Information & Ethics Committee on June 14th, 2016

Thank you, Mr. Chair, and thank you for the opportunity to address this committee on the issue of the reform of the Privacy Act.

I have had a chance to review the commissioner's recommendations for Privacy Act reform and I am generally supportive of these proposals. I'm going to be focusing my remarks today on a few specific issues that are united by the theme of transparency.

Greater transparency with respect to how personal information is collected, used, and disclosed by government enhances privacy by exposing practices to comment and review and by enabling appropriate oversight and accountability. At the same time, transparency is essential to maintaining public confidence in how government handles personal information.

The call for transparency must be situated within our rapidly changing information environment. Not only does technology now enable an unprecedented level of data collection and storage, but enhanced analytic capacity has also significantly altered the value of information in both public and private sectors. This increased value provides temptations to overcollect personal information, to share it, to mine it, or to compile it across departments and sectors for analysis and to retain it beyond the period required for the original purposes of collection.

In this regard, I would emphasize the importance of the recommendation of the commissioner to amend the Privacy Act to make explicit a “necessity” requirement for the collection of personal information, along with a clear definition of what “necessary” means.

The goal of this recommendation is to curtail the practice of overcollection of personal information. Overcollection runs counter to the expectations of the public, who provide information to government for specific and limited purposes. It also exposes Canadians to enhanced risks of negligence, misconduct, or cyberattack, which can result in data breaches.

Data minimization is an important principle that is supported by data protection authorities around the world and reflected in privacy legislation. The principle should be explicit and up front in a reformed Privacy Act.

Data minimization also has a role to play in enhancing transparency. Not only do clear limits on the collection of personal information serve transparency goals, but overcollection also encourages the repurposing of information, improper use, and over-sharing.

The requirement to limit collection of information to specific and necessary purposes is tied to the further requirement on government to collect personal information directly from the individual, where possible. This obviously increases transparency, as it makes individuals directly aware of the collection.

However, there are many exceptions to this general rule. These exceptions include circumstances in which information is disclosed to an investigative body at their request in relation to an investigation or the enforcement of any law, or when it's disclosed to government actors under court order or subpoena. Although such exceptions may be necessary, they need to be considered in the evolving data context in which we find ourselves.

Private sector companies now collect vast stores of personal information, and this information often includes very detailed core biographical information. It should be a matter of great concern, therefore, that the permissive exceptions in both PIPEDA and the Criminal Code enable the flow of massive amounts of personal information from the private sector to government without the knowledge or consent of the individual.

Such requests or orders are often, although not always, made in the course of criminal or national security investigations. The collection is not transparent to the individuals affected, and the practices as a whole are largely not transparent to the broader public and to the office of the Privacy Commissioner.

We've heard the most about this issue in relation to telecommunications companies that are regularly asked or ordered to provide detailed information to police and other government agents. It should be noted, however, that many other companies collect personal information about individuals that is highly revelatory about their activities and choices. It is important not to dismiss this issue as less significant because of the potentially anti-social behaviour of the targeted individuals. Court orders and requests for information can and do encompass the personal information of a large number of Canadians who are not suspected of anything. The problem of tower dump warrants, for example, was recently highlighted in a case before the Ontario Supreme Court. The original warrant in that case sought highly detailed personal information on about 43,000 individuals, the vast majority of whom had done nothing other than use their cellphones in a certain area at a particular time.

Keep in mind that the capacity to run sophisticated analytics will increase the attractiveness of obtaining large volumes of data from the private sector in order to search for an individual linked to a particular pattern of activity.

Without adequate transparency regarding the collection of personal information from the private sector, there is no way for the public to be satisfied that such powers are not abused. Recent efforts to improve transparency—for example, ISED's voluntary transparency reporting guidelines—have focused on private sector transparency. In other words, there has been an attempt to provide a framework for the voluntary reporting by telecommunications companies of the number of requests they receive from government authorities, the number they comply with, and so on. However, not only are these guidelines entirely voluntary, but they are limited to the telecommunications sector, whereas disclosures may be sought from any private sector company.

They also only address transparency reporting by the companies themselves. There are no legislated obligations on government actors to report in a meaningful way, whether publicly or to the Office of the Privacy Commissioner of Canada, on their harvesting of personal information from private sector companies. I note that the recent attempt by the OPC to audit the RCMP's use of warrantless requests for subscriber data came to an end when it became clear that the RCMP did not keep specific records of these practices.

In my view, a modernization of the Privacy Act should directly address this enhanced capacity of government institutions to access the vast stores of personal information in the hands of the private sector. The same legislation that permits the collection of personal information from private sector companies should include transparency reporting requirements when such collection takes place. In addition, legislative guidance should be provided on how government actors who obtain personal information from the private sector, either by request or under court order, should deal with this information. Specifically, limits on the use and retention of this data should be imposed.

It's true that the Criminal Code and PIPEDA enable police forces and investigative bodies under both federal and provincial jurisdiction to obtain personal information from the private sector under the same terms and conditions, and that reform of the Privacy Act in this respect will not address transparency and accountability of provincial actors. This suggests that issues of transparency and accountability of this kind might also be fruitfully addressed in the Criminal Code and in PIPEDA—the reform of which this committee is also considering—but this is no reason not to address it in the Privacy Act. To the extent that government institutions are engaged in the indirect collection of personal information, the Privacy Act should provide for transparency and accountability with respect to such activities.

Another transparency issue raised by the commissioner relates to information sharing within government. Technological changes have made it easier for government agencies and departments to share personal information, and they do so on what the commissioner describes as a massive scale.

The Privacy Act enables personal information sharing within and between governments, domestically and internationally—in specific circumstances for investigations in law enforcement, for example, or for purposes consistent with those for which it was collected. Commissioner Therrien seeks amendments that would require information sharing within and between governments to take place according to written agreements in a prescribed form. Not only would this ensure that information sharing is compliant with the legislation, but it would also offer a measure of transparency to a public that has a right to know whether, and in what circumstances, information they provide to one agency or department will be shared with another, or whether and under what conditions their personal information may be shared with provincial or foreign governments.

Another important transparency issue is mandatory data breach reporting.

Treasury Board Secretariat currently requires that departments inform the OPC of data security breaches, but the commissioner has noted that not all comply. As a result, he is asking that the legislation be amended to include a mandatory breach notification requirement. Parliament has recently amended PIPEDA to include such a requirement. Once these provisions take effect, the private sector will be held to a higher standard than the public sector unless the Privacy Act is also amended.

Any amendments to the federal Privacy Act to address data security breach reporting would have to take into account the need for the commissioner and for affected individuals to be notified when there has been a breach that meets a certain threshold for potential harm, as will be the case under PIPEDA.

The PIPEDA amendments will also require organizations to keep records of all breaches of security safeguards, regardless of whether they meet the harm threshold that triggers a formal reporting requirement. Parliament should impose a requirement on those bodies governed by the Privacy Act to keep and to submit records of this kind to the OPC. Such records would be helpful in identifying patterns or trends within a single department or institution, or across departments or institutions. The ability to identify issues proactively and to address them either where they arise or across the federal government can only enhance data security, something which is becoming even more urgent in a time of growing cybersecurity threats.

I'm going to stop my comments there.

Thank you very much, Mr. Chair.

Thank you very much for inviting me to participate in what I think is an important initiative. The Privacy Act is out of date, and Canadians urgently need a new and strong law that speaks to the tremendous technological changes and political economic shifts that have occurred since the 1980s.

In general, I am in agreement with and grateful for the proposals made by the Privacy Commissioner. At the same time, I should make it clear that I am not a lawyer, and nor do I have any legal expertise. I speak as a university professor who has been engaged in the social sciences. I direct the Surveillance Studies Centre at Queen's University.

My last book was Surveillance after Snowden. The large-scale team project I direct at the moment is called Big Data Surveillance. The book that I'm currently working on is The Culture of Surveillance. I mention these simply to give you some sense of the angle from which I am coming and from which I speak, which is the broad context of this act rather than the details.

Let me start by pointing out that there's a publication our research team brought out a couple of years ago. It's called Transparent Lives: Surveillance in Canada. It's a highly accessible study of the trends in surveillance today. I commend it to the committee. You can get it from any good bookstore, or it is downloadable online.

It is also available in French, under the title Vivre à nu: La surveillance au Canada.

This book encapsulates the key issues about surveillance in the 21st century and gives a comprehensive background, for anyone who would like to see it, for the need for a changed privacy law.

The trends that it examines, and for which it offers Canadian examples, include the rapid pace of increasing surveillance, the role of security concerns in prompting surveillance, the blurring of public and private sectors—Snowden's disclosures make this very clear—the ambiguity of personal information, the growth of mobile and location-based surveillance, the embedding of surveillance in everyday environments—sometimes discussed as the Internet of Things—the growth of biometrics, and social surveillance on Facebook, Twitter, and other media.

The Privacy Act is premised on some rather fixed ideas about personal information in terms of who collects it and where, if at all, it travels. Today, fluidity rather than fixity is the order of the day. Words such as “databases” define the old document, and this suggests silos in contrast to the multiple conduits through which data flow today. Information was seen then as pertaining to those specific sites, and sharing information could only happen under certain circumstances.

There still, of course, need to be limits on this practice, as we've just heard, and it has to be acknowledged at the same time that information sharing today exists on a scale that wasn't dreamed of in the 1980s, a scale that would be very difficult to quantify, let alone control.

It also occurs across boundaries assumed by the distinction between government activities and commercial ones in the two main federal laws of 1982 and 2004. The easy traffic in each direction between these domains was never envisioned in the 1982 act, and this is a key issue to be confronted in any review.

At the same time, surveillance can and does happen without there being any obvious handles for identifying personal information. The very category of personal information is badly blurred today. Once you could have imagined that this category would cover such matters as name, address, telephone, and perhaps some official identifier such as the social insurance number. Today, license plates captured by highway cameras count, and although this is controversial, so do IP addresses on computers.

Moreover, one can be identified through facial recognition. The software, for example, that is routinely used by Facebook doesn't even require a Facebook account in order for it to function. Indeed, it's relatively straightforward to identify people with no obvious identifying information provided. A Montreal study recently showed that 98% could be positively identified with birthdate, gender, and postal code without names and addresses being known.

The post-Snowden debate over whether or not metadata around phone and Internet messages count as personal data is another example. This is supposedly contextual, sometimes dismissed misleadingly as phone book-like information rather than content, but metadata is frequently more revealing, not less.

The two items mentioned refer to socio-technical and political-economic changes that have occurred over the past 40 years, and I wish to turn to matters of research and education, on which the commissioner also speaks.

On the one hand, much more research is required to properly understand the momentous changes that have occurred since the 1980s. It must be stressed that these are both socio-technical and political-economic changes and cannot safely be reduced to technical and legal categories.

For a number of years the commissioner has overseen a very successful program of funded research under the contribution scheme, but given the magnitude of the issues and their centrality to matters from national security to domestic life, much more is needed if the law governing the uses of personal data is to be kept up to date in a way that genuinely addresses all whose lives are touched by surveillance of all kinds, which is everyone.

This research program could be expanded under the act as a background to the revision of the Privacy Act, but it could also be widened by requests for surveillance and privacy research by the Tri-Council or by the Royal Society of Canada for a dedicated report on surveillance and privacy law in Canada. I suggest that such study is needed before the law can be revised.

On the education front, it is clear that much has to be done here, and this too could be coordinated by the Privacy Commissioner with an expanded brief.

In the 1980s, computing still meant primarily what were called “mainframes”, and the era of personal computing—not to mention the popular diffusion of distributed systems, mobile devices, and the cloud—was yet to flower. In that decade, if you wished to connect with others, for example, or with what would emerge in the 1990s as the Internet, you had to use a cumbersome system of plugging your land-line phone handset into rubber sockets—I don't know if anybody remembers that; it was called an acoustic coupler—to create a very uncertain data link modem.

Today computer devices and networks have proliferated in ways that demand fresh approaches to what I think should be called “digital citizenship suitable for all ages”. All Canadians need to know their rights, understand the issues, and engage actively and in an informed way. This is not a minority option. This is not something on the side. This again could be initiated by the commissioner. It could accompany the new law and could refer to the work of many other agencies where such matters are central, and in my little brief I've put some references for you.

While I believe all the above are essential components of a revised privacy law, it seems to me that the nature of the debate also has to shift to consider carefully the underlying ethical direction that should be encouraged to enable the most just and fairest uses of digital media and personal information and to exploit the best purposes of the great potential of digital technologies.

The very notion of privacy, of course, has undergone considerable change since the 1980s. These are not minor or peripheral matters and cannot be addressed in merely technical or legal ways. It's not only that privacy in some narrow sense might be violated by the misuse of these powerful technologies, but rather that our opportunities to live as free and fulfilled human beings are enhanced or curtailed by surveillance, whether by government or corporation.

As Eric Stoddart argues, much monitoring and tracking today is the surveillance of others. We would do well to consider how surveillance could be harnessed for human flourishing, which would be surveillance for others.

Thank you very much.

Thank you.

I thank you for inviting me to appear before you today. I appreciate the opportunity. I have prepared a written submission for your committee. It's currently being translated and will be distributed to you. My comments will be a summary of that submission. I welcome your further questions.

The basic point I want to stress to you today is that Privacy Act reform must take account of the Canadian Charter of Rights and Freedoms and its protections for privacy. We should not think that compliance with the Privacy Act means compliance with the charter, and we should not think that strengthening the Privacy Act's adherence to fair information principles means that it's thereby consistent with the charter's protection for privacy.

It's crucial that we understand this, for we're now in an era when the government collects large amounts of information about individuals and shares this both within government and with other governments, including foreign governments. This is not just for the provision of social services but for law enforcement and national security purposes, as both the prior witnesses stressed as well. Indeed, when the former government introduced Bill C-51 and the new Security of Canada Information Sharing Act, Canadians were told that because the Privacy Act applied and the Privacy Commissioner would provide review, there would be an appropriate balance between protecting the privacy of citizens and ensuring national security. This is an illusion, and it's a dangerous one.

The Privacy Act is quasi-constitutional legislation, that's true. The Supreme Court has said that multiple times. However, it should not be equated with the constitutional protection of privacy rights. The Privacy Act is based on what have come to be known internationally as “fair information principles”. Its basic model is a response to the growth of the administrative state and its accompanying information practices. An individual seeking government services in a social welfare state context has an interest in receiving those services. The administration of those services requires personal information to be collected and processed, so the individual interest in relation to this personal information is not about preventing its collection, use, or disclosure, but in preventing the overcollection of personal information or its subsequent uses or disclosures for different purposes, as well as in ensuring that the information is accurate. The central individual entitlement is to have access to the information the state holds about oneself, and to correct it for inaccuracies. This law was never really meant to apply to the context of law enforcement and national security in any robust way, and many of its exceptions capture those uses.

In contrast, the constitutional protection of privacy in Canada has developed largely in relation to section 8 of the charter, although privacy has also been protected through section 7. Its central paradigm is its search and seizure context, where the state seeks information in relation to law enforcement investigations. Here the individual interest lies completely in opposition to the state interest. It is a coercive relationship. The central individual entitlement is to have state access protected through the warrant requirement and the reasonable and probable grounds standard. These are two different frameworks, but they need to be integrated if we think the Privacy Act has anything to say to the increasing information practices the government employs in the context of law enforcement and national security. Charter review should be built into a strengthened Privacy Act review, particularly in this context.

In light of this, I have four recommendation I want to offer to you. Again, those are outlined in the written submission.

First is an interpretive principle. We recommend that the Privacy Act should include a reference to privacy rights protected by the Canadian Charter of Rights and Freedoms. Put a reference to it in the purpose section to allow for arguments to be made in reference to the Charter of Rights and Freedoms.

Our second recommendation is that government information practices should be reviewed for compliance with charter rights. The necessity standard that the Office of the Privacy Commissioner of Canada is advocating is not adequate. It's better than what we have, and it's good in many contexts, but it's not adequate.

Why do I say that? Charter rights can be at issue with the collection, use, or disclosure of personal information. The charter is engaged when there's a reasonable expectation of privacy; it's not simply when personal information is collected, used, or disclosed, but where there's a reasonable expectation of privacy. The Supreme Court of Canada has repeatedly held that information that has been collected by the state for one purpose can retain a residual reasonable expectation of privacy in relation to other purposes, including disclosure to foreign states.

Engaging in something like a necessity test modelled after the Oakes test for section 1, which is what the Privacy Commissioner advocates, is not going to be adequate in this context. Why? The section 8 reasonable and probable grounds test, which is the basic standard, is not a test that says the state gets access to information if it is necessary for a law enforcement purpose; it's a test that says that “...law enforcement goals hold sway only at the point marked by the probable effectiveness of reaching that goal.” This idea of probable effectiveness is not part of the the section 1 jurisprudence to date.

It's actually quite unclear when a breach of either section 7 or section 8 of the charter can be upheld under section 1 of the charter. That's because there's an internal balancing in section 1 as well as as one in section 7, and courts are loath to uphold them under section 1, so we should not be quick to regularize some kind of section 1 analysis until we actually import the charter privacy protections, particularly in the context of state use of this information for law enforcement and national security purposes.

Therefore, we recommend that the use or disclosure of personal information for law enforcement investigative or national security purposes should be subject to a review that reflects the protection of an individual's charter rights under sections 7 and 8, and not simply be reviewed on a necessity standard.

Our third recommendation is that the Office of the Privacy Commissioner be empowered to undertake charter review of government information practices. Charter review of these information practices should not be a burden placed on ordinary Canadians to both discover information practices that are difficult for them to see and understand—to come to know what those practices are—and to challenge them in court. It should not be a burden on the individuals to initially challenge these things in court in a context where we have an access to justice crisis in this country. Instead, we should build it into the Office of the Privacy Commissioner's function.

However, it's also important that this be reviewed on a standard of correctness in the courts. It should not be built into an administrative process such that the courts are then reviewing charter complaints on a reasonableness standard. It should be correctness.

Therefore, we recommend that the exemptions, particularly those under sections 7 and 8 of the Privacy Act for uses and disclosures of personal information without consent, should be subject to charter review conducted by the Privacy Commissioner, subject to judicial review on a standard of correctness.

Our fourth recommendation is that you strengthen the obligation of accuracy under the Privacy Act.

Inaccurate information can have grave consequences on fundamental rights and freedoms. This is one of the tragic lessons from the Arar commission. Currently the obligation of accuracy is in subsection 6(2) of the act. It applies to uses of personal information, but it should apply to uses and disclosures of information, not just uses. It's currently confined to administrative purposes, and it should be broadened to all the purposes that it's used for.

I think that the act should also be modernized to recognize what academics are increasingly terming “algorithmic responsibility”—that is, the idea that the issue is not just the accuracy of the information that's collected, used, or disclosed, but the accuracy of information processing methods used by the government.

In an era of big data, an era when vast amounts of information are being collected and analyzed in different ways, we need to be concerned about the accuracy of those methods of analysis. We need to be concerned that they're not building in biases, for example, or other forms of inaccuracy. Therefore, we recommend that subsection 6(2) of the act be amended to impose an obligation to ensure the accuracy of any personal information that is used or disclosed by the institution for all purposes. The obligation of accuracy should also apply to methods of information processing.

I'll end my comments there.

Thank you.

The trend in jurisprudence is that when you have an administrative decision-maker, such as the Office of the Privacy Commissioner, the courts are highly deferential, including sometimes with respect to charter issues. It's something that the David Asper Centre has been tracking and is concerned about. They're concerned that on charter issues, the courts actually have the last say on a standard of correctness. That's worth putting in.

The rest is, yes, to build in the charter review initially, because you can have Privacy Act compliance that still raises charter issues. You can have information sharing that is perfectly compliant with the Privacy Act as it now stands, or even compliant with the Privacy Act if you amend it according to the Privacy Commissioner's recommendations, but would still raise charter issues.

That charter review shouldn't be bolted on after the fact and the burden of it be placed on citizens. It should be built in from the start.

I would say that the written agreements are a start. Again, I would want charter compliance built into them, because some of this information sharing can raise charter issues, and these need to be flagged early on.

The charter jurisprudence is clear in saying that just because one government institution has information that it has collected for one purpose doesn't mean it can use it for subsequent purposes; sometimes a charter issue is flagged, and there needs to be charter compliance. That can also happen with sharing it with foreign states.

Section 8 was triggered in the Wakeling decision, although there was a disagreement on whether the provisions in the Criminal Code were reasonable. In the end, they were found to be reasonable.

The written agreements are a start, then, but you need the charter review of the information sharing, because some of it will raise charter issues, but not all of it, hopefully. You thus need to build it in at the beginning.

I would also say that whenever some of this information is shared, particularly with foreign governments, the accuracy issue is enormous, so building in an obligation of accuracy is important.

I don't see how the current obligation of accuracy actually applies, because it's about use for administrative purposes. If you're sharing this information for national security purposes or for transnational law enforcement purposes, it seems to me it's not part of that, but it's crucial that accuracy be built in. You could, through regulations, specify perhaps what that might mean in particular circumstances, but I think it's an absolutely crucial amendment.

With respect to the written agreements—and I think the commissioner refers to written agreements in a prescribed form—that the devil's going to be in the details. It will depend to a very large extent on what that prescribed form is, how detailed those written agreements are, and what the exceptions are. I think there's always a risk, particularly in the law enforcement and national security arena, of creating broad exceptions or limitations on what is disclosed.

Obviously the tension is the balance between privacy and security in that context, but the effectiveness of any written agreements, I think, really will depend on what is required to be in those written agreements, how transparent they will actually be, and to what extent exemptions from those requirements would blunt their effectiveness.

The only thing I wanted to say was that I couldn't hear very clearly what the question was. The mike didn't seem to be picking up the questioner.

Okay. Yes, I think the comments of Lisa Austin spoke directly to that and I think that's the way that I would answer.

The one point of the written agreement that I'm not sure about or that I would put as a question to you to think about is that when information-sharing practices are set up, it seems to me that it's not just about having an agreement in place that you write up: you're going to have some technical tools for dealing with the data, especially if you're dealing with large amounts of data that you're sharing in different ways, so what's the oversight for the technical system that you're setting up?

The written agreement seems like an advance over what the situation is now. I agree with the Office of the Privacy Commissioner's submissions on that point, but isn't there also oversight of the technical infrastructure that we're creating? How do you make sure that it is reviewed properly as well, and in a transparent manner? That is something to think about.

It's a great question. I haven't finished writing the book yet, but what we're working on is looking at the ways in which.... Well, it's in contrast with the situation in the 1980s, when these kinds of issues were still seen as relatively discrete in that they didn't apply to everyone. In what I'm calling a surveillance culture, people have a kind of surveillance imaginary, a sense of what's going on, and engage in practices that relate to surveillance, whether it's avoiding certain kinds of surveillance or actively participating in them or complying or negotiating or whatever.

In talking about surveillance culture, I'm trying to draw attention to the fact that there's no point in talking about a surveillance state anymore, or even a surveillance society, although those are important concepts. We have to think about the ways in which people in everyday life interact in numerous ways, and increasingly, with all kinds of surveillance.

Of course, I'm understanding surveillance in the broad sense of any kind of activity or experience of gathering and analyzing personal information for all kinds of purposes, whether they be for influence, control, management, or whatever. I'm working with a fairly wide definition of surveillance that, again, was not envisaged by those who were writing the Privacy Act in the 1980s. I'm thinking of situations, for example, where people are engaged with social media and are actually very aware of the kinds of risks that they take in certain kinds of communication, certain kinds of web-browsing, and so on and so forth.

That culture of surveillance that is developing in many different aspects actually has an effect on the ways in which surveillance is carried out and privacy is maintained, and for all that some say that privacy is less of a matter of interest to younger people who are using social media, in fact you discover that there's a very sophisticated and complex understanding of privacy. This relates both to the big issues of the charter, for example, and to the small issues, such as which particular party you do or do not want your own communications to be open to.

Therefore, I'm thinking of something that is developing in Canada and in other countries that affects our understanding of what it is to be enjoying privacy, our understanding of what it is to be under surveillance, and how those understandings and those practices make a difference to the ways in which surveillance actually works—to its very efficacy—and also to privacy.

Under the act, for law enforcement purposes it's permissible to disclose personal information without consent upon the request of an agency that's listed in the regulations. If there's a reasonable expectation of privacy in that information, you need a warrant for that. Under the Privacy Act, if you're requested and you hand it over, that's fine, but under the charter, you might need a warrant. You can be Privacy Act-compliant but have a problem with the charter.

It's the same with foreign governments. Under the Privacy Act, information can be shared with foreign governments through an arrangement—it doesn't even have to be written—and there is no Privacy Act issue, but there could be a charter issue. Wakeling v. United States of America is a Supreme Court of Canada decision that suggests that section 8 of the charter is engaged when information is shared with a foreign state. That was information that was actually lawfully collected through a Canadian wiretap in that case.

You can have information that the government has and shares with a foreign state. The Privacy Act says that's perfectly okay if it's pursuant to an arrangement and it's for law enforcement purposes, but the charter might say to wait a minute and that you need a heightened set of protections in those particular circumstances. It might be a warrant or it might not be a warrant; it might be subsequent protections on the uses of that information. “Safeguards” is the language that the Supreme Court of Canada tends to use, but it's not currently in the act.