Thank you very much, Mr. Chair, for the invitation to appear before you today on your study of the border.
Privacy rights and the border must be considered in context, and an important element of context is that trade is, of course, important to Canada. This means that smart controls for border goods and data, as they move across borders, are required.
One topic of discussion flagged for your current study relates to screening and searches by Canadian border services officers. As you know, the powers of border officers are quite broad. They may question travellers, collect biometric information for identification purposes, as well as examine, search, or detain any goods.
As for searches of the person, they may also conduct pat-down searches and frisks, take X-rays or body scans, and they may even demand strip searches or body cavity examinations. All searches of persons require reasonable grounds to suspect some legal contravention, particularly the concealment of goods or of anything that would present a danger to human life or safety.
For their part, electronic devices have historically been considered as goods by the CBSA. Paragraphs 99(1)(a) and (c) of the Customs Act allow for examination, opening, and taking samples of goods without grounds. These provisions apply to materials both entering and leaving Canada. In addition, under existing charter jurisprudence, greater latitude is given to state authorities at the border to enforce sovereignty and territorial integrity and to regulate immigration.
At the same time, though, the Supreme Court has found in many other contexts that searching of electronic devices is extremely intrusive. Therefore, while the law is not settled, I think it is clear that Canadian courts would find that groundless searches of phones, of cellular devices, were unconstitutional even at the border.
The idea that electronic devices should be considered as mere goods and therefore be subject to border searches without legal grounds is clearly outdated and does not reflect the realities of modern technology. This may well be why Canada's policy is more nuanced than what the Customs Act may allow.
Under CBSA policy, specific grounds need to be satisfied, namely that “evidence of contraventions may be found on the digital device or media”. I think that policy is wise, but it should in my view be elevated to a rule of law in the near future.
Another border issue of note concerns Bill , which is now before the Senate. Bill C-23, the pre-clearance act, 2016, would implement the 2015 agreement on land, rail, marine, and air transport pre-clearance between the Government of Canada and the Government of the United States. This would provide for pre-clearance activities on the part of the Canadian and U.S. customs officials to take place at various points of entry on both sides of the border.
I've raised concerns about U.S. announcements to search the electronic devices of any and all aliens who seek to enter the U.S. These searches will be at their discretion and without specific legal grounds other than generally to protect homeland security.
Bill establishes that U.S. pre-clearance officers in Canada are subject to Canadian law as they perform their duties or exercise any powers. The Canadian government reminds us that this would include the Canadian Charter of Rights and Freedoms, the Canadian Bill of Rights, and the Canadian Human Rights Act. However, these protections are somewhat hollow, as they would be severely limited by the principle of state immunity, meaning that they could not be enforced in a court of law.
It should be noted that under Bill , searches of persons, including relatively non-intrusive pat-down searches, require “reasonable grounds to suspect” in order to be carried out by U.S. officers in Canada. In my view, searches of electronic devices can be much more intrusive than these frisk searches.
As I recommended in the context of the study of Bill , border searches of electronic devices should require reasonable grounds to suspect, the same threshold that applies to searches of persons.
This past spring, I informed you of my correspondence with the three appropriate ministers regarding the executive orders of the new U.S. administration, issued earlier this year. Measures like these clearly have a material effect on the privacy of many citizens, given the scale of tourism and business travel to the United States.
One order would specifically exclude non-U.S. citizens and lawful permanent residents from certain privacy protections.
Upon review, I have concluded that, while Canadians have some privacy protection in the United States, that protection is fragile because it relies primarily on commitments or administrative agreements that do not have the force of law, for instance the Five-Eyes Agreement and the Beyond the Border Agreement with the United States.
I have therefore called upon our government to ask their U.S. counterparts to strengthen privacy protections for Canadians. This could be done, for example, by adding Canada to the list of designated countries under the U.S. Judicial Redress Act, which would extend some of the protections conferred by the U.S. Privacy Act to Canadians, as they are in place for citizens of several European countries.
We have also asked the government for assurances that the protection afforded by Canada-U.S. administrative agreements will continue despite the order and to be advised of any changes that may adversely affect the privacy of Canadians. We understand that the findings have now been compiled and a response is forthcoming.
Let us turn now to the information-sharing agreements with the United States.
Generally speaking, we have spent considerable time on border issues and information-sharing in the past several years, in particular, the Beyond the Border initiatives with the United States. To date, we have provided feedback on close to fifty separate privacy impact assessments (PIAs) on just these programs alone. Through these exchanges, we have made a series of recommendations to the CBSA and various other federal departments implicated in expanding information exchange and other border-related processes.
Overall, we have been pleased with the level of consultation and the improved quality of privacy analysis undertaken by agencies involved with border security.
That said, we still have concerns over issues such as retention periods applicable to data collected from travellers and the risk that data collected for border purposes is then used for secondary purposes.
Both of these issues were found to be problematic from the point of view of European law, in a recent judgment of the European Court of Justice on the Canada-EU API/PNR Agreement.
In closing, as people, goods and data move across borders more frequently, it is important that Parliament ensures that we have the appropriate rules in place to respect individuals' privacy. The importance of the rules has been recognized historically in relation to the search for persons. In my opinion, it is time to extend these safeguards to electronic devices.
Thank you for inviting me and I look forward to your questions.
Of course, the first thing to say is that states are sovereign, including the United States of America, so in the comments that I've made in my opening remarks, I call on the Canadian government to take certain measures to protect the privacy of Canadians, first and foremost, in devising appropriate laws that protect the very sensitive information found in electronic devices—that's Canadian domestic law—and to the extent possible, in the pre-clearance agreement.
But at some point, a Canadian who wants to visit the United States either for tourism, business, or other reasons will come up against U.S. state authorities, and the U.S. is free to adopt the rules that are in their interest in order to protect their safety. That, apparently, means in part that U.S. border officials.... If you just set aside pre-clearance, if a Canadian wants to go to the United States and comes across a border officer, either inland at the border or at a U.S. airport, that person may be required to provide the password to their cellphone.
I don't think that is protective of privacy, but it is within the powers of the U.S. government to impose that rule. We may come into what that means in terms of a prudent approach by a Canadian who will face that situation, but you're now talking about U.S. laws and practices. The U.S. is competent and has the authority to impose these rules. I don't think they're good rules, but these are the rules that apparently will be imposed on travellers.
You're bringing in the private sector angle with your reference to the FCC changes and whether information collected by the U.S. government could be sold. I haven't analyzed this in any great detail. Certainly, following the executive order of President Trump that limited, if not eliminated, privacy protection for non-Americans, we were seized with, of course, concerns by Canadians. We looked at the situation of whether Canadians are protected. There are no laws to protect Canadians, but there are a number of administrative agreements that, until rescinded, do provide some protections. Among these administrative protections is an order made by then-president Obama that provides similar protections to non-Americans in regard to the activities of the NSA, particularly what the U.S. government does with information intercepted in the name of foreign intelligence.
I'm giving you the grande ligne of the rules that are applicable. There are still remaining administrative protections in the U.S. Of course, they are administrative protections and they could be rescinded tomorrow by the U.S. administration, but there are still, at this point, a number of administrative protections for Canadian citizens.
Well, I didn't say that.
Again, Mr. Commissioner, thank you so much for coming. You are a regular and we appreciate your input.
I thought I would start by sharing a story of what I went through not too long ago while crossing the border. My riding is Saint John-Rothesay, and I'm an hour from the Calais border. We went across, and we were asked to pull in. We went inside to talk with the customs agents, and I was to accompany the agents back to the car. We were told to put all of our phones in the car and open the phones up. Then I left. We sat inside for a better part of 30 to 45 minutes. It was me, a friend, my son, and one other person, and we waited. Eventually, they came back and said we were all good. We went back to the car, and the phones were clearly not in the same places as they had been.
Like Mr. Cullen said, obviously it's cause for concern when you cross that border. Respecting that, as you say, they don't have to give you entry into the United States. But I guess, from a Canadian's viewpoint—and, again, I apologize, it's the same line of questioning as Mr. Cullen.
How concerned should Canadians be? As Mr. Cullen said, we cross now with our iPads, laptops, and phones, and in my phone is my banking information and my emails. It's not just text and pictures anymore. It's basically your life history and all your records. On a scale of one to 10, as Canadians, how concerned should we be?
This has been enlightening. It seems to me that it's almost like the combination of two forces. One is the more vigorous security environment that we've lived in the last 10, 15, 20 years, certainly since 9/11, plus the incredibly powerful and pervasive technology that we have. I'm wondering, from your perception in dealing with Canadians, those who are raising either concerns or formal complaints, if there's a lack of awareness of what it is to experience, as Mr. Long did, the “Leave your phones in the car and we'll just take a peek” thing, with all the information the phone contains—all of those passwords, all of those bank accounts, everything about you.
If a Canadian were to see a customs official going through all of their luggage and taking everything out and looking through it, or going through their home, that would be an obvious invasion of privacy. These are personal things. Why would they be looking through someone's photo albums? Yet we seem not to have caught up to the technology we have and the power someone has when they say, “I need your phone and you need to give me your password.”
I guess this is more of a philosophical question, but is there a latency, a catching up, for Canadians in terms of what it is to cross the border? If we were to receive this designated country status, would that go towards alleviating most, some, or a few of your concerns with respect to that information we're giving over when we cross into the U.S.?
It's PRG-2015-31. This is the policy guidance that says that, under the Customs Act, paragraph 99(1)(a) is for customs purposes only, and mentions the multiplicity of indicators. With respect to IRPA, subsection 139(1) refers to reasonable grounds, that the purpose of the search should be confined to these issues, and that they must explain their reasoning. Certain protections are outlined.
Not for today, but if you could review that policy guidance from the CBSA, and if you have additional privacy protections that you would like to see the CBSA include in that policy guidance, it would be good to have that for our purposes at this committee.
I take your principal point here that the policy is generally wise, but it ought to be reflected in legislation. The first point is that we receive any additional guidance you have, and the second recommendation would be that it be reflected overall in legislation. That's on the Canadian side, as I understand it. We provide protections to Canadians and foreign nationals through the CBSA rules. None of those same protections apply if we're travelling to the United States.
We had the ACLU before us, and they said, as you've said, that the rules allow the government to search any travellers, regardless of citizenship status, and devices without a warrant, probable cause, or suspicion. You've mentioned the U.S. Judicial Redress Act. Are there any other measures or mechanisms that we should be asking our American counterparts to implement to protect Canadians' privacy, other than simply adding Canada to the designated list of countries under the JRA?