Privacy Commissioner
Philippe Dufresne Received in Committee of the Whole
June 14, 2022
Honourable senators, the Senate is resolved into a Committee of the Whole to receive Mr. Philippe Dufresne respecting his appointment as Privacy Commissioner.
Honourable senators, in a Committee of the Whole senators shall address the chair but need not stand. Under the rules the speaking time is 10 minutes, including questions and answers, but, as ordered, if a senator does not use all of his or her time, the balance can be yielded to another senator. The committee will receive Mr. Philippe Dufresne, Law Clerk and Parliamentary Counsel of the House of Commons and I would now invite him to join us.
(Pursuant to the Order of the Senate, Philippe Dufresne was escorted to a seat in the Senate chamber.)
Mr. Dufresne, welcome to the Senate. I would ask you to make your opening remarks of at most five minutes.
Honourable senators, it is a great honour and privilege for me to appear before you today to discuss my qualifications and competencies to perform the important role of Privacy Commissioner of Canada.
I take this opportunity to thank you for all the work you do as parliamentarians in legislating, deliberating and holding the government to account.
I would start by saying that my professional life has been dedicated to the strengthening of Canada’s public institutions and to the protection and promotion of the fundamental rights of Canadians.
I have done this for 15 years in the context of human rights at the Canadian Human Rights Commission. I have done it for seven years in the area of constitutional and administrative law as Law Clerk and Parliamentary Counsel of the House of Commons and, if appointed, I would continue do so as Privacy Commissioner of Canada.
Prior to my appointment as Law Clerk of the House in 2015, I was the Canadian Human Rights Commission’s Senior General Counsel, responsible for the Commission’s legal and operational activities pursuant to the Canadian Human Rights Act, the Employment Equity Act, as well as the Access to Information and Privacy Acts.
I was lead counsel for the Commission in the landmark First Nations child welfare case before the Canadian Human Rights Tribunal which led to the largest settlement of its kind in Canadian history. Prior to this, I was lead counsel in the Canada (House of Commons) v. Vaid case before the Supreme Court of Canada, which remains the leading case on parliamentary privilege in Canadian law today.
In addition to the Vaid case, I have appeared before the Supreme Court on 14 occasions in cases raising issues such as the separation of powers, the impartiality of tribunals, the accommodation of persons with disabilities, freedom of expression and the balancing of national security and human rights.
My experience at the Commission has a number of direct correlations with the role of Privacy Commissioner. It involved the promotion and protection of fundamental rights and the investigation of complaints in an expeditious and procedurally fair manner. It required the appropriate balancing of fundamental rights with public-interest considerations and the ability to explain complex concepts in a plain-language and accessible manner. It also involved working with the public and private sectors to find constructive solutions, building a culture of rights, considering international norms and comparators and working with provincial counterparts.
In my current role as the Law Clerk of the House, I am the Chief Legal Officer of the House and lead the office responsible for the provision of legal and legislative services to the House and its members. I have successfully defended the House of Commons’ privileges in the Boulerice v. Board of Internal Economy case, and led the legal team representing the Speaker of the House of Commons in the context of a judicial review application brought last year with respect to the power of this House to compel the production of documents.
I have been tasked by multiple committees to interpret and apply privacy law principles, most recently in reviewing proposed redactions made to documents that were requested by committees in the conduct of their studies.
I’ve played a key role in the development of codes and policies to prevent harassment on the Hill and to ensure an inclusive and safe environment for members of Parliament and staff. I was proud to be the House Administration’s diversity and inclusion champion for the last five years.
More recently, I had the pleasure and privilege of appearing with my colleague the Law Clerk and Parliamentary Counsel of the Senate in a joint appearance before the Special Joint Committee on the Declaration of Emergency.
Throughout my career, I’ve always placed the utmost importance on public service and on giving back to my community and my profession.
As such, I have served in various capacities of the Canadian Bar Association, including as president of the constitutional law section and Executive Board Member of the Quebec Branch. I have also served as President of the Canadian branch of the International Commission of Jurists, an institution that promotes judicial independence in Canada and internationally.
I believe in the importance of education and mentoring. I have been a part-time professor in law faculties and continue to serve as a judge in the Laskin bilingual administrative law mooting competition.
In all my roles, I have been guided by the values of balance, impartiality, fairness, excellence, the rule of law, the public interest and respect for the democratic and legislative processes. Those are the values that, if appointed, I propose to bring to the Office of the Privacy Commissioner of Canada.
For all these reasons, I believe that I would bring to the role of Privacy Commissioner a vast and unique array of experiences and knowledge, as well as the unwavering belief that Canadians’ fundamental privacy rights require strong advocacy, protection, promotion and education on an ongoing basis. As Privacy Commissioner, my vision would be privacy as a fundamental right, privacy in support of the public interest and of Canada’s innovation and competitiveness, privacy as an accelerator of Canadians’ trust in their institutions and privacy in the digital economy.
In closing, I would like to take this opportunity to thank Daniel Therrien for his outstanding service and leadership these last eight years. I’ve been impressed with all of the great work done by the OPC team during his mandate and, if appointed to the position, I look forward to working with this dedicated group of committed professionals in protecting and promoting the privacy rights of Canadians. With that, I would be happy to answer your questions.
Welcome, Mr. Dufresne, and congratulations on your nomination. I have a number of questions. I will be very concise with my questions. I ask that you be the same with your answers so I can get as many of them in as I can before our very capable and able chair cuts me off.
Could you briefly summarize for us the process by which you came to be here — I’ll ask three questions here — before us today? What process was there? Did you apply for this position or were you asked to put your name forward? Why did you decide to seek this appointment, and who did you interview with and what testing did you undergo?
Thank you, senator, for the question. This, as I believe all Governor-in-Council appointments are, was a position advertised on the appointments website, alongside the others, with a list of the requirements and the functions of the positions. So I applied to the position of my own initiative because I saw that this was a position, one of the few, that could take me away from the position of Law Clerk of the House, which is a position I love. This was a position that I felt combined my career as a lawyer, as a promoter and protector of fundamental rights and my role as an adviser to the House, and so I thought that my skills would be of use in this important role. I also saw that with the two laws up for modernization this was an important time for privacy, which I consider a fundamental value, and so I put my name forward.
In terms of the process, there was a screening process that led to my being invited to an interview with the representatives from various departments, the Prime Minister’s Office and academia, and so there was extensive questioning in terms of that process. Once I reached the subsequent stage, there was psychometric assessment following a discussion with the minister and then the decision by cabinet.
Mr. Dufresne, as you well know, the unprecedented use of the Emergencies Act by the Trudeau government earlier this year is being studied by a special joint committee and by the Public Order Emergency Commission. What are your thoughts on the privacy implications of the use of the Emergencies Act, either through your experience as Law Clerk of the House of Commons or through your viewpoint as the incoming Privacy Commissioner? As a Privacy Commissioner, would you commit to conducting an analysis of the privacy implications of the invocation of the Emergencies Act or release publicly any analysis that might have already been done by the office?
Senator, there are processes for the review of the declaration of emergencies, and they are provided for in the act. They include the parliamentary review. They include the Rouleau commission of inquiry that was established, and so they have complementary purposes. I know that the Standing Committee on Procedure and House Affairs is also looking at those matters in terms of the invocation and so on.
In terms of privacy implications, if I am confirmed in my role I will look to matters that come before the commissioner in terms of complaints, and we’ll deal with them on an individual basis.
In 2015, the outgoing commissioner established four strategic privacy priorities. One of his objectives was:
To help create an environment where individuals can use the Internet to explore their interests and develop as people without fear that their digital trace will lead to unfair treatment.
Do you share this objective, and how do you think this is achievable?
When I talk about my vision as Privacy Commissioner in terms of privacy as a fundamental right and privacy balancing public interest and generating trust, it means that I feel Canadians should have enough trust that, when they are participating in the digital economy and when they are using the internet, their privacy is protected — in other words, that they do not have to trade off their privacy rights in order to use what we all use and benefit from, which is the internet and the digital economy.
So in terms of privacy, my hope and what I will work towards, if confirmed, is to have a modernized set of laws, both private and public sector, that ensures privacy is protected in a way that supports innovation and the economy but in a way that ensures that Canadians, again, do not have to trade off these rights in order to participate as digital citizens.
Another objective of the former Privacy Commissioner was:
To promote respect for the privacy and integrity of the human body as the vessel of our most intimate personal information.
Would this also be one of your objectives, and if so, what are your thoughts on the actions of the federal government during the pandemic forcing Canadians to get vaccinated and to share the results? That’s hardly private when they have to share the results.
In terms of the end of your question, in terms of the pandemic, former Privacy Commissioner Therrien, along with provincial counterparts, issued guidelines early on in terms of practices to ensure what was done was based on legal authority, ensure that it was proportional, ensure that it did not take more information than it needed and ensure that it did not last longer than needed. So I agree with those principles, and privacy protection has to do with the second element of my vision, the notion of public interest. Privacy should not be at the expense of the public interest or Canada’s competitiveness. These things go hand in hand, and I see privacy as supporting that, but it has to be done in a way where privacy is front and centre and where we develop a culture of privacy by design so that whatever we do — whether it’s protecting the health of Canadians, whether it’s innovating — we ask how we can do this without harming the privacy of Canadians.
I would like to get your view on privacy and the apps on our smartphones. I know that we all routinely — and I do — click “I agree” on a service agreement when downloading an app and do not fully understand what we are agreeing to. At least I don’t, and I don’t realize the privacy I may be giving up in exchange for using this app. I personally — and think a lot of us, perhaps all of us — have done this more than once, and so I would like to know your views on consent in those instances. Do you think this type of consent is essential, or is it meaningless? I’d like your view on that. I’m concerned about when I click things on my smartphone.
You’re highlighting one of the very real issues, and it has been described by some experts as being a culture of “I agree,” a culture of clicking without necessarily understanding. Oftentimes we use these apps and oftentimes we are pressed for time. We need the information. We’re confronted with this, and we click on it but not agreeing. I don’t often understand those clauses myself. If that’s true and you have a non-legally trained Canadian looking at these clauses, it is not realistic to believe that they will have a meaningful understanding. So that’s one of the elements that has to be looked at in terms of working with those clauses — making them more user-friendly — and there may be areas where consent is not required because there is a socially beneficial purpose and there’s no practical way of getting consent, so these conditions have to be narrow. There may also be circumstances where the purpose is not justified or proportional and it should not be something that individuals can consent to. So we’re moving away from that delegation to individuals to protect their privacy rights and ensuring that we can have a whole system that does that.
I only have less than a minute left, but I will very quickly ask the question. Maybe you can get the answer in. The federal government forces Canadians to use the ArriveCAN app when entering our country. Do you think Canadians should have the right to refuse an app and instead be allowed to use paper forms?
I haven’t considered this specific issue. I think there are some different privacy expectations when crossing borders, so that would be part of the consideration. However, I would say that with this or any type of governmental activity, it is important to have privacy by design. It is important to ask the question and design it to ensure that it does not have an undue impact on privacy beyond what is necessary for legitimate purposes.
Thank you very much for your concise answers. That about exhausts my time.
Thank you for agreeing to accept the nomination and also for applying. When I saw your qualifications I was very pleased, because I believe you understand Parliament, and you have worked on rights issues. I believe this is a good time for a person like you to understand what the rights of all Canadians are.
When it comes to the rights of all Canadians, what kind of lens or diversity training will you do with your staff so that when they look at privacy issues they will address issues faced by all Canadians?
Thank you, senator. This is something that is near and dear to my heart in terms of ensuring the proper lens. I am advocating for a privacy lens — privacy by design — looking at everything one does, whether it’s the government or the private sector, and asking the question about impacts and then building it into the design so you’re not doing it at the end once it’s done and you’re faced with concerns.
I think that’s also very important in terms of diversity and inclusion. There can be links there with privacy as well. We can see some concerns if their algorithmic decision making leads to profiling or bias or these types of things.
In terms of the team — the staff — in my current role as House Law Clerk, I have been the diversity inclusion champion leading a group of committed employees from all sectors of the House at all levels, management or otherwise. When I was appointed champion, I told them that I wanted all of us to become ambassadors of inclusion so that whatever we did — whatever our role was — we would ask the question: What is the impact of this decision I’m making, this policy or this behaviour that I have? What impact does it have on diversity and inclusion? If it’s not a good one, we should question that behaviour, and unless it’s essential to have it, we should stop it. I will be adopting the same approach, if confirmed, in my new role.
Thank you very much for your answer. Obviously, you will follow the same diversity and inclusion model that you had developed earlier on, so I’m not going to even ask you that. I’m assuming you will.
I don’t know if you have had the chance to study some of the recommendations of the previous Privacy Commissioner, but one was on note taking for border security officials. He examined six complaints and he found it very inadequate. If you have not read this yet, I’m willing to wait for an answer. But especially with the rights lens that you will bring and your knowledge of rights, I would like to know if you are going to pursue making sure that border security officials’ note taking is adequate, especially with the new legislation, Bill S-7, that the minister has introduced.
Bill S-7 is the object of discussions, including in terms of the standard being used. It was raised in terms of whether this could have an impact in terms of how it’s used, and whether there are more unfavourable decisions vis-à-vis certain groups and certain individuals. So these are things we have to look for, and we have to make sure there is information about it so we can correct if any approach has discriminatory impact or negative privacy impacts.
I think we do have to have that lens to ensure that our practices are consistent both with human rights in terms of non‑discrimination — which would not, strictly speaking, be my mandate but would animate what I do — and also from a privacy lens.
Thank you very much.
Mr. Dufresne, welcome to the Senate. It’s likely you will be overseeing the biggest revamp in privacy law in this country in several decades as well as an increase in the Privacy Commissioner’s powers. All the while, the data economy has been growing exponentially. How Canada regulates the use of data will catalyze innovation, productivity growth and prosperity. Or not.
Clearly, the new Privacy Commissioner will have to play a balancing act, strengthening and protecting data rights — which you’re eminently qualified to help with for sure — but all the while empowering innovative and globally competitive commercial activity.
In that light, could you describe your views on the extent to which it is important for privacy laws to enable innovation in our economy? How would you ensure that experience with rapidly evolving technologies, competition issues, various business models and global interoperability will be represented on your team?
I’m hoping to ask a second round, but we’ll see.
Thank you for the question. This is core to my vision of my role as Privacy Commissioner if I’m confirmed. I indicated that there were three elements. One was privacy as a fundamental right, and the second was privacy in support of the public interest and Canada’s innovation and competitiveness. So that’s absolutely part of the vision. We need to have a system that doesn’t sacrifice Canada’s innovation, competitiveness and the ability for Canadian industry to succeed.
I believe that can be done. That can be done by having a regime that is principle-based — that respects privacy — but also mindful of the realities and challenges of Canadian industry. I believe that privacy will generate trust and will allow Canadians to feel that they can participate more in the digital economy, which in turn will be good for industry. I think it will be beneficial to have interoperable norms and rules that ensure there is a level playing field and that Canadian companies understand the roles and can be helped in that by my office — if it becomes my office — in terms of outreach, education and information.
In terms of the composition of the team, I have always — in all of my roles — valued diversity of views and diversity of perspectives. My perspective is one — it is from my background — and I have always wanted to surround myself with individuals with different backgrounds and different expertise so we can have the best advice around the table.
For my team at the House, I recruited individuals from the Senate, who are fantastic. I have recruited individuals from the Department of Justice. I have recruited individuals from the private sector. I have recruited individuals from the Library of Parliament — just to have these views.
That’s for the internal team, which is very important. But I also believe outside links with stakeholders, links with industries, whether it’s by having a formal structure like an advisory council or in an informal way, ensures that the channels of communication are open. Because there is value in the commissioner and the office sharing information, but we need to do that while understanding the challenges of industry. This is something that I feel I am able to do because I’m a human rights lawyer, but I’m also an employer and a leader of an organization. I have advised on complying with the laws, but I’ve had to comply with them myself. So I understand the challenges of industry where you have these competing pressures and priorities, and you want this to be done while meeting your obligations to your shareholders or parliamentarians or Canadians.
So these are things that are important to me. I will put in place the networks and the structures needed to —
Thank you. That’s good to hear. Just in terms of consultation, the Government of Canada has had a history of communicating but not robustly consulting. So, hopefully, you’ll be ambitiously establishing a new standard in that regard because of the transition that is going on.
Lastly, I want to have some idea specifically about how you’ll be managing that compliance burden associated with implementing the new privacy legislation to ensure it doesn’t stifle innovation, productivity growth and competitiveness.
There are a number of things there.
Obviously, the content of the legislation is going to be decided not by me, but by Parliament. The Office of the Privacy Commissioner of Canada will play a role in providing views and advice. Of course, there is a role for industry as well to provide views to Parliament, but also to the Office of the Privacy Commissioner of Canada in terms of that process.
I will work with the legislation that Parliament decides to adopt, and with the team, to ensure that it is as user-friendly as it can be for Canadians and for industry. I believe when we were talking about the consent clauses being difficult to understand and how it can be a burden on individuals, I think that that is true as well in terms of the burden on organizations to comply with legal frameworks. There are many obligations.
In my role at the House, I have had to oversee compliance with Bill C-65 on health and safety; compliance with pay equity, proactive pay equity regimes; compliance with proactive accessibility; proactive disclosure of financial information. These are all fundamentally important things to do, but they take work. They put burdens on organizations and leaders who are already overburdened.
Whatever the regulators can do to make it easier — to put the incentives in the right direction — is a positive step.
Thank you for being with us, Mr. Dufresne. I know you have extensive experience with Canadian parliamentarians.
My question deals with a hypothetical situation. Suppose you were appointed to the position you are seeking, and suppose the government currently in office supported or introduced a bill that got a lot of criticism from individuals and organizations for failing to adequately protect privacy. What would you do if the committee tasked with studying such bills invited you to testify and participate in that study?
Thank you, senator. Certainly, in my role as Privacy Commissioner, I will always give my advice to any parliamentary committee that requests it. I believe that this is one of the important aspects of the Privacy Commissioner’s role.
Thanks to my experience as Law Clerk of the House, I have had numerous opportunities to appear before parliamentary committees and provide advice in various legal areas. I will continue to do so as Privacy Commissioner with a view to providing the best and most balanced advice possible. That advice will be consistent with the values that I will convey, namely, recognizing privacy rights as fundamental rights, but also understanding the public interest and the need for laws that are practical, realistic and that can build public confidence.
In a situation where there was opposition, I would ask myself whether my office and I should consider that opposition justified. Obviously, I would listen to the differing views and provide the best advice I can, while being mindful of the weight that the Privacy Commissioner’s representations can carry. I would do so with the responsibility that comes with that influence.
I have a supplementary question.
In this scenario, would you publicly comment on a bill, on your own initiative, if you felt it violated the privacy of Canadians?
I think that’s a situation that has to be assessed on a case-by-case basis. However, I will say that on the face of it, the mandate of the Privacy Commissioner is to protect and promote the privacy of Canadians. I think that’s a very important consideration. Are there be any circumstances that would make it inappropriate to do so proactively? My first impression is that an officer of Parliament has a duty to comment on such matters, whether in an annual or special report. I would like to think that my office is and will remain a centre of excellence on privacy and that we would be invited to comment on privacy bills.
Thank you, Mr. Dufresne.
I want to pick up on what my colleague, Senator Deacon, was asking. Mr. Dufresne, Shopify was once a small start-up, a snowboard retailer founded by a new Canadian. The company has transformed itself into a showcase for entrepreneurs around the world. It grew so quickly that it was the fastest Canadian company to reach $1 billion in annual sales worldwide. Of course we would like to have more companies like this. However, these kinds of companies are using personal data, which requires extra vigilance.
Mr. Dufresne, how do you think your office will be able to protect the personal information of Canadians without undermining the prosperity of innovative Canadian companies like Shopify?
Thank you for the question. I think that it is important to have this balance, and it is not a situation where we should sacrifice one for the other. We have to make privacy a fundamental right and do so in such a way as to encourage innovation and the industry. I would do so by ensuring, insofar as I can comment on legislation, that the perspective and realities of the industry are considered and are part of the analysis. It needs to be possible and realistic for the company, but not to the detriment of fundamental rights. It was the same thing with human rights. I believe it is possible to do this, and I believe that the Privacy Commissioner can play a guiding role and be an interlocutor for the industry. The Office of the Privacy Commissioner has a mandate to protect and promote.
You give the example of a smaller business entering the market. The Office of the Privacy Commissioner could perhaps have some templates and information. It can support the industries. With Bill C-11, there was mention of the approval of codes of practice by the Office of the Privacy Commissioner, audits and proactive verification. I believe that it is important to have these exchanges right from the start and to create this culture of privacy, but not to the detriment of the efficiency and proper operation of businesses.
Consequently, we will have a legal system equivalent to and compatible with international and provincial regimes. At that point, we are raising the bar for both privacy protection and innovation. That is something that has always been very important to me, whether in my role at the Human Rights Commission or at the House of Commons. Fundamental principles should not be protected to the detriment of the public interest, unless that is impossible. We must make every effort in that regard, namely provide incentives to move in the right direction, engage in communication, identify issues and work together to find solutions.
Thank you.
Thank you for being here, Mr. Dufresne. I’d like to congratulate you on your very impressive career.
Mr. Dufresne, the data economy is growing exponentially. The prestigious MIT estimates that data increases in volume by 40% every year. My question is along the same lines as the one asked by Senator Deacon. What do you think your role is in ensuring that Canadians see more benefit from the value of their data, while making sure they also control how that data will be used?
Thank you for the question. The third element of the vision I put forward is protection of privacy as an accelerator of Canadians’ trust in the digital economy, among other things. I think there is a role to play there.
According to statistics from the Office of the Privacy Commissioner of Canada, as reported in the 2022-23 annual plan, surveys showed that only 38% of Canadians felt the industry respected their privacy rights. That is a worrisome statistic that accurately conveys the perceptions of those surveyed. The office’s goal, which I agree with, is to raise that number significantly to about 90%. To help Canadians feel more confident in this respect, we need a strong legal regime grounded in good legislation and solid principles. We need legislation that is reasonable and balanced but that treats privacy as a basic right. Entities such as the Privacy Commissioner are crucial because they have the resources and the mandate to handle that protection and promotion role. It is important that Canadians know that when they participate in the industry, they have certain protections. They must also understand what they are consenting to and what their data will be used for, so that there is some incentive to participate in this economy. It becomes a place where you want to participate and do business.
When we talk about regimes that follow the rule of law, it benefits the industry for the same reason: The industry knows that it can rely on the regime and its principles. It requires good legislation, resources, an organization and good knowledge of the regime, which the Office of the Privacy Commissioner can undoubtedly promote and enhance. We also need incentives that go in the right direction, whether to encourage consumers to participate by reassuring them and providing them with better information, or to encourage the industry with clear and realistic standards, assisting them with information and dialogue in order to avoid a zero-sum game. Improving one does not mean taking away from the other. I think you have to improve both, and it is possible to do that.
Thank you, Mr. Dufresne.
Congratulations on your nomination. You have a very impressive curriculum vitae, both academically and professionally. I would like to ask you a couple of questions on case studies, if you will, to get a sense of how you would interpret these situations.
My first question is — and you may have seen this in the media — there have been reports about misconduct at the Canada Border Services Agency. During the last fiscal year, the CBSA deemed 92 such cases to be founded, some of which involve CBSA members with off-duty ties to organized crime, including drug smuggling.
As you may know, CBSA personnel are not required to undergo annual polygraph tests about their conduct outside of work. As Privacy Commissioner, will you be opposed to yearly mandatory testing to be required by the agency?
I would look at this, again, on the basis of the particular circumstances and the particular purpose of any given measure. Looking at this with a privacy lens, with privacy by design, you need to look at necessity and proportionality.
There would need to be the establishment of the purpose of this, the necessity, and the more intrusive the measure is — as in the case of what you’re describing — the more the necessity for it would have to be high. I would not comment on a hypothetical situation at this date, but I would look at cases on the basis of those principles in terms of necessity and proportionality.
I receive many complaints from Canadians about their dealings with the Canada Revenue Agency, and even though they are prepared to waive their privacy rights in order to speak publicly about the way they have been treated by the CRA, the agency seems to use the Privacy Act as a shield to avoid responsibility and accountability for their actions by stating that, because of the Privacy Act, they can’t discuss an individual case. Then they usually continue on with the standard line about how they take all these concerns seriously and are working hard to rectify these matters. Of course, none of that is true, as they continue to act the very same way in the very next case.
Do you share the view that if an individual waives the right to privacy to discuss their concerns publicly, and to the media in particular, that the government should be required to also disclose information they have about the matter pertaining to that individual?
There are some elements in terms of whether information is in the public domain and the individual waiving it and putting it in the public domain, but we would have to see a specific case. I would hesitate to comment on a specific case until it came before my office for consideration.
As you’re probably aware, section 8(1) of the Privacy Act states:
Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates. . . .
— which I think are the key words —
. . . be disclosed by the institution except in accordance with this section.
In other words, the individual can consent to the disclosure of personal information held by a federal institution. If they gave their consent, why would we allow agencies and departments to basically hide behind the Privacy Act as opposed to saying, in many cases, “We made a mistake and we’re wrong,” rather than putting the information out there?
Again, I would want to see what the argument is and the basis for the department’s position on that and the grounds they are putting forward for refusing to disclose. There is often a lot of context around that, so I would hesitate to give a view without hearing both sides.
Thank you very much.
Congratulations on your nomination, Mr. Dufresne.
Judging from your credentials, it seems to me that you were destined for this job. The risk of privacy violations has increased significantly over the past five or ten years, and you and I both know that one thing fraudsters love to get their hands on is social insurance numbers. This piece of ID is obsolete in 2022, yet it remains essential to getting a job or a mortgage.
I am sure you have looked over the office’s documents from 2014 to 2017. Let me just say that, in this era of facial and voice recognition and biometrics, Canada’s nine-digit ID card looks pretty pathetic compared to what modern countries use.
I would like to hear about your vision and your approach to getting the government to pick up the pace on developing a new, more secure way for Canadians to prove their identity.
Thank you for the question.
In fact, that was the topic of discussions, especially in the House of Commons. The reality is that, like everything else, there is a great deal of potential in the area of digital identity. Indeed, the fact that the social insurance number is probably not the best way to identify a person was mentioned.
As to whether this can be done, I would suggest applying the privacy perspective. It is about determining the realities of this program, the risks involved, the implications and the impacts, because we do not want to solve a problem by creating another. There are risks to having everything that is digital being distributed even faster.
In my opinion, this is something that has potential and seems intuitive to me as a solution for the future. That is why I think we have to be careful about how we do this by analyzing all the implications and incorporating the concept of privacy in its very design.
In his final report, your predecessor projected a significant increase in the number of applications and complaints over the coming years, especially because of immigration and refugee cases.
Should the budget for the Office of the Privacy Commissioner be increased accordingly? We see that its budget is more or less the same for the coming years. Also, do you believe that some files might be set aside if the government does not review your office’s funding?
If I am appointed, I will obviously have more details on this matter. What I have seen to date is that Mr. Therrien has already submitted a request to Treasury Board Secretariat and the office is awaiting a decision on additional resources due to Privacy Act extension order no. 3 on immigration.
I will wait for the response to this request. If there are no additional resources, it has been suggested that we make strategic use of the commissioner’s resources to focus on certain files, and that is something I did when I was at the Canadian Human Rights Commission. I adopted a strategic approach to litigation to devote more resources to those files that had a greater impact, either because of their nature or the number of Canadians involved.
With respect to former Bill C-11, one of the criticisms conveyed was that the Privacy Commissioner was required to verify the codes of practice without being allowed to choose which ones.
All of this will have to be examined. There is also the possible modernization of the Privacy Act, which I hope will occur soon. According to Mr. Therrien, this could double the resources of the commissioner’s office and make it possible to create new structures, particularly for making decisions on orders.
These are challenges that I look forward to addressing if I am appointed. I did just that at the Canadian Human Rights Commission and in my role at the Office of the Law Clerk. I increased the office’s resources in order to meet new legal obligations, and I hope to be successful in doing so.
Thank you very much.
Welcome and congratulations on your nomination. Mr. Dufresne, I know you are aware of the report that was recently released regarding the Tim Hortons app. The report found that Tim Hortons collected and used a large amount of geolocation data for inappropriate purposes, and that it did not obtain meaningful and adequate consent from app users in the collection and use of that data.
Mr. Dufresne, you will be responsible for monitoring the company’s compliance regarding its commitments to delete this geolocation data and for establishing a privacy management program. The parent company of Tim Hortons also owns other restaurants.
Are you going to ensure that all of those restaurants’ apps are in compliance with the law? How will you monitor compliance, and how many other businesses do you think are in the same situation as Tim Hortons?
Thank you for the question. I can’t speak to the last part of your question about how many other companies are in a similar situation, but what I can say about Tim Hortons and the report released by the Office of the Privacy Commissioner, at both the federal and provincial levels, is that we observed a breach of the law. This breach was conditionally resolved because the Tim Hortons chain agreed to delete the data and improve its privacy accountability mechanisms.
Obviously if I am confirmed in this role, I will be in a position to follow up and ensure that these commitments are fulfilled. That brings us back to some of the points we’ve discussed today, with respect to the importance of having a legitimate reason to collect personal information from Canadians.
In this case, the company tracked Canadians’ locations and collected much more geolocation data than would be needed for business purposes. There were concerns about whether valid consent was given. It was not made clear to users that the geolocation data would be collected even when the app was closed. The contract and its clauses were also far too permissive with regard to how this information could be used.
Once again, it is a matter of accountability or of implementing accountability mechanisms to ensure privacy. This is an example of how we can make improvements and ensure that privacy is protected in the app design process. We want it to become a reflex, so that people to have the tools they need to say, “This might be a good idea, but let’s make sure that it complies with sound privacy principles.”
Thank you.
In February, your predecessor, Mr. Therrien, let it be known that his office was informed — not consulted, but informed — by the Public Health Agency of Canada about its collection and use of the mobility data of 33 million Canadians during the COVID-19 pandemic without their consent. Mr. Therrien also said that his office proposed to examine the technical means used to depersonalize that data and to offer advice, but the government declined and said it would rely upon other experts instead.
Mr. Dufresne, does this recent incident of the Trudeau government sidelining and turning down advice from the Privacy Commissioner give you any concern as you take up your new responsibilities?
That issue was studied by the Ethics Committee of the House of Commons, which issued a report and a number of recommendations. I think what came through there in testimony was that there were exchanges and discussions with the commissioner and the government, and the government decided to use its experts in terms of looking at how and whether the information was de-identified, and whether safeguards were in place.
That situation led to some concerns in terms of the sufficiency of that de-identification, and there is currently a complaint that is with the commissioner’s office. So I won’t comment on that beyond saying that it has been looked at and that it highlights that, in many cases, having the commissioner look at cases will be helpful.
Congratulations on your nomination, Mr. Dufresne.
As you’re likely aware, the government has proposed through Bill S-7, which amends the Customs Act and the Preclearance Act, 2016 to introduce a new and lower legal threshold for the examination of personal digital devices by the CBSA and U.S. pre-clearance officers. The proposed legal threshold is called “reasonable general concern”; if an officer has a reasonable general concern about a particular traveller, their digital device could be fully examined off-site without restriction and without cause.
As you know, a personal digital device can contain anything from personal health records, correspondence, banking information — everything, including one’s internet footprint and search history.
The bill has now been amended in our National Security and Defence Committee to raise the threshold standard before a personal digital device can be examined from “reasonable general concern” to “reasonable grounds to suspect.” As you know, “reasonable grounds to suspect” is already well defined in Canadian law; it is unambiguous. The committee believed that the low bar of “reasonable general concern” should not be grounds for a search for all that you hold private and personal.
So my question to you, Mr. Dufresne, is the following: What is your view of the government’s initial “reasonable general concern” standard compared to the amended and well‑established, court-tested “reasonable grounds to suspect?”
Thank you for the question.
This is something that has been raised. A number of interlocutors have raised concerns about the novel standard of “reasonable general concern,” which came after the Alberta Court of Appeal in Canfield struck down the act and found that there needed to be a standard and that it had to be up to Parliament.
In testimony before the Ethics Committee, Commissioner Therrien expressed concerns about that standard, as did the Canadian Civil Liberties Association and Senator Paula Simons. The concerns were that “reasonable general concern” was too vague, that it was not a known legal standard, that it was not objective enough and that it could lead to profiling in the sense that such types of subjectivity could be used disproportionately against others.
Commissioner Therrien indicated in his testimony that he had not seen justification or evidence from the government for that standard and he would wait to see it.
So I think it would be up to the government to explain why.
And what is your view?
My view is that “reasonable grounds to suspect” is a well-known standard and an objective one. So it is something that would have a greater chance of being upheld in the absence of evidence and justification, which the government may have for their standard but I haven’t seen.
Thank you for that.
I have one quick question as a follow-up: What’s your view on the government’s increasing interest in collecting personal and private data of Canadians through the collection and stripping of metadata and the required downloading of government apps?
For any initiative being taken, my view would be to look at it with a privacy lens. What is the purpose? Why is the information being sought? What will be done with it? Is it legitimate? Is there proportionality and necessity? Do the users have knowledge that the information is being used?
I have one final question. If you were successful in becoming the Privacy Commissioner, would you take it upon yourself to make public statements about this, or would you wait until there is a referral to your office?
It would be a case-by-case consideration in terms of whether it is a statement, position, report, proactive audit or a commission-initiated complaint. The commissioner has a number of tools, and they have to be used appropriately. So it would really depend upon the circumstances.
Thank you, Mr. Dufresne.
Mr. Dufresne, welcome to the Senate of Canada and congratulations on your nomination as Canada’s next Privacy Commissioner. I’m very impressed by your biography and curriculum vitae, so congratulations.
I would like to continue on the consultation with our business community. As you know, wealth is most often — I won’t say always — created by entrepreneurs and business. You mentioned that privacy is a fundamental value and trust is extremely important in business, as you know.
Your predecessor, Mr. Therrien, addressed the need for Canada’s privacy laws to be interoperable with laws internationally, and that this would be in the interest of Canadian businesses. Do you share this point of view, and would you consult with entrepreneurs to seek their advice on this matter? Also, would you consult with your international counterparts so that we could share best practices? What is your view on that? Do you agree, and how would you go about doing it?
Thank you, senator. In terms of the overarching question of consultation, I do agree. I think it’s important for the commissioner. If I’m the commissioner, I will be consulting with counterparts, whether in the provinces or internationally, to identify the best practices, what works, what doesn’t work and what elements Canada should incorporate or not. Again, it’s not ultimately going to be my decision, but I appreciate that I will have a voice in that and I will use it to advise Parliament to the best of my abilities by looking at the General Data Protection Regulation, looking at the provinces, looking at the different regimes that exist and elsewhere, having information about that and having discussions within industry to ask what the concerns are. But, at first glance, the concept of interoperability, ensuring that the federal act is consistent in principle and application with what the best practices internationally are and with what the best practices provincially are, is a good idea.
There is an element as well in terms of public and private. We have the Privacy Act and we have the Personal Information Protection and Electronic Documents Act, or PIPEDA. There are more and more private-public partnerships between the government and private industry, so it’s important that the principles be consistent between those two. Those are things, from my standpoint, that are good for industry, but I would welcome industry telling me otherwise and I would listen to their views.
Thank you.
Thank you, welcome and congratulations on your nomination. Keeping in mind the overall mission of the office to protect and promote the privacy rights of individuals, the fact that compliance is described as one of the two core responsibilities of the office and the 2021 report that describes the various powers of the office as to ensure compliance, including summoning witnesses, administering oaths and compelling the production of evidence, how do you plan to ensure departmental accountability for lack of adherence to privacy measures, both in terms of the provision of information and, as other senators have pointed out, hiding behind those measures? Most particularly, I’m curious because, unlike your predecessors, the ability to pursue legal action before federal courts where appropriate has tended not to be utilized. Would you hesitate to use that function?
I feel that all the tools available to the commissioner should be looked at and should be used when appropriate. I am a firm believer in education, promotion, outreach, resolution and finding solutions at the front end, but I am also a believer in the compliance aspect. It’s promotion and protection. That was my experience at the Human Rights Commission as well. There is a similar duality, where much is done to work collaboratively. There are some cases where it will be necessary either because there is no agreement or because there is no clarity, perhaps, in the legal regime and it’s necessary to have a court decision to lead the way. In these appropriate cases, I would absolutely resort to that.
There have been calls, including by the Privacy Commissioner, to give the commissioner order-making powers and the power to either recommend or impose sanctions. I think these are all elements that would strengthen the protection function, make it more timely and help resolve cases. Again, not to say that these should be used often, but the existence of those powers will be good in strengthening the regime and in providing rights earlier and more quickly for Canadians.
Thank you.
Welcome, Mr. Dufresne. I’d like to ask you about the intersection of privacy policy and competition policy and your views on cooperation between the offices of the Privacy Commissioner and the Competition Commissioner. What do you see as the appropriate level of collaboration between the two offices, particularly given that there have been some prohibitions on cooperation between the two offices currently under the act? Do you foresee an increasing need for enforcement powers given the growing power and the growing importance of data in our economy?
Thank you for the question. I have not looked at the details of the intersection between competition and privacy, but I would say that anywhere that there are gaps in terms of legal framework is something that should be dealt with and resolved. There should be no areas that fall between the regulatory regimes and, where appropriate, it is beneficial for the regulating entities, whether it be the Privacy Commissioner, Competition Commissioner, Information Commissioner or others to have these exchanges. There may well be areas where information is confidential and where that sharing of information is not appropriate, but we should ensure that it is by decision and not because the area has simply not been dealt with.
In principle, would you support the sharing of information from the Privacy Commissioner’s office with the Competition Commissioner? The opposite is allowed currently, but not from the Privacy Commissioner’s office to the Competition Commissioner’s office.
This is a proposal that I would want to reflect on and hear views on. I have not seen the argument in favour or against, so before giving my view on that I would need to turn my mind to it.
Honourable senators, the committee has been sitting for 65 minutes. In conformity with the order of the Senate of June 9, 2022, I am obliged to interrupt proceedings so that the committee can report to the Senate.
Mr. Dufresne, on behalf of all senators, thank you for joining us today.
Hon. Senators: Hear, hear!
The Chair: Honourable senators, is it agreed that I report to the Senate that the witness has been heard?
Hon. Senators: Agreed.
Honourable senators, the sitting of the Senate is resumed.