Mr. Chair, another deeply problematic aspect of Bill C-51 that has not been touched are changes to the Immigration and Refugee Protection Act that undid important protections for named persons in security certificate proceedings. Bill C-51 limited the requirement for disclosure of relevant information to special advocates and introduced a series of procedural barriers which further disadvantaged the rights of the named person.
In our legal challenge, CCLA has argued that these amendments are an unconstitutional violation of the section 7 guarantee to a hearing before an independent and impartial tribunal. Our Supreme Court has affirmed that the individual named in the security certificate “must be given an opportunity to know the case to meet, and an opportunity to meet the case”, an impossible exercise in the absence of a coherent legal framework for full disclosure.
This committee recognized as much in May 2017 when it recommended amending IRPA in order to give special advocates full access to complete security certificate files. We urge that Bill C-59 be amended to correct this issue.
We move now to the new elements of the new national security landscape that Bill C-59 has introduced. Our written submission will address a much wider range of issues in relation to the CSE Act, but we would like to highlight two parts today.
First, the proposed active and defensive cyber-operations aspects of the CSE's mandate essentially allow the establishment to engage in secret and largely unconstrained state-sponsored hacking and disruption. The limitation of not directing these activities at Canadian infrastructure is clearly inadequate given the inherently interconnected nature of the digital ecosystem. Such activities are also bound to impact the privacy expression and security interests of Canadians and persons in Canada, and may threaten the integrity of communications tools such as encryption and anonymity software that are vital for the protection of human rights in the digital age.
In the case of CSIS's disruption powers, which are in some ways analogous to these new aspects of CSE's mandate, the government has set out a complex framework for prior judicial authorization and a longer list of prohibited activities. While we do not concede the adequacy of that framework, it is notable that, in contrast, CSE's cyber-operations activities involve no meaningful privacy protections, require only secret ministerial authorization, and involve only after-the-fact review.
Second, while the majority of CSE's activities cannot be directed at Canadians or persons in Canada, this is an inadequate safeguard against CSE's overreach in the face of unselected bulk collection. Bill C-59 exacerbates this privacy risk by creating a series of exceptions for the collection of Canadian data, including one which allows its acquisition, use, analysis, retention, and disclosure, so long as it is publicly available.
This definition is so broad that it plausibly includes information in which individuals have a strong privacy interest, and potentially allows for the collection of private data obtained by hacks, leaks, or other illicit means. Furthermore, it may encourage the creation of grey markets for data that would otherwise never have been available to government—a client with deep pockets.
The government has failed to demonstrate why this exception, as worded, is necessary or proportionate, or what risk it is meant to mitigate in the first place.