Information & Ethics Committee on Nov. 22nd, 2016

Do you mean whether it's a necessity in terms of maybe not being necessary for this legislation to be adopted at all, or as a threshold for transactions and information?

I would say that, yes, it is our main concern. It is not our only concern, of course, but it is the issue that I relate most directly to the ultimate risk, which is, I think, the risk to law-abiding citizens.

Absolutely. I'm not disputing that at all.

The question is whether the previous authorities were sufficient, whether this new legislation was necessary, and, regardless, whether there are appropriate safeguards to ensure that this worthwhile activity does not create risks beyond those that are necessary.

Again, I would point out the risk to law-abiding citizens, to taxpayers, to travellers. There's no rule at this point in this bill that says that after information has been analyzed with a view to detecting national security threats, as it should be—that for the vast majority, for 99.99% of the people, whose information is shared—it should be destroyed ASAP.

It's the latter. There's nothing in SCISA that legally requires this type of review or analysis.

I can do a review, as I'm doing, on my own initiative. I can investigate complaints, if they are made. However, in this type of area, the people who may complain don't know what's happening, so it's unlikely that there will be complaints raised to my office.

Of course, there are other oversight bodies that can act. However, in terms of, as you put it, internal controls, governance mechanisms, they exist, but they are wholly administrative. There's no legal requirement to have them.

I will say yes, and I can expand that to say the law facilitates, as a legal matter, information sharing. The safeguards—and you say, the “controls”, but I'll say the “safeguards”—to ensure that these activities are not excessive are administrative and not legally required for the most part.

I'll repeat that there are no legally required controls. There is a reference in the preamble to SCISA that says, among other things, that information sharing should occur responsibly. That's advice given by Parliament to departments, and I'm sure this advice in the preamble will lead to certain actions within the public service. However, it's left completely to the public service to determine what kind of controls or governance structure they will put in place to live by this principle of responsible information sharing.

We don't need to be overly prescriptive, but I think there need to be some high-end controls, safeguards, and governance mechanisms to ensure that this broad authority given by Parliament is exercised responsibly.

It starts with the legislation itself, so I would say that the standard matters and rules around retention matter. It should not be for the bureaucracy to decide how long they are going to keep the information. There should be rules of law on this.

There should be a legal requirement to have agreements whereby you bring the general principles to something more down to earth—what kind of information will be shared for what purpose, etc. Some accountability mechanisms in these agreements would be helpful.

Review of the agreements by review bodies like me, like SIRC, and so on would be helpful, because that will put an expert lens on whether the agreements strike the right balance. It will inform the review bodies as to how to direct their case investigations further down the road.

The latter is certainly possible. I don't see why SIRC, the OPC, or other review bodies would not be able to see the complete text of agreements. There may be some cases in which certain provisions should not be disclosed to the public for reasons of undermining methods of operation, but, by and large, I think the agreements could be public, subject to few and limited exceptions.

I feel there are insufficient safeguards in the legislation to prevent that kind of risk from materializing. I'm not saying that government officials involved in national security are in bad faith and are looking to do surveillance of the population, but the safeguards are insufficient.

It's not just a theoretical concern. We have seen cases in the recent past where there has been excessive, sometimes unlawful, collection or retention of information. Think of the report of the CSE commissioner who found that the CSE had disclosed metadata to other countries illegally. Think of the recent judgment by the Federal Court that found that CSIS had unlawfully retained the metadata of a large number of law-abiding individuals who are not threats to national security because CSIS felt it needed to keep that information for analytical purposes.

These are not theoretical risks. These are real things, real concerns. Do we want a country where the security service has a lot of information about most citizens with a view to detecting national security threats? Is that the country we want to live in?

We have seen real cases in which CSIS had in its bank of information the information about many people who did not represent a threat. Is that the country we want?

I would start with a threshold, but review is also important. To me, in order to have the right balance, you need the right safeguards and the threshold. The issue of relevance versus necessity is very important, but you also need review of these activities by independent review bodies. It's the combination of the two that I think elevates the possibility of having a balanced system.

It is alarming.