Mr. Chairman and members of the committee, I thank you for the invitation to appear and testify on Bill . I'm going to read my remarks, in a desperate academic attempt to stay within your 10-minute time frame.
Bill provides statutory powers for the final phase of the entry-exit initiative. As the committee will be aware from previous testimony, the entry-exit scheme dates back to promises made under the Beyond the Border action plan agreed to in 2011 between Canada and the United States. Its provisions are, for now, Canada-U.S.-centric. The Beyond the Border action plan is the latest iteration of agreed schemes for post-9/11 border security, dating back to the safe border accord of December 2001. The Liberal government affirmed its commitment to the entry-exit information plan during a summit meeting between and then U.S. President Obama in March 2016.
The entry-exit scheme has had a staged rollout since its first phase, which lasted from September 2012 to June 2013. It served to test the data exchange between Canada and the U.S. at select land border ports of entry. The second phase began in June 2013 for fuller land border crossing information exchange for third country nationals, permanent residents of Canada, and lawful permanent residents of the United States. The final stage of entry-exit, requiring statutory force in Bill , would see the biographical exchange of information on all travellers, including Canadian citizens, at the land border, and the collection of biographical exit data on all air travellers, again including Canadian citizens, leaving Canada.
Biographical data acquired under Bill would consist, as you've heard, of the page 2 information from Canadian passports presented to Customs and Border Protection officials at U.S. ports of entry when crossing the land border. This information includes, as you'll know, name, nationality, date of birth, sex, and place of birth.
For the air mode, it would involve what is referred to as API/PNR, or advance passenger information/passenger name record, data provided by air carriers and air reservation systems for exit records for air travel. API data includes page 2 biographical passport data plus flight information. PNR derives from airline departure control and reservation systems, and varies depending on the collector. It can include type of ticket, date of travel, number of bags, and seat information.
The information flow that Bill augments is meant to be automatic. It would involve the passage of electronic data from U.S. CBP at land entry—U.S. entry data becoming Canadian exit data—in near real time. For air travel, it would involve the transmission of electronic passenger manifests from air carriers. All of this information would go to the Canada Border Services Agency for processing.
The backgrounder published by the government when the legislation was first introduced in June 2016 indicates that the entry-exit initiative is meant to serve a large number of objectives. It is not specifically a national security tool, but could, in my view, enhance investigations into the movements of suspected terrorists, foreign espionage actors, and WMD proliferators, among other actors of concern, and it could provide a useful investigative supplement to other powers available to security and intelligence agencies.
It is worth noting that Mr. Bolduc of CBSA testified before this committee on October 3, making the point that one additional benefit that Bill powers would provide was “it will bring Canada on par with the rest of the world and our Five Eyes partners. There's a huge, huge benefit for Canada.” This was a direct quotation from Mr. Bolduc. I am not quite sure how to read this enthusiasm, except to say that Bill C-21 measures are, in keeping with a long tradition in Canadian national security, meant to demonstrate our ally worthiness.
In this same vein, it is also important to note the restrictions that the government has said it will put in place in terms of information sharing from the vast pool of data that will be collected under Bill . Land border exit information will inevitably be shared with the United States government, because the information is collected by U.S. CBP agents. We are assured that exit information from the air mode would not be shared with the United States or any other foreign government. Whether this blanket restriction makes sense is questionable, in my view. The committee may wish to consider an amendment to the legislation in this regard, which would bring it more into line with the Secure Air Travel Act, of which I'll speak a little later.
has testified before this committee that “exchange of information both within Canada and with the U.S. will be subject to formal agreements that will include information management safeguards, privacy protection clauses, and mechanisms to address any potential problems.” These are important promises that presumably will be fulfilled through regulation. Notably absent, however, is any commitment to transparency around the entry-exit initiative. There is no requirement, for example, for any annual report to Parliament and the public on its application and efficacy.
This lack of a transparency commitment is compounded by the current absence of meaningful independent review of CBSA, the core actor that will operationalize Bill .
While government officials have testified that the information flows provided for through Bill will be seamless and automatic, the real issues, it seems to me, involve analysis of the data by CBSA, retention and security of the data, and information sharing. Bill C-21 legislation is a black box in these regards, leaving much to regulation. There is a question in my mind as to whether the legislation needs to be more forthcoming in three particular areas: data retention schedules, information sharing protocols, and transparency requirements.
Before I come to some modest proposals to improve Bill , a note on a parallel and existing legislative power might be in order. There exists already a limited form of entry-exit controls for air travel, which have been in place since 2007 but which were amended with Bill in 2015 under the title of the Secure Air Travel Act or SATA. SATA, often referred to as the passenger protect program, creates a list of persons that the Minister of Public Safety “has reasonable grounds to suspect will (a) engage or attempt to engage in an act that would threaten transportation security; or (b) travel by air for the purpose of committing” a terrorism offence. I'm slightly paraphrasing the sections of SATA here.
SATA contains some provisions that are not held in common with Bill , including specific powers and information disclosure, both domestically and through written agreements with foreign states and entities. These are under sections 11 and 12 of the Secure Air Travel Act. These sections, incidentally, are not proposed to be amended in Bill as that bill comes forward, presumably, to this committee.
There is also an important statutory reference to retention of data received from air carriers or air reservation systems in the SATA legislation, and this requires:
The Minister of Transport must destroy any information received from an air carrier or an operator of an [air] reservation system within seven days after the act on which it is received, unless it is reasonably required for the purposes of this Act.
That's section 18 of SATA. In other words, the minister is empowered to retain records of air travel for the listed persons but not for the general public.
To bring Bill into closer alignment with SATA on data retention and information sharing protocols and to enhance transparency and ensure independent review of its powers, I would suggest the following responses to Bill C-21, which the committee might want to take under consideration:
First, Bill should adopt the explicit SATA references in sections 11 and 12 for information sharing domestically and internationally. I think this would be an improvement on doing this by regulation.
Second, Bill should adopt a reasonable retention schedule for entry-exit data based on expert government advice on the minimum period necessary for the retention to meet the many different objectives of the entry-exit initiative as listed in the backgrounder document published with the bill in 2016. A seven-day retention cycle as provided for in SATA would be self-defeating, but so would overly lengthy retention periods. CBSA must not become a data swamp.
Third, Bill should contain a mandatory requirement for annual reporting to Parliament on its provisions by CBSA.
Fourth, the committee should encourage the government to be explicit about its plans for the conduct of regulatory review of CBSA national security activities, either through an independent body or captured by the paragraph 8(1)(b) mandate for the proposed national security and intelligence review agency, NSIRA, under Bill . This may require future clarifying amendments to Bill C-59.
Fifth, the committee should encourage the government to finalize its plans for an independent complaints mechanism for CBSA. There have been discussions under way about this for some considerable time now.
Sixth, and finally, I would encourage the committee to hold early hearings on CBSA and its rapidly expanding mandate. Doing so might serve as a foundational exercise for the new national security and intelligence review agency when it is created.
Thank you for your time and attention.
Thank you very much for having me.
I am Esha Bhandari. I'm a staff attorney with the American Civil Liberties Union, and I'm based in New York. I previously testified before the Canadian House of Commons committee on Access to Information, Privacy and Ethics on June 15, 2017, when I addressed two issues affecting Canadians' privacy rights in the United States' border searches of electronic devices and changes to Privacy Act protections covering the data of non-U.S. citizens held by the U.S. government. I will cover those two topics and also mention additional developments that have been happening in the last few months that I think are relevant to this committee.
On searches of electronic devices at the U.S. border, there is currently a regime of suspicionless searches. This means that the U.S. government claims the authority to search the electronic devices, including smartphones and laptops, of any traveller presenting themselves at the border, whether it's an airport or land, without any individualized suspicions and no requirement of a warrant or probable cause. This can include manual searches on the spot of the data and content on the devices, or it can include seizing devices and running them through what's called a forensic search, which is essentially a computer strip search where the government can access all files, including metadata and deleted files. In these circumstances, the traveller would be deprived of their device for days or maybe weeks.
This practice is currently the subject of litigation. It has been challenged by the American Civil Liberties Union, and the legal landscape is currently unclear. There are currently also pushes for greater transparency, meaning that the advocacy community in the United States, civil rights and civil liberties groups, are asking the government to release more information on whose data is being searched, what the nationalities of the people being searched are, and what the reasons for the searches are. At the moment, we only have aggregate data, and we know that, based on that aggregate data, the number of searches is increasing. In fiscal year 2016 there were about 19,000 device searches compared to about 8,500 in 2015. Again, we don't know why these numbers are increasing.
Turning to privacy protections, this is a separate issue not relating to travellers presenting themselves at the border per se, although it affects all data held by the U.S. government that would pertain to Canadians who are not citizens of the U.S. or are not green card holders or lawful permanent residents.
In January 2017, the administration issued an executive order stating that the Privacy Act protections would be stripped from all non-U.S. citizens and green card holders, meaning that all information held in U.S. government databases or systems of records would no longer be subject to the statutory protections that include protections on accessing the information that is held on you, correcting that information, and restricting the dissemination of that information beyond current enumerated exceptions.
Under the Privacy Act, for example, U.S. citizens have protections against their data being shared non-consensually. While there are exceptions for sharing data for law enforcement purposes and other enumerated exceptions, for the most part, individuals have to consent to their data being shared. Now with the new policy that says these protections will not be given to non-citizens, the only backstop is what are now known as privacy principles, and these fair information practice principles will be applied to the data of non-citizens and non-green card holders. While these are based on information privacy principles that have been the basis of many other worldwide privacy regimes, including the OECD privacy principles, nonetheless they do not provide the same protections as the Privacy Act. At this point in time, it seems fairly clear that non-citizens who have data of theirs held by the U.S. government do not have rights under the Privacy Act or any other statutory regimes to correct information that is held on them.
They may be able to use the Freedom of Information Act to request the information that is held on them by the U.S. government. That would be subject to any exemptions that the government could invoke to withhold information. Even if Canadians, for example, were able to get their information through a Freedom of Information Act request, there's now no right to correct that information, and there's no statutory right to limit the dissemination of that information for any reason that the government sees fit.
Those are the two main areas that I addressed in my previous testimony, and I will simply add that there is also currently an ongoing debate regarding retention of information on social media handles or social media activities of visitors to the United States. The government issued a notice on September 18, 2017, which made clear that it is retaining certain social media information that people provide in the course of applying for immigration benefits, which would include potentially information that visitors to the U.S. provide at the border. This information is being retained, and as of now it's unclear what the scope of that information being gathered is and how long it's being retained and for what purposes.
We do know that the default retention for this kind of information collected from visitors or others who are seeking immigration benefits in the U.S. is 75 years. As far as we can tell, there is currently a collection of the type of information on social media activity that's being done and being retained. The American Civil Liberties Union and other civil rights and civil liberties groups have been writing comments to the government highlighting the concerns that this poses for human rights and particularly for freedom of expression and freedom of association if travellers and visitors to the United States are fearful that they will be asked questions about their social media activity, and that the answers will be retained for a long period of time and potentially subject to being shared with other government agencies.
Thank you very much.
Thank you very much to the chair for the opportunity to present remarks on Bill , which we believe is a fundamental cornerstone to the automated and more efficient way borders are managed for Canada.
As you mentioned, I'm an executive board member of the Canadian/American Border Trade Alliance. It's a group that has celebrated its 25th anniversary this year as a binational grassroots organization representing a number of public and private sector organizations. They're involved in Canadian and American trade, border crossing, transportation, tourism, airports, and bridge operators, among others.
As a voluntary board member for Can/Am BTA, I should also add that I have professionally worked for 20 years in all forms of border management between the U.S. and Canada, with my firm InterVISTAS consulting, specializing in different kinds of movements. Some members of the committee have seen my past work as the independent reviewer of the current pre-clearance act that was tabled in the House of Commons. I've also looked at the root causes of border delay, and that pertains to both goods movement and people movements.
The Canadian/American Border Trade Alliance is in full support of the provisions of Bill , in terms of being able to have exit information that is recorded when individuals leave the country. As many have already testified before this committee, the intent of being able to expand the current capabilities that have been deployed since 2013 to provide information on Canadian citizens to support a range of different objectives on a restricted basis is that this biographic information on Canadians is going to be important to be able to close the loop in terms of the set of entries and exits from Canada. As we have seen in reports from the operating agencies, some 20 million records have already been looked at so far.
In granting new powers to government to be able to perform these kinds of activities, we always look at this in three ways. First, will this capability provide the ability for governments to better manage our borders, particularly the perimeter around the U.S. and Canada? Second, are there opportunities for efficiencies to be created to allow folks working for CBSA and IRCC to do more with what they currently have as resources? Third, from the Can/Am Border Trade Alliance perspective, are there opportunities to facilitate trade and travel?
Growth is continuing, particularly for international visitors and air travel, over 5% per annum over the next 20 years, as forecasted. In terms of being able to provide the capability for Canada to take the recommendations of groups such as ICAO, the International Civil Aviation Organization, in terms of recommended practices, certainly these are opportunities that are available for the Government of Canada to pursue facilitated efficiencies.
Imagine the age-old question that you face when you cross the border as to how long you have been away, and the amount of work to manually swipe passports and look at that particular question, and converting that to more productive types of questions, to be able to look at the kinds of people going across the borders.
As mentioned by other witnesses to the committee, Canada is not the first country to look at this. There are lessons to be learned from other countries that have sought to implement exit immigration data. I'll cite a couple of them.
In addition to the United States, recently the United Kingdom implemented the border systems program, which took effect in mid-2015. That represented a 20-year shift in the U.K. in terms of the way exit information is looked at. Prior to 1994, that was done through an exit booth when leaving the U.K. On departure, you would actually see an immigration person. As in a number of countries around the world, that was the mechanism. However, over the period of time of automating that capability and into mid-2015, the U.K. Home Office worked very closely with different port operators and airlines to be able to implement this. It very well might be a model to look at the provisions of implementing exit and entry from the Beyond the Border action plan. The issues were fairly limited.
Contrasting this was the move this past summer in the EU in putting forward a set of regulations in response to a number of attacks, in Paris and Brussels namely, and being able to have states in the Schengen area required to provide tracking of entry and exit information. In this case, the deployment was horrible by all accounts. Between May and June 2017, the number of delays was 97% greater than in 2016. In a number of countries, France and Spain namely, the delays in border formalities in August 2017 could reach up to two hours.
That is not the model to pursue because the ability to systematically and cohesively deploy this, as we have seen since the 2013 decision to provide a test of exit data, is certainly something that we've seen here in the experience to date. Granted, scaling this upwards is a different challenge, and certainly we're confident the agencies looking at this will have the ability to keep an eye on the ball to make sure delays aren't in place.
Interestingly, the world leader in this area, Australia, pioneered the approaches in the 1990s for advanced passenger processing. One of the first countries to fully automate the data in looking at arrivals, in April 2016, Australia moved ahead with what they called outward advanced passenger processing. This itself provided a similar capability to be able to have exit data put in place. Based on a long history of working collaboratively with the airlines toward implementation, that went fairly smoothly. I will also add that in my earlier remarks about finding facilitation benefits, Australia has a broader vision into the future. Its 2015 seamless traveller initiative has as its viewpoint being able to facilitate over 90% of travellers without stopping at a booth.
At Can/Am BTA we look at these examples and we applaud this. Where do we go from here? We would suggest three things to this committee to be looked at.
Number one is making sure that the border technologies being deployed are compatible with the powers that are provided in . Although C-21 is limited to documents for outbound international travel or data coming in from CBP, we see a number of countries like Australia and the United States moving very rapidly toward biometric entry systems in addition to exit. While that's not the scope of C-21, it is certainly a progression and future that needs to be evaluated.
Number two, the passports that Canada uses do not have that ability for quick reading. Namely, the advantages of secure vicinity RFID is a technology available at a number of border crossings and that needs to be expanded greatly into the document itself.
Number three, and I can expand on this during questions from the committee, while ensuring that privacy is protected in terms of data, there are opportunities with the new Canadian centre on transportation data to be able to look at what this data source could help with on an anonymized basis. I reside in Vancouver, where there is a growing Vancouver-Victoria-Seattle tourism triangle. The ability to understand exits and departures much like cruise ships from Halifax and leaving by air for the United States, that source of information is currently a bit grey. There are opportunities other than this one that could provide advantages to both industry and government to understand those patterns of travel.
I look forward to questions from the committee.