Mr. Speaker, how can we ensure that law enforcement and CSIS have the resources they need to access digital data and effectively combat organized crime and threats to national security without descending into an era of widespread, intrusive and excessive surveillance?
That is the question that we are facing today in this debate on Bill C-22. How can we modernize our law enforcement without infringing on people's right to privacy?
Bill C‑22 seeks to strike a balance. I understand that we will likely be able to find out in committee if this balance was struck.
We in the Bloc Québécois have a number of questions about what is being proposed, although we support the goal of properly equipping our law enforcement agencies. We have questions about a number of aspects.
The first question concerns the proposed new orders. The government wants to simplify the work of law enforcement when it comes to conducting investigations. How? It is creating a new order. The order will allow law enforcement to simply ask an Internet or electronic service provider whether or not a person is a subscriber.
All that a police officer needs to make this request is a suspicion, and a suspicion is not much at all. A suspicion is the lowest bar there is in Canadian criminal law. Police officers are often asked to have “reasonable grounds to believe” that a crime has been committed. This remains the current state of the law today.
Why are police officers required to have reasonable grounds to believe that a crime has been committed? It is to prevent fishing expeditions and to ensure that police officers have a minimum amount of evidence before obtaining people's personal data.
The other order provided for in Bill C-22 concerns the production of subscriber information. Once again, the burden of proof that law enforcement agencies would be required to meet is low. If they have a phone number, for example, or an IP address, they only need to have a suspicion that a crime has been committed or is about to be committed. That is a very low threshold, and it does not take much. They will be able to go before a court to obtain an order for the production of information. They will be able to obtain the name and address of the person to whom the IP address belongs and track them down. Is it possible to strike a balance with such a measure when the burden of proof is lowered? We will have to ask this question and listen to privacy experts, because a police officer might be strongly tempted to quickly file a request for the production of documents, given that it will now be much easier to do so.
Another point that is quite concerning and that will raise questions is that, under Bill C‑22, the Minister of Public Safety will first have to determine which service providers would be required to develop technical capabilities.
We need to understand where we are going with this. Right now, some telephone or social media service providers do not really keep the data they have because they are not interested in it, since they are only in business for commercial purposes. They might keep some data for the purpose of commercial profiling, but they might not keep it for a very long time or in an orderly fashion, since they have no commercial interest in doing so.
Essentially, however, what the government is proposing with Bill C‑22 is to require service providers to have the technical capability to retain metadata for one year, including the geolocation data of its subscribers. They will also be required to ensure that they can provide this information within a relatively short period of time, on the grounds that law enforcement may need it in order to know where a specific person was on a specific date.
Of course, we understand how incredibly efficient this will be for law enforcement, because as soon as they have reason to suspect that a crime has been committed, they will be able to retrieve location data to determine where a person was on a specific date.
It will help, but it raises some very legitimate concerns, because, as my colleague mentioned, a database will be created containing millions and millions of location data points for each individual. Each one of us has a phone, which means that with data from the past year, it would be possible to determine where we were at any given time.
This is meant to target criminals, of course, but 99.9% of people in Canada are not criminals and their data are going to be captured somewhere. Any time that a large amount of data like that exists somewhere, it can attract organized crime. We know about hackers, but countless other situations come to mind if we think of all the metadata to be stored. I understand that people would be concerned about this. Questions must be asked, because these data banks will not be created by the government, but by businesses. They will be required to conserve these data, but what kind of data protection will be required? There are examples. A few years back, fraud was committed at Desjardins. Sometimes the mechanisms are good, but insiders have bad intentions. A year's worth of geolocation metadata is practically a treasure trove for hackers. The mind reels just thinking about it.
Another concern we have is about the National Security and Intelligence Review Agency. Normally, one would expect this agency to be given more financial and legal authority, as well as material resources, to do its job and to reassure us, at least a little, about this new surveillance system that is being put in place. One of our concerns is that, when interventions are made, the agency will not be notified until 12 months later. There are other countries, such as Australia, where the agency is notified in real time. However, 12 months is already quite far removed from the abuse of authority, if any abuse occurred, so we have a concern on that front.
Next, we have concerns regarding funding. The government has announced across-the-board cuts that will affect this agency in particular. These cuts amount to 15%. If law enforcement agencies are being granted expanded powers and significant amounts of personal data will be stored with service providers, we would at least like to be assured that the agency will have the resources it needs to take action.
I also have questions about the regulatory powers that are being granted. Since April, the government has adopted the unfortunate habit of frequently proposing to proceed by regulatory means, so there are concerns. How will the government determine what exactly constitutes a service provider? Some banks are concerned. Will they be included in that definition? If they provide banking services, will they have to retain that data as well? The minister's power to act through regulatory means and ministerial orders raises some concerns for us, as does this bill's alignment with Quebec's new Bill 25, which seeks to protect personal information and which forced businesses and organizations in Quebec to adapt to protect data. Is the federal government going to add another layer of protection? That will need to be done properly. We need to be careful about this so as not to duplicate legislative protections.