Information & Ethics Committee on Nov. 3rd, 2016

Thanks for having me here today.

Let me begin by noting that the topic of our conversation today, information sharing for national security purposes, is an essential one. Information sharing is essential to national security. That truth was recognized in the 9/11 commission report in the United States and it was also recognized in Canada by the Arar commission report, which was, in fact, an inquiry on how poor information sharing can precipitate human rights abuses. It was also recognized by the Air India commission, which was an inquiry into the systemic failure of information sharing.

In the presentation that Kent Roach and I have prepared, we aim to do two things. First, I'll identify the key challenges in national security information sharing. Then my colleague Kent Roach will outline suggestions on refining one core component of the governing law, specifically the Security of Canada Information Sharing Act, or the SCISA, an act that was part of Bill C-51 in 2015.

As a first point, Canadian information-sharing laws in the area of national security are a muddled patchwork. As an internal CSIS briefing note that predated Bill C-51 noted,

Currently, departments and agencies rely on a patchwork of legislative authorities to guide information sharing....Generally, enabling legislation of most departments and agencies does not unambiguously permit the effective sharing of information for national security purposes.

The question is, however, what to do about this. The CSIS briefing note goes on to state that:

Existing legislative authorities and information-sharing arrangements often allow for the sharing of information for national security purposes. With appropriate direction and framework in place, significant improvements are possible to encourage information sharing for national security purposes, on the basis [of] existing legislative authorities.

Instead, Bill C-51 responded to legitimate concerns about siloed information by throwing wide open the barn doors on information sharing, but in such a complex and unnuanced way that the only certain consequence will be less privacy for Canadians.

I'll enumerate now some of our concerns about the 2015 Security of Canada Information Sharing Act, the one enacted by Bill C-51.

First, the act allows those within the Government of Canada to share information about the new and vast concept of “activities that undermine the security of Canada”. It is difficult to overstate how broad this definition is, even as contrasted with the existing broad national security definitions such as “threats to the security of Canada” in the CSIS Act or the national security concept in the Security of Information Act, Canada's official secrets law.

The only exemption of the SCISA definition of “activities that undermine the security of Canada” is for “advocacy, protest, dissent and artistic expression”. This list was originally qualified by the word “lawful”, but under pressures from civil society groups, the last Parliament deleted the word “lawful”.

We were astonished by this change. We had proposed that “lawful” be dropped but then recommended the same compromise found in the definition of “terrorist activity” in the Criminal Code. We recommended excluding both lawful and unlawful protest and advocacy, but only so long as it was not tied to violence.

Violent protest or advocacy of a sufficient scale can be a national security issue, justifying information sharing. By simply dropping the word “lawful”, however, the new act seems to preclude new information-sharing powers in relation to any sort of protest, advocacy, or dissent, no matter how violent.

Government lawyers will find a way to work around this carelessly drafted exception. Indeed, the government's green paper has invented a solution. It says that the exception does not include “violent actions”. This is sensible, but it is not a standard set out in the actual law. It is a policy position, not something that is binding or in the least evident from the actual statute.

Second, the overbreadth of both the concept of security and the carve-out from it is then compounded by the operative provisions in the act.

In its key operative provision, the act contemplates that more than 100 government institutions may, unless other laws prohibit them from doing so, disclose information to 17, and potentially more, federal institutions if relevant to the receiving body's jurisdiction or responsibilities in relation to “activities that undermine the security of Canada, including in respect of their detection, identification, analysis, prevention, investigation or disruption”. All these terms are not defined, even though they are capable of definition. Without definition, whether by amending the act or through regulation, there is a danger that many terms in the new act will be inconsistently applied—a danger that the Privacy Commissioner has already raised.

Third, in the absence of more carefully articulated standards, the only safeguard is that the new information-sharing power is, in subsection 5(1) of the act, “Subject to any provision of any other Act of Parliament, or of any regulation...that prohibits or restricts the disclosure of information”.

What that means is a bit unclear, but we believe that the existing act, the Security of Canada Information Sharing Act, must comply with, among other things, the Privacy Act. That is not an ideal safeguard, given the many exceptions in the Privacy Act. It is something, and yet we are not sure how to read the government's recent green paper documents. They say that because the new Security of Canada Information Sharing Act authorizes disclosure, it satisfies a lawful authority exception to the Privacy Act, effectively trumping it.

The bottom line is that the new act's entire architecture creates confusion and uncertainty, and this requires a remedy.

My colleague Kent Roach will discuss some of our proposals.

I'd like to thank the committee for inviting us and for allowing me to appear remotely. I realize this isn't ideal.

First of all, as someone who worked on both the Arar and Air India commissions, I want to underline what my colleague said. We need to get information sharing right, and this act, which was hastily and very poorly drafted, does not get information sharing right.

With the Arar saga we see the dangers of sharing information that is not reliable and is not strictly necessary for the mandate of a receiving institution. That underlines the extreme dangers that can come from too much or inappropriate information sharing.

Just as importantly, however, the Air India commission showed the dangers of not sharing enough information. Indeed, one of things that is absent from this act was a recommendation by Justice Major that there be mandatory information sharing by CSIS about specific information relevant to the prosecution of terrorism offences.

Rather than devising a system that focuses on a particular form of information sharing, what we see in the Security of Canada Information Sharing Act is section 2, which is a radical departure even from the broad definition of threats to the security of Canada under the CSIS Act, which has been with us since 1984. In terms of amendments, one of the first things that should be looked at is trimming the overly broad definition of section 2.

I would underline that for Canadians to have confidence in this information sharing, there need to be more limits in the legislation and also more transparency about the information sharing, because as my colleague has pointed out, if over 100 departments can potentially share information under this act with 17 or more recipient institutions, all of this is done through legal interpretations that the public has no access to. It's very difficult to ask civil society and the public not to have concerns, and indeed suspicions, about information sharing when we have such a radical, broad definition of “activities that undermine the security of Canada”, including not only legitimate topics like terrorism but also, for example, an activity that takes place in Canada and undermines the security of another state. In my view, it's very important to go back to section 2.

Section 4 of the act has a number of guiding principles, and these guiding principles are fine as far as they go, although I would like to see more emphasis put on the reliability of the information that is shared. Justice O'Connor in the Arar commission report stressed that there need to be assurances that the reliability of the information is discussed, and also the respect for caveats, which is mentioned in section 4.

The problem with section 4 right now is simply that principles are placed out there, but there are no teeth, unless there's a requirement for protocols through regulations or through amendments of the statutes. The Privacy Commissioner has also noted this.

As my colleague has noted, sections 5 and 6 are extremely poorly drafted. They need to be made precisely clear, because unfortunately the green paper reflects a fundamental ambiguity in how this act is going to be interpreted.

Certainly the interpretation that we thought was the viable one and the preferential one, which was that this act did not have an independent trumping force over the Privacy Act, is partly negated in the green paper. The green paper gives us some idea of how government lawyers are interpreting this legislation, and unfortunately the interpretation, like section 5 and section 6, is about as clear as mud, so it is very, very important to address those two very fundamental sections.

Also, we would support what the Privacy Commissioner has said, which was that the issue should not simply be sharing of all relevant information but that there should be some requirement of necessity. We would just add that Supreme Court jurisprudence, like the jurisprudence in Wakeling, suggests that information sharing—not simply information acquisition, but information sharing, such as is authorized by this legislation—is subject to the charter, and so a standard of necessity or proportionality would be much more likely to withstand charter scrutiny than one of mere relevance.

I would also underline again why this provision and the CSIS threat disruption are probably the two most controversial parts of Bill C-51 in their reference not only to detection, identification, and analysis but also to prevention or disruption, so I think it has to be made clearer that this does not expand the mandates of all of the recipient institutions.

In addition, again on the theme of why so many people in civil society are rightly suspicious about this act, section 9 provides a very broad immunity from civil consequences. Not only does this raise the spectre of allowing the sort of information sharing that harmed Maher Arar and many other people, but it also puts yet another barrier to getting civil compensation should information sharing—and in particular I would stress information sharing about security threats—impose harm on people who may very well want to seek compensation for it and who may very well want to restore their reputation.

Just because Mr. Arar's reputation, at least in Canada, has been restored, we should not forget that this was because of the extraordinary event of a public inquiry. Perhaps one of the most objectionable parts of Bill C-51 is that it allows a very broad, overly broad, permissive regime for information sharing. It does so in an unclear, poorly drafted manner, and it does not ensure that there be mandatory information sharing about that information that is most relevant to direct threats to the real security interests of people in Canada.

Thank you very much.

Thank you for the opportunity to be here today.

The Canadian Civil Liberties Association is a non-partisan, independent, non-governmental organization that for 52 years has worked to protect rights and liberties and particularly to fight against injustice and wrongdoing. We support constitutionally compliant government action that provides effective security. I feel that this is an important context in which to begin my comments today.

We have serious concerns about the Security of Canada Information Sharing Act, which I will refer to as SCISA, and we are concerned by further confusions introduced by the green paper. I will outline five considerations here today.

First, information sharing is a critical component in countering terrorist activities, but such information sharing must be effective. This means that the information collected must be reliable and subject to constitutional requirements of necessity and proportionality and constitutional safeguards including caveats on use, retention, access, and dissemination. All of these, and legally enforceable provisions, are missing in the SCISA.

The scope of permitted information sharing is drawn from the definition in the act of “activities that undermine the security of Canada”, which we find to be astoundingly overbroad and which can capture all sorts of unnecessary and disproportionate information on legitimate activities, thereby effectively relegating Canadians to being potential suspects.

Further, the information sharing scheme superimposes vast information sharing on top of imperfect information-sharing structures already existent in Canada. In effect, there are 17 agencies, only three of which have any review structures, in over 100 departments. Again, this is information sharing with inadequate or non-existent review structures.

While we understand that the SCISA may have introduced some clarity for hesitating zealous officials who will now feel they have a green light to go ahead and share certain information, the scheme does absolutely nothing to ensure the reliability of the information or to ensure that constitutional principles of necessity and proportionality and the safeguards of caveats are observed.

Third, increased and integrated information collection and sharing powers are not matched in this act by increased and integrated review structures, and this is a serious concern for CCLA. Our country has witnessed the severe injustices of mistaken and faulty and even failed information sharing. Three federal commissions of inquiry—Arar, Iacobucci, and Air India—have provided observations and lessons that are not implemented or even, it seems, reflected in SCISA.

My second-last point is that SCISA engages section 7 of the charter rights of individuals. The definition of activities that undermine the security of Canada is unconstitutionally vague and can impact the security and liberty rights of individuals as found in section 7.

As the scheme is structured, violations can occur without the knowledge of an affected person, and even if there is knowledge, without an appropriate review structure there's nowhere to bring a complaint, given the absence of any one review structure with jurisdiction to review all the agencies empowered to share information.

In the past, government has stated that the Privacy Commissioner and the Auditor General have review powers, but their mandates and resources do not provide the jurisdiction and powers that would be required to properly review the information sharing that exists under the SCISA.

As CCLA has observed in its application, which is on hold before the courts, even the three existing review bodies for CSIS, the CSE, and the RCMP have no powers to compel the government to follow specific interpretations of the law. Further, the secrecy under which the sharing occurs renders any defence against illegal sharing illusory.

Finally, CCLA is seriously concerned that information sharing implicates section 8 of the charter as set out by the Supreme Court of Canada in its interpretations in Wakeling. SCISA permits a form of disclosure of information that is unreasonable within the meaning of section 8, and there are no checks and balances on such sharing.

Thank you.

Relevance is the broadest concept, in the sense that information can be relevant but at the end of the day prove not to be material or tremendously useful. It's a broad concept. It's roughly analogous to the disclosure standards we demand of the crown for purposes of criminal prosecution.

Necessity dictates that you ask yourself whether the information that you're proposing be shared meets a materiality threshold. Is it material for the purpose of addressing this particular security concern? There's a more direct link, in other words, between the information and the security issue that you're trying to resolve.

At the end of the day—and this might be one of the concerns one has about these legal terms—these legal terms are subject to interpretation and construal within government. While we advance the idea and agree with the privacy commissioner that it's important to have more robust terminology that government lawyers and officials will interpret, at the end of the day it's also vital that there be an independent third party that is capable of scrutinizing the actual application. That would raise some of the issues that Ms. Pillay mentioned in terms of the accountability structure and review bodies.

It's very difficult, because information moves and is very difficult to track and can accrue in different places and different databases.

The accrual of information in the hands of different agencies is a perennial problem, so there are safeguards. The first safeguard is on collection, in that historically, privacy has been about restricting the capacity of government to collect information in the first place. Then, once it's collected, there's the issue of retention and use, so safeguards include limitations on how long information can be retained in a given database before it must be expunged, as well as information on how it can be used, and in “use” of information, we also include sharing.

Putting in place protocols that mitigate the spread of information through government agencies is probably the best we can do, coupled with effective auditing thereafter to ensure compliance and conformity with those dictates.

I suspect Ms. Pillay may also have some views on that as well.

Thank you.

I agree with everything that Professor Forcese has just said.

In addition to collection and retention and use, we're also concerned about access, and we're very concerned about what happens in the absence of caveat. If there aren't any written agreements as to how this information was collected and how it should be used and if there are no limits around how it's used and who it's shared with, once that information leaves the hands of A, it's effectively out of the control of A. As I mentioned at the outset, we're very concerned about injustices that can occur when a piece of information is mistakenly shared, or when, as in the case of Maher Arar, the information that is shared is full of error and innuendo that can result in serious harm to an individual.

I also mentioned, as did Professor Roach, the many issues that came up in the Air India inquiry, namely the concerns around information that was mistakenly withheld between agencies. None of that is properly addressed or cured by SCISA, nor is any illumination provided by the green paper.

Does Kent want to try that?

If people can hear me, I wouldn't mind quickly addressing that and one other point that was raised.

The concern would be paragraph 2(i), where if your constituent is doing an activity that takes place in Canada and undermines the security of another state, even a repressive state, there is a possibility that the information not only will be shared, but if you look at section 5, the criteria is relevance to, among other things, detection and prevention.

One of the concerns about relevance is that it allows data mining. That relevance to detection and prevention can include a vast range of information that on its own may be innocuous, but when combined with more information that is available through computer data banks can reveal quite a bit.

The last thing I would say goes back to what my colleagues have talked about, the importance of review. I think it's very important for this committee not to just look at this act in isolation. The absence of credible review for all of the institutions, combined with the fact that the government appears in the green paper to at least be seriously considering getting more data from metadata and other things feeds into what I would say is a justifiable lack of confidence that many Canadians have about how this information, once it is collected by one part of government, is going to be shared, stored, and accessed by other parts of government.

Yes.

Yes. I participated in one consultation here in Ottawa, and my colleagues participated at an open mike in Toronto.

Yes.

At the Munk School we've hosted one consultation, and we will be hosting another consultation later this month.

As I said in my opening comments, and also with Justice Major's recommendations, I agree about mandatory sharing, about intelligence, and about possible terrorism offences. That would be an example of a mandatory requirement as opposed to the permissive requirement, but it's a much more narrowly focused requirement than we see in section 2 of this act.

I completely agree with Professor Roach. I would just add that in addition to the mandatory sharing, as recommended by Justice Major, the principles of necessity and proportionality exist to allow for sharing when it's precisely that: when it's necessary.

It becomes a question of definition. The problem with section 2 is that the definition is so sweeping that it encompasses things that aren't bona fide national security issues. Essentially, privacy then becomes superseded by more extraneous considerations.