Thank you for this invitation.
The BCCLA is on record as calling for the complete repeal of Bill C-51 and we have views on almost every aspect of the national security framework, which I would be very pleased to share with you. However, for the duration of my prepared remarks, I wish to make a substantive contribution to your deliberations on a topic that is receiving surprisingly little airtime given it's importance, and that is the new Security of Canada Information Sharing Act.
The unprecedented expansion of the surveillance powers in this act, along with the controversial new CSIS threat disruption powers, were the main points of opposition heard by the thousands of citizens who took to the streets to protest the introduction of Bill C-51. My discussion on the Security of Canada Information Sharing Act will focus on our new understanding of what is happening with the collection of datasets of personal information in the security intelligence realm.
If time permits, or perhaps during questions, I would be very pleased to unpack the ramifications of the act in further detail, including how it intersects with issues of profiling, but it is critical, in our view, that we first squarely set this discussion within the recent findings of unlawful data collection within the Five Eyes.
You will doubtless have seen today's headlines from the U.K. that the investigatory powers tribunal has ruled that British security agencies have secretly and unlawfully collected massive volumes of personal data in breach of article 8 of the European Convention on Human Rights, and that this unlawful activity has been going on for years and years.
The illegal data holdings include bulk personal datasets, which might include medical and tax records, individual biographical details, commercial and financial details, communications, and travel data. The ruling confirms that for over a decade U.K. security services unlawfully concealed both the extent of their surveillance capacities and the fact that innocent people across the country had been spied upon. This is an eerie echo of what we here in Canada learned only a few weeks ago about our own comparable intelligence data holdings.
Granted, unlike the situation in the U.K., it was not front page news. The media coverage of SIRC's just-released annual report focused on the review of the new threat disruption powers, which is, by no means, a surprise. However, largely unexplored in the public discourse was the report of SIRC's first-ever examination into CSIS data acquisition programs, including bulk datasets, and that report was an extremely damning one, very much in keeping with the situation that was recently disclosed in the U.K.
SIRC advises that within CSIS's own data classifications there are two types of datasets. The first type they refer to as “referential”, which, on the argument that they are openly sourced and publicly available, CSIS says are not collected under the authority of section 12 of the CSIS Act and therefore have to meet no standard of collection. SIRC does not comment on the legal interpretation that underpins this theory of collection that is not collection.
The second type of dataset is the “unreferential” datasets, which CSIS does consider to be collected under the authority of the CSIS Act and must, therefore, meet the collection threshold of being strictly necessary. Despite its characteristic calm and measured tones, what SIRC has to report in this matter is extremely alarming. The bottom line is this. SIRC does not agree that all of the publicly available, openly sourced data is in fact publicly available and openly sourced, so there are definitely red flags in that category. Even more troubling, however, as regards the datasets that clearly fall under the requirement for strict necessity, “SIRC found no evidence to indicate that CSIS had appropriately considered the threshold as required in the CSIS Act.”
It found no evidence of appropriate consideration of the applicable legal standard to bulk data collection of Canadians' private information. It is simply impossible to read this as indicating anything other than contempt for the need to abide by the applicable laws in this arena. This is so serious a matter that SIRC called for the immediate halt to the acquisition of bulk datasets until there can be a system to confirm compliance with the law. This, then, is the situation, one completely unmoored from the legal requirements in the CSIS Act, to which we add the near free-for-all of the information sharing act's powers.
You will recall that the Security of Canada Information Sharing Act applies to national security concerns defined so broadly that the definition has never before been seen in Canadian law. It constitutes a bar so low that there is hardly anything that cannot be argued to be within its purview. It spans far beyond public safety into ordinary public life, encompassing everything from the administration of justice to the country's economic or financial well-being.
There's no need, under the legislation, for individualized suspicion as the basis for individual information sharing, and indeed no impediment to entire databases of personal information being disclosed on the grounds that they may be relevant to an institution's mandate to detect, identify, analyze, prevent, investigate, or disrupt an activity that undermines the security of Canada—again, as defined so broadly in the act as to encompass huge swaths of ordinary public life. It is difficult to imagine a database held by a federal agency that couldn't be argued for on such grounds. Perhaps it was thought that a possible mechanism to prevent the obvious threat of inappropriate data disclosure might be, by virtue of the CSIS Act, that CSIS would be unable to collect, retain, or use such vast categories of Canadians' private information because they would not fall under the legal standard that CSIS is to apply to its data holdings. However, we have just been told, in no uncertain terms, that those legal standards are being ignored. It is anyone's guess for how long that situation has existed. As I say, this is SIRC's first-ever review of these data holdings.
Further, we need to keep alive to the fact that there was never a compelling case for the legislation in the first place. In their recent response to the government's green paper, Professors Roach and Forcese cite a CSIS briefing note of 2014 that sets out some concerns about the lack of clarity with respect to information sharing for national security purposes. The briefing note did not call for the wholesale revisioning of information sharing to address this concern about clarity but rather suggested, “With appropriate direction and framework in place, significant improvements are possible to encourage information sharing for national security purposes, on the basis [of] existing legislative authorities.”
Instead of the careful and measured approach called for, legislation of monumental overbreadth was enacted, which compounded the lack of clarity and paved the way for a massive increase in already illegal data holdings by security intelligence. Ordinary citizens thus have every justification for concern that their personal information can be disclosed under the vast sweep of the act, which the Privacy Commissioner of Canada confirms is unprecedented. Meanwhile, the security benefits of this approach are, at best, entirely speculative and infinitely more likely to actually undermine rather than enhance effectiveness. The act is so far from hitting the mark of what is needful for national security that, as Roach and Forcese note, “The Act allows the government to share just about everything while it rejects the Air India commission’s recommendation that CSIS must share intelligence about terrorist offences, if not to the police than to someone who is in charge and who can take responsibility for the proper use of the information.”
It was ill advised when it was introduced, and it is even more so now that we have some insight into the shocking state of the current data holdings. The act should be repealed and replaced with the careful, measured approach that was called for in the first place to ensure that needed information sharing for national security purposes can occur within appropriate and meaningful protections for lawful Canadians' personal information. Thank you very much.