Thank you very much, Mr. Chair, to you and to the committee.
My name is Micheal Vonn, and I'm the policy director of the B.C. CLA.
I gather that there has been a great deal of general agreement among privacy and civil liberties organizations on SCISA, as I'm going to refer to it. My association is certainly among those that have called for the complete repeal of the act, but rather than repeat concerns that you may be very familiar with at this stage, 25 witnesses in, I'm going to try to address some matters that I believe have not had as much discussion and that I hope will assist you in your deliberations.
The two matters I'm hoping to address are, first, the seriousness of the disruption caused by SCISA's blurring of the mandate of critically important federal institutions, and second, the evidence that rebuts the hope that other legislation will act as a moderating effect on SCISA.
On the first topic, which is the question of mandate, FINTRAC provides a ready example. The Office of the Privacy Commissioner of Canada does an intermittent audit of FINTRAC, and these audits have consistently found troubling overcollection and retention of personal data. Obviously, there are some discrete remedies that are available to address some of these issues, as indicated by the recommendations in the OPC's report, but in the main, because the standard of suspicion is very low and the prejudice to individuals is very high, FINTRAC itself has long maintained that one of its primary safeguards for privacy is its independence from law enforcement. Now, with the almost unfettered access to information sharing authorized by SCISA, the independence of FINTRAC in this regard is essentially fictional.
The kind of screening mechanism that is the basis for a regime like FINTRAC's is founded on a necessary balancing. The entire enterprise, of course, is one that can only be justified under very compelling need. FINTRAC has extraordinary powers of data gathering. Personal information that clearly commands a reasonable expectation of privacy is nevertheless compelled by the law in such a way that vast over-reporting is a given. Indeed, only the tiniest fraction of reported individuals and entities are ever found to be conducting themselves in any problematic way. To balance this state of extreme prejudice to innocent parties, we require sufficient counterbalancing protections. The basis for that balancing in the FINTRAC regime is now decidedly unsettled by SCISA, even to the point where its constitutionality may be at issue.
The effect on the mandate of federal agencies covered by SCISA may indeed be difficult to assess in the short term, but indications are already very troubling. Because I happen to work in a very broad sphere of rights advocacy, I am in a position to tell you, for example, that health policy advocates are now having to reconsider policy positions and proposals in light of the fact that there is very little confidence in the privacy protections afforded to patient information held by Health Canada, because of the sweeping nature of the access that is granted through SCISA.
Even more so, Veterans Affairs is likely to have grave difficulty convincing Canadian veterans that their extremely sensitive and highly prejudicial personal information, such as physical and mental health information, is appropriately protected. We may of course recall that it was just a few short years ago that Canada saw what I would argue was its single most appalling medical privacy scandal in relation to veterans' medical information. Sean Bruyea, a veteran's advocate, had his confidential medical files passed around by federal bureaucrats in an apparent effort to discredit him and his advocacy on behalf of veterans. This, you will recall, was an extremely high-profile national scandal, in which this veteran's medical information found its way even into ministerial briefing notes.
The unprecedented all-of-government information-sharing capacity afforded by SCISA can only be seen to undermine whatever trust has been rebuilt between veterans and the federal government since the Bruyea scandal. It obviously has a negative impact on the very mandate of Veterans Affairs.
Moving now to my second point, I would like to highlight not only that SCISA has no requirement for individualized grounds for data collection and can facilitate the sharing of entire databases but that it also seems likely that it was enacted precisely for the purpose of bulk data acquisition. It does not seem likely that the model of information sharing that is in SCISA is meant to address merely the possible need for clarification of the disclosures that were permissible under the Privacy Act. I note that during the Vancouver Olympics, when the police were discovered to have purchased a military-grade sonic weapon, they said they were only planning to use it as a giant megaphone, yet they did not buy a giant megaphone: they bought a sonic cannon. Similarly, we did not get an amendment to the Privacy Act: we got SCISA.
This fall we have seen a litany of incidents in which CSIS in particular has been seen to be unmoored from lawfulness in important aspects of its primary activities. It must be noted that the alarm and concern that has been sounded so strongly, not least by the Federal Court, pertains mainly to the collection, use, and retention of bulk data. Sadly, we have learned that section 12 of the CSIS Act, which is the standard for strict necessity, has proved to be very little barrier to CSIS accessing bulk data. As we know from the only SIRC audit ever done, released this fall, SIRC found no evidence to indicate that CSIS had appropriately considered the threshold as required in the CSIS Act in the collection of their bulk data. As a result, it is possible at this juncture that the vast majority, or even everything, in the CSIS bulk data holdings constitutes illegal spying on Canadians.
It has been argued that the troublingly low thresholds for sharing information in SCISA are tempered by the Privacy Act and other governing legislation, including the CSIS Act. Certainly recent events give us no reason to be confident that they are operating as meaningful protections. Not only have some of the recently discovered violations of the CSIS Act been going on for over a decade, but none of them appears to have been remedied. Indeed, there is widespread concern that they will not be remedied and will be condoned with after-the-fact legislation, which will further corrode public trust.
At this juncture, we simply have too much evidence to the contrary to accept that SCISA has checks and balances that will mitigate the unprecedented scale of information disclosure that it allows. The reality is that these other legislated potential checks have been failing utterly to meaningfully constrain bulk data acquisitions. It is untenable to claim at this juncture that finding out about a decade's worth of illegal spying is the system working; it is clearly the system not working.
The notion that we have an effective limitation to SCISA in other legislation has thus far not proved true. It is nevertheless not the model that should be applied. It is SCISA itself, which was never justified and which actually undermines the very mandates of some of its included agencies, that must be repealed. Amendments, in our position, and clarifications on disclosure powers, if they are needed, should be part of the Privacy Act.
Those are my prepared comments. Thank you very much.