Welcome to the 32nd meeting of the Standing Committee on Access to Information, Privacy and Ethics.
We are fortunate to have with us today the Privacy Commissioner of Canada, Mr. Daniel Therrien, who is accompanied by Ms. Sue Lajoie, director general, Privacy Act investigations, and Ms. Patricia Kosseim, senior general counsel and director general, legal services, policy, research, and technology analysis branch.
Welcome and thank you for being here.
We have an hour and a half. We will begin with a presentation by Mr. Therrien, for 10 minutes, followed by questions from MPs.
You have the floor, Mr. Therrien.
Thank you, Mr. Chair, and gentlemen of the committee.
Thank you once again for your invitation and your decision to conduct this important review of the Privacy Act.
I would also like to thank all those experts who have testified before you thus far.
As you have heard from many expert witnesses, the 33-year old Privacy Act is woefully out of date.
Over the past few years in particular, technological developments have been revolutionary, making the collection, use and sharing of personal information by governments much easier.
Last spring, I had recommended amendments to the Privacy Act under three main themes: legal modernization, technological innovation, and the need for transparency.
I stand by these recommendations, but would like to make certain clarifications today.
Many witnesses have asserted, particularly from the provinces, that there is much to be said for a regime of privacy protection that includes binding orders issued at the conclusion of certain investigations.
In my appearance last March, I indicated that the current ombudsman model needs to be changed as it often leads to delays. Furthermore, under the current regime, departments do not have a strong incentive to make complete and detailed representations at the outset, and the current model does not therefore result in a timely, final remedy.
The ombudsman model has been in place since the OPC's inception in 1983. This means in part that I can be both a privacy champion, as well as investigating complaints. These are both vital roles in the protection of privacy and I was concerned that legal reasons would force me to choose one over the other. Specifically, the concern was that the courts would deem that I would not be able to adjudicate complaints impartially if I am also a privacy advocate.
After careful review, last summer in particular, we have concluded that there are indeed legal risks with one body having both adjudicative and promotion functions. Based on our review, however, these risks are likely the same under the hybrid model in Newfoundland and Labrador.
Importantly, crucially in fact, our review also led us to conclude that these risks can be largely mitigated through a clearer separation of adjudicative and promotion functions within the OPC.
This kind of structure, as you know, exists in many provinces. It is important to understand that such a separation would entail certain costs, but we have not yet quantified these.
Since the legal risks and mitigation measures are the same under the hybrid model in Newfoundland and Labrador, the order-making model is in my opinion preferable as it provides a more direct route to timely, final decisions for complainants.
Therefore, as I wrote to the committee in September, I now recommend that the act be amended by replacing the ombudsman model with one where the Privacy Commissioner would be granted order-making powers.
In your committee's report on Access to Information Act reform, several recommendations appeared that were consistent with the policy to promote open and transparent government.
I agree completely with this policy as a cornerstone for public trust and accountability, but I suggest that it should be pursued in a way that protects privacy. As I mentioned several times, the Access to Information Act and the Privacy Act are to be seen as seamless codes, and changes to one act must consider the impact on the other. Changes to the way in which access and privacy rights are balanced under the current legislation should be carefully thought through, including any changes to the definition of personal information, and changes to the Access to Information Act's public interest override.
In my view, these changes should be considered in the second phase of Access to Information Act reform. I was therefore happy to see that your report in June on access, if I read it correctly, did not recommend changes that would affect that balance.
Now here's a word about risks if reform is not pursued. There will be, in my view, real consequences if Canada does not modernize its privacy legislation.
In the public sector, these consequences include, first, risks of data breaches that are not properly mitigated; second, excessive collection and sharing of personal information, which may affect trust in government; and more specifically, third, a reduced trust in online systems that may undermine the government's efforts to modernize its services and coordinate its digital communications with Canadians.
Some governments have already moved forward to strengthen their privacy protection frameworks, most notably the European Union. There is a risk, in my view, that if European authorities no longer find Canada's privacy laws essentially equivalent to those protecting EU nationals, commerce between Canada and Europe may become more difficult. This is not theoretical. This is what happened to the United States when the safe harbour agreement was found invalid by EU courts a few months ago.
Since I last appeared before this committee in March, the Federal Court recently considered the Privacy Commissioner ad hoc mechanism that my office created to provide for an independent review of complaints against my own office. This mechanism was needed when the OPC itself became subject to the Privacy Act with the adoption of the Federal Accountability Act in 2007. In assessing the independence of this mechanism, the court noted this was a question more appropriately addressed by Parliament. I would therefore invite the committee to consider this issue at this point, and we've added this to our revised list of recommendations.
In conclusion, I wish to thank and congratulate the committee for undertaking this critical work, which I hope will lead to a modernized law that protects the privacy rights of all Canadians. We hope that the government will see fit to take action on all of our recommendations.
Since the government has confirmed its intention to amend the Access to Information Act in two stages, we would ask that the following recommendations to the Privacy Act, at a minimum, be part of phase one.
First, an explicit necessity threshold for the collection of personal information should be adopted, so that the easier collection made possible by new technologies is properly regulated in a way that protects privacy. Second, an obligation to safeguard personal information and a breach notification provision should be made explicit in the act, to ensure the risk of data breaches is properly mitigated. Third, a requirement for written information-sharing agreements, with prescribed minimal content, should be adopted to improve transparency.
Finally, amendments consequential to phase one amendments to the Access to Information Act should be made, including replacing the ombudsman model with one where commissioners are given order-making powers to ensure that individuals receive timely, final decisions to their complaints.
Thank you for your attention. I welcome your questions.
The question you're raising actually should make us all think about the worst-case scenario that Canada has experienced since 9/11, which was the Maher Arar case. It is important that we understand the lessons from that case and other lessons from 9/11. Here we had Canada sharing information with the United States and later on with Syria, which led, according to the commission of inquiry, to Mr. Arar being tortured by Syrian authorities. How can you mitigate that?
First of all, Canada does not have complete control of this issue. Of course that's a question of bilateral relations and bilateral agreements between countries, but Canada can certainly make its position known and prescribed in agreements by making sure that, when Canada shares information with another country, the information to be shared is identified and the purposes for which it is shared are identified, and here I do not mean on a transactional basis. It would be too cumbersome to have agreements on a transactional basis. That's not what we're recommending, but we are recommending that there be umbrella agreements that provide more specificity than the act itself on what type of information in a given context will be shared and for what purpose the information will be shared. That's one set of criteria.
As to potential sharing by the country with which we have an immediate agreement to a third country, that should also be part of the agreement with the second country. It should be provided that, in the case of Mr. Arar, an agreement between Canada and the U.S. would provide that the United States would not be able to share information with a third state unless certain conditions were met. I think that would be an important safeguard.
Will the United States or a second country always comply with this agreement? Well, that's a question of bilateral arrangements between countries. Normally, in these situations, countries try to live by their commitments. Is there an absolute guarantee that this would be so? No, but normally these commitments are agreed to, so it would be important, in an agreement like that, that the potential of sharing with a third country, particularly, as you say, one where human rights protection may not be robust, is covered in the agreement with the second country.
First, what is the ill to be solved? The ill to be solved is in part delay, the fact that the current model does not give sufficient incentives for government departments to provide submissions to us, and particularly well-thought-out submissions early on in the process. That leads to delays for the person who should benefit from the intervention of the Privacy Commissioner, the person who makes a complaint. The order-making recommendation is meant to give the complainant a timely response and a final response that will not drag on in the courts forever.
I've dealt with the issue of timeliness. In the current system, departments do not necessarily have to give us full submissions from the get-go. It's possible for them to make their real case before the Federal Court because we can only make recommendations but it is the Federal Court that can actually order a federal institution to do something consistent with the Privacy Act. We have seen cases where departments gave us a set of submissions in our investigation and have then augmented these submissions when they were before the Federal Court. I think that's also inconsistent with the desire to have timely final decisions for the complainant as soon as possible.
These are two issues that order making would try to address. I was originally and I am still of the view that there is a risk with order making as well as with the Newfoundland model that if the Privacy Commissioner has a promotional role, a privacy champion role, and an adjudicative role, these two roles can conflict. Our analysis over the past few months has confirmed that unless you take measures to divide certain functions internally, the courts will likely intervene and say you're not impartial when you adjudicate because you took a position as an advocate that showed how you were disposed to look at a certain issue, and you maintained that position and did not listen to the facts carefully. That's a real risk.
I was concerned with that risk from the get-go. We thought originally that the Newfoundland model could potentially offer a solution but after further review we think that actually the risk is the same whether it's order making or the Newfoundland model, so if the risk is the same, if the mitigation measures, namely division within the OPC, are the same, I'd rather have order making because between the two models it's the one that provides the most direct route, the faster route, for the person we should care about, which is the complainant.
I think it applies to most sectors, actually.
Under European law, part of the privacy protection given to EU nationals by European law is that the substantive protection standards provided under EU law essentially are transferred when information goes outside Europe. Europe only allows the transfer of data outside of Europe if Europe is satisfied that the protections in place in the other country are adequate, or according to a recent judgment from the European court of justice, essentially equivalent to those in place in Europe.
In Europe, an important safeguard for privacy protection is the necessity and proportionality test. When I recommend to you that collection and other activities occur on a necessity test, I have in mind the protection of Canadians primarily, but it may also be useful when Europe ultimately assesses Canada's privacy laws that we have similar concepts in terms of privacy protection.
In the safe harbour case, the European court found that the U.S. privacy protection was not adequate and was not essentially equivalent to that of Europe, and therefore, put an end to what was then the agreement under which personal information was transferred from Europe to the U.S.
Canada has the benefit of having its legislation found adequate by Europe in the early 2000s, but Europe must renew this assessment from time to time. While I'm not saying that this is something we need to have in mind for tomorrow, ultimately Europe will reassess Canada's laws, and I think we would be in a better situation if some of the main concepts of privacy protection in Canada were not a carbon copy of European law but had some equivalency.
I'm not sure I have a specific answer to your question as to what the criteria should be.
Let will begin with the following. Apart from the story that was reported in the media this week, another case was heard in an Ontario court a few months ago. The telecommunications companies complained that the police had access to metadata of a very large number of people who went by a specific location. There was a telecommunications tower which made it possible for data to be transmitted to the police, to which it could have access under a warrant. The telecommunications companies asked the judge to establish conditions in the warrant in order to protect privacy.
The judge ruling on the case stated—and I think this was correct—that he did not have the legal tools to do what the companies were asking, including establishing a period of time during which the police could keep the data obtained under the judge's warrant.
In my opinion, the courts recognized that, even if they wanted to impose conditions on obtaining or keeping metadata, the current legal regime is not clear enough to give them these tools or to impose such a condition. This raises the question as to whether such conditions should be added.
What should the criteria be? I do not have a specific recommendation apart from what we have discussed thus far about criteria such as necessity, proportionality, that only the information needed for a police investigation is obtained under the warrant, that this information is kept only for the time necessary for the investigation, and so forth.
The basic principles of necessity and proportionality seem appropriate to me. How do we articulate this as specifically as possible in the laws that empower judges to authorize the police to access certain information? I do not have a specific recommendation for you. Clearly, we are talking about provisions of the Criminal Code pertaining to orders to keep or produce information. First, the current criteria require court intervention, which is a good thing. Secondly, the criteria are rather lenient. I think we should question whether judges should be empowered, based on the case before them, to give the police the authorization requested and to set conditions to protect privacy.
Should metadata be defined in the Privacy Act? That would be helpful.
Is it in the Privacy Act? We know that the collection, use and sharing of metadata is not authorized under general privacy legislation alone. We would have to find a way to ensure that the definition and the rules surrounding collection, use and sharing—which is the crux of the matter—apply in all cases where such information is used.
I am not pleading here for standardized rules. I recognize that these activities depend on the context. The collection of data for the purpose of identifying risks to national security, the work of the CSE, the Communications Security Establishment, is one context, and the work of the police in a criminal investigation is another context where protections are generally higher.
That said, the applicable rules should certainly be indicated, in a general way. Moreover, the applicable rules should depend on the context.