Bill C-59 (Historical)

The 90-day period in Bill C-59 applies to the specific situation of the collection of datasets by CSIS. In a model where it's conceivable that more information may be required at the front end, but an exercise is required to funnel this to less information at some point, it's important that this period of analysis not be too long so as to give time to security agencies to do the analysis they need to do.

Ninety days strikes me as a very reasonable period. Should it be 90 days throughout regardless of whether it's CSIS, CSC, or others? We would have to look at it, but 90 days is a good rule of thumb.

The best example would be, again, that of travellers. The information about travellers, many of whom are not a risk to national security, may be relevant and may contribute to the mandate of the receiving agency, to use the words of the new section 5, because in the mass of travellers there might be some who are a threat. To have information on a more permissive relevancy or contribution standard may be acceptable at the front end. However, when that information is then received and analyzed by the national security agency and the agency determines that the individual is not a threat, on what basis should the information be used and, moreover, retained by the agency? The retention of information about 99.9% of the travellers who are not a threat is not necessary to its work, to its mandate.

In looking at Bill C-59 as a whole with all of its parts, I'm struck by the fact that parts 3 and 4 have essentially the standards. I understand that relevance and necessity are somewhat esoteric notions, but in parts 3 and 4, the government and you as parliamentarians are seized with a bill that recognizes that there is a need for the higher necessity threshold in some circumstances.

CSIS and the CSE will not be able to use and exploit the personal information of individuals unless it meets a necessity test. If it's good for parts 3 and 4, I'm saying it should be good for part 5.

Yes, there is a risk, but I think it is being managed properly, more or less.

The definition could probably be narrower but then national security agencies, such as CSIS, would be deprived of the information they need for their work. However, there is a risk. How can the risk be reduced? The answer is through independent and effective review mechanisms.

The part of Bill C-59 that deals with CSIS has a number of filters exercised by independent members of the executive of the government and the Canadian Security Intelligence Service based on high standards, including necessity. Overall, I think it's a fair balance.

I start my analysis with the need to have good, clear, sufficiently high legal standards, including thresholds. That's where the issue of relevance for contributing to the mandate or being necessary comes in, so there are substantive legal safeguards.

The second element of well-balanced national security legislation requires strong, independent, effective review. On the substantive legal safeguards side, I accept that to apply the necessity test may pose problems for disclosing institutions, which is the main point the government made in responding to the ethics committee, and which may have been a contributing factor to your committee when you suggested a dual threshold.

I accept that a threshold lower than necessity helps disclosing institutions do a difficult task while having safeguards. However, receiving institutions—essentially national security agencies—know very well what their mandate is and what they need to do their job. There, the necessity threshold, which is the international norm, should apply fully.

That's the main substantive recommendation I'm making, which is again where this committee was at not long ago.

The second substantive rule is as follows. If there is a difference between the thresholds applicable to disclosing and receiving institutions which would be the result of a dual threshold, it's easier for disclosing institutions to disclose, but the threshold for receivers is higher. Point one is, what do we do about this gap, if the receiving institution has received something that is not necessary?

Point two is, if the receiving institution has received information about a law-abiding citizen—travellers are the best example—to identify in the mass of travellers the extremely few who may pose a threat to national security, there should be legal rules to require the receiving institution to get rid of the information, to destroy the information, to no longer retain the information if there's a gap between the two thresholds, or if, in relation to a given individual, the analysis leads to the conclusion that the person is not a threat and therefore that their information should not sit in the records of CSIS or the CSE or the intelligence apparatus. These are the substantive rules.

In terms of effective review, it is clear that the creation of the new NSIRA is an important improvement. The fact that it will be able to share information with the committee of parliamentarians creates a good step in the right direction, in that you have integrated review applicable to all departments—not only three as at the current time—and you have elected officials and experts who can talk to one another and reach a well-informed decision.

What we think we can bring to the picture—and we're not in the picture, at least not completely—with Bill C-59 is that the lifeblood, la matière première, the main tool that national security agencies have to do their job is information, and that includes personal information. We're the experts in how to deal with personal information in a way that respects privacy rights. We're not saying that NSIRA would be without any knowledge of the relevant issues, but there is an issue of core importance to the work of national security agencies, that of privacy, where we're the experts, and we think we can add value to the rest of the architecture.

Thank you, Mr. Chair.

Mr. Chair and members of the committee, I am here this morning with Patricia Kosseim, who is our general counsel, and Lara Ives, who is the director general of audit and review.

Thank you for the invitation to discuss Bill C-59.

As you know, Bill C-59 introduces a wide range of measures intended to strengthen Canada's national security framework in a manner that safeguards the rights and freedoms of Canadians. On the whole, I find it represents a step in the right direction, but as other commentators have noted, its weakest part is the Security of Canada Information Sharing Act, or SCISA, which contains provisions related to information sharing and privacy. Professor Forcese, for instance, gave these sections a failing grade. I was therefore glad to hear Minister Goodale last week say that SCISA was probably the part most deserving of scrutiny. I hope your study will result in much-needed improvements to these rules.

In previous parliamentary briefs, I highlighted the need for rigorous legal standards around the collection and sharing of personal information, effective oversight, and minimization of risks to the privacy of ordinary law-abiding Canadians, particularly through privacy-sensitive retention and destruction practices. Specifically, I indicated that the law should prescribe two things essentially, which are useful to bear in mind. First is clear and reasonable standards for the sharing, collection, use and retention of personal information”, so substantive rules. Second is that compliance with these standards should be subject to independent and effective review mechanisms.

It is with this analysis in mind that I offer the following comments and recommendations. While I will focus in my remarks on SCISA, this analysis, looking at two types of issues, is also relevant for other parts of Bill C-59, including parts 3 and 4. The full list of our recommendations is attached to this statement.

Bill C-59 would create a new expert review body, the NSIRA, with broad jurisdiction to examine the activities of all departments and agencies involved in national security. Recently, Parliament also created, through Bill C-22, a new National Security and Intelligence Committee of Parliamentarians. Both of these bodies will be able to share confidential information and generally co-operate so as to produce well-informed and comprehensive reviews that reflect considerations both by experts and by elected officials.

These developments are most welcome, but they are, in my view, clearly insufficient. In my view, effective review of national security activities must include both parliamentary and expert review, and the latter must include both national security and privacy experts. Why privacy experts? Because the work of national security agencies depends in large part on personal information. It is what they call their “lifeblood”. The OPC is the federal centre of expertise in privacy and personal data protection. Canadians are concerned that anti-terrorism efforts in government not unduly impede their privacy rights, and they expect my office to play a role in ensuring that balance.

Bill C-59 is oddly silent on the role of my office. It does not amend the Privacy Act, so my existing authorities appear to be untouched. The only body with explicit authority to play a role in relation to part 5, the renamed SCIDA, or security of canada information disclosure act, is the NSIRA, the national security and intelligence review agency.

The ethics committee, in its study of SCISA, has already noted the ambiguity in the interplay between that act and the Privacy Act. It has called for amendments to clarify that the Privacy Act continues to apply to all personal information disclosed pursuant to SCISA. I have provided to your committee amendments that would confirm the application of the Privacy Act and the OPC's role, which I am told the government wants to maintain.

However, there is no ambiguity on whether my office would be able, with Bill C-59, to share confidential information with the NSIRA and the new committee of parliamentarians. We would not have that authority, and actually we would be prohibited by existing provisions in the Privacy Act from sharing such information.

This means that the comprehensive review process offered in Bill C-59, as a fundamental element to bring balance between security and respect for rights, would stop short of the objective by leaving privacy experts out of integrated review. I am at a loss to understand why. If the fear is of duplication between our work and that of other review bodies, I would gladly explain through the question period how bringing the OPC firmly within the family of review bodies would not only bring required expertise but would actually enhance efficiency and reduce overlap.

When Bill C-51 enacted the Security of Canada Information Sharing Act, known as SCISA, I indicated that among my concerns was the fact that the relevance standard for sharing was set too low, and that there was an absence of clear data retention and recordkeeping requirements and a lack of information-sharing agreements and privacy impact assessments.

The relevance test is too permissive because it casts too wide a net and creates undue risks for ordinary citizens who pose no threat to national security. The government seems to recognize that a relevance standard does not sufficiently protect privacy because it is suggesting changes to section 5 of SCISA.

In its response to the Standing Committee on Access to Information, Privacy and Ethics, the government said the following:

The key issue regarding the threshold is the need to establish specific decision making parameters for the discloser of information that will protect individual privacy but not cause undue delays in the information sharing process.

I agree with that assessment. The proposed new section 5, particularly paragraph 5(1)(b), incorporates some aspects of a necessity threshold but falls short of adopting what officials refer to as “strict necessity”.

In order to adequately protect privacy rights, under new section 5, this limited progress in increasing the threshold for disclosure would have to be accompanied by more complete changes to the standard applicable to receiving institutions, in other words, the security agencies receiving the information in question.

Information sharing involves two parties and, to protect rights, rules are also required for receiving institutions. If relevance is not adequate for disclosing institutions, it is also inadequate, even more so, for receiving agencies.

And the delay considerations that may apply to disclosure affect receiving departments very differently. These institutions are perfectly capable of applying the classic, internationally established necessity test, and should be required to do so.

We understand that the government intention is for receiving institutions to continue to be governed by the Privacy Act, or their specific enabling legislation where applicable. The current Privacy Act threshold is relevance.

As your committee recommended in its May 2017 report on Canada's national security framework, we also recommend that a dual threshold be adopted for information sharing—that set out in amended section 5 for disclosing institutions, and that of necessity and proportionality for receiving institutions.

Even if one accepts that government sharing of information related to law-abiding citizens may lead to the identification of new threats to national security, once that information is analyzed and leads to the conclusion that someone is not a threat, it should no longer be retained. Otherwise national security agencies will be able to keep a profile on all of us.

This is consistent with the conclusions of our review of the Canada Border Services Agency's scenario-based targeting initiative, summarized in my latest annual report to Parliament, and it is one of the principles upheld by the European Court of Justice in the passenger name and record case, decided in July 2017.

In addition, if the threshold for collecting or receiving information is higher than the standard for disclosure—which is currently the case at least for CSIS and would be the case if you adopt a dual threshold, that is, one for disclosing institutions and one for receiving institutions—then, rules are required to ensure that information is discarded without delay either when the collection test is not met or if the receiving institution is of the view that the disclosure standard was not satisfied.

In conclusion, my complete recommendations, annexed to this statement, include some that I have made in the past and do not have time to explain in the time allotted this morning. I also intend to write a fuller submission prior to the end of your study.

My team and I would be glad to answer any questions you may have.

Mr. Motz, I greatly appreciate the opportunity. I'll be very brief on this. I think these are very important issues and of course no piece of legislation, as sweeping as it might be, is going to capture them all, but there's lots of work to be done to truly modernize Canadian intelligence.

I'll give you my short list—there's a longer list—and Professor Carvin referred to these things in a different kind of dimension. I think Canada needs a comprehensive national security strategy. We've only issued such a thing once back in 2004, and we need a commitment to updating it. I think that we need, crucially, because Bill C-59 in terms of new powers is all about collection, an integrated, properly resourced, centralized intelligence assessment function. This is one of the great gaps in the system.

I think—this is a subject for another debate—we need a dedicated foreign intelligence agency distinct from CSIS. We need to move forward, as I said, with the proposed national security transparency charter. We need a revision and an updating of the Security of Information Act, which was part of the old Bill C-51 and is now I think completely out of date. We need modernized access legislation, particularly to resolve issues around access to basic subscriber information. There's more but that's my short list.

I would just add very briefly that probably the ideal thing would be to have a balance between legislative direction and regulation in detail. I think one of the things that Bill C-59 does in particular through its accountability provisions is to ensure that if that combination of legislative direction and ministerial regulation isn't working properly, that will appear in the kinds of review reports and reporting to the minister that the body will do.

I would also say that although this remains a work-in-progress on the part of the government, I think it will be very important to roll out as quickly as possible the government's commitments on national security transparency, what has sometimes been referred to as the transparency charter. Transparency is a second dimension to accountability that I think will help ensure that balance between legislative direction and ministerial regulation is effective.