Information & Ethics Committee on Jan. 31st, 2017

Thank you.

Good afternoon. My name is Laura Tribe, and I am the executive director of OpenMedia. We are a digital rights organization that works to keep the Internet open, affordable, and surveillance-free. Given our work, it seems pretty fitting that I'm joining you by digital link from Vancouver this afternoon.

Since Bill C-51 was first announced, OpenMedia has been actively campaigning alongside many other groups against this reckless, dangerous, and ineffective legislation. We believe Bill C-51 should be repealed in its entirety, and that the Security of Canada Information Sharing Act, or SCISA, is one of the most problematic components within Bill C-51.

OpenMedia and our community believe that when the previous federal government passed SCISA, it weakened the privacy rules that keep us all safe. SCISA contributes to an alarming privacy deficit that makes all Canadians less secure. This privacy deficit is dangerous and will have lasting consequences for the health of our democracy, for our liberty, and for our daily lives.

I want to begin by commending this committee's recently published recommendations on reforms to the Privacy Act. As you are all aware, the Privacy Act has not been meaningfully updated since its introduction in the 1980s, and OpenMedia agrees wholeheartedly with this committee and the federal Privacy Commissioner that the Privacy Act must be brought into the digital age with the addition of strong, meaningful, and modern protections.

Specifically, we support your recommendations that the Privacy Act be strengthened to require that government activities related to the collection and sharing of information be necessary and proportionate.

We also strongly support your call to impose overarching limitations on the retention of data and to strengthen transparency reporting requirements for government institutions.

We believe the recommendations set out in your December report will substantively improve privacy protection and have the potential to help mitigate at least some of the serious problems with SCISA.

As you know, the government recently concluded the public phase of its consultation into a range of national security issues, including Bill C-51 and SCISA. Unfortunately, the green paper that was published at the outset of the public consultation focused far more on the desires of police than on the privacy needs of Canadians, with many issues, including those around information sharing, being framed in a highly one-sided way that ignores the reasons the public is so concerned in the first place.

Despite the misleadingly benign portrait of SCISA painted by this green paper, from a privacy perspective there are very serious problems with this legislation. Today I will be speaking to the three main concerns brought forward by the OpenMedia community.

OpenMedia's first concern is that SCISA enables domestic dragnet information sharing that security experts warn is counterproductive. As you know, SCISA authorizes all federal institutions to disclose Canadians' private information to no fewer than 17 separate government agencies.

Anything that relates to the sweepingly broad definition of “activities that undermine the security of Canada” can be disclosed. I echo the concerns of the BCCLA's Micheal Vonn that not only does SCISA have, and I quote, “no requirement for individualized grounds for data collection”, but that it seems “likely it was enacted precisely for the purposes of bulk data acquisition.”

This is deeply problematic. To participate in modern life, citizens must share lots of information with our government. This information should not be repurposed into an open-ended intelligence dragnet.

Previous witnesses have raised specific examples that shed light on just how problematic the type of information sharing facilitated by SCISA can be: CIPPIC's Tamir Israel cited recent examples of government targeting journalists and peaceful indigenous activists and expressed concern that SCISA could be leveraged to share information about their activities in spite of the supposed exception for activities of “advocacy, protest, dissent and artistic expression”, and the BCCLA's Micheal Vonn pointed to the extraordinary data collection powers of FINTRAC and how its counterbalancing privacy protections have been “decidedly unsettled by SCISA to the point where its constitutionality may be at issue.”

OpenMedia believes the principles of necessity and proportionality are workable mechanisms for sharing or receiving threat data, and there is no need for SCISA's expanded definitions of security in this context.

To safeguard Canadians, information sharing of data entrusted to government agencies should only occur in narrow circumstances, and the Privacy Commissioner must be empowered to assess the overall necessity and proportionality of any and all information-sharing activities.

Additionally, all government institutions should be required to keep thorough records of when they disclose our private information, including to foreign governments, and information sharing in general should only occur subject to formalized agreements.

OpenMedia's second major concern with SCISA is that inappropriate information sharing with foreign governments can have a devastating impact on the lives of individual Canadians. In recent years, over 200 Canadians have publicly come forward to say their personal or professional lives have been ruined due to information disclosures with foreign governments, despite never having broken the law, and we'll never know how many others who have been impacted have chosen to stay silent.

Some have faced career limitations, while others have had to deal with travel restrictions. False charges that were subsequently dropped or dismissed, never resulting in criminal records, or even brief contact with the mental health system can create flags with life-changing consequences. These stories underline a very real threat regarding the government's handling of our sensitive data: that without safeguards in place, government bureaucrats will simply act recklessly and make life-impacting mistakes.

Canada's security agencies, the designated recipients of information under SCISA, routinely and on a large scale share information with their counterparts in the U.S. When mistakes are made, the impact on individual Canadians can be profoundly damaging. We need look no further than the case of Maher Arar to see that. These long-standing problems have been exacerbated by the Trump administration's recent decision to eliminate all U.S. Privacy Act protections for foreigners, including Canadians. As Professor Michael Geist points out,

the order should raise significant concerns about government data shared with U.S. authorities as well as the collection of Canadian personal information by U.S. agencies. Given the close integration between U.S. and Canadian agencies—as well as the fact that Canadian Internet traffic frequently traverses into the U.S.—there are serious implications for Canadian privacy.

These concerns are compounded by the Trump administration's expressed openness to returning to torture policies that were largely discontinued by the previous administration. Sadly, should SCISA remain in place, more examples like that of Maher Arar are not unlikely.

OpenMedia's third concern is the way that reckless information sharing harms our digital economy. Leading Canadian business figures, including the heads of Hootsuite, Slack, Shopify, and OpenText, have warned that the information-sharing provisions of SCISA will harm the Canadian economy by undermining trust in our commerce and trade. In an open letter published shortly after Bill C-51 was first proposed, these business leaders had this warning:

The data disclosures on innocent Canadians and those travelling to Canada for business or recreation could make our clients leave us for European shores, where privacy is valued. Duplicated data flowing between multiple unsecured federal government and foreign government databases leaves Canadians and Canadian businesses even more open to being victimized by data breaches, cyber criminals and identity theft.

A second letter from the business community, published last month in response to the government's national security consultation, reiterated these concerns and called for the legislation to be fully scrapped, saying:

We hope your government will listen to Canadians, the business community and experts by starting over with new legislation that respects our collective desire for security overall. Privacy and data integrity safeguards represent security in its most clear and basic sense. Let’s start with this understanding and work from there.

For all these reasons, OpenMedia believes that the Security of Canada Information Sharing Act should be completely repealed, alongside the rest of Bill C-51. As one of our community members told us recently:

Repeal it completely and do it now. If the Liberal government believes some sort of bill is needed, then write a new bill from scratch only after thorough consultations with legal experts and citizens to ensure Canadian rights and freedom are preserved.

Strong privacy rights need to be at the heart of any healthy democracy because they are the foundation of many other democratic rights we hold dear. We all deserve effective legal measures to protect the privacy of every resident of Canada against intrusion by government entities or malicious actors and abuse by law enforcement. Canadians deserve at least the same high level of privacy safeguards for our digital homes as we do for our brick-and-mortar homes, if not higher, given the highly sensitive data stores and interactions that are increasingly housed online.

For many Canadians, security is privacy, in the most human sense of that word. Repeated revelations of intrusive government surveillance, whether that be spying by CSE, the new powers in SCISA, or other elements of Bill C-51, have left Canadians fearful for their personal security. This committee's work can play a significant role in ensuring that Canada can address those fears and become a global leader in reining in excessive digital surveillance practices. Let's lead by example and help set a new global standard for privacy protection in a digital age.

Thank you.

Thanks very much, and good afternoon, Mr. Chair and members of the committee.

My name is David Elder. I am an executive committee member of the privacy and access law section of the Canadian Bar Association. I also co-lead the privacy and data protection practice at Stikeman Elliott LLP. I was formerly the chief privacy officer for a major Canadian telecommunications company, and I have been practising privacy law for over 20 years.

Thank you for the invitation to present the CBA's view on the Security of Canada Information Sharing Act.

The CBA is a national association of over 36,000 lawyers, law students, notaries, and academics. An important aspect of the CBA's mandate is seeking improvements in the law and the administration of justice, and it is that perspective that brings us to appear before you today.

Our submission to the committee on SCISA was prepared by a CBA national security working group, with contributions from the privacy and access law section as well as other sections. The section's membership represents lawyers with in-depth knowledge in the areas of privacy law and access to information from every part of the country, drawn from private practice, industry, and government sectors.

Our section also worked on the CBA submission this past fall in response to the government's national security green paper, and the year before that on the CBA submission to the public safety and national security committee respecting Bill C-51, part of which contains SCISA.

I'll now address the substance of our submission.

The CBA supports information sharing for the purpose of national security when that sharing is necessary, proportionate, and accompanied by adequate measures against potential abuse. However, sharing too much information or sharing information for unrestricted purposes can lead to harmful consequences. Moreover, such oversharing is contrary to the principles underlying privacy laws in Canada.

SCISA has significantly expanded intragovernmental information sharing for national security purposes in Canada, including the sharing of potentially sensitive personal information, without precise definitions, basic privacy protections, or clear limitations on the purposes for sharing. While some helpful changes were made to SCISA before its final passage into law in 2015, the statute still causes concern on several fronts.

The CBA has four main concerns with the law as enacted.

The first is independent oversight. SCISA includes a number of useful guiding principles for information sharing, including the principle that originators should retain control over shared information and the principle that information should be disclosed under the act only to institutions carrying out responsibilities in respect of activities that undermine the security of Canada.

However, to be meaningful, SCISA must include a robust oversight and accountability mechanism to enforce these principles. In the CBA's view, any oversight body should have independence from the government institutions that will be sharing information under the act in order to avoid any potential conflicts of interest.

There may be several oversight models that could work in this regard. The committee of parliamentarians that was proposed in Bill C-22 could be one such option. Existing institutions, such as the Office of the Privacy Commissioner of Canada, might also work.

Whatever oversight mechanism is pursued, in order to better facilitate the review of activities carried out under SCISA, the CBA submits that regulations should be introduced requiring disclosing institutions to keep a record of all disclosures made under SCISA and requiring receiving institutions to maintain records of subsequent use and disclosure of information received pursuant to SCISA. If such records do not exist, it will be nearly impossible for any oversight body to determine whether the guiding principles of the act are indeed being respected.

The second concern is balanced information sharing.

The CBA notes that subsection 5(1) of SCISA permits disclosure among the 17 government institutions listed in the schedules of the act if the information is relevant to the recipient institution's jurisdiction or responsibilities under an act of Parliament or another lawful authority respecting national security. In the CBA's view, mere relevance is a very low standard for what should be an exceptional sharing of information between government institutions, and this could allow for unnecessary and overbroad sharing of information, undermining the privacy rights of Canadians. The CBA agrees with the previous submissions of the Privacy Commissioner of Canada and others that a test of necessity would better balance the objectives of SCISA with privacy rights and principles. In other words, in order for information to be shared with another institution, such sharing must not only be relevant to the receiving institution's mandate respecting national security, but also have to be necessary in order to allow the receiving institution to fulfill that mandate.

The CBA is also of the view that the existing schedule 3 to SCISA, which lists the institutions with which information may be shared under the act, should be expanded to include references to the specific sections of the statute supervised or implemented by those institutions that might relate to national security concerns. Greater specificity would assist both disclosing and receiving institutions, as well as any oversight body, in assessing whether disclosure to another institution might be appropriate.

Our third concern with SCISA is the lack of restrictions around subsequent use and disclosure of information disclosed to an institution under section 5 of SCISA. More specifically, the current provision seems to allow for the subsequent disclosure by a recipient institution to other non-designated government institutions, to individuals, to foreign governments, or even to the private sector, and for purposes unrelated to national security.

In the CBA's view, the information sharing between government institutions contemplated by SCISA should be seen as an extraordinary measure designed to fulfill an explicit narrow purpose. Accordingly, SCISA must be designed to eliminate what is sometimes called “purpose creep”, including potential disclosure to third parties.

The CBA is particularly concerned about subsequent use and further disclosures by a receiving institution when the information has been obtained by the disclosing institution through the exercise of extraordinary powers, such as powers to compel production of information or enter premises. It would be inappropriate for a receiving institution to be able to leverage, for purposes unrelated to national security, any investigation and enforcement powers not conferred on the receiving institution by Parliament. SCISA should not allow receiving institutions to obtain indirectly that which they cannot obtain directly.

Fourth, the CBA is concerned about reliability of information.

The CBA is concerned that SCISA includes few effective checks and balances on information sharing or safeguards to ensure that shared information is reliable. The Arar commission stressed the importance of precautions to ensure that information is accurate and reliable before it is shared. Omitting safeguards in SCISA ignores lessons learned through the Arar saga and the recommendations of the Arar commission, and risks repeating the same mistakes.

In conclusion, once again the CBA appreciates the opportunity to share our views on SCISA. We support balanced information sharing for the purpose of national security when it is necessary and proportionate, and is accompanied by safeguards that are adequate to protect individual privacy rights and to ensure the reliability of any information shared pursuant to the act.

I'd be pleased to respond to any questions the committee members may have.

Thank you very much.

I'm not sure that we've necessarily seen that there was such a problem in the previous regime that it needed to be completely thrown out with a blank cheque handed to these authorities, but—

I'm not sure that it was proven, when the statute was originally introduced, that it was so necessary, that there was something so wrong with the way that the Privacy Act worked in allowing information sharing among government departments.

We've certainly seen evidence of, and royal commissions referring to, the challenges of information sharing between government departments that exist and national security agencies. If you accept that as a premise, then the challenge is to come up with the appropriate tool. I think one of the big problems that we have overall is that this is using a sledgehammer when perhaps a ball-peen hammer or something more precise would do.

This statute provides licence for bulk data movement from one department to another. I don't have any concern, when it's justifiable and proportionate in the circumstances, with the RCMP and CSIS working on exactly the same file. I don't have a problem if, let's say, the employment insurance folks have reason to suspect that there is something sketchy going on, and they provide that information to the RCMP when it relates to national security. What I find particularly problematic is the scale at which information movement could take place, and the lack of accountability.

I'm not sure. Certainly since 2001—

I would simply be speculating, but I would assume it would relate to pandemics.

It seems like a longer list than is necessary. I would think that Canada should be focusing its efforts with respect to national security, rather than diffusing them across a whole bunch of organizations.

I think my first suggestion would be to scrap it.

It would be to scrap this statute, SCISA, and take a look at what is already in the Privacy Act, because every one of these organizations is subject to the Privacy Act, and the Privacy Act already has a scheme that allows one government institution to disclose information to another government institution, and it would naturally fall into that. If it needs to be tweaked, I think there probably are some places where it could be tweaked, but I think there is so much that is negative in this statute that we would be better off to do without it than to tinker with it.

Yes.