Letter to the Standing Committee on Access to Information, Privacy and Ethics on study on the federal government’s use of technological tools capable of extracting personal data from mobile devices and computers
February 23, 2024
BY EMAIL
John Brassard, M.P.
Chair
Standing Committee on Access to Information, Privacy and Ethics
House of Commons
Sixth Floor, 131 Queen Street
Ottawa Ontario K1A 0A6
Dear Mr. Chair,
I am writing to follow up on my appearance before the Standing Committee on Access to Information, Privacy and Ethics on February 1, 2024, in relation to your study on the federal government’s use of technological tools capable of extracting personal data from mobile devices and computers. During my appearance, I was asked to provide the Committee with my specific recommendations in writing, to provide supplementary documentation for the Committee’s consideration, and to reach out to the implicated departments to request further details on their use of these tools and report back to the Committee. I am pleased to provide the following in response to these requests.
Recommendations to Improve the Privacy Act
Committee members expressed an interest in receiving my specific recommendations on the changes that are required to Canada’s federal Privacy Act to address key gaps. As I noted during my testimony, I believe that there are a number of legal solutions to be considered, and would reiterate the following recommendations:
- The preparation of Privacy Impact Assessments (PIAs) for privacy-impactful programs or activities should be made a legal obligation for the government under the Privacy Act. PIAs are an effective risk management process and help to ensure accountability and compliance with privacy requirements.
- The Privacy Act should require that my Office be consulted on any planned initiatives that could have an impact on the privacy of Canadians before they are launched. Conducting a PIA and engaging with my office before a privacy-impactful program or activity commences would strengthen privacy, support the public interest, and generate trust. This is why both should be legal obligations for government institutions.
- The Privacy Act should require organizations pursuing privacy-impactful activities and programs to demonstrate that they are necessary to achieve a pressing and substantial purpose and that the intrusion on privacy is proportional to the benefits to be gained.
- The Privacy Act should include privacy by design to require the proactive integration of privacy-protective measures into the design of government programs and activities from the initial phases of development.
- The Privacy Act should include order-making powers for my Office to help ensure compliance.
Requests of Government Departments
During the meeting, Committee members requested that my Office follow up with the institutions named in the study to request additional details about their use of digital forensic tools.
On February 5th, 2024, my Office wrote to all thirteen institutions as requested by the Committee to determine: a) how many times the technology has been used, b) how many times it has been used absent judicial or other authorization, and c) whether searches are limited to devices or also capture remote stored (i.e., cloud stored) information. We requested a response as soon as possible, and will provide the Committee an update by March 8th, 2024.
Requested Documentation
Finally, Committee Members requested that I share copies of some of my Office’s recent publications, which are particularly relevant to the issues of employee privacy, artificial intelligence and children’s privacy. I am pleased to provide the following documents as enclosures to this letter:
- Office of the Privacy Commissioner of Canada, Strategic Plan 2024-2027 – A roadmap for trust, innovation and protecting the fundamental right to privacy in the digital age (January 2024)
On January 22, 2024, I launched my Office’s Strategic Plan outlining the three key strategic priorities that will guide our work for the next three years. These strategic priorities are where I believe that my Office can have the greatest impact for Canadians and where the greatest risks lie if they are not addressed: 1) maximizing the impact of the work that OPC does to promote and protect the fundamental right to privacy; 2) addressing and advocating for privacy in this time of technological change; and 3) championing the privacy rights of children. The OPC is seeking feedback until March 31, 2024, to help inform how the plan is implemented over the next few years to help advance the identified strategic priorities.
- Office of the Privacy Commissioner of Canada, Privacy in the Workplace (May 2023)
This guidance outlines key privacy considerations for employers managing employees’ personal information and discusses topical issues such as the monitoring of employees.
- Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombuds with Responsibility for Privacy Oversight, Protecting Employee Privacy in the Modern Workplace (October 2023)
This resolution calls for a collective effort from governments and employers to address statutory gaps, respect and protect employee rights to privacy and transparency, and ensure the fair and appropriate use of electronic monitoring tools and AI technologies in the modern workplace.
- Roundtable of G7 Data Protection and Privacy Authorities, Statement on Generative AI (June 21, 2023)
This statement calls on developers and providers of generative AI technologies to embed privacy in the design, conception, operation, and management of these new products and services. It also highlights privacy risks in the context of generative AI, as well as technical and organizational measures to ensure that individuals affected by or interacting with generative AI systems have the ability to exercise their rights to access their personal information; rectify inaccurate personal information; erase their personal information; and refuse to be subject to solely automated decisions with significant effects.
- Federal, Provincial and Territorial Privacy Commissioners and Ombuds with Responsibility for Privacy Oversight, Principles for responsible, trustworthy and privacy-protective generative AI technologies (December 7, 2023)
This joint statement lays out how key privacy principles apply when developing, providing, or using generative AI models, tools, products and services. These include:
- Establishing legal authority for collecting and using personal information, and when relying on consent, ensuring that it is valid and meaningful;
- Being open and transparent about the way that information is used and the privacy risks involved;
- Making AI tools explainable to users;
- Developing safeguards for privacy rights; and
- Limiting the sharing of personal, sensitive or confidential information.
- Global Privacy Assembly, Resolution on AI and employment (October 2023)
This resolution calls on the GPA to work with organizations that develop or implement AI tools in the employment context, such as surveillance and data collection and retention tools, to ensure that employee privacy is considered at all stages.
- Global Privacy Assembly, Resolution on Generative AI (October 2023)
Along with committing to enforcing privacy legislation as it pertains to generative AI tools, this resolution calls on those who develop, provide and deploy these systems to recognize data protection and privacy as a fundamental right. It calls for the creation of responsible and trustworthy generative AI technologies and for training so that employees of the companies that create and use the technology understand the impact of AI systems on data protection, privacy, and the rights of data subjects.
- Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombuds with Responsibility for Privacy Oversight, Putting best interests of young people at the forefront of privacy and access to personal information (October 2023)
This resolution calls on organizations to adopt practices that promote the best interests of young people, ensuring not only the safeguarding of young people’s data, but also empowering them with the knowledge and agency to navigate digital platforms and manage their data safely and with autonomy. Initial steps include identifying and minimizing privacy risks at the design stage. Other recommendations include: making the strongest privacy settings the default; turning off location tracking; and rejecting deceptive practices and incentives that influence young people to make poor privacy decisions or to engage in harmful behaviours.
Conclusion
I hope that this information is of assistance to the Committee, and look forward to reviewing the Committee’s report. Please do not hesitate to contact me should you have any questions or require further information.
Sincerely,
Enclosures (9)
c.c.: Nancy Vohl
Clerk of the Committee