Welcome to this meeting of the Standing Committee on Access to Information, Privacy and Ethics. The Chair, Mr. Calkins, is not here today, so I will be replacing him. Consequently, this meeting of the committee will be chaired in French.
I'd like to thank the various witnesses for being with us today. Chantal Bernier, of Dentons Canada, was also with the Office of the Privacy Commissioner of Canada for six years. Monique McCulloch is with Shared Services Canada, and Maxime Guénette and Marie-Claude Juneau are with the Canada Revenue Agency.
Each group will have 10 minutes to give a presentation. This will be followed by a question period, in which the committee members can ask questions.
I will begin based on the order I have before me. Which means you begin, Ms. Bernier. You have the floor.
First of all, I'd like to express what a pleasure and honour it is to be back before you today. It's a bit of a homecoming. I'm truly honoured to be able to help inform your debate on a topic of such importance.
I will be giving my presentation in both official languages. I guess 27 years as a public servant has made a lasting impact. So I will start in French, but continue my remarks in English.
I should tell you from the outset that I'm in total agreement with the recommendations of the Privacy Commissioner of Canada concerning the reform of the Privacy Act
To avoid exceeding my allotted time, I have chosen to expand on what I consider to be the priority recommendations. Naturally, during the question period, I will be happy to elaborate on any recommendations I have not mentioned due to time limitations. Without further delay, I will move on to the first point I wish to make.
My first recommendation is about the requirement for written agreements governing the sharing of personal information. In support of this recommendation, I refer you to two documents: Justice O’Connor’s report as part of the Commission of Inquiry into the Actions of Canadian Officials in relation to Maher Arar; and the special report entitled "Checks and Controls" that I tabled in Parliament on January 28, 2014, with the assistance of the wonderful staff at the Office of the Privacy Commissioner, and with input—this deserves to be emphasized—from five experts in national security.
Let's begin with Justice O'Connor's inquiry report in the Arar matter.
In his report, Justice O’Connor concluded that by sharing personal data about Mr. Arar with foreign authorities, Canadian government authorities had contributed to the torture of an innocent person. In the hope preventing this from happening again, he recommended that Canada better control the transfer of personal information to foreign agencies. This shows how topical the Privacy Commissioner's recommendation is.
In the introduction to the special report that I filed on January 28, 2014, the experts we consulted mentioned the levelling of territorial boundaries, be they national or international, as a decisive change in the public security context. This change necessitates the sharing of personal information.
Given this convergence of necessity and risk, I believe the requirement for written agreements to better govern this sharing is needed for two major reasons: the protection of fundamental rights, and the accountability of government agencies in protecting these fundamental rights. The Commissioner's recommendation is therefore very relevant, and even urgent, in this regard.
Let's move now to the second recommendation that I would like to underline in my list of priorities. It is restricting collection to a government program by relevance to activity.
On this front, I would actually like to go further than the Privacy Commissioner. I fully support his proposal; however, I would prefer to tie the requirement of necessity not to the program or activity, but to the Canadian Charter of Rights and Freedoms. The reason is that it would be stronger protection.
Indeed, let me show you through a concrete example in the work that I did for nearly six years how the linkage outside the program or activity is superior.
In 2009 at the OPC we received a privacy impact assessment from the RCMP to roll out a program whereby a camera mounted on the cars of the RCMP would pick up licence plates. Automatic licence plate recognition was the name, and it would retain information about, let's say, non-executed warrants or interventions that had to be effected and could not be effected, a suspended driver's licence, for example.
It would keep the data that did have a match in the police database for two years, and it would keep the data that did not have any match for six months. In other words, the data—meaning the licence plate recognition of Mrs. So-and-so, who happened to be doing her groceries at this time at this supermarket—would be held for six months, in spite of no contravention of the law whatsoever. We questioned that, and the RCMP said, “Well, it's part of the program”, to which we said, “But it does not meet the standard of necessity under the charter, and the charter has precedence over every other law”. The RCMP indeed took that out and did not retain the innocent person's information.
That, to me, truly shows that there is superior protection where you link it to the charter, rather than embed it in a justification of the program.
The third priority I will underline is to require federal institutions to consult the Office of the Privacy Commissioner on legislation and regulations with privacy implications before they are tabled. To me, the logic of this recommendation lies, first of all, in the role of the commissioner as an agent of Parliament, and second, in the fundamental nature of the right to privacy.
Let's look at the commissioner's role and status. The Privacy Commissioner is an agent of Parliament. What does that mean? That means that he has been invested with the protection of a value so important to Canadian identity and democracy that he is placed above political partisanship and reports directly to Parliament.
Because of this status, and the fact that privacy has been entrusted to an institution with this status, it is completely logical that the commissioner be consulted about legislation or regulations prior to their being tabled, to ensure they are privacy-compliant.
The example I will use here, which I feel clearly illustrates the advantage of this recommendation, can be found in a series of bills that either died on the Order Paper or were withdrawn or adopted with reservations regarding lawful access. These bills were so deficient in terms of compliance that they did not survive political wrath and proved to be untenable. They led to acrimonious debates and undermined public confidence in government institutions. Prior consultation with the Privacy Commissioner, I believe, would have provided for a dialogue between the internal proponents of the legislation and the Privacy Commissioner to find a correct balance in the bill prior to tabling, and therefore, could have led to legislation that was better balanced.
The of 2015, for example, might have struck a better balance between the legitimate needs of the state and the fundamental rights of citizens. Now, the current government has to redo it to make it balanced and satisfactory.
It is therefore my conclusion that in light of the increasing collection, use and sharing of personal information, the Privacy Act must be modernized so that its scope and effect are consistent with the realities of risk and the need for protection.
I will be pleased to answer any questions the committee members may have about all this, Mr. Chair.
Thank you very much, Mr. Chair and members of the committee, for the invitation to describe the framework that Shared Services Canada has put in place to comply with the Privacy Act. We are pleased to be joining you this morning.
My name is Monique McCulloch. I am the director of the access to information and privacy protection division, which is within the corporate services branch at Shared Services Canada. I act as the coordinator for the whole department, and I am responsible for administering all ATIP legislative and policy obligations.
I would like to add that I am also here on behalf of Violaine Sauvé, who is Shared Services Canada's chief privacy officer.
Before describing the ATIP framework, I would like to provide some context on the mandate of Shared Services Canada.
Shared Services Canada was created to modernize information technology infrastructure services so as to ensure a secure and reliable platform for the delivery of digital services to Canadians. The department aims to deliver one email system, consolidated data centres, reliable and secure telecommunications networks, and 24/7/365 protection against cyber threats
Shared Services Canada currently provides information technology infrastructure services across 43 departments, 50 networks, 485 data centres, and 23,000 servers.
For fiscal year 2015-16, while still growing its capacity, the ATIP office employed four full-time employees, as well as two part-time employees—one casual and one student—to carry out Privacy Act business. Shared Services Canada spent just over $411,000 to administer the Privacy Act portion of the ATIP program.
Since its creation in August 2011, Shared Services Canada has put in place a framework, anchored by internal policies, instructions and training, that identifies the procedures and processes for handling requests for personal information as well as all policy matters under the Privacy Act
The ATIP division introduced an ATIP management framework, which sets out a comprehensive governance and accountability structure. A total of 14 ATIP policy instruments have been established within Shared Services Canada, including a directive on conducting privacy impact assessments, as well as a standard on how to manage privacy breaches. These reflect Shared Services Canada's responsibilities under both the Access to Information Act and the Privacy Act with respect to access rights, and with regard to the collection, use, disclosure, retention, and disposal of personal information.
The ATIP division is responsible for developing, coordinating, implementing, and monitoring compliance, with effective ATIP-related policies, guidelines, systems, and procedures across Shared Services Canada. This enables the department to meet the requirements and to fulfill its obligations under the Access to Information Act and the Privacy Act.
In terms of the volume of requests for personal information, I would now like to share some statistics from the fiscal year 2015-2016 annual report on the Privacy Act.
In all, there were 123 formal requests for records under the Privacy Act, of which 120 were completed before the end of the reporting period. All 120 requests were completed within the prescribed time limits, and no complaints were filed.
The Shared Services Canada ATIP division weekly tracks its turnaround times in processing requests, and monitors the time limits of their completion. Performance reports are communicated to senior management each month.
In 2013, Shared Services Canada was also part of the initial ATIP online pilot project, led by the Department of Citizenship and Immigration and the Treasury Board Secretariat, to facilitate and expedite Canadians' rights of access. Today, the majority of ATIP requests received by the departments are made online as part of open government initiatives.
Mr. Chair, I will end here, and will now answer the committee members' questions.
Thank you, Mr. Chair and committee members.
My name is Maxime Guénette. I'm the Assistant Commissioner of the Public Affairs Branch, and Chief Privacy Officer of the Canada Revenue Agency.
With me today is Marie-Claude Juneau, Director of the Access to Information and Privacy Directorate at the Agency, whom you may remember from her appearance before this committee earlier this year in the context of its study of the Access to Information Act.
We are both pleased to appear before you today in support of your study of the reform of the Privacy Act.
With some 40,000 employees, the Agency is one of the Government of Canada’s largest institutions. Very few organizations interact with Canadians as much as we do. In 2014-2015 alone, 31 million individuals and corporate taxpayers interacted with the CRA.
As a result, we have one of the largest personal information holdings in the Government of Canada, as acknowledged by the Privacy Commissioner. Therefore, the Agency takes its obligations under the Privacy Act and related policy instruments very seriously.
This is because the trust Canadians place in the Agency to protect their information is the cornerstone of Canada’s system of voluntary self-assessment. In particular, section 241 of the Income Tax Act and section 295 of the Excise Tax Act prohibit the disclosure of taxpayer information by any employee of the Canada Revenue Agency, unless specifically authorized under these Acts. Breach of these provisions is a criminal offence and is subject to strong penalties, up to and including imprisonment.
Accordingly, recognizing the critical importance of sound privacy management, and in keeping with the recommendation of the Privacy Commissioner, the Canada Revenue Agency appointed its first Chief Privacy Officer in 2013, and I have the privilege of having been appointed to this role in two months ago, in August 2016.
As the chief privacy officer, I oversee all privacy management activities within the agency. This oversight is informed by ongoing performance measurement in key areas, including information technology, security, communications, and training.
As part of my duties, I am accountable for the provision of oversight, advice, and support to achieve compliance with legislative and policy requirements. In my capacity as chief privacy officer, I am required to brief the agency's management committee and our board of management on the state of privacy management at least twice yearly. I also chair a senior-level committee that addresses privacy issues as an integral part of the agency's business.
Over the past several years the agency has implemented numerous technological changes to further strengthen privacy management. We have enhanced front-end controls to our systems to ensure that employees have access only to the CRA computer systems that they require to perform their duties. We have also strengthened back-end controls to build on our automated systems for better monitoring of transactions performed by employees. These monitoring controls will be fully implemented next year, and these are as a result of a recommendation from the Privacy Commissioner in the audit from 2013.
Through a phased approach, the agency, so far, has implemented six of the nine recommendations stemming from the Privacy Commissioner's 2013 audit. Three of the recommendations involving multi-year investments continue to be implemented. We expect they'll be implemented in 2017.
Overall, the CRA has invested over $10 million and is planning further significant investment to enhance its identity and access management controls to improve the protection and confidentiality of taxpayer information and to reduce the risk of internal fraud.
We have also improved our procedures to address and manage privacy breaches so as to ensure more timely reporting of material privacy breach incidents to the Office of the Privacy Commissioner and to the Treasury Board Secretariat.
As you know, Canadians are technologically savvy and are avid consumers of online content. This makes them very sophisticated clients. They rightly expect from their government institutions the same high-quality and timely online interactions as they have become accustomed to receiving from service providers, such as Google or Amazon. For instance, we expect more than 86% of Canadians will file their taxes online next year. We expect that number to probably reach about 90% within three years.
The agency is continuing to invest in ways to improve our services to Canadians, largely through ongoing investments in IT-based solutions, such as My Account, Manage Online Mail, and MyCRA app. Yet as we work to keep pace with the latest innovations and with consumer expectations for faster, more user-centric, and more seamless service, we must ensure that appropriate measures are in place to safeguard the personal information we collect as part of our work.
The CRA assesses its new and modified technological advancements, programs, and activities from a privacy perspective by conducting privacy impact assessments, or PIAs. So far this year we have completed 16 PIAs, and we are on track to complete approximately 18 more by the end of the fiscal year. Our PIA plan includes 20 active PIAs at this time. This is one way we balance this fine line between meeting the expectations of Canadians with regard to service improvement, while ensuring new initiatives comply with privacy requirements.
The Agency also strives to ensure that its employees are well aware of their responsibilities in safeguarding the personal information within their custody. Our Code of Integrity and Professional Conduct, and our Integrity Framework, have been important tools to impart on employees the extent to which the protection of the privacy rights of taxpayers is central to their responsibilities, even after they leave the Agency.
Despite these measures and the many efforts to safeguard personal information, breaches do, unfortunately, occur from time to time. The CRA is keenly aware that, due to the nature of the information holdings we have, a breach of personal information can be seriously injurious to an individual or an organization. For this reason, all privacy breach incidents are assessed with a very high level of rigour. There is always room for improvement, and the Agency is continuously looking for ways to enhance its privacy management practices through program, policy and technological changes.
In fact, we regularly consult with the Office of the Privacy Commissioner and the Treasury Board Secretariat on the subject. The Agency has strong processes, policies and procedures to ensure compliance with the Privacy Act and its related policy instruments. Controls are in place, and we continue to assess and improve those controls on an ongoing basis. Our responsibility to protect Canadians’ information is fundamental to who we are and what we do. That is why we continue to dedicate significant efforts to meeting the expectations of Canadians in this regard.
I hope that I've given committee members a useful overview of the Canada Revenue Agency’s operating environment as it relates to the Privacy Act.
Ms. Juneau and I will be very pleased to answer your questions.
Thank you, Mr. Chair.
I'm going to broach another subject.
The Privacy Commissioner also recommended that the coverage of the Privacy Act be extended to other federal government institutions—ideally, to all of them. It is proposed that the and ministers' offices be included within the ambit of the Act as well.
At our last meeting, we heard representatives from British Columbia, Nova Scotia, and Newfoundland and Labrador. I asked them whether their ministers' offices and their premier's office are subject to the Act, and to my great surprise, all three of them answered yes. I wonder whether this is ideal and feasible. Ms. Bernier will be able to answer this question.
Upon visiting several government Web sites, including the Web site, citizens are asked to provide their email address so they can receive government updates. It's nothing partisan, but data collection is involved. Would it be appropriate to make this subject to the Privacy Act?
With Shared Services, I was a little surprised at the low number of requests that the department received, 123 under the Privacy Act, of which 120 were completed before the end of the reporting period. It's not clear to me exactly how long that really is, but it sounds like it's at least within the length of time in which you're expected to complete them.
During our study of access to information, we heard from both your department and other departments—perhaps we didn't hear from yours—that received access requests. We heard repeatedly that compliance was a problem with the resources available, and that backlogs, when they happened, were the result of insufficient resources and other system problems, which we've tried to address through improvements.
Why do you think you have so few requests under the Privacy Act? The first and most obvious thing that occurred to me was whether anybody knows and understands your department and the enormous volume of information handled there. I don't think I had ever heard of Shared Services until I became a member of Parliament. Are there people out there who don't know they ought to be making requests to your department?
It connects nicely with my response to the previous question.
It was made very explicit in the Shared Services Canada Act that, for the purpose of exercising rights of access under both the Access to Information Act and the Privacy Act, the data that resides within SSC's IT infrastructure, whether it's the data centres, the email solutions, the networks, is not under the control of Shared Services Canada, but in fact under the control of partner organizations. The access requests, under both acts, must be filed by the government institution that has the mandated program activity, and therefore, overall responsibility for managing that information and making it available.
Shared Services Canada does not have a high volume of requests under the Privacy Act, contrary, for example, to the Revenue Agency or Immigration Canada or ESDC, and other government departments. Their primary bread and butter is the handling of personal information in the delivery of programs and services, such as taxpayer administration and employment insurance, but Shared Services Canada does not deliver program activities of that volume where we handle person information.
We'll have some personal information in terms of email authentication, IP addresses, that type of administration, but we don't administer federal program activities that hold known—
You see? In my empathy I made the number bigger.
Voices: Oh, oh!
Ms. Chantal Bernier: There are 40,000 employees of various levels who need to reply to people who call from everywhere, as Monsieur Dusseault was saying. They need to reply, so they need to have access to the files, yet it has to be controlled. It can't go out. It's sensitive information. That's the first complexity, that it's operational, with so many people at so many levels.
The second complexity is that the government does want to have access to some of the information. For example, we know that “follow the money” is key to uncovering illegal activities. That means there has to be some authorized access in spite of all the protections. That's another complexity.
Then, with 400,000 people in the public service—this number is correct—that's a lot of people to monitor. That's a lot of people who could have a grudge, who could have some malicious intent. I've seen lots of them. I haven't seen them only in government. I've seen them in the private sector as well. If you look at the internal threats to data security and the external threats to data security, you realize that the risk is very high.
One advantage we have in our law firm, since you made the comparison, is that we're all lawyers. We are all lawyers who have a vested interest in this business flourishing, and therefore we have a culture that favours, that helps, data security. In the government, however, you can have a disgruntled employee. You don't have an employee who at the same time has a personal investment of money in the business. You have different contingencies to contend with.
I can tell you about one agency for which I have a lot of sympathy. It was also very operational. Their main challenge was their disengaged staff. Because the staff was disengaged, the staff did not exercise the proper discipline that they should have.
Obviously, the Canada Revenue Agency takes into account the sensitivity of the information that's disclosed in assessing the severity of the breach. We have medical information, financial information, and personal identifiers like social insurance numbers. Those kinds of things would very obviously trigger the reporting of a breach, anything that could lead to the risk of identity theft or fraud.
However, to your point, and to speak a bit to what Madame McCulloch was alluding to, there are different types of breaches. One type of breach we see a lot in the CRA has to do with misdirected mail. The volume can appear to be high from an absolute number perspective, although I would flag that from a percentage point of view, given the 110 million pieces of mail that we move in a year, it is less than 0.001%. However, a piece of correspondence that went to the wrong address, wasn't opened, and was sent back to us, we log as a security breach internally. This isn't something that would warrant flagging to the Privacy Commissioner.
A security breach that has to do with an employee willfully accessing taxpayer information outside his normal duties is treated very differently. If I'm not mistaken, the 20 or 21 cases that were flagged with the Privacy Commissioner all had to do with wrongful access to taxpayer information by employees. There's quite a range, and different departments' business would very obviously be quite different. There is a certain amount of flexibility, which is built into the current framework, that's useful.
I certainly can take a first try at it.
I think there is a lot of misinformation, which is why—and I'm going back still to the report of January 28, 2014, because it focused so clearly on this—we made 10 recommendations that I really hope will not be forgotten because they address those very practical issues. One was transparency. Can the government tell us more specifically what it does?
From having been both at Public Safety Canada, where I was assistant deputy minister, and at the Office of the Privacy Commissioner, I can tell you that it's really not that bad. There is no Big Brother. The government doesn't have the money, it doesn't have the interest, and frankly, it's much more strategic and ethical than this representation.
However, the comments you hear—and I know you do because I hear them, as well—really underscore the need for greater transparency, specifically that there be annual reports for all the agencies that collect public safety information or collect signal information, and that there be regular appearances by the heads of these agencies before House of Commons committees, such as this one or public safety, etc. Bring them to account and say, “Once a year, we want a report from you. What do you see as a threat, what are your activities in relation to the threat, and how do they respect fundamental rights?”
My question is for the Canada Revenue Agency representatives, and is about the measures taken in the event of privacy violations.
Recently, a USB key or a laptop—I can't remember which—was left in a bus. Malicious people got access to CRA data. The vulnerability that made this possible is called Heartbleed.
In another incident, the CBC made an access to information request, and was given a file mistakenly in response. So the CBC ended up with very sensitive information, and, naturally, it reported on all that information.
I'd like to know exactly what measures are being taken in this regard. Earlier, there was talk of possible damages, but you don't seem to be envisaging them for the moment, since they're not mandatory. What do you do to inform and reassure taxpayers in such cases? Do you take measures to attenuate the repercussions for the victims of these privacy breaches, such as ensuring that their credit score remains good? When the data falls into the wrong hands, what do you do? How do you react?
As Mr. Guénette just mentioned, the Agency follows a well-established process for reporting all types of incidents. Following an incident, the Security and Internal Affairs Directorate conducts an investigation and sends us its findings. The question to be determined is whether there's been a security breach. If there has been we report the breach to the Privacy Commissioner. We also have a disciplinary framework at the Agency. Based on that framework, we verify how the breach was reported, and whether a disciplinary measure is applicable in such a case.
As for what we do to mitigate the impact of security breaches, I will come back to the example you gave concerning the CBC. When the incident occurred, what we did in terms of access to information and privacy measures was to verify the processes implemented by the Agency, and determine where surveillance or review could be enhanced with a view to preventing such a situation from recurring.
Another process was developed too. A private firm verified whether our processes were indeed adequate, and whether there were still shortcomings. Following that audit, the firm made a few recommendations. The measures it recommended were mainly about systems, system audits, and quality assurance. We have implemented those procedures, to prevent such situations from recurring.
Thank you very much for the question.
Mr. Chair, two types of actions were taken in that regard. One is more technical, and the other is about employee education.
From the technical standpoint, we're continuing to implement measures. In fact, I alluded to them in my preliminary remarks. They have been and are continuing to be put in place, in order to better document and control employee access to Agency databases and applications. As I was mentioning, reviews are done twice a year, to ensure that if there are changes to the duties of certain employees, and access needs to be reviewed, it's done.
Improvements were also made so that an "audit trail" can be created in the National Audit Trail System. This makes it possible to detect accesses not tied to certain duties, and to notify managers of those accesses. So measures were put in place so that managers can receive automatic notifications of this kind. For example, I might need to speak to Ms. Juneau because I received an indication that she accessed some information that doesn't seem to fit with her duties. Several applications are subject to this type of audit.
Yes, they're in operation, but they continue to be improved. We anticipate the work will be finished in 2017—that is, by the end of next year. Those are the more technical elements.
However, since that 2009 audit, a lot of emphasis has been placed on employee education. We have certain data that enables us to identify the cases where privacy breaches are reported the most. This is because, as you were saying, what needs to be reported is now clear to employees, compared to the situation five years ago. There's the Integrity Code, to which I've referred. There's also the Integrity Framework. Added to that are the communication initiatives we've implemented, and mandatory training. There are several indicators on our performance management dashboard. As Chief of Privacy, I must check on the extent to which employees are doing training, and the extent to which they're consulting the available information. For example, we recently made a video available. Based on the most recent numbers we have, it was viewed more than 12,000 times by employees. The video explains the kinds of privacy breaches that can occur inadvertently.
All this to say that a major communications effort has been made in this regard, and certainly must continue. We see—and I think the data support this—that there is now a better understanding of the importance of protecting personal information, of what can constitute a privacy breach, and of the procedure to follow so these breaches can be identified when they arise.
Thanks for the question.
Very similarly to Ms. McCulloch, I would think we approach our dealings with the Privacy Commissioner with the intention to find common ground, and if we enter a different legislative framework where there is an order, we would attempt to resolve the situation before it comes to that.
In terms of what that particular change might imply for our work, it's hard to speculate on what that might look like, without knowing more of the specifics of how that would roll out. Certainly with a place like CRA, with the volume that we're dealing with, depending on how this gets rolled out, there may be an impact in terms of our processes and our resources, which we would need to address, but we would comply with whatever framework is put in place by the government.
Yes, I think I would agree with Ms. McCulloch that the attempt is to find common ground, and then, for the most part, we are successful in doing that.
First of all, just to put it in perspective, Europe does not have separate legislation for private and public sectors, and I have often questioned in my mind whether we should. But we do and we have an excellent system. The reason we do is easily justified by the difference in legal paradigms that are the subset of both. This, again, goes back to my answer to Ms. Rempel, meaning one is the state-to-citizen relationship Privacy Act and that is grounded strictly in necessity. The state cannot intrude upon your privacy unless it is demonstrably justified in a free and democratic society.
The relationship you have with other data holders, say Google, Facebook, or any company you buy something from, is predicated on your relationship, your free relationship with them, and therefore is built on consent.
I think that the way we have it constructed is working very well. However, the bridge that you're pointing to is extremely important and increasing. We've seen it with what is often referred to as the deputization of the private sector. Obviously, the big showdown of Apple and the FBI is an example of that in the U.S., where you have this treasure trove of information in the private sector that the law enforcement agencies, therefore the public sector, wants to have access to. How do we regulate that connection?
There has been clarification in Canada. One clarification was, as I mentioned earlier on, R. v. Spencer. A more recent clarification that goes more directly to your question is in R. v. Rogers Communications Partnership. That was January 2016, where the issue at hand was a judicial warrant for a tower dump, a tower dump being giving to the police all of the exchanges, communications, within the vicinity of a specific cellphone tower, which would have resulted in providing the police with 43,000 people's exchanges between, say 3:00 and 5:00 on that day. Why? Because there had been a jewellery robbery at that time on that day. Rogers said, no, opposed the warrant, and the police stood down. However, Rogers still went to court and said that warrant was invalid because it was overly broad. The police replied via the Auditor General that Rogers had no standing in fighting this issue, whereas the court—and this is very important to your question—said not only was Rogers right in refusing to comply with a judicial warrant because a judicial warrant was too broad to be constitutional, but it had the obligation to oppose the warrant as its contractual duty to its customers.
That really illustrates, I believe, the link you're making between public and private.
We have to follow the law everywhere we operate, and the law is different in different countries.
I was in our Singapore office recently and we were discussing, specifically, how you regulate privacy law in Singapore, but in that case, it was a Canadian business going there. The jurisdictional rules around privacy law are such that where the operation takes place, where the information is collected, must always correspond to the laws of the country where it is collected.
However, there are different laws for cross-border. There are countries that do not allow the cross-border transfer of personal information from their citizens, except with very tight rules, conditions, and so on. There are other countries who are mainly requiring due diligence, saying you can go cross-border but make sure that through the transfer you protect the information at the same level as, say, Canadian law requires you to. They do that by, first, choosing very trustworthy contractors, and second, by having contractual clauses that specify, the contractor will protect the information at the level they, the customer who's using the contractor to transfer the information, are held to and that they will audit and inspect the contractor. There are compliance measures like that.
Yes, it is definitely a conflict of laws challenge, but one that is governed by rules of conflicts of laws.