I appeared last week before the Standing Committee on Access to Information, Privacy & Ethics as part of the committee’s review of the Privacy Act. My opening remarks highlighted several longstanding concerns with the legislation and then turned to three broader issues: Bill C-51’s information sharing provisions, transparency reporting, and the revival of lawful access issues.
My full prepared opening remarks are posted below:
Appearance before the House of Commons Standing Committee on Access to Information, Privacy & Ethics, September 29, 2016
Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. My areas of speciality include digital policy, intellectual property, and privacy. I served for many years on the Privacy Commissioner of Canada’s External Advisory Board and I have been privileged to appear before multiple committees on privacy issues, including PIPEDA, Bill S-4, Bill C-13, the Privacy Act, and this committee’s earlier review of social and media privacy.
I appear today in a personal capacity representing only my own views.
As you know, there is a sense of déjà vu when it comes to Privacy Act reviews. There have been multiple studies and successive federal privacy commissioners who have tried to sound the alarm on the legislation that is viewed as outdated and inadequate. Canadians rightly expect that the privacy rules that govern the collection, use, and disclosure of their personal information by the federal government will meet the highest standards. For decades, we have failed to meet that standard.
I would like to quickly touch on some Privacy Act concerns, but with your indulgence, also talk about the broader privacy law environment in Canada by raising several other related issues and concerns.
A. Privacy Act
The Privacy Commissioner of Canada has provided the committee with many recommended changes and I endorse the submission. Most of the recommendations are not new. Successive commissioners have asked for the same changes, but successive governments have failed to act.
I would like to briefly raise four issues related to the current law:
1. Education and the Ability to Respond
The failure to engage in meaningful Privacy Act reform may be attributable in part to the lack of public awareness of the law and its importance. The Privacy Commissioner has played an important role in educating the public about PIPEDA and broader privacy concerns. The Privacy Act desperately needs to include a similar mandate for public education and research.
Moreover, the notion of limiting reporting to an annual report reflects a bygone era. In our current 24-hour, social media-driven news cycle, restrictions on the ability to disseminate information – particularly information that touches on the privacy of millions of Canadians – cannot be permitted to remain out of the public eye until an annual report can be tabled. Where the Commissioner deems it in the public interest, the Office must surely have the power to disclose in a timely manner.
2. Strengthen Protections
As this Committee has already heard, the Privacy Act falls woefully short in meeting the standards of a modern privacy act. Indeed, at a time when government is expected to be a model, it instead requires far less of itself than it does of the private sector. A key reform in my view is the limiting collection principle. A hallmark of private sector privacy law, the government should similarly be subject to collecting only that information that is strictly necessary for its programs and activities.
3. Breach Disclosure
Breach disclosure legislation has become commonplace in the private sector privacy world and it has long been clear that similar disclosure requirements are needed within the Privacy Act. The Treasury Board guidelines are a start, but legal rules are essential. In fact, the need for reform is even stronger given the absence of security standards within the current Act. Provisions that establish such standards and mandate disclosure in the event of a breach are crucial to establish an appropriate level of accountability and to ensure that Canadians can guard against potential identity theft and other harms.
4. Privacy Impact Assessments
Privacy touches us in many ways and it similarly is implicated by many pieces of legislation. The Privacy Commissioner has regularly appeared before Committees to provide a privacy perspective on proposed legislation, yet this approach runs the risk of rendering privacy as little more than a mere afterthought. It is far more appropriate to conduct privacy impact assessments before legislation is tabled or at least before implementation.
B. Bigger Picture
We could address some of the longstanding irritants about the Privacy Act and still not fully address the problems. That stems in part from the fact that there are many moving parts in the federal privacy world and a broader vision is needed. I’d like to quickly highlight three issues that are currently on the agenda:
1. Bill C-51’s Information Sharing Provisions
I realize the government is currently consulting on national security policy, with a particular emphasis on Bill C-51. From my perspective, one of Bill C-51’s biggest problems – perhaps its biggest – was the information sharing provisions.
The privacy-related concerns stem from Bill C-51’s Security of Canada Information Sharing Act, a bill within the bill, that went far further than sharing information related to terrorist activity.
It permits information sharing across government for an incredibly wide range of purposes, most of which have nothing to do with terrorism. The previous government tried to justify the provisions on the grounds that Canadians would support sharing information for national security purposes, but the law now allows sharing for reasons that would surprise and disturb most Canadians given how broadly that can be interpreted. Further, the scope of sharing is exceptionally broad, covering 17 government institutions, many of which have little to do with national security.
The national security consultation background paper raises this issue, but appears to largely defend the status quo, raising only the possibility of tinkering with some clarifying language.
If we don’t address the information sharing issue, I fear that many of the other potential Privacy Act improvements will be undermined. This requires a wholesale re-examination of information sharing within government and the safeguards in place to prevent misuse.
2. Transparency and Reporting
In recent years, the stunning revelations about requests and disclosures of personal information of Canadians – millions of requests, the majority without court oversight or warrant – point to an enormously troubling weakness in Canada’s privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used.
Recent emphasis has been on private sector transparency reporting. Large Internet companies such as Google and Twitter have released transparency reports and they have been joined by some of Canada’s leading communications companies such as Rogers and Telus. There are still some holdouts – notably Bell – but we have a better picture of requests and disclosures than we did before.
However, these reports represent just one side of the picture. Public awareness of the world of requests and disclosures would be far more informed if government also released transparency reports. These need not implicate active investigations, but there is little reason that government not be subject to the same expectations on transparency as the public sector.
Indeed, the Liberal party focused on transparency in its election platform. Improvements to access to information are absolutely critical, but transparency is about more than just opening the doors to requests for information. Proactive disclosure of requests for Canadians’ information should be part of the same equation.
3. Government Mandated Interception Capabilities and Decryption
Finally, I wanted to come back to the public safety consultation launched earlier this month. While many think of it as a C-51 consultation, it is much more. The return of lawful access issues threatens to scrap the 2014 lawful access compromise and raise some very serious privacy concerns.
For example, the consultation implies that the “lack of consistent and reliable technical intercept capability on domestic telecommunications networks” presents a risk to law enforcement investigations. Yet left unsaid is that the prior proposed solutions in the form of government-mandated interception capabilities were rejected due to the enormous cost, inconsistent implementation, and likely ineffectiveness of standards that would exempt many smaller providers. Creating government-mandated interception capabilities at all providers would represent a huge privacy risk that runs roughshod over both PIPEDA and the Privacy Act.
Further, the consultation places another controversial issue on the policy table, noting that encryption technologies are “vital to cybersecurity, e-commerce, data and intellectual property protection, and the commercial interests of the communications industry” but lamenting that those same technologies can also be used by criminals and terrorists.
Given its widespread use and commercial importance, few countries have imposed decryption requirements. This year’s controversy involving access to data on an Apple iPhone owned by the San Bernardino, California shooter revived the debate over access to encrypted communications, however, and the consultation asks Canadians to comment on the circumstances under which law enforcement should be permitted to compel decryption.
A move toward compelling decryption would place more than just our privacy at risk – our innovation strategy and personal security would also hang in the balance.
In conclusion, fixing the Privacy Act is long overdue. There are no mysteries about what needs to be done. Indeed, there have been numerous studies and a steady stream of Privacy Commissioners who have identified the problems and called for reform. What has been missing is not a lack of information but rather a lack of political will to hold government to the same standard that it holds others. I look forward to your questions.