Information & Ethics Committee on Dec. 13th, 2016

I think the recommendations that have been spelled out, first by the Privacy Commissioner and then by Roach and Forcese, are a good start. I think that expanding the role of the Privacy Commissioner, as it appears is being done—particularly the move to order-making power, which I was ambivalent about—is a good step in this regard. I was ambivalent about it regarding the private sector; applying it to the public sector I think is quite good.

It's a big question to answer. Generally speaking, it's just about putting proper safeguards in place. That's kind of a vague answer, but I can unpack it more carefully with respect to specific aspects of it if you want.

Proper oversight is key. I just mentioned how I don't necessarily have the full picture. It's important to have an oversight body that has access and can view the full picture. There can be a danger in terms of stovepipe oversight, whereby oftentimes the overall harm of a particular system is greater than the segmented harm of each individual component of it, so it's important to allow an oversight body to get the full picture and to have access to classified information that would let them fully see if the measures that are being taken are appropriate to the needs of the security agencies.

I want to echo what we heard previously about the need to make the case not only internally in that regard but also to Canadians, and to show why we necessarily need to expand our powers more than they've already been done.

I think that we've seen that the tool kit, the level of powers of investigation, of data processing, of law enforcement and security agencies have all expanded exponentially over the past few decades, and I don't necessarily think that there's been a concomitant understanding about the implications of this to privacy rights of Canadians. I think there needs to be a consideration of the significant expansion of information sharing and surveillance that has taken place in the historical context, but also I think context is important in terms of the threats that we face today. Terrorism has been around for a long time, and I think we need to ask ourselves if we are necessarily facing unprecedented threats. Are we facing threats that are greater than they were during the FLQ crisis, greater than the U.K. faced in the 1980s from the IRA?

These are challenges that we've dealt with previously, and we've been able to establish safeguards in place that properly respect Canadians' privacy rights. I'm not sure if the case has been made that there's a new challenge that justifies additional legislation.

Sure. Thank you very much for the question. It's part of why I wanted to bring up the issue of the mandate of the various agencies.

As I'm pointing out, the real-life effects of this are right now. People who are talking about such issues as how we are going to make an effective national pharmacare system in Canada meaningful for people's health are saying, “Oh, dear; what about SCISA and the fact that Health Canada is impacted by this detrimental impact on patients' information rights?” That is affecting people in their ability to essentially govern ourselves, benefit our health, etc. On a very real level, these discussions right now are impeding our ability to effectively govern ourselves.

On an individual level, it has mass implications. As I say, I am of the opinion—and I share it with various of my colleagues—that if you were going to do one thing to reduce the abuse power of SCISA, make it so that you could not have bulk data transfers as part of it.

If there was confusion about what individual suspicion standards of information sharing should have happened in the past, again, we could have clarified those in the Privacy Act. Instead, we enacted an act in which it was very clear that bulk data transfers were facilitated. The kinds of profiling that bulk data is used for have a devastating impact not only on some individuals, which they have brought to our attention that they do not deserve—they may find themselves on the no-fly list, the slow fly list, or other various aspects, on the basis of profiling without any individualized suspicion—but entire communities are impacted by being under the threat of racial and religious profiling.

I could go on about this subject for quite a while, but I'm going to keep it narrowed to those examples because I think they speak to both the front-end chill and the ultimate impact of where we do have very reasonable grounds for suspecting SCISA was essentially enacted, which is about the bulk data holdings.

I would just add that I agree with those comments. I think there's a real and serious issue about trust in government when you have an act that contemplates the sharing of the entire government with these recipient institutions. I think there would be a lot more support if it was information sharing within the recipient institutions and understanding that they share certain kinds of national security interests, but when it's the entire government, then you undermine the trust of Canadians, who often have no choice but to share information for all sorts of government purposes. I think that is really an important aspect that is not taken into account here with the sheer breadth of the sharing that's contemplated here.

I'll add to what my colleague said. I think it might be useful just to flesh out a little an example of why when datasets are combined they can be way more privacy intrusive than the sets considered in isolation. I can give you an example from the private sector that helps to make this point.

There is an app that was published and was called “Girls Around Me”. Basically, it combined two sets of publicly available information: information from Facebook profiles, which is generally about people's pictures and their likes, dislikes, interests, and what have you, and then information from Foursquare, which allows people to use their iPhones to check into a particular thing, such as “I'm at this restaurant, I'm at this movie theatre, I'm at this bar”, or whatever. Combining those two datasets, which in isolation have their own concerns but are not super-intrusive, basically creates this stalking app that allows people to look at their phone and say that in this restaurant there is a girl, here's what she looks like, here's what her interests are, and here's everything about her.

Again, you take these two datasets in isolation and then put them together, and suddenly you have something that is far more intrusive than the two taken separately. That's an example from the private sector, but I think it does illustrate the harm and the concerns that can come about when these datasets are combined, particularly echoing what my colleague said about the fact that, in dealing with the government, people don't necessarily have a choice when they're sharing this information. When you're dealing with communities that are under risk and already have a good reason to be suspicious of their interactions with government, I think these are very good illustrations of the kinds of concerns that come into play.

Our view is that the repeal of the act is certainly the preferred methodology for bringing accountability to this question.

I'm very suspect of “more powers equals greater efficacy”. At the same time that the civil liberties organization is very much of the view that there is more than one good and that national security is a powerful good, we want to ensure that the appropriate tools are in the hands of our intelligence agencies. In order to do that, we need to understand the problem in greater specificity. If the problem was literally that there was some difficulty in understanding what the provisions already allowed for in the exemptions for disclosure in the Privacy Act were, then clarifying those exemptions is clearly the tool that we need to address those.

Again, if that were required in order to get appropriate information sharing on an individual basis, we would be very much in favour and and would roll up our sleeves to help draft that provision.

I can't speak to general provisions in other legislation. I would defer to some of my colleagues in the national security space with respect to specific agencies and their mandates.

I was surprised that it's not in SCISA, given that it's clear that this also empowers sharing with foreign governments. Why is there not a provision that it must be part of the set of protections, given everything the Arar commission says? Again, that goes to my general point that I think those kinds of safeguards, I would say, are pretty much constitutionally required, not just as a recommendation of the Arar commission. I think it's problematic that they're not there in this act.

I can jump in.

Thank you very much for your question.

Currently ministerial directions expressly allow for the sharing and importation of information that might contribute to or be derived from torture. One of the things that my association has called for—along with many colleagues, including Amnesty International—is the immediate repeal of those ministerial directions of some years' duration that do allow for or make provision for.... They're supposed to be scrupulously scrutinized in terms of their necessity, but, as I say, it flies in the face of international law and human rights protections to say that this can be effective.

We know that very little actionable intelligence is derived from torture, and security agencies will confirm this. Not only is torture a grave human rights violation, but it produces no actionable intelligence. You are very, very likely to get faulty intelligence from information derived from torture, and yet we continue to have in Canada an allowance for such information. Torture-tainted information is, I would suggest, a deep human rights scandal in this country and one that, as I say, we voiced in terms of the national security consultation.

Certainly, as I say, repealing those ministerial directives would be stage one, and then expressly prohibiting such torture-tainted information would be very, very welcome.