Public consultation on the proposed Regulations for the Examination of Documents Stored on Personal Digital Devices

Submission of the Office of the Privacy Commissioner of Canada to Canada Border Services Agency

July 14^th, 2022

Terri Gabbatt
Manager, Traveller Facilitation and Customs Policy Unit
Canada Border Services Agency
Submitted to: Terri.Gabbatt@cbsa-asfc.gc.ca

Dear Terri Gabbatt,

Subject: OPC Response to public consultation on the proposed Regulations for the Examination of Documents Stored on Personal Digital Devices

We appreciate the opportunity to provide comments to the Canada Border Services Agency (CBSA) in response to its public consultation on the text of the proposed Regulations for the Examination of Documents Stored on Personal Digital Devices.

We understand the intent is for these proposed Regulations to come into force as soon as possible following Royal Assent of related legislative changes to the Customs Act under Bill S-7 An Act to amend the Customs Act and the Preclearance Act, 2016.

At our June 6, 2022, appearance before the Standing Senate Committee on National Security and Defence (SECD) on Bill S-7, we identified four elements missing from the Bill which we noted are important procedural and accountability requirements that should also be included within the legal framework in support of a defined threshold in the law. Specifically:

• Imposing record-keeping requirements related to device searches, including obligations to document indicators justifying the search;
• Ensuring certain technical procedures and requirements are in place to limit the scope of the search to only what is stored on the phone (e.g. disabling network connectivity);
• Establishing rules for password collection and retention limits; and,
• Implementing mechanisms for complaints, redress, and independent oversight.

These recommendations were made to address key issues raised in the course of our 2019 investigation of the CBSA with respect to the examination of digital devices,^{Footnote 1} where we proposed there be a clear legal framework to set rules in support of a higher threshold for the examination of digital devices at the border. They also stem from the findings of a separate investigation of the CBSA completed by our Office in 2020 regarding requiring a passcode in the context of an examination of a digital device. In that instance, we found passcodes were being retained unnecessarily beyond the examination process in cases where the CBSA had not seized the device.^{Footnote 2}

These investigations uncovered failures by the CBSA to follow its internal policy requirements governing the examination of digital devices. As a result, we recommended that the Customs Act be amended to include a clear legal framework for the examination of digital devices, including specific rules to impose a higher threshold for the examination of such devices, in line with the requirements of the CBSA’s policy. We note this aligns with a recommendation from the Standing Committee on Access to Information, Privacy and Ethics (ETHI) following its 2017 study “Protecting Canadians’ Privacy at the U.S. Border”, which similarly recommended that CBSA’s policy controls on device searches should be legally binding.^{Footnote 3}

The Regulations as currently drafted broadly address two existing policy requirements: they specify the types of information that must be recorded by an officer who examines a digital device, and require officers to take “necessary steps” to ensure only documents stored on the device are accessible during the examination.^{Footnote 4} While these rules do address two of the key elements we recommended be included within the legal framework for the examination of digital devices, below we recommend important enhancements to the proposed rules and identify other key elements still not addressed in the current proposal.

Note-taking Requirements

Appropriate note-taking is essential to ensuring accountability and facilitating retrospective review and oversight over device searches. The Regulations, as drafted, delineate seven types of information required to be recorded when a digital device is examined. One of the most important elements in the list is the requirement to record the basis for the examination, which would require the officer to articulate their rationale for conducting the search in accordance with the law and the defined threshold. Along these lines, we recommend the list proposed in the Regulations be amended to include the following additional elements to enhance the articulation of the rationale:

• The requirement for noting the basis of the examination to also include noting if the rationale changes as the examination progresses, for instance, if new evidence or facts emerge;
• The proposed requirement for noting the type of document that was examined to also include the reasons why a particular document was examined;
• Adding a requirement to note any communication with the traveller that may be relevant to the circumstances of the examination; and
• Adding a requirement to note whether the search was resultant or not, and the steps taken following that determination.

Disabling Network Connectivity

In line with our recommendations to SECD in the context of our appearance on Bill S-7, we would like to reiterate that the Regulations should include more specific technical procedures and requirements that ensure the scope of an examination is limited to documents stored locally on a digital device. In this regard, we would emphasize that certain technical steps and procedures should be specified by the Regulations as necessary to ensure there is no connection to a network, including, but not necessarily limited to: activating “airplane mode”, deactivating connection to a WiFi network and, ensuring a device is not sharing a connection with another device via Bluetooth or otherwise.

Password Collection and Retention

We note that the proposed Regulations do not include any requirements for password collection or retention limits. Our Office considers passwords and passcodes to be “sensitive personal information” when paired with other identifiers or if it is matched with the device it unlocks. The sensitivity of a passcode may be increased if it is reused across multiple accounts or activities. Accordingly, we continue to recommend the Regulations include specific provisions directing the methods and circumstances for password and passcode collection, including specifying that an officer must not retain a password or passcode in instances where the examination of a digital device is non-resultant. While we are aware that some rules for password collection and retention are currently addressed by CBSA policy, we remain of the view that these should be included within the legal framework for the examination of digital devices so the rules are legally binding.

In line with this, we note that during the SECD clause-by-clause discussion of Bill S-7, Senator Yussuff inquired about whether the four missing elements identified by our Office, including on password collection and retention, would be included in the Regulations. The CBSA responded by saying the first two elements were already included in the draft Regulations and suggested in its response that the third element on passwords would be considered during its regulatory work. Following this discussion, Senator Yussuff indicated he would be satisfied if it would be included in the Regulations, with which we agree.

Solicitor-Client Privileged Information

We note that the current draft Regulations do not address an amendment to Bill S-7 adopted by the Senate which requires the Regulations to include the “measures to be taken by an officer if a person asserts that a document to be examined under subsection 99.01(1) is subject to a privilege under the law of evidence, solicitor-client privilege or the professional secrecy of advocates and notaries, or litigation privilege”. Along these lines, we recommend the CBSA include its current policy requirements for dealing with solicitor-client privileged information, and other types of sensitive information of this nature, within the proposed Regulations.

We appreciate the opportunity to share our views as part of your public consultation and would be pleased to engage with your officials on any of the issues raised in this submission. We are also available to engage with the CBSA on the Regulations proposed in Bill S-7 to be established under the Preclearance Act paragraph 43(1)(c.1), as they are being developed.

Sincerely,