Public Safety Committee on Feb. 12th, 2024

I'm not suggesting that we would have oversight under this legislation. I'm suggesting that we be given the necessary information so that we can fulfill our mandate under privacy legislation with respect to public sector and private sector privacy information.

One of the recommendations I've made is that privacy impact assessments be mandatory and that I be consulted on those so that we can provide insight and advice to departments, because when that happens at the front end, these issues can be corrected and addressed before they become issues that can impact Canadians' trust.

It's not so much the fact that my office would be the regulator; in many instances we wouldn't be.

I'll give the example of former Bill C-11, which falls under the CRTC. The CRTC has jurisdiction, but we can provide input, and the bill recognizes privacy as a consideration.

All right.

What we examine are activities that impact privacy. Our mandate does not extend to security issues that do not relate to privacy. We aren't looking to broaden our mandate.

According to Treasury Board policy, departments are supposed to consult our office when activities or projects could impact the privacy of Canadians. That doesn't always happen. It's a policy, not a legal requirement. We are recommending that the requirement be set out in the Privacy Act.

In some cases, we've worked with the National Security and Intelligence Review Agency to examine departments' practices and the transfer of information as it relates to privacy. In that situation, security and privacy did overlap.

In co-operation with our colleagues at Competition Bureau Canada and the Canadian Radio-television and Telecommunications Commission, we established the Canadian Digital Regulators Forum. We realized that there was some overlap, or a grey area, in many sectors. Some activities bring together competition, privacy and broadcasting considerations. The idea is to coordinate our efforts to avoid contradictory approaches.

If the activity could potentially impact privacy, we recommend that our office be informed. Not only would that be beneficial, but it would also give Canadians some reassurance.

That's exactly right. If it's in the legislation, it becomes a legal requirement, and departments have no choice.

One way would be to build in the test stipulating that the activity be necessary and proportionate. The second one is missing. The necessity component is covered in the act. For example, certain provisions stipulate that, if the minister is of the view that it is necessary to do something, the minister has the power to do so. Other provisions refer to relevance.

The principle of proportionality is important. The necessity test is important and helps to meet the objective. Ensuring proportionality, however, means really checking whether the method is the least privacy-invasive. It's similar to the assessment carried out under the charter, in terms of achieving that balance.

This would cover the principles of necessity and proportionality, which are central to the protection of privacy. That's the case in the international community and in countries such as Australia, the U.S. and Great Britain. They have clearer rules around taking privacy into account and examining other options.

The idea isn't to prevent the minister from doing their job—absolutely not. As I said, I strongly support the objectives of the bill, but it's important to build in that requirement, especially when people's privacy is at stake.

I think all the recommendations I covered in my opening remarks help to reassure Canadians, as well as small and medium-sized businesses. The institutions are there to help them. The responsibility is not being put wholly on individuals or small and medium-sized businesses.

Take privacy impact assessments. If the process is mandatory and my office is consulted, it would give people reassurance. They would realize that there is some oversight, that the commissioner is aware, that the commissioner can make recommendations and, if necessary, that the commissioner can file complaints or make recommendations.

It's about transparency, in other words—

As it stands, Bill C-26 does not include a requirement to conduct privacy impact assessments. The Treasury Board does, however, have a policy with such a requirement. We consult with departments regularly. We have a government advisory directorate, and we provide advice to departments.

In some cases, the assessments are done after the fact, once the tool has already been used. In fact, I recently appeared before the Standing Committee on Access to Information, Privacy and Ethics on the subject.

It undermines trust when Canadians find out that the government is using a tool or developing a program without conducting a privacy impact assessment first. That's why privacy impact assessments should be conducted at the outset.

In addition, people should know that our office has been consulted. That way, when the information becomes public, they know that we were consulted, that discussions were held and that advice was given.

That is what I'd like to see in Bill C-26, given the potential impact of those powers.

It is actually permitted to share information outside the country, provided that it's done in accordance with lawful agreements and specific conditions. Under the European model, for example, laws and mechanisms have to be equivalent to what exists in Europe. In Canada, the law requires that it be equivalent to what exists here, where the sharing of information may potentially be contract-based.

That's why we recommend that the legislation include a requirement to specify retention practices and safeguards, as well as apply the necessity and proportionality test, before data are shared with organizations in other countries. The goal is to prevent the data from being vulnerable to a cyber-attack.

Mr. Chair, we were engaged by Public Safety on the bill itself. In terms of consultations with other stakeholders, I'd defer to them to respond to those questions.

Should the bill come to pass, we would obviously look forward to engaging with Public Safety in the development of the regulations. We expect, as part of this process, that the banking sector would have an opportunity to engage.

In terms of the frequency and severity of cyber-incidents, I can share a bit of information on that because we have a reporting protocol that financial institutions are expected to comply with. They alert us within 24 hours if a technology incident or cyber-incident occurs.

We have seen an increase when it comes to cybersecurity incidents. In 2022, I believe we had 10 of what we call priority one incidents, but we saw a significant increase in these in 2023. I think the number almost tripled to about 28 in 2023. Basically, moving from 2022 to 2023, we had a number of more impactful incidents. This represents a significant growth from our perspective as a prudential regulator.

The breadth of the collection and sharing powers means that the list of hypotheticals with respect to critical infrastructure providers, as well as telecommunications providers, could be quite long.

I'll provide one hypothetical example: There is the potential that the minister could compel telecommunications providers to furnish subscriber information with respect to individuals using telecommunications networks anonymously in circumstances that have been the subject of the Supreme Court of Canada's guidance around the importance of protecting the privacy interests of that type of information. In terms of this legislation, there would be no apparent restriction in preventing that information from being shared with other government agencies identified in the bill and from potentially repurposing that information for other aspects of their mandate, such as providing assistance with federal law enforcement.