I appeared last week before the Standing Committee on Access to Information, Privacy & Ethics as part of the committee’s review of the Privacy Act. My opening remarks highlighted several longstanding concerns with the legislation and then turned to three broader issues: Bill C-51’s information sharing provisions, transparency reporting, and the revival of lawful access issues.
My full prepared opening remarks are posted below:
Appearance before the House of Commons Standing Committee on Access to Information, Privacy & Ethics, September 29, 2016
Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. My areas of speciality include digital policy, intellectual property, and privacy. I served for many years on the Privacy Commissioner of Canada’s External Advisory Board and I have been privileged to appear before multiple committees on privacy issues, including PIPEDA, Bill S-4, Bill C-13, the Privacy Act, and this committee’s earlier review of social and media privacy.
I appear today in a personal capacity representing only my own views.
As you know, there is a sense of déjà vu when it comes to Privacy Act reviews. There have been multiple studies and successive federal privacy commissioners who have tried to sound the alarm on the legislation that is viewed as outdated and inadequate. Canadians rightly expect that the privacy rules that govern the collection, use, and disclosure of their personal information by the federal government will meet the highest standards. For decades, we have failed to meet that standard.
I would like to quickly touch on some Privacy Act concerns, but with your indulgence, also talk about the broader privacy law environment in Canada by raising several other related issues and concerns.
A. Privacy Act
The Privacy Commissioner of Canada has provided the committee with many recommended changes and I endorse the submission. Most of the recommendations are not new. Successive commissioners have asked for the same changes, but successive governments have failed to act.
I would like to briefly raise four issues related to the current law:
1. Education and the Ability to Respond
The failure to engage in meaningful Privacy Act reform may be attributable in part to the lack of public awareness of the law and its importance. The Privacy Commissioner has played an important role in educating the public about PIPEDA and broader privacy concerns. The Privacy Act desperately needs to include a similar mandate for public education and research.
Moreover, the notion of limiting reporting to an annual report reflects a by-gone era. In our current 24 hour, social media driven news cycle, restrictions on the ability to disseminate information – particularly information that touches on the privacy of millions of Canadians – cannot be permitted to remain out of the public eye until an annual report can be tabled. Where the Commissioner deems it in the public interest, the Office must surely have the power to disclose in a timely manner.
2. Strengthen Protections
As this Committee has already heard, the Privacy Act falls woefully short in meeting the standards of a modern privacy act. Indeed, at a time when government is expected to be model, it instead requires far less of itself than it does of the private sector. A key reform in my view is the limiting collection principle. A hallmark of private sector privacy law, the government should similarly be subject to collecting only that information that is strictly necessary for its programs and activities.
3. Breach Disclosure
Breach disclosure legislation has become commonplace in the private sector privacy world and it has long been clear that similar disclosure requirements are needed within the Privacy Act. The Treasury Board guidelines are a start, but legal rules are essential. In fact, the need for reform is even stronger given the absence of security standards within the current Act. Provisions that establish such standards and mandate disclosure in the event of a breach are crucial to establish an appropriate level of accountability and to ensure that Canadians can guard against potential identity theft and other harms.
4. Privacy Impact Assessments
Privacy touches us in many ways and it similarly is implicated by many pieces of legislation. The Privacy Commissioner has regularly appeared before Committees to provide a privacy perspective on proposed legislation, yet this approach runs the risk of rendering privacy as little more than a mere afterthought. It is far more appropriate to conduct privacy impact assessments before legislation is tabled or at least before implementation.
B. Bigger Picture
We could address some of the long standing irritants about the Privacy Act and still not fully address the problems. That stems in part to the fact that there are many moving parts in the federal privacy world and a broader vision is needed. I’d like to quickly highlight three issues that are currently on the agenda:
1. Bill C-51’s Information Sharing Provisions
I realize the government is currently consulting on national security policy, with a particular emphasis on Bill C-51. From my perspective, one of Bill C-51 biggest problems – perhaps its biggest – was the information sharing provisions.
The privacy-related concerns stem from Bill C-51’s Security of Canada Information Sharing Act, a bill within the bill, that went far further than sharing information related to terrorist activity..
It permits information sharing across government for an incredibly wide range of purposes, most of which have nothing to do with terrorism. The previous government tried to justify the provisions on the grounds that Canadians would support sharing information for national security purposes, but the law now allows sharing for reasons that would surprise and disturb most Canadians given how broadly that can be interpreted. Further, the scope of sharing is exceptionally broad, covering 17 government institutions, many of which have little to do with national security.
The national security consultation background paper raises this issue, but appears to largely defend the status quo, raising only the possibility of tinkering with some clarifying language.
If we don’t address the information sharing issue, I fear that many of the other potential Privacy Act improvements will be undermined. This requires a wholesale re-examination of information sharing within government and the safeguards in place to prevent misuse.
2. Transparency and Reporting
In recent years, the stunning revelations about requests and disclosures of personal information of Canadians – millions of requests, the majority without court oversight or warrant – points to an enormously troubling weakness in Canada’s privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used.
Recent emphasis has been on private sector transparency reporting. Large Internet companies such as Google and Twitter have released transparency reports and they have been joined by some of Canada’s leading communications companies such as Rogers and Telus. There are still some holdouts – notably Bell – but we have a better picture of requests and disclosures than we did before.
However, these reports represent just one side of the picture. Public awareness of the world of requests and disclosures would be far more informed if government also released transparency reports. These need not implicate active investigations, but there is little reason that government not be subject to the same expectations on transparency as the public sector.
Indeed, the Liberal party focused on transparency in its election platform. Improvements to access to information are absolutely critical, but transparency is about more than just opening the doors to requests for information. Pro-active disclosure of requests for Canadians’ information should be part of the same equation.
3. Government Mandated Interception Capabilities and Decryption
Finally, I wanted to come back to the public safety consultation launched earlier this month. While many think of it as a C-51 consultation, it is much more. The return of lawful access issues threatens to scrap the 2014 lawful access compromise and raise some very serious privacy concerns.
For example, the consultation implies that the “lack of consistent and reliable technical intercept capability on domestic telecommunications networks” presents a risk to law enforcement investigations. Yet left unsaid is that the prior proposed solutions in the form of government-mandated interception capabilities were rejected due to the enormous cost, inconsistent implementation, and likely ineffectiveness of standards that would exempt many smaller providers. Creating government-mandated interception capabilities at all providers would represent a huge privacy risk that runs roughshod over both PIPEDA and the Privacy Act.
Further, the consultation places another controversial issue on the policy table, noting that encryption technologies are “vital to cybersecurity, e-commerce, data and intellectual property protection, and the commercial interests of the communications industry” but lamenting that those same technologies can also be used by criminals and terrorists.
Given its widespread use and commercial importance, few countries have imposed decryption requirements. This year’s controversy involving access to data on an Apple iPhone owned by the San Bernardino, California shooter revived the debate over access to encrypted communications, however, and the consultation asks Canadians to comment on the circumstances under which law enforcement should be permitted to compel decryption.
A move toward compelling decryption would place more than just our privacy at risk – our innovation strategy and personal security would also hang in the balance.
In conclusion, fixing the Privacy Act is long overdue. There are no mysteries about what needs to be done. Indeed, there have been numerous studies and a steady stream of Privacy Commissioners who have identified the problems and called for reform. What has been missing is not a lack of information but rather a lack of political will to hold government to the same standard that it holds others. I look forward to your questions.
Me Michael Rodger Heroux and my wife Ingrid Van Eyk are still having counter intelligence operation run against us under bill C 51. We use Rogers internet and we are constantly still being hacked and CSIS and the RCMP are still torturing us. They are still putting ROOT KITS and malware of all kinds on our operating systems. We have been assaulted and they are threatening assassination against my family and I again. They took our 14 year old daughter away from us and put her in a group home where they are using brain washing techiques against her so we won’t proceed with suing them. She is not allowed to use internet since they took her from us, she is not allowed to have her cell phone. She cannot go out by herself, she always has to be escorted where ever she goes. She cannot use a cell phone, she cannot have her tablet, she cannot play video games anymore, she cannot use a camera, she cannot talk to her family unless someone is on the other phone monitoring what she is saying, she can’t visit with her family unless someone is monitoring the visits, she cannot have a camera to take pictures, she is being BRAIN WASHED by some agent they sent from WASHINGTON DC. She is being reprogrammed by the Trudeau government becauae they have abused our family for over 20 years. When they took her from us JUDGE SAGER ruled NO PREJUDICE AGAINST HER FAMILY AT ALL but they are threatening us that they are going to do her harm.
We went to the ATTORNEY GENERALS OFFICE OF THE INDEPENDANT INVESTIGATION UNIT OF ONTARIO on Bay St. in Toronto here to have the assaults and threats against us investigated but they looked into the assaults and threats and told us it would not be in the best interests of their office to investigate the assaults and threats against our family since we have been persuing legal action against them. They said it was the RCMP that assaulted and threatened us and they said they don’t investigate the RCMP anyways. We got a lawyer not too long ago, he is FALCONER from the FALCONER LAW FIRM and they told us they would help us with our case. We are the ones who had the fradulent 30-08 WARRANTS taken out on us by the HARPER government. We have been tortured ever since and it is still going on. They have been contacting our family members for years to try to get our family members to torture us also.
We are a family of 5. My wife Ingrid Van Eyk and I Michael Rodger Heroux and my daughter Victoria Van Eyk and my other daughter Clarissa Van Eyk and my son Michael Van Eyk. When they took our 14 year old daughter away from us we were living in a government of Toronto housing shelter that is run by the Ontario government. We contacted Justin Trudeau’s MP John Mackay because we were living in his riding at the time but they didn’t want to help us even thought they knew we had been tortured over the fradulent 30-08 terror warrants the Harper government took out on us in 2009. They said we could keep our daughter if we gave them all of our email addresses and phone numbers, they wanted all of our social media platforms and they wanted to be able to come in our home and monitor our family when ever they wanted to and if we didn’t do as they said they were going to take Clarissa away from us. They said they would say we were secluding her in our home for too long. The government of Toronto told us they took her because we wouldn’t answer our door when they came by. We are not doing anything wrong, they just don’t want us talking about the torture of our family. The Toronto police have come by a few times and spoke with our kids to ask them if the torture was real and as soon as they found out it was they took our daughter from us. They put our daughter in a group home to BRAIN WASH her and she is only 14 years old. They set her up with a 22 year old boyfriend from Washington DC and we are going to have him and the group home charged because they are letting her date this man even though she is only 14 years old and ONTARIO CHILDRENS AID knows all about this, THIS IS CHILD MOLESTATION.