Information & Ethics Committee on Nov. 3rd, 2016

Yes, absolutely. We're a net beneficiary of intelligence sharing. At one point, the RCMP was saying that it was receiving 75 times more information from allied services than it was sending out. We have to be cognizant of our place in the international information-sharing infrastructure.

These, in part, are some of the drivers around some of the other concerns that have been raised in other contexts about how we manage the flow of intelligence into, say, the court system, but that's a big, long story. The bottom line is that it's essential for us to be an active participant in that consortium.

Yes, I completely agree.

I would also point out that after the 9/11 attacks, the international community recognized that this needed to be done. In Canada, as Professor Forcese has just said, we have a certain place. We are a net recipient of this information, and it's important for us to rely upon it.

Having said that, we also know that there have to be checks and balances with respect to Canada's role in the Five Eyes, what it tasks its partners to do, and what it says it's doing here in Canada versus what's actually happening in terms of the relationship with the Five Eyes partners.

As Ms. Pillay has said, information sharing is a modern reality. We should participate in it, but we need checks and balances in the form of an adequate review structure. Although the Privacy Commissioner obviously has some role here, if we had a dedicated national security review—if the activities of, say, SIRC, the Security Intelligence Review Committee, were expanded, as Justice O'Connor recommended in Arar—we would have greater confidence that the information sharing that must take place with our allies, both in and out, is done in as responsible a manner as possible.

The problem is that this act is silent about foreign information sharing. Even its operative principles do not actualize what Justice O'Connor said was important, which was that when we share information or receive information from allies, we should be cognizant of the reliability, lack of reliability, or, as is often the case with intelligence, unknown reliability of that information.

Only in the broadest sense. The privacy rules in different jurisdictions are quite variable.

In relation to international information sharing, which was your prior question about Five Eyes, for the most part, there's relatively little law that I'm aware of within the Five Eyes that would govern that carefully and thoroughly.

On the other hand, one of the differences is that for the most part, the Five Eyes allies have more robust review and more comprehensive review. When you talk about international information sharing, the difficulty is always reconciling domestic review by domestic review bodies with an internationalized process that might implicate the interests of foreign states. I'm not sure that anyone has yet derived a perfect solution to that conundrum.

In terms of domestic privacy laws, they're quite variable. I would say that Canada, relative to some of the Five Eyes, has quite robust domestic privacy laws.

This is not just a plug, but based on your question, we have released just this week, with our international partners, a report on information sharing and surveillance. The CCLA has included a chapter in that report on the Re (X) case. The other partners who have written include information sharing laws in the United States, Russia, Kenya, South Africa, and India. We'd be happy to make that report available to you.

The U.S. is part of the Five Eyes.

I would say, in part, as I've noted, there isn't specific statutory law that would govern that sort of arrangement, and the current act that is the subject matter of today's hearing doesn't deal with international information sharing on its face.

As you may be aware, there are ministerial directives from the Minister of Public Safety dating from 2011 and directed at the Canada Border Services Agency, CSIS, and the RCMP that are designed to govern circumstances where there is a prospect that outbound information sharing could induce maltreatment or torture, and they also try to grapple with the prospect that inbound information sharing may be the product of torture.

The bottom line is that the ministerial directives put in place protocols to minimize those risks, but in truth, at the end of the day, the ministerial directives also leave the door open in the most dire circumstances to sharing if, at least in the views of the responsible officials, the risk of torture can somehow be mitigated.

The problem, of course, in all those circumstances is that you can't necessarily control what will happen in response to the information once it's shared. The Arar commission report took the view that even when there's a bona fide security reason, there will be circumstances when you have to decline to share, and that's probably the honest truth of the matter. It is an enormous moral and ethical dilemma that the law has difficulty reconciling.

I would describe the new law as an effort to wallpaper cracks in the roof. In other words, it superimposes a new legal regime on existing legal rules that are themselves an arcane patchwork and difficult to construe.

Just to give you one example, CBSA, the Border Services Agency, implements several statutes as part of its mandate, and these statutes each have provisions on information sharing in the interest of national security, broadly defined. However, they all use different terms and are drafted in different ways, so the same agency is applying different standards under different statutes.

If I were to make an overarching recommendation, it wouldn't be to create a Security of Canada Information Sharing Act that papers over all these cracks. It would be to go into the statute books of all these agencies and clean up all the differential rules that apply to govern information sharing.

I would also add that the Privacy Act itself has a number of exceptions that allow private information to be shared, including a public interest override. In circumstances where the agency takes the view that there's public interest in information sharing that supersedes the privacy interests of the individual, it can be shared.

In sum, it's not entirely clear to me what problem this act was trying to solve, other than to signal to government that we're going to share more.

Thank you for the question.

I would absolutely say that more needs to be done, and obviously my two fellow witnesses are experts on talking about what can be done.

In short, as I've mentioned, we've called for an integrated review. A review would be different from oversight, as Professor Forcese has often said. The review comes after the fact, but it provides an accountability that's currently missing, and given that we have many of these agencies now working, as I mentioned already, in an increasingly integrated fashion, we need some sort of structure that can work in an integrated fashion to provide that review.

Then within agencies, I personally think that there ought to be some sort of—the translator's word was “monitoring”. There ought to be some sort of monitoring mechanism. There would have to be some protocols in place to govern what is being shared, and when, and why.

Thank you very much for the question.

I think this is an area that we should probably just leave to the courts, and I would favour simply deleting section 9 of SCISA. The Supreme Court is now developing jurisprudence with respect to charter damages, which would include damages for violation of rights of privacy. The court has done so in a way that recognizes a broad range of reasons for awarding damages, compensation for pecuniary and non-pecuniary losses, vindication, and deterrence, but is also respectful of governmental justifications. What the court says is that once you have established an entitlement to damages, it is up to the government to justify why damages would be inappropriate or why some alternative remedy would be better. In my view, subsection 24(1) of the charter provides a more flexible mechanism for responding to damages.

Having said that, I would also add that damages cannot be a substitute for effective review, because as Justice O'Connor stressed, most people do not know if information is being shared about them. Mr. Arar and other Canadians who were tortured in Syria, in part because of Canadian information sharing, knew because of the devastating consequences that they experienced, but you or I would not know right now if information about us is being shared, so although damages should be available, we should not rely upon damages, and we need a better review structure to do independent audits of information sharing practices.

The only persuasive position I heard during the Bill C-51 debates was in relation, say, to weapons proliferation, weapons of mass destruction. Those sorts of matters could fall outside the scope of the threat to the security of Canada definition within the CSIS Act, so you would want to have a slightly broader definition to encompass those sorts of issues.

You could come up with something that's not as sweeping as the present definition in proposed section 2 that would address those sorts of bona fide concerns.

I think that I would probably share what I heard Professor Forcese say at the outset. We were very concerned when the word “lawful” existed, but then we were also concerned when it was withdrawn, because of the implications. At first we welcomed it, but then we were concerned about what the implications might be.