Yesterday, I had the honour of participating in a terrific panel at the University of Ottawa on Bill C-51 alongside colleagues Dean Nathalie Des Rosiers and Joanne St. Lewis (the panel was moderated by the Toronto Star’s Tonda MacCharles and organized by Carissima Mathen). My remarks focused on the privacy implications of Bill C-51, drawing on a recent column on the issue (Toronto Star version, homepage version). My opening comments are posted below.



A Conversation About Bill C-51

Thanks to Carissima Mathen for organizing this panel. It’s a great idea and given that this week looks like the final week for committee hearings, very timely.

It is hard to know where to start with Bill C-51. So I’m not going to start with the bill at all. In fact, I’d like to share my context for reviewing the bill and provide a far more personal take than is typical. There is good reason for doing so – if you have followed the rather limited committee hearings to date, you know that government MPs have made deeply personal comments, raising questions about the loyalty to Canada of some witnesses and whether critics of the bill believe terrorism is a threat.

So, let me be clear. My children go or have gone to a school that has 24 hour security. They get buzzed into the building by a security guard. Their lunch boxes are tagged so that non-tagged bags can be easily identified in case of a threat. My community centre has 24 hour security and requires identification to enter in a manner reminiscent of some embassies. When I go to synagogue, there are armed police who prominently guard the building. All of this is for good reason. There have been attacks in recent months around the world on Jewish synagogues, museums, and grocery stores that has resulted in the murder of innocent civilians.

The terror threat is something that my family feels everyday.

That’s my context for C-51. But my context also comes from being engaged in privacy related issues for most my career. I have a book coming out in a couple of months – an edited volume with contributions from scholars from across the country include Forcese, Roach, Austin, Parsons, and others – on privacy and security in Canada in the post-Snowden environment that shapes my thinking. And that experience, as well as the work of exceptional scholars, leaves me convinced that providing law enforcement with the powers it needs is a far cry from granting it a blank cheque.

The Snowden revelations have made it abundantly clear that given the capability, intelligence agencies and law enforcement will monitor and gather everything they can and then disseminate and data mine that information in every conceivable way. This means tracking everything. Indeed, it is why the nearly weekly reports about an NSA or CSE or GCHQ initiative to gather all Internet communications or hack into private systems no longer shocks. For example, we know that Canadian agencies grab tens of millions of downloads every day from users around the world. We know that Canadian Internet communications pass through routers that collect the metadata on all communications. These are our agencies working on concert with others, yet the activities merit barely a mention.

This is the current reality. I would prefer – in fact, I think we desperately need – far stronger limits on data collection, which is currently indistinguishable from mass surveillance. We also need stronger safeguards on its dissemination, disclosure, and use. And we need far better oversight to ensure that this massive data collection does not run afoul of the law and is not misused.

That too is part of my context for Bill C-51 and which brings me to the information sharing provisions in the bill.

The privacy-related concerns in the bill stem from the Security of Canada Information Sharing Act (SCISA), a bill within the bill, that goes far further than sharing information related to terrorist activity. It does so in three steps.

First, the bill permits information sharing across government for an incredibly wide range of purposes, most of which have nothing to do with terrorism. The government has tried to justify the provisions on the grounds that Canadians would support sharing information for national security purposes, but the bill allows sharing for reasons that would surprise and disturb most Canadians.

The bill opens the door to information sharing due to “activity that undermines the security of Canada.” Rather than using the CSIS Act definition, however, it creates a new expansive definition. Terrorism is included within the definition, but several of these provisions would seemingly allow for information sharing for almost any investigative purpose, particularly “public safety” and the “economic or financial stability of Canada.”

Further, the provision excluding “lawful advocacy” provides little comfort, given the ease with which those protections can be lost due to a municipal violation or other technical issue. Those expressing fears about these provisions covering advocacy or protests have good reason for doing so.

Second, the scope of sharing is exceptionally broad. The government not only opens the door to sharing information for a myriad of non-terrorism purposes, but it also permits access for a broad array of government institutions and departments. The bill currently identifies the following 17 institutions and departments:

• Canadian Border Services Agency

• Canada Revenue Agency

• Canadian Armed Forces

• Canadian Food Inspection Agency

• Canadian Nuclear Safety Commission

• CSIS

• CSE

• Citizen and Immigration

• Finance

• Foreign Affairs, Trade, and Development

• Health

• National Defence

• Public Safety

• Transport

• FINTRAC

• Public Health Agency

• RCMP

That list can grow, however, with cabinet empowered to add institutions and departments by regulation. Moreover, the inclusion of CSE, which as noted has been the focal point of the Internet surveillance debate due to the Snowden revelations, suggests that CSE information could be readily shared across government departments despite repeated claims that its work does not target Canadians.

In addition to this form of information sharing, the bill also permits additional use and disclosure of information “in accordance with the law…to any person, for any purpose.” Section 6 states:

For greater certainty, nothing in this Act prevents a head, or their delegate, who receives information under subsection 5(1) from, in accordance with the law, using that information, or further disclosing it to any person, for any purpose.

It is worth repeating – “disclosing the information to any person, for any purpose.”

Third, oversight is indeed a problem since the privacy protections found in Privacy Act are widely viewed as already outdated. In fact, Bill C-51 effectively neuters the core protections found in the Privacy Act by opening the door to the very kind of information sharing that the law is intended to prevent.

Since the enactment of the Privacy Act in 1983, every federal privacy commissioner has urged the government of the day to strengthen it. Those calls have grown louder over the past decade as PIPEDA places tougher obligations on the private sector than the government places on itself. The law as it currently stands has weak annual reporting requirements from government agencies, does not provide much protection to Canadians from abusive treatment by foreign states, does not give the Privacy Commissioner order-making power, does not provide redress in cases involving harm, does not prevent over-collection of personal information, does not protect against surveillance where the data is not recorded, and does not feature security breach disclosure requirements.

Given its impact, it should come as no surprise that in recent weeks, all privacy commissioners from across the country have spoken out. For example, Privacy Commissioner of Canada Daniel Therrien, appointed by the government less than a year ago and described as an expert by Prime Minister Stephen Harper, slammed the bill:

the scale of information sharing being proposed is unprecedented, the scope of the new powers conferred by the Act is excessive, particularly as these powers affect ordinary Canadians, and the safeguards protecting against unreasonable loss of privacy are seriously deficient. While the potential to know virtually everything about everyone may well identify some new threats, the loss of privacy is clearly excessive. All Canadians would be caught in this web.

All provincial privacy commissioners have offered a similar analysis, jointly calling on the government to withdraw the information sharing aspects of the bill. They also warn of routine surveillance of large portions of the population:

It could be used to authorize, in effect, surveillance across governments in Canada, and abroad, for virtually unlimited purposes. Such a state of affairs would be inconsistent with the rule of law in our democratic state and contrary to the expectations of Canadians.

The privacy community may be unanimous in condemning the information sharing provisions in Bill C-51, but discouragingly Liberal leader Justin Trudeau has pointed to those provisions as one of the positives of the bill.

What he should be saying – along with all opposition MPs and the broader public – is that this bill needs amendment. There may be times when we want government to be able to share information more aggressively to counter a legitimate security threat. Yet that can still occur with amendments that would adopt the CSIS Act approach to security threat (thereby limiting the scope of sharing) and building in stronger oversight through both the Privacy Commissioner of Canada (via the Privacy Act) and addressing the ongoing concerns with CSIS and CSE oversight.