OPC recommended four 'important enhancements' to proposed regulations
The Office of the Privacy Commissioner of Canada recently responded to proposed regulations governing the examination of travellers’ digital devices by the Canada Border Services Agency upon entry to Canada.
The proposed regulations relate to legislative changes under Bill S-7, which seek to clarify the circumstances in which border officers and preclearance officers may examine documents stored on personal digital devices.
In its written submission, the OPC identified numerous procedural and accountability requirements, which it believed are missing from Bill S-7 and should be included within the legal framework for the examination of digital devices. These requirements are as follows:
- Imposing record-keeping requirements related to device searches, including obligations to document indicators justifying the search;
- Ensuring technical requirements are in place to limit the scope of the search to only what is stored on a device;
- Establishing rules for password collection and retention limits;
- Implementing mechanisms for complaints, redress, and independent oversight.
The OPC noted that these requirements intend to address key issues raised over the course of two OPC investigations related to the examination of digital devices by CBSA officers in 2019 and 2020. During the investigations, the OPC uncovered failures by the CBSA to follow its internal policy requirements and proposed a legal framework in support of a higher threshold for examining digital devices at borders.
The OPC also observed that the proposed regulations broadly address two existing policy requirements. In particular, they specify the types of information that must be recorded by an officer examining a digital device and require officers to take necessary steps to ensure only documents stored on the device are accessible during the examination.
Regardless, the OPC still recommended four “important enhancements” to the proposed regulations. These are: (1) note-taking requirements; (2) disabling network connectivity; (3) password collection and retention; and (4) solicitor-client privileged information.
Notetaking requirements
According to the OPC, appropriate notetaking is essential to ensuring accountability and facilitating retrospective review and oversight over device searches. It observed that the proposed regulations enumerated seven types of information required to be recorded when a digital device is examined.
“One of the most important elements in the list is the requirement to record the basis for the examination, which would require the officer to articulate their rationale for conducting the search in accordance with the law and the defined threshold,” the OPC wrote.
The OPC suggested that the list be amended to include additional elements to enhance the articulation of the rationale for conducting the search, such as noting down any communication with the traveller that may be relevant to the circumstances of the examination, and whether the search was resultant or not and the steps taken following that determination.
Disabling network connectivity
The OPC recommended that the proposed regulations include more specific technical requirements to ensure that the scope of an examination is limited to documents stored locally on a digital device.
“Certain technical steps and procedures should be specified by the regulations as necessary to ensure there is no connection to a network, including, but not necessarily limited to: activating ‘airplane mode,’ deactivating connection to a Wi-Fi network, and ensuring a device is not sharing a connection with another device via Bluetooth or otherwise,” the OPC wrote.
Password collection and retention
The OPC considered passwords and passcodes to be “sensitive personal information” when paired with other identifiers or if it is matched with the device it unlocks. Moreover, the sensitivity of a passcode “may be increased” if it is reused across multiple accounts or activities.
“Accordingly, we recommend the regulations include specific provisions directing the methods and circumstances for password and passcode collection, including specifying that an officer must not retain a password or passcode in instances where the examination of a digital device is non-resultant,” the OPC wrote.
Solicitor-client privileged information
The OPC noticed that the proposed draft regulations failed to address an amendment to Bill S-7, which requires the inclusion of measures to be taken by an officer if a person asserts that a document to be examined is subject to a privilege under the law of evidence, solicitor-client privilege, professional secrecy of advocates and notaries, or litigation privilege.
“We recommend the CBSA include its current policy requirements for dealing with solicitor-client privileged information, and other types of sensitive information of this nature, within the proposed regulations,” the OPC wrote.