Evidence of meeting #21 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A recording is available from Parliament.

On the agenda

Members speaking

Before the committee

Teresa Scassa  Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual
David Lyon  Professor, Queen's University, As an Individual
Lisa Austin  Associate Professor, University of Toronto, Faculty of Law, David Asper Centre for Constitutional Rights, As an Individual

9:35 a.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Ms. Scassa, you spoke about third party collection of data, by which I am assuming your are referring to information collected for commercial reasons by a private business or information transferred between private individuals that through a second transfer ends up with an agency of government.

Could you give me some examples of how government ends up with information collected by a third party?

9:40 a.m.

Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual

Teresa Scassa

Yes, that's essentially through information-sharing provisions that are found in both the Criminal Code and in PIPEDA, the private sector data protection legislation, which allows for disclosure. In the Criminal Code, it's disclosure in the context of law enforcement; in PIPEDA, it can be law enforcement, but it can be in relation to an investigation or in relation to the enforcement of any law of Canada or a province, so the range of regulatory purposes is much broader.

That information can be requested from the private sector company and can be provided on request if the private sector company is wiling to disclose that information, or it can be sought through a court order. In either event, the information will be collected by government. That collection is not directly from the individual but from the private sector company. It can be information that is very specific to an individual, but it can also be—and this has been the case now with some court orders—bulk information that is going to be searched or analyzed for patterns.

9:40 a.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much, Mr. Kelly. We've gone a little bit past.

Mr. Dubé, you have up to seven minutes, please.

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Mr. Chair.

My thanks to the witnesses for joining us today.

Ms. Austin, I think it was you who talked about the importance of government agencies gathering data in order to develop social programs. However, the problem is not just about gathering data; it is also about storing the gathered data, if I may put it that way. Think of recent examples, specifically the Canada Revenue Agency; whether personal information was lost or accidentally disclosed doesn’t really matter.

What should be done to make sure that data are not only collected appropriately but also protected appropriately once they have been gathered?

The same question goes to the other witnesses too.

9:40 a.m.

Associate Professor, University of Toronto, Faculty of Law, David Asper Centre for Constitutional Rights, As an Individual

Lisa Austin

I think one of the important issues around how we store and protect information is that it also has charter dimensions to it.

The recent jurisprudence in the Supreme Court of Canada has been very strong on the idea that you need safeguards around information. For example, when there's an analysis of the reasonableness of a law in the context of a charter privacy issue, there's an increasing discussion on the question of safeguards, in that if you don't safeguard the information properly, that can be the charter breach.

The gravity of that issue is that it's not some sort of technical, administrative element to the Privacy Act. There are serious charter issues in not safeguarding that information properly that the courts are starting to really pay attention to.

My own view is that we haven't built in enough on the technical side of the review process. We still seem to be thinking about it much along the lines of what David Lyon has been talking about, seeing personal information as if it's discrete information collected in a kind of paper environment that's shared in filing cabinets, but these are information systems. They're technical systems. It's software. It's algorithms. The whole issue of safeguarding has an incredible technical side to it as well. Getting the legal standards right, whether it's in the legislation or in regulations, is important, and getting the oversight right is important, but there's a whole technical side to that too. I think we're not building enough technical expertise into the review process.

As to what that looks like particularly, I don't have an answer for you, but I think we need to really understand the fluidity that David Lyon is talking about. The practical expression is that these are software systems. These are algorithms that we're talking about. These aren't social security numbers in a paper file in a filing cabinet. It's a highly technical environment.

Matthew Dubé NDP Beloeil—Chambly, QC

I want to give a chance to the other witnesses, but I want to ask my next question just to make sure I have time for it.

It's a great springboard talking about this whole digital element, the software and servers. We talked about foreign states and our relationships with them. It ties into the TPP, for example.

One of the big issues that's been brought up is around localization. In other words, if Canadians have data in the U.S., they have far less legal recourse there than here in Canada, given the U.S. surveillance machine. We know that localization is something that companies in Silicon Valley, for example, aren't particularly fans of. It makes it more difficult for social media and things like that to expand in a way that's beneficial to them.

What do we need to do when we're negotiating trade agreements like this, knowing that goods could be data now as well, and that's something we need to be mindful of? When we see some of these flawed agreements with regard to Canadians' privacy, is that something that needs to be considered in the law?

9:45 a.m.

Associate Professor, University of Toronto, Faculty of Law, David Asper Centre for Constitutional Rights, As an Individual

Lisa Austin

I'd be happy to comment on cross-border data flows.

This doesn't seem like a Privacy Act issue per se, but I do think we should really understand the issue, again from a kind of constitutional perspective. As a Canadian, if you are physically in Canada and you're living here and residing here, but your data goes to the United States, their position is that you are a non-resident alien—we're in Canada, so we're not resident in the United States—so the fourth amendment of the U.S. Constitution, which provides for protection of privacy, does not apply at all.

There's a lot of Canadian jurisprudence that says that once you're dealing with what happens in a foreign state, it's their rules that apply, not ours, so what you do when you put your data in the U.S., is what I call plunking your data into a constitutional black hole. There's no constitutional right there.

What should we be doing? Data localization is one response to that dynamic. I think it's an unrealistic response to think that this is a solution in the long term. Another response, though, given the size of Canada and the size of our economy, is to negotiate a bilateral agreement with allies like the U.S. to say that when Canadian data is in the United States, you protect us to the same extent that you protect your own citizens.

I would actually go further and say you need to protect us according to our own standards in the Canadian charter, because Canadian charter standards of privacy are better in relation to data in most of these contexts than the American constitutional standards. Why? It's because the Americans still buy into what's called the third party doctrine. They say that if you share information with a third party, such as a telecommunications provider, there's no longer a reasonable expectation of privacy. You've given it up in relation to the States.

It's a crazy doctrine. We've never agreed with it in Canada. The Supreme Court of Canada has denounced it for more than 20 years.

It's crucial, I think, that we actually negotiate and say, “If you want access to our data for any kind of law enforcement or for national security, it's the Canadian charter that applies.” That mimics what the MLAT process tries to accomplish in having the constitutional rights of the data bearer apply, and we need to find a way to do that. I think that's the way forward, but I think it's a treaty that needs to be negotiated.

9:45 a.m.

Professor, Queen's University, As an Individual

David Lyon

I might add, too, that the question suggested some kind of deliberate transfer of data for the purposes of trade or law enforcement or whatever, but in fact data frequently travels through the States between one Canadian location and another. The routing system can take data into the United States and then return it to Canada. This can be even between two locations in the same city, but it goes through the U.S. In those circumstances, the possibility that the individual's information is subject to American law and therefore doesn't have any kind of protection for the individual is true as well. It happens incidentally as data is routed into the United States.

9:45 a.m.

Conservative

The Chair Conservative Blaine Calkins

That's very, very interesting.

That takes us over your time, Mr. Dubé.

Mr. Lightbound is next.

Joël Lightbound Liberal Louis-Hébert, QC

Thank you all for being here. It's very interesting and much appreciated.

My first question concerns the necessity requirement that we find in section 4 of the act currently, which says that information collected must relate directly to an operating program or activity of an institution.

When we hear that the government has been snooping on the social media of Canadians and millions of records have been data-mined, so to speak, how do you conceive that we should narrow that necessity requirement? Are there specific suggestions you would make to us? What I've read from Mr. Therrien is a pretty broad suggestion. Are there examples around the world that you could point us to as we review the Privacy Act?

I'd start with Madam Austin.

9:50 a.m.

Associate Professor, University of Toronto, Faculty of Law, David Asper Centre for Constitutional Rights, As an Individual

Lisa Austin

It's a great question. Concerning the necessity standard, I understand why the section 1 framework is the one being suggested. It's a well-known kind of legal framework for proportionality analysis. In international human rights there's a necessary and proportional test as well, which is a great thing to take a look at.

My only hesitation on the necessity requirement is that the section 1 test, if you start to interpret it through the lens of existing jurisprudence, has largely been developed in the context of social legislation. The courts really focus on minimal impairment, and they don't focus on the kind of broader balancing that you would find, for example, in the traditional section 8 of the charter privacy cases. In those search and seizure cases, the “reasonable expectation of privacy” is understood as a kind of balancing. State interests are already balanced against privacy in that provision. Again, the ”reasonable and probable grounds” test is not a minimal impairment test; there is stronger protection for privacy in that kind of balancing.

My only hesitation is not to think that.... I think the necessity test and the section 1 framework are an improvement over what is in the Privacy Act right now, but I'm hesitant about its becoming a kind of stamp of approval for collections, uses, and disclosures, particularly in the context of starting to get into law enforcement or national security, because there is a more robust view of proportionality, I would argue, in section 8 and section 7 of the charter that is not reflected there. It's as if you're jumping to a section 1 justification when you haven't done the more robust analysis early on. I think that's a problem in those contexts.

9:50 a.m.

Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual

Teresa Scassa

The directly related problem with the current standard is that it's too soft and is capable of multiple interpretations. The desire to move to a necessity standard is to try to bring to bear more firmly the concept of data minimization, which is an important data protection principle because it requires a reduction of the amount of information that is collected in the first place. The focus really should be on whether this information is necessary for this program or service. If it's not necessary, then it shouldn't be collected.

Obviously, with any word, there's going to be wiggle room and room for interpretation and room for arguments: “Well, this is actually necessary. because what we're doing requires....” I think this is part of the problem in the big data environment: we start to say that what we're trying to do is collect enough information so that we can do these other analytics or other profiling, which will enable us to do these other things, and therefore it becomes necessary.

I think there are risks with any vocabulary that is used. The goal here is to try to minimize data collection. In combination with other measures being recommended, such as privacy impact assessments and so on, it may be that there are ways in which more supervision can be imposed.

Joël Lightbound Liberal Louis-Hébert, QC

I want to hear you on another topic. Madam Austin, you've mentioned quite accurately the dangers of information sharing, especially when we think of the Maher Arar saga. Currently Bill C-51 states that the information sharing must be in accordance with current legislation in Canada. In the Privacy Act, we have a general prohibition against the sharing of information in section 8, which is tempered by a lot of exceptions in subsection 8(2), and it goes on and on. For instance, paragraph 8(2)(b) says that it can be done if it's in accordance with another regulation or law, which is a catch-22, so to speak.

I would like to hear your thoughts on section 8 and hear whether you have any ideas on how we could further narrow the information sharing within the Privacy Act.

9:50 a.m.

Associate Professor, University of Toronto, Faculty of Law, David Asper Centre for Constitutional Rights, As an Individual

Lisa Austin

One of the big problems is thinking that with Bill C-51, privacy is going to be protected because the Privacy Act applies. The broad authorization for information sharing in SCISA itself seems to capture a lot of what section 8 does. I don't have the act in front of me, but any analysis of this issue has to start from the proposition that compliance with section 8 does not mean compliance with the charter. All sorts of information sharing could be consistent with those disclosure provisions or the use provisions in section 7 or section 8 of the Privacy Act, as it currently stands, yet still violate the charter.

I'm not sure, as a matter of legislative drafting, if you want to change those provisions or just indicate somewhere that in some circumstances this is going to raise charter issues, because it won't necessarily or in all circumstances. The Privacy Act regulates collection, usage, and disclosure of personal information. Not all of that is going to meet a constitutional threshold for the reasonable expectation of privacy. That's the tricky part. When you're contemplating information sharing, particularly in those contexts where the individual is in that coercive relationship with the state, you have to be incredibly mindful that there are charter issues at stake. How can that be built in?

That's why we were arguing that you need an interpretive principle saying that this was meant to be consistent with the charter and build in charter review. Perhaps something could be written into section 8 that this must also be consistent with the charter. You want to build up expertise somewhere of people who understand what the jurisprudence is saying about uses and disclosures of information. When they trigger charter violations, what does that mean? Do you need prior authorization? Is it an issue of safeguards? What do those safeguards mean? Make sure those information processes are compliant from the start so that some person doesn't luck out and find out about this process and then have to go to court 10 years later. You build in charter compliance from the start.

Joël Lightbound Liberal Louis-Hébert, QC

Seeing that the chair does not interrupt me—

9:55 a.m.

Conservative

The Chair Conservative Blaine Calkins

If you've got a quick follow-up....

Joël Lightbound Liberal Louis-Hébert, QC

It wasn't a follow-up; it's another topic.

9:55 a.m.

Conservative

The Chair Conservative Blaine Calkins

Can we wait until the next round?

Joël Lightbound Liberal Louis-Hébert, QC

Yes, sure.

9:55 a.m.

Conservative

The Chair Conservative Blaine Calkins

That concludes our seven-minute round.

We move to Mr. Strahl, please, for five minutes, sir.

9:55 a.m.

Conservative

Mark Strahl Conservative Chilliwack—Hope, BC

Thank you, Mr. Chair, and thank you to the witnesses.

This is a fascinating topic and a fascinating time. Dr. Lyon, people are increasingly concerned about their privacy while they're increasingly revealing more about themselves on a voluntary basis in increasingly insecure media online. Even though they are doing that, you mentioned that people are still cognizant of their privacy rights and expect their privacy to be respected.

I want to speak specifically about one of the recommendations of the Privacy Commissioner. There was a recommendation of a mandatory legal obligation to report serious privacy breaches under the Privacy Act.

Dr. Lyon, do you believe that is a good recommendation, and do you believe that it can be enforced under the Privacy Act?

June 14th, 2016 / 9:55 a.m.

Professor, Queen's University, As an Individual

David Lyon

It's difficult to answer the second part about the possibility of enforcement. As to the actual revelation about the breaches, it seems to me that it is is essential that we, as a public, know what is happening and when privacy breaches have occurred.

These things tend to be displayed under certain circumstances, but they can also be kept under cover. They can be swept under the carpet so that we never know about them. I think it's essential that we know about those breaches and that they be made public and that there be a requirement to make them public.

As to exactly how you would do that, as I say, I would defer to others.

9:55 a.m.

Conservative

Mark Strahl Conservative Chilliwack—Hope, BC

Speaking of others, Dr. Austin or Professor Scassa, does either of you agree with that recommendation, and do you have any ideas on the best way that those breaches should be reported or on the timeliness of the reporting?

9:55 a.m.

Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual

Teresa Scassa

I would emphasize the importance of two levels of breach reporting, similar to what's been done with PIPEDA.

When the PIPEDA amendments come into effect, you're going to have a first level of breach reporting when breaches reach a certain threshold of harm, and that triggers an obligation to notify both the Privacy Commissioner and individuals who may be facing that potential for harm. That's one level, and it's a tremendously important one, because it's not just reporting the breach but also trying to mitigate harm and notify those individuals who may be affected.

The second level that's in PIPEDA, one which I think is quite interesting, is a requirement for organizations to document any breaches whether they reach that threshold or not, meaning things that are essentially breaches even though the information ultimately didn't end up in anyone's hands. I think that kind of record-keeping and reporting to the Privacy Commissioner doesn't necessarily have to be made open to the broader public—that decision would have to be made—but it could be just reporting to the Privacy Commissioner.

I think it's important because this goes to another thing, which is trying to identify those security practices that are weak and need to be improved within. If the Privacy Commissioner has access to this information, it gives a chance to see whether this is a common problem across government that should be addressed or whether it's a particular department that hasn't adequately trained its staff on certain privacy measures. It allows a more proactive approach to try to address security problems that become visible through this level of reporting.

I would encourage having those two levels so that it's not just harm that triggers notification, but that there's another level where any breach should be reported in order to try to diagnose problems and address them before they become more significant.

10 a.m.

Conservative

Mark Strahl Conservative Chilliwack—Hope, BC

Thank you very much.

The Privacy Commissioner also pointed to the Newfoundland and Labrador model as the best model to modernize Canada's Privacy Act. Do you agree with the commissioner, and if so, why? Do you think there are better models, either in Canada or internationally, that we could adopt to improve our act?

Maybe I'll start with Ms. Austin.