Thanks very much to the committee for their kind invitation. I'm sorry I can't be there in person this time.
My name is Michael Karanicolas, and I am employed as the senior legal officer for the Centre for Law and Democracy, an NGO based in Halifax. We work to promote foundational rights for democracy, with a particular emphasis on freedom of expression and increasingly on privacy, given that many of the biggest threats to freedom of expression currently present in overly intrusive surveillance systems. Indeed, the nexus between bulk data collection and inhibitions on speech has been widely noted, including by the UN special rapporteur on freedom of opinion and expression.
It is also recognized under international human rights law that states need to put in place effective systems to address terrorism and other threats to security. Among other things, this is necessary to uphold democracy and the whole system of respect for human rights, including freedom of expression. At the same time, international law establishes the clear necessity for balancing security against other fundamental human rights, including privacy.
I do want to mention at the outset that I was greatly troubled by the overall tone of the “Our Security, Our Rights” green paper. It presented readers with a series of ticking-bomb scenarios, seemingly designed to bolster support for expanding powers by painting a picture that focused on the limits of Canada's police and security agencies and the ways in which terrorists are apparently outwitting them. Although the green paper gives a perfunctory nod to civil rights concerns, the green paper could have been improved, or at least balanced, by including scenarios in which these powers are and have been misused.
The green paper also muddies the waters regarding the limits of information sharing by noting, on page 27, that it helps law enforcement by facilitating information sharing without worries about whether the actions violate the Privacy Act. However, just two pages later, the paper's decision-making chart states, as its final step, that information may not be shared if the disclosure runs contrary to another law. We believe this should be resolved by clarifying that the Privacy Act does indeed apply to the Security of Canada Information Sharing Act.
The Privacy Commissioner has also recommended that rather than the current standard, which dictates that certain federal government institutions may share information among themselves so long as it is relevant to the identification of national security threats, a standard of being necessary should be put in place. We support this recommendation, and add the note that if we're talking about security, data minimization, whereby organizations seek to limit material stored to what is strictly necessary, is a cardinal principle of digital security. We can look south of the border for lessons on this, as over-storage was one of the reasons last year's hack of the U.S. Office of Personnel Management was so catastrophic.
I think we can also look south of the border for a fairly striking lesson on why it's so important to craft this legislation carefully, with as little scope for potential abuse as possible. It's easy to look at people who one might broadly trust to exercise their powers responsibly and to forget that one of the consequences of democracy is that the nature and state of the people in charge can change very quickly, potentially bringing into power people whose definitions of phrases like “activities that undermine the security of Canada” may be dangerously expansive. Flexibility, as the green paper seemingly welcomes, is very much a double-edged sword.
In that vein, we support the recommendations of Professors Roach and Forcese that the language of “undermine the security of Canada” should be narrowed so that the application of the act is limited to “threats to the security of Canada”, as established in the CSIS Act, and that the act should mirror the language found in item 83.01(1)(b)(ii)(E) of the Criminal Code on the exceptions, whereby “advocacy, protest, dissent or stoppage of work that is not intended to result in the conduct or harm referred to in any of clauses (A) to (C)”—i.e., endangering life, health, or security—should not be subject to the act.
We also broadly support the Privacy Commissioner's recommendation that in addition to parliamentary review, institutions permitted to receive information for national security purposes should be subject to expert or administrative independent review. We noted with alarm that 14 of the 17 entities authorized to receive information for national security purposes under the SCISA are not subject to dedicated independent review or oversight. As well, of the 17 entities authorized to collect information under the SCISA, only two had indicated that privacy impact assessments, a fundamental step, were necessary and were under development. There are several models of independent oversight to look to here, including the United Kingdom and Australia, both of which have a dedicated independent monitoring system in place.
I'm going to be brief here because I think that a lot of our recommendations will echo what you've heard from others.
To wrap up, although the online world certainly presents novel challenges to law enforcement, it is worth noting that the tool kit available to our security agencies today is vastly more powerful when compared to their investigative capabilities 20 or 30 years ago. That's true both in relative terms and in absolute terms. This requires carefully crafted limits to protect and safeguard fundamental human rights.
Thank you.