Last month, a British Columbia Provincial Nomination Program (“BC PNP”) officer requested that one of my employer clients provide payroll documents for individuals who were not a part of the BC PNP application. We politely pointed out that the employer could not do this without the third party employees’ consent, as to provide the documents without their consent would be contrary to BC’s Personal Information Privacy Act. Alternatively, the BC PNP had to at least provide the statutory authority to compel the production of these third party documents The British Columbia Office of the Information & Privacy Commissioner confirmed that we were correct. The BC PNP officer respected our position, and the events left me confident in the Province of British Columbia’s respect for personal privacy.
We were of course not the first to navigate the complicated intersection between the government’s administering its immigration programs the right to privacy, which pursuant to numerous Supreme Court of Canada is a quasi-constitutional right. For example, as noted in the following “Findings under the Privacy Act,” Citizenship and Immigration Canada (“CIC”) recently agreed with the Office of the Privacy Commissioner of Canada that it was an unreasonable breach of privacy for CIC to request the tax information of potential employers of Live-in Caregivers:
Three individuals who wished to employ live-in caregivers from the Philippines complained to this Office that the Canadian Embassy in Manila was asking them to provide sensitive income tax information before it would issue visas to their prospective caregivers. The individuals were worried about sending tax documents containing their social insurance numbers (SINs) and detailed information about their financial situation to a foreign country, especially with identity fraud having become such a major concern.
Citizenship and Immigration Canada (CIC) explained that the Live-In Caregiver Program (LCP) brings qualified caregivers to Canada in situations where there are no Canadians or permanent residents available to fill certain positions. Canadians wishing to hire a caregiver from abroad are required to have their job offer validated through Human Resources Development Canada (HRDC) and to sign a form declaring that they can financially support the person they will employ.
After the job offer was validated by HRDC, the Visa Section of the Canadian Embassy in Manila asked the prospective employers to send their Notice of Assessment for the last two years, their T-4 slips and a letter from their employer confirming employment.
CIC claimed that the information was necessary to determine the bona fides of an employment offer and to confirm that the employers were financially capable of supporting a caregiver.
When questioned about its authority to collect income tax information for the purpose of issuing visas to third parties, CIC referred to section 203 of theImmigration and Refugee Protection Regulations. A review of that document indicated that the visa officer must determine if the job offer is genuine and if the employment of the foreign national is likely to have a neutral or positive economic effect on the labour market in Canada.
In the previous Annual Report, the former Commissioner stated his position concerning the collection of income tax information without legislative authority. He explained that he found it untenable that an income tax return can be demanded from an individual for a purpose other than that required by law. Canadians should never be required to compromise a fundamental right in order to do business with the Government.
This Office presented those arguments to CIC and, as a result, the Embassy in Manila confirmed that it has ceased asking for income tax information for the purpose of issuing visas to live-in caregivers.
I highlighted the above portion of the report because I think it is an especially salient observation.
The Reforms to the TFWP
On June 20, 2014, the Conservative Government of Canada introduced significant reforms to the Temporary Foreign Worker Program (“TFWP”), and released a 41-page PDF outlining the future of the program. Buried on page 17 of the PDF is the following statement:
Furthermore, as of Fall 2014, ESDC will be able to compel banks and payroll companies to provide bank records and payroll documents to help inspectors verify that employers are complying with the rules of the TFWP.
Apparently the Government of Canada has a sufficient enough distrust of Canadian businesses that it believes it is necessary to bypass employers and require that banks provide employee payroll information instead.
The reason that reform of the TFWP is being delayed to the fall of 2014 is presumably because the Government of Canada needs to amend the Immigration and Refugee Protection Regulations in order to compel banks and payroll companies to disclose their clients sensitive information.
PIPEDA and R v. Spencer
Section 7(3) of Canada’s Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”) provides that an organization may disclose information about an individual without their consent if:
(3) … an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
(a) made to, in the Province of Quebec, an advocate or notary or, in any other province, a barrister or solicitor who is representing the organization;
(b) for the purpose of collecting a debt owed by the individual to the organization;
(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;
(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,
(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or
(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;
Until recently, many, including apparently the Government of Canada, believed that PIPEDA s. 7(3) provided the legislative authority for the Government of Canada to compel organizations to disclose personal information of third parties without their consent. However, on June 13, 2014, the Supreme Court of Canada (the “SCC”) held in R v. Spencer, 2014 SCC 43 (“Spencer“) that the right to privacy in Canada is stronger than that.
In Spencer, the Saskatoon Police Service relied on s. 7(3)(c.1)(ii) of PIPEDA to obtain without a warrant account information about an individual from an Internet Service Provider. The accused argued that this breached s. 8 of the Canadian Charter of Rights and Freedoms, which provides that:
Everyone has the right to be secure against unreasonable search or seizure.
As noted by the SCC in Spencer:
Under s. 8 of the Charter , “[e]veryone has the right to be secure against unreasonable search or seizure.” This Court has long emphasized the need for a purposive approach to s. 8 that emphasizes the protection of privacy as a prerequisite to individual security, self-fulfilment and autonomy as well as to the maintenance of a thriving democratic society.
In determining that s. 7(3) of PIPEDA did not authorize the police to compel production of third party documents, the Supreme Court of Canada determined that:
“Lawful authority” in s. 7(3)(c.1)(ii) of PIPEDA must be contrasted with s. 7(3)(c), which provides that personal information may be disclosed without consent where “required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records”. The reference to “lawful authority” in s. 7(3)(c.1)(ii) must mean something other than a “subpoena or warrant”. “Lawful authority” may include several things. It may refer to the common law authority of the police to ask questions relating to matters that are not subject to a reasonable expectation of privacy. It may refer to the authority of police to conduct warrantless searches under exigent circumstances or where authorized by a reasonable law: Collins. As the intervener the Privacy Commissioner of Canada submitted, interpreting “lawful authority” as requiring more than a bare request by law enforcement gives this term a meaningful role to play in the context of s. 7(3) and should be preferred over alternative meanings that do not do so. In short, I agree with the Ontario Court of Appeal in Ward on this point that neither s. 487.014(1) of the Code, nor PIPEDA creates any police search and seizure powers: para. 46.
The notion that “Lawful Authority” requires exigent circumstances or that a law be “reasonable” will likely be a significant hurdle for the Government of Canada to overcome should it actually try to compel banks to provide their clients information without consent.
The Erosion of Your Privacy
Of course, this somewhat surprising flippant attitude towards privacy is not only occurring in the immigration context. In the tax context, the 2014 omnibus Budget Implement Act which will require Canadian banks to provide their customers’ account information to the United States Internal Revenue Agency. As Professor Arthur Cockfield recently wrote in the Globe and Mail, the threats to the privacy of millions in Canada risks being compromised:
The proposed law applies to a broad class of U.S. expatriates and Canadians who could now be subject to fines, interest penalties, criminal sanctions, and denial of entry into the United States. Under the proposed approach, Canadian banks will have to look to their records on birth places, residences, Social Insurance Numbers and other information to see if any “U.S. person” holds an account. “U.S. person” is a defined term that includes many more people in Canada than almost anyone realizes. It includes U.S. citizens and non-citizens with various personal or economic ties to the United States (for example, former green card holders now residing in Canada).
Canadian snowbirds who travel to the United States for part of each year may also be caught in the tax web if they are deemed to be U.S. persons under facts and circumstances tests. So-called ‘accidental Americans’, including Canadians with U.S. citizen parents who have never stepped foot in the United States, are also swept up in the net. Finally, any Canadians who jointly hold accounts with a U.S. person for family or business purposes will see their sensitive financial information shipped south of the border too.
All Canadian businesses that are partly owned by a “U.S. person” will also have their sensitive financial account information disclosed to the IRS. This includes confidential information that, if improperly revealed to competitor firms, could harm the ability of Canadian businesses to compete against U.S. firms. In light of recent disclosures surrounding U.S. state-sponsored corporate espionage, the Canadian business community should be yelling to the rooftops about this commercial confidentiality concern.
The concerns that I have over the continued erosion of privacy, and the legislative procedural manner in which it is occurring, are perhaps best summarized by Chantal Bernier, Assistant Privacy Commissioner of Canada, who, when speaking before the Senate Standing Committee on Transport and Communications said that:
With respect to Parliamentary oversight, one of our consistent concerns about the API/PNR program is the lack of transparency and the degree to which the details of the program are contained in regulations and are negotiated secretly with other countries. While we understand that international negotiations require a degree of secrecy, transparency requires that secrecy be kept to a minimum so that law abiding citizens have a proper understanding of the system put in place and the level of intrusion that is proposed.
Fundamental questions about the API/PNR Program such as the data elements that are provided to CBSA, how this information can be used, with whom it may be shared and how long it is retained cannot be found in the Customs Act. To a large degree, these matters have been shaped by negotiations with other jurisdictions, most notably with the European Union.
A new PNR Agreement is currently being negotiated with the European Union. Based on the Agreement between the EU and US that was approved earlier this year, we are concerned that, under a new Canada-EU Agreement, the amount of information collected by CBSA will increase, it will be used for more purposes, and it will be retained longer.
In doing research for this blog post,I stumbled upon the following report from the Office of the Privacy Commissioner of Canada, which gives rise to additional concerns.
A Canadian woman wanted to hire a Bangladeshi man as a live-in caregiver for her child. The man applied for a work permit at the Canadian High Commission in Dhaka and supplied all the necessary documents.
To strengthen the man’s application, the woman asked her MP to send a letter of support to the High Commission. She also asked the MP to attach to his letter copies of personal documents such as her passport and federal income tax assessment, which included her date of birth, Social Insurance Number and other personal information.
The MP’s office forwarded all this information to officials of Citizenship and Immigration Canada at the Canadian High Commission in Dhaka.
The man’s application for a work permit was refused. Following standard practice, the Immigration official returned to the man the entire contents of his file, which included not only his documents, but also the woman’s personal documents sent by the MP’s office.
According to the woman, the man then shared her personal information with family and friends. She was concerned that this disclosure could result in identity theft or jeopardize her safety if she travelled to Bangladesh. She complained to our Office.
Citizenship and Immigration acknowledged that it did not have the complainant’s consent and that her personal information should not have been disclosed to the man. At our request, officials apologized to the complainant in a letter.