Bill C-51, the Anti-Terrorism Act, 2015

Submission to the Standing Senate Committee on National Security and Defence

April 16, 2015

Mr. Daniel Lang
Chair, Standing Senate Committee on National Security and Defence
The Senate of Canada
Ottawa, Ontario  K1A 0A4

Dear Mr. Chair:

I am writing today in advance of my scheduled appearance on Bill C-51, the Anti-Terrorism Act, 2015, which was tabled on January 30, 2015. My comments below mirror those which I submitted to the Standing Committee on Public Safety and National Security of the House of Commons on March 5, 2015.

My comments will focus on Part 1 of the Bill, which would create a new Security of Canada Information Sharing Act (SCISA). The purpose of that Act is to encourage and facilitate the sharing of information among federal institutions in order to protect Canada against acts undermining its security. Clearly, protecting the security of Canadians is important, and we recognize that greater information sharing may sometimes lead to the identification and suppression of security threats. However, the scale of information sharing being proposed is unprecedented, the scope of the new powers conferred by the Act is excessive, particularly as these powers affect ordinary Canadians, and the safeguards protecting against unreasonable loss of privacy are seriously deficient. While the potential to know virtually everything about everyone may well identify some new threats, the loss of privacy is clearly excessive. All Canadians would be caught in this web.

National security agencies have an important and difficult mandate in protecting all Canadians from terrorist threats, and I believe they generally strive to do their work in a way that respects human rights. But history has shown us that serious human rights abuses can occur, not only abroad but in Canada, in the name of national security. The MacDonald Commission identified such abuses in the 1980s, which led to the creation of the Canadian Security Intelligence Service (CSIS) and its review body, the Security Intelligence Review Committee (SIRC).^{Footnote 1} More recently, the O'Connor and Iacobucci Commissions confirmed that national security information sharing, the subject matter of the Bill before you, has led to torture in the post 9/11 environment.^{Footnote 2} More recently still, revelations by Edward Snowden have shown how pervasive government surveillance programs can be, including some in place in Canada, and how they can affect all Canadians, not only those suspected of being a terrorist threat.

If adopted in its current form, the Security of Canada Information Sharing Act would make available to 17 federal departments and agencies, which hold some responsibilities in relation to national security, potentially all personal information that any department may hold on Canadians. We reach this conclusion because, as will be explained later, the language used in SCISA to confer information sharing authorities is extremely broad. For instance, all the tax information held by the Canada Revenue Agency, which historically has been highly protected information, would be broadly available if deemed relevant to the detection of new security threats. As well, all information that departments hold about young persons that was obtained for a specific purpose could be further shared with these 17 departments and data mined with a view to identifying those at risk of being radicalized. As another example, in an effort to identify persons who may be engaged as foreign fighters abroad, the Canada Border Services Agency could be asked to provide information on all individuals, including tourists and business persons, who have traveled to countries that are suspected of being transit points to conflict areas.

In sum, the 17 federal departments in question would be in a position to receive information about any or all Canadians’ interactions with government. This information could then be analysed along with information they had previously collected or obtained through other sources, including foreign governments. We are moving very quickly into the world of Big Data, which relies on massive amounts of personal information being analyzed algorithmically to spot trends, predict behaviours and make connections before any specific investigation is initiated or any particular individual is suspected of anything. As a result of SCISA, 17 government institutions involved in national security would have virtually limitless powers to monitor and, with the assistance of Big Data analytics, to profile ordinary Canadians, with a view to identifying security threats among them.

In a country governed by the rule of law, it should not be left for national security agencies to determine the limits of their powers. Generally, the law should prescribe clear and reasonable standards for the sharing, collection, use and retention of personal information, and compliance with these standards should be subject to independent and effective review mechanisms, including the courts. Specifically, the following amendments should be made to ensure that information sharing among federal institutions, under SCISA, takes place in a way that respects the privacy rights of Canadians.

Standards for sharing information

Bill C-51 sets the threshold for sharing Canadians’ personal information far too low, and broadens the scope of information sharing far too much.

SCISA would authorize virtually systematic sharing of information, for broad purposes not all clearly related to national security, through the use of a few key terms: information would be shared if “relevant” to the jurisdiction of a recipient institution in respect of “activities that undermine the security of Canada”, including in respect of the detection, identification, analysis, “prevention” of activities not yet identified, in addition to the investigation or disruption of known threats.

We accept that the detection and prevention of national security threats are legitimate state objectives, but we reference these words in section 5 of SCISA to stress their importance in understanding that information sharing would not be limited to known terrorism suspects; it would include information on everyone, including law-abiding Canadians, if relevant to the detection of threats.

More problematic is the definition of “activities that undermine the security of Canada” which goes further than the existing definitions, untouched by SCISA, of “terrorist activity” in s.83.01 of the Criminal Code and “threat to the security of Canada” in s.2 of the Canadian Security Intelligence Service Act (the CSIS Act). It is not clear why new activities are included and how they all relate to genuine security threats. It is also not clear how SCISA's definition is to apply when the information to be shared relates to an activity that is not mentioned in the mandate of the recipient institution. For instance, what should CSIS do if it receives information that relates to an “activity” included in the SCISA definition that is not mentioned in the definition of “threat to the security of Canada”? Pursuant to s.12 of the CSIS Act, CSIS can only collect information, where strictly necessary, if it relates to a threat as defined in its enabling legislation. Is CSIS to reject information disclosed under SCISA if it does not relate to a threat as defined, or is the definition of threat in the CSIS Act to be read in light of the new SCISA definition and somehow expanded to authorize information sharing under the wider definition?

Equally problematic is that SCISA would authorize information sharing if “relevant” to the jurisdiction of the recipient institution, rather than "necessary" to its mandate or “proportional” to the national security objective to be achieved. We note that relevance is a much broader standard than that established elsewhere with respect to the collection of personal information. As mentioned, CSIS can only collect information where “strictly necessary” to report and advise the Government of Canada in relation to a defined threat. CSIS would seemingly have to reject information disclosed to it under a relevance test, if the information did not also meet the necessity test under s.12 of the CSIS Act. In the case of recipient institutions other than CSIS, the Directive on Privacy Practices as issued by the Treasury Board Secretariat in support of the Privacy Act obligates institutions to limit collection of personal information to what is directly related to and “demonstrably necessary” for the government institution’s programs or activities.^{Footnote 3}

The threshold for information sharing (that is, whether the sharing of information is to be authorized on the basis of relevance, necessity or proportionality) is of central importance to striking the right balance in the protection of privacy rights. Applying a relevance standard, because it exposes the personal information of everyone, would contribute greatly to a society where national security agencies would have virtually limitless powers to monitor and profile ordinary Canadians. Consequently, we recommend that a necessity test be the standard, which would be in line with s.12 of the CSIS Act, that the government interestingly does not believe needs amendment, and the general directive of the Treasury Board Secretariat. However, if a necessity test is deemed too high, Parliament should consider adopting a proportionality and reasonableness test, as is proposed for the new CSIS disruption powers found in Part 4 of
Bill C-51.

While the Preamble to SCISA lists a number of governing principles, including consistency with the Charter and privacy protection, as well as the need for accountable and effective information-sharing, it is not clear that these principles would be binding. We believe effective privacy protection requires more than principles; it requires that the standards recommended below be adopted as statutory requirements under SCISA.

Recommendation 1: Only information which meets the necessity standard, rather than the relevance standard, should be shared with the 17 agencies listed in the Schedule. Alternatively, a recipient department should be required to conduct an assessment of the reasonableness and proportionality of the collection in achieving their mandated national security objective.

Recommendation 2: The definition of "activities undermining the security of Canada" should be reviewed to ensure that it is not overly broad and includes only real threats to security. In the case of conflict between that definition and the jurisdiction of recipient institutions, it should be clarified that the former is not intended to expand the latter.

Record-keeping obligations

Bill C-51 is far too permissive with respect to how shared information is handled. It sets no clear limits on how long information is to be kept.

The Bill is largely silent on the subject of retention and disposal of information shared. There is authority to make regulations "respecting the manner in which records are kept and retained", but there is no clear obligation for receiving institutions to discard information which does not meet their statutory collection standards, or to dispose of information once it has served its purpose. We have seen in other contexts, particularly in our ongoing assessments of Canada’s financial intelligence agency, FINTRAC, but also in our review of the RCMP’s exempt data banks and the audits we conduct of other government institutions that once information is received, it is tempting to retain it regardless of its relevance or value.

Often, we hear the argument that information is kept “just in case” it may be useful later. This is highly problematic in the context of SCISA where large amounts of personal information about law-abiding individuals could be retained for long periods. Not only would SCISA give 17 agencies involved in national security the potential to know everything about everyone, it could allow them to keep this information forever.

Recommendation 3: Bill C-51 should be amended to include as a statutory requirement that personal information that does not meet the recipient institution's legal collection standards should be discarded without delay. SCISA should also require that information, once collected, is retained only as long as necessary. Reviews should be held at regular intervals, prescribed by regulations, to ensure that this principle is respected and that the retention of information is justified. Finally, SCISA should require that proper documentation of all collection and retention decisions be maintained.

Information-Sharing Agreements

Bill C-51 fails to require that information sharing be subject to written agreements.

While the Bill enunciates the importance of information-sharing agreements as a principle and as a practice that is "appropriate", we believe that written agreements should be legally required. Such agreements could provide more specificity beyond the core standards set out in legislation (relevance, necessity or proportionality, retention) for what is to be shared and how, when information is to be retained, when it must be disposed of, and include robust accountability measures to assign responsibility for and review of sharing, including direction on how documentation disclosed or received should be handled.

These agreements, properly crafted, would go a long way to ensure that only appropriate and accurate information is shared. In New Zealand, such agreements are required, and the Privacy Commissioner must be consulted on them. Our experience in reviewing departmental privacy impact assessments (PIAs), which are currently required under a Treasury Board Secretariat directive, is that it has been a highly useful tool in preventing privacy concerns.^{Footnote 4} We suggest that building in a consultation with my Office on information-sharing agreements would be equally useful. Moreover, written agreements would also give oversight bodies something concrete against which to assess information-sharing practices, leading to more meaningful review.

Recommendation 4: Bill C-51 should be amended to include an explicit requirement for written information agreements. More detailed elements of what should be in the agreements could be set out in Regulations. The Office of the Privacy Commissioner should be consulted in the development of these agreements.

Oversight and Review

Bill C-51 exacerbates serious gaps in existing oversight and review mechanisms, and does not facilitate sharing between review bodies. As for affected individuals, the privacy regime provides no judicial recourse for improper collection, use or disclosure of their personal information.

No level of review can address inadequate standards. As stated in the introduction, in order to ensure that privacy rights are respected in the context of SCISA, the law should prescribe clear and reasonable standards for the sharing, collection, use and retention of personal information. Along with such standards, it is equally important that compliance with these standards be subject to independent and effective review mechanisms, including the courts. Independent review is particularly critical because information sharing under SCISA will often occur secretly, and so individuals may not be able to otherwise challenge the disclosure or use of their information.

Although there is currently some level of review, there are obvious gaps: 14 of the 17 agencies listed in Schedule 3 that will receive information for national security purposes are not subject to dedicated independent review or oversight. To fill that gap, the jurisdiction of one or more of the existing review bodies should be extended to include the 14, or a new expert review body with horizontal jurisdiction should be created to review the lawfulness and reasonableness of national security activities. While it is true, as mentioned in the government's backgrounder to Bill C-51, that my Office has the mandate to review the personal information handling practices of all these agencies, the Privacy Act necessarily restricts what we can examine to “personal information” as defined by the Act; we do not have jurisdiction to examine in general the lawfulness of the activities of national security agencies. That said, we do have authority to review compliance with privacy requirements, and I intend to play that role vigorously as it pertains to SCISA. I note, however, that our review may not be fully effective without some additional resources, as the Act will greatly increase information sharing both in volume and in terms of the complexity of the legal issues involved.

Effective review also requires that judicial recourse and remedies be available for aggrieved individuals. The Privacy Act currently provides no judicial recourse for complainants or indeed my Office in cases involving improper collection, use, disclosure or retention of personal information. ^{Footnote 5} All they have right to is a report of non-binding recommendations by my Office with no further enforcement mechanism and no possibility for remedy. This is insufficient and it is reasonable, in the context of this Bill which so widely extends the scale of information sharing between departments and agencies, to give Canadians effective legal remedies in order to pursue their complaints beyond the issuance of my report. I would therefore reiterate the calls my predecessors have made to amend the Privacy Act by broadening the Federal Court review to all grounds beyond just denial of access which is currently the case.^{Footnote 6}

Another obstacle to effective review is that existing review bodies are currently unable to share information amongst themselves. As we and others have stated previously,^{Footnote 7} there is at present no explicit legislative authority to conduct joint reviews of national security operations, nor is there a mechanism whereby information of relevance that may be discovered by one review body could be passed to another. In fact, the confidentiality provisions in the Privacy Act explicitly prevent my Office from sharing information with other review bodies, such as the Security Intelligence Review Committee, the Office of the Communications Security Establishment Commissioner or the Civilian Review and Complaints Commission for the RCMP concerning ongoing investigations into national security practices. A system which proposes removal of silos between government departments for information-sharing purposes must provide for the same removal of silos for the bodies which ensure their activities are compliant with the law.

Other countries have implemented an oversight model which includes review by a Committee of Parliamentarians, while maintaining review by an independent body of experts. Such a model would offer clear advantages in terms of democratic accountability, and the mandates of the Committee of Parliamentarians and the committee of experts could be defined so as to avoid duplication.

Finally, in order to ensure that an appropriate balance between privacy and security is maintained after the implementation of SCISA, a parliamentary review of its provisions and their application should be required three (3) years after its coming into force. This review should be conducted in light of other legislation that has had an impact on information sharing, such as C-13 and C-44. In our view, this would allow for a broader consideration of the cumulative effects such information sharing has had on Canadians.

Recommendation 5: Bill C-51 should be amended to ensure that all 17 agencies in Schedule 3 are subject to independent and effective review, by an expert body and by Parliamentarians; to remove impediments for information exchange between existing review bodies; and to amend the Privacy Act to allow for judicial recourse in cases involving collection, use or disclosure of personal information. The Bill should also include a mandatory period of review after three years.

Conclusion

In the wake of the tragic events of October 2014 in Canada, and similar events elsewhere, Canadians expect that the government will protect them from terrorist threats. But we have heard and continue to hear resounding support for the protection of privacy. Our own polls indicate that privacy protection is still very much front of mind. Over the past weeks, I have been holding meetings with stakeholders to discuss what my Office’s priorities should be for the coming years. At those meetings, I have repeatedly heard that Canadians understand the need to share their information with the government, but that they have concerns about how this information is going to be used. They are particularly concerned with the issue of government surveillance. Bill C-51 does nothing to assuage those fears.

In its current form, Bill C-51 would fail to provide Canadians with what they want and expect: legislation that protects both their safety and their privacy. In my submission, the amendments recommended here are necessary to achieve an appropriate balance which is currently lacking. I welcome the opportunity to discuss these recommendations and speak to any other points I have raised in this letter during my appearance.

Sincerely,