Evidence of meeting #94 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Philippe Dufresne  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Tolga Yalkin  Assistant Superintendent, Regulatory Response Sector, Office of the Superintendent of Financial Institutions
Kate Robertson  Senior Research Associate, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual
Robert Ghiz  President and Chief Executive Officer, Canadian Telecommunications Association
Angelina Mason  General Counsel and Senior Vice-President, Legal and Risk, Canadian Bankers Association
Andrew Clement  Professor Emeritus, Faculty of Information, University of Toronto, As an Individual
Eric Smith  Senior Vice-President, Canadian Telecommunications Association

4:30 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

I think in your opening testimony you touched on this. I just want to go over it one more time. I think you wish that more came under your purview based on what this legislation is bringing in. Is there anything else you'd like to have oversight on?

February 12th, 2024 / 4:30 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

I'm not suggesting that we would have oversight under this legislation. I'm suggesting that we be given the necessary information so that we can fulfill our mandate under privacy legislation with respect to public sector and private sector privacy information.

One of the recommendations I've made is that privacy impact assessments be mandatory and that I be consulted on those so that we can provide insight and advice to departments, because when that happens at the front end, these issues can be corrected and addressed before they become issues that can impact Canadians' trust.

It's not so much the fact that my office would be the regulator; in many instances we wouldn't be.

I'll give the example of former Bill C-11, which falls under the CRTC. The CRTC has jurisdiction, but we can provide input, and the bill recognizes privacy as a consideration.

4:30 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Thank you.

It's always great to have you at committee.

4:30 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Mr. Gaheer.

We'll have Ms. Michaud next.

Go ahead, please, for six minutes.

4:30 p.m.

Bloc

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

Thank you, Mr. Chair.

Thank you to the witnesses for being with us.

In your opening remarks, Mr. Dufresne, you raised your concerns with respect to privacy. Most of the witnesses we've heard from actually share your concerns.

What you're recommending—that your office be consulted—differs from what most of the other witnesses have proposed. The mandate of the Office of the Privacy Commissioner is to oversee “compliance with the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act”.

You are recommending that, should Bill C-26 be passed, the Department of Public Safety or the minister responsible consult your office.

In the case of other bills, do departments or ministers consult your office on privacy considerations? If so, can you provide an example? It would give us a sense of how things would work.

4:30 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

All right.

What we examine are activities that impact privacy. Our mandate does not extend to security issues that do not relate to privacy. We aren't looking to broaden our mandate.

According to Treasury Board policy, departments are supposed to consult our office when activities or projects could impact the privacy of Canadians. That doesn't always happen. It's a policy, not a legal requirement. We are recommending that the requirement be set out in the Privacy Act.

In some cases, we've worked with the National Security and Intelligence Review Agency to examine departments' practices and the transfer of information as it relates to privacy. In that situation, security and privacy did overlap.

In co-operation with our colleagues at Competition Bureau Canada and the Canadian Radio-television and Telecommunications Commission, we established the Canadian Digital Regulators Forum. We realized that there was some overlap, or a grey area, in many sectors. Some activities bring together competition, privacy and broadcasting considerations. The idea is to coordinate our efforts to avoid contradictory approaches.

If the activity could potentially impact privacy, we recommend that our office be informed. Not only would that be beneficial, but it would also give Canadians some reassurance.

4:35 p.m.

Bloc

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

That part about reassuring people is extremely beneficial.

I gather that, if it's just a recommendation, the department or minister wouldn't necessarily have to consult your office. However, if the bill is amended to incorporate the requirement in the legislation, the minister or department would have to consult your office.

Do I have that right?

4:35 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

That's exactly right. If it's in the legislation, it becomes a legal requirement, and departments have no choice.

4:35 p.m.

Bloc

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

You also mentioned additional oversight mechanisms. It's a fairly important idea that comes up often. Some have raised concerns over giving the minister the power to make orders, because we don't have a clue what that could look like.

It's fine to give the minister powers, but clearly, the House and parliamentarians don't necessarily have control over the whole regulation-making process. The government is really the one in control.

What is a better way to control this and ensure that privacy is protected?

4:35 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

One way would be to build in the test stipulating that the activity be necessary and proportionate. The second one is missing. The necessity component is covered in the act. For example, certain provisions stipulate that, if the minister is of the view that it is necessary to do something, the minister has the power to do so. Other provisions refer to relevance.

The principle of proportionality is important. The necessity test is important and helps to meet the objective. Ensuring proportionality, however, means really checking whether the method is the least privacy-invasive. It's similar to the assessment carried out under the charter, in terms of achieving that balance.

This would cover the principles of necessity and proportionality, which are central to the protection of privacy. That's the case in the international community and in countries such as Australia, the U.S. and Great Britain. They have clearer rules around taking privacy into account and examining other options.

The idea isn't to prevent the minister from doing their job—absolutely not. As I said, I strongly support the objectives of the bill, but it's important to build in that requirement, especially when people's privacy is at stake.

4:35 p.m.

Bloc

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

Thank you.

Are there other recommendations you want to share with the committee? I'm talking about protecting privacy and reassuring the public or businesses and organizations that would have to comply with the legislation if enacted.

Some are concerned that the legislation will mean more work for them, more red tape. The sharing of information is another cause for concern.

4:35 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

I think all the recommendations I covered in my opening remarks help to reassure Canadians, as well as small and medium-sized businesses. The institutions are there to help them. The responsibility is not being put wholly on individuals or small and medium-sized businesses.

Take privacy impact assessments. If the process is mandatory and my office is consulted, it would give people reassurance. They would realize that there is some oversight, that the commissioner is aware, that the commissioner can make recommendations and, if necessary, that the commissioner can file complaints or make recommendations.

It's about transparency, in other words—

4:35 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Ms. Michaud. Your time is up.

Mr. Julian, go ahead, please.

4:35 p.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

Thank you, Mr. Chair.

Thank you, Mr. Dufresne, for your service as law clerk and parliamentary counsel of the House of Commons, as well as your work in your current role as the Privacy Commissioner of Canada.

Thank you to all the witnesses for the information they have shared with the committee.

Commissioner, I have two questions for you.

You mentioned the importance of having Bill C-26 require government organizations to conduct privacy impact assessments.

First, have government or non-government organizations ever consulted your office? The bill was introduced in June 2022, so certainly, there will be an impact.

Second, has an organization consulted your office to learn how to conduct the assessments? What impact will Bill C-26 have?

4:40 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

As it stands, Bill C-26 does not include a requirement to conduct privacy impact assessments. The Treasury Board does, however, have a policy with such a requirement. We consult with departments regularly. We have a government advisory directorate, and we provide advice to departments.

In some cases, the assessments are done after the fact, once the tool has already been used. In fact, I recently appeared before the Standing Committee on Access to Information, Privacy and Ethics on the subject.

It undermines trust when Canadians find out that the government is using a tool or developing a program without conducting a privacy impact assessment first. That's why privacy impact assessments should be conducted at the outset.

In addition, people should know that our office has been consulted. That way, when the information becomes public, they know that we were consulted, that discussions were held and that advice was given.

That is what I'd like to see in Bill C-26, given the potential impact of those powers.

4:40 p.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

Thank you.

I have one last question.

Can you give us some best practices other countries follow to prevent personal information from being shared outside the country?

4:40 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

It is actually permitted to share information outside the country, provided that it's done in accordance with lawful agreements and specific conditions. Under the European model, for example, laws and mechanisms have to be equivalent to what exists in Europe. In Canada, the law requires that it be equivalent to what exists here, where the sharing of information may potentially be contract-based.

That's why we recommend that the legislation include a requirement to specify retention practices and safeguards, as well as apply the necessity and proportionality test, before data are shared with organizations in other countries. The goal is to prevent the data from being vulnerable to a cyber-attack.

4:40 p.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

Thank you.

I'd like to go to you, Mr. Yalkin.

You raised some important issues through OSFI. I have two questions for you.

First off, have you been consulted at all on Bill C-26? Was the banking sector consulted before the legislation was tabled, or afterwards?

Second, how many cyber-attack incidents have we had in the financial institutions covered by OSFI's mandate? How many cyber-attacks were there in 2023? Is that number increasing, decreasing or staying stable?

4:40 p.m.

Assistant Superintendent, Regulatory Response Sector, Office of the Superintendent of Financial Institutions

Tolga Yalkin

Mr. Chair, we were engaged by Public Safety on the bill itself. In terms of consultations with other stakeholders, I'd defer to them to respond to those questions.

Should the bill come to pass, we would obviously look forward to engaging with Public Safety in the development of the regulations. We expect, as part of this process, that the banking sector would have an opportunity to engage.

In terms of the frequency and severity of cyber-incidents, I can share a bit of information on that because we have a reporting protocol that financial institutions are expected to comply with. They alert us within 24 hours if a technology incident or cyber-incident occurs.

We have seen an increase when it comes to cybersecurity incidents. In 2022, I believe we had 10 of what we call priority one incidents, but we saw a significant increase in these in 2023. I think the number almost tripled to about 28 in 2023. Basically, moving from 2022 to 2023, we had a number of more impactful incidents. This represents a significant growth from our perspective as a prudential regulator.

4:40 p.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

I'm going to move on to Ms. Robertson, but can you share with us how priority one is defined for a cyber-attack or a cyber-incident? If you could let the committee know, that would be very helpful. One of my colleagues may follow up on this.

Ms. Robertson, you identified in your paper the importance of having a special advocate. Could you speak a little bit more about the importance of that in the legislation?

4:45 p.m.

Senior Research Associate, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Kate Robertson

Yes, of course.

Special advocates are intended to enhance the fairness of a closed hearing process concerning secret evidence without compromising Canada's ability to safeguard security information. They protect fairness for the party that is excluded from the closed hearing, as well as the public's right to free expression, by ensuring that any secrecy in the court proceedings is necessarily justified.

You can have special advocates either challenging the amount of secrecy that the government is seeking with respect to the evidence, or testing with due diligence and adversarial submissions the sufficiency, weight and appropriateness of the evidence that the government seeks to rely on. There's a very long history in the courts of using special advocates to protect the openness of the courts as well as the fairness of those proceedings.

4:45 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Ms. Robertson.

Thank you, Mr. Julian.

Now we're moving on to the second round.

Mr. Lloyd, you have five minutes, please.

4:45 p.m.

Conservative

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Thank you, Mr. Chair.

I'll go straight into the questions, and I'll start with Ms. Robertson.

We're talking about Canadians' private information and about information sharing. It can all seem a bit abstract. I am wondering if you can provide some examples of what you can imagine. What kind of information are we talking about that we're concerned about being inappropriately shared between agencies?

4:45 p.m.

Senior Research Associate, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Kate Robertson

The breadth of the collection and sharing powers means that the list of hypotheticals with respect to critical infrastructure providers, as well as telecommunications providers, could be quite long.

I'll provide one hypothetical example: There is the potential that the minister could compel telecommunications providers to furnish subscriber information with respect to individuals using telecommunications networks anonymously in circumstances that have been the subject of the Supreme Court of Canada's guidance around the importance of protecting the privacy interests of that type of information. In terms of this legislation, there would be no apparent restriction in preventing that information from being shared with other government agencies identified in the bill and from potentially repurposing that information for other aspects of their mandate, such as providing assistance with federal law enforcement.

4:45 p.m.

Conservative

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Now, I was reading that under this act and the legislative review the minister doesn't even have to make these orders known. They can be confidential. Usually they have to be posted in the Canada Gazette, where everyone can access them and see them. However, the minister can make orders that the information be withheld from the Canada Gazette.

Are you saying that there's a situation where Canadian citizens could have a telecommunications order to provide their private information? The subjects of that might not even know that it's happening and would have no recourse to know that it's happening to them.