Thank you very much, Mr. Chair.
Thank you to the members of the committee for inviting us to speak today on this very crucial need to overhaul the Privacy Act, and thank you for accepting to look at this issue as a matter of priority in the workings of your committee.
You mentioned my two colleagues. I should add that I'm making a statement today, and we will answer your questions, but we will provide the committee with a fuller submission, with recommendations, in the week when you're back from the break that you mentioned, the week of March 21.
When the Privacy Act was proclaimed on Canada Day back in 1983, it was a development that Canadians could celebrate, as Canada became a world leader in privacy law. Unfortunately, more than three decades have since passed without any substantive change to a law designed for a world where federal public servants still largely worked with paper files. Technology, on the other hand, has not stood still. In the digital world, it is infinitely easier to collect, store, analyze, and share huge amounts of personal information, making it far more challenging to safeguard all of that data and raising new risks for privacy.
Largely in response to those changes, many other jurisdictions—in Canada and around the world—have moved to modernize their laws. It's also important that we move to reform the antiquated Privacy Act to provide Canadians with a law that protects their rights in an increasingly complex environment.
Our recommendations fall under three broad themes: first, responding to technological change; second, legislative modernization; and third, the need for transparency.
Let's start with our first theme: technological change.
Technological change has allowed government information sharing to increase exponentially. Existing legal rules are not sufficient to regulate this kind of massive data sharing. We would therefore recommend that the Privacy Act be amended to require that all information sharing be governed by written agreements and that these agreements include specified elements.
The fact that government departments collect and use ever-greater amounts of personal information has also increased the stakes when it comes to privacy breaches. Over the years, we have seen massive government breaches affecting tens, even hundreds, of thousands of citizens.
We recommend creating an explicit requirement for institutions to safeguard personal information under their control as well as a legal requirement to report breaches to my office.
Let's now move on to our second theme, which is legislative modernization.
We believe that the Privacy Act needs to be aligned with the legal reality of 2016.
Among other things, the law should be amended so that Federal Court review under the Privacy Act is broadened to cover all rights.
Currently, the only cases that may be pursued in Federal Court under the Privacy Act are those involving denials of access to personal information. We cannot pursue cases involving collection, use, and disclosure. Since there can be no right without a remedy, there is a risk that the rights of individuals will go unheeded.
While we are pleased that in the vast majority of cases, government departments do eventually agree to implement our recommendations, the process to reach that point is often prolonged and arduous. So how do we speed up the process?
I am not seeking order-making powers at this time. In my view, increasing the scope of court intervention would offer an adequate protection of rights. I would suggest that adopting a new approach recently enacted in Newfoundland and Labrador’s access and privacy law should help bring more rigour and speed to the process, while maintaining the informality of the ombudsman model.
In Newfoundland and Labrador, on receipt of the commissioner’s recommendations, a public body in the province must either comply or apply to court for a declaration that they do not need to take the recommended action. This creates an incentive for government to respond to complaints in a more timely and disciplined manner, without creating the costs of a more formal adjudicative system. Such a system could reduce the risk that some may perceive a conflict between the commissioner's roles as impartial tribunal and privacy champion.
Another key recommendation to ensure adequate regulation, in an environment where technology makes possible the collection of massive amounts of personal information, is an explicit necessity requirement for the collection of personal information. This change would protect against excessive collection and align the Privacy Act with other privacy legislation in Canada and abroad.
We also recommend the creation of a legal requirement for institutions to conduct privacy impact assessments and to submit them to my office for review. New information sharing agreements should be similarly submitted. The use of PIAs by institutions, as well as their timeliness and quality, have sometimes been uneven. A legal requirement would ensure PIAs are conducted in a thorough manner and completed before new programs are launched or when information management rules of existing programs are substantially modified.
Additionally, there should be an obligation on government to consult my office on bills that will affect privacy before they are tabled in Parliament.
Finally, to ensure we do not again have a badly out-of-date law in the future, it would be useful to add a requirement for ongoing parliamentary review of the Privacy Act every five years.
Our third and final theme is enhancing transparency.
An important component of transparency is providing individuals with access to their own personal information. As the Supreme Court of Canada has affirmed several times, the Access to Information Act and the Privacy Act should be seen as a “seamless code”. Privacy is an important enabler of transparency and open government by providing individuals with access to their own personal information held by federal institutions. At the same time, though, privacy is also a legitimate limit to openness if personal information risks being revealed inappropriately. For these reasons, I commend the committee for its decision to consider the two statutes together.
One important transparency measure would be to allow my office to report proactively on the privacy practices of government. Reporting to parliamentarians and Canadians only once or twice a year on how the government is managing privacy issues through annual or special reports to Parliament is, in our view, inadequate. We would like to be in a position to share this information in a more timely way.
I would also suggest extending the application of the Privacy Act to all government institutions, including ministers' offices and the Prime Minister's Office. While the Privacy Act may not the best instrument to do this, Parliament should also consider regulating the collection, use, and disclosure of personal information by political parties.
As well, I support extending the right to access personal information held by federal institutions to all persons, rather than only Canadians and those present in Canada. We favour maximizing disclosure to those whose information is at stake, subject to exemptions that are generally injury-based and discretionary.
Canadian courts have been clear that where privacy and access rights conflict, privacy will take precedence, although this is not absolute.
The Privacy Act already permits the disclosure of personal information where, in the opinion of the head of the institution, the public interest clearly outweighs any invasion of privacy. This form of public interest override, in our view, strikes the right balance between privacy and access.
Again, I wish to thank the committee for undertaking this critical work, which I hope will lead to a modernized law that protects the privacy rights of all Canadians. I look forward very much to answering your questions today and helping the committee in any way that the office can provide in your critical study.
As I said in my remarks, the Supreme Court has already held that the two pieces of legislation should be seen together as a seamless code. What does that mean specifically? Certainly, both statutes provide a right of access. In the case of the Access to Information Act, access to general information held by the federal government and its institutions, and in the case of the Privacy Act, a right of access to personal information held by the same institutions. That is a very important common element.
In both statutes, there are provisions that call for certain exceptions or exemptions to that right, to protect certain interests: law enforcement, international relations, etc. The right of access and the exceptions to the right of access are extremely similar in the two pieces of legislation, and I think that is the core of what the Supreme Court is referring to when it says the two acts constitute a seamless code.
If you amend the right of access or the exceptions in one act, normally you should do the same, or certainly you should consider whether to do the same, in both pieces of legislation. My colleague, the Information Commissioner, also has a number of recommendations that have to do with coverage, i.e., which institutions should be covered by the Access to Information Act.
I think that, if you change coverage in one act, you should at least consider whether to amend coverage in the other act. This would deserve some thinking and consideration, but I am inclined to think that if coverage is extended in one piece of legislation, it might not work very well if the same decision is not made for the other act.
However, there are limits to the seamless code idea. For instance, it is not obvious to me that if one commissioner has order-making powers, the other commissioner needs to have the same powers exactly. I could envisage the two acts working differently on that point. It might be desirable to let the acts work in the same way, but it might not be necessary. Certainly, for right of access and exceptions, and most likely for coverage.... On other issues, there might be room for separate decisions on the two pieces of legislation.
Bill , whose short title is the Anti-terrorism Act, 2015, had a number of parts. The first part pertained to the sharing of information between federal institutions, including personal information held by federal institutions. Such information can now be shared between government departments and 17 agencies that have specific responsibilities for suppressing or detecting terrorism. What Bill C-51 does is allow all federal departments to disclose personal information to these 17 agencies if it is relevant to detecting or suppressing terrorism.
We had concerns about the lack of comprehensive oversight mechanisms and the evidence threshold for sharing information, among other things.
I understand that the government plans to introduce a bill or conduct a study to review Bill C-51. We think that is an excellent idea.
The purpose of Bill was to give the Canadian Security Intelligence Service, CSIS, explicit authority to operate outside Canada. Before this bill was introduced, CSIS exercised its powers in Canada. Bill C-44 enabled CSIS to extend its activities outside the country. CSIS and the government were of the opinion that this was already provided for implicitly. Bill C-44 authorized it explicitly. The bill more explicitly authorizes information sharing between CSIS and similar agencies in other countries.
The concern we raised had to do with the risk of human rights violations, depending on the countries to which this information would be disclosed. We recommended that steps be taken to control this information sharing in order to avoid torture, for example, in the worst-case scenario.
Bill had to do with online crime in general, but amended the other law that my office administers, the Competition Act, to allow private companies to give information to police in investigations where electronic documents or personal information could be relevant. That applies in the case of online crime, but also more generally.
We had some concerns about that as well. We felt that the scope of the bill was too broad and that some provisions might not comply with a recent Supreme Court decision in Spencer, which provides for protection of some metadata when people use the Internet to share personal information.
I'll start by saying we're not asking for order-making powers at this time. I'm not opposed in principle to order-making powers. At the end of the day I think we can get to the same place differently in a way that would satisfy all concerns and without creating certain risks potentially. Why order-making powers? Madame Legault and I agree on many things, and we're not that far apart. I think she testified—and that is the situation with us as well—that when there are complaints either to her office, or to my office, government departments ultimately agree to act in the way we recommend them to act.
Order-making powers are not empirically required to change the way that government departments respond to our complaints, because ultimately they do. The issue is more the time it takes for government to reach that stage. Part of her argument, and I agree with her, is that currently the process is quite long. I said that in my remarks as well. There is an exchange of correspondence with government departments that sometimes takes two, three, or four iterations before we get to the right place. That may be in part because all we can do is to recommend, and there is no sanction for government not to act promptly in responding to our investigations.
An order-making power would create the right incentive for departments to act promptly and respond to our requests, but I think the Newfoundland model that I'm suggesting to you gets to the same place by amending legislation. I would continue to make recommendations and not orders, but according to the Newfoundland model these recommendations have to be complied with by government, unless they take the matter to court and challenge the recommendations made.
We get to the same place, just to finish on the question of the potential risks of an order-making power. Over the years there has been much discussion around the fact that order-making powers mean a more formal process. That certainly has the potential to be costlier, to involve more in terms of procedural rights, and so on. There's the potential for that, and that's one factor.
Another factor is that if there are order-making powers in a body that also has a responsibility, which I'm recommending here, to promote privacy rights, can you have in the same place a body that promotes privacy and the same body adjudicating impartially on the rights of Canadians vis-à-vis a government institution? I'm not saying it's incompatible. It's possible perhaps in terms of structure to build Chinese walls and to make these distinctions.
I'll deal with that in two stages: first, before the legislation was adopted; and then after.
Before the legislation was adopted, this recommendation followed a review by a committee or commission presided over by Mr. Wells, the former premier and chief justice, and Madam Stoddart, with a third commissioner. They did a thorough review of the legislation in place in Newfoundland.
On this question of order-making versus not, we can provide you with a summary of that report. Those are the considerations I'm putting before you. Order-making could be more formal and more costly. It could create risks in terms of conflict of roles with the promotional role. They came up with this model. That's what they recommended. That's what the legislature adopted in Newfoundland.
On the second phase, the legislation was adopted in June of last year. It's recent.
I spoke with my Newfoundland colleague, the commissioner. He said it had exactly the impact that was desired, i.e., submissions by government are more prompt and they are of better quality. To date there have not been judicial challenges of recommendations, so the government has followed all the recommendations made under that model.
It works. I'm not saying the other model cannot work, but this model, so far, has shown it can work.
I'll start with the second question. Yes, it is still one of our recommendations.
Currently we can inform the public and parliamentarians only in the context of reports to Parliament, which are either annual reports or special reports. Otherwise we're bound by a confidentiality provision under the Privacy Act not to reveal our investigative activities. We continue with that recommendation.
On the question of whether we should legislate metadata, we have put on our website two research papers that seek to inform the public and others as to what metadata is. We have one on IP addresses and another on metadata more broadly, which is an operational, practical description of what metadata is.
Should it be legislated? I would have to give some serious thought to that because it's a difficult beast to define. If you're interested in this, we could get back to you on that point.
On the issue of metadata, I refer to the Spencer case. The Spencer decision of the Supreme Court in 2014 helped a lot in regulating what law enforcement can do with metadata in the context of investigations. There have been recommendations, discussions, or wishes expressed by law enforcement to perhaps change or nuance what the Supreme Court has said. Clearly, I would not be in favour of reducing the protection that comes from the Spencer decision, and if anything, if there was legislation to adopt on that point, my recommendation would be to codify and confirm the principles of Spencer. Would it be a good thing to define metadata? I'm less certain of that, but to confirm the principles of Spencer would be useful.
Thank you very much, Mr. Chair.
Yes, I would like to move that motion and take a bit of time to motivate it.
The way that this came up is there was an access to information request made by a Canadian Press reporter that was recently denied by the government. Some documents were released, but substantial portions of them were left out and not disclosed. The government chose to exercise a discretionary exemption to leave out some of the advice and deliberations from that document.
I think it would be useful for the committee to have a sense of the kind of advice that's being offered to the President of the Treasury Board and to government on how to go forward. I think it would be useful to us because it would help inform the study that we're doing on the Access to Information Act, to get a sense of the kinds of recommendations that are being made to government, and the basis on which those recommendations are being made. I think that would be important for our committee to consider.
I could imagine a government that wasn't committed to openness and transparency maybe not wanting to see such a motion go through, and they might argue, for instance, that.... Frankly, I find it hard to see why this information wouldn't be useful to the committee.
You might argue that the scope of this particular motion is too broad. I would of course be willing to entertain friendly amendments to appropriately narrow that scope if the feeling of the committee is that this scope is too broad. Perhaps we want to try to narrow it down to those particular documents that were the subject of the access request and ensure that members of the committee, and more than members of the committee, members of the public are able to have access to the advice and deliberations on how government might proceed with reforms to the Access to Information Act, and are heard.
I think it was a mistake on the part of the government to deny this particular request and not make that advice and those deliberations open to the public. I think particularly with respect to this piece of legislation it's incumbent on government. I hear a sincere desire from the government to open up a new culture of openness and transparency. What better way to start than by making the discussions around reform to this act as open and as transparent as possible?
It's in the spirit of making the committee's work more useful to government, assisting government, and getting off on the right foot in terms of a culture of openness and transparency, that I move this motion. I hope we can pass it today so that this information might inform our discussion as soon as possible.
Without wanting to undermine any sense of goodwill, I probably won't be supporting this amendment.
I won't do it because there are two components to this motion. One is to have the President of the Treasury Board here in order to have the committee get a better sense of what he may reasonably consider coming from us, not that that would be any restriction on what we could recommend, but to give us a better sense of where he would like to go and how he understands his mandate from the on access to information reform.
I appreciate that that is maintained in the spirit of this amendment, but what's lost is...There are documents and this request, its denial, and subsequent story show that there are documents that may help this committee in its study to get a better sense of what the advice to government should be.
We do have the power to request documents and my understanding...It's written in the House procedures manual that the Standing Orders do not delimit the power to order the production of papers and records. The result is a broad absolute power and then on the surface it appears to be without restriction.
That same guide acknowledges that in practice there may be reasons why people, who are the subject of requests, may not want to provide those documents, but those reservations, on the part of the people who are having that request made, don't in any way limit those powers. We would be well within our right to request those documents. They could serve a useful purpose in our study and it would make sense for us to do so.
I would agree with Sean Holman, who is an assistant professor of journalism at Mount Royal University, who essentially said, with respect to the access request, “What would be so wrong in letting the public know about what options are under consideration by the government?”
I think that rhetorical question has a point to it and I wanted it to be part of the motion. It's the will of the committee, of course, to decide what to do, but for my part I will be voting against the amendment.