TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Bar Section | The clock is ticking on privacy and cybersecurity for Trudeau’s government Related reading: A view from DC: White House preps a 'bridge' to AI regulation




When Canada’s federal Parliament resumes sitting Jan. 28, Prime Minister Justin Trudeau will have less than nine months until the next federal election. Unless the he asks the Governor in General to dissolve Parliament earlier, the next election will be held Oct. 21. That might seem like a lot of time, but there are less than seventy days, by my count, during which the House of Commons is scheduled to sit before rising for summer June 21. Given the minimum thirty-six days for an election campaign, Parliament won’t resume until after the election.

In this post, we’ll consider how the Liberal government has faired on some key cybersecurity, privacy and intelligence-gathering issues since taking power in 2015, and what might be accomplished before the next election. Will the government make good on its 2015 campaign promise to fix former Prime Minister Stephen Harper’s anti-terrorism laws? Will the government enact cybersecurity standards for critical infrastructure? Will the reforms to the Access to Information Act go through? Will Commissioner Therrien’s pleas for additional powers go unanswered? Are the weak amendments on privacy in the Elections Act destined to be Trudeau’s only significant policy initiative on Canadian privacy rights to make it into law?

National security

The Trudeau government has had some legislative success with respect to its initiatives on national security matters, introducing three bills in June 2017, two of which have passed and has come into force.

Bill C-22, the National Security and Intelligence Committee of Parliamentarians Act was introduced in the House of Commons in June 2016 and was passed by the Senate a year later. Bill C-22 created a national security committee appointed by the prime minister to review, among other things, activities carried out by a department that relates to national security or intelligence. Although a step in the direction of greater oversight, the committee serves at the pleasure of the prime minister and the review activities of the committee can be curtailed whenever a minister believes it would be injurious to national security.

Bill C-23, the Preclearance Act, 2016, was also introduced in the House of Commons in June 2016. The Senate passed it in December 2017. The legislation implements an agreement with the United States that was entered into by former Prime Minister Stephen Harper’s Conservative government. The legislation facilitates the activities of U.S. customs and immigration officials working in Canada as they clear or deny admission to travelers or the entry of goods from Canada to the U.S. The Canadian Bar Association expressed concerns with the legislation, including that travelers could be caught in a catch-22 if they attempted to withdraw from a preclearance area but were not permitted to do so. The traveler could refuse to answer questions only to be arrested for not complying or obstructing the officer. The CBA also raised concerns about permitting U.S. officers enhanced powers of examination, information collection and disclosure without Canada also negotiating an extension of the U.S. Privacy Act of 1974 to protect the privacy of Canadians.

Bill C-59 was supposed to be the Liberal government’s attempt to make good on a campaign promise to overhaul Bill C-51, the Anti-terrorism Act, 2015, which had been passed by the former Conservative government. However, far from assuaging concerns regarding the power of intelligence services, the Liberal’s Bill C-59 has remained the subject of concerns by privacy advocates and civil society organizations, as well as Daniel Therrien, the Privacy Commissioner of Canada.

Concerns regarding security intelligence oversight and information sharing were heightened following a 2016 court decision that revealed unauthorized retention and use of metadata by the Canadian Security Intelligence Service that was collected and retained as a by-product of its investigations and subsequently mined for intelligence services. Bill C-59 would legitimize this type of data collection and use but would subject this data collection, retention and mining to greater oversight.

Even though Bill C-59 was introduced in June 2017, it has not yet been passed. It is currently before the Senate Committee on National Security and Defence. There is still time to enact this bill, which was an important plank in the Liberal government’s 2015 campaign promises.

Although far from perfect from a privacy protection viewpoint, the bill would create enhanced oversight bodies through the establishment of a national Security and Intelligence Review Agency to replace the Security Intelligence Review Committee, a new Intelligence Commissioner, a commitment to national security transparency, and greater accountability with respect to data retention and use.

National cybersecurity standards

In a surprise announcement Dec. 14, 2018, Public Safety and Emergency Preparedness Minister Ralph Goodale told an audience at the Empire Club that federal regulation on cybersecurity would be imminent. The Minister is reported to have suggested that the government would introduce new legislation to lay out corporate and business responsibilities to prevent cyber attacks.

There has been no official announcement from the minister’s office. However, in June 2018, Minister Goodale released a National Cyber Security Strategy document that hints at what might be to come.

One likely possibility is the creation of national cybersecurity standards for critical infrastructure. The National Cybersecurity Strategy noted that critical infrastructure, such as the electricity grid, communications networks and financial institutions, are “so important that any disruption could have serious consequences for public safety and national security.” The government promised to work to define requirements to protect this infrastructure. Whether the legislation will impose obligations on other businesses is not yet clear. However, any imposition of cybersecurity standards will have a trickle-down effect on critical infrastructure supply chains.

If legislation is introduced, it will be interesting to see whether the government proposes any new powers for law enforcement to respond to cybercrime, including any new investigative tools and information sharing provisions. The National Cyber Security Strategy suggested that it was a priority for the government to “enhance law enforcement capacity to respond to cybercrime.” This included supporting coordination and enhancing investigative capacity.

Parliament would have to work exceptionally fast if legislation were to be enacted before the federal election.

Political parties and privacy

The government introduced Bill C-76 in April 2018 and managed to get it over the finish line in December. Bill C-76 amended the Canada Elections Act to improve transparency and improve accessibility. However, it also contained measures to improve the protection of personal information. For example, political parties must now submit a copy of their privacy notice to the Chief Electoral Officer as part of their application for registration as a party. The party must also publish that policy on its website. The Chief Electoral Officer provides political parties with information about electors. Section 56 has created a new offense for knowingly using personal information from the Register of Future Electors except as permitted in the Canada Elections Act.

Other than the restriction on the use of personal information obtained from the Chief Electoral Officer, Bill C-76 does not impose any specific rules on political parties with respect to how they collect, use or disclose personal information. Thus, federal political parties remain largely ungoverned with respect to their privacy practices.

Modernizing the Access to Information Act

The government introduced Bill C-58 in June 2017. This legislation would be the first phase in overhauling the federal access to information regime. It includes new powers for the information commissioner. If passed, the commissioner would be able to make orders requiring government institutions to produce records sought by a requester or requiring the government institution to reconsider its decision. In the course of conducting an investigation of a complaint, the Commissioner would also be able to review records over which the government institution claimed privilege. The commissioner could also begin publishing their orders.

Bill C-58 has passed the House of Commons and is before the Senate Standing Committee on Legal and Constitutional Affairs. It is, however, very likely that the committee will recommend amendments to Bill C-58. In particular, the information commissioner and privacy commissioner have resolved the privacy commissioner’s concerns over the provisions governing consultations with the privacy commissioner when the information commissioner may order the disclosure of personal information that the government institution had refused to disclose. Another probable amendment is to remove the one-year transition period before the commissioner’s order-making power comes into effect.

A possible, but perhaps not as likely, amendment concerns the ability of the commissioner to register their orders in the federal court so that the commissioner does not need to bring applications before the court to enforce them. There was considerable sympathy for the commissioner on this point.

The Senate committee is continuing hearings into Bill C-58. The last hearing was Dec. 6, 2018. There are no further upcoming meetings scheduled as of the time of writing. If the committee does recommend changes that are adopted by the Senate, Bill C-58 would have to head back to the House of Commons.

Meaningful reform of the Access to Information Act is tantalizingly close. The Trudeau government will need to be motivated and focused to get the job done.

Modernizing PIPEDA

In March 2018, the Hon. Navdeep Bains, minister of innovation, science and economic development, managed to see his ministry finalize the Breach of Security Safeguard Regulations. The regulations set the stage for the coming into force of 2015 amendments to the Personal Information Protection and Electronic Documents Act, which created a private sector breach reporting law. The breach reporting law was passed by former Prime Minister Stephen Harper’s Conservative government but the Liberals did not bring it into force until November 2018.

Time is quickly running out for the Trudeau government to table any legislation to modernize PIPEDA to provide the privacy commissioner with greater powers or to make other reforms. Although the likelihood of legislation making significant reforms to PIPEDA at this late stage of Prime Minister Trudeau’s term seems unlikely, there have been a chorus of calls for the government to do so.

In June 2018, Minister Bains responded to the report on modernizing PIPEDA by the Standing Committee on Access to Information, Privacy and Ethics. Minister Bains stated that the government shared the standing committee’s views that changes were necessary “to ensure that rules for the use of personal information in a commercial context are clear and enforceable and will support the level of privacy protection that Canadians expect.”

One set of recommendations from the standing committee concerned the enforcement power of the Office of the Privacy Commissioner of Canada. The committee recommended providing the commissioner the power to make orders and impose fines for non-compliance. The standing committee’s report was not the only parliamentary report to recommend enhanced powers for the commissioner. As Minister Bains noted, the Senate Committee on Transportation and Communications issued a report in January 2018 calling on the government to empower the privacy commissioner to proactively investigate and enforce compliance even in the absence of a complaint or reasonable grounds to believe that there is a violation. The minister did not rule out the possibility of enhancing the privacy commissioner’s powers. However, the government believed further study was warranted.

Since Minister Bains’ response to the standing committee, the privacy commissioner has repeatedly called on the government to act and has taken his demand to the public. In a September 2018 news release, the commissioner argued that he needed order-making powers to ensure that his “guidelines would be more than advice that companies can choose to ignore.” In December 2018, the Commissioner issued a news release acknowledging that PIPEDA should remain principle-based but he believed the time had come to jettison the model of an industry code of conduct (which was the origin of Schedule 1 to PIPEDA and contains many of the substantive obligations). In an accompanying letter to the minister, the commissioner reiterated his request for the power to issue orders and impose fine.

We do not know precisely what motivated the commissioner’s December 2018 letter; however, it may be that he is attempting to get his new powers on the agenda of whatever cybersecurity legislation is being drafted.

Reforming Canada’s Anti-Spam Legislation

Enacted by Prime Minister Stephen Harper’s Conservative government, Canada’s Anti-Spam Legislation is despised by industry and arguably has failed in its objectives to provide Canadians with greater control over the receipt of unsolicited commercial electronic messages. In late-2017, the Standing Committee on Industry, Science and Technology issued a report calling on the government to make substantive changes to the legislation. Minister Bain’s response to the standing committee came in April 2018. Minister Bains acknowledged that CASL needed amendment and noted that lessons could be learned from other jurisdictions.

To date, there has been no indication that the government intends to introduce legislation. The outlook for relief in 2019 is slim.

Canada-United States-Mexico Agreement

The Canada-United States-Mexico Agreement (CUSMA as it is now known in Canada) contains some provisions that limit Canada’s ability to use privacy legislation as a barrier to trade. The privacy implications of CUSMA have been written about for the IAPP here and here. One of the initial concerns by privacy advocates was the effect of CUSMA on data localization. The U.S. trade representative had achieved his goal of committing Canada not to enact laws that require data to be stored within Canada.

CUSMA has been signed but not yet ratified. CUSMA itself does not need to be approved by Parliament. However, CUSMA may not be ratified until any implementing legislation changing Canada’s laws to comport with its obligations under CUSMA have been passed. Ordinarily that implementing legislation can only be introduced after CUSMA has been tabled in Parliament and at least twenty-one sitting days of Parliament have passed. The amendments to existing legislation follow the ordinary parliamentary process.

Although amendments to PIPEDA do not appear to be required to enact CUSMA, there are numerous other areas where legislative change is required. It will be tight, but it is doable for the Trudeau government to enact implementing legislation. However, focusing on CUSMA will consume legislative attention making any new substantive initiatives much less likely in these remaining days of the government’s first term.

Privacy and cybersecurity likely not election issues

So far, it has been an underwhelming first term on the privacy and cybersecurity file for the Trudeau government. If the current bills on Parliament’s agenda are not passed before Parliament dissolves, they will die. However, the government’s performance on the privacy and cybersecurity front is unlikely to be of concern to the Liberals as they head into an election.

No doubt, there will be continuing focus on the possibility of foreign electoral interference rather than everyday privacy issues. However, unless there is an actual security breach or evidence of tampering, even foreign electoral interference is unlikely to be a specific election issue, except as it plays into competing narratives about Canada’s security in the face of increasingly difficult relationships with powers such as China, Saudi Arabia and Russia.

For his part, the privacy commissioner has limited time to continue his campaign for more powers. To date his demands do not seem to have mobilized the Canadian electorate, and likely will not. Canadians may care about privacy, but they seem more interested in the government’s record on pocket-book issues, the resource economy, and immigration.

photo credit: Free Grunge Textures - Canada Grunge Flag via photopin (license)


If you want to comment on this post, you need to login.