ETHI Committee Meeting

     Good morning, everyone. Welcome to the last committee meeting before we have a break week next week.

    Appearing before us today is Mr. Daniel Therrien, Privacy Commissioner of Canada.

    We also have the senior general counsel and director general of legal services for policy and research, Ms. Patricia Kosseim.

    We also have the director general for Privacy Act investigations, Ms. Sue Lajoie.

    Mr. Therrien, you understand that we are beginning a study into the review of privacy legislation in our country at the federal level. I know you mentioned this before, when you appeared just a little while ago. I'm really pleased the committee has decided to go down this road as one of the first priorities in its mandate. Hopefully we can come up with some excellent recommendations and update and modernize the legislation. We're beginning our study with you in earnest today.

    We'll open up the floor for 10 minutes. Then we'll proceed to some questions.

    Welcome. We're looking forward to your comments this morning.

    Thank you very much, Mr. Chair.

    Thank you to the members of the committee for inviting us to speak today on this very crucial need to overhaul the Privacy Act, and thank you for accepting to look at this issue as a matter of priority in the workings of your committee.

    You mentioned my two colleagues. I should add that I'm making a statement today, and we will answer your questions, but we will provide the committee with a fuller submission, with recommendations, in the week when you're back from the break that you mentioned, the week of March 21.

    When the Privacy Act was proclaimed on Canada Day back in 1983, it was a development that Canadians could celebrate, as Canada became a world leader in privacy law. Unfortunately, more than three decades have since passed without any substantive change to a law designed for a world where federal public servants still largely worked with paper files. Technology, on the other hand, has not stood still. In the digital world, it is infinitely easier to collect, store, analyze, and share huge amounts of personal information, making it far more challenging to safeguard all of that data and raising new risks for privacy.

    Largely in response to those changes, many other jurisdictions—in Canada and around the world—have moved to modernize their laws. It's also important that we move to reform the antiquated Privacy Act to provide Canadians with a law that protects their rights in an increasingly complex environment.

    Our recommendations fall under three broad themes: first, responding to technological change; second, legislative modernization; and third, the need for transparency.

    Let's start with our first theme: technological change.

    Technological change has allowed government information sharing to increase exponentially. Existing legal rules are not sufficient to regulate this kind of massive data sharing. We would therefore recommend that the Privacy Act be amended to require that all information sharing be governed by written agreements and that these agreements include specified elements.

    The fact that government departments collect and use ever-greater amounts of personal information has also increased the stakes when it comes to privacy breaches. Over the years, we have seen massive government breaches affecting tens, even hundreds, of thousands of citizens.

    We recommend creating an explicit requirement for institutions to safeguard personal information under their control as well as a legal requirement to report breaches to my office.

    Let's now move on to our second theme, which is legislative modernization.

    We believe that the Privacy Act needs to be aligned with the legal reality of 2016.

    Among other things, the law should be amended so that Federal Court review under the Privacy Act is broadened to cover all rights.

    Currently, the only cases that may be pursued in Federal Court under the Privacy Act are those involving denials of access to personal information. We cannot pursue cases involving collection, use, and disclosure. Since there can be no right without a remedy, there is a risk that the rights of individuals will go unheeded.

    While we are pleased that in the vast majority of cases, government departments do eventually agree to implement our recommendations, the process to reach that point is often prolonged and arduous. So how do we speed up the process?

    I am not seeking order-making powers at this time. In my view, increasing the scope of court intervention would offer an adequate protection of rights. I would suggest that adopting a new approach recently enacted in Newfoundland and Labrador’s access and privacy law should help bring more rigour and speed to the process, while maintaining the informality of the ombudsman model.

    In Newfoundland and Labrador, on receipt of the commissioner’s recommendations, a public body in the province must either comply or apply to court for a declaration that they do not need to take the recommended action. This creates an incentive for government to respond to complaints in a more timely and disciplined manner, without creating the costs of a more formal adjudicative system. Such a system could reduce the risk that some may perceive a conflict between the commissioner's roles as impartial tribunal and privacy champion.

    Another key recommendation to ensure adequate regulation, in an environment where technology makes possible the collection of massive amounts of personal information, is an explicit necessity requirement for the collection of personal information. This change would protect against excessive collection and align the Privacy Act with other privacy legislation in Canada and abroad.

    We also recommend the creation of a legal requirement for institutions to conduct privacy impact assessments and to submit them to my office for review. New information sharing agreements should be similarly submitted. The use of PIAs by institutions, as well as their timeliness and quality, have sometimes been uneven. A legal requirement would ensure PIAs are conducted in a thorough manner and completed before new programs are launched or when information management rules of existing programs are substantially modified.

    Additionally, there should be an obligation on government to consult my office on bills that will affect privacy before they are tabled in Parliament.

    Finally, to ensure we do not again have a badly out-of-date law in the future, it would be useful to add a requirement for ongoing parliamentary review of the Privacy Act every five years.

     Our third and final theme is enhancing transparency.

    An important component of transparency is providing individuals with access to their own personal information. As the Supreme Court of Canada has affirmed several times, the Access to Information Act and the Privacy Act should be seen as a “seamless code”. Privacy is an important enabler of transparency and open government by providing individuals with access to their own personal information held by federal institutions. At the same time, though, privacy is also a legitimate limit to openness if personal information risks being revealed inappropriately. For these reasons, I commend the committee for its decision to consider the two statutes together.

    One important transparency measure would be to allow my office to report proactively on the privacy practices of government. Reporting to parliamentarians and Canadians only once or twice a year on how the government is managing privacy issues through annual or special reports to Parliament is, in our view, inadequate. We would like to be in a position to share this information in a more timely way.

     I would also suggest extending the application of the Privacy Act to all government institutions, including ministers' offices and the Prime Minister's Office. While the Privacy Act may not the best instrument to do this, Parliament should also consider regulating the collection, use, and disclosure of personal information by political parties.

    As well, I support extending the right to access personal information held by federal institutions to all persons, rather than only Canadians and those present in Canada. We favour maximizing disclosure to those whose information is at stake, subject to exemptions that are generally injury-based and discretionary.

    Canadian courts have been clear that where privacy and access rights conflict, privacy will take precedence, although this is not absolute.

    The Privacy Act already permits the disclosure of personal information where, in the opinion of the head of the institution, the public interest clearly outweighs any invasion of privacy. This form of public interest override, in our view, strikes the right balance between privacy and access.

    Again, I wish to thank the committee for undertaking this critical work, which I hope will lead to a modernized law that protects the privacy rights of all Canadians. I look forward very much to answering your questions today and helping the committee in any way that the office can provide in your critical study.

    Thank you very much, Mr. Therrien. That was a very good opening set of remarks. We have lots of recommendations from you and it was very clear.

    We're going to start our seven-minute opening round now with Mr. Lightbound.

    First, I want to thank the three of you for being here today, it's much appreciated.

    My first question would be regarding one of the last elements that you mentioned in your presentation to us today, that it is worthwhile for the committee to consider the Access to Information Act and the Privacy Act both at the same time. I was wondering if you could elaborate on the interplay between the two statutes and where we should focus on as we review the two of them in parallel.

     As I said in my remarks, the Supreme Court has already held that the two pieces of legislation should be seen together as a seamless code. What does that mean specifically? Certainly, both statutes provide a right of access. In the case of the Access to Information Act, access to general information held by the federal government and its institutions, and in the case of the Privacy Act, a right of access to personal information held by the same institutions. That is a very important common element.

    In both statutes, there are provisions that call for certain exceptions or exemptions to that right, to protect certain interests: law enforcement, international relations, etc. The right of access and the exceptions to the right of access are extremely similar in the two pieces of legislation, and I think that is the core of what the Supreme Court is referring to when it says the two acts constitute a seamless code.

    If you amend the right of access or the exceptions in one act, normally you should do the same, or certainly you should consider whether to do the same, in both pieces of legislation. My colleague, the Information Commissioner, also has a number of recommendations that have to do with coverage, i.e., which institutions should be covered by the Access to Information Act.

    I think that, if you change coverage in one act, you should at least consider whether to amend coverage in the other act. This would deserve some thinking and consideration, but I am inclined to think that if coverage is extended in one piece of legislation, it might not work very well if the same decision is not made for the other act.

    However, there are limits to the seamless code idea. For instance, it is not obvious to me that if one commissioner has order-making powers, the other commissioner needs to have the same powers exactly. I could envisage the two acts working differently on that point. It might be desirable to let the acts work in the same way, but it might not be necessary. Certainly, for right of access and exceptions, and most likely for coverage.... On other issues, there might be room for separate decisions on the two pieces of legislation.

    Thank you.

    I have a second question.

    Regarding the disclosure of personal information, you said in your 2014-15 report that Bills C-13, C-51, and C-44, if I'm not mistaken, which now have the force of law, had a serious impact on the disclosure of personal information without people's consent.

    Can you elaborate on Bill C-51? We have heard a great deal about information sharing between institutions. I am less familiar with Bills C-13 and C-44. I'd like you to talk a bit more about these three bills and the changes they made when it comes to disclosure.

    Bill C-51, whose short title is the Anti-terrorism Act, 2015, had a number of parts. The first part pertained to the sharing of information between federal institutions, including personal information held by federal institutions. Such information can now be shared between government departments and 17 agencies that have specific responsibilities for suppressing or detecting terrorism. What Bill C-51 does is allow all federal departments to disclose personal information to these 17 agencies if it is relevant to detecting or suppressing terrorism.

    We had concerns about the lack of comprehensive oversight mechanisms and the evidence threshold for sharing information, among other things.

    I understand that the government plans to introduce a bill or conduct a study to review Bill C-51. We think that is an excellent idea.

     The purpose of Bill C-44 was to give the Canadian Security Intelligence Service, CSIS, explicit authority to operate outside Canada. Before this bill was introduced, CSIS exercised its powers in Canada. Bill C-44 enabled CSIS to extend its activities outside the country. CSIS and the government were of the opinion that this was already provided for implicitly. Bill C-44 authorized it explicitly. The bill more explicitly authorizes information sharing between CSIS and similar agencies in other countries.

    The concern we raised had to do with the risk of human rights violations, depending on the countries to which this information would be disclosed. We recommended that steps be taken to control this information sharing in order to avoid torture, for example, in the worst-case scenario.

    Bill C-13 had to do with online crime in general, but amended the other law that my office administers, the Competition Act, to allow private companies to give information to police in investigations where electronic documents or personal information could be relevant. That applies in the case of online crime, but also more generally.

    We had some concerns about that as well. We felt that the scope of the bill was too broad and that some provisions might not comply with a recent Supreme Court decision in Spencer, which provides for protection of some metadata when people use the Internet to share personal information.

     We've gone about a minute over seven minutes. It was a good answer so I let that continue.

    We now move to Mr. Jeneroux for seven minutes.

    Thanks again everyone for being here.

    Clarify for me, do you have investigative powers? We had a few of your colleagues here in the room. Do you need a complaint to investigate, or can you investigate without a formal complaint?

     We can receive complaints, but yes we can initiate a complaint when there are reasonable grounds to do so.

    Thank you for clarifying that.

    Let me read you a short statement and get your comments on it. “We will accelerate and expand open data initiatives, and will make government data available digitally, so that Canadians can easily access and use it.”

    To some in that room, that may mean real change, but to me it's a lot of vague words and buzzwords. Do you mind commenting on how you see that, and how you interpret that statement in terms of how you're now going to work with the new government?

     Just to be clear, we're talking about what is found in the mandate letters of certain ministers on the issue of open data.

    This is from page 25 of the document entitled “Real Change: A New Plan for a Strong Middle Class”.

    Yes, the statement was found in the platform of the now governing party and perhaps, if I'm not mistaken, in the mandate letters of certain ministers.

    Here, we're into one of the themes on the reform of the Privacy Act, transparency. I wholeheartedly agree with the objective of a more open government and more transparency. In the context of the Privacy Act, the most important manifestation of this is that the act should be clarified and amended to provide for more access, to circumscribe the exceptions to the extent possible.

    What you referred to is less on the issue of law and principle, it's more on the question of pragmatic and practical access by people to information. Again, I applaud any initiative that would provide easier access by citizens to their personal information or to other information under the Access to Information Act.

    We haven't been consulted on how this would actually occur in practice, so I applaud the principle and objective, but I'm not sure exactly what the government has in mind in terms of how to make this work in practice. I would suggest that perhaps you would wish to put these questions to Treasury Board officials if they appear before you.

    It's the government that has the lead in determining how this will happen in practice and Treasury Board will provide you with more information than I can provide.

    I thought there would have been some consultation, but perhaps not.

    Talking about the need for education, your 2014 study found that most people believed privacy protection began with them and you previously stressed the need for education. Talking especially about our younger generations and the cloud system, we all have iPhones and iPads now, what role do you see, that perhaps pertains within the act, in increasing that level of education?

    Is that something that is outside the scope of the act or is that something we can focus on and bring within the act?

    Public education is a statutory obligation that my office has under the private sector legislation, PIPEDA. There's no corresponding provision in the Privacy Act. We undertake some training of government officials, for instance, on how to apply the Privacy Act, but we do not have a statutory mandate, a legal mandate, under the Privacy Act to undertake public education activities.

    We think there is just as much of a need to educate the public in terms of how the government complies with its obligations as there is in relation to the private sector.

    Canadians, when we ask them through polls, are of the view that the sensitivity of the information that they give to government...The fact that when you're dealing with the private sector, there is an element of consent and choice that does not exist with the government for the most part. For example, if you want a service, you must provide certain information. Canadians expect as much in relation to government as they do for the private sector.

    You mentioned that the Privacy Act is probably not the best instrument to regulate collection, use, and disclosure of personal information by political parties. In your opinion, what is the best instrument to hold the ministers and the Prime Minister's Office accountable to the Privacy Act?

     There are two things here. For minister's offices and the Prime Minister's Office, the Privacy Act is the correct instrument to regulate the handling of personal information.

    When you look at the coverage of the access and privacy acts, I would come at it from the perspective that there's currently a list of departments and institutions that are part of the executive branch that are covered by the Privacy Act. As a general rule, the entire executive branch and all government institutions should be covered by the Privacy Act, including minister's offices and the Prime Minister's Office.

    On the question of political parties, I'm coming to that conclusion because coverage is an issue that is before you, so who should be covered who is not covered? There has been a lot of discussion and concern about the fact that the collection and use of personal information by political parties is currently unregulated. Canada is one of the few countries in which this is so. Canada and the U.S. are the outliers here. In most other countries, the personal information managed and collected by political parties is regulated in some manner by law.

    I don't think the Privacy Act is the right instrument because it's essentially designed for the management of information by a government department. Many of its provisions are drafted with that in mind and political parties do not operate in the same context.

    However, I will take this opportunity to say that in terms of coverage, if there's one institution where there is a gap in terms of regulation, and that needs to be remedied, it would be political parties.

    Thank you.

     Mr. Blaikie, for seven minutes.

    Thank you very much for your presentation.

    I'm sure you are following the debate in the United States about Apple and access to text messages without permission. I'd like to know your thoughts on that. Do you think there is a principle to uphold, based on the idea that some messages will not be accessible, in principle, because the police don't have a way of accessing them?

    That is a very complicated issue involving two extremely legitimate but conflicting interests.

    The issue has come up in the case of Apple, but it could just as easily come up in Canada. The specific issue has to do with companies like Apple that produce telephones and computers where data are encrypted.

    On the one hand, encryption is extremely important in protecting personal information.

    On the other hand, private companies obviously have to be subject to the law. This case has to do with producers of telephones and companies that provide communication services. These companies are governed by law. Ultimately, the law applies to them.

    Legislators need to ask themselves a fundamental question about law enforcement bodies. In this case we are talking about Apple versus the FBI, but we could be talking about Canada's police forces or Parliament. In practical terms, if law enforcement bodies want access to information that is encrypted and difficult for them to access, the law could cover that. Is it a good idea to have a law to force companies to decrypt information if that removes protection that is generally essential to people?

    It is a complex issue. We need to be very careful before we go ahead and legislate on such issues.

    Thank you very much.

     Just to go back quickly to the issue of political parties. I was wondering if you could explain a little more, first of all, where you think it would make sense to make changes, if Parliament is going to make changes. Second, could you put a little meat on the bone in terms of some of the concerns about personal information, and what kind of personal information parties may be using right now that they oughtn't use in the ways that they may be using them?

    I start from the principle that information collected by political parties will, for the most part, be quite sensitive personal information because it goes to political opinion. We don't explicitly refer in Canadian law to what is referred to explicitly in Europe as the distinction between general personal information and sensitive personal information. Nevertheless, political opinion is obviously very sensitive personal information.

    I think it's wrong that the management of that kind of sensitive information is unregulated. Do I have examples of wrongs committed? I don't know. We can't investigate. We don't have the jurisdiction to investigate. I'm starting from the premise of the sensitivity of the information that is unregulated. Why is it unregulated? Because parties fall in between the Privacy Act and PIPEDA. They are not government institutions, but they are not commercial institutions. If they were either of the two, we wouldn't be talking about this. They fall in between.

    If the changes don't come in the Privacy Act, would you still think it appropriate that it be your office that has the capacity to provide that kind of oversight?

    I'm not asking for it; I'm not rejecting it. I'll say that in British Columbia my equivalent colleague does have jurisdiction over political parties under the equivalent of PIPEDA, the private sector legislation in British Columbia. So it's certainly an option.

    I'm not asking for this. There might be others who would be able to do this. We have expertise in terms of privacy that would make us one of the candidates to have that mandate.

    I wonder if you could speak to what you think are the relative advantages and disadvantages, say, of having two separate commissioners for information and privacy. We've talked a little about how these acts complement each other. Does it make sense to have one commissioner really overseeing both acts, or do you think there are advantages in the current system that trump whatever advantages may come with having one commissioner?

    The first thing I'll say is that our recommendations before you have to do with substantive legal rules as opposed to mechanics and architecture. We don't have recommendations before you on architecture. In large part this is because this act is so old that we need to cut to the chase and get to having improvements on a dozen or so very important substantive issues. We haven't looked in great depth at the issue of architecture.

    I will say, though, that I would not be inclined to regroup the two institutions under one roof, in part because I'm responsible for the Privacy Act with respect to government. I'm also responsible for PIPEDA with respect to the private sector. So all the telcos, all of the manufacturers such as Apple and so on, Google.... I have quite a bit on my plate and we don't have infinite resources.

    At the end of the day I think it is a good thing for the protection of the privacy rights or access rights of Canadians that they have two commissioners, two offices, with different responsibilities, although they share similar rules. I think Canadians are better served that way.

    Thank you very much, Mr. Blaikie.

    Mr. Saini. You have up to seven minutes, please.

     Mr. Therrien, I want to thank you and your colleagues very much for coming here this morning.

     I wanted to ask you a question about something you said in your opening comments. I want to refer that back to the testimony of the Information Commissioner when she was here. Madame Legault, in her report on striking the right balance, stated categorically and unequivocally that she preferred the order-making model, and that 68% of bodies generally use that mechanism. You stated in your opening comments that you were not seeking these powers. Since we are reviewing the Privacy Act, do you not believe this should be included, and do you not believe this would be more advantageous for you to do your job in a more efficient and effective way?

     I'll start by saying we're not asking for order-making powers at this time. I'm not opposed in principle to order-making powers. At the end of the day I think we can get to the same place differently in a way that would satisfy all concerns and without creating certain risks potentially. Why order-making powers? Madame Legault and I agree on many things, and we're not that far apart. I think she testified—and that is the situation with us as well—that when there are complaints either to her office, or to my office, government departments ultimately agree to act in the way we recommend them to act.

    Order-making powers are not empirically required to change the way that government departments respond to our complaints, because ultimately they do. The issue is more the time it takes for government to reach that stage. Part of her argument, and I agree with her, is that currently the process is quite long. I said that in my remarks as well. There is an exchange of correspondence with government departments that sometimes takes two, three, or four iterations before we get to the right place. That may be in part because all we can do is to recommend, and there is no sanction for government not to act promptly in responding to our investigations.

    An order-making power would create the right incentive for departments to act promptly and respond to our requests, but I think the Newfoundland model that I'm suggesting to you gets to the same place by amending legislation. I would continue to make recommendations and not orders, but according to the Newfoundland model these recommendations have to be complied with by government, unless they take the matter to court and challenge the recommendations made.

    We get to the same place, just to finish on the question of the potential risks of an order-making power. Over the years there has been much discussion around the fact that order-making powers mean a more formal process. That certainly has the potential to be costlier, to involve more in terms of procedural rights, and so on. There's the potential for that, and that's one factor.

    Another factor is that if there are order-making powers in a body that also has a responsibility, which I'm recommending here, to promote privacy rights, can you have in the same place a body that promotes privacy and the same body adjudicating impartially on the rights of Canadians vis-à-vis a government institution? I'm not saying it's incompatible. It's possible perhaps in terms of structure to build Chinese walls and to make these distinctions.

    The reason, Mr. Commissioner, that I raise this point is that you mentioned earlier that it has been 30 years since this act was revised. I'm saying it in this manner because we're in the process of reviewing the act, and we don't know in the future when it will be reviewed. You mentioned in your recommendations that you would like it done every five years. That may or may not happen. Would it not be more prudent in terms of thinking of the future if we put this provision in now so that it would not complicate or inhibit a future commissioner who may have to testify in front of a body that may not necessarily want real change?

     The order-making model is a legitimate model, but it's not the only model out there. In Canada I think there are eight jurisdictions without and five with. It's a very legitimate model, but it's not the only one.

    I think we're getting to exactly the same place, addressing the same concerns, through this legislation that was adopted in Newfoundland after very serious consideration by a committee that included the former chief justice of the Newfoundland Court of Appeal and my predecessor, Madam Stoddart. It also, I submit, is a very prudent model that gets to the same place without some of the risks.

    You don't think it would be prudent to put that mechanism in any review that we conduct now, to give in the future...? You talked about the Newfoundland model, which I appreciate. But do you not foresee that maybe having that in the provisions now would help in the future, help a future commissioner if something else arises, if the act is not necessarily reviewed every five years?

    It's a question of judgment. In my judgment, prudence is in favour of the Newfoundland model. I'm not saying the other model is imprudent, but I think overall, looking at all of the considerations I've put before you, prudence is in favour of that model.

    Thank you very much.

    We'll now move to the five-minute round.

    Mr. Kelly.

    Previous suggestions for amending the Privacy Act have included broadening and clarifying which federal institutions are covered by the act. Could you provide us with some examples of federal institutions that are presently not covered by the act that you believe should be covered? What factors contribute to the needs to these institutions that are currently not covered to be covered?

    I'm recommending that all of the executive branch be covered by the Privacy Act, including the PMO and ministers' offices. Why? The Privacy Act is intended to provide access by citizens to information that government holds about them. That relates to service delivery, to conferring rights. There is personal information held in ministers' offices and the PMO that is extremely relevant to service delivery and how rights are delivered.

    Many statutes provide statutory responsibilities to ministers, who then delegate them in the bureaucracy. A lot of the information that relates to these questions is in the bureaucracy, and that's currently accessible. But ultimately it's the minister who's responsible to make these determinations, and in some cases the ministers personally do make these decisions. It shouldn't matter whether the information rests in the bureaucracy or in a minister's office if it's the same kind of information that can potentially be used for the same statutory purposes.

    At present, ministers' offices and the PMO are not subject to the current privacy law, and you believe that's a change that should be made.

    Yes.

    Okay.

    This is somewhat along the line of Mr. Saini's question. The Newfoundland and Labrador model that you mentioned sounds to me like an order-making model, in that the recourse to court is the only way to avoid an institution having to apply. How is that different from an order-making model?

    At the end of the day, the commissioner issues a recommendation, which obviously has a lot of weight, because it needs to be heeded. Otherwise, the government needs to go to court. But it is a recommendation. I think the procedural way in which these recommendations are made potentially would be lighter, less formal, less costly, and less open to challenges that it is potentially inconsistent with the promotion roles of the commissioner.

    They are not far apart, I totally agree, but I think it's a distinction that matters. As I say, I agree with my colleague on what the ills are. The ills are mostly in terms of the length and duration of the process. I'm just suggesting a different way to get to the same place with fewer risks, in my view.

     We heard from a variety of provincial commissioners in our meeting earlier this week. What I found interesting was that in each of the provinces we heard from, there's a dual mandate with the access to information and privacy. All three of the commissioners we heard from were quite forceful in their suggestions that this was the correct model, because the two pieces go hand in hand.

     I listened to your presentation and to Mr. Blaikie's earlier question. You don't agree that both of those pieces should be handled by the same commissioner, and I will get you to comment again on that. All three of the commissioners were quite adamant that both pieces should belong to one commissioner.

    My starting point, again, is that we've not looked at this question of architecture in great detail. I'm not philosophically opposed to this; I'm just being pragmatic. I'm looking at our responsibilities and the responsibilities of the Information Commissioner. There may be a distinction between the situation federally and provincially, in that federally the mandate is somewhat broader than it is in provincial jurisdictions. But at the end of the day, I'm looking at this pragmatically, and I want to make sure Canadians are well served.

    Is it possible to regroup the two institutions under one roof, with the same resources the two have? Would it work? Potentially.

    This act has not been amended for 30 years. I'm not sure the thing to do is to look at architecture. I think the thing to do is look at substantive rights, and fix that. There's more time to look at architecture.

    Thank you very much, Mr. Kelly.

    We now move to Mr. Bratina, please, for five minutes.

    Thank you so much.

    On the Newfoundland case again, we're aware of the approach that you see merit in. Did you review the decision-making process or talk to your colleagues in Newfoundland and Labrador about how they arrived at that point?

    I'll deal with that in two stages: first, before the legislation was adopted; and then after.

    Before the legislation was adopted, this recommendation followed a review by a committee or commission presided over by Mr. Wells, the former premier and chief justice, and Madam Stoddart, with a third commissioner. They did a thorough review of the legislation in place in Newfoundland.

     On this question of order-making versus not, we can provide you with a summary of that report. Those are the considerations I'm putting before you. Order-making could be more formal and more costly. It could create risks in terms of conflict of roles with the promotional role. They came up with this model. That's what they recommended. That's what the legislature adopted in Newfoundland.

    On the second phase, the legislation was adopted in June of last year. It's recent.

     I spoke with my Newfoundland colleague, the commissioner. He said it had exactly the impact that was desired, i.e., submissions by government are more prompt and they are of better quality. To date there have not been judicial challenges of recommendations, so the government has followed all the recommendations made under that model.

    It works. I'm not saying the other model cannot work, but this model, so far, has shown it can work.

     So my point, Mr. Chair, is that it seems as though it was carefully crafted. That leads me to the Bill C-44 CSIS matter, which you want to review, because it seems to have some gaps in it, such as, obviously, sharing information with other jurisdictions that may not have the same level of scrutiny that we would have, or protections rights built in, therefore leading to some sad results for the people involved.

    Maybe this isn't a fair question, but would the same level of scrutiny and care have been taken to frame Bill C-44? Theoretically even though we're dealing with a 30-year-old act, it worked pretty well until there were substantive changes in the way we collect and disseminate information. It seems to me, though, after a year or two, that the bill should have stood on stronger foundations than it appears to have.

     I would come back again to the decision-making process and ask you whether you feel that we have to have that level in our review of everything you bring forward, but particularly of Bill C-44.

    That's an interesting question. Obviously there should be rigour before legislation is amended. I will say that obviously national security legislation needs to be up to date in terms of the threat faced by Canada, and the arguments for Bill C-44 had to do with updating the legislation to be in line with the current threat environment, the fact that it's international in nature, etc., so there was some foundation for the objective.

     In terms of how to ensure the protection of rights in an environment where CSIS is given more powers, absolutely this deserves more scrutiny, and perhaps Bill C-44 should be looked at at the same time as BillC-51. That might be a possibility. All of these laws deal with what should be the legal architecture in Canada to deal with the terrorist threat. Apparently the government wants to have some form of review, particularly of Bill C-51. There would be some merit to extending that more broadly.

    That's pretty much it, Mr. Bratina, for the five minutes.

    We have five more minutes for the Conservatives. If it's okay with the committee, I would like to ask a few questions. Normally, I try not to do that, but if you'll humour me, then we'll move back to the Liberals for five minutes, and you can let me know who that would be.

    Mr. Commissioner, as you gave your remarks and as I was going through the documents in preparation for this committee today, I had several questions.

    In your opening remarks dealing with technological change, in your first two paragraphs you talk about how the technological change has allowed government information...and we know that, as the information age is continuing to evolve, there are massive amounts of information out there. You have a recommendation here “to require that all information sharing be governed by written agreements and that these agreements include specified elements”. Could you give me an example of exactly what you meant when you made that statement?

    There are provisions under the current Privacy Act authorizing sharing of information between federal departments. Some of these provisions are quite broad. For instance, information can be shared for “consistent purposes”. What is consistent in a given context depends on the context of the relationship between the two departments that are sharing information.

    What I'm suggesting is not to change the rule about consistent use, but to add a layer of protection on top of that, whereby there would be a requirement that the departments enter into a written agreement to give more meaning to what is consistent in the context of the activity that they're undertaking together. That would better protect rights; it would be transparent; it would provide more clarity; it would allow us, as we recommend, to express certain views on whether indeed the sharing would be for a consistent purpose; and it would allow us to audit the activity after the fact.

     I appreciate that. Thank you for that clarification.

    In your remarks, under legislative modernization you have a recommendation that there should be an obligation on government to consult your office on bills that will affect privacy before they are tabled in Parliament.

    You are aware, of course, Commissioner, that there is already a substantive legal opinion and legislative process for the drafting of legislation. You explicitly said “government”. I would like some clarification on what part of the process, whereby a bill already goes through the legislation drafting process and goes through checks for constitutionality and all of these other types of checks, your office would fit in with.

    I would also like clarification as to whether, when you say government, you actually mean members of Parliament as well, because not all legislation that's tabled in the House of Commons is tabled by government. Every member of Parliament who is not a member of the executive has the right to table private member's legislation. We have the resources of Parliament, but we don't necessarily have the resources of government to do some of these things and we are sometimes under very stringent timelines to get our legislation tabled before Parliament. This would be a layer added on that would lengthen that process in certain instances.

    Could you give me some clarification on that? I just want to protect the rights of parliamentarians, making sure that they can table legislation.

     We certainly do not want to be in the way of parliamentarians wishing to table legislation. What we're asking for is an obligation to be consulted.

     I'm coming from the standpoint of prevention of privacy violations. The current act is in large part curative. If there is a breach, an individual can complain; we investigate and we make a recommendation to remedy a breach of privacy that has occurred. Both this particular recommendation and the recommendation to make it a legal requirement to proceed with privacy impact assessments, for instance, are meant to facilitate prevention of privacy violations by ensuring that when programs are adopted, privacy impact assessments are sent to us so that we can give advice, or that when legislation is conceived—by the government, but I think it would apply to parliamentarians as well—the views of the Privacy Commissioner's office are sought.

    We would not be an impediment. We would give views. The government is free to table legislation, and parliamentarians would remain free to table legislation. We think we have value to add to this process so that new rules, new programs, or new legislation receives advice from our office to mitigate privacy risks.

    Rather than during the legislative review process, such as when appearing before a committee, wherever legislation would be potentially impacted you would want a preventative or advisory role up front in the drafting of the legislation, would you?

    It would be not “rather than” but “in addition to”.

    We'll go to Mr. Erskine-Smith for five minutes, please.

    My first question relates to damages and penalties. Under PIPEDA, in the context of sections 14 and 16 working together, there is a role for damages. Is that a model we'd look to under the Privacy Act? Is there a particular damages or penalties model that you would recommend?

    I'll turn it over to my colleague in a second. I'll say as a preliminary remark that one of our recommendations is to extend the jurisdiction of the Federal Court so that the court is competent to deal not only with access cases but with all rights, including collection, use, and disclosure. I think it's important that all rights conferred by the act be the subject of remedies in the Federal Court.

    You're now into the question of what kinds of remedies, and I'll ask my colleague to answer.

    You've pointed to section 16 under the private sector legislation, which provides a good model of the array of remedies a court could order in the event of contravention of the act—in that case PIPEDA, but there is no reason that it wouldn't apply in the case of the Privacy Act as well—by way of an order to do something, an order to stop doing something, an order for damages, or an order for a publication of a notice of any action taken or proposed to be taken to correct practices. All of those are applicable in the public sector as well.

     One of the previous recommendations and your current recommendations is a mandatory breach notification. Can you give us some examples of where the government has failed to notify? Is this a real problem that we are facing? Why this recommendation?

    First of all, as was noted by the chair, in 2016 the government collects and handles a mass of information, so there is a need for obligations to safeguard that information. Currently, that is the subject of government policy, not legal obligations per se. There is a policy obligation imposed by the Treasury Board on departments to notify both the Treasury Board and the Office of the Privacy Commissioner when there is a significant breach of personal information, and this is a good thing. What we note, though, is that there are certain departments we never hear from, or the quality of the notifications given is at best uneven. It is a good start to have this as a policy obligation, but we think that, point one, making it a legal obligation would improve the quality, and point two, making this a legal obligation is the norm in almost all other jurisdictions, either provincially in Canada or internationally. That is the norm.

    A number of my colleagues have asked about the Newfoundland model. In my experience with courts, if the applicants, in this case the government, are seeking a declaration that they do not need to take a particular action, there is no particular pressing need for them to pursue the application expeditiously. Is there not a worry that there are going to be delays here? If it is the applicant who wants information, there is an incentive to speed the thing up, but if the applicant is the government.... Maybe the Newfoundland model is too new and we don't have this experience on record, but is there not a worry that the government wouldn't pursue that application with haste?

    We would have to look at the specific statute. We can get back to you. Of course, there would be ways to mitigate that risk. What happens if there is a recourse before the court? Is the recommendation applied in the meantime or not? Is there a mechanism whereby the court would be seized with this issue quickly? There is the issue of delays in the court system. There is a potential risk there, and perhaps we could get back to you with some thoughts on that issue.

    I would appreciate that.

    On my last question, the chair delved into this a bit. At one point you suggested that all shared information should be governed by written agreements with specified elements as between government institutions. Obviously, with PIPEDA there is a consent to a particular use. If you are going to share that information beyond, from one organization, you need further consent, if it is not consistent with that initial use. Is that what you are getting at here? What would be an example of a specified element pursuant to one of these agreements?

    Consent is a different matter. Consent under the Privacy Act is also grounds for permissible disclosure. What we are dealing with here are the other provisions of section 8, which authorize disclosure other than consent, including consistent use. The elements that we have in mind, at a minimum, would be these: What is the personal information, exactly, that is being shared between the two institutions? What is the purpose? Beyond a consistent purpose, what is the specific purpose for which the information is being shared? Are there some accountability measures as to who actually decides, and what kind of information exists to ensure we can monitor this after the fact? We cannot regulate in the same way all sharing of information between all departments, so agreements would have certain minimal content, which I described, but the rest would be up to each agreement.

    Thank you very much, Mr. Erskine-Smith.

    We now have Mr. Blaikie. Do you want to use your spot here at the end?

    Yes, thank you very much, Mr. Chair.

    I am hoping to move the motion that I served notice of the other day, and I think it would be nice to have that motion dealt with in the public portion of our meeting. To be mindful of our witness, I would be willing to cede the floor to have him dismissed with thanks for his presentation so that he doesn't have to be here for the debate.

     We have Mr. Therrien here until about quarter after, so why don't we allow you an opportunity to move your motion right after that time is up? I'm guessing that's going to be sooner rather than going to the full length.

    That sounds great. In that case, I'll ask a very quick question for our last couple of minutes together.

    One of the things that came up with the Information Commissioner was the need for an oversight role, so that when claims for access are made and a decision is taken not to disclose certain information, it would be important to have a third party evaluate that decision by seeing the information.

     I wonder if there's any kind of corresponding situation on the privacy side. Are there cases where governments make decisions about personal information where it would make sense to have them be reviewed? Currently, you don't have the power to step in and assess the integrity of that decision.

    Are you referring to things like cabinet confidences, for instance? I'm not sure I get—

    Maybe there's a substantial enough difference between the two acts and the nature of those requests such that this question is misguided, but that would be the case on the information side, yes. Something is said to be a cabinet confidence and the Information Commissioner doesn't have the ability to go in, look at that information, and then say that in fact it makes sense to refuse that request.

     Is there anything comparable on the privacy side that we should be considering as part of the review?

    I think we're talking essentially—maybe not completely but essentially—about cabinet confidences. Under both statutes, the fact that information is protected by cabinet confidence is grounds to actually exclude the information from the application of one or the other statute.

    I understand that this would in practice be more of a problem for my colleague, given the nature of the information. It would be rare that personal information affecting a citizen would be the subject of a cabinet confidence, whereas it would be very frequent in the case of more general information.

    That's a long answer to say that the same provision applies in both statutes. In practice, that is not really a problem for us because of the nature of the information.

    Thank you.

    That uses up those three minutes. Is there anybody else who has questions?

    I'll start with Mr. Saini. I don't know if we need a specific amount of time, but if we start going on for 10 to 12 minutes, then I'll move on to someone else.

     In terms of your brief and the report you've published, you brought up some global privacy concerns. In that report, you stated that there were some successes with other global partners. You had success in dealing with data breaches. You gave the examples of Adobe, Globe24h.com, and the issue with unsecured webcams.

     I know that there was a meeting in Mauritius where you discussed all these things, and there was a consensus, a comprehensive agreement that was reached, which was supposed to be put in place in October 2015. There are roughly 200 countries around the world. I'm sure that not every country signed that agreement. You gave the example of Globe24h.com, a company in Romania that showed some legal analysis produced here in Canada.

     We're living in an interconnected world. I have two questions for you. Number one, can you tell me how many countries signed that agreement in Mauritius? Number two, what recourse do we have with regard to those countries that are not party to that agreement? What can we do as a country to make sure that data in Canada, for Canadians, is not given to other countries?

     You've indicated that there are certain countries that you have these agreements with, such as the U.K., Australia, and now Romania. I'm sure there are countries that we don't have that agreement with, so how do we deal with that in terms of the data of Canadians?

     I'll give a partial answer due to time considerations because that's a huge issue. Here we're talking about regulation of personal information in relation to the private sector, not the government. This is not the Privacy Act; this is PIPEDA.

    Regarding the agreement in question, its value is having a template that can be used by any country, any member of the international conference of privacy commissioners, who wants to use it as opposed to the previous scenario where agreements were bilateral. We had a number of bilateral agreements before. Now we have this global arrangement that is accessible by commissioners. We will give you the exact number of countries in writing after. At this point, there are around 10 countries, so it's certainly not the whole globe.

    What do we do when information is at risk in a country where we have no agreement? We can negotiate an agreement with that country if need be. It would be a matter of whether the co-operation that we're seeking in these agreements is co-operation with another privacy commissioner or data protection authority. Depending on the country, that other commissioner may or may not have a system such that we really want to co-operate, so that would be one consideration. That's the international framework.

    I'll leave it there. There's much more to say, but I'll leave it there.

    Mr. Bratina.

    Mr. Therrien, you mentioned on February 23 that the digital world has impacts on privacy, leaving some populations vulnerable, and you referred to youth and seniors. We see the vulnerability of not understanding credit card interest rates or payday loan charges, and that's because some of us just struggle with math. But in the question of the digital world for youth and seniors, could you tell me exactly what you're looking at in terms of that vulnerability and how it might be addressed?

    Yes. Again, this is mostly a PIPEDA issue, as opposed to the Privacy Act, but I didn't mention these risks in my remarks a few weeks ago.

    The risks may not be exactly the same for youth and seniors. Youth are, of course, very adept at using technology. There are many privacy considerations, but one of them is to make sure that young people are prudent in their use of technology so that information they put out there cannot be used by others against their interests. In part our strategy is to better inform youth through teachers, for instance, on the risks of the new digital world.

    Seniors, of course, are less adept, but more and more older people are using these technologies. Identity theft and fraud are often considerations. Again, essentially we want to better inform various populations of the benefits of technology but also of the risks.

    On the notion of “better inform”, that's the education part. Perhaps you could speak to how you envision the education part of this taking place.

    With respect to seniors and youth, we already have a public education mandate under PIPEDA. It's a question of how we would do this, and we have various means. We attend conferences and outreach activities. We want to improve our website, for instance, and give tips to populations, vulnerable populations in particular.

    Going back to the Privacy Act, we do not have a statutory mandate to do public education for information held by the government, and it would be as important to undertake these public education measures.

    That's very good.

    Mr. Kelly.

    Mr. Bratina really asked a very similar question to what I was going to ask, which was just dealing with the vulnerable groups that have been identified and the extent to which the commissioner might recommend or embrace a mandate to educate the public about how to manage their privacy.

     I've answered in large part. In relation to the government, let me give you a specific example of how it would be useful to have a public education mandate under the Privacy Act vis-à-vis government. On the question of encryption that Mr. Blaikie raised, currently we have a public education mandate under PIPEDA, which means that our research, for instance, and our public education efforts are focused on how consumers relate to private companies.

    We don't have a similar mandate vis-à-vis citizens in relation to the state. It would be useful under the public education mandate under privacy to have some research done on the question of the tension between the desirability of encryption and the legitimate needs of law enforcement power, what steps could be taken by citizens in that context, and how to educate them so that they know what the issues and are better able to protect themselves.

    Going beyond education, do you see a role in co-operation with law enforcement on the issue of fraud?

    People need to take care to guard their privacy and understand their privacy issues in relation to the government. Fortunately, government doesn't typically actually try to defraud people, unlike the private side with spam email and scam-type pieces that explicitly try to defraud citizens through unwise disclosure of their personal information.

    How do you see your role as Privacy Commissioner in co-operation with law enforcement over fraud?

    We co-operate with government, for example, on advice to citizens on how to protect themselves against cybersecurity threats or other risks of a privacy nature. We do that with Public Safety on different issues. We do that with the innovation department, which is responsible for PIPEDA. We already do that. Should we do more? Potentially, but this is something that already occurs.

    Mr. Lightbound.

    I have two quick questions.

    The first one you mentioned. You touched upon metadata in your answer regarding Bill C-13, and as far as I know, metadata is not defined in any way, shape, or form in our legislation. I was wondering if your office had any recommendations pertaining to metadata, and if it should be defined and where it should be so defined. Do you have any take on this?

    My second question is regarding a recommendation that your office made back in 2008 that recommended to provide greater discretion to the Office of the Privacy Commissioner to report publicly on the privacy management practices of government institutions. That's a recommendation that was made in 2008 and I was wondering if this still stands and if your ability to report publicly on privacy issues is in any way hindered at this moment and what could be done.

     I'll start with the second question. Yes, it is still one of our recommendations.

    Currently we can inform the public and parliamentarians only in the context of reports to Parliament, which are either annual reports or special reports. Otherwise we're bound by a confidentiality provision under the Privacy Act not to reveal our investigative activities. We continue with that recommendation.

    On the question of whether we should legislate metadata, we have put on our website two research papers that seek to inform the public and others as to what metadata is. We have one on IP addresses and another on metadata more broadly, which is an operational, practical description of what metadata is.

    Should it be legislated? I would have to give some serious thought to that because it's a difficult beast to define. If you're interested in this, we could get back to you on that point.

    On the issue of metadata, I refer to the Spencer case. The Spencer decision of the Supreme Court in 2014 helped a lot in regulating what law enforcement can do with metadata in the context of investigations. There have been recommendations, discussions, or wishes expressed by law enforcement to perhaps change or nuance what the Supreme Court has said. Clearly, I would not be in favour of reducing the protection that comes from the Spencer decision, and if anything, if there was legislation to adopt on that point, my recommendation would be to codify and confirm the principles of Spencer. Would it be a good thing to define metadata? I'm less certain of that, but to confirm the principles of Spencer would be useful.

    Mr. Long.

    I want to go back to one of the earlier things I think we discussed as a committee.

    You said that several recommendations have been made to amend the Privacy Act over the past 30 years, but there really hasn't been anything substantial done. That certainly goes beyond whether it was a Conservative government, a Liberal government, NDP, or whatever. I'm looking for your opinion as to why there haven't been changes to the act.

    I don't have a precise answer to give you. As you say, several parties were in government. The act was adopted in the 80s. I honestly don't know. In part, policies were adopted short of legislation to address some of the privacy risks, but in my view, this is no longer sufficient. I'll leave it at that.

    Can you tell me how the office is set up? I'm a business person. How many staff do you have? When were you were appointed and by whom? What is your budget? Have you requested budget increases? Has that been successful for you? Could you just give us a bit of a background on that, please?

     The office has approximately 180 employees responsible for administering the Privacy Act with respect to the public sector and PIPEDA with respect to the private sector. We have approximately 50% of our employees working on enforcement or investigation of one kind or another, in relation to either the Privacy Act or PIPEDA, and that includes a group that does audit and review.

    Madame Lajoie is director general of investigations with respect to the Privacy Act. There is a similar group responsible for investigations under PIPEDA. There is a policy group, of which Madame Kosseim is the director general and senior general counsel. We have a policy group. We obviously have certain corporate services, legal services, finance, and human resources. We have a communications branch, which is responsible in large part for our public education effort. We have a small but efficient technology branch with technologists who are very helpful in giving us a technological grounding for our investigations or our policy recommendations. That's the structure. The number of employees is 180. The budget is roughly $24 million.

    There have been budget asks over the years, some of which were successful. In 2008 there was a successful budget ask, which led to some increases in the complement. That was eight years ago now, and as I say, technology continues to evolve, and there are many more issues we have to deal with. Currently, we are struggling to meet our responsibilities with the resources that we have.

    Mr. Long, I appreciate the nature of the questioning. I'll just advise the committee that this path of discussion might be better served when we discuss the estimates. I know we have those coming forward in very short order. That will be a great opportunity for those questions.

    We're now very much approaching the time that's allocated, but Mr. Massé has not had an opportunity yet today to ask a question and get on the record.

    Mr. Massé, if you have a quick question, I think that would wrap up our committee business for this witness.

    Thank you, Mr. Chair.

    I might take a different approach. Given that Canadians want to have access to effective and efficient programs, how can we balance the collection and sharing of information by various departments when service delivery programs are increasingly complex and targeted? How can the government balance the collection, sharing, and protection of information to keep providing effective service delivery to Canadians?

    That is an excellent question.

    Since the beginning of my term, the questions I have been asked about information sharing have often had to do with police forces or national security. However, you are quite right to look at the situation more broadly.

    The government has initiatives to increase information sharing among departments, in part to improve program effectiveness. That is a legitimate and commendable goal. I think that the purpose of the Privacy Act is not to prevent that kind of activity, but to regulate the sharing of personal information in order to ensure that Canadians' privacy is respected.

    For example, when I recommend that there be written agreements for information sharing, I recognize that information may be shared to achieve commendable and legitimate goals. However, it is also important to have rules to govern and protect privacy.

    Thank you.

     Thank you very much, Mr. Therrien, for coming in today. I'm sure we'll hear from you again at some point in time during the study. It's usually appropriate at the end of the study after we've heard from a number of other witnesses.

    I know you've given us a list of proposed and prospective witnesses that I'll be sharing with our analysts and of course with the committee. I'm sure at the end, when we've had a chance to talk to a wide range of folks from across Canadian society, we'll have an opportunity to bring you back in and tie up any loose ends and questions that we might have.

    I want to thank you very much for your time. I'm very optimistic about the feeling around the table. Hopefully when somebody in the future asks you why it hasn't been done for 30 years you won't have to say I don't know, because we'll get some legislation that will update and modernize the Privacy Act.

    We will assist the committee in any way during your study.

    Very good.

    We'll now stay in the public portion of the meeting.

    Mr. Blaikie, you wanted to move your motion.

    Thank you very much, Mr. Chair.

    Yes, I would like to move that motion and take a bit of time to motivate it.

    The way that this came up is there was an access to information request made by a Canadian Press reporter that was recently denied by the government. Some documents were released, but substantial portions of them were left out and not disclosed. The government chose to exercise a discretionary exemption to leave out some of the advice and deliberations from that document.

    I think it would be useful for the committee to have a sense of the kind of advice that's being offered to the President of the Treasury Board and to government on how to go forward. I think it would be useful to us because it would help inform the study that we're doing on the Access to Information Act, to get a sense of the kinds of recommendations that are being made to government, and the basis on which those recommendations are being made. I think that would be important for our committee to consider.

    I could imagine a government that wasn't committed to openness and transparency maybe not wanting to see such a motion go through, and they might argue, for instance, that.... Frankly, I find it hard to see why this information wouldn't be useful to the committee.

    You might argue that the scope of this particular motion is too broad. I would of course be willing to entertain friendly amendments to appropriately narrow that scope if the feeling of the committee is that this scope is too broad. Perhaps we want to try to narrow it down to those particular documents that were the subject of the access request and ensure that members of the committee, and more than members of the committee, members of the public are able to have access to the advice and deliberations on how government might proceed with reforms to the Access to Information Act, and are heard.

    I think it was a mistake on the part of the government to deny this particular request and not make that advice and those deliberations open to the public. I think particularly with respect to this piece of legislation it's incumbent on government. I hear a sincere desire from the government to open up a new culture of openness and transparency. What better way to start than by making the discussions around reform to this act as open and as transparent as possible?

    It's in the spirit of making the committee's work more useful to government, assisting government, and getting off on the right foot in terms of a culture of openness and transparency, that I move this motion. I hope we can pass it today so that this information might inform our discussion as soon as possible.

    Thank you.

    Thank you very much, Mr. Blaikie.

    Colleagues, we have a motion now on the floor. The motion is in front of you in both official languages.

    For greater clarity on the motion, as I understand it, Mr. Blaikie, you are asking the committee to compel briefing materials and memos from the Treasury Board as one part of it.

    The second thing that you're asking is then for the President of the Treasury Board to come here to speak to those memos, briefing materials, and in the more broader context the role of Treasury Board in the administration of the Access to Information Act study that we're doing. Do I understand the intention of your motion clearly?

     Yes, that's correct.

    Mr. Lightbound.

    I would recommend to the committee that we take this motion under consideration. I thank Mr. Blaikie for bringing it up. Let's take it under consideration so that we can bring some amendments.

    For now I would suggest we adjourn the debate on the motion.

    I don't know if we can adjourn debate on the motion. We can adjourn the committee, which would stop the debate on everything. We could ask the mover of the motion—

    Then that's what I move.

    Are you asking to adjourn the committee? I don't think there's a mechanism to adjourn the debate.

    What was the second option?

    You could move to adjourn the committee and then the committee is over if it passes. That is a non-debatable motion, and if you move to adjourn then the committee would adjourn. When we resume the committee then we would resume here.

    Mr. Massé.

    I'd like to propose a motion to defer this motion to the committee.

    I don't know if that's—

    I don't want to adjourn the meeting, because we have to decide what we're going to do with our next meeting. This is getting a little awkward.

    Mr. Blaikie, what I would suggest, as somebody who is now adjudicating for the first time in this committee—and it will happen a lot—is that you've heard a friendly suggestion that we table discussion on this motion so the parties around the table, even though you've given 48 hours' notice.... it sounds to me they would like to have further discussions among themselves so they can come back with some possible amendments.

    If you are adamant about this motion right now we can either adjourn the committee, or we can simply vote on this motion and deal with the motion as it is in front of us. That would not preclude anybody from moving the motion again in the future.

    Mr. Jeneroux.

    Just so we're all clear, we received this on Tuesday. It's now been the appropriate 48 hours to have something before us. We're prepared to vote on the motion, and we're prepared to proceed with it. I'm not sure how much longer the Liberals need at this point.

    I would suggest we move forward and vote. If there's a friendly amendment of sorts then that's reasonable, but to simply defer again seems a little...we've had 48 hours up to this point to do this.

    Thank you.

    Mr. Erskine-Smith.

    We learned for the first time today that information was requested from the Treasury Board, and pursuant to the Access to Information Act it was refused.

    This committee is studying the Access to Information Act and reforms to the Access to Information Act. To suggest that materials were perhaps properly refused under the current regime, and that ought to be disclosed, presupposes the very question that we're trying to answer in this committee.

    With all due respect I learned this for the first time. I think that it would be prudent to defer—we're talking about when we sit next Tuesday—and bring this motion back. My own opinion is that it would be more prudent to bring Mr. Brison here before us to answer questions as to where the government would like to go with this.

    It does appear to me to be too broad on its face, but with all due respect it's pretty reasonable to push this to the next meeting.

    I can't do that unilaterally. I either need the mover of the motion to withdraw, or to deal with the motion.

    I would say the 48-hour notice provision is fair. I think these documents would help to give some context to our time with the minister, so I'm certainly not opposing having the minister here because it's part of the motion. I think having those documents in advance would probably help us ask some better questions of the minister and make more effective use of his time.

    I'm not inclined to defer this motion. I think that we could vote on it today, with the understanding that if there are amendments that other members of the committee would like me to consider as friendly amendments, I'm certainly happy to consider them.

    Mr. Jeneroux.

    Further to Mr. Erskine-Smith's point, regardless of when you found out the details it doesn't mean that the President of the Treasury Board is going to appear before us tomorrow. It's still at the next meeting. We have a constituency week going ahead here, and we have the following week for meetings, as well.

    It's a bit less than a two-week period to be prepared on their end for that.

     Mr. Massé.

    The goal of inviting the President of the Treasury Board to come and share his perception and his game plan is very noble. However, we feel it is a bit too early for that. Obviously, we would like to do that a bit later.

     I would therefore like to propose to the Chair to move a motion to put this motion to a vote.

    I appreciate that.

    Mr. Blaikie.

    I just wanted to clarify that the request is for the President of the Treasury Board to come following receipt of that information. So it may well actually be after the next sitting week, depending on when we get those documents. The idea is to get those documents and to have a chance to read those documents before we speak with the President of the Treasury Board so we might be able to ask him better questions that are more relevant to the options he's considering rather than spending our time with him asking about things that may well not be things that the government is seriously considering. Just in terms of timeline, I would say that this doesn't prescribe any particular timeline.

    It does not.

    The point is well taken, however, that at the very least it would be two weeks. It may well take longer depending on the response from Treasury Board, which, of course, I would hope would be prompt, but my experience is that it isn't.

    I'm sorry, Mr. Blaikie.

    That's okay. In the case that it wasn't, it would take longer.

    Colleagues, I'm offering this given my experience as a veteran parliamentarian at the table. Normally when motions like this go forward and requests are made of departments, it takes several weeks for these documents to be received. The committee does have the power to compel the documents if the documents aren't received in the order, or manner, or to the completion level that we want. That is a different matter. This is a request. We're not compelling; we're requesting information from Treasury Board. We are just asking. The motion seeks to ask the President of the Treasury Board to come. We cannot compel the President of the Treasury Board to come. He is also a parliamentarian, and we cannot compel a parliamentarian to come. We can compel other witnesses to come through things like subpoenas and so on if we choose to go down that path. I've been a parliamentarian for 10 years and I have never seen a committee subpoena anybody, because normally we get co-operation.

    That being said, Mr. Blaikie has the motion on the floor. There doesn't appear to be a desire to withdraw the motion at this time. I just want to clarify a couple of different things here and the I'll move to Mr. Lightbound. I will not do anything until everybody has had a chance to speak to this.

    There are friendly amendments, and then there are actual amendments. Sometimes committees adopt a policy of having friendly amendments. With a friendly amendment, we just kind of ask the mover of the motion if they would consider a friendly amendment and then we kind of massage, in an amoeba-like fashion, the wording of the motion and get to something that looks different from the motion that's currently before us. Or you can actually move an amendment, which is the proper way to do things.

    I'm of the opinion that as parliamentarians we're all adults around this table. If we want to do it either way I'm good with that unless we get into an unwieldy situation, in which case, I would prefer to follow the rules of how we actually make amendments, and amendments to those amendments, and then vote on those amendments. If we're going to get unwieldy, then we'll go down that road.

    Mr. Massé.

    It's just to react to what I said. Maybe I wasn't clear enough and maybe I'm not knowledgeable enough regarding the process, but I've asked for a motion to go to a vote.

     I'm not sure why we're still—

    We can't do that. My understanding of the way it works is that the vote will happen when the debate collapses, as soon as people are done speaking to the motion that's before us. The only thing that can interrupt the debate on this motion is the actual time for this committee running out, in which case we would need to agree to extend that time for the committee and we would resume discussing this when the committee next met, or we would have to adjudicate this motion, or we'd have to have unanimous consent to defer or table the motion.

    On a point of order, can we not call the question? If we vote in favour of calling the question, can we call the question?

    No. We can't vote to decide if we're going to vote. I know that seems frustrating at times, and, believe me, I sat on that side of the table for a long time, but this is the process. I would like to adjudicate this motion today in some form or other.

    Mr. Lightbound.

    Mr. Chair, I'd like to move again to adjourn the debate. I'm pretty sure it's something that's possible to do. It's called a dilatory motion. I would challenge you to explain further why you think that's not possible.

     After discussion with the clerk, I understand the notion of a dilatory motion. If you wanted to end the debate on this, you would have to move the adjournment of the committee. Committees are not bound by the same prescriptive timelines that the House of Commons is.

     My advice from the clerk is that we continue on with this debate until the time for the committee has passed, and then we'll simply resume this at the next committee meeting. Otherwise, we have to find a way to.... My understanding is that motion would not be in order. I might be wrong, but this is the advice I'm getting from the clerk.

     Mr. Saini.

    I don't really see what the issue is here. For me, ultimately, we want to reach some sort of conclusion. To get to that conclusion, I think it would be premature to not actually have the President of the Treasury Board here first, listen to his viewpoints and get his guidance, and then, from that point, build some sort of consensus among the members of this committee on how we should go forward.

     To put the cart before the horse doesn't make any sense. If we're going to work in this committee.... You mentioned the two ways you can do that. You can massage things in amoeba-like fashion, and I don't prescribe doing that. If this is going to be a friendly committee and we're all trying to reach the same objective, then we should have the same path to reach that objective. Debating on this and that doesn't make sense to me. I think that it would be possible for us, as adults, as you mentioned—and this is not a very contentious committee—to all work together. I think we should all work together to reach some objective or some conclusion, where all of us work together and bring our experiences into it collectively, rather than have these motions come back and forth.

    I couldn't agree with you more, Mr. Saini. Are you proposing an amendment, then?

    I have a list. I have Mr. Jeneroux, Mr. Lightbound, Mr. Bratina, and Mr. Erskine-Smith. If you don't have an amendment, Mr. Saini, I'll move to Mr. Jeneroux.

    Yes, I'm watching to heighten things on the other side. I'm encouraging them to come up with that friendly amendment. I don't think you'll be offside in proposing that. A lot of what you're talking about is actually in the form of an amendment. I will stop talking and hope that there's a friendly amendment on the other side.

    Mr. Lightbound.

     I'll start with a proposal for an amendment and see how that goes. I'd like to have your suggestions as well.

    I would suggest that we move with this: That the Committee invites the President of the Treasury Board to elaborate on possible changes to the Access to Information Act.

    Just for clarification, Mr. Lightbound, what you're suggesting is striking the words “request all briefing materials and memos”, replacing that with the words “invites the President of the Treasury Board”, ending it at where the semi-colon currently is after “Access to Information Act”, and striking the rest. Is that correct?

    That would be: That the Committee invites the President of the Treasury Board to elaborate on possible changes to the Access to Information Act.

    Right. We've heard the terms. We now have an amendment on the floor. That amendment would strike most of the first sentence and replace it with the word “invites”, so it reads: That the Committee invites the President of the Treasury Board to elaborate on possible changes to the Access to Information Act.

    You're then striking all the words after the semi-colon.

    We have an amendment. The amendment is in order.

    Who would like to speak to the amendment?

    Mr. Bratina.

    We had the Privacy Commissioner here with us. It seems to me that in the original motion, we are acting as the Privacy Commissioner. We could have held this document up to him, asked what he thought, and said, “Are we usurping your job in demanding these memos and so on?”

     I don't think the committee's role is to act as Privacy Commissioner and find out whatever these memos are. There's a process in place that speaks to that. We're reviewing the process, but we're not necessarily reviewing all of the requests that have come in from the media and whoever else to find out what this information is. I think the amendment is quite in order. Let's bring in the President of the Treasury Board and see what he has to say in terms of our mandate and references as a committee.

     The amendment is absolutely in order.

    Mr. Jeneroux.

    In order to continue the good nature of this committee, it's not entirely what Mr. Blaikie asked for, but it's a good start and probably a good step toward goodwill. It's something that we would support on our side.

    Mr. Blaikie.

    Without wanting to undermine any sense of goodwill, I probably won't be supporting this amendment.

    I won't do it because there are two components to this motion. One is to have the President of the Treasury Board here in order to have the committee get a better sense of what he may reasonably consider coming from us, not that that would be any restriction on what we could recommend, but to give us a better sense of where he would like to go and how he understands his mandate from the Prime Minister on access to information reform.

    I appreciate that that is maintained in the spirit of this amendment, but what's lost is...There are documents and this request, its denial, and subsequent story show that there are documents that may help this committee in its study to get a better sense of what the advice to government should be.

    We do have the power to request documents and my understanding...It's written in the House procedures manual that the Standing Orders do not delimit the power to order the production of papers and records. The result is a broad absolute power and then on the surface it appears to be without restriction.

    That same guide acknowledges that in practice there may be reasons why people, who are the subject of requests, may not want to provide those documents, but those reservations, on the part of the people who are having that request made, don't in any way limit those powers. We would be well within our right to request those documents. They could serve a useful purpose in our study and it would make sense for us to do so.

    I would agree with Sean Holman, who is an assistant professor of journalism at Mount Royal University, who essentially said, with respect to the access request, “What would be so wrong in letting the public know about what options are under consideration by the government?”

    I think that rhetorical question has a point to it and I wanted it to be part of the motion. It's the will of the committee, of course, to decide what to do, but for my part I will be voting against the amendment.

    Thank you very much, Mr. Blaikie.

    We're running out of time to actually even get to the other business at hand.

    We have the amended version before us. All in favour of the amendment? Opposed?

    (Amendment agreed to)

    The Chair: We're now back to the original motion. Because the amendment carried, the motion before us in amoeba-like fashion reads that the committee invite the President of the Treasury Board to appear before it to elaborate on the possible changes to the Access to Information Act.

    (Motion as amended agreed to [See Minutes of Proceedings])

    The Chair: The motion is carried unanimously.

    We now have about five minutes left to suspend and go into committee business, unless we want to do committee business in public to save a few minutes.

    Are there any questions or concerns about that, or shall I suspend?

    [Proceedings continue in camera]