Appearance before the Senate Standing Committee National Security and Defence on Bill C-51, the Anti-Terrorism Act, 2015

April 23, 2015
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Good afternoon, Mr. Chair and members of the Committee. Thank you for the invitation to discuss Bill C-51, the Anti-Terrorism Act, 2015. You have by now received my submission articulating my concerns with this Bill, which I also shared with the Standing Committee on Public Safety and National Security of the House of Commons. 

As Privacy Commissioner of Canada, I am of the view that Part 1 of Bill C-51, which contemplates information-sharing for national security purposes between all government departments and 17 specified agencies, is excessive and lacks balance. While I appreciate that information-sharing as contemplated by the Bill may sometimes lead to the identification of new threats, I believe this end is accomplished at much too great a cost to privacy. The Bill would potentially lead to disproportionately large amounts of personal information of ordinary, law-abiding citizens being collected and shared. This sets up the prospect of profiling and Big Data analytics on all Canadians. In short, the means chosen are excessive to achieve the end.

It would be entirely possible for Bill C-51 to protect both security and privacy. In order to have a balanced approach,  the Bill should have reasonable thresholds and effective review. First, regarding reasonable thresholds, I recommend that the Bill be amended to ensure that only information which is “necessary” is shared, rather than the proposed threshold of “relevance.” It is the standard of “relevance” which exposes the personal information of law-abiding citizens. Notions of proportionality and balance dictate that this change is made in order to prevent overbroad sharing of information.

It has been suggested that this recommendation would require departments to become experts in national security to appropriately assess the necessity of the information prior to sharing it. There is a simple solution to this: amend the Bill to obligate receiving departments to conduct such an assessment upon receipt of the information, and regularly thereafter, and immediately destroy information which is not necessary to fulfill their mandate.  Replacing relevance by necessity would also address the dichotomy between the threshold of one of the main recipients, CSIS, whose governing legislation confines it to collecting information which is “strictly necessary.” If necessity is good enough for CSIS, why would it not apply to all recipient agencies?

Second, regarding oversight: I remain concerned that 14 of the 17 receiving agencies are not subject to effective independent review. Furthermore, while national security agencies will be able to share information much more easily, existing review or oversight bodies, my Office included, are hidebound by jurisdictional limitations and prohibitions against information sharing amongst themselves.

While my Office will have a role in reviewing how the provisions of this Bill will take effect, I wish to reiterate that the Privacy Act confines my compliance activities to matters which involve personal information. No review body has jurisdiction to review the general lawfulness or effectiveness of the activities of 14 of the 17 receiving agencies.

Furthermore, given the breadth of the information sharing contemplated by this Bill, and my other responsibilities under the Privacy Act and PIPEDA, my Office’s review may not be fully effective with its current level of resources. I will adjust our work priorities as much as possible, but directing my review powers towards activities related to C-51 will likely come at the expense of reviewing other important programs and initiatives, both in the public and private sectors.

Some final observations: the Minister of Public Safety has indicated there are several privacy protections envisaged by Bill C-51. While I agree there are some, I believe they fall quite short of what a balanced approach would require. For example, Privacy Impact Assessments are a useful risk-mitigation tool but, as policy instruments, they do not have the power of law behind them. In fact, their use is discretionary. Furthermore, on the issue of records retention and how long information shared under C-51 will be kept, we have heard that such details may be delineated in Regulations. This is a weak safeguard, as nothing would preclude the adoption of very long periods of retention.

In my view, Parliament has an important role to ensure that if information-sharing powers are greatly increased through the law, as they are with Bill C-51, commensurate information protection safeguards should also be adopted as enforceable legal standards, and not as general principles found in the preamble to Part 1. This is why, in addition to raising thresholds, I recommend that information-sharing agreements be required and in writing, and that records be duly kept regarding their use so that oversight bodies, like my Office, can conduct meaningful review. I also recommend that the law require that information shared under C-51 be retained by receiving institutions only as long as necessary.

With that, I welcome the opportunity to respond to your questions.