3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015

https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 1/6

Appearances before Parliamentary Committees

Bill C­51, the Anti­Terrorism Act, 2015

Submission to the Standing Committee on Public Safety and

National Security of the House of Commons

March 5, 2015

Mr. Daryl Kramp Chair, Standing Committee on Public Safety and National Security131 Queen Street, 6th FloorHouse of CommonsOttawa, Ontario K1A 0A6

Dear Mr. Chair:

I am writing today in reaction to Bill C­51, the Anti­Terrorism Act, 2015, which was tabled onJanuary 30, 2015. My comments will focus on Part 1 of the Bill, which would create a new Securityof Canada Information Sharing Act (SCISA). The purpose of that Act is to encourage and facilitatethe sharing of information among federal institutions in order to protect Canada against actsundermining its security. Clearly, protecting the security of Canadians is important, and werecognize that greater information sharing may sometimes lead to the identification and suppressionof security threats. However, the scale of information sharing being proposed is unprecedented, thescope of the new powers conferred by the Act is excessive, particularly as these powers affectordinary Canadians, and the safeguards protecting against unreasonable loss of privacy are seriouslydeficient. While the potential to know virtually everything about everyone may well identify somenew threats, the loss of privacy is clearly excessive. All Canadians would be caught in this web.

National security agencies have an important and difficult mandate in protecting all Canadians fromterrorist threats, and I believe they generally strive to do their work in a way that respects humanrights. But history has shown us that serious human rights abuses can occur, not only abroad but inCanada, in the name of national security. The MacDonald Commission identified such abuses in the1980s, which led to the creation of the Canadian Security Intelligence Service (CSIS) and its reviewbody, the Security Intelligence Review Committee (SIRC).1 More recently, the O'Connor andIacobucci Commissions confirmed that national security information sharing, the subject matter ofthe Bill before you, has led to torture in the post 9/11 environment.2 More recently still, revelationsby Edward Snowden have shown how pervasive government surveillance programs can be, includingsome in place in Canada, and how they can affect all Canadians, not only those suspected of being aterrorist threat.

If adopted in its current form, the Security of Canada Information Sharing Act would make availableto 17 federal departments and agencies, which hold some responsibilities in relation to nationalsecurity, potentially all personal information that any department may hold on Canadians. We reachthis conclusion because, as will be explained later, the language used in SCISA to confer informationsharing authorities is extremely broad. For instance, all the tax information held by the CanadaRevenue Agency, which historically has been highly protected information, would be broadly

Office of the Privacy Commissioner of Canada

3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015

https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 2/6

available if deemed relevant to the detection of new security threats. As well, all information thatdepartments hold about young persons that was obtained for a specific purpose could be furthershared with these 17 departments and data mined with a view to identifying those at risk of beingradicalized. As another example, in an effort to identify persons who may be engaged as foreignfighters abroad, the Canada Border Services Agency could be asked to provide information on allindividuals, including tourists and business persons, who have traveled to countries that aresuspected of being transit points to conflict areas.

In sum, the 17 federal departments in question would be in a position to receive information aboutany or all Canadians’ interactions with government. This information could then be analysed alongwith information they had previously collected or obtained through other sources, including foreigngovernments. We are moving very quickly into the world of Big Data, which relies on massiveamounts of personal information being analyzed algorithmically to spot trends, predict behavioursand make connections before any specific investigation is initiated or any particular individual issuspected of anything. As a result of SCISA, 17 government institutions involved in national securitywould have virtually limitless powers to monitor and, with the assistance of Big Data analytics, toprofile ordinary Canadians, with a view to identifying security threats among them.

In a country governed by the rule of law, it should not be left for national security agencies todetermine the limits of their powers. Generally, the law should prescribe clear and reasonablestandards for the sharing, collection, use and retention of personal information, and compliance withthese standards should be subject to independent and effective review mechanisms, including thecourts. Specifically, the following amendments should be made to ensure that information sharingamong federal institutions, under SCISA, takes place in a way that respects the privacy rights ofCanadians.

Standards for sharing information

Bill C­51 sets the threshold for sharing Canadians’ personal information far toolow, and broadens the scope of information sharing far too much.

SCISA would authorize virtually systematic sharing of information, for broad purposes not all clearlyrelated to national security, through the use of a few key terms: information would be shared if“relevant” to the jurisdiction of a recipient institution in respect of “activities that undermine thesecurity of Canada”, including in respect of the “detection, identification, analysis, prevention” ofactivities not yet identified, in addition to the investigation or disruption of known threats.

We accept that the detection and prevention of national security threats are legitimate stateobjectives, but we reference these words in section 5 of SCISA to stress their importance inunderstanding that information sharing would not be limited to known terrorism suspects; it wouldinclude information on everyone, including law­abiding Canadians, if relevant to the detection ofthreats.

More problematic is the definition of “activities that undermine the security of Canada” which goesfurther than the existing definitions, untouched by SCISA, of “terrorist activity” in s.83.01 of theCriminal Code and “threat to the security of Canada” in s.2 of the Canadian Security IntelligenceService Act (the CSIS Act). It is not clear why new activities are included and how they all relate togenuine security threats. It is also not clear how SCISA's definition is to apply when the informationto be shared relates to an activity that is not mentioned in the mandate of the recipient institution. For instance, what should CSIS do if it receives information that relates to an “activity” included inthe SCISA definition that is not mentioned in the definition of “threat to the security of Canada”?Pursuant to s.12 of the CSIS Act, CSIS can only collect information, where strictly necessary, if itrelates to a threat as defined in its enabling legislation. Is CSIS to reject information disclosed underSCISA if it does not relate to a threat as defined, or is the definition of threat in the CSIS Act to beread in light of the new SCISA definition and somehow expanded to authorize information sharingunder the wider definition?

3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015

https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 3/6

Equally problematic is that SCISA would authorize information sharing if “relevant” to the jurisdictionof the recipient institution, rather than “necessary” to its mandate or “proportional” to the nationalsecurity objective to be acheived. We note that relevance is a much broader standard than thatestablished elsewhere with respect to the collection of personal information. As mentioned, CSIScan only collect information where “strictly necessary” to report and advise the Government ofCanada in relation to a defined threat. CSIS would seemingly have to reject information disclosed toit under a relevance test, if the information did not also meet the necessity test under s.12 of theCSIS Act. In the case of recipient institutions other than CSIS, the Directive on Privacy Practices asissued by the Treasury Board Secretariat in support of the Privacy Act obligates institutions to limitcollection of personal information to what is directly related to and “demonstrably necessary” for thegovernment institution’s programs or activities.3

The threshold for information sharing (that is, whether the sharing of information is to be authorizedon the based on relevance, necessity or proportionality) is of central importance to striking the rightbalance in the protection of privacy rights. Applying a relevance standard, because it exposes thepersonal information of everyone, would contribute greatly to a society where national securityagencies would have virtually limitless powers to monitor and profile ordinary Canadians. Consequently, we recommend that a necessity test be the standard, which would be in line with s.12of the CSIS Act, that the government interestingly does not believe needs amendment, and thegeneral directive of the Treasury Board Secretariat. However, if a necessity test is deemed too high,Parliament should consider adopting a proportionality and reasonableness test, as is proposed forthe new CSIS disruption powers found in Part 4 of Bill C­51.

While the Preamble to SCISA lists a number of governing principles, including consistency with theCharter and privacy protection, as well as the need for accountable and effective information­sharing, it is not clear that these principles would be binding. We believe effective privacy protectionrequires more than principles; it requires that the standards recommended below be adopted asstatutory requirements under SCISA.

Recommendation 1: Only information which meets the necessity standard, rather than

the relevance standard, should be shared with the 17 agencies listed in the Schedule.

Alternatively, a recipient department should be required to conduct an assessment of the

reasonableness and proportionality of the collection in achieving their mandated national

security objective.

Recommendation 2: The definition of “activities undermining the security of Canada”

should be reviewed to ensure that it is not overly broad and includes only real threats to

security. In the case of conflict between that definition and the jurisdiction of recipient

institutions, it should be clarified that the former is not intended to expand the latter.

Record­keeping obligations

Bill C­51 is far too permissive with respect to how shared information is handled.

It sets no clear limits on how long information is to be kept.

The Bill is largely silent on the subject of retention and disposal of information shared. There isauthority to make regulations “respecting the manner in which records are kept and retained”, butthere is no clear obligation for receiving institutions to discard information which does not meet theirstatutory collection standards, or to dispose of information once it has served its purpose. We haveseen in other contexts, particularly in our ongoing assessments of Canada’s financial intelligenceagency, FINTRAC, but also in our review of the RCMP’s exempt data banks and the audits weconduct of other government institutions that once information is received, it is tempting to retain itregardless of its relevance or value. Often, we hear the argument that information is kept “just incase” it may be useful later. This is highly problematic in the context of SCISA where large amountsof personal information about law­abiding individuals could be retained for long periods. Not onlywould SCISA give 17 agencies involved in national security the potential to know everything about

3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015

https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 4/6

everyone, it could allow them to keep this information forever.

Recommendation 3: Bill C­51 should be amended to include as a statutory requirement

that personal information that does not meet the recipient institution's legal collection

standards should be discarded without delay. SCISA should also require that information,

once collected, is retained only as long as necessary. Reviews should be held at regular

intervals, prescribed by regulations, to ensure that this principle is respected and that the

retention of information is justified. Finally, SCISA should require that proper

documentation of all collection and retention decisions be maintained.

Information­Sharing Agreements

Bill C­51 fails to require that information sharing be subject to written

agreements.

While the Bill enunciates the importance of information­sharing agreements as a principle and as a

practice that is “appropriate”, we believe that written agreements should be legally required. Such

agreements could provide more specificity beyond the core standards set out in legislation

(relevance, necessity or proportionality, retention) for what is to be shared and how, when

information is to be retained, when it must be disposed of, and include robust accountability

measures to assign responsibility for and review of sharing, including direction on how

documentation disclosed or received should be handled.

These agreements, properly crafted, would go a long way to ensure that only appropriate and

accurate information is shared. In New Zealand, such agreements are required, and the Privacy

Commissioner must be consulted on them. Our experience in reviewing departmental privacy

impact assessments (PIAs), which are currently required under a Treasury Board Secretariat

directive, is that it has been a highly useful tool in preventing privacy concerns.4 We suggest that

building in a consultation with my Office on information­sharing agreements would be equally

useful. Moreover, written agreements would also give oversight bodies something concrete against

which to assess information­sharing practices, leading to more meaningful review.

Recommendation 4: Bill C­51 should be amended to include an explicit requirement for

written information agreements. More detailed elements of what should be in the

agreements could be set out in Regulations. The Office of the Privacy Commissioner

should be consulted in the development of these agreements.

Oversight and Review

Bill C­51 exacerbates serious gaps in existing oversight and review mechanisms,

and does not facilitate sharing between review bodies. As for affected

individuals, the privacy regime provides no judicial recourse for improper

collection, use or disclosure of their personal information.

No level of review can address inadequate standards. As stated in the introduction, in order to

ensure that privacy rights are respected in the context of SCISA, the law should prescribe clear and

reasonable standards for the sharing, collection, use and retention of personal information. Along

with such standards, it is equally important that compliance with these standards be subject to

independent and effective review mechanisms, including the courts. Independent review is

particularly critical because information sharing under SCISA will often occur secretly, and so

individuals may not be able to otherwise challenge the disclosure or use of their information.

Although there is currently some level of review, there are obvious gaps: 14 of the 17 agencies

listed in Schedule 3 that will receive information for national security purposes are not subject to

dedicated independent review or oversight. To fill that gap, the jurisdiction of one or more of the

3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015

https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 5/6

existing review bodies should be extended to include the 14, or a new expert review body with

horizontal jurisdiction should be created to review the lawfulness and reasonableness of national

security activities. While it is true, as mentioned in the government's backgrounder to Bill C­51, that

my Office has the mandate to review the personal information handling practices of all these

agencies, the Privacy Act necessarily restricts what we can examine to “personal information” asdefined by the Act; we do not have jurisdiction to examine in general the lawfulness of the activities

of national security agencies. That said, we do have authority to review compliance with privacy

requirements, and I intend to play that role vigorously as it pertains to SCISA. I note, however, that

our review may not be fully effective without some additional resources, as the Act will greatly

increase information sharing both in volume and in terms of the complexity of the legal issues

involved.

Effective review also requires that judicial recourse and remedies be available for aggrieved

individuals. The Privacy Act currently provides no judicial recourse for complainants or indeed myOffice in cases involving improper collection, use, disclosure or retention of personal information.

5

All they have right to is a report of non­binding recommendations by my Office with no further

enforcement mechanism and no possibility for remedy. This is insufficient and it is reasonable, in

the context of this Bill which so widely extends the scale of information sharing between

departments and agencies, to give Canadians effective legal remedies in order to pursue their

complaints beyond the issuance of my report. I would therefore reiterate the calls my predecessors

have made to amend the Privacy Act by broadening the Federal Court review to all grounds beyondjust denial of access which is currently the case.

6

Another obstacle to effective review is that existing review bodies are currently unable to share

information amongst themselves. As we and others have stated previously,7 there is at present no

explicit legislative authority to conduct joint reviews of national security operations, nor is there a

mechanism whereby information of relevance that may be discovered by one review body could be

passed to another. In fact, the confidentiality provisions in the Privacy Act explicitly prevent myOffice from sharing information with other review bodies, such as the Security Intelligence Review

Committee, the Office of the Communications Security Establishment Commissioner or the Civilian

Review and Complaints Commission for the RCMP concerning ongoing investigations into national

security practices. A system which proposes removal of silos between government departments for

information­sharing purposes must provide for the same removal of silos for the bodies which ensure

their activities are compliant with the law.

Other countries have implemented an oversight model which includes review by a Committee of

Parliamentarians, while maintaining review by an independent body of experts. Such a model would

offer clear advantages in terms of democratic accountability, and the mandates of the Committee of

Parliamentarians and the committee of experts could be defined so as to avoid duplication.

Finally, in order to ensure that an appropriate balance between privacy and security is maintained

after the implementation of SCISA, a parliamentary review of its provisions and their application

should be required three (3) years after its coming into force. This review should be conducted in

light of other legislation that has had an impact on information sharing, such as C­13 and C­44. In

our view, this would allow for a broader consideration of the cumulative effects such information

sharing has had on Canadians.

Recommendation 5: Bill C­51 should be amended to ensure that all 17 agencies inSchedule 3 are subject to independent and effective review, by an expert body and byParliamentarians; to remove impediments for information exchange between existingreview bodies; and to amend the Privacy Act to allow for judicial recourse in casesinvolving collection, use or disclosure of personal information. The Bill should also includea mandatory period of review after three years.

Conclusion

3/7/2015 Bill C-51, the Anti-Terrorism Act, 2015 - March 5, 2015

https://www.priv.gc.ca/parl/2015/parl_sub_150305_e.asp 6/6

Date Modified: 2015­03­06

In the wake of the tragic events of October 2014 in Canada, and similar events elsewhere,

Canadians expect that the government will protect them from terrorist threats. But we have heard

and continue to hear resounding support for the protection of privacy. Our own polls indicate that

privacy protection is still very much front of mind. Over the past weeks, I have been holding

meetings with stakeholders to discuss what my Office’s priorities should be for the coming years. At

those meetings, I have repeatedly heard that Canadians understand the need to share their

information with the government, but that they have concerns about how this information is going to

be used. They are particularly concerned with the issue of government surveillance. Bill C­51 does

nothing to assuage those fears.

In its current form, Bill C­51 would fail to provide Canadians with what they want and expect:

legislation that protects both their safety and their privacy. In my submission, the amendments

recommended here are necessary to achieve an appropriate balance which is currently lacking. I

would welcome the opportunity to appear before Committee to discuss these recommendations and

speak to any other points I have raised in this letter.

Sincerely,

Original signed by

Daniel Therrien

Commissioner

1 Royal Commission of Inquiry into Certain Activities of the RCMP, 1981.

2 Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar, 2006, and

Internal Inquiry into the Actions of Canadian Officials in Relation to Abdullah Almalki, Ahmad Abou­

Elmaati and Muayyed Nureddin, 2008.

3 Directive on Privacy Practices , section 6.2.8.

4 Directive on Privacy Impact Assessment

5 The Act only allows for individuals to seek judicial review in cases of refusal of access.

6 Addendum to Government Accountability for Personal Information: Reforming the Privacy Act, April

2008.

7 Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar, 2006;

Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence

Community in an Era of Cyber­Surveillance, OPC Special Report to Parliament, January 28, 2014.