Privacy Commissioners across Canada raise concerns about Bill C-51
-
Upload
bc-teacher-info -
Category
Documents
-
view
57 -
download
0
description
Transcript of Privacy Commissioners across Canada raise concerns about Bill C-51
3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015
https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 1/6
Appearances before Parliamentary Committees
Bill C51, the AntiTerrorism Act, 2015
Submission to the Standing Committee on Public Safety and
National Security of the House of Commons
March 5, 2015
Mr. Daryl Kramp Chair, Standing Committee on Public Safety and National Security131 Queen Street, 6th FloorHouse of CommonsOttawa, Ontario K1A 0A6
Dear Mr. Chair:
I am writing today in reaction to Bill C51, the AntiTerrorism Act, 2015, which was tabled onJanuary 30, 2015. My comments will focus on Part 1 of the Bill, which would create a new Securityof Canada Information Sharing Act (SCISA). The purpose of that Act is to encourage and facilitatethe sharing of information among federal institutions in order to protect Canada against actsundermining its security. Clearly, protecting the security of Canadians is important, and werecognize that greater information sharing may sometimes lead to the identification and suppressionof security threats. However, the scale of information sharing being proposed is unprecedented, thescope of the new powers conferred by the Act is excessive, particularly as these powers affectordinary Canadians, and the safeguards protecting against unreasonable loss of privacy are seriouslydeficient. While the potential to know virtually everything about everyone may well identify somenew threats, the loss of privacy is clearly excessive. All Canadians would be caught in this web.
National security agencies have an important and difficult mandate in protecting all Canadians fromterrorist threats, and I believe they generally strive to do their work in a way that respects humanrights. But history has shown us that serious human rights abuses can occur, not only abroad but inCanada, in the name of national security. The MacDonald Commission identified such abuses in the1980s, which led to the creation of the Canadian Security Intelligence Service (CSIS) and its reviewbody, the Security Intelligence Review Committee (SIRC).1 More recently, the O'Connor andIacobucci Commissions confirmed that national security information sharing, the subject matter ofthe Bill before you, has led to torture in the post 9/11 environment.2 More recently still, revelationsby Edward Snowden have shown how pervasive government surveillance programs can be, includingsome in place in Canada, and how they can affect all Canadians, not only those suspected of being aterrorist threat.
If adopted in its current form, the Security of Canada Information Sharing Act would make availableto 17 federal departments and agencies, which hold some responsibilities in relation to nationalsecurity, potentially all personal information that any department may hold on Canadians. We reachthis conclusion because, as will be explained later, the language used in SCISA to confer informationsharing authorities is extremely broad. For instance, all the tax information held by the CanadaRevenue Agency, which historically has been highly protected information, would be broadly
Office of the Privacy Commissioner of Canada
3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015
https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 2/6
available if deemed relevant to the detection of new security threats. As well, all information thatdepartments hold about young persons that was obtained for a specific purpose could be furthershared with these 17 departments and data mined with a view to identifying those at risk of beingradicalized. As another example, in an effort to identify persons who may be engaged as foreignfighters abroad, the Canada Border Services Agency could be asked to provide information on allindividuals, including tourists and business persons, who have traveled to countries that aresuspected of being transit points to conflict areas.
In sum, the 17 federal departments in question would be in a position to receive information aboutany or all Canadians’ interactions with government. This information could then be analysed alongwith information they had previously collected or obtained through other sources, including foreigngovernments. We are moving very quickly into the world of Big Data, which relies on massiveamounts of personal information being analyzed algorithmically to spot trends, predict behavioursand make connections before any specific investigation is initiated or any particular individual issuspected of anything. As a result of SCISA, 17 government institutions involved in national securitywould have virtually limitless powers to monitor and, with the assistance of Big Data analytics, toprofile ordinary Canadians, with a view to identifying security threats among them.
In a country governed by the rule of law, it should not be left for national security agencies todetermine the limits of their powers. Generally, the law should prescribe clear and reasonablestandards for the sharing, collection, use and retention of personal information, and compliance withthese standards should be subject to independent and effective review mechanisms, including thecourts. Specifically, the following amendments should be made to ensure that information sharingamong federal institutions, under SCISA, takes place in a way that respects the privacy rights ofCanadians.
Standards for sharing information
Bill C51 sets the threshold for sharing Canadians’ personal information far toolow, and broadens the scope of information sharing far too much.
SCISA would authorize virtually systematic sharing of information, for broad purposes not all clearlyrelated to national security, through the use of a few key terms: information would be shared if“relevant” to the jurisdiction of a recipient institution in respect of “activities that undermine thesecurity of Canada”, including in respect of the “detection, identification, analysis, prevention” ofactivities not yet identified, in addition to the investigation or disruption of known threats.
We accept that the detection and prevention of national security threats are legitimate stateobjectives, but we reference these words in section 5 of SCISA to stress their importance inunderstanding that information sharing would not be limited to known terrorism suspects; it wouldinclude information on everyone, including lawabiding Canadians, if relevant to the detection ofthreats.
More problematic is the definition of “activities that undermine the security of Canada” which goesfurther than the existing definitions, untouched by SCISA, of “terrorist activity” in s.83.01 of theCriminal Code and “threat to the security of Canada” in s.2 of the Canadian Security IntelligenceService Act (the CSIS Act). It is not clear why new activities are included and how they all relate togenuine security threats. It is also not clear how SCISA's definition is to apply when the informationto be shared relates to an activity that is not mentioned in the mandate of the recipient institution. For instance, what should CSIS do if it receives information that relates to an “activity” included inthe SCISA definition that is not mentioned in the definition of “threat to the security of Canada”?Pursuant to s.12 of the CSIS Act, CSIS can only collect information, where strictly necessary, if itrelates to a threat as defined in its enabling legislation. Is CSIS to reject information disclosed underSCISA if it does not relate to a threat as defined, or is the definition of threat in the CSIS Act to beread in light of the new SCISA definition and somehow expanded to authorize information sharingunder the wider definition?
3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015
https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 3/6
Equally problematic is that SCISA would authorize information sharing if “relevant” to the jurisdictionof the recipient institution, rather than “necessary” to its mandate or “proportional” to the nationalsecurity objective to be acheived. We note that relevance is a much broader standard than thatestablished elsewhere with respect to the collection of personal information. As mentioned, CSIScan only collect information where “strictly necessary” to report and advise the Government ofCanada in relation to a defined threat. CSIS would seemingly have to reject information disclosed toit under a relevance test, if the information did not also meet the necessity test under s.12 of theCSIS Act. In the case of recipient institutions other than CSIS, the Directive on Privacy Practices asissued by the Treasury Board Secretariat in support of the Privacy Act obligates institutions to limitcollection of personal information to what is directly related to and “demonstrably necessary” for thegovernment institution’s programs or activities.3
The threshold for information sharing (that is, whether the sharing of information is to be authorizedon the based on relevance, necessity or proportionality) is of central importance to striking the rightbalance in the protection of privacy rights. Applying a relevance standard, because it exposes thepersonal information of everyone, would contribute greatly to a society where national securityagencies would have virtually limitless powers to monitor and profile ordinary Canadians. Consequently, we recommend that a necessity test be the standard, which would be in line with s.12of the CSIS Act, that the government interestingly does not believe needs amendment, and thegeneral directive of the Treasury Board Secretariat. However, if a necessity test is deemed too high,Parliament should consider adopting a proportionality and reasonableness test, as is proposed forthe new CSIS disruption powers found in Part 4 of Bill C51.
While the Preamble to SCISA lists a number of governing principles, including consistency with theCharter and privacy protection, as well as the need for accountable and effective informationsharing, it is not clear that these principles would be binding. We believe effective privacy protectionrequires more than principles; it requires that the standards recommended below be adopted asstatutory requirements under SCISA.
Recommendation 1: Only information which meets the necessity standard, rather than
the relevance standard, should be shared with the 17 agencies listed in the Schedule.
Alternatively, a recipient department should be required to conduct an assessment of the
reasonableness and proportionality of the collection in achieving their mandated national
security objective.
Recommendation 2: The definition of “activities undermining the security of Canada”
should be reviewed to ensure that it is not overly broad and includes only real threats to
security. In the case of conflict between that definition and the jurisdiction of recipient
institutions, it should be clarified that the former is not intended to expand the latter.
Recordkeeping obligations
Bill C51 is far too permissive with respect to how shared information is handled.
It sets no clear limits on how long information is to be kept.
The Bill is largely silent on the subject of retention and disposal of information shared. There isauthority to make regulations “respecting the manner in which records are kept and retained”, butthere is no clear obligation for receiving institutions to discard information which does not meet theirstatutory collection standards, or to dispose of information once it has served its purpose. We haveseen in other contexts, particularly in our ongoing assessments of Canada’s financial intelligenceagency, FINTRAC, but also in our review of the RCMP’s exempt data banks and the audits weconduct of other government institutions that once information is received, it is tempting to retain itregardless of its relevance or value. Often, we hear the argument that information is kept “just incase” it may be useful later. This is highly problematic in the context of SCISA where large amountsof personal information about lawabiding individuals could be retained for long periods. Not onlywould SCISA give 17 agencies involved in national security the potential to know everything about
3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015
https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 4/6
everyone, it could allow them to keep this information forever.
Recommendation 3: Bill C51 should be amended to include as a statutory requirement
that personal information that does not meet the recipient institution's legal collection
standards should be discarded without delay. SCISA should also require that information,
once collected, is retained only as long as necessary. Reviews should be held at regular
intervals, prescribed by regulations, to ensure that this principle is respected and that the
retention of information is justified. Finally, SCISA should require that proper
documentation of all collection and retention decisions be maintained.
InformationSharing Agreements
Bill C51 fails to require that information sharing be subject to written
agreements.
While the Bill enunciates the importance of informationsharing agreements as a principle and as a
practice that is “appropriate”, we believe that written agreements should be legally required. Such
agreements could provide more specificity beyond the core standards set out in legislation
(relevance, necessity or proportionality, retention) for what is to be shared and how, when
information is to be retained, when it must be disposed of, and include robust accountability
measures to assign responsibility for and review of sharing, including direction on how
documentation disclosed or received should be handled.
These agreements, properly crafted, would go a long way to ensure that only appropriate and
accurate information is shared. In New Zealand, such agreements are required, and the Privacy
Commissioner must be consulted on them. Our experience in reviewing departmental privacy
impact assessments (PIAs), which are currently required under a Treasury Board Secretariat
directive, is that it has been a highly useful tool in preventing privacy concerns.4 We suggest that
building in a consultation with my Office on informationsharing agreements would be equally
useful. Moreover, written agreements would also give oversight bodies something concrete against
which to assess informationsharing practices, leading to more meaningful review.
Recommendation 4: Bill C51 should be amended to include an explicit requirement for
written information agreements. More detailed elements of what should be in the
agreements could be set out in Regulations. The Office of the Privacy Commissioner
should be consulted in the development of these agreements.
Oversight and Review
Bill C51 exacerbates serious gaps in existing oversight and review mechanisms,
and does not facilitate sharing between review bodies. As for affected
individuals, the privacy regime provides no judicial recourse for improper
collection, use or disclosure of their personal information.
No level of review can address inadequate standards. As stated in the introduction, in order to
ensure that privacy rights are respected in the context of SCISA, the law should prescribe clear and
reasonable standards for the sharing, collection, use and retention of personal information. Along
with such standards, it is equally important that compliance with these standards be subject to
independent and effective review mechanisms, including the courts. Independent review is
particularly critical because information sharing under SCISA will often occur secretly, and so
individuals may not be able to otherwise challenge the disclosure or use of their information.
Although there is currently some level of review, there are obvious gaps: 14 of the 17 agencies
listed in Schedule 3 that will receive information for national security purposes are not subject to
dedicated independent review or oversight. To fill that gap, the jurisdiction of one or more of the
3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015
https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 5/6
existing review bodies should be extended to include the 14, or a new expert review body with
horizontal jurisdiction should be created to review the lawfulness and reasonableness of national
security activities. While it is true, as mentioned in the government's backgrounder to Bill C51, that
my Office has the mandate to review the personal information handling practices of all these
agencies, the Privacy Act necessarily restricts what we can examine to “personal information” asdefined by the Act; we do not have jurisdiction to examine in general the lawfulness of the activities
of national security agencies. That said, we do have authority to review compliance with privacy
requirements, and I intend to play that role vigorously as it pertains to SCISA. I note, however, that
our review may not be fully effective without some additional resources, as the Act will greatly
increase information sharing both in volume and in terms of the complexity of the legal issues
involved.
Effective review also requires that judicial recourse and remedies be available for aggrieved
individuals. The Privacy Act currently provides no judicial recourse for complainants or indeed myOffice in cases involving improper collection, use, disclosure or retention of personal information.
5
All they have right to is a report of nonbinding recommendations by my Office with no further
enforcement mechanism and no possibility for remedy. This is insufficient and it is reasonable, in
the context of this Bill which so widely extends the scale of information sharing between
departments and agencies, to give Canadians effective legal remedies in order to pursue their
complaints beyond the issuance of my report. I would therefore reiterate the calls my predecessors
have made to amend the Privacy Act by broadening the Federal Court review to all grounds beyondjust denial of access which is currently the case.
6
Another obstacle to effective review is that existing review bodies are currently unable to share
information amongst themselves. As we and others have stated previously,7 there is at present no
explicit legislative authority to conduct joint reviews of national security operations, nor is there a
mechanism whereby information of relevance that may be discovered by one review body could be
passed to another. In fact, the confidentiality provisions in the Privacy Act explicitly prevent myOffice from sharing information with other review bodies, such as the Security Intelligence Review
Committee, the Office of the Communications Security Establishment Commissioner or the Civilian
Review and Complaints Commission for the RCMP concerning ongoing investigations into national
security practices. A system which proposes removal of silos between government departments for
informationsharing purposes must provide for the same removal of silos for the bodies which ensure
their activities are compliant with the law.
Other countries have implemented an oversight model which includes review by a Committee of
Parliamentarians, while maintaining review by an independent body of experts. Such a model would
offer clear advantages in terms of democratic accountability, and the mandates of the Committee of
Parliamentarians and the committee of experts could be defined so as to avoid duplication.
Finally, in order to ensure that an appropriate balance between privacy and security is maintained
after the implementation of SCISA, a parliamentary review of its provisions and their application
should be required three (3) years after its coming into force. This review should be conducted in
light of other legislation that has had an impact on information sharing, such as C13 and C44. In
our view, this would allow for a broader consideration of the cumulative effects such information
sharing has had on Canadians.
Recommendation 5: Bill C51 should be amended to ensure that all 17 agencies inSchedule 3 are subject to independent and effective review, by an expert body and byParliamentarians; to remove impediments for information exchange between existingreview bodies; and to amend the Privacy Act to allow for judicial recourse in casesinvolving collection, use or disclosure of personal information. The Bill should also includea mandatory period of review after three years.
Conclusion
3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015
https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 6/6
Date Modified: 20150306
In the wake of the tragic events of October 2014 in Canada, and similar events elsewhere,
Canadians expect that the government will protect them from terrorist threats. But we have heard
and continue to hear resounding support for the protection of privacy. Our own polls indicate that
privacy protection is still very much front of mind. Over the past weeks, I have been holding
meetings with stakeholders to discuss what my Office’s priorities should be for the coming years. At
those meetings, I have repeatedly heard that Canadians understand the need to share their
information with the government, but that they have concerns about how this information is going to
be used. They are particularly concerned with the issue of government surveillance. Bill C51 does
nothing to assuage those fears.
In its current form, Bill C51 would fail to provide Canadians with what they want and expect:
legislation that protects both their safety and their privacy. In my submission, the amendments
recommended here are necessary to achieve an appropriate balance which is currently lacking. I
would welcome the opportunity to appear before Committee to discuss these recommendations and
speak to any other points I have raised in this letter.
Sincerely,
Original signed by
Daniel Therrien
Commissioner
1 Royal Commission of Inquiry into Certain Activities of the RCMP, 1981.
2 Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar, 2006, and
Internal Inquiry into the Actions of Canadian Officials in Relation to Abdullah Almalki, Ahmad Abou
Elmaati and Muayyed Nureddin, 2008.
3 Directive on Privacy Practices , section 6.2.8.
4 Directive on Privacy Impact Assessment
5 The Act only allows for individuals to seek judicial review in cases of refusal of access.
6 Addendum to Government Accountability for Personal Information: Reforming the Privacy Act, April
2008.
7 Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar, 2006;
Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence
Community in an Era of CyberSurveillance, OPC Special Report to Parliament, January 28, 2014.