Evidence of meeting #34 for Transport, Infrastructure and Communities in the 40th Parliament, 3rd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was privacy.
A recording is available from Parliament.
11:35 a.m.
Liberal
John McCallum Liberal Markham—Unionville, ON
Okay. It's a pretty weak redress system, I think you've just agreed.
Do you think there is a role for the Canadian government, the federal government, to assist Canadians who may get caught up in this system, innocent Canadians? And if so, what could the federal government do to help such people?
11:35 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I believe generally there's a role for the government to assist Canadians who have problems abroad. If, for example, there's a false positive match—any incidents that we've heard of seem to be issues of false positive matches—I would think the Canadian government then could supply additional information, perhaps, to try to clear up the false positive match with the Department of Homeland Security's watch lists.
11:40 a.m.
Liberal
John McCallum Liberal Markham—Unionville, ON
The minister told us that he'd had extensive consultations with you in your office. I'm wondering if in any of these consultations the government gave any thoughts or answers to your concerns as to how they would deal with the concerns that you have raised.
11:40 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Could I perhaps ask Mr. Baggaley to comment on that?
We did consult with the government generally, but I don't believe it had a large margin of manoeuvre.
11:40 a.m.
Carman Baggaley Strategic Policy Advisor, Office of the Privacy Commissioner of Canada
Yes, it was a joint meeting. In April we met with both Public Safety and Transport Canada officials together.
One of the issues that was discussed was whether legislation such as is now before this committee was necessary or whether there were other provisions in PIPEDA that would allow the disclosure. We recommended that for the sake of clarity it would be better to have legislation, as opposed to fitting it under some other exception.
We subsequently wrote the Department of Transport and the Department of Public Safety, in which we made four recommendations, and this was before Bill C-42 was introduced, one of which was to continue to press to limit collection, press to shorten retention periods, to negotiate more robust redress mechanisms, and finally, to limit the use and disclosure of personal information. So we had one meeting and we followed it up with a letter.
11:40 a.m.
Bloc
Michel Guimond Bloc Montmorency—Charlevoix—Haute-Côte-Nord, QC
Ms. Stoddart, thank you for giving us the benefit of your insight into this important bill.
You and the members of your team have probably understood that we have to strike a balance between air safety imperatives and the disclosure of personal information. It's not an easy line to draw. How far can we go? I'm very pleased to see that you have major concerns, particularly with regard to the information that would be provided.
When Minister Toews testified earlier this week—it was on Tuesday, I believe—he talked about information that would be disclosed, such as the person's name, date of birth and gender, but also, if available, other information related to that person's passport and itinerary. Under the U.S. Secure Flight program, there is also the condition introduced by the words "but also".
In the middle of page 4 of your brief, you make the following recommendation: "Ensure that the minimal amount of personal information is disclosed to American authorities..."
Without saying it so directly, you're suggesting that we amend the bill. You're advising us not to stick solely to the three areas. You say: "Ensure that the minimal amount of personal information is disclosed to American authorities—Secure Flight only requires three pieces of information."
On the previous page, you put the emphasis on certain aspects of the Secure Flight program, and you add the words "but also". What do you think the Americans are requiring? What do you recommend?
11:40 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
They require three pieces of information in all cases, but where it is available, they require a set of other information such as passport number, the airline's internal numbers used to monitor the ticket, the passenger and so on. There are seven or eight elements, and we could read them to you.
In my opinion, the confusion stems from the fact that, for virtually all flights, although not all, all pieces of information are required. However, for all flights, they gather the three pieces of information required by the U.S. Department of Homeland Security, that is to say name, date of birth and gender. For example, if I travel on a friend's small personal aircraft to go fishing in Maine, that friend will not have to provide all the other pieces of information because he does not belong to a commercial U.S. airline. He will nevertheless have to state the names, dates of birth and gender of the people who accompany him.
11:45 a.m.
Bloc
Michel Guimond Bloc Montmorency—Charlevoix—Haute-Côte-Nord, QC
All right. So you recommend that we stick solely to the three pieces of information, even in the case of the airlines that have more parameters. Is that correct?
11:45 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I don't believe that's possible. The statement means that the Secure Flight program requires three pieces of information in all cases. When the other information is not available, it is not necessary to provide it.
11:45 a.m.
Bloc
11:45 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
That's correct. This may seem somewhat paradoxical, but in our work we often see institutions or businesses that, out of a desire to please, provide information that is not required. We saw that in the case of the Financial Transactions Reports Analysis Centre of Canada—FINTRAC—in our recent audit.
For the sake of prudence, we suggest, not that this be included in the act, but that, in the event the bill is passed, the government use its regulatory power to describe this in regulations so that it's accessible and well explained to everyone.
11:45 a.m.
Bloc
Michel Guimond Bloc Montmorency—Charlevoix—Haute-Côte-Nord, QC
I asked the minister about how long the information would be kept. We're talking about seven days. In the second point on page 4 of your notes for remarks, you state: "Question the retention periods of seven days [...]" Is this something you're suggesting to us? Do you think seven days is too long a period?
11:45 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes, we find it very long. Given the speed of computers, we would expect a period of a few days, perhaps 48 hours. A period of seven days may mean that they want to use the information to conduct very thorough analyses, which is disturbing when the U.S. government accumulates information on Canadians.
11:45 a.m.
Bloc
Michel Guimond Bloc Montmorency—Charlevoix—Haute-Côte-Nord, QC
I asked the minister what guarantee we had that the Americans would destroy that information after seven days. He answered that the guarantee was that the Americans had told him they would destroy it. What happens if they don't do it?
11:45 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
If they don't destroy it—
11:45 a.m.
Bloc
11:45 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
No one will know. That's somewhat the problem with all the states that take action in fields that are not subject to standards of general inspection, if there isn't a UN committee that, in future, will look at what's in the data bases of all the world's governments. And yet, that's what we do for the development of atomic weapons. However, as the minister said, we have to believe them.
11:45 a.m.
Conservative
11:45 a.m.
NDP
Dennis Bevington NDP Western Arctic, NT
Thank you, Mr. Chair.
Thank you, Madam Stoddart, for joining us today.
We just received this document, which is the proposed regulatory framework for the information required. This came from the minister's office, and it clearly says that information from the passenger name record of the airlines will be included in the information required by foreign states. The passenger name record is slightly different from the three requirements. Would you not agree?
11:45 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes.
11:45 a.m.
NDP
Dennis Bevington NDP Western Arctic, NT
That includes things like visa number, a whole mass of information--is that not correct?
11:45 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
It does. I believe there are about 25 elements.
11:45 a.m.
NDP
Dennis Bevington NDP Western Arctic, NT
There are 25 elements of information that would be included, and it clearly states in the proposed regulatory framework that that's what's going to happen. Any comments on that?
11:45 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I'm sorry I haven't been able to look at this regulatory framework. Could I get back to you on this?
If we're talking about Bill C-42, we're only talking about the possibility of giving any personal information in the case of a flyover. That wasn't clear, I think, from the present wording of either that act or PIPEDA. So it's just to make that absolutely clear.
