Additional questions and answers

Appearance before the Standing Senate Committee on Indigenous Peoples, February 27, 2024

---

Q 1: OPC consulting with Indigenous Peoples

Does the OPC consult with Indigenous Peoples? How often? In what context?

Response / Key Messages

• My office has engaged with groups such as the First Nations Information Governance Centre (FNIGC) and the Inuit Tapiriit Kanatami on topics such as Indigenous Data Sovereignty, various draft guidance documents of my Office and on privacy legislation.
• This has included engagement through roundtables, consultations, and contracts for training opportunities for OPC staff. It also includes ongoing informal engagement through meetings on specific topics.
• Through my office’s Contributions Program, we have funded projects by Indigenous Peoples pertaining to their interpretations of privacy.
• For example, we funded a FNIGC project examining First Nations Data Sovereignty and PIPEDA, including how PIPEDA applies to First Nations businesses, governments, and organizations. They also developed a guide for First Nations businesses to help with compliance.

Background

• We have met with the FNIGC many times over the years in a variety of contexts. They have also provided training to PRPA on the OCAP principles.
• In 2023, we ran a series of roundtables with equity-seeking groups, including organizations representing Indigenous Peoples. The Commissioner, Deputy Commissioner Policy & Promotion and PRPA staff met with many organizations including the FNIGC to discuss general privacy views and to hear views on the modernization of privacy legislation.
• As part of our consultation roundtables on police use of facial recognition technology guidance, we met with the Inuit Tapiriit Kanatami as they had views to share on body worn cameras.
• PRPA plans to host roundtables on group privacy in the coming months and plans to invite Indigenous groups to learn more about their views on community privacy and their observations on privacy legislation.

Prepared by: PRPA

---

Q 2: Indian Residential Schools Settlement Agreement and Records Transfer

What is the legal status of IRSSA and how does this impact the transfer of records to the NCTR?

Response / Key Messages

• The Indian Residential Schools Settlement Agreement (Settlement Agreement) has the status of a contract — albeit a unique one (see Canada v. Fontaine, 2017 SCC 47).
• It is not readily apparent which Privacy Act provision might apply to transfers of documents from federal government institutions to the NCTR, as contemplated in general terms under the Settlement Agreement (Settlement Agreement, Schedule N, articles 11-12).
• That being said, Crown-Indigenous Relations and Northern Affairs Canada may be aware of facts that would allow the application of specific provisions under s.8(2) of the Act.
• Moreover, a court order governing specific transfers—through a Request for Directions to the supervisory judges with jurisdiction over the implementation and administration of the Settlement Agreement—would allow disclosure without consent under paragraph 8(2)(c) of the Privacy Act.

Background

• The Settlement Agreement is the settlement of the most significant class action in Canadian history.
• Where issues relating to the implementation of the Settlement Agreement arise, the parties retain the ability to bring Requests for Directions to one of the supervisory judges. These superior court judges can issue orders to facilitate implementation (Canada v. Fontaine, paras. 31-32; see also Settlement Agreement, article 7.01(3) re the ability of the church organizations or Canada to seek judicial assistance on issues relating to document production, disposal and archiving).

Prepared by: Legal

---

Q 3: The National Centre for Truth and Reconciliation’s status and applicable privacy law

What is the status of the NCTR and how does it interact with privacy law?

Response / Key Messages

• The National Centre for Truth and Reconciliation (NCTR) is the Indigenous archive created to house records received or created during the life of the Truth and Reconciliation Commission (TRC).
• The NCTR was created towards the end of the TRC’s mandate and is affiliated with the University of Manitoba.
• The TRC was expressly provided for under the Indian Residential Schools Settlement Agreement (Settlement Agreement) as one of five key components (art. 7 and Schedule N).
• It was further provided that a National Research Centre be created to archive and make available materials collected by the TRC (Schedule N, art. 12). The NCTR is that centre.
• Unlike the TRC, the NCTR is not a “government institution” listed in Schedule 1 to the Privacy Act. Instead, it is subject to Manitoba privacy law just like its host university (Freedom of Information and Protection of Privacy Act, C.C.S.M. c. F175).

Background

• In addition to provincial privacy law, the NCTR divides its records into “open” and “restricted” records. The former are records not subject to restrictions and more generally available to survivors and their families, researchers, educators and other members of the public. The latter category may be subject to restrictions under provincial privacy legislation or be records the NCTR has not yet reviewed in order to determine their appropriate status (NCTR website).
• Under FIPPA, a disclosure without consent is not an unreasonable invasion of a person’s privacy if the individual has been deceased for 25 years or more; or if the disclosure is to the relatives of the deceased or a person with whom they shared a close relationship and the head of the institution is satisfied it is for compassionate reasons (FIPPA, s.17(4)(h) and (h.1)).

Prepared by: Legal

---

Q 4: Disclosures under the Privacy Act for enforcing a law/conducting an investigation

How does s.8(2)(f) impact disclosures for the purposes of administering or enforcing a law or carrying out an investigation?

Response / Key Messages

• Subject to any other Act of Parliament, a government institution can disclose personal information under its control for the purpose of administering or enforcing a law or carrying out a lawful investigation.
• However, the disclosure must occur pursuant to an agreement or arrangement between the Government of Canada or a federal institution and any of the types of enumerated entities or related institutions.
• Potential recipients include foreign governments and related entities; international organizations of states; provincial governments or institutions.
• The councils or governments of a number of First Nations are expressly enumerated as are specific pieces of legislation relating to agreements with First Nations (s.8(2)(f)(iv)-(vii.1).

Background

• Section 8(2)(f) will not apply if a more specific statute authorizes the disclosure. See Wakeling v. United States of America, 2014 SCC 72, where specific Criminal Code provisions authorized the disclosure (paras. 24-28 per Moldaver J.).
• While paragraph 8(2)(f) can authorize disclosure on the part of a government institution, it is not a substitute for legal authority to conduct a “search” within the meaning of section 8 of the Charter. R. v. Flintroy, 2018 BCSC 1777. Where there exists a reasonable expectation of privacy as to the personal information in question, specific legal authority, such as a search warrant is still required.

Prepared by: Legal

---

Q 5: Relationship between Privacy Act and Library and Archives Canada

How does the Privacy Act impact LAC’s activities?

Response / Key Messages

• Government institutions can disclose personal information without consent to LAC for archival purposes, but the Privacy Act continues to apply to that information (s.8(2)(i)).
• However, LAC has slightly more flexibility to disclose personal information without consent for research or statistical purposes.
• Subject to any other Act of Parliament, personal information that has been transferred to LAC by a government institution for historical or archival purposes can be disclosed to any person or body for research or statistical purposes if:
  • the information is of a nature that disclosure would not constitute an unwarranted invasion of the individual’s privacy
  • the disclosure is pursuant to s.8(2)(j) or (k)
  • 110 years have elapsed following the birth of the individual
  • or where information was obtained via census or survey, 92 years have elapsed (s.8(3) PA and s.6 Privacy Regulations)

Background

• Unlike under s.8(2)(m), the assessment of whether disclosure constitutes an “unwarranted invasion of privacy” under s.6(a) Privacy Regulations is not limited to the head of the institution and can be undertaken by other members of staff.
• Where an individual has been deceased for less than 20 years, but 110 years have elapsed since their birth, information can be disclosed if it is held by LAC but not if held by another government institution (s.3(m) PA and s.6(c) Privacy Regulations).
• However, where “material” is placed with LAC by or on behalf of persons or organizations other than government institutions, the Privacy Act and the Access to Information Act do not apply to that information (s.69(1)(b) PA; s.68(c) ATIA).

Prepared by: Legal

---

Q 6: Age Verification for Porn Sites

What is your position on Age verification for porn sites? Would this violate Canadians’ privacy?

Response / Key Messages

• My office is acutely aware of the importance of protecting children and young people online. In fact, I have made protecting children’s privacy a strategic priority.
• We understand that age verification is a potential tool in efforts to protect children online, particularly to prevent children from accessing certain content such as pornography.
• Age verification is not without privacy implications and its use must be carefully considered. Concerns have been raised around the collection, use and retention of personal information in the roll-out of age verification tools.
• The technology around age verification is also in constant evolution; there may be important opportunities to develop effective tools while minimizing the impact on individual privacy.
• I am aware of Bill S-210, which is meant to restrict young persons’ online access to sexually explicit material and that involves provisions relating to age verification. I look forward to providing my views to Parliament should I be called to testify on this Bill.

Background

• Bill S-210, An Act to restrict young persons’ online access to sexually explicit material, would make it an offence for organizations to make sexually explicit material available online to young persons for commercial purposes. Section 6 sets out three defences to the offence, the first of which is if the organization believed the person accessing the material was at least 18 years old through implementing a prescribed age-verification method.
• Internationally, the UK Online Safety Act (s. 81) includes a duty to ensure, by the use of age verification or estimation (or both) that children are not normally able to encounter content that is regulated provider pornographic content. Australia’s Online Safety Act (s. 46) requires steps to be taken to ensure that technological or other measures are in effect to prevent access by children to certain material.

Prepared by: Legal

---

Q 7: Protecting Children Online

How can you protect children online without jeopardizing everyone’s privacy in doing so?

Response / Key Messages

• There are a number of measures that are important to protecting children online, including: strong digital education, easy to understand and use parental controls, implementing child-centered design for websites specifically directed at children and, in certain circumstances, employing suitable age verification mechanisms.
• Age verification is a challenging issue which involves considering: 1) the risks to children (including access to harmful, inappropriate or illegal information, or exposure to potentially harmful data practices); 2) the privacy risks associated with various age verification techniques; and 3) the impact of limiting access to legal information (including for privacy-conscious individuals who are wary of providing information to an age verification service).
• Principles and standards for privacy-respectful age verification are currently being developed by DPAs and groups such as the ISO. This is particularly important in jurisdictions that have passed laws requiring age verification.

Background

• ISO Standard (in development): ISO/IEC WD 27566-1 – Information security, cybersecurity and privacy protection for age assurance systems.
• DPA guidance to date:
  • UK ICO: Age assurance for the Children’s Code
  • France CNIL: Online age verification: balancing privacy and the protection of minors
  • Spain AEPD: Decalogue of principles: Age verification and protection of minors from inappropriate content

Prepared by: PRPA

---

Q 8: OPC actions on protecting children’s privacy

What is the OPC doing on these issues given your priorities of protecting children’s privacy and keeping up with technology?

Response / Key Messages

• My Office sits on an international working group with other DPAs focused on age verification with the goal of sharing information on age verification methods and to work towards a common international approach to the data protection and privacy implications of age assurance methods.
• Other jurisdictions, such as the UK and Europe, have legal requirements to implement age verification or age estimation to restrict access to content. As such, a number of our counterparts have already released guidance and other tools on age verification.
• My Office has identified age verification as a future topic for guidance, that will be particularly important should Bill C-27 pass given its provisions specific to minors.

Background

• Article 35(1)(j) EU Digital Services Act: providers of very large online platforms and search engines are required to put in place “reasonable, proportionate and effective mitigation measures” which may include measures to protect the rights of the child, “including age verification and parental control tools” and tools aimed at helping minors signal abuse or obtain support, as appropriate.
• The European Commission has set up a task force on age verification with Member States for the implementation of the Digital Services Act. The objective is to foster cooperation with national authorities of member states with expertise in the field to identify best practices and standards in age verification.
• In the UK’s Online Safety Act, organizations are required to take steps to protect children’s safety. For example, providers must prevent children of any age from encountering primary priority content that is harmful to children through age verification or age estimation (s. 81). Providers may only conclude that it is not possible for children to access a service if age assurance is used. Primary priority content includes pornographic content, content that encourages, promotes or provides instructions for suicide, among other examples.

Prepared by: PRPA

---