Thank you very much for this invitation.
To give you a bit of background on my organization, the Centre for Law and Democracy is an NGO based in Halifax that works to promote foundational rights for democracy. Most of our work is international, but it is a Canadian-based organization. We work here as well.
Our general focus is on freedom of expression, but that has increasingly taken us into privacy advocacy in recent years because there is a growing consensus about the broader importance of privacy to freedom of expression. This was noted by the UN Special Rapporteur on freedom of expression in 2013 and in the 2014 report by the Office of the UN High Commissioner for Human Rights.
The right to privacy, of course, is also internationally recognized as a human right on its own, protected by article 12 of the Universal Declaration of Human Rights as well as the International Covenant on Civil and Political Rights, which Canada has ratified.
I'll add that the value of a right like privacy must be considered in broader and systemic terms, rather than just by virtue of one's own sense of the private. Too often, as part of our advocacy, we've come across a statement to the effect that, “Well, I personally don't care too much about privacy or the integrity of my information. I'm not particularly a private person. I don't have much to hide, so I don't see these as important issues to address.” To me, that thinking is analogous to a person saying that because they're not personally religious, they feel no need to safeguard freedom of religion. There are broad social benefits that accrue to everyone by having a robust and properly protected right to privacy.
With regard to the current recommendations that are being discussed, we generally support what's been put forward by the OPC. For the sake of brevity, I'm not going into detail on all of the recommendations, but any of the ones that I don't specifically mention, we do support.
To start off, we strongly support the need for greater clarity around information agreements made under paragraphs 8(2)(a) and 8(2)(f) of the Privacy Act. There's a global trend among governments, and that includes our neighbours to the south, to adopt an approach to privacy that extends some protections to their own citizens and virtually none to foreigners. In this context, Canadians have to rely on their government to safeguard their privacy rights in dealings with external actors.
Clarity, transparency, and robust oversight are key ingredients to this, and the OPC's recommendations are a necessary step along that path. We would actually go beyond the OPC's recommendations and suggest that these agreements should be public and should set clear limits as to the purposes for which the disclosures may be made. There should also be a system of disclosure when these conditions are violated and effective remedies for those individuals who are affected.
CLD supports the recommendation that there should be an explicit necessity requirement for the collection of personal information. I would note that this is not just about protecting against the privacy infringements that result from the collection and processing of the information itself. Over-collection magnifies the threat to data security, since the ease of storing massive amounts of information can turn public agencies into a bigger target for hackers. Security experts have long argued that data minimization is among the most important defensive measures in protecting personal information.
When the United States Office of Personnel Management was catastrophically hacked last year, releasing, among other things, the results of background checks for millions of current and former employees, one of the big questions that security experts asked was why on earth they were warehousing all this information. There's no such thing as perfect security, but by working to manage and restrict the amount of information held, an agency can proactively mitigate the damage of a breach if and when it occurs.
Expanding the commissioner's ability to share information with counterparts domestically and internationally is also a good idea, particularly in light of the dynamic nature of global information flows. The Internet poses a significant challenge to traditional understandings of borders and jurisdiction, which makes it difficult to safeguard rights online. When a guy in Saudi Arabia, a country where adultery is a criminal offence, has his Ashley Madison profile leaked due to negligent safeguards by that company, where does his remedy lie? That's to say nothing of the almost 1,300 Ashley Madison users who identified themselves to the service as gay and whose log-in information originated from countries where homosexuality is criminalized.
There are very serious international consequences to these kinds of leaks. The Internet is a borderless place, and any agency that seeks to protect the rights of Canadians online needs to coordinate internationally.
CLD supports the idea of stronger transparency on reporting requirements for government institutions. However, rather than setting specific standards in the act, we would suggest leaving the specific scope of that to either the Privacy Commissioner or the Information Commissioner, to be defined through their regulations. That is in order to allow them to deal with emerging issues as they arise without having to reform the law.
There are two areas where we take issue with the recommendations. One is regarding the exception in the Access to Information Act for personal information, which the Office of the Information Commissioner has argued should be narrowed, so that it only applies to information whose disclosure would create an unjustified invasion of privacy. This would transform the current class exception for personal information into a harm-based exception in line with international better practices.
The OPC has voiced opposition to narrowing the definition in the matter in the way that the OIC suggests. CLD strongly supports the OIC's position in narrowing the definition.
The first reason is that there are enormous amounts of personal information whose disclosure is not sensitive—for example, where the information is already broadly publicly available—and as a consequence there would be no material harm in its disclosure. A harm test, which is what we're advocating, clarifies that information should always be disclosed in these kinds of cases. This prevents undue delays in processing requests and is a core earmark of good access to information legislation.
Second, in its submission the OPC has advocated for a formula that inherently tilts the scales in favour of privacy by requiring that a public interest override to have the information disclosed would only kick in if the interest in disclosure would clearly outweigh the privacy interest. This is an incorrect approach. The right to information is a human right, is broadly recognized internationally, and is also recognized as a limited and derivative constitutional right. It should be balanced against the right to privacy on equal terms.
Regarding order-making power, CLD doesn't necessarily oppose this idea. At the same time, I'm not particularly convinced by the argument for order-making power based on a necessity for parity between the Information Commissioner and the Privacy Commissioner. There are important differences between these two institutions, the main one being that the OIC's reviews are almost entirely aimed at public bodies, whereas the OPC has an oversight role over both public and private bodies.
This is a substantial consideration when you're talking about providing the agency with a bigger stick to wield. It heightens questions about procedural fairness and investigations, which the OPC has itself identified as a challenge.
There is also the question of collaboration and relationships with private sector respondents and whether this would impact the ability of the OPC to seek informal resolution or whether enhanced powers would make it more likely that private sector interests, if contacted by the OPC for an investigation, would put up a defence and lawyer up.
Again, that's not to say that we're opposed to order-making power. To me, it comes down, first of all, to whether order-making power is necessary to compel compliance with the recommendations that are being issued and, second of all, to whether it would make the OPC more effective in its oversight role. Would it create a greater impetus for organizations to follow their recommendations? Would it turn it into a stronger body, or would it further delay the process by making companies more defensive through the investigations? I don't know the answer to that question, but I think it's important to think about the issue in those terms.
It's also worth considering in the context of the statement by the OPC that most institutions do eventually agree to their recommendations, though there can be lengthy delays. Against that backdrop, obviously the delays are a legitimate concern, but if that's the major issue, I'm not entirely certain how order-making power would solve it more effectively than the hybrid model that had been previously suggested.
Without making a statement against order-making powers, I want to frame the discussion that way and have the discussion over questions of efficacy and necessity, as opposed to parity between the different institutions.
That's what I have in terms of our opening statements. Thanks very much. I look forward to engaging.
Okay, thank you for that.
In any event, I'll just deal with the points that I think need amplification. There are many of the commissioner's recommendations that we're in agreement with, and you'll see that in the submission when it finally emerges.
Generally I think that in the testimony you've heard so far, it's common ground among the witnesses that the Privacy Act is outdated, antiquated, and in need of complete overhaul to ensure that Canadians' privacy rights are properly protected. This should also be done to bring the act into closer harmony with not just the more modern and more protective privacy laws, but also with its federal private sector equivalent, PIPEDA, which is administered by the very same commissioner.
Of course there are differences between the public and private sector, obviously. However, for Canadians who are going to the Privacy Commissioner to seek remedies or to figure out what their rights are or what the Privacy Commissioner can do for them, I'm sure it's very confusing as to why the remedies in terms of the public sector are so very different, and the procedures so very different, from what they would have in terms of PIPEDA. We urge you to make the changes required to end this disparity and confusion.
I'll now proceed to quickly go through the recommendations of the commissioner.
First is the requirement to put in an explicit necessity requirement for data collection. This is the standard set out in B.C.'s Freedom of Information and Protection of Privacy Act, as well as a number of other laws. The concept has received considerable interpretation, judicially and quasi-judicially, so its operation is well understood. We recommend that this be explicitly included in the act. We agree with the commissioner.
We'd also like to point out that one of the many criticisms of last year's Security of Canada Information Sharing Act, which was part of Bill , is that it allows information on the lowest possible standard—that is, that the information is relevant to a receiving organization's jurisdiction or responsibilities in relation to activities that undermine the security of Canada in relation to detection, identification, analysis, prevention, investigation, or disruption of those activities.
We're of the view that this law is actually subordinate to the Privacy Act. However, the government's own background paper to the green paper, which is now currently also the subject of consultations, is actually contradictory on this point. In one place it says yes, it does override, and in another place it says no, it doesn't, that it's subject to other legislation, including the Privacy Act. It seems that the government itself is not entirely clear on this point. Given the weaknesses in terms of the lack of an explicit necessity clause in the Privacy Act, we think this would go some way toward helping resolve this ambiguity.
I'd also like to point out that the CSIS Act uses the standard of necessity as well.
In terms of expanding judicial recourse and remedies under section 41, we support this recommendation. We would note that the B.C. legislative committee that recently reviewed our province's act has recommended that penalties be increased in order to focus the minds of those who may either not be paying proper attention to privacy rights or would ride roughshod over them.
One example of why this is necessary is the case of Sean Bruyea, a veterans advocate who had his personal information, which was held by Veterans Affairs, accessed hundreds of times by hundreds of individuals, including his financial, medical, and psychiatric records. Some of those records actually ended up in not one but two different ministerial briefing notes.
Mr. Bruyea was eventually compensated, but that was because he had already brought an action for damages for violation of his charter rights. That's an exceptional action, and we agree with the commissioner that there should be a broader scope and a broader availability of sanctions, including damages, under the Privacy Act.
In terms of the ombudsman versus order-making power versus hybrid, we see that the Privacy Commissioner himself, last month, has come around to the view that order-making power would be preferable. This is the view we have long held and the view we have also put forward in terms of the Information Commissioner. Both of these officers of Parliament should have order-making powers.
With regard to the discretion to discontinue or decline complaints in specified circumstances, this is understandable and necessary for the economy of public resources in cases where there is a request or a demand for review that is frivolous, vexatious, or done in bad faith. However, it should be restricted to those narrow points.
In terms of exceptions, the commissioner's recommendation 16, we agree with the Information Commissioner on this point. We have for a long time been in favour of exceptions to release under the ATIA being harms-based, and that would include personal information. We are also not in favour of this being discretionary.
I have three additional points that I would like to raise. First, I'd like to point out that in British Columbia our public sector act has a domestic data storage requirement, something that does not exist at the federal level. Again, this requirement was recently supported by the committee reviewing our act earlier this year, and also by the Government of British Columbia. We would commend this to you as something you may want to look at, in terms of B.C.'s experience.
Second, in 2008 the commissioner made a recommendation to eliminate the stipulation that the act apply only to recorded information. We think that was a good idea in 2008, and we still think it's a good idea. Although the commissioner hasn't mentioned it this time, we think it's an important change.
Third, something that we're seeing increasingly in the public and private sector in terms of decision-making is the use of data mining, and especially the use of algorithms to either supplement or entirely replace decision-making by human beings. Data is run through a program, and a recommendation, which humans may be reluctant to overrule, comes out. These rulings oftentimes have very serious effects on individuals, especially in terms of social services or benefits or things like that.
Something we have found over the years is that there is a great deal of resistance by private sector and public sector bodies that are using these algorithms and technologies to provide any kind of access to their workings, or even the basis on which these things work.
This really contradicts what happens when you have a human decision-maker. They normally have to provide reasons. There's something you can look at to figure out how they got to their decision. If this approach is replaced by a black box that has unknown data coming in from an unknown variety of sources and a recommendation coming out at the end, the person whose livelihood, finances, business, and other interests may be affected should have a right to see that. I think that has to be in the act.
I now look forward to your questions.
Good morning. Thank you both for coming here.
Mr. Karanicolas, I was reading a piece that you wrote. I think you called it “Travel Guide”, and you talked about data retention obligations.
I want a differentiation from you, if you could highlight that for us, between the private sector and the public sector. You wrote in that piece about certain governments around the world, whether Thailand or India, having certain data retention obligations, and you wrote about an issue in Europe, where they tried to require service providers to retain data, but certain states hesitated.
When we look at the private sector, we see that consent is required when they collect data. Their collection of data tends to be more targeted, as opposed to government's, where the data tends to be broader or more diffuse. The government has an obligation to collect data. There's the CRA, and things like that. How do we ensure that the government is able to retain that data and yet also ensure that over-collection does not occur?
Could you highlight some of the things that we could improve, as compared to the private sector, and how we could go about that?
First of all, it's great that you found that work, “Travel Guide to the Digital World”.
I completely agree that there's a big difference between information collection that happens in the private sector and information collection that happens in the public sector. Information collection by the public sector has a lot more potential for abuse and needs to be monitored much more carefully, partly because governments can get up to.... I work a lot in repressive countries, so I know governments can do much nastier things with private information, personal information, than private companies can. Governments have extraordinary levels of power, and the ability to misuse that information is much higher in the public sector than in the private sector. We take a much more wary approach when we talk about government collection of information.
You also noted the consent model. When you talk about consent, that's another issue. You can choose to delete your Facebook account and you can choose to delete your Gmail account, but you can't really choose to stop paying your taxes. You're a Canadian. You're in the system. It does also change the dynamic quite a bit.
I will also say that the consent model for collecting information in the private sector does need to be thought through very carefully, and I would argue that the current consent model is broken. Nobody reads their terms of service and nobody understands their terms of service. There's a bit of a vicious circle. The fact that nobody reads their terms of service means that the lawyers who draft these terms of service are incentivized to draft them in incredibly broad and vague ways in order to make sure they cover every imaginable use. There's no incentive for them to clarify the terms or to limit the actual uses in their terms of service, because they know that the users don't care. Then the fact that these terms of service are drafted in such a broad way makes it very difficult for people who want to read and understand them to actually get an understanding of what they mean. That, in turn, disincentivizes users from actually reading and engaging with them.
While I do agree that information collection in the public sector needs to be watched more carefully, I don't think that this consent-based model is necessarily the answer to the private sector doing whatever they want. Actually, I think that stronger and clearer rules around how private sectors use people's information are very badly needed. I think that the current model is not providing adequate safeguards.
I've seen estimates that if you were to read every terms of service document that you were presented with, it would take something like 200 hours out of your week. It's not practical for people to actually be their own safeguards on this issue.
Sorry. I realize I am straying a little from the question.
I would add that regular reviews are a good idea. I think five-year reviews have been among the recommendations for both the Information Commissioner and the Privacy Commissioner. I think they are a great idea.
You mentioned that it's been over 30 years, and there haven't been any amendments. Canada was, I think, the eleventh country in the world to pass an access to information law. There are now, I believe, 113 laws that have been passed around the world, so standards have advanced tremendously in the intervening years. There's an important need to keep up, so regular reviews written into the legislation are a very good idea.
I would add that I completely agree with writing things in a technologically neutral fashion. That's always a good model for legislation generally.
I would also mention that progressive implementation of proactive disclosure obligations can be a good measure, as we see in a lot of different laws in which obligations for what should be disclosed ramp up over time. We do see this happening to an extent with the government, which is pioneering new open data initiatives and expanding new ways to engage with people. That is great.
However, what some countries do is that they allow the Information Commissioner—and I sort of hinted at this in my presentation—to set regulations about what levels of disclosure should be expected, and then those obligation levels can level up over time.
I'll reiterate that we're not opposed to order-making power. We're on the fence about it, and to me it seems like an issue of efficacy more than anything else. I'm inclined to defer it to the Privacy Commissioner, if they think it will help them to do the job better.
I don't think the argument that if one commissioner has it, therefore the other commissioner has it holds a lot of water with me. It's more that you look at the commissioner's specific mandate, you look at their success in implementing their recommendations, and you look at the tool kit they have available to them and the needs they have. You design particular powers around that. These commissioners are structurally similar in a lot of ways, but have very different mandates, so I do think they require different considerations. That was the way I was trying to frame it.
With the divide between public sector and private sector, there are enhanced procedural considerations if you want to talk about an organization that is levying fines, and potentially large fines. There have been a lot of pushback complaints from the private sector about the anti-spam mechanism, about CASL, and the way fines have been levied there. I think people in the private sector are a bit concerned about that.
I have heard from private sector people on the argument I made about private sector interests being less likely to co-operate with an agency that has order-making powers. You hear that from people in the private sector. You have to take it with a grain of salt because, of course, they don't want to be overseen by an organization that has power to fine them. They would prefer an organization that doesn't have those powers to be overseeing them. There's an obvious interest there, but I also don't think it can be entirely discounted. I would defer to the Privacy Commissioner if the question is framed specifically on efficacy.
When you're limiting the order-making powers so that they only apply to government, I think if you did it in that way, then it would certainly limit some of the concerns, and that would make the argument for parity a little bit better. If you look at the Privacy Commissioner's role specifically with regard to interacting with public bodies, you see it is quite similar to the Information Commissioner's role.
However, the Privacy Commissioner also needs to have the tools available to properly protect Canadians' privacy, particularly in the private sector, particularly when you look at the failures of the consent-based model, which I went into a little bit before. I do think there need to be stronger rules in place. Whether that's done through orders from the Privacy Commissioner, whether it's done through legislation or regulations, or whether it's done through recommendations, I'm not sure, but I do think there needs to be greater clarity.
I have a brief point about the private sector, but it relates to all of it.
In the private sector, of course, we have two different sets of regimes. We have PIPEDA, which is the federal regime, and then we have substantially similar regimes in a number of other provinces, including British Columbia, which we're familiar with. You have the unusual situation of the commissioner making recommendations under PIPEDA, while in British Columbia, our commissioner issues orders.
We were involved in a case in which an insurance company had been ordered to get explicit consent from their customers for use of their credit information to determine the level of their premiums, so we had an actual order. Eventually another complaint was brought under PIPEDA from Ontario, a PIPEDA-level resolution was reached, and the organization ended up doing this at a national level.
It could create an interesting situation. You could have one substantially similar jurisdiction where there's an order in place and an organization or a company is required to do something, but not in the PIPEDA jurisdiction.
This is another reason we are in favour of order-making power for the Privacy Commissioner, both public and private.
Thank you very much, colleagues.
I thank our witnesses for coming in today.
Thank you, Mr. Gogolek, for appearing again, and thank you, Mr. Karanicolas, for your personal first appearance on behalf of your organization, the CLD.
I expect that we'll have an opportunity to call you or your organizations back again at some particular point in time as we review other legislation that's relevant and germane to this committee's business. We thank you very much for your time.
Colleagues, I have some things that I need to discuss with you. They involve the availability of witnesses whom we've asked to come before the committee on a study unrelated to this one. I would like to protect the personal information of some of these witnesses, so I would love to entertain a motion to go in camera.
A voice: I so move.
(Motion agreed to)
The Chair: We'll suspend for a second to go in camera. Let's get back to work as soon as possible. We only have a few minutes. Thanks.
[Proceedings continue in camera]