Appearance before the Standing Senate Committee on National Security and Defence (SECD) on Bill C-21, An Act to Amend the Customs Act

November 21, 2018
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Good day Senators.

With me today from my office is Lara Ives, Director of the Government Advisory Directorate.

I would like to thank the Committee for the invitation to speak about Bill C-21, An Act to Amend the Customs Act. I am generally satisfied that this border management initiative is based on important public policy objectives and the personal information in question is not particularly sensitive.

That being said, it is important that the information to be collected under the entry-exit program is processed prudently, in accordance with appropriate agreements and procedures. This is especially true about information retention and, in the interest of time, I am going to focus my remarks on this issue.

I appreciate the spirit in which the House passed an amendment aimed at placing reasonable limits on the retention of exit information to be collected by CBSA.

In my appearance before the House Committee studying this Bill, I had spoken about the need for institutions to clearly justify retention periods. Personal information should be retained only so long as necessary to achieve relevant statutory purposes, those of the CBSA or those of the institutions with which CBSA will share exit information.

It would appear that the intent of the House amendment, adding a new section 93.1 to the Customs Act, was to impose a 15-year limit on the retention of exit information. However, the wording adopted does not clearly convey that objective and, in fact, could lead to interpretations that may harm privacy.

The proposed new section 93.1 states that exit information collected under the new legislation shall be retained for 15 years, subject to section 6 of the Privacy Act.

My concerns with this wording are two-fold.

First, the proposed section 93.1 effectively functions as a minimum, and not as a maximum. The words “shall be retained for 15 years” clearly indicate that information cannot be destroyed before the end of the 15 year period. Then, there are no words to prescribe what happens after the end of the period. Therefore, the information can be kept longer.   

Second, it is unclear whether the proposed section 93.1 applies only to CBSA. Given that the amendment refers to information that has been “collected under sections 92 and 93” (the exit program), one interpretation is that the 15-year retention period follows the information so collected even in the hands of another government institution with which exit data is then shared. This interpretation could have the effect of lengthening retention periods for some departments, such as those intending to purge non-relevant data immediately after collection.

We were informed by CBSA officials that this is not their interpretation. They interpret section 93.1 as applying only to CBSA. In their view, if exit information is then shared by CBSA with another institution, that other institution will collect it under its own authority and the retention period will be that governing the latter collection.

If the interpretation of CBSA officials holds, then the 15-year minimum retention period applies only to that Agency. Retention periods governing other institutions would be unaffected by Bill C-21. Some would be shorter than 15 years, other longer.

However, if, as we fear, the minimum 15-year retention period follows the information even in the hands of other institutions, then section 93.1 would have the effect of lengthening the period during which these institutions would have to retain the information.

For example, exit data will be shared with Employment and Social Development Canada (ESDC) for the purpose of verifying employment insurance eligibility. Our understanding is that before the amendment, the data was to have been immediately purged in instances where it wouldn’t lead to employment insurance ineligibility. Under the interpretation we fear may be given to section 93.1, ESDC would be required to keep the data for 15 years, as the data was initially “collected under sections 92 and 93”.

Retention periods shorter than 15 years would still be possible, even under that interpretation, if regulations made under section 6 of the Privacy Act prescribed a shorter period. However, we know of no plans to make such regulations.

In conclusion, although the intent of the House amendment was apparently to prescribe a maximum retention period that sought in part to protect privacy interests of travelers, while giving government institutions sufficient time to complete investigations, the amendment could actually weaken privacy rights.

In my view, it would be desirable, to achieve greater legal certainty, to amend section 93.1 to clarify that it applies only to CBSA and that it is a maximum period.

As for retention periods for institutions that receive information initially collected by CBSA under the exit program, these periods should be guided by the principle outlined at the outset: personal information should be retained only so long as necessary to achieve each specific statutory purpose. If the law allowed for such a sliding scale according to the laws governing the recipient institutions, then I would have no objections.

Thank you Chair. I look forward to your questions.