Follow-up letter to the Standing Committee on Public Safety and National Security regarding the review of Bill C-59, An Act Respecting National Security Matters

On March 19, 2018, the Privacy Commissioner of Canada, Daniel Therrien, sent the following letter to the Standing Committee on Public Safety and National Security to support the Committee's review of Bill C-59, An Act Respecting National Security Matters. It provides further clarification for a letter he submitted to the Committee on March 5, 2018. Both letters follow-up on his December 2017 appearance before the Standing Committee on the subject of Bill C-59.

Bill C-59 is the legislation proposed by the Government of Canada following its public consultation on Canada’s national security framework. Commissioner Therrien, along with his provincial and territorial counterparts, made a formal submission to the government’s consultation in December 2016.

March 19, 2018

The Honourable John McKay, M.P.
Chair, Standing Committee on Public Safety and National Security
House of Commons
Ottawa, Ontario K1A 0A6

Dear Mr. Chair:

I am writing today as a brief follow-up to our submission of March 5, 2018, on Bill C-59, An Act Respecting National Security Matters.

One of the most important recommendations I made to protect the privacy rights of law-abiding citizens who are no threat to national security is recommendation 5(iii), which suggests that a government institution that initially receives personal information as necessary to its mandate should be required to dispose of that information if, after analysis, the institution concludes that the person is not a threat to national security. The underlying premise is that while it may be reasonable for government institutions to share information about large numbers of individuals, most of whom are law abiding, to identify new threats, once persons have been determined to not be a threat, their information should not be retained in the holdings of national security agencies.

As I mentioned in my March 5 submission, my Office saw a recent example of this during a review of the Canada Border Services Agency (CBSA)’s Scenario Based Targeting Program. My recommendation is also consistent with the decision of the European Court of Justice in the Passenger Name and Record case involving Canada, decided in July 2017.^{Footnote 1} In that case, the highest court in the European Union held that retention of information of individuals who were found to pose no threat to national security did not meet legal requirements of necessity and proportionality and was incompatible with fundamental human rights.

While I believe there are strong policy and legal reasons that support recommendation 5(iii), I realize this may be seen as uncharted territory for national security agencies and therefore imprudent in their view. It is for that reason that I wish to make the following points.

First, this recommendation is analogous to the regime that would apply to CSIS under part 4 of Bill C-59. Under these provisions, as you know, the authority conferred on CSIS to collect information is extended considerably through the “datasets” provisions. Canadian datasets, which can include information about individuals found not to be threats to national security, can be retained only if their retention is likely to assist CSIS in the performance of its mandate.

Second, my recommendation rests on another precedent, since the principle that in my view should apply to recipient institutions, under Part 5 of Bill C-59, already applies to private organizations under Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). I am referring here to principle 4.5 in Schedule 1 to PIPEDA, which provides that: “Personal information shall be retained only as long as necessary for the fulfilment of (the) purposes” for which the information was collected. In the context of Part 5 of Bill C-59, this would mean that personal information collected by a recipient institution for the purpose of detecting new threats should no longer be retained once that purpose has been fulfilled (except of course for those who have been identified as posing a threat to national security) or, if Part 4’s analogy is applied, unless the information is necessary for the continued performance of the recipient institution’s mandate.

This leads me to suggest that recommendation 5(iii) could be achieved through the following language, which would be added as a new provision of SCIDA:

A Government of Canada institution that receives personal information under this Act shall only retain it for so long as is reasonably necessary for the fulfillment of the purpose for which it was received, or for other purposes necessary to the exercise of that institution’s jurisdiction or the carrying out of its responsibilities under an Act of Parliament or another lawful authority, in respect of activities that undermine the security of Canada.

An amendment of this nature would mitigate against potential for ongoing suspicion of people who have been determined to not be a threat and, I believe, is necessary to adequately protect the privacy rights of law abiding citizens.

Thank you once again for the opportunity to clarify my views and I hope these points are helpful to Committee Members as you conclude your study and clause-by-clause consideration of this Bill.

Sincerely,

Encl.

c.c.:
Jean-Marie David
Clerk of the Committee