Public consultation on the Privacy Act – Submission – Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic

Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC)

Tamir Israel, Staff Lawyer

With written contribution & analysis from:

[Information was severed]

February 14, 2021

CC-BY-SA 4.0 2021 Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC)

Electronic version first published by the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic. The Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) is a legal clinic based at the Centre for Law, Technology & Society at the University of Ottawa, Faculty of Law.

The Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic has licensed this work under a Creative Commons Attribution Share-Alike 4.0 (International) License.

https://creativecommons.org/licenses/by-sa/4.0/

Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic

University of Ottawa, Faculty of Law, Common Law Section
57 Louis Pasteur Street
Ottawa, ON K1N 6N5
Website: https://cippic.ca
Email: admin@cippic.ca
Twitter: @cippic

Corrections & Questions

Any errors, omissions or policy positions remain solely the responsibility of the primary author. Please send all questions and corrections to the primary author directly, at: tamir@cippic.ca

Introduction
Section 1. Putting Human Rights & Privacy First
Section 2. Furthering Reconciliation
Section 3. An Effective Regulatory Framework
- 3.1 Improving accountability for frontline agencies
- 3.2 Applying & Enforcing the Act
Section 4. Improving Transparency Measures
Section 5. Safeguards & Breach Notification
Section 6. Publicly Available & De-identified Data
- 6.1 Publicly Available Information
- 6.2 Identity Obfuscation Techniques
Section 7. Cross-Border Disclosures
Section 8. Automated Decision-making
Section 9. Biometric Protections

Table of Recommendations

Recommendation 1: Purpose clause must place privacy protection first
Recommendation 2: Data practices must be necessary & proportionate
Recommendation 3: Incorporate Indigenous Community Control
Recommendation 4: Formalize Accountability obligations
Recommendation 5: Encode Rigorous Privacy Impact Assessment Obligations
Recommendation 6: Grant the Privacy Commissioner True Regulatory Powers
Recommendation 7: Encode a Private Right of Action for Resulting Harms
Recommendation 8: Encode Statistical Reporting & Individual Notice Requirements
Recommendation 9: Set high standard for safeguards & breach notification
Recommendation 10: Secure conditions for robust encryption & vulnerability disclosure
Recommendation 11: Ensure publicly available information is sufficiently protected
Recommendation 12: Identity obfuscation techniques as safeguards, not exclusions
Recommendation 13: Formalize Cross-Border Transfer Regime
Recommendation 14: Encode a Regulatory Framework for Automated Decision-Making
Recommendation 15: Additional Protection for Biometrics

Introduction

The Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) is pleased to provide its input into the government’s consultation on the Privacy Act. As noted in the Department of Justices’ Consultation Document, government data handling practices have evolved substantially since the adoption of the Act in 1983, as have the regulatory tools used by independent agencies around the world to ensure the human right to privacy is respected as personal information is gathered, analyzed and stored in ever-expansive ways.

This initiative, which seeks to modernize the Privacy Act, is therefore timely and welcome.

Section 1. Putting Human Rights & Privacy First

Privacy is a human right, protected by Articles 12 and 17 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, respectively and includes the right to effective measures precluding unauthorized processing, the right to individual access, the right to openness of data handling processes, and the right to data accuracy.^{Footnote 1}

In Canadian law, privacy is protected by sections 7 and 8 of the Charter, and laws that protect the right to privacy are classified as quasi-constitutional in nature.^{Footnote 2} This classification is “a reminder of the extent to which the protection of privacy is necessary to the preservation of a free and democratic society.”^{Footnote 3}

The Privacy Act plays a critical role in securing the human right to privacy and, by extension, the fundamental values of autonomy, dignity and informational self-determination that underpin it.^{Footnote 4} The Act’s over-arching framework must be commensurate with its important constitutional nexus if the protection of privacy is to be fully realized.

A human rights centric approach recognizes the pre-eminent importance of privacy in relation to other, non-constitutional values such as administrative expediency.^{Footnote 5}

Recommendation 1: Purpose clause must place privacy protection first

The Privacy Act’s purpose clause should be replaced with the following:

Purpose

X. The purpose of this Act is to extend the laws of Canada to protect individuals with respect to their personal information and in particular to protect the fundamental right to privacy in an era in which technology increasingly facilitates the accumulation, circulation and exchange of information.

A human rights approach must also ensure that incursions on the right to privacy only occur where it is proportionate and necessary to achieve a specifically articulated and legitimate objective.^{Footnote 6}

Currently, a government agency may only collect personal information where it “relates directly” to an operational program or activity.^{Footnote 7} For decades, this was understood to limit collection to where it is both necessary and proportionate,^{Footnote 8} a requirement that was confirmed by non-binding Treasury Board of Canada Secretariat policies.^{Footnote 9} However, it is no longer clear that the Privacy Act legally requires government agencies to limit collection, use or disclosure of personal information to what is necessary and proportionate.^{Footnote 10} This is inconsistent with the standard for administrative collection imposed by other public sector laws across the country.^{Footnote 11}

Under the existing Act, limits on use and disclosure are mostly limited by the purposes that animated the initial collection of personal information. The current statutory framework places no explicit limits on retention or on the types of purposes that can be advanced by an operating program. This is out of touch with modern data protection obligations, and holds private sector companies to a more stringent standard than their public sector counterparts.^{Footnote 12}

In order to ensure the human right to privacy is adequately protected, the Privacy Act must encode an over-arching limitation ensuring that personal information will only be collected, used, retained or disclosed where proportionate and necessary to an objective that a reasonable person would consider appropriate in the circumstances.

Recommendation 2: Data practices must be necessary & proportionate

The Privacy Act must include an over-arching necessity and proportionality obligation:

X. Personal information will only be collected, used, disclosed or retained by a government institution where it is [strictly] necessary for and proportionate to purposes that a reasonable person would consider appropriate in the circumstances.

Section 2. Furthering Reconciliation

As noted in the Consultation Document, the Privacy Act plays an important role in state interactions with Indigenous Peoples. This modernization initiative offers an opportunity to improve reconciliation by formalizing role for Indigenous groups to participate directly in decision-making that impacts the privacy interests of their communities.

The Truth and Reconciliation Commission of Canada’s (TRCC) Calls to Action emphasize the importance of the Indigenous right to self-determination as expressed in the United Nations

Declaration on the Rights of Indigenous Peoples (UNDRIP) at Call to Action 43.^{Footnote 13} Beyond just self-determination, UNDRIP calls upon states to facilitate Indigenous Peoples’ “right to maintain and strengthen their distinct political, legal, economic, social and cultural institutions”^{Footnote 14} as well as the right to “maintain and develop their own indigenous decision-making institutions.”^{Footnote 15} Article 23 goes on to describe Indigenous Peoples’ right to exercise a right over development and delivery of programs through their own institutions^{Footnote 16} while Article 31 describes the kinds of traditional knowledge and expressions thereof that Indigenous Peoples are entitled to maintain, control, and protect which includes “human and genetic resources.”^{Footnote 17}

The OCAP (Ownership, Control, Access, and Possession) Principles guide Indigenous communities “in making decisions regarding why, how, and by whom information is collected, used, or shared.”^{Footnote 18} These principles reflect the rights of Indigenous Peoples to maintain and control information about their communities and includes reports, statistics, records, and other data. Entities such as the First Nation Information Governance Centre (FNIGC) have developed expertise and governance structures to ensure that Indigenous community input is incorporated into decision-making that impacts data practices, on the OCAP framework.

Embracing the OCAP Principles in the Privacy Act could be achieved through consultation with Indigenous groups. It could involve formalizing a role for the FNIGC and similar governance mechanisms representing other Indigenous groups within the parameters of the Act. This gatekeeping role would operate in addition to the protections in the Act, providing an additional layer of control. Depending on the nature and scope of the information, data can be repatriated to Indigenous groups and the governance bodies such as the FNIGC can operate as a ‘gatekeeper’ to that personal data.^{Footnote 19} Certain government activities including health and demographic research could be made contingent on approval by the FNIGC and in reliance on its community . Notably, FNIGC input must apply to data that is exempted from or imperfectly covered by the current Act, including de-identified and aggregate data.^{Footnote 20} Government use of this type of data can have significant impact on First Nation communities, and its use should reflect their communal privacy interests. Finally, the full realization of the OCAP Principles would necessarily entail increased funding for bodies such as the FNIGC and for other Indigenous communities to increase their own data governance capacity and exercise greater control over the information collected about them and held by federal government departments and agencies.

In addition, additional protections for specific categories of data might be adopted into the Privacy Act in consultation with Indigenous groups. For example, the Canadian Bar Association’s Privacy and Access Law and Aboriginal Law Sections have identified a risk that personal data of residential school survivors might be disclosed without their explicit consent.^{Footnote 21} Disclosure without input in this context could “result in deep discord within the communities whose histories are intertwined with that of the residential schools system” and would undermine reconciliation.^{Footnote 22}

Recommendation 3: Incorporate Indigenous Community Control

In consultation with Indigenous groups, explore formalizing a role for community input mechanisms such as the First Nations Information Governance Centre.
Control and input provided through Indigenous governance bodies should expand the protections available in the Act, and apply to personal data that is currently imperfectly captured by the Act such as de-identified or statistical demographic data.
Funding must also be made available for Indigenous communities seeking to exercise community control over their information.
In consultation with Indigenous groups, some categories of data might require additional and explicit protection within the Act.

Section 3. An Effective Regulatory Framework

An effective regulatory framework must place an independent regulator at its core. Currently, the role delegated to the Privacy Commissioner is deficient in two key respects.

First, the consultation document notes that the Act lacks a comprehensive compliance framework. This is an understatement. Currently, the Office of the Privacy Commissioner of Canada is only able to issue non-binding recommendations when responding to complaints, and even its access to enforcement through the [pita] de novo mechanism is curtailed and limited to individual access denials. Meaningful respect for the right to privacy in the modern era demands an independent regulator with the ability to apply the law where necessary.

Second, under the Act, the Treasury Board of Canada Secretariat (TBS) is the primary vehicle for implementing the Act’s substantive obligations. This provides no latitude for the Privacy Commissioner to impose regulatory policies regarding specific practices. While TBS has an important and central ongoing role to play in privacy management, in an age where technological innovation fuels rapid and tectonic changes in government practices, independent regulatory frameworks have an instrumental role to play.

As a result, the Privacy Act lacks a meaningful regulatory framework commensurate with the important quasi-constitutional rights it is intended to protect.

The current framework for regulatory control and oversight under the Privacy Act is deficient. Under this framework, the Act is applied by government institutions through their respective policies and practices, through TBS which issues government-wide policies and directives, through judicial review of government conduct, or through the auspices of the Privacy Commissioner who can issue non-binding findings in response to complaints or investigations. A modernized Privacy Act would enhance shortcomings in this framework.

3.1 Improving accountability for frontline agencies

Frontline responsibility for applying the Act rightly rests pragmatically with government institutions and agencies through their respective policies and practices.^{Footnote 23} There is currently no explicit accountability obligation in the Act, and the requirement to operate a structured privacy management program arises primarily from non-binding TBS policies.^{Footnote 24} A The consultation document recommends encoding this obligation within the text of the statute.^{Footnote 25}

Accountability obligations are becoming a regular feature of data protection frameworks, including those applying to public sector bodies.^{Footnote 26}

Formalizing an accountability framework within the text of the statute would improve compliance by explicitly empowering the privacy commissioner to review privacy management programs and impose conditions on their structure and constituent elements.

Recommendation 4: Formalize Accountability obligations

Accountability obligations currently hosted primarily in TBS policies should be formalized within the text of the Act and subject to review and detailed elaboration by the Privacy Commissioner.

The consultation document also recommends codifying an obligation to conduct privacy impact assessments within the text of the statute. As with other accountability mechanisms, there is currently no explicit obligation within the Privacy Act to conduct Privacy Impact Assessments (PIA). PIAs are intended to allow for early analysis and review of the privacy and related human rights and ethical implications of an intended activity with the objective of building trust and confidence in government data practices.^{Footnote 27} TBS policies recognize a non-binding requirement to conduct privacy impact assessments for new or substantially modified programs and activities where personal information is implicated.^{Footnote 28}

Several features of the current PIA framework undermine its ability to instill public confidence in government privacy practices. To begin with, the requirement to conduct a privacy impact assessment is a non-binding policy, meaning it can be ignored on a case by case basis while the standard for conducting PIAs can be changed by TBS at any time.^{Footnote 29} Second, while TBS requires agencies to notify the Privacy Commissioner of any privacy impacting initiatives at an early stage of development, agencies are only required to consult with internal government stakeholders until the PIA has been finalized.^{Footnote 30} Finally, there is no obligation to consult with external stakeholders or with the public in general during the program development process, while only recommended some elements of a PIA are ever made public once the PIA has been finalized and approved.^{Footnote 31} As a result, highly invasive programs may progress through testing, piloting and advanced implementation stages before meaningful external input is provided.^{Footnote 32}

The Privacy Act must impose a legal impact assessment obligation, triggered by the intention to adopt or expand any program or course of action that implicates personal information. The Privacy Act must also provide the Privacy Commissioner with latitude to impose binding obligations regarding the nature and rigour with which different impact assessments occur, taking into account factors such as the sensitivity of the personal information at issue and the risk of harm. The impact assessment process must be broad enough to permit a range of considerations,^{Footnote 33} and must include space for public input in particular with respect to the adoption of potentially controversial technologies and programs.^{Footnote 34} It is notable in this respect that regulators in Australia and the United Kingdom, regulators have indicated the need to consult with relevant civil society stakeholders and the general public as integral steps in meeting the legally mandated public impact assessment requirement in their respective privacy statutes.^{Footnote 35}

Finally, the Privacy Act or accompanying binding regulatory guidance from the Privacy Commissioner must mandate that full privacy impact assessments be published by default.^{Footnote 36} Any redactions or omissions must be justified, with reference to clearly established rationales such as those encoded as exceptions to the right of access in section 12 of the Act. In its inaugural report, the government’s National Security Transparency Advisory Group (NS-TAG) noted the “reflexive secrecy” of many government agencies and flagged the need for more aggressive and proactive disclosure in order to foster the democratic resilience and credibility of public agencies.^{Footnote 37} There is simply no justification to continue current practice in Canada, where it is the default to publish short and incomplete summaries of PIAs and force individuals seeking to discover further information to rely on the auspices of the Access to Information Act.

Recommendation 5: Encode Rigorous Privacy Impact Assessment Obligations

Encode an obligation to conduct robust impact assessments at the earliest possible opportunity in the adoption and development cycle of privacy-impacting programs.
Assessments must be conducted under the close supervision of the privacy commissioner and, where appropriate, with public and civil society input, and finalized impact assessments must be made public by default.
The scope of impact assessments must be broad enough to encompass ethical and human rights impacts arising from the processing of personal information.
The privacy commissioner must be able to issue binding regulatory guidance on the conditions for undertaking privacy impact assessments, the criteria which guide how rigorous a given assessment must be, and the need to consult with expert stakeholders or the general public.

3.2 Applying & Enforcing the Act

The Act must also be amended to provide a more robust regulatory framework.

The addition of a mechanism to conclude legally binding agreements with government agencies is a helpful recommendation. The Privacy Commissioner must also be empowered to issue binding orders when resolving investigations under section 29 of the Act, including the power to issue remedial measures where appropriate to comply with the Act. The appeal path from such orders must not replicate the existing de novo review currently employed as the primary enforcement mechanism under PIPEDA (which regulates privacy in the private sector) and for elements of the Privacy Act. De novo review is an overly intensive enforcement mechanism that ignores the specialized expertise of a quasi-judicial body such as the Office of the Privacy Commissioner.

In addition, the Privacy Commissioner must be free to conduct regulatory oversight and control of public agencies outside the strictures of the complaint driven process. In this respect, the capacity to conduct commissioner-initiated investigations under section 29(3) must be broadened by removing the reasonable grounds limitation. It is unclear on why a threshold investigative standard should operate to limit the Commissioner’s capacity to ensure public agencies are respecting the Privacy Act.

In addition, the Commission must be empowered to issue binding regulatory guidance in a proactive manner. Currently, TBS is the primary entity through which non-binding directives and guidelines are applied across all government agencies.^{Footnote 38} While procedural safeguards such as the need for a public inquiry and a statutory appeal would be important to incorporate into the development of binding regulatory policies, the Commission must be empowered to issue proactive guidance even in the absence of an existing violation of the Act.

Recommendation 6: Grant the Privacy Commissioner True Regulatory Powers

Empower the Privacy Commissioner to enter into legally binding agreements with government agencies.
Empower the Privacy Commissioner to issue binding orders subject to deferential appeal by any impacted individual or agency when resolving investigations into violations of the Act.
Empower the Privacy Commissioner to conduct investigations into agency practices even in the absence of reasonable grounds to believe an investigation is required.
Empower the Privacy Commissioner to proactively issue binding regulatory frameworks, following a public proceeding and subject to deferential appeal by any impacted individual or agency .

Finally, in order to incentivize compliance with the Act and to ensure public agencies are held to at least the same standard as private companies, a private right of action should be incorporated into the Privacy Act. Ideally, this right of action would include statutory damages for specific types of violations. At minimum, however, the mechanism should allow for damages where violations of the Privacy Act result in harm. A model for such a provision exists in Bill C-11, which currently proposes to amend PIPEDA by recognizing the right of any individual to seek damages in any superior court of record for any loss or injury suffered as a result of a contravention of that statute.^{Footnote 39} A similar cause of action would be important to ensure accountability for public agencies.

Recommendation 7: Encode a Private Right of Action for Resulting Harms

Encode a private right of action that would at minimum recognize the right of individuals to seek damages in any superior court for any loss or injury resulting from a confirmed contravention of the Act.

Section 4. Improving Transparency Measures

The ability to collect information about individuals without their direct participation has grown exponentially in the years since the Privacy Act was initially enacted. Currently, government agencies are only required to report annual statistics regarding the frequency and nature of certain types of electronic surveillance, while the majority of third party collection remains unreported.^{Footnote 40} It is important for the public to understand the scope and parameters of government data collection from external sources, particularly in light of the tendency for rapid changes in practices regarding data collection of this type. The Privacy Act should require government departments and agencies to report annually the scale and nature of personal data collected directly from third party sources.

As the Consultation Document notes, agencies should also be required to publish privacy notices, explaining to the public their personal information practices. The Privacy Act should include an additional openness obligation, requiring government agencies to elaborate on their practices when receiving requests from individuals. Most private sector organizations in Canada are subject to such openness obligations, and government agencies should not be held to a lower standard.^{Footnote 41}

Finally, the Privacy Act should require government agencies to notify individuals where their sensitive personal data has been collected without their participation, subject to exceptions relating to investigative necessity. Currently, government agencies are able to surreptitiously undertake intrusive programs with no public accountability at all and without impacted individuals ever becoming aware.

For example, in 2018, Statistics Canada undertook an intrusive and wide-ranging program that collected the sensitive financial information of 24 million Canadians from financial institutions.^{Footnote 42} This program only came to public attention through unofficial channels, whereas the agency itself stressed its view that it was under no legal obligation to inform impacted individuals of their inclusion in the program.^{Footnote 43} The operation and secrecy of intrusive, disproportionate and wide-ranging programs of this nature undermines trust in public agencies, and the lack of any legal recourse exacerbates this lack of trust.

Recommendation 8: Encode Statistical Reporting & Individual Notice Requirements

Obligate government agencies to publish annual statistics on the scope and nature of their third party data collection and disclosure programs.
Obligate government agencies to publish privacy notices outlining their privacy practices.
Obligate government agencies to take reasonable steps to inform individuals of the details of their privacy practices upon request.
Obligate government agencies to notify individuals when their sensitive personal information is collected, used or disclosed without individual participation.

Section 5. Safeguards & Breach Notification

While the Privacy Act currently implicitly requires government institutions to prevent unauthorized disclosure, there is no explicit obligation to adopt security safeguards and to notify impacted individuals should a data breach occur. In addition, the Act should explicitly prohibit agencies from undermine cryptography and other central security mechanisms.

Prominent security breaches in both the private and public sector are no longer infrequent occurrences and can greatly undermine trust in government data stewardship.

The reform initiative should formalize the obligation to adopt security safeguards and to notify the Privacy Commissioner as well as any impacted individuals should a breach of these security safeguards occur. The Act should establish rigorous standards for this new security safeguard and notification obligation.

Recommendation 9: Set high standard for safeguards & breach notification

The Act should obligate the adoption of robust technical and organizational safeguards to prevent unauthorized access to personal information under government control.
The Act should obligate agencies to notify the Privacy Commissioner of Canada of any non-trivial breach of security safeguards and to notify any potentially impacted individuals.

The Privacy Act should also adopt measures that will improve the background conditions for cybersecurity. Cybersecurity is effectively an arms raise to secure data against adversaries of constantly evolving capabilities and sophistication. Securing data in this context is difficult, and it is important to adopt measures that will create a more favourable environment for those seeking to do so.

To this end, the Act should explicitly prohibit government actions that undermine security at a systemic level. Historically, various government agencies have controversially acted to weaken core security tools such as encryption protocols and implementation mechanisms.^{Footnote 44} As recommended in 2019 by the House Standing SECU Committee, government agencies should prioritize general cybersecurity over other objectives such as the impetus to undermine critical safeguards in order to facilitate greater access to personal data.^{Footnote 45} The Act should explicitly prohibit agencies from undermining or limiting encryption.

Additionally, the Act should provide a regulatory basis for addressing security vulnerabilities and exploits. This would include the impetus for a framework addressing vulnerability equity and disclosure programs.

Too often, security researchers in Canada have faced serious legal threats and liability for good faith attempts to notify government agencies of security lapses.^{Footnote 46} CIPPIC has additionally worked with security researchers who were deterred from disclosing uncovered vulnerabilities due to the potential threat of civil or criminal liability. Many government agencies and companies around the world have formalized ‘safe harbours’ for individuals who wish to disclose security vulnerabilities.^{Footnote 47}

Formalized Vulnerability Disclosure Programs result in a three-fold benefit. First, they establish parameters for appropriate security analysis to guide researchers. Frequently, potentially problematic security research practices (e.g. where personal information is exfiltrated in contexts where doing so is unnecessary for a proof of concept, or overly rapid publication of an exploit before an agency has had the opportunity to address it) are frequently forestalled simply by providing authoritative and clear guidance on what is and is not appropriate. Second, it substantially improves the security of government systems by removing barriers that otherwise chill security researchers from disclosing critical vulnerabilities. Finally, it is fundamentally unfair to punish well meaning researchers who are simply attempting to point out security flaws in government networks and services. Even where such researchers ultimately mount a legal defence and are acquitted, the cost and trauma are unjust reward for purely non-malicious endeavours. While the details and specifics of any safe harbours for security researchers are perhaps best addressed by individual agencies with guidance from TBS and under the oversight of the Privacy Commissioner, the impetus for this safe harbour must be encoded in the Act.

Government agencies also frequently become aware of vulnerabilities in off the self systems in the course of their general activities. For some agencies, questions surrounding treatment of known vulnerabilities are complicated by conflicting lawful access objectives. For such organizations, a known but undisclosed vulnerability is an opportunity that can be exploited to access a secure system for public safety, national security or broadly framed foreign intelligence purposes. As a result, sometimes known vulnerabilities remain unreported and are even stockpiled by some agencies, even while the same vulnerabilities undermine security of other Canadian government systems. In extreme cases, unauthorized access to vulnerability stockpiles collected by government and private sector agencies has led to widespread harm as the unpatched vulnerabilities in health, financial, educational and government systems were widely exploited.^{Footnote 48} We note that effective defensive security does not require stockpiling of previously unreported zero day exploits.^{Footnote 49}

With this in mind, when organizations balance competing offensive and defensive objectives in order to assess exploit disclosure, it is critical that this occur with independent input and within a legal framework. Many agencies operate a Vulnerability Equities Program, but the parameters and operation of VEPs remain deeply secret and are not clearly subject to rigorous regulatory oversight.^{Footnote 50} Other agencies may lack a formal VEP altogether, despite relying on vulnerabilities in the broader course of their public safety and national security activities. The Privacy Act should therefore mandate organizations to emphasize systemic security when assessing whether to publicize discovered vulnerabilities. The Privacy Commissioner should also be empowered to compel specific agencies to adopt and publicize VEPs, and to audit the operation of these programs.

Recommendation 10: Secure conditions for robust encryption & vulnerability disclosure

Prohibit agencies from actively undermining critical security protocols and tools such as encryption.
Create a legislative safe harbour for responsible security disclosure of vulnerabilities to agencies.
The Act should obligate agencies to emphasize systemic cybersecurity considerations when assessing whether to publicize discovered vulnerabilities.
Empower the Privacy Commissioner to compel specific agencies to adopt and publicize formal Vulnerability Equities Programs and to audit the operation of these programs.

Section 6. Publicly Available & De-identified Data

The Consultation Document contemplates changing two central gate-keeping concepts in the Act. The Document asks whether the Act’s exception for publicly available information should be narrowed and whether a definition should be adopted for when personal information is not ‘identifiable’ and therefore falls outside the protections of the Act. The Act must be defined in an expansive manner, so that data categories are not excluded from its protective scope.

6.1 Publicly Available Information

Sub-section 69(2) of the Privacy Act currently excludes publicly available personal information from the Act’s use and disclosure protections. The Consultation Document suggests that ‘publicly available’ should be defined and the scope of the exception should be narrowed. We agree.

It should be noted at the outset that Canadian courts have long recognized that privacy expectations persist in public spaces. As the Consultation Document states, privacy laws have also historically applied to publicly available personal information in Canada.

This is for good reason, and monitoring of social media sites provides a cogent example. Social media is user-generated content. It comes in many forms from text, to images to videos, and is a window into the lives of the content producer. Approximately 95.9% of all Twitter users have less than 500 followers.^{Footnote 51} While for Facebook, an average user has 338 friends and only considers 28% to be authentic.^{Footnote 52} Many platforms also have Terms of Services that restrict third party capturing, storing and indexing. The social context in which these interactions occur reinforces a strong expectation that they will not be repurposed to achieve any of a range of state objectives.

The detailed and sensitive information that can be collected through social media and the deep insights that can be drawn from open source intelligence demonstrate the need for a regulatory framework of some form. This is particularly the case as Indigenous Peoples and members of other marginalized communities are frequently the objects of monitoring. The Royal Canadian Mounted Police’s Project Sitka, for example, mapped Indigenous protest movements in Canada through intensive social media monitoring. Despite the predominantly peaceful nature of the protests, Project Sitka tracked hundreds of individuals through social media and recorded their affiliation with various political protests and causes.^{Footnote 53} The National Energy Board has similarly engaged in monitoring of Indigenous and other participants in a forthcoming regulatory hearing.^{Footnote 54} And in 2010, Aboriginal Affairs and Northern Development Canada surreptitiously monitored the personal Facebook postings of a First Nations activist who was engaged in litigation with the Department.^{Footnote 55} In each of these instances, the potential for abuse is high, underscoring the need to maintain a regulatory regime.

The Act should therefore be amended to remove the broad existing exception for use or disclosure of publicly available information. Some targeted exceptions might be adopted in its place, permitting specific data practices in relation to personal information published on non-interactive sites, such as newspapers, or for purposes that related directly to those for which the personal data was disclosed.

Recommendation 11: Ensure publicly available information is sufficiently protected

Remove the existing exceptions for use and disclosure of publicly available information and replace with targeted exceptions for specific data handling of personal information from non-interactive publications.

6.2 Identity Obfuscation Techniques

The Consultation Document also suggests encoding an explicit role for identity obfuscation techniques within the Privacy Act. As noted in the document, de-identification and other identity obfuscation techniques can operate as a meaningful privacy safeguard. However, de-identification techniques should not operate as wide-ranging exceptions to the Act’s core protections.^{Footnote 56}

Few identity obfuscation techniques are flawless, particularly when applied at large scale, while re-identification capabilities continue to develop.^{Footnote 57} As a result, organizations frequently under-estimate the risk of re-identification, and this has led to a number of instances where individuals have been re-identified by third parties. In addition, de-identified datasets and models can increasingly impact individuals in myriad ways.^{Footnote 58}

As a result, de-identified data which constitutes personal information must remain subject to the Act’s core protections, including its consistent purpose and consent requirements. Enrollment in a personal information bank where personal information has been de-identified to some degree must continue to constitute a ‘use’, a ‘disclosure’, or a ‘creation’ of personal data.

De-identification can play an important role as a technical safeguard for personal information, and in particular can implicate the proportionality of a given data program. For example, depending on the use and personal information at issue, less rigorous notification or consent mechanisms may be appropriate where robust de-identification is applied.

Recommendation 12: Identity obfuscation techniques as safeguards, not exclusions

The Act and all of its protections should continue to generally apply to the collection, use, disclosure and retention of information about an identifiable individual.
Identity obfuscation techniques should be recognized as important technical safeguards, as well as a factor in assessing the proportionality of any given data practice.
Re-identification might be directly incorporated into elements of specific measures in the Act, such as determining whether consent can be implied or not to achieve a non-consistent but publicly important and non-adversarial objective.
Re-identification attempts should be directly prohibited and penalized in the Act.

Section 7. Cross-Border Disclosures

The Consultation Document suggests encoding an accountability regime for the processing or storage of personal data by organizations that reside outside of Canada.

This form of outsourcing can pose a risk to privacy, in particular because such organizations are subject to foreign state access laws and frequently operate under different norms. Cross-border flows are particularly complicated by the broad scope of national security regimes, which place few limits on the ability of signals intelligence agencies to access private data of non-citizens.^{Footnote 59} Private sector companies are limited in their ability to resist lawful access demands from foreign state agencies, a limitation that increases when personal information is stored or processed in foreign jurisdictions.^{Footnote 60}

Currently the Privacy Act regulates disclosures of personal information, including the need to prevent unauthorized disclosure. As a result, risks associated with cross-border personal information flows are considered as a component of the broader impact assessment that accompanies any disclosure of personal information from a government agency to a private sector entity for storage or processing. To that end, in some contexts, measures must be taken to ensure personal information does not flow outside of Canada whereas in other contexts contractual or technical measures must be taken to ensure comparable privacy and security standards.^{Footnote 61} The level of risk is currently assessed based on the sensitivity of the information in question, the reasonable and contractual expectations of impacted individuals, and the probability and gravity of a resulting harm.^{Footnote 62}

The Act could encode an explicit obligation on government agencies to ensure a comparable level of protection when personal information is disclosed in a manner that will expose it to the laws and standards of foreign jurisdictions. Realization of this obligation may be contingent on the existing impact assessment process, under the supervision of TBS and the regulatory oversight of the Privacy Commissioner of Canada. This risk assessment process could be augmented by a personal information classification schema, which would assign different risk levels depending on the sensitivity of the personal information, the incentives for misuse that it attracts, and any benefits that are contingent on the personal information being processed abroad.

Recommendation 13: Formalize Cross-Border Transfer Regime

The Privacy Act should include an explicit obligation governing cross-border disclosure:

X. A Government Institution must ensure that any international transfer of personal information under its control or that results from a disclosure of personal information will provide a comparable level of privacy protection.

Section 8. Automated Decision-making

The Privacy Act must adopt and maintain robust measures for oversight of automated decision-making. Reliance on algorithmic tools is growing rapidly with significant implication for impacted individuals, underscoring the need to retain and expand current obligations in the Act.^{Footnote 63}

Currently, the Privacy Act and related non-binding Treasury Board Secretariat of Canada (TBS) policies impose various obligations with respect to reliance on algorithmic tools.

Sub-section 6(2) of the Privacy Act requires agencies to “take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.”^{Footnote 64} “Administrative purpose” is currently defined as “the use of [personal] information in a decision making process that directly affects [an] individual”.^{Footnote 65}

This obligation leads to a number of implications for automated decision-making systems. First, algorithmic systems rely on large datasets in order to ‘learn’ new automated tasks. Where these automated tasks include decisions that impact individuals, the underlying datasets must be accurate. Second, data-driven analytical tools (including algorithmic systems) rely on personal data in their operation and must be carefully calibrated to ensure that they lead to accurate results when relied upon in government decision-making processes that impact individuals.^{Footnote 66} As many automated decision-making tools are characterized by deep racial biases, disproportionate impact on marginalized groups must be actively avoided.^{Footnote 67}

The Consultation Document recommends expanding sub-section 6(2) so that it is no longer limited to personal information in the context of automated decision-making by broadening the current definition of ‘administrative purpose’. While a more general ‘fit for purpose’ definition of administrative purpose would improve the protective scope of the Privacy Act, any amendments should, at minimum, retain an emphasis for the importance of personal information used in decision-making processes. An improved provision would explicitly encode a general obligation to ensure that any automated tools used in administrative decision-making are accurate.^{Footnote 68} In terms of specific vetting criteria, an ongoing role for TBS and the Office of the Privacy Commissioner of Canada is appropriate. In this context, TBS can issue policies, the OPC can impose binding regulatory guidance, and the OPC can apply fact-specific obligations when conducting impact assessments and conducting investigations.

Automated decision-making processes are currently also guided by non-binding TBS policies, including the TBS Directive on Automated Decision-Making and a TBS Algorithmic Impact Assessment tool.^{Footnote 69} The Directive adopts specific measures addressing transparency, accuracy and the need for human supervision, with measures of increasing rigour recommended based on the perceived anticipated ‘impact’ of a given decision-making system, while the Impact Assessment tool provides assists agencies in determining the gravity of this impact.^{Footnote 70}

Elements of this framework should be encoded directly into the Privacy Act. Specifically, the obligation to include human supervision of any automated decision-making system impacts on individuals. A lower threshold for triggering the obligation for human intervention should be adopted, modelled on the European regime, which prohibits fully automated decision-making where any legal or similarly significant effects may result for an individual.^{Footnote 71} The Privacy Commissioner should establish what criteria and considerations might meet these impact thresholds through binding regulatory guidance,^{Footnote 72} while TBS would manage implementation.^{Footnote 73}

The Act should similarly adopt obligations for public transparency requiring public notification in advance of the adoption of algorithmic tools in any decision-making process, to explain the underlying general logic of an algorithmic assessment to any individual impacted by it, to provide details regarding the composition of any training datasets, and to publicize theoretical and ongoing accuracy and bias rates.

The Act’s accuracy obligation could be met through a range of measures, depending on the impact of the anticipated tool. The Privacy Commissioner of Canada should be explicitly empowered to determine the specific criteria that should trigger different levels of rigour in meeting this obligation. Adoption of impactful automated decision-making systems must continue to be preceded by independent peer review, as well as consultation with stakeholders, including in particular with members of systemically marginalized communities.^{Footnote 74} TBS should also be responsible for periodically auditing decision-making systems for accuracy and bias, and the Privacy Commissioner may require independent third party audits in appropriate instances.

Recommendation 14: Encode a Regulatory Framework for Automated Decision-Making

The Act’s accuracy obligations should explicitly encompass an obligation to ensure data-driven assessment tools are accurate as possible.
The Act should include an explicit right to a human decision-maker at least where administrative conduct impacts the legal or other substantial interests of individuals.
The Act should explicitly obligate state agencies to be transparent in their use of automated decision-making tools. Measures include disclosing what tools are in use, publishing the composition of training datasets employed, and publishing accuracy and racial bias rates on an ongoing basis.
The Act should encode an individual right to be notified of any automated assessment tool that contributed to a decision that impacted them and to request an explanation of the logic underlying that assessment.
The Act should empower the Privacy Commissioner of Canada to compel different accuracy and transparency measures depending on the potential impact of the automated decision-making system in question and to audit systems for impact and bias.

Section 9. Biometric Protections

Biometric information poses a distinct threat to privacy. The underlying information is inherently sensitive, in that it is intricately linked to individual’s physical being or core behavioural traits. State deployment of biometric capabilities are also frequently intrusive in nature, while the creation and adoption of such capabilities frequently occurs surreptitiously, without public input.^{Footnote 75}

Legal regimes around the world increasingly adopt dedicated legal protections for biometric information.^{Footnote 76} Regional public and private sector entities have imposed moratoriums on some particularly intrusive forms of biometric recognition.^{Footnote 77}

The Privacy Act should explicitly recognize the sensitive nature of biometric information. Any specific course of conduct by a government agency that involves biometric information should trigger the highest and most robust protections available. This could involve, for example, requiring a more overt form of consent or a more stringent proportionality and necessity analysis.

The Act should also empower the Privacy Commissioner to impose specific conditions on the adoption and use of particularly intrusive biometric tools, including the requirement for prior approval by the Commissioner in the absence of express statutory authorization.^{Footnote 78}

Recommendation 15: Additional Protection for Biometrics

The Act should explicitly recognize biometrics information as sensitive, triggering the most robust protections available under the Act.
The Act should empower the Privacy Commissioner to impose specific conditions on the adoption and use of particularly intrusive biometric systems.

Footnotes

Footnote 1

Human Rights Committee, CCPR General Comment 16, HRI/GEN/1/Rev.9, para 10 (noting, with respect to personal information held by public or private authorities, that the right to privacy protected by Article 17 of the ICCPR encompasses the right to effective measures precluding unauthorized processing, the right to individual access, the right to openness of data handling processes, and the right to data accuracy).

Return to footnote 1 referrer

Footnote 2

Lavigne v Canada (Office of the Commissioner of Official Languages), 2002 SCC 5, paras 24-25.

Return to footnote 2 referrer

Footnote 3

Lavigne v Canada (Office of the Commissioner of Official Languages), 2002 SCC 5, paras 24-25.

Return to footnote 3 referrer

Footnote 4

Human Rights Committee, CCPR General Comment 16, HRI/GEN/1/Rev.9, paras 1 and 10: “this right is required to be guaranteed against all such interferences and attacks whether they emanate from State authorities or from natural or legal persons. The obligations imposed by this article require the State to adopt legislative and other measures to give effect to the prohibition against such interferences and attacks as well as to the protection of this right The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law.”

Return to footnote 4 referrer

Footnote 5

HJ Heinz Co of Canada Ltd v Canada (Attorney General), 2006 SCC 13, para 26: “… the right to privacy is paramount over the right of access to information, except as prescribed by the legislation.”

Return to footnote 5 referrer

Footnote 6

See: Human Rights Committee, CCPR General Comment 16, HRI/GEN/1/Rev.9, para 7: “competent public authorities should only be able to call for such information relating to an individual’s private life the knowledge of which is essential in the interests of society as understood under the Covenant.”

Return to footnote 6 referrer

For examples from the European Human Rights framework, see: European Data Protection Supervisor, Opinion 10/2017, p 7 (discussing the permissible scope of derogations by member states from elements of the European data protection law):

The EDPS, first, emphasises that any derogations from the right to the protection of personal data must not go beyond what is strictly necessary to achieve their objectives and must meet the high standards required by Article 52(1) of the Charter. This Article provides that ‘any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others’ (emphasis added).

See also: Opinion 1/15, January 30, 2015 (CJEU, Grand Chamber) para 138; Case C-291/12, Schwarz v Bochum, October 17, 2013 (CJEU Fourth Chamber) para 34; Case C-92/09, Volker und Markus Schecke GbR, November 9, 2010 (CJEU, Grand Chamber), para 65.

See also: Cash Converters Canada Inc v Oshawa (City), 2007 ONCA 502, paras 29-31.

Footnote 7

Privacy Act, RSC 1985, c P-21, section 4.

Return to footnote 7 referrer

Footnote 8

Union of Canadian Correctional Officers, 2016 FC 1289, para 139: “…as part of the parliamentary business for the Act’s reform, the Department of Justice took the position that section 4 need not be amended to include a necessity test because the test was already contained therein. The Department of Justice’s legal representative provided the following explanation: “[t]he Treasury Board guidelines have said this expression “unless it relates directly” should mean a necessity test. Arguably, that’s the only legal interpretation that’s possible.

Return to footnote 8 referrer

Footnote 9

Treasury Board of Canada Secretariat, Treasury Board of Canada Secretariat, Interim Directive on Privacy Practices, effective March 13, 2020, section 6.2.8. See also discussion in Tamir Israel, “Facial Recognition at a Crossroads: Transformation at our Borders & Beyond”, September 2020, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3714297, Section 3.2.2, p 117.

Return to footnote 9 referrer

Footnote 10

Canada (Union of Correctionnel Officers) v Canada (Attorney General), 2019 FCA 212, paras 38 and 40.

Return to footnote 10 referrer

Footnote 11

Cash Converters Canada Inc v Oshawa (City), 2007 ONCA 502, para 52. See also: British Columbia, Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165, section 26(c); Ontario, Freedom of Information and Protection of Privacy Act, RSO 1990, c F 31, sub-section 38(2); Nova Scotia, Freedom of Information and Protection of Privacy Act, SNS 1993, c 5, paragraph 24(1)(c).

Return to footnote 11 referrer

Footnote 12

PIPEDA, section 5(3).

Return to footnote 12 referrer

Footnote 13

Truth and Reconciliation Commission of Canada, Calls to Action (Winnipeg: Truth and Reconciliation Commission of Canada, 2012) at 4.

Return to footnote 13 referrer

Footnote 14

United Nations Declaration on the Rights of Indigenous Peoples, GA Res 61/295, UNGAOR, 61st Sess, Supp No 53, UN Doc A/61/53 (2007), 19 at 21.

Return to footnote 14 referrer

Footnote 15

First Nations Information Governance Centre, “Ownership, Control, Access and Possession (OCAP): The Path to First Nations Information Governance”, May 2014, https://fnigc.ca/wp-content/uploads/2020/09/5776c4ee9387f966e6771aa93a04f389_ocap_path_to_fn_information_governance_en_final.pdf, p 23.

Return to footnote 15 referrer

Footnote 16

FNIGC, OCAP, p 24.

Return to footnote 16 referrer

Footnote 17

FNIGC, OCAP, p 25.

Return to footnote 17 referrer

Footnote 18

Alberta First Nations Information Governance Centre, “Ownership, Control, Access and Possession”. http://www.afnigc.ca/main/includes/media/pdf/brochures/OCAP%20FAQ.pdf.

Return to footnote 18 referrer

Footnote 19

FNIGC, OCAP, p 14.

Return to footnote 19 referrer

Footnote 20

FNIGC, OCAP, p 28. A framework of this nature adopted within the Privacy Act should apply to other related statutes as well, such as the Access to Information Act.

Return to footnote 20 referrer

Footnote 21

Privacy and Access Law and Aboriginal Law Sections, “Privacy Act Modernization”, October 2019, Canadian Bar Association https://www.cba.org/CMSPages/GetFile.aspx?guid=e57b3073-09bd-44a3-91d5-c664b44309f2, p 30.

Return to footnote 21 referrer

Footnote 22

Canada (Attorney General) v Fontaine, 2017 SCC 47, para 47.

Return to footnote 22 referrer

Footnote 23

Treasury Board of Canada Secretariat, Interim Policy on Privacy Protection, effective as of March 13, 2020, section 4.2; Treasury Board of Canada Secretariat, Interim Directive on Privacy Practices, effective March 13, 2020, sections 3.3 and 6.

Return to footnote 23 referrer

Footnote 24

TBS, Interim Policy on Privacy Protection, effective as of March 13, 2020, section 4.2; TBS, Interim Directive on Privacy Practices, effective March 13, 2020, sections 3.3 and 6: “heads of government institutions are to establish practices for the protection and management of personal information under their respective institution’s control to ensure that the Act is administered in a consistent and fair manner. This directive supports the policy by setting out the requirements for sound privacy practices and management of personal information.”

Return to footnote 24 referrer

Footnote 25

Consultation Document, pp 16-17 and Annex 3.

Return to footnote 25 referrer

Footnote 26

OECD, Council Recommendation, Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013), C(80)58/Final, as amend by C(2013)19, Article 15; European Union Regulation 2016/679, Article 25; European Data Protection Supervisor, Opinion 5/2018, May 31, 2018.

Return to footnote 26 referrer

Footnote 27

Office of the Privacy Commissioner of Canada, Guide to the Privacy Impact Assessment Process, March 2020.

Return to footnote 27 referrer

Footnote 28

TBS, Interim Directive on Privacy Impact Assessment, effective March 13, 2020.

Return to footnote 28 referrer

Footnote 29

Canada (Union of Correctionnel Officers) v Canada (Attorney General), 2019 FCA 212.

Return to footnote 29 referrer

Footnote 30

TBS, Interim Directive on Privacy Impact Assessment, effective March 13, 2020, paras 6.3.6, 6.3.15 and 8.2; Office of the Privacy Commissioner of Canada, Guide to the Privacy Impact Assessment Process, March 2020. TBS, Interim Policy on Privacy Protection, effective March 13, 2020, para 4.2.12 requires agencies to notify the Privacy Commissioner of any anticipated policies or programs that might implicate the Privacy Act or the privacy of Canadians at an early stage of development.

Return to footnote 30 referrer

Footnote 31

TBS, Interim Directive on Privacy Impact Assessment, effective March 13, 2020, para 6.3.16.

Return to footnote 31 referrer

Footnote 32

Bryan Carney, “RCMP Has Yet to Complete Privacy Assessment on Social Media Surveillance Tech”, The Tyee, March 29, 2019, https://thetyee.ca/News/2019/03/29/RCMP-Privacy-Assessment-Incomplete/; “Facial Recognition at a Crossroads: Transformation at our Borders & Beyond”, September 2020, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3714297, section 3.2.2; Tamir Israel and Christopher A Parsons, “Gone Opaque? An Analysis of Hypothetical IMSI Catcher Overuse in Canada”, ver.2, August 2016, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2901522, Section Two.

Return to footnote 32 referrer

Footnote 33

Colin J Bennett & Robin M. Bayley, “Privacy Protection in the Era of ‘Big Data’: Regulatory Challenges and Social Assessments”, in Bart van der Sloot, Dennis Broeder & Erik Schrijvers, Eds, Exploring the Boundaries of Big Data, (Amsterdam: Amsterdam University Press, 2016).

Return to footnote 33 referrer

Footnote 34

Article 29 Working Party, Guidelines on Data Processing Impact Assessments, WP248Rev.1,October 4, 2017, p 8: “The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons. The carrying out of a DPIA is only mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1), illustrated by Article 35(3) and complemented by Article 35(4)). It is particularly relevant when a new data processing technology is being introduced.”

Return to footnote 34 referrer

Footnote 35

Office of the Australian Information Commissioner, “Guide to Undertaking Privacy Impact Assessments”, May 4, 2020, https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-undertaking-privacy-impact-assessments/#s4-identify-and-consult-with- stakeholders, Section 4 " Identify and Consult with Stakeholders"; United Kingdom Information Commissioner’s Office, Conducting Privacy Impact Assessments Code of Practice, https://ico.org.uk/media/about-the-ico/consultations/2052/draft-conducting-privacy-impact-assessments-code-of-practice.pdf, p 15 "External Consultations".

Return to footnote 35 referrer

Footnote 36

This is the case in the United States, where the E-Government Act of 2002, requires that “each agency shall… if practicable, make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means.” E-Government Act of 2002, Pub L107-347, Title II, December 17, 2002, 116 Stat 2910, (codified at 44 USC 3501, notes), section 208(b)(1)(B)(iii).

Return to footnote 36 referrer

Footnote 37

National Security Transparency Advisory Group, “Initial Report: What We Heard in Our First Year”, November 25, 2020, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2020-nstag-irwwh/2020-nstag-irwwh-en.pdf.

Return to footnote 37 referrer

Footnote 38

Privacy Act, section 3.01 and paragraph 71(1)(d); SI/83-109, clause (c); Canada (Union of Correctionnel Officers) v Canada (Attorney General), 2019 FCA 212. Information management directives and guidelines are also circulated by TBS through the auspices of the Financial Administration Act, RSC 1985, c F-11, section 7.

Return to footnote 38 referrer

Footnote 39

Bill C-11, Digital Charter Implementation Act 2020, Clause 2, which would enact section 106 of the Consumer Privacy Protection Act.

Return to footnote 39 referrer

Footnote 40

Criminal Code, RSC 1985, c C-46, Part VI.

Return to footnote 40 referrer

Footnote 41

See, for example, PIPEDA, Principle 4.8.

Return to footnote 41 referrer

Footnote 42

Andrew Russell & David Akin, “Stats Canada Requesting Banking Information of 500,000 Canadians Without Their Knowledge”, Global News, October 26, 2018, https://globalnews.ca/news/4599953/exclusive-stats-canada-requesting-banking-information-of-500000-canadians-without-their-knowledge/.

Return to footnote 42 referrer

Footnote 43

Office of the Privacy Commissioner of Canada, Statistics Canada: Invasive Data Initiatives Should be Redesigned, December 9, 2019, paras 114-122.

Return to footnote 43 referrer

Footnote 44

See generally: Lex Gill, Tamir Israel & Christopher Parsons, “Shining a Light on the Encryption Debate: A Canadian Field Guide”, May 2018, https://cippic.ca/uploads/20180514-shining_a_light.pdf, Parts 3 and 4.

Return to footnote 44 referrer

Footnote 45

Standing House Committee on Public Safety and National Security (SECU), “Cybersecurity in the Financial Sector as a National Security Issue”, 38th Report, 42nd Parl 1st Sess, June 2019, https://www.ourcommons.ca/Content/Committee/421/SECU/Reports/RP10589448/securp38/securp38-e.pdf, Recommendation 8.

Return to footnote 45 referrer

Footnote 46

Katitza Rodriguez & Aaron MacKey, “Dear Canada: Accessing Publicly Available Information on the Internet is Not a Crime”, Electronic Frontier Foundation, April 19, 2018, https://www.eff.org/deeplinks/2018/04/dear-canada-accessing-publicly-available-information-internet-not-crime; Gary Dimmock, “’It Was Four Years of My Life on Hold’ – CAS Whistleblower Cleared of Hacking Charges”, Ottawa Citizen, June 4, 2020, https://ottawacitizen.com/news/local-news/it-was-four-years-of-my-life-on-hold-cas-whistleblower-cleared-of-hacking-charges; Jane Sims, “Canada Revenue Agency Hacker Pleads Guilty Says He Had Best of Intentions”, Ottawa Citizen, May 6, 2016, https://ottawacitizen.com/news/local-news/canada-revenue-agency-hacker-pleads-guilty-says-he-had-best-of-intentions; Tamir Israel, “EFF White Paper Examines Nexus Between Cybercrime Laws, Human Rights & Security Researchers”, CIPPIC, October 18, 2018, https://cippic.ca/news/EFF_paper_examiens_nexus_between_cybercrime_laws_human_rights_and_security_research.

Return to footnote 46 referrer

Footnote 47

Christopher Parsons, “Cybersecurity in the Financial Sector as a National Economic Security Issue”, Testimony before the Standing House Committee on Public Safety and National Security (SECU), February 27, 2019, https://christopher-parsons.com/wp-content/uploads/2019/03/Standing-Committee-on-Public-Safety-and-National-Security_-Cybersecurity-in-the-Financial-Sector-as-a-National-Economic-Security-Issue-Christopher-Parsons.pdf.

Return to footnote 47 referrer

Footnote 48

Return to footnote 48 referrer

Footnote 49

FireEye, “Unauthorized Access of FireEye Red Team Tools”, December 8, 2020, https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html.

Return to footnote 49 referrer

Footnote 50

Return to footnote 50 referrer

Footnote 51

Sysomos, “Twitter Statistics”, Sysomos, https://sysomos.com/inside-twitter/twitter-statistics/.

Return to footnote 51 referrer

Footnote 52

Maddy Osman, “Wild and Interesting Facebook Statistics and Facts (2021)”, January 3, 2021, Kinsta, https://kinsta.com/blog/facebook-statistics/.

Return to footnote 52 referrer

Footnote 53

Royal Canadian Mounted Police, National Intelligence Coordination Centre, “Project SITKA”, File #20131509123, March 16, 2015.

Return to footnote 53 referrer

Footnote 54

Civilian Review and Complaints Commission for the RCMP, Complaint by the British Columbia Civil Liberties Association regarding the Events and the Actions of the RCMP Members Involved in the National Energy Board Hearings in British Columbia”, Final Report, December 2020.

Return to footnote 54 referrer

Footnote 55

Office of the Privacy Commissioner of Canada, Aboriginal Affairs and Northern Development Canada Wrongly Collects Information from First Nation Activist’s Personal Facebook Page”, October 29, 2013. https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-federal-institutions/2012-13/pa_201213_01/.

Return to footnote 55 referrer

Footnote 56

For example, see European Union Regulation 2016/679, recital 28-29: “The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.”

Return to footnote 56 referrer

Footnote 57

Alex Hern, “’Anonymous’ Browsing Data Can Be Easily Exposed, Researchers Reveal”, The Guardian, August 1, 2017, https://www.theguardian.com/technology/2017/aug/01/data-browsing-habits-brokers; Khaled El-Emam, Lucy Mosquera & Jason Bass, “Evaluating Identity Disclosure Risk in Fully Synthetic Health Data: Model Development and Validation”, (2020) 22(11) J of Med Internet Res doi:10.2196/23139; Arvind Narayanan & Edward W Felten, “No Silver Bullet: De-identification Still Doesn’t Work”, July 9, 2014, https://www.cs.princeton.edu/~arvindn/publications/no-silver-bullet-de-identification.pdf; Liangyuan Na, Cong Yang, Chi-Cheng Lo, et al, “Feasibility of Reidentifying Individuals in Large National Physical Activity Data Sets From Which Protected Health Information Has Been Removed with Use of Machine Learning”, (2018) 1(8) JAMA Netw Open, doi:10.1001/jamanetworkopen.2018.6040; Arianna Dorschel, “Rethinking Data Privacy: The Impact of Machine Learning”, April 24, 2019, https://medium.com/luminovo/data-privacy-in-machine-learning-a-technical-deep-dive-f7f0365b1d60.

Return to footnote 57 referrer

Footnote 58

Examples include: Andrew Russell & David Akin, “Stats Canada Requesting Banking Information of 500,000 Canadians Without Their Knowledge”, Global News, October 26, 2018, https://globalnews.ca/news/4599953/exclusive-stats-canada-requesting-banking-information-of-500000-canadians-without-their-knowledge/; Teresa Scassa, “Back to the Future II: Big Data and Privacy in Canada”, teresascassa.ca, March 11, 2015, https://www.teresascassa.ca/index.php?option=com_k2&view=item&id=181:back-to-the-future-ii-big-data-and-privacy-in-canada&Itemid=80; Charles Arthur, “TomTom Satnav Data Used to Set Police Speed Traps”, The Guardian, April 28, 2011, https://www.theguardian.com/technology/2011/apr/28/tomtom-satnav-data-police-speed-traps; Nathan Munn, “‘Predictive Policing’ is Coming to Canada’s Capital, and Privacy Advocates are Worried”, Vice: Motherboard, February 13, 2017, https://www.vice.com/en_us/article/jpaew3/ottawa-police-strategicoperations-centre-canada surveillance.

Return to footnote 58 referrer

Footnote 59

See, for example, Case C-311/18, Schrems v Facebook Ireland, July 16, 2020; Tamir Israel, “Foreign Intelligence in an Inter-Networked World: Time for a Re-Evaluation”, in Ed Michael Geist, Law, Privacy and Surveillance in Canada in the Post-Snowden Era (Ottawa: University of Ottawa Press, 2015), https://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=2643476; Christopher A Parsons, Lex Gill, Tamir Israel, Bill Robinson & Ronald J Deibert, “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59”, December 2017, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3101557.

Return to footnote 59 referrer

Footnote 60

Electronic Frontier Foundation et al, Joint Civil Society Response to Discussion Guide on a 2nd Additional Protocol to the Budapest Convention on Cybercrime, T-CY(2018)16, June 28, 2018, https://cippic.ca/uploads/20180628-CSResponsetoCoE-TCY2018-16.pdf; Tamir Israel, “Trade Agreements; Recent and Upcoming Implications for BC FIPPA Section 30.1”, Testimony, Special Committee to Review the Freedom of Information and Protection of Privacy Act, Legislative Assembly of British Columbia, November 18, 2015, https://cippic.ca/uploads/20151118-BCFOICommittee-Testimony.pdf; United States v Microsoft, Brief of the Interveners, Electronic Frontier Foundation et al, Case No 17-2 (Supreme Court of the United States), https://www.eff.org/document/eff-scotus-amicus-brief-us-v-microsoft;

Return to footnote 60 referrer

Footnote 61

Office of the Privacy Commissioner of Canada, Canada Revenue Agency Takes Adequate Measures to Ensure Personal Information not Moved to US, September 27, 2016; Treasury Board of Canada Secretariat, “Taking Privacy into Account Before Making Contracting Decisions”, August 2010, https://www.canada.ca/en/treasury-board-secretariat/services/access-information-privacy/privacy/guidance-document-taking-privacy-into-account-before-making-contracting-decisions.html; Treasury Board of Canada Secretariat, “Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows”, 2006, https://www.tbs-sct.gc.ca/pubs_pol/gospubs/tbm_128/pm-prp/pm-prp-eng.pdf.

Return to footnote 61 referrer

Footnote 62

TBS, “Taking Privacy into Account Before Making Contracting Decisions”, August 2010, https://www.canada.ca/en/treasury-board-secretariat/services/access-information-privacy/privacy/guidance-document-taking-privacy-into-account-before-making-contracting-decisions.html.

Return to footnote 62 referrer

Footnote 63

Petra Molnar & Lex Gill, “Bots at the Gate: A Human Rights Analysis of Automated Decision-Making in Canada’s Immigration and Refugee System”, The Citizen Lab & International Human Rights Program, September 2018, https://citizenlab.ca/wp-content/uploads/2018/09/IHRP-Automated-SystemsReport-Web-V2.pdf; Kate Robertson, Cynthia Khoo & Yolanda Song, “To Surveil and Predict: A Human Rights Analysis of Algorithmic Policing in Canada”, The Citizen Lab, September 2020, https://citizenlab.ca/2020/09/to-surveil-and-predict-a-human-rights-analysis-of-algorithmic-policing-in-canada/; Tamir Israel, “Facial Recognition at a Crossroads: Transformation at our Borders & Beyond”, September 2020, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3714297.

Return to footnote 63 referrer

Footnote 64

Privacy Act, sub-section 6(2); HJ Heinz Co of Canada Ltd v Canada (Attorney General), 2006 SCC 13, para 22.

Return to footnote 64 referrer

Footnote 65

Privacy Act, section 3; See discussion in: Tamir Israel, “Facial Recognition at a Crossroads: Transformation at our Borders & Beyond”, September 2020, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3714297, footnote 544.

Return to footnote 65 referrer

Footnote 66

Ewert v Canada, 2018 SCC 30, (interpreting Corrections and Conditional Release Act, SC 1992, c 20, subsection 24(1), which imposes comparable accuracy obligations).

Return to footnote 66 referrer

Footnote 67

Ewert v Canada, 2018 SCC 30, paras 49 and 50. See also: Petra Molnar & Lex Gill, “Bots at the Gate: A Human Rights Analysis of Automated Decision-Making in Canada’s Immigration and Refugee System”, The Citizen Lab & International Human Rights Program, September 2018, https://citizenlab.ca/wp-content/uploads/2018/09/IHRP-Automated-SystemsReport-Web-V2.pdf; Kate Robertson, Cynthia Khoo & Yolanda Song, “To Surveil and Predict: A Human Rights Analysis of Algorithmic Policing in Canada”, The Citizen Lab, September 2020, https://citizenlab.ca/2020/09/to-surveil-and-predict-a-human-rights-analysis-of-algorithmic-policing-in-canada/; Tamir Israel, “Facial Recognition at a Crossroads: Transformation at our Borders & Beyond”, September 2020, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3714297; Kate Crawford, “The Hidden Biases in Big Data”, April 1, 2013, Harvard Business Review, https://hbr.org/2013/04/the-hidden-biases-in-big-data; Safiya Umoja Noble, “Algorithms of Oppression”, (NY: New York University Press, 2018); Sarah Myers West, Meredith Whitaker & Kate Crawford, “Discriminating Systems: Gender, Race, and Power in AI”, April 2019, AI Now Institute.

Return to footnote 67 referrer

Footnote 68

‘Automated administrative decision-making’ should be defined broadly and inclusively. The definition employed in Treasury Board of Canada Secretariat, Directive on Automated Decision-Making, effective as of April 1, 2019, https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32592 should be adopted.

Return to footnote 68 referrer

Footnote 69

TBS, Directive on Automated Decision-Making, effective as of April 1, 2019, https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32592; Government of Canada, Algorithmic Impact Assessment, version 0.8, last modified June 3, 2020, https://canada-ca.github.io/aia-eia-js/.

Return to footnote 69 referrer

Footnote 70

See discussion in Tamir Israel, “Facial Recognition at a Crossroads: Transformation at our Borders & Beyond”, September 2020, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3714297, pp 120 et seq.

Return to footnote 70 referrer

Footnote 71

See EU Regulation 2016/679, Article 22 and recital 71.

Return to footnote 71 referrer

Footnote 72

See, for example: Article 29 Working Party, Guidelines on Automated Individual Decision-Making and Profiling, February 6, 2018, WP251rev.01, https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053 and European Data Protection Board, Endorsement 1/2018, May 25, 2018.

Return to footnote 72 referrer

Footnote 73

Treasury Board of Canada Secretariat, Directive on Automated Decision-Making, effective as of April 1, 2019, https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32592; Government of Canada, Algorithmic Impact Assessment, version 0.8, last modified June 3, 2020, https://canada-ca.github.io/aia-eia-js/.

Return to footnote 73 referrer

Footnote 74

Return to footnote 74 referrer

Footnote 75

Kate Robertson, Cynthia Khoo & Yolanda Song, “To Surveil and Predict: A Human Rights Analysis of Algorithmic Policing in Canada”, The Citizen Lab, September 2020, https://citizenlab.ca/2020/09/to-surveil-and-predict-a-human-rights-analysis-of-algorithmic-policing-in-canada/; Tamir Israel, “Facial Recognition at a Crossroads: Transformation at our Borders & Beyond”, September 2020, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3714297.

Return to footnote 75 referrer

Footnote 76

See, for example: Québec, Act to Establish a Legal Framework for Information Technology, 2001 RSQ c C-1.1, section 44, http://legisquebec.gouv.qc.ca/en/showdoc/cs/C-1.1; Vincent Gautrais, “Know Your Law: Guide Respecting the Management of Technology-Based Documents”, La Foundation du Barreau du Québec, 2005, https://www.fondationdubarreau.qc.ca/wp-content/uploads/2016/10/Guidetech_allege_EN.pdf; European Union Regulation 2016/679, Article 9; Biometric Information Privacy Act, 740 Ill Comp Stat 14/1 (State of Illinois); Australia, Privacy Act 1988, No 119, 1988, https://www.legislation.gov.au/Details/C2021C00024, section 6 “sensitive information” (d)-(e) and section 3.3.

Return to footnote 76 referrer

Footnote 77

Electronic Frontier Foundation, “Bans, Bills and Moratoria”, last accessed September 30, 2020, https://www.eff.org/aboutface/bans-bills-and-moratoria; Association for Computing Machinery, US Technology Policy Committee (USTPC), Statement on Principles and Prerequisites for the Development, Evaluation and Use of Unbiased Facial Recognition Technologies”, June 30, 2020; Arvind Krishna, Chief Executive Officer, IBM, Letter to Congress, June 8, 2020, https://www.ibm.com/blogs/policy/wp-content/uploads/2020/06/Letterfrom-IBM.pdf; Jay Greene, “Microsoft Won’t Sell Police its Facial-Recognition Technology, Following Similar Moves by Amazon and IBM”, The Washington Post, June 11, 2020, https://www.washingtonpost.com/technology/2020/06/11/microsoft-facial-recognition/; Jay Greene, “Amazon Bans Police Use of its Facial Recognition Technology for a Year”, The Washington Post, June 10, 2020, https://www.washingtonpost.com/technology/2020/06/10/amazon-rekognition-police/.

Return to footnote 77 referrer

Footnote 78

Tamir Israel, “Facial Recognition at a Crossroads: Transformation at our Borders & Beyond”, September 2020, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3714297.

Return to footnote 78 referrer

Date modified:: 2021-11-30

Language selection

Search