Information & Ethics Committee on Jan. 31st, 2017

Thank you.

Good afternoon. My name is Laura Tribe, and I am the executive director of OpenMedia. We are a digital rights organization that works to keep the Internet open, affordable, and surveillance-free. Given our work, it seems pretty fitting that I'm joining you by digital link from Vancouver this afternoon.

Since Bill C-51 was first announced, OpenMedia has been actively campaigning alongside many other groups against this reckless, dangerous, and ineffective legislation. We believe Bill C-51 should be repealed in its entirety, and that the Security of Canada Information Sharing Act, or SCISA, is one of the most problematic components within Bill C-51.

OpenMedia and our community believe that when the previous federal government passed SCISA, it weakened the privacy rules that keep us all safe. SCISA contributes to an alarming privacy deficit that makes all Canadians less secure. This privacy deficit is dangerous and will have lasting consequences for the health of our democracy, for our liberty, and for our daily lives.

I want to begin by commending this committee's recently published recommendations on reforms to the Privacy Act. As you are all aware, the Privacy Act has not been meaningfully updated since its introduction in the 1980s, and OpenMedia agrees wholeheartedly with this committee and the federal Privacy Commissioner that the Privacy Act must be brought into the digital age with the addition of strong, meaningful, and modern protections.

Specifically, we support your recommendations that the Privacy Act be strengthened to require that government activities related to the collection and sharing of information be necessary and proportionate.

We also strongly support your call to impose overarching limitations on the retention of data and to strengthen transparency reporting requirements for government institutions.

We believe the recommendations set out in your December report will substantively improve privacy protection and have the potential to help mitigate at least some of the serious problems with SCISA.

As you know, the government recently concluded the public phase of its consultation into a range of national security issues, including Bill C-51 and SCISA. Unfortunately, the green paper that was published at the outset of the public consultation focused far more on the desires of police than on the privacy needs of Canadians, with many issues, including those around information sharing, being framed in a highly one-sided way that ignores the reasons the public is so concerned in the first place.

Despite the misleadingly benign portrait of SCISA painted by this green paper, from a privacy perspective there are very serious problems with this legislation. Today I will be speaking to the three main concerns brought forward by the OpenMedia community.

OpenMedia's first concern is that SCISA enables domestic dragnet information sharing that security experts warn is counterproductive. As you know, SCISA authorizes all federal institutions to disclose Canadians' private information to no fewer than 17 separate government agencies.

Anything that relates to the sweepingly broad definition of “activities that undermine the security of Canada” can be disclosed. I echo the concerns of the BCCLA's Micheal Vonn that not only does SCISA have, and I quote, “no requirement for individualized grounds for data collection”, but that it seems “likely it was enacted precisely for the purposes of bulk data acquisition.”

This is deeply problematic. To participate in modern life, citizens must share lots of information with our government. This information should not be repurposed into an open-ended intelligence dragnet.

Previous witnesses have raised specific examples that shed light on just how problematic the type of information sharing facilitated by SCISA can be: CIPPIC's Tamir Israel cited recent examples of government targeting journalists and peaceful indigenous activists and expressed concern that SCISA could be leveraged to share information about their activities in spite of the supposed exception for activities of “advocacy, protest, dissent and artistic expression”, and the BCCLA's Micheal Vonn pointed to the extraordinary data collection powers of FINTRAC and how its counterbalancing privacy protections have been “decidedly unsettled by SCISA to the point where its constitutionality may be at issue.”

OpenMedia believes the principles of necessity and proportionality are workable mechanisms for sharing or receiving threat data, and there is no need for SCISA's expanded definitions of security in this context.

To safeguard Canadians, information sharing of data entrusted to government agencies should only occur in narrow circumstances, and the Privacy Commissioner must be empowered to assess the overall necessity and proportionality of any and all information-sharing activities.

Additionally, all government institutions should be required to keep thorough records of when they disclose our private information, including to foreign governments, and information sharing in general should only occur subject to formalized agreements.

OpenMedia's second major concern with SCISA is that inappropriate information sharing with foreign governments can have a devastating impact on the lives of individual Canadians. In recent years, over 200 Canadians have publicly come forward to say their personal or professional lives have been ruined due to information disclosures with foreign governments, despite never having broken the law, and we'll never know how many others who have been impacted have chosen to stay silent.

Some have faced career limitations, while others have had to deal with travel restrictions. False charges that were subsequently dropped or dismissed, never resulting in criminal records, or even brief contact with the mental health system can create flags with life-changing consequences. These stories underline a very real threat regarding the government's handling of our sensitive data: that without safeguards in place, government bureaucrats will simply act recklessly and make life-impacting mistakes.

Canada's security agencies, the designated recipients of information under SCISA, routinely and on a large scale share information with their counterparts in the U.S. When mistakes are made, the impact on individual Canadians can be profoundly damaging. We need look no further than the case of Maher Arar to see that. These long-standing problems have been exacerbated by the Trump administration's recent decision to eliminate all U.S. Privacy Act protections for foreigners, including Canadians. As Professor Michael Geist points out,

the order should raise significant concerns about government data shared with U.S. authorities as well as the collection of Canadian personal information by U.S. agencies. Given the close integration between U.S. and Canadian agencies—as well as the fact that Canadian Internet traffic frequently traverses into the U.S.—there are serious implications for Canadian privacy.

These concerns are compounded by the Trump administration's expressed openness to returning to torture policies that were largely discontinued by the previous administration. Sadly, should SCISA remain in place, more examples like that of Maher Arar are not unlikely.

OpenMedia's third concern is the way that reckless information sharing harms our digital economy. Leading Canadian business figures, including the heads of Hootsuite, Slack, Shopify, and OpenText, have warned that the information-sharing provisions of SCISA will harm the Canadian economy by undermining trust in our commerce and trade. In an open letter published shortly after Bill C-51 was first proposed, these business leaders had this warning:

The data disclosures on innocent Canadians and those travelling to Canada for business or recreation could make our clients leave us for European shores, where privacy is valued. Duplicated data flowing between multiple unsecured federal government and foreign government databases leaves Canadians and Canadian businesses even more open to being victimized by data breaches, cyber criminals and identity theft.

A second letter from the business community, published last month in response to the government's national security consultation, reiterated these concerns and called for the legislation to be fully scrapped, saying:

We hope your government will listen to Canadians, the business community and experts by starting over with new legislation that respects our collective desire for security overall. Privacy and data integrity safeguards represent security in its most clear and basic sense. Let’s start with this understanding and work from there.

For all these reasons, OpenMedia believes that the Security of Canada Information Sharing Act should be completely repealed, alongside the rest of Bill C-51. As one of our community members told us recently:

Repeal it completely and do it now. If the Liberal government believes some sort of bill is needed, then write a new bill from scratch only after thorough consultations with legal experts and citizens to ensure Canadian rights and freedom are preserved.

Strong privacy rights need to be at the heart of any healthy democracy because they are the foundation of many other democratic rights we hold dear. We all deserve effective legal measures to protect the privacy of every resident of Canada against intrusion by government entities or malicious actors and abuse by law enforcement. Canadians deserve at least the same high level of privacy safeguards for our digital homes as we do for our brick-and-mortar homes, if not higher, given the highly sensitive data stores and interactions that are increasingly housed online.

For many Canadians, security is privacy, in the most human sense of that word. Repeated revelations of intrusive government surveillance, whether that be spying by CSE, the new powers in SCISA, or other elements of Bill C-51, have left Canadians fearful for their personal security. This committee's work can play a significant role in ensuring that Canada can address those fears and become a global leader in reining in excessive digital surveillance practices. Let's lead by example and help set a new global standard for privacy protection in a digital age.

Thank you.

Thanks very much, and good afternoon, Mr. Chair and members of the committee.

My name is David Elder. I am an executive committee member of the privacy and access law section of the Canadian Bar Association. I also co-lead the privacy and data protection practice at Stikeman Elliott LLP. I was formerly the chief privacy officer for a major Canadian telecommunications company, and I have been practising privacy law for over 20 years.

Thank you for the invitation to present the CBA's view on the Security of Canada Information Sharing Act.

The CBA is a national association of over 36,000 lawyers, law students, notaries, and academics. An important aspect of the CBA's mandate is seeking improvements in the law and the administration of justice, and it is that perspective that brings us to appear before you today.

Our submission to the committee on SCISA was prepared by a CBA national security working group, with contributions from the privacy and access law section as well as other sections. The section's membership represents lawyers with in-depth knowledge in the areas of privacy law and access to information from every part of the country, drawn from private practice, industry, and government sectors.

Our section also worked on the CBA submission this past fall in response to the government's national security green paper, and the year before that on the CBA submission to the public safety and national security committee respecting Bill C-51, part of which contains SCISA.

I'll now address the substance of our submission.

The CBA supports information sharing for the purpose of national security when that sharing is necessary, proportionate, and accompanied by adequate measures against potential abuse. However, sharing too much information or sharing information for unrestricted purposes can lead to harmful consequences. Moreover, such oversharing is contrary to the principles underlying privacy laws in Canada.

SCISA has significantly expanded intragovernmental information sharing for national security purposes in Canada, including the sharing of potentially sensitive personal information, without precise definitions, basic privacy protections, or clear limitations on the purposes for sharing. While some helpful changes were made to SCISA before its final passage into law in 2015, the statute still causes concern on several fronts.

The CBA has four main concerns with the law as enacted.

The first is independent oversight. SCISA includes a number of useful guiding principles for information sharing, including the principle that originators should retain control over shared information and the principle that information should be disclosed under the act only to institutions carrying out responsibilities in respect of activities that undermine the security of Canada.

However, to be meaningful, SCISA must include a robust oversight and accountability mechanism to enforce these principles. In the CBA's view, any oversight body should have independence from the government institutions that will be sharing information under the act in order to avoid any potential conflicts of interest.

There may be several oversight models that could work in this regard. The committee of parliamentarians that was proposed in Bill C-22 could be one such option. Existing institutions, such as the Office of the Privacy Commissioner of Canada, might also work.

Whatever oversight mechanism is pursued, in order to better facilitate the review of activities carried out under SCISA, the CBA submits that regulations should be introduced requiring disclosing institutions to keep a record of all disclosures made under SCISA and requiring receiving institutions to maintain records of subsequent use and disclosure of information received pursuant to SCISA. If such records do not exist, it will be nearly impossible for any oversight body to determine whether the guiding principles of the act are indeed being respected.

The second concern is balanced information sharing.

The CBA notes that subsection 5(1) of SCISA permits disclosure among the 17 government institutions listed in the schedules of the act if the information is relevant to the recipient institution's jurisdiction or responsibilities under an act of Parliament or another lawful authority respecting national security. In the CBA's view, mere relevance is a very low standard for what should be an exceptional sharing of information between government institutions, and this could allow for unnecessary and overbroad sharing of information, undermining the privacy rights of Canadians. The CBA agrees with the previous submissions of the Privacy Commissioner of Canada and others that a test of necessity would better balance the objectives of SCISA with privacy rights and principles. In other words, in order for information to be shared with another institution, such sharing must not only be relevant to the receiving institution's mandate respecting national security, but also have to be necessary in order to allow the receiving institution to fulfill that mandate.

The CBA is also of the view that the existing schedule 3 to SCISA, which lists the institutions with which information may be shared under the act, should be expanded to include references to the specific sections of the statute supervised or implemented by those institutions that might relate to national security concerns. Greater specificity would assist both disclosing and receiving institutions, as well as any oversight body, in assessing whether disclosure to another institution might be appropriate.

Our third concern with SCISA is the lack of restrictions around subsequent use and disclosure of information disclosed to an institution under section 5 of SCISA. More specifically, the current provision seems to allow for the subsequent disclosure by a recipient institution to other non-designated government institutions, to individuals, to foreign governments, or even to the private sector, and for purposes unrelated to national security.

In the CBA's view, the information sharing between government institutions contemplated by SCISA should be seen as an extraordinary measure designed to fulfill an explicit narrow purpose. Accordingly, SCISA must be designed to eliminate what is sometimes called “purpose creep”, including potential disclosure to third parties.

The CBA is particularly concerned about subsequent use and further disclosures by a receiving institution when the information has been obtained by the disclosing institution through the exercise of extraordinary powers, such as powers to compel production of information or enter premises. It would be inappropriate for a receiving institution to be able to leverage, for purposes unrelated to national security, any investigation and enforcement powers not conferred on the receiving institution by Parliament. SCISA should not allow receiving institutions to obtain indirectly that which they cannot obtain directly.

Fourth, the CBA is concerned about reliability of information.

The CBA is concerned that SCISA includes few effective checks and balances on information sharing or safeguards to ensure that shared information is reliable. The Arar commission stressed the importance of precautions to ensure that information is accurate and reliable before it is shared. Omitting safeguards in SCISA ignores lessons learned through the Arar saga and the recommendations of the Arar commission, and risks repeating the same mistakes.

In conclusion, once again the CBA appreciates the opportunity to share our views on SCISA. We support balanced information sharing for the purpose of national security when it is necessary and proportionate, and is accompanied by safeguards that are adequate to protect individual privacy rights and to ensure the reliability of any information shared pursuant to the act.

I'd be pleased to respond to any questions the committee members may have.

Thank you very much.

Thank you very much to the committee and to the chair for the opportunity to speak with you today about this very important subject.

I will introduce myself. I am a privacy lawyer practising with McInnes Cooper in Halifax. I've been practising law in this area for more than 15 years, and in that time I've had the benefit of advising clients on a full range of privacy, access to information, and technology issues. I've worked with clients who regularly have contact with the police and with the national security authorities looking for information, both through regular lawful channels and, shall we say, informal channels.

I am here in my personal capacity, so I'm not speaking on behalf of any of my clients or any of the associations that I am a member of—I'm a proud CBA member—nor am I speaking on behalf of my firm. This is just me.

This committee has a very important opportunity, and I think we are at a turning point in global history. We have the chance, right now, to take a deep breath, take a step back, and ask some very important questions: who are we as Canadians, and what do we want to be? What kind of country do we want to live in, and are we taking positive steps to make that happen?

Looking south of the border, I am very mindful of a phrase that I first heard said by William Binney, who was one of the first whistle-blowers from the U.S. National Security Agency. He left because he was afraid that what he was being asked to create within that organization was something he called “turnkey totalitarianism”.

If you build an intrusive tool for the most benevolent institution, you can have faith in the people for whom you build it, but you can't be sure that it won't fall into the wrong hands. Setting aside the cynicism I've developed over the last dozen years, even if you absolutely believe what the leaders of our national security and policing agencies say to you—and I understand there will be further testimony from them—you can't be sure that their replacements will necessarily have the same good faith and concern about the rights of citizens. You can't be sure about the good faith and commitment to Canadian values of the next government.

The new U.S. administration has at its disposal the most significant surveillance apparatus ever assembled, and it's being built with Canadian collaboration. This committee needs to look at the here and now, but also look over the horizon for what may come next. The Anti-terrorism Act of 2001 and the Anti-terrorism Act of 2015 are, or could be, the foundation of what could become a massive abuse of Canadian rights.

We also need to look at whether any of this is really necessary or proportional in the first place. We need to look at what we have here and what is going on. On the one hand, recently we've seen that CSIS, with the assistance of Department of Justice lawyers, has lied to courts in order to feed CSIS databases. We've also seen that CSIS has refused to delete the information that it unlawfully retains. Most recently, we've seen that CSIS has been working within government to try to justify its data mining practices and has actually been looking to get more data to put into its massive databases.

Then we have the Security of Canada Information Sharing Act, which is, in my view, a privacy disaster. The privacy of Canadians was previously connected by information silos. Departments could collect information that was reasonably necessary for their purposes. They could share it with other departments for purposes that were consistent with those purposes, and they could share it with law enforcement in other circumstances. There were rules around that. You knew that the information about your Canada Pension Plan contributions or EI claims would not be used for any other purpose, unless the relatively weak hurdles of the Privacy Act—with which everybody here is familiar—were complied with, or unless a judge determined that it was appropriate in those circumstances that the public interest in disclosure outweighed the privacy interest.

Now we have a system whereby CSIS can ask any government department for virtually any data, as long as they think it's relevant to their task. You can try to get insight into how they would calculate that; I'm not sure. They can then get it, and it is no longer covered by the privacy protection of the originating institution.

They might think, for example, that people who visit bad guys are probably bad guys themselves, so let's get all the visitor logs from Correctional Service of Canada and then let's match that up against the Canada Border Services Agency records of people leaving and returning to Canada, and passport applications—and why not all the records of people receiving EI, and then everyone else's tax returns to see who has donated to Muslim charities? This law would allow CSIS or the RCMP to collect, in one massive database, all the information that every other government department has about you, based on the linchpin of that extremely low threshold of relevance.

SCISA does not contain any limit on what organizations like CSIS or the RCMP can do once they build those databases. There is nothing built into SCISA that does that. There is also no internal limit on how much information can be transferred between any government department and any of those institutions listed in the schedule to the act. On top of this, all of this happens in the shadows: there is no oversight within this statute.

As parliamentarians, all you know are the evasive non-answers given to you. There is no oversight, no accountability within this framework. This is essentially a blank cheque giving national security agencies access to some of the most sensitive personal information about Canadians. This is a real problem, and the act should be repealed.

In closing, I would also highlight the presence of section 9 in the statute. It should raise a flag. It should raise a flag very high. It says, “No civil proceedings lie against any person for their disclosure in good faith of information under this Act.”

If a statute has to provide immunity for otherwise unlawful conduct, we should be very careful about authorizing that conduct in the first place and we should be very careful about granting that immunity.

Thank you very much again for this opportunity. I very much look forward to the discussion.

Thank you very much.

I'm not sure that we've necessarily seen that there was such a problem in the previous regime that it needed to be completely thrown out with a blank cheque handed to these authorities, but—

I'm not sure that it was proven, when the statute was originally introduced, that it was so necessary, that there was something so wrong with the way that the Privacy Act worked in allowing information sharing among government departments.

We've certainly seen evidence of, and royal commissions referring to, the challenges of information sharing between government departments that exist and national security agencies. If you accept that as a premise, then the challenge is to come up with the appropriate tool. I think one of the big problems that we have overall is that this is using a sledgehammer when perhaps a ball-peen hammer or something more precise would do.

This statute provides licence for bulk data movement from one department to another. I don't have any concern, when it's justifiable and proportionate in the circumstances, with the RCMP and CSIS working on exactly the same file. I don't have a problem if, let's say, the employment insurance folks have reason to suspect that there is something sketchy going on, and they provide that information to the RCMP when it relates to national security. What I find particularly problematic is the scale at which information movement could take place, and the lack of accountability.

I'm not sure. Certainly since 2001—

I would simply be speculating, but I would assume it would relate to pandemics.

It seems like a longer list than is necessary. I would think that Canada should be focusing its efforts with respect to national security, rather than diffusing them across a whole bunch of organizations.

I think my first suggestion would be to scrap it.

It would be to scrap this statute, SCISA, and take a look at what is already in the Privacy Act, because every one of these organizations is subject to the Privacy Act, and the Privacy Act already has a scheme that allows one government institution to disclose information to another government institution, and it would naturally fall into that. If it needs to be tweaked, I think there probably are some places where it could be tweaked, but I think there is so much that is negative in this statute that we would be better off to do without it than to tinker with it.

Yes.