Information & Ethics Committee on Dec. 13th, 2016

Thank you very much, Mr. Chair, to you and to the committee.

My name is Micheal Vonn, and I'm the policy director of the B.C. CLA.

I gather that there has been a great deal of general agreement among privacy and civil liberties organizations on SCISA, as I'm going to refer to it. My association is certainly among those that have called for the complete repeal of the act, but rather than repeat concerns that you may be very familiar with at this stage, 25 witnesses in, I'm going to try to address some matters that I believe have not had as much discussion and that I hope will assist you in your deliberations.

The two matters I'm hoping to address are, first, the seriousness of the disruption caused by SCISA's blurring of the mandate of critically important federal institutions, and second, the evidence that rebuts the hope that other legislation will act as a moderating effect on SCISA.

On the first topic, which is the question of mandate, FINTRAC provides a ready example. The Office of the Privacy Commissioner of Canada does an intermittent audit of FINTRAC, and these audits have consistently found troubling overcollection and retention of personal data. Obviously, there are some discrete remedies that are available to address some of these issues, as indicated by the recommendations in the OPC's report, but in the main, because the standard of suspicion is very low and the prejudice to individuals is very high, FINTRAC itself has long maintained that one of its primary safeguards for privacy is its independence from law enforcement. Now, with the almost unfettered access to information sharing authorized by SCISA, the independence of FINTRAC in this regard is essentially fictional.

The kind of screening mechanism that is the basis for a regime like FINTRAC's is founded on a necessary balancing. The entire enterprise, of course, is one that can only be justified under very compelling need. FINTRAC has extraordinary powers of data gathering. Personal information that clearly commands a reasonable expectation of privacy is nevertheless compelled by the law in such a way that vast over-reporting is a given. Indeed, only the tiniest fraction of reported individuals and entities are ever found to be conducting themselves in any problematic way. To balance this state of extreme prejudice to innocent parties, we require sufficient counterbalancing protections. The basis for that balancing in the FINTRAC regime is now decidedly unsettled by SCISA, even to the point where its constitutionality may be at issue.

The effect on the mandate of federal agencies covered by SCISA may indeed be difficult to assess in the short term, but indications are already very troubling. Because I happen to work in a very broad sphere of rights advocacy, I am in a position to tell you, for example, that health policy advocates are now having to reconsider policy positions and proposals in light of the fact that there is very little confidence in the privacy protections afforded to patient information held by Health Canada, because of the sweeping nature of the access that is granted through SCISA.

Even more so, Veterans Affairs is likely to have grave difficulty convincing Canadian veterans that their extremely sensitive and highly prejudicial personal information, such as physical and mental health information, is appropriately protected. We may of course recall that it was just a few short years ago that Canada saw what I would argue was its single most appalling medical privacy scandal in relation to veterans' medical information. Sean Bruyea, a veteran's advocate, had his confidential medical files passed around by federal bureaucrats in an apparent effort to discredit him and his advocacy on behalf of veterans. This, you will recall, was an extremely high-profile national scandal, in which this veteran's medical information found its way even into ministerial briefing notes.

The unprecedented all-of-government information-sharing capacity afforded by SCISA can only be seen to undermine whatever trust has been rebuilt between veterans and the federal government since the Bruyea scandal. It obviously has a negative impact on the very mandate of Veterans Affairs.

Moving now to my second point, I would like to highlight not only that SCISA has no requirement for individualized grounds for data collection and can facilitate the sharing of entire databases but that it also seems likely that it was enacted precisely for the purpose of bulk data acquisition. It does not seem likely that the model of information sharing that is in SCISA is meant to address merely the possible need for clarification of the disclosures that were permissible under the Privacy Act. I note that during the Vancouver Olympics, when the police were discovered to have purchased a military-grade sonic weapon, they said they were only planning to use it as a giant megaphone, yet they did not buy a giant megaphone: they bought a sonic cannon. Similarly, we did not get an amendment to the Privacy Act: we got SCISA.

This fall we have seen a litany of incidents in which CSIS in particular has been seen to be unmoored from lawfulness in important aspects of its primary activities. It must be noted that the alarm and concern that has been sounded so strongly, not least by the Federal Court, pertains mainly to the collection, use, and retention of bulk data. Sadly, we have learned that section 12 of the CSIS Act, which is the standard for strict necessity, has proved to be very little barrier to CSIS accessing bulk data. As we know from the only SIRC audit ever done, released this fall, SIRC found no evidence to indicate that CSIS had appropriately considered the threshold as required in the CSIS Act in the collection of their bulk data. As a result, it is possible at this juncture that the vast majority, or even everything, in the CSIS bulk data holdings constitutes illegal spying on Canadians.

It has been argued that the troublingly low thresholds for sharing information in SCISA are tempered by the Privacy Act and other governing legislation, including the CSIS Act. Certainly recent events give us no reason to be confident that they are operating as meaningful protections. Not only have some of the recently discovered violations of the CSIS Act been going on for over a decade, but none of them appears to have been remedied. Indeed, there is widespread concern that they will not be remedied and will be condoned with after-the-fact legislation, which will further corrode public trust.

At this juncture, we simply have too much evidence to the contrary to accept that SCISA has checks and balances that will mitigate the unprecedented scale of information disclosure that it allows. The reality is that these other legislated potential checks have been failing utterly to meaningfully constrain bulk data acquisitions. It is untenable to claim at this juncture that finding out about a decade's worth of illegal spying is the system working; it is clearly the system not working.

The notion that we have an effective limitation to SCISA in other legislation has thus far not proved true. It is nevertheless not the model that should be applied. It is SCISA itself, which was never justified and which actually undermines the very mandates of some of its included agencies, that must be repealed. Amendments, in our position, and clarifications on disclosure powers, if they are needed, should be part of the Privacy Act.

Those are my prepared comments. Thank you very much.

Thanks very much to the committee for their kind invitation. I'm sorry I can't be there in person this time.

My name is Michael Karanicolas, and I am employed as the senior legal officer for the Centre for Law and Democracy, an NGO based in Halifax. We work to promote foundational rights for democracy, with a particular emphasis on freedom of expression and increasingly on privacy, given that many of the biggest threats to freedom of expression currently present in overly intrusive surveillance systems. Indeed, the nexus between bulk data collection and inhibitions on speech has been widely noted, including by the UN special rapporteur on freedom of opinion and expression.

It is also recognized under international human rights law that states need to put in place effective systems to address terrorism and other threats to security. Among other things, this is necessary to uphold democracy and the whole system of respect for human rights, including freedom of expression. At the same time, international law establishes the clear necessity for balancing security against other fundamental human rights, including privacy.

I do want to mention at the outset that I was greatly troubled by the overall tone of the “Our Security, Our Rights” green paper. It presented readers with a series of ticking-bomb scenarios, seemingly designed to bolster support for expanding powers by painting a picture that focused on the limits of Canada's police and security agencies and the ways in which terrorists are apparently outwitting them. Although the green paper gives a perfunctory nod to civil rights concerns, the green paper could have been improved, or at least balanced, by including scenarios in which these powers are and have been misused.

The green paper also muddies the waters regarding the limits of information sharing by noting, on page 27, that it helps law enforcement by facilitating information sharing without worries about whether the actions violate the Privacy Act. However, just two pages later, the paper's decision-making chart states, as its final step, that information may not be shared if the disclosure runs contrary to another law. We believe this should be resolved by clarifying that the Privacy Act does indeed apply to the Security of Canada Information Sharing Act.

The Privacy Commissioner has also recommended that rather than the current standard, which dictates that certain federal government institutions may share information among themselves so long as it is relevant to the identification of national security threats, a standard of being necessary should be put in place. We support this recommendation, and add the note that if we're talking about security, data minimization, whereby organizations seek to limit material stored to what is strictly necessary, is a cardinal principle of digital security. We can look south of the border for lessons on this, as over-storage was one of the reasons last year's hack of the U.S. Office of Personnel Management was so catastrophic.

I think we can also look south of the border for a fairly striking lesson on why it's so important to craft this legislation carefully, with as little scope for potential abuse as possible. It's easy to look at people who one might broadly trust to exercise their powers responsibly and to forget that one of the consequences of democracy is that the nature and state of the people in charge can change very quickly, potentially bringing into power people whose definitions of phrases like “activities that undermine the security of Canada” may be dangerously expansive. Flexibility, as the green paper seemingly welcomes, is very much a double-edged sword.

In that vein, we support the recommendations of Professors Roach and Forcese that the language of “undermine the security of Canada” should be narrowed so that the application of the act is limited to “threats to the security of Canada”, as established in the CSIS Act, and that the act should mirror the language found in item 83.01(1)(b)(ii)(E) of the Criminal Code on the exceptions, whereby “advocacy, protest, dissent or stoppage of work that is not intended to result in the conduct or harm referred to in any of clauses (A) to (C)”—i.e., endangering life, health, or security—should not be subject to the act.

We also broadly support the Privacy Commissioner's recommendation that in addition to parliamentary review, institutions permitted to receive information for national security purposes should be subject to expert or administrative independent review. We noted with alarm that 14 of the 17 entities authorized to receive information for national security purposes under the SCISA are not subject to dedicated independent review or oversight. As well, of the 17 entities authorized to collect information under the SCISA, only two had indicated that privacy impact assessments, a fundamental step, were necessary and were under development. There are several models of independent oversight to look to here, including the United Kingdom and Australia, both of which have a dedicated independent monitoring system in place.

I'm going to be brief here because I think that a lot of our recommendations will echo what you've heard from others.

To wrap up, although the online world certainly presents novel challenges to law enforcement, it is worth noting that the tool kit available to our security agencies today is vastly more powerful when compared to their investigative capabilities 20 or 30 years ago. That's true both in relative terms and in absolute terms. This requires carefully crafted limits to protect and safeguard fundamental human rights.

Thank you.

Thank you.

Thank you for inviting me, and I congratulate you on the report you released yesterday on the Privacy Act. I was looking at it quickly on the plane this morning and I look forward to reading it more carefully later; it looks excellent.

Today the focus of my remarks is that I want to outline why I believe that the Security of Canada Information Sharing Act, or SCISA, as I'll call it, is constitutionally deficient and should be repealed. I agree with the commentators who have argued for that. Even if it's the view of this committee that it should not be repealed, I hope that if you think about ways to make it less problematic, you will do so with a strong emphasis on charter rights in thinking that through. That's what I'm going to focus on here.

Canada's constitutional jurisprudence is very clear that information-sharing practices within the government and with foreign states can attract charter scrutiny. Just because the state has collected information for one purpose does not mean there is no remaining reasonable expectation of privacy in that information. This is the crucial point. It's absolutely clear from the Supreme Court of Canada's jurisprudence on section 8.

Generally there can be a reasonable expectation of privacy in information the government already has for some purpose, and where there's a reasonable expectation of privacy, the starting point for constitutional analysis under section 8 is that the state should not get access to this information unless there is prior authorization on a standard of reasonable and probable grounds. Departures from these protections can be authorized by law, but those laws must be reasonable. In other words, such departures require constitutional justification. It's also difficult to establish such a justification in the absence of reasonable safeguards for this information, and again jurisprudence is speaking a lot about the need for safeguards in doing this kind of reasonableness analysis. That comes out strongly in the Wakeling decision.

The question, then, is.... SCISA allows information sharing on a standard of relevance. There is no prior authorization, and as I'll outline, almost no safeguards are mandated in the act. This is a clear departure from that starting point, and the question is, can you justify this constitutionally? I think one of the main problems with this whole justification question is the basic problem that I think the Privacy Commissioner of Canada and all his provincial and territorial counterparts have laid out in their submission on the government's national security green paper, in which they state “...we have yet to hear a clear explanation, with practical examples, of how the previous law prevented the sharing of information needed for national security purposes.”

You have clear questions from very serious commentators in Canada saying you haven't met the threshold for public justification for this act at all, and given that there are these departures from what I'm arguing are clear constitutional standards, there's a real dilemma here.

What we do have in Canada are two sets of very careful recommendations regarding information sharing that come out of the Air India inquiry and the Arar commission. Many of these recommendations are narrower in scope than what SCISA provides. For example, the Air India inquiry's information-sharing recommendations concern very specific types of targeted sharing among a small number of institutions, rather than the broad sharing contemplated by SCISA, and some of the recommendations in the Air India inquiry are actually stronger than what SCISA provides. For example, they recommended that CSIS be required to share information with the RCMP, and you don't see this reflected in the act.

With the Arar commission, many recommendations also touch on information sharing, but notably when the Arar commission discusses the Privacy Act, it speaks favourably of the existing exemptions. It says exceptions for consistent use in law enforcement in the public interest are all fine. It does not say that a new authorization is required that would engage paragraph 8(2)(b) of the Privacy Act. That's the provision that says you can share information “for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure”. That's the provision in SCISA that many people interpret as opening the door to this broad sharing. The Arar commission did not ask for that. It said the existing exemptions and the way they were being used was perfectly fine, and it also indicated that the proper scope of the consistent use exemption should be informed by charter jurisprudence.

The Arar commission does not talk about the need for new information-sharing powers, but it does talk a lot about the need for written agreements, the requirement of caveats when sharing with foreign states, issues of accuracy and reliability of information, and the need to protect human rights.

None of these latter considerations are strongly reflected in SCISA. We have instead a list of guiding principles that are not requirements. It gives very weak support for caveats. It talks about information-sharing arrangements, but not written agreements, which were very key to the Arar commission report. There's nothing about accuracy and reliability. There's nothing about sharing with foreign states and the potential human rights implications of doing so. There is weak language that they may make regulations about disclosures and record-keeping.

The Supreme Court of Canada jurisprudence suggests that the absence of appropriate safeguards for the sharing of data can undermine claims that the law is reasonable. We don't see any of that here, yet we have these strong reports in the Canadian public sphere that ask for all of these things.

I think that raises a serious question. We don't have the public justification for broad information sharing. What we do have is strong justification for a much narrower set of information sharing in SCISA, and in some cases stronger practices than we see in SCISA. It would be very difficult to justify, I think, the breadth of this act constitutionally.

There are other aspects. I think the sheer breadth of language like “activities that undermine the security of Canada” in this act is overbroad and also is going to raise those problems with respect to justification. You've heard that from other witnesses, so I won't belabour that point.

There have been a number of suggestions that you can change the “relevance” standard to one of necessity. I think that would be an improvement for sure, so in those terms I would support it. I think you should also think through how that might still remain problematic from a constitutional perspective. For example, the Privacy Commissioner of Canada makes this recommendation on the basis that necessity is the standard that CSIS must follow in relation to its investigative powers, as stated in section 12 of the CSIS Act. However, CSIS actually has to seek a warrant where its investigations intrude upon a reasonable expectation of privacy. The warrant provisions of the CSIS Act are a different part of the act, and they require prior judicial authorization. They require that such authorization meet a higher standard than necessity, that there are reasonable and probable grounds that such an intrusion is required, and that there is evidence that other investigative methods have failed or are likely to fail.

The reasonable and probable grounds standard is not simply a test of necessity. When many people talk about the necessity test, what they like to provide as an example from the constitutional context is the section 1 test. The section 1 test is dominated by ideas of minimal impairment. A minimal impairment analysis would be something like, “Do you need this information in order to reach your goal, and, in doing so, do you intrude upon privacy as little as possible?”, but reasonable and probable grounds contemplates that sometimes you do not get to pursue your goal, even if this pursuit is minimally impairing. Reasonable and probable grounds includes the idea of the likely effectiveness of reaching that investigatory goal, so even if you're not going to build in some kind of prior authorization threshold—although I still think that's a good idea—there's a need for efficacy review here. Are the powers effective? Are you actually meeting your goal? I don't see that anywhere in SCISA at all. At most, paragraph 4(d) gives you the guiding principle that

the provision of feedback as to how shared information is used and as to whether it is useful in protecting against activities that undermine the security of Canada facilitates effective and responsible information sharing;

“Feedback” in a guiding principle is not what's needed. There has to be some burden of proof that information sharing is effective—if not beforehand, then at least after the fact.

In conclusion, I want to echo some of the comments that Micheal Vonn was discussing with respect to the issues of bulk access. Much of the discussion of SCISA that the government provides in its green paper proceeds as if the government institutions will decide to share information about specific individuals at discrete points in time rather than share institutionally held datasets for the purpose of more sophisticated analytics, including automated data processing. However, many believe that the latter is precisely what SCISA at least enables, even if it's not being done now—I don't know—and this raises additional privacy concerns.

Many of these types of analytic techniques rely upon access to the personal information of individuals who are themselves under no suspicion at all. There are a number of privacy considerations there, but the considerations that touch upon charter issues are broader than that. There are a lot of freedom-of-association concerns that come with some techniques, especially when the data involved is either social media information or metadata information, whereby people's social networks can be mapped. There are freedom of expression issues at stake, as we've already heard from the Centre for Law and Democracy.

There are also equality concerns. How are these techniques being used? Are biases being built in, either in relation to the datasets that are being used or the types of algorithms that come out in respect to processing this information? There's emerging literature regarding algorithmic responsibility, and a lot of concern about how information is being processed and whether that leads to problematic biases and inaccuracies.

None of those concerns are possibly met by SCISA as it is drafted right now. As Micheal Vonn from the B.C. Civil Liberties Association indicated, there's a sense that if we overhaul the Privacy Act, that might temper some of the problems with SCISA. Sure, it will temper them, but I think that SCISA itself raises a lot of really specific charter questions, some of them about privacy and some of them about these related sets of issues in the national security context that on their own require justification and that the legislation as it stands is seriously deficient on.

Thank you.

I am, yes.

Certainly I agree. We don't actually even know what “undermining the security of Canada” means. It's unprecedented in Canadian law. It's terra incognita. Certainly it would be an improvement to go to the definitions that we are familiar with.

I don't know the report, so I don't want to talk about that specific report.

When you depart from a warrant...because you're not going to be dealing with that when you're dealing with use and disclosure, but when the government already has information, and the constitutional jurisprudence says there's still a reasonable expectation of privacy—not necessarily on all of it, but it can still attract a reasonable expectation of privacy—there's a constitutional question when there's further sharing of it or some subsequent use that's not the use that it was collected for, so the constitution is in play there.

Does that mean you need a warrant? No, the courts have allowed departures from warrant requirements in all sorts of contexts, but you still have to think through the charter question about whether this is reasonable or not.

I don't think this information should be shared without some review happening, at least after the fact. Part of what the reasonable and probable grounds says is that you have this threshold that gets you to the question of whether you are likely to get evidence, but what about after-the-fact efficacy review, so that if it turns out you're not actually meeting any intelligence goal or national security goal, you shut down whatever that information-sharing practice was?

In the absence of that, is the law reasonable? I don't think so, in the absence of some of the other sorts of safeguards, such as written agreements. The act talks about arrangements; they're in the guiding principles. The act doesn't require that there be rules around data retention and other sorts of protections.

I still don't understand why you want the relevance threshold when already under SCISA no one is going to get into trouble for good-faith sharing. If you have a necessity standard and that person is saying “I don't know” but in good faith says that they think this meets the necessity threshold, where's the concern?

Yes, because there's already a protection for the good-faith use of the act, so I don't know why you need an extra protection for the people sharing.

No. It's not sufficient from my perspective.

Again, what we've just learned about what's happened about SIRC reviewing CSIS and its bulk data holdings should give us no confidence that we are going to be able to get the kinds of privacy protections that Canadians expect for the information for which they have a reasonable expectation of privacy. Ten years running, we have seen bulk data collection that is illegal, although SIRC had the obligation not to collect it unless it was strictly necessary.

Again, we cannot say that we have a system of oversight that is effectively dealing with, in this case, the illegal—let alone problematic—information sharing that's going on in this sphere.

I would echo that there needs to be an independent civilian oversight rather than bundling this into the Privacy Commissioner.

I'll start by saying what I should have said at the outset as well, which is that I want to also congratulate you on the reforms to the Privacy Act, which look great. There's a lot of good stuff in there.

Generally speaking, we've talked about how this is a privacy concern, but it also touches on freedom of expression and freedom of association. There's a broad and specialized basket of issues that come up, and I think they should be dealt with by a dedicated oversight body.

That's a very broad statement, so it's tough to fully endorse it. I do think that information sharing by itself is not necessarily a bad thing. As you point out, obviously agencies need to be able to work together, and if you have two agencies with a different mandate, and one of them has information that is of relevance to the other's duty, certainly information sharing is not necessarily negative. It just needs to be done, first of all, with respect to the principle of data minimization. You need to look very carefully at the organization's mandate to see what kind of information it is keeping, what kind of information it is sharing, and what kind of warehouse it is building, and be sure that is done in a way that's going to keep this information secure and protect the privacy of Canadians. Then beyond that, I would say there's a strong need for clear rules to be put in place.

I don't think we're hostile to sharing information. I think our broad point is that it needs to be done according to clear and carefully constructed rules to ensure that the system operates and that the system can't be pushed in abusive directions.