed two issues affecting Canadians' privacy rights in the United States' border searches of electronic devices and changes to Privacy Act protections covering the data of non-U.S. citizens held by the U.S. government. I will cover those two topics and also mention additional developments that have been happening in the last few months that I think are relevant to this committee.
On searches of electronic devices at the U.S. border, there is currently a regime of suspicionless searches. This means that the U.S. government claims the authority to search the electronic devices, including smartphones and laptops, of any traveller presenting themselves at the border, whether it's an airport or land, without any individualized suspicions and no requirement of a warrant or probable cause. This can include manual searches on the spot of the data and content on the devices, or it can include seizing devices and running them through what's called a forensic search, which is essentially a computer strip search where the government can access all files, including metadata and deleted files. In these circumstances, the traveller would be deprived of their device for days or maybe weeks.
This practice is currently the subject of litigation. It has been challenged by the American Civil Liberties Union, and the legal landscape is currently unclear. There are currently also pushes for greater transparency, meaning that the advocacy community in the United States, civil rights and civil liberties groups, are asking the government to release more information on whose data is being searched, what the nationalities of the people being searched are, and what the reasons for the searches are. At the moment, we only have aggregate data, and we know that, based on that aggregate data, the number of searches is increasing. In fiscal year 2016 there were about 19,000 device searches compared to about 8,500 in 2015. Again, we don't know why these numbers are increasing.
Turning to privacy protections, this is a separate issue not relating to travellers presenting themselves at the border per se, although it affects all data held by the U.S. government that would pertain to Canadians who are not citizens of the U.S. or are not green card holders or lawful permanent residents.
In January 2017, the administration issued an executive order stating that the Privacy Act protections would be stripped from all non-U.S. citizens and green card holders, meaning that all information held in U.S. government databases or systems of records would no longer be subject to the statutory protections that include protections on accessing the information that is held on you, correcting that information, and restricting the dissemination of that information beyond current enumerated exceptions.
Under the Privacy Act, for example, U.S. citizens have protections against their data being shared non-consensually. While there are exceptions for sharing data for law enforcement purposes and other enumerated exceptions, for the most part, individuals have to consent to their data being shared. Now with the new policy that says these protections will not be given to non-citizens, the only backstop is what are now known as privacy principles, and these fair information practice principles will be applied to the data of non-citizens and non-green card holders. While these are based on information privacy principles that have been the basis of many other worldwide privacy regimes, including the OECD privacy principles, nonetheless they do not provide the same protections as the Privacy Act. At this point in time, it seems fairly clear that non-citizens who have data of theirs held by the U.S. government do not have rights under the Privacy Act or any other statutory regimes to correct information that is held on them.
They may be able to use the Freedom of Information Act to request the information that is held on them by the U.S. government. That would be subject to any exemptions that the government could invoke to withhold information. Even if Canadians, for example, were able to get their information through a Freedom of Information Act request, there's now no right to correct that information, and there's no statutory right to limit the dissemination of that information for any reason that the government sees fit.
Those are the two main areas that I addressed in my previous testimony, and I will simply add that there is also currently an ongoing debate regarding retention of information on social media handles or social media activities of visitors to the United States. The government issued a notice on September 18, 2017, which made clear that it is retaining certain social media information that people provide in the course of applying for immigration benefits, which would include potentially information that visitors to the U.S. provide at the border. This information is being retained, and as of now it's unclear what the scope of that information being gathered is and how long it's being retained and for what purposes.
We do know that the default retention for this kind of information collected from visitors or others who are seeking immigration benefits in the U.S. is 75 years. As far as we can tell, there is currently a collection of the type of information on social media activity that's being done and being retained. The American Civil Liberties Union and other civil rights and civil liberties groups have been writing comments to the government highlighting the concerns that this poses for human rights and particularly for freedom of expression and freedom of association if travellers and visitors to the United States are fearful that they will be asked questions about their special media activity, and that the answers will be retained for a long period of time and potentially subject to being shared with other government agencies.
Thank you very much.
