Evidence of meeting #90 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was privacy.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Brenda McPhail  Director, Privacy, Technology and Surveillance Project, Canadian Civil Liberties Association
Christian Leuprecht  Professor, Department of Political Science, Royal Military College of Canada, As an Individual
Hayley McNorton  Research Assistant, Department of Political Science, Royal Military College of Canada, As an Individual
Cara Zwibel  Acting General Counsel, Canadian Civil Liberties Association
Lex Gill  Advocate, National Security Program, Canadian Civil Liberties Association

9:10 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes, you're right.

We reviewed various elements under the Security of Canada Information Sharing Act, discussed in our most recent annual report. We, in fact, did a review of a CBSA program that uses scenario-based screening of travellers in order to identify threats.

The threat could involve national security, criminal activity or something else. Therefore, reviews of those types of programs—one of many at CBSA—should target not only national security initiatives, but also programs designed to identify criminal and other threats.

9:10 a.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you.

In terms of the datasets that the Canadian Security Intelligence Service will be collecting, do you think the bill sets out an adequate definition?

I'll start with that question and follow up with my next question in a moment.

9:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

There is no doubt that the concept of datasets is very broadly defined, something that could prove problematic without oversight mechanisms or legal standards. To my mind, the two safeguards are more or less adequate in relation to the various stages leading to the use and exploitation of the datasets.

The jumping off point is Judge Noël's Federal Court decision, indicating that CSIS had compiled and retained information on individuals who were not threats. Judge Noël also said that he had heard evidence to the effect that the information in question could be helpful to identify threats.

My view on the dataset provisions is that efforts should be made to use the value of that intelligence—which is very broadly defined, I agree—but with different filters to ensure the data are not retained for an excessive period of time. The Federal Court normally conducts a review within 90 days, which is a pretty good method. CSIS's exploitation of the data, relying on the necessity test, is the standard we think should be used for information-sharing purposes.

It would be tough to call the provisions inadequate. The ultimate use of the data depends on necessity. For two years now, I have advocated for the necessity test in information sharing.

I am asking parliamentarians to apply the same necessity standard in the Security of Canada Information Sharing Act to information sharing, in the case of receiving institutions.

9:15 a.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I am going to stay on the topic of datasets.

The definition is rather broad. On one hand, we heard from witnesses on Tuesday about the benefits of having a broader definition; they claimed that it would keep agencies from having to play a constant game of catch-up. The pace of technological change is something that comes to mind.

On the other hand, I wonder whether there isn't cause for concern, since we don't know what this type of data collection—which the various agencies need to carry out their mandate—will look like in five or 10 years.

9:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes, there is a risk, but I think it is being managed properly, more or less.

The definition could probably be narrower but then national security agencies, such as CSIS, would be deprived of the information they need for their work. However, there is a risk. How can the risk be reduced? The answer is through independent and effective review mechanisms.

The part of Bill C-59 that deals with CSIS has a number of filters exercised by independent members of the executive of the government and the Canadian Security Intelligence Service based on high standards, including necessity. Overall, I think it's a fair balance.

9:15 a.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Okay.

My last question is about the Communications Security Establishment (CSE) mentioned in part 3 of the bill.

Despite the fact that its mandate is to address foreign threats, do you think, in the operations that the CSE will now be able to conduct, there is a risk of casting a large net that could subject Canadians in the information infrastructure to phishing?

9:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Through collection, the CSE can gather a lot of information. It's sort of the same dynamic as CSIS and the concept of dataset.

The starting point allows for a fairly vast collection of information. However, not only does a provision, clause 25, require the CSE to enforce measures to protect privacy, but those measures are clearly defined elsewhere in the bill, in clauses 35 and 44 as well as other clauses.

Not only does the CSE have a general duty to protect privacy, but privacy is very clearly defined in some provisions. Once again, this ultimately leads us to the following conclusion: the information must be essential to the CSE's mandate before CSE analyzes, stores, uses and exploits the information.

Once again, we are working with the test of necessity. I would even say strict necessity, when we talk about what is essential to the CSE's mandate.

9:20 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Dubé.

Mr. Picard, you have seven minutes.

9:20 a.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you, Mr. Chair.

Mr. Therrien, it's good to see you again. Your expertise is recognized, and we greatly appreciate the rigour of your comments.

I will use your big concern to try to move the debate forward, especially since we are at the most important stage where we can make significant changes. Let's try to see what we can do about this.

I would like to ask a quick question, to start.

Are your office's security clearances problematic or are they preventing you from being part of the bigger picture?

9:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

A number of our employees have the required security clearance.

9:20 a.m.

Liberal

Michel Picard Liberal Montarville, QC

Okay.

In the surveys you have carried out in the past, including the ones in which I participated for the department, it was clear that the concern is there. It's undeniable, which is normal, considering that the reality is what it is.

In 2017, we have started to feel that people are grasping the reality of the threat, but please correct me if you see things differently. They see what is happening abroad, and they are slowly starting to accept negotiations and compromises. It is always a matter of striking a balance between rights and freedoms and security. It's a never-ending juggling act and it's almost impossible to solve.

Do you feel that people are starting to rethink what they accept as an untouchable privacy threshold and what they would agree to compromise on and give up?

9:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

People's opinions vary over time.

Let me use an example based on clear circumstances. As a result of Edward Snowden's revelations, there has, of course, been a spike in public concerns about respect for rights, including the right to privacy. After a terrorist event, the scales usually tip the other way.

I suggest that you assume that the public is concerned about both physical security and their rights. Depending on the events, those concerns may fluctuate.

In my opinion, your job, mine and that of the executive power is to put in place legal rules that respect the balance over a certain period of time, regardless of revelations and terrorist events. Legal rules must also take into account any realities in time. Then there should be a review.

The bill provides a number of good suggestions, but I think we have a role to play in ensuring that officers apply those rules correctly on a daily basis.

9:20 a.m.

Liberal

Michel Picard Liberal Montarville, QC

The debate about privacy is undeniable and accepted, and it must be protected.

Let's try to be more practical and take a micromanagement approach. Since we are still in the theoretical realm, it may be appropriate to provide a tangible example.

Could you give me one or two specific examples of privacy information to put it in the context of information sharing or national security?

What sort of information are you referring to?

A person's name may not be enough. Is buying a plane ticket to go to Europe in two weeks an example of the type of personal information you are referring to or is it more specific information?

Could you give us one or two hypothetical examples—we will not use names—so that we can have a more concrete foundation for the debate?

9:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Take the case of travellers, since that is a good example. Many people travel. In fact, almost all of us travel.

It is normal for decisions on overseeing admission to different countries to include a national security component. Of the millions, if not tens of millions of travellers, only a tiny minority pose a problem for national security, but everyone needs to be analyzed. CSIS, in the case of Canada, must have access to the names of travellers, to ensure that they do not pose threats to national security.

There are no specific rules that require CSIS to dispose of the information when it concludes that 99.9% of people do not pose a threat.

9:25 a.m.

Liberal

Michel Picard Liberal Montarville, QC

It's a different story in the case of metadata, correct?

Under the new bill, what is not relevant must be destroyed.

9:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Right, in part 4 of the bill, which deals with datasets, the conclusion is that the information must be destroyed. The Federal Court must analyze those datasets and authorize or not authorize their retention after 90 days. This is exactly the kind of measure I recommend in the case of information sharing. If it's good for datasets, it should be good for information sharing under part 5 as well.

December 7th, 2017 / 9:25 a.m.

Liberal

Michel Picard Liberal Montarville, QC

Information sharing is problematic. Objective information is may or may not be valuable if it is not contextualized. Information sharing depends precisely on this relationship between information and context. When there are two stakeholders, two or more organizations, we wonder whether the necessity threshold should be used.

When you talk about what is strictly necessary, are we referring to relevance? Here, I'm sort of calling on the lawyer in you. How will that be managed?

An organization may consider a piece of information important and necessary, but the recipient may disagree. The opposite can happen. An organization may consider a piece of information only somewhat useful, whereas the agency with which it interacts is waiting for that information because its context, which the other organization cannot access, justifies it. In this case, the two thresholds for assessing the information seem problematic to me.

9:25 a.m.

Liberal

The Chair Liberal John McKay

Be very brief, please.

9:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It's just that things are not always very clear, especially for the department that discloses the information and is not an expert on national security. I agree that, for the institution that discloses the information, the standard is a little more permissive. The new section 5 is not perfect, but it does the job. Its application ensures that the institution that discloses the information—the Department of Agriculture, for example, does not have many national security experts—feels empowered to do so. That's good.

When CSIS receives information, it must analyze it. It knows what it needs for its work and what is superfluous. After the analysis, CSIS should have not only the power but also the legal obligation to dispose of any information that it no longer needs for its work.

9:25 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Picard.

Mr. Motz, you have five minutes, please.

9:25 a.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Commissioner and your team, for being here.

You indicated in your recommendations—and thank you for providing some additions—specifically in recommendation A, in removing ambiguity, I suppose, with respect to the role of the Privacy Commissioner, that you should be among the review bodies having the legal authority and flexibility to share confidential information. I'm just curious, besides you and your background, does your office have the expertise to understand the ramifications and overall impacts of national security and the intel sharing?

9:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We have about 10 employees who have the security clearance and who review these issues from time to time and who, yes, have the expertise to know the context.

To give the other side of the coin, if we're not involved, it would mean that the expertise we have garnered through our work generally vis-à-vis all departments would not benefit national security agencies. That's something to bear in mind.

9:25 a.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Would you see a change in the mandate of your organization with the passage of Bill C-59? If so, would you require the allocation of more resources to manage those changes?

9:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

If my recommendations are adopted, no. We don't need an army of people. We have a broad mandate. We supervise the private sector as well. I don't envisage that we would need more resources.

9:30 a.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Would you see the national security and intelligence review agency as a positive addition, through standardized practices, without allocating resources from protecting Canadians to the compliance and red tape practices?