Bill C-51 (Historical)

I start from the premise that whatever you do, please don't add another definition of “terrorism”. From an operational perspective, that would be terrible.

I don't remember the details, but I do remember that when Bill C-51 was being worked on, the definition in the CSIS act wasn't adopted because there was a view at the time, by some, that it really didn't cover a couple of things that should be covered if you were worried about national security.

I guess I would support the view that you should pick one of the two and embed it in this legislation. I think Mr. Edelmann is absolutely right. If people don't understand what the committee is mandated to do and what its parameters are, I think it would be very difficult to gain its support in public. I think he is entirely correct in that matter.

Especially when you have a committee that's going to be working in secret, it would be helpful to know what the committee is doing and what are the boundaries of what the committee is expected to be looking at.

With respect to our recommendation of which definition to use, we made submissions at the time of the passage of Bill C-51 about why the definition in the information sharing act was problematic, in the sense that it's extremely broad. It is not helpful in that respect, because that leads to an overreach and then a dilution of the resources you have with respect to looking at the relevant information. If you have a mandate that's extremely broad or amorphous, the committee may not have the focus, or there won't be the confidence that the committee is focused on the issues that actually matter.

The flip side is that if you have a definition that's too narrow, it may be siloed or not able to look at other issues. This is the problem that arises with respect to.... If the information sharing act is going to continue with its very broad definition, then it makes sense to have a committee that has a similarly broad mandate. Our ideal scenario, or what our suggestion would be, is to restrict the definition in the information sharing act to an appropriate scope that would then reflect that of the committee as to what actually are concerns around national security.

I can say that this concern arose from both sides. As I said, many of the sections were involved in the drafting of this document. One of the concerns that was raised with this actually came from the military law section, and it had to do with whether or not you were going to get buy-in from the national security establishment itself. The concern is around both the public and the individuals, the people who are working under the agencies, having confidence in what the purpose is. What is this committee doing? Why are they doing what they're doing? Does it make sense? What is the definition that you're working on with national security? Why are you trying to undertake this study or asking for this information?

With an unclear mandate.... The reason that the mandate is unclear is that, after Bill C-51, we now have a multiplicity of definitions of national security floating around in our legislation. The question is, are we dealing with this extremely broad definition that is in the information sharing act, or are we dealing with a more restricted definition that is in the CSIS act or in other pieces of legislation that generally refer back to the CSIS act with respect to that definition?

It creates some concerns on both sides around understanding what this committee is doing, and why. In terms of the public, what is this committee doing and what is its mandate? Also, from the perspective of the agencies that are under review, there is concern in terms of understanding why the committee is engaging with them and having those working relationships with those agencies.

That, Mr. Chairman, is quite the question.

I start from the premise that, except for the three or four core national security entities, all of the others that are listed in the annex to the act do national security part time. I think that's an important thing to keep in mind. It means that the committee of parliamentarians will only be nipping in and nipping out of CBSA, because a large chunk of what they do has absolutely nothing to do with national security.

I think I said during my remarks that I believe that one of the shortcomings in the current bill is that it doesn't provide for a full exchange of information between the review bodies and the committee of parliamentarians. I think that if you, the House, and the Senate eventually put in a provision ensuring that, clauses 14 and 16 don't become so important. It means that the committee can utilize the existing review bodies, which have full access across the board. Someone I think made reference to Bill C-51 and the sharing of information. As long as information is being shared and originates from one of the core national security agencies, I think the review bodies and the committee of parliamentarians should have access.

That's sort of a roundabout answer, because I don't think there's a perfect answer to your question.

After the Bibeau incident on Parliament Hill a while ago, three or four police bodies did enquiries and investigations. None of them were really made public. A committee of Parliament didn't really look at them. The situation is somewhat analogous. A lot of this stuff can be looked at in camera—I think, anyway—not even in secret. I think there's an important distinction to be drawn. When something happens in public, a lot of what happens and the response by various agencies can be looked at without people being sworn to the level of top secret. I don't think it's as large a problem in the circumstances that you set out as it might be if you were talking about espionage or the proliferation of nuclear weapons, for example.

Thank you very much.

The Canadian Bar Association is a national association that represents 36,000 lawyers, notaries, law professors and law students across Canada.

The association's main objectives are to improve the law and the administration of justice. The brief provided to the committee was prepared by the sections of immigration law, criminal law, consumption tax law, customs and trade law, military law, as well as the CBA national privacy and access law section.

As you can see, the large number of Canadian Bar Association sections involved in preparing this has to do in large part with the broad scope of the concerns around national security in the legal context. We are generally supportive of the creation of a committee of parliamentarians dealing with national security review and oversight; it is important to understand it in the context of the overall framework and the existing framework.

There are still some major holes or problems, and a lot of those discussions are happening in the context of the green paper. It's a bit difficult, in some ways, to comment on the current composition of the committee without being privy to the overall vision for the framework of the national security oversight mechanisms.

The role of the committee would be twofold, and what's important with respect to both these aspects [Technical difficulty—Editor] the representatives who are on the committee in terms of the parliamentarians themselves. The second aspect is with respect to the institutional framework. Given the fact that parliamentarians are neither long-term experts—or that not all members of the committee would be long-term experts—nor would they be full-time in dealing with review, the creation of the institutional aspects of the parliamentary review committee are obviously important. It will be important that it be properly funded as well in terms of being able to provide the institutional knowledge and ability going forward.

I'll have comments both with respect to the mandate and with respect to the tools that are available to the committee.

With respect to the role of the committee, the role of having the parliamentarians in place would be for the higher-level and broad issues within the national security infrastructure in terms of policy and law. It would be very difficult, in our view, for the committee to get involved in the minutiae of complaints or of specific items with respect to the individual agencies. Thus, it continues to be important that the individual agencies that currently do not have independent oversight.... The Canada Border Services Agency is a good example of that, in which we have a very large law enforcement agency that's very heavily involved in the national security context, with no oversight whatsoever outside of the ministerial chain of command.

Also, with respect to the co-operation amongst those agencies, we've seen a broad expansion of the sharing of information between agencies, in particular with the information sharing act that was brought into law with Bill C-51, which has increased the co-operation in information sharing between the agencies, but we continue to see the restrictions on the ability of those agencies to communicate with each other.

In this piece of legislation, we also see a continuing of that siloing effect, in the sense that the committee is not able to share information with the oversight agencies that they would not otherwise have access to. This again creates a problem, where the committee may be aware of things that might be relevant to SIRC, but if that wouldn't otherwise be available to SIRC, the committee is prohibited from telling them about it.

There are some concerns with respect to how the overall framework is going to work and how this fits into it. We are happy to continue to be involved in providing commentary and assistance in developing that framework, but with the information we currently have and the current framework we're working with, we have some concerns with the bill.

The first is with respect to the mandate. We have a reference to “national security” in the mandate, but it's not clear which definition of national security is being referred to or what the scope is. There are two in particular, the one that we see in the CSIS act, which is used quite broadly in other national security-related issues, and then the one in the information sharing act, which is significantly broader. It's unclear which scope of national security the legislature or the drafters have in mind as to whether or not it's the broader one. Presumably, it is, but some clarity on that aspect would be helpful, although you have our comments on the information sharing act where we had concerns about the overbreadth of that definition of national security and the reasons why that's problematic.

There's a second issue with respect to the mandate. Having a clear mandate in terms of having a committee of parliamentarians is a very important mechanism to provide confidence. When we're dealing with the national security context where a lot of things happen in secret and are not accessible to the public, it is important that the public have confidence that the committee actually can and will do its job. We have comments on the composition and functioning of the committee, but I won't belabour them. I'll refer you to our written materials on that basis.

With respect to the the ability of the committee to undertake studies, clause 8 provides some unnecessary restrictions and gives a great deal of control to the ministers in paragraphs 8(b) and 8(c). In other words, on the broad legislative policy issues that are set out in paragraph 8(a), there doesn't appear to be any restriction, but paragraphs 8(b) and 8(c) would appear to create significant control by the ministers over the topics or issues that the committee could look into. It's unclear to us why those would be necessary. In fact, they should be deleted.

The other aspect of the work of the committee that is of significant concern is the access to information that the committee will have. These problems arise in both clauses 14 and 16 of the act as currently drafted.

I won't go into the individual paragraphs of clause 14, but it's unclear why, on the one hand.... Either there's trust in the committee.... It's clear—there's no question—that there does need to be trust in the committee, both from the public side and from the national security establishment or the people who are involved in doing national security work. If there's no buy-in, for lack of a better term, from those agencies and from the people working for those agencies, obviously the committee will be hampered in its work. But with clarity in terms of its mandate, if there's trust in the committee and the structure itself, it's unclear why these types of limitations on access to information are necessary or even desirable, because either we have a committee that can be trusted or we don't. If it cannot be trusted, it shouldn't be doing this work at all, and if it can be trusted, then the restrictions only serve to undermine the confidence of the public in what the committee can and cannot do, as the ministers have a great deal of control both over the mandate and the topics, but also over the information that the committee might be able to have access to.

With that, I think I've used most of my 10 minutes. I'm more than happy to answer questions. I thank you for your invitation.

Thank you.

I think the importance of maintaining a balance between need to know and need to share, which has been an ongoing tension in the entire western intelligence world since the 9/11 attacks, is of critical importance. The problem I see in SCISA is that the balance was never properly thought through, and certainly was not found in terms of the legislative language adopted.

In response to the particular question about whether SCISA was a kind of back door to authorizing new information-gathering and intelligence-gathering powers—and this is a concern that many people raised in the context of the original debate over Bill C-51—frankly, I don't see that in SCISA or even implicitly in its knock-on effects. It doesn't change, as I think you probably heard. Certainly other committees have heard from government officials that it doesn't change the actual mandates and lawful information-gathering activities of any of the agencies listed in SCISA. It is purely about information sharing. Information sharing may trigger—and this is my colleague Tamir's point—additional intelligence gathering and investigations by agencies that receive information, but that activity could occur only under their existing lawful mandates.

Thank you, Mr. Chair. I will try to keep my comments brief so that we do have time for full questions.

Thank you, as well, to the members of the committee and to you, Mr. Chair, for having me back here again.

My name is Tamir Israel. I am the staff lawyer with CIPPIC, the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic. CIPPIC is a public interest clinic based at the University of Ottawa's Centre for Law, Technology and Society in the Faculty of Law. Our mandate is to advance the public interest in policy debates arising at the intersection of law and technology.

We are pleased to have the opportunity to testify before you today on the study of the Security of Canada Information Sharing Act, which I will refer to as SCISA.

As you are aware, SCISA was introduced last year as a central component of Bill C-51. In CIPPIC's view, SCISA constituted one of the more problematic elements of that legislative initiative, and it remains so.

Participation in modern life requires Canadians to entrust ever-growing amounts of data to their government, including sensitive financial, health, and other information. Providing such information to the government does not mean, however, that Canadians sacrifice privacy interests in this data, nor should it.

Core and long-standing privacy concepts such as necessity and proportionality, concepts intended to facilitate threat identification and prevention in a tailored manner, are wholly absent from SCISA, raising the legitimate concern that its mechanisms will be used in a manner that is disproportionate and that impacts heavily on the privacy of Canadians who have done nothing wrong.

SCISA's challenges arise in part from the regime it establishes, but also in part from gaps in the pre-existing framework that it expands and in which it was inserted. I will touch on a few of these problems, addressing specifically the relevance standard, the definition of security threats, and the lack of safeguards, which are issues you've heard of already. I will try to provide additional context and propose some solutions as I go along, some from within SCISA itself and some comprising amendments to additional regimes that come from without.

In particular, while I don't go into it in detail in my comments here, you've heard from many witnesses, as well as from Professor Wark here that the need for an external expert review body is paramount to maintaining the overall proportionality of Canada's national security framework, and that's no less the case with respect to the operation of SCISA in general.

I'll begin with a discussion of the relevance standard. It is one of the two core limiting principles within SCISA's information-sharing apparatus. It is an over-broad standard that's insufficient. Relevance requires the presence of a reasonable basis on which to believe that the information in question relates to, in this instance, the mandate of a SCISA recipient's organization, and to activities that undermine the security of Canada.

Relevance is perhaps the lowest and least-defined legal evidentiary standard. While CIPPIC would hope that a court ultimately interpreting the relevance standard in SCISA, and taking into account constitutional jurisprudence, would impart into it considerations of immediacy and imminence, we are concerned that the standard will be used to justify generalized information sharing.

This is indeed precisely what occurred in the United States with the National Security Agency. In powers newly granted to the NSA in 2006, the relevance standard was inserted as a key limiter intended to ensure the powers in question were employed only in the context of specific and immediate investigations of security threats. This relevance standard, however, was used to expand the powers in question rather than to limit them. Specifically, relevance had been defined to mean any piece of information that may one day be relevant to an investigation, facilitating a domestic dragnet program that involved the wholesale collection of everyday domestic and international call records in the United States on a regular basis.

The reaction of the USA PATRIOT Act co-author, Jim Sensenbrenner, who is a congressman, upon discovering the scope of application arising from this relevance standard, following disclosures by former NSA contractor, Edward Snowden, is telling. I quote:

“We had thought that the 2006 amendment, by putting the word 'relevant' in, was narrowing what the NSA could collect. Instead, the NSA convinced the Fisa court that the relevance clause was an expansive rather than contractive standard, and that's what brought about the metadata collection, which amounts to trillions of phone calls.”

While Canadian jurisprudence may well arrive at a different conclusion as to the definition of “relevance” in the context of SCISA, CIPPIC is concerned that there is insufficient guidance within the act as it is currently drafted to ensure it is applied in a proportionate and narrowly tailored manner.

On the other hand, we have yet to hear a compelling case for a general departure from the existing exceptions already embodied in the Privacy Act, which SCISA envisions. Under the Privacy Act, there are two existing operative exceptions that agencies can already rely upon when attempting to share threat-related information with other government agencies. Paragraph 8(2)(e) provides an upon-request exception permitting government agencies to share citizen information with investigative agencies, if asked to do so, for the purpose of carrying out a lawful investigation. In addition, paragraph 8(2)(m) allows proactive disclosure of personal information where the government institution believes the public interest in disclosure clearly outweighs any resulting invasion of privacy.

In the government consultation paper currently being discussed as well as in testimony before this committee, the argument is advanced that these exceptions are insufficient, primarily because agencies lacking a security mandate lack the expertise or incident-specific knowledge to fully utilize the information sharing permitted by these exceptions. This may be the case, but it is by no means clear how SCISA's adoption of a highly permissive and open-ended standard will remedy this.

On the one hand, non-security agencies receiving specific requests from security agencies for data under paragraph 8(2)(e) are able to rely on the requesting agency's guidance. On the other, agencies are no better placed to identify the relevance of specific items of information to unknown or unknowable security threats than they are to assess whether disclosure of such specific items will be in the public interest, as they are already permitted to do under paragraph 8(2)(m). In any non-generalized context, the information being shared will need some specific quality inherently indicating its relation to a known threat for the exceptions to apply. Assessments of necessity and proportionality can occur as readily in such contexts as can assessments of relevance.

CIPPIC would therefore encourage two amendments to correct the existing potential overbreadth in SCISA. First, we would replace the relevance standard within the act with one of proportionality and necessity. Second, we would encourage, as we have in our previous appearance before you, an amendment to the Privacy Act that would adopt an overarching proportionality and necessity requirement that would apply across all government sharing practices, regardless of the specific Privacy Act exception under which they are occurring. This would, as we indicated in our previous testimony, apply to information sharing done under SCISA, as well.

The addition of an explicit necessity and proportionality obligation would create a more precise framework for information sharing than that currently embodied in paragraph 8(2)(e) and paragraph 8(2)(m), employing the known standards of necessity and proportionality, which agencies have experience employing in a national security context. Overlapping protection in both the Privacy Act and SCISA would permit the Privacy Commissioner of Canada to oversee protection-related information-sharing practices while allowing other oversight and review agencies to assess necessity and proportionality within the context of their respective mandates. Supplementing these changes, we would encourage training units within different government agencies, potentially within the existing ATIP infrastructure that most government agencies have, to have expertise so that in-house capabilities can be developed to identify threat-related data.

A little bit more briefly, the “undermining the security of Canada” standard is the other key limiter adopted by SCISA, and you've heard some of this from other witnesses. We would concur with the testimony of these other witnesses in raising concerns that this standard is excessively broad. To assist the committee in its assessment of this overbreadth, we would like to provide two examples of how this overbreadth can lead to disproportionate or undesirable information sharing in a few definite contexts.

Specifically, SCISA's definition of security includes cybersecurity and a broad definition of cybersecurity. A single cybersecurity incident, however, can implicate the private information of hundreds of thousands of Canadians. All data affected incidentally by such a cybersecurity incident could be relevant, and the underlying security breach could be viewed as relevant to activities that undermine the security of Canada and, hence, could be subject to exceptions in SCISA. Given this potential for over-sharing, other jurisdictions have sought to address cybersecurity in an explicit manner that is distinct from other investigative contexts, and that specifically addresses these issues.

Additionally, while SCISA excludes advocacy, protest, dissent, and artistic expression from its definition of security, CIPPIC remains concerned that SCISA's security concept remains sufficiently ambiguous to undermine core democratic functions. We have seen government agencies recently targeting journalists, for example, in attempts to identify potential sources attempting to uncover police corruption. We have also seen the targeting of indigenous activists, not on the basis of their participation in protests per se but on the basis that such participation potentially poses a criminal threat to aboriginal public order events.

It is not clear to us that the prevailing exemption for advocacy and protest would exclude SCISA's being leveraged in these contexts for the purpose of preventing interference with public order. We are aware that the opposite conclusion is also possible and that the exception put in place is overbroad and doesn't allow for information sharing, even in contexts where violence may be the issue, but we feel it is sufficiently ambiguous to allow for either interpretation, and that is an ongoing concern for us.

Finally, CIPPIC is concerned that SCISA will be used as an avenue to feed domestic Canadian data into the Five Eyes integrated infrastructure in an unintended and unanticipated manner. CSE is Canada's lead Five Eyes agency and is a legitimate recipient of personal information under SCISA. While the framework under which CSE and its Five Eyes agency partners operate is presented as nominally excluding or limiting the impact on Five Eyes residents, and the permissive powers and activities granted to these agencies presume these underlying conditions to exist, SCISA could undermine those presumptions by allowing another direct avenue for Canadian information to flow into this apparatus.

Turning briefly to the lack of safeguards in SCISA, CIPPIC joins other experts in voicing our concern at the prospect of the nearly limitless post-collection retention that SCISA may facilitate. The Federal Court recently issued, as Professor Wark just mentioned, a decision heavily criticizing CSIS for its ongoing retention of large amounts of Canadian metadata that was not identified as necessary to any security threat and indeed was explicitly identified as not necessary to the resolution of any security threat.

In our analysis, SCISA could be perceived as providing CSIS with a justification for long-term retention of similar data, were that data disclosed to it through SCISA's information-sharing mechanisms. But we also note, more importantly, that other agencies such as the RCMP and CSE lack any form of retention obligations. We would suggest that the remedying of this lack of retention obligation would be best achieved through overarching amendments to the Privacy Act that would apply across all of government and impose an overarching retention obligation.

In addition, other overarching safeguards that could be adopted within the Privacy Act could provide additional safeguards and a better framework for legitimate information within a modified and reduced SCISA. These safeguards could include the adoption of privacy impact assessments and a more robust enforcement of the Privacy Act.

Those are my opening comments for today. I would be pleased to take your questions.

Thank you.

Thank you.

Chair and members of the committee, I am grateful for the opportunity to appear before you to provide some views on the Security of Canada Information Sharing Act, or SCISA, which is now embedded in Canadian law following the passage of Bill C-51, the omnibus anti-terrorism legislation introduced by the previous government in 2015.

C-51 provisions came into force, as you know, in August 2015. The Liberal Party promised to repeal the problematic elements of Bill C-51 and is currently engaged in the process of public consultations on elements of Canada's national security, but the government's plans with respect to any possible amendments to SCISA, in particular, have not been revealed.

SCISA appeared as part 1 of Bill C-51 in 2015. I was invited to appear before the Standing Committee on Public Safety and National Security on March 24, 2015 to testify on Bill C-51 as a whole. In my testimony, I divided the measures advanced in Bill C-51 into three baskets: first, those elements that can genuinely advance security capabilities in a reasonable and proportional way; second, those that do not advance our security capabilities or fail to maintain the vital security-rights balance; and third, those that, I think, deserve to be put on hold for deeper reflection.

In March 2015, I placed SCISA, or part 1 of C-51, in the first basket, of appropriate security enhancements. I also argued, and I quote myself, that SCISA “would greatly benefit from some detailed amendments...to bring greater clarity, heighten...efficacy, reduce...overbreadth, and bolster the security-rights balance.” Despite considerable public criticism of SCISA, no amendments were made to the act before it was passed into law. Nothing that has come to my attention since the passage of SCISA in unaltered form changes my essential view—that SCISA can and should be amended.

In terms of advancing security capabilities, the purpose of SCISA is, presumably, to try to ensure appropriate information sharing through exhortation, through a broadening of the information-sharing regime to encompass a large number of listed entities, and to allow for expanded information sharing under an altered definition of “threat”.

The committee has heard from eminent legal academics versed in national security matters, from a civil society actor, from the Canadian Civil Liberties Association, from government officials, and, earlier today, from the Privacy Commissioner of Canada. The perspective I offer is informed by my understanding of how intelligence and security systems regulate their information systems. I'm sorry if what follows sounds a little philosophical, but it has a practical point.

The specifics of SCISA need to be examined in the context of five guiding principles that should inform any effective information-sharing system for intelligence and security purposes within government. These principles have long been recognized and are as follows: the need to know, the need to share, the need to secure, the need to avoid information overload, and the need to be accountable. These needs shape an effective and reasonable information-sharing regime in a democratic system. They encompass lawful mandates as well as privacy and civil liberties protections. They are meant to interact to ensure balance between over-ingestion and under-ingestion of information. They are deceptively simple in the literal sense of their meaning, but not easy to operationalize as a package.

I want to just run through these five principles briefly.

The “need to know” principle refers to limits on information sharing that are shaped by the lawful mandates and operational needs of the agencies involved and by the requirements of information security. The more sensitive the information—the more that information might reveal details of intelligence sources and methods—the more intensively does the “need to know” principle come into play. “Need to know” can also be infected by non-operational imperatives, including bureaucratic politics, management styles, and personal proclivities on the part of officials working in the security and intelligence system. It is important that the “need to know” principle operate appropriately as a limiting factor, but it is equally important that the principle not be shaped by extraneous dynamics.

The “need to know” provisions in SCISA are generally weak and under-defined. Paragraph 4(e), under “Guiding principles”, sets out in a very general way the authorized actors in the revamped information-sharing regime. Subsection 5(1) of SCISA posits a need to know based on the notion of relevance, again a very general and potentially overbroad measure.

While it would never be possible to strictly operationalize a “need to know” function, because to do so might be to hamstring any information-sharing regime, SCISA errs, in my view, on the side of unhelpful generalizations, compounded by the implication of subsection 5(2) that, once information sharing is set in motion, it can continue down an undetermined path of further disclosure.

One remedy to consider would be to import a version of the limitation set out for CSIS in its act in section 2, through the use of a strictly necessary yardstick for information sharing.

Justice Noël, in a recent Federal Court ruling on CSIS warrants and the retention of metadata, has reminded us of the historical context of that CSIS-limiting clause. As Justice Noël indicated, it may be time to review the strictures of the CSIS Act, but if the strictly necessary provisions of the act are deemed worthy of maintaining, then their applicability to an information-sharing regime for national security purposes seems, to me, obvious.

Then there is the need-to-share principle.

The need-to-share principle rules SCISA. This might be regarded as an “Oh, duh” moment, but the problem is that the principle rules in a completely unbalanced way that, among other problems, might have an impact on the very objective it seeks: more effective information sharing in the interests of national security. There are three problems, I think, with SCISA in its adopted form.

The first is the large number of entities listed for participation in SCISA's schedule 3. This list stretches the meaning of the core security and intelligence community to include many entities with only a very marginal role in national security matters. The list can be further shaped by Governor in Council orders that would not necessarily be in the public domain.

Many of the listed entities will be only bit players, at best, in the scheme. The recent annual report of the Privacy Commissioner gives substance to this reality, as he found that in the first five months of SCISA, only five institutions utilized powers in the act. A bigger problem is that while agencies outside the core security and intelligence community might on occasion have valuable information in their possession, they lack the attributes of rigour, methods, and understanding of national security matters.

The SCISA entities listed in schedule 3 should, in my view, include only core elements of the Canadian security and intelligence community. These can be identified and, in keeping with this, the list should be considerably reduced from the 17 named organizations. Moreover, I think there should be a requirement that all listed entities have a common formal memorandum of understanding to guide their information-sharing practices internally.

A second problem is the expansive justification for information sharing provided in SCISA. As noted, the justification found at subsection 5(1) is relevance, which is not, in my view, a tight enough criterion as it does not provide any rigorous guidance and does not allow for any real accountability. Relevance needs to be replaced by some form of language about necessity and should include a measure of proportionality that is linked to mandates and to threats.

The third and arguably the mother of all these problems is the question of how SCISA defines the nature of the information to be shared. SCISA adopts a new definition at section 2 regarding “activity that undermines the security of Canada”, and I know you've heard a lot about that. This is a more expansive and open-ended definition than that provided in the CSIS Act, and I have heard no good argument for the change.

While I appreciate that the drafters of the legislation may have felt that a broader definition of the kinds of threats that now impact on Canada may have been required, on balance the definition they provided does not advance the public interest and has sown confusion and, in my view, many misplaced ideas about the powers provided for SCISA. A replacement use of the definition of threat in section 2 of the CSIS Act advances many of the same objectives, is an established criterion, and would provide greater clarity.

In particular, paragraph 2(i) of SCISA, as it currently stands, introduces a very dangerous dimension to government powers insofar as it opens the door to foreign interference in the domestic politics and sovereignty of Canada. It is also unclear to me how the SCISA definition of undermining the security of Canada operates for CSIS—one of the core agencies in the national security information-sharing regime—alongside its own mandate of threats to the security of Canada differently defined.

Fourth is the need to avoid information overload. Very briefly on this, one reason that it is important to find the right equilibrium between the competing demands of the need to know and the need to share involves the potential problem of information overload. If agencies and departments under SCISA are flooded with information that is ultimately not necessary to national security, not only does this information flood waste resources and personnel and impose additional burdens in terms of information security but it also hinders the overall operational effectiveness that is so important in a security and intelligence system that must constantly adjust its work according to its own calculations of threat and risk and that is always under immense resource constraints.

A too-expansive information system is not a precautionary measure; it can simply be an unnecessary burden. Too much information can be worse than too little.

The need to avoid the information-overload principle cannot be directly legislated. It has to be a product of the proper balance between need to know and need to share.

With regard to the need to secure, although SCISA contains an element of exhortation, particularly in sections 3 and 4, there is no exhortation regarding the related requirement in any information-sharing regime, and in particular in a more expansive system, for the careful protection of shared information. In an age of increased cyber-threats and in the face of the usual human proclivities for error and mishap, an expanded information-sharing regime must be accompanied by greater information-security practices. There is nothing of the sort in SCISA.

One way that such practices can be subject to internal self-examination in the departments and agencies involved in information-sharing is through mandated privacy impact assessments, but I note that in the 2015-16 annual report to Parliament by the Privacy Commissioner, only two of the 17 entities authorized to collect information under SCISA had deemed privacy impact assessments to be necessary. Even in those two cases, the privacy impact assessments, which under Treasury Board guidelines are meant to inform policies prior to their being fully implemented, were still being developed.

Another measure that could be considered in amendments to SCISA would be to provide an authorized role for departmental security officers in monitoring and reporting on information security measures.

Thank you, Mr. Chair and members of the committee, for inviting me to discuss the Security of Canada Information Sharing Act, or SCISA, which was enacted under Bill C-51, the Anti-terrorism Act, 2015.

When Bill C-51 was introduced in Parliament in early 2015, I expressed strong reservations, which remain true today. In my remarks this morning, I'll briefly summarize these reservations and will then encourage you to review national security information sharing issues more broadly. Finally, I'll explain the review we have undertaken of how SCISA has operated so far and how other legal authorities are used by federal institutions to share information for national security purposes.

My first point is that the justification for SCISA should be made clearer. I recognize at a general level that greater information sharing may sometimes lead to the detection and suppression of security threats, but we have yet to hear a clear explanation, with practical examples, of how the previous law prevented the sharing of information needed for national security purposes. A clearer articulation of the problems with the past law would help define a proportionate solution.

Second, I remain concerned that SCISA authorizes information to be shared where it's merely relevant to national security goals. Setting such a low standard is a key reason why the risks to law-abiding citizens are excessive. If the necessity or strictly necessary criteria is adequate for CSIS to collect, analyze and retain information, as has been the case since its inception, it's unclear to us why this standard can’t be adopted for all departments and agencies with a stake in national security. Necessity is the international privacy standard.

On a side note, the issue of standards leads me to the preamble of the act, which you discussed with government officials last week. This preamble indicates that information is to be shared among departments in a manner that is consistent with the charter and the protection of privacy. However, this is not a true legal standard, but rather a wish or a pious hope.

As we indicated in our submissions to Parliament last year, we believe that effective privacy protection requires more than guiding principles that don't have the force of law. It requires the adoption of real legal standards. The obligation to disclose information in a manner that is consistent with privacy protection should therefore become an enforceable legal standard, as is the case with the rules governing the disclosure of information. To that end, SCISA should adopt not only the principle of necessity, but also that of proportionality.

Third, independent review of information-sharing activities is incomplete, given that 14 of the 17 receiving institutions under SCISA don't have dedicated review bodies. A parliamentary review, such as the one suggested by Bill C-22, will help but is insufficient. All departments involved in national security also need to be reviewed by independent experts.

Fourth, retention rules should be clarified. If the government maintains that the sharing of information about ordinary citizens—such as travellers or taxpayers—is necessary to identify new threats, national security agencies should be required to dispose of that information after these analyses and when the vast majority of individuals have been cleared of any terrorist activities.

Fifth, the law should require written information agreements. Required elements to be addressed in these agreements should include the personal information being shared, the specific purposes for the sharing, and limitations on secondary use or onward transfer. Other measures should be prescribed by the regulations, such as safeguards, retention periods and accountability measures.

While SCISA was an important addition to the Canadian legal framework related to national security, it is intended to be one element of a much larger whole. Limiting your review to SCISA will give you a very incomplete picture of national security information-sharing activities. I would therefore encourage you to also examine information-sharing with international partners and domestic information-sharing under legal authorities other than SCISA. Knowing more about other authorities will give you a better insight into whether SCISA is really necessary.

When Bill C-51 was tabled, I committed to examining and reporting on how its implementation would ensure compliance with the Privacy Act and inform the public debate. Our findings following the first phase of our review of the first six months of SCISA implementation are tabled in the most recent annual report. We have identified a number of concerns and offered recommendations. The OPC has concluded that the privacy impact of the new authorities conferred by SCISA was not properly evaluated during implementation, and we recommended that formal privacy impact assessments be performed.

The OPC also found several weaknesses with a Public Safety Canada guidance document intended to help departments implement SCISA. Although Public Safety Canada agreed to improve the guidance, no changes have been made a year after the OPC provided recommendations aimed at minimizing privacy risks. During our review, the OPC sent a questionnaire to all federal institutions to determine how often SCISA was used and, more particularly, whether it had been used to share information about persons suspected of terrorist activities or about law-abiding citizens. Most institutions told us that they had not used SCISA during the review period, but that they relied, instead, on other authorities.

So, there is information sharing for national security purposes, but most institutions told us that they are relying on other sources of authority than SCISA.

Five institutions told us that they have used SCISA for a total of 58 disclosures and 52 receipts of information. Institutions also told us that all SCISA information-sharing activities in the first six months following implementation concerned persons suspected of terrorism.

During phase 2 of our audit, we will review departmental records to verify whether that information is accurate and whether information sharing under authorities other than SCISA concerned suspects or persons not suspected of terrorist activities.

The goal of this review is to provide as clear a picture as possible on the use of SCISA, and other laws, in order to inform public and parliamentary debate as we head toward the government's planned review of Bill C-51. We would like that review of Bill C-51 to occur with a clear, factual, evidentiary basis, as opposed to simply a discussion of principles, however important the principles are.

With that, I would be happy to take your questions.