Bill C-13, An Act to amend the Criminal Code, the Canada Evidence Act, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act

Submission to the House of Commons Standing Committee on Justice and Human Rights

June 9, 2014

Mike Wallace, M.P.
Chair, Standing Committee on Justice and Human Rights
Sixth Floor, 131 Queen Street
House of Commons
Ottawa ON K1A 0A6

Dear Mr. Wallace:

Thank you for the invitation from the Committee to present the views of the Office of the Privacy Commissioner of Canada (OPC) in connection with Bill C-13, the Protecting Canadians from Online Crime Act.  To date, your study has raised a range of legal, policy and technical issues.  As a result, we felt specific written comments would enable your members to make the most of the time during our appearance in connection with your study of the Bill.

Welcome measures

Our Office views the first aim of the Bill – those parts tackling online bullying, harassment and the circulation of intimate images – as commendable.  The OPC has long viewed public awareness of internet safety issues as a key part of our education role and privacy can clearly help protect victims of cyberbullying and allow them to recover.  For example, our participation in the recent case A.B. v. Bragg Communications Inc. before the Supreme Court was an effort to promote the privacy rights of victims of online harassment. 

Online stalking, cyber-bullying and other forms of internet exploitation are a pressing social issue that is of serious concern to Canadians, especially parents, teachers and police.  We agree with previous witnesses in your study that better education, public discussion, legal reform and prosecutorial efforts all play a part.  As well, children need access to resources that help them understand and navigate online risks, use technology responsibly, and behave ethically online. 

Online bullying has a deeply invasive privacy component – after all, privacy has been defined ultimately as the right to be left alone.  Criminalization of distribution of intimate images without consent and extending Criminal Code provisions to cover new channels of communication will send an important signal; namely, that misuse of technology and personal information to victimize others is wrong and will carry consequences. 

The Bill also has a secondary goal: to introduce some new investigatory powers for police.  Given the complexity of the issues under consideration in your study, it is our view that the Parliamentary review would benefit from a division of the Bill into its constituent parts.  From a privacy perspective, the offence provisions are largely uncontroversial.  They could be quickly dealt with by this House and sent on to the Senate for review.  The lawful access components, which we believe deserve more cautious contemplation, would then benefit from a specifically focused and targeted study.

In the following submission, given our advisory capacity to Parliament, we wish to highlight four specific privacy issues arising from these new powers that we feel merit close scrutiny:

• Thresholds for the use of the new powers and procedures; 
• Range of departments, agencies and officials who can use new powers;
• Informal requests, voluntary disclosure, and legal immunity, and;
• Reporting on the use of the powers.

Thresholds for the use of the new powers and procedures

One of the initial complexities in the Bill is the varying legal thresholds brought into play by the array of investigative powers and procedures.  The bulk of the new powers may be used where investigators have a reasonable suspicion of wrongdoing, not a reasonable belief.  The 'reasonable suspicion' standard is a materially lower and less privacy protective standard for investigators to meet than the traditional, default standard of 'reasonable and probable grounds' that must exist before an individual’s privacy may be intruded upon.

‘Reasonable suspicion’ has been recognized as an appropriate legal threshold in exigent circumstances, where a search is not invasive or one’s expectation of privacy may be significantly reduced as a result of participation in a highly regulated activity (i.e. driving) or context (i.e. border crossings and schools).  In our view, the rationale for resort to a lower and less privacy protective legal threshold has not been established to access and collect private data, including highly sensitive data generated in the course of individuals’ private, Internet-based communications from the sanctity of their own homes.

The following chart identifies the proposed power, examples of information that can be obtained and the relevant threshold: 

Investigative Power	Example of data obtained	Threshold
Preservation demand  - 21 days (s. 487.012)	N/A	suspicion
Preservation order –  three months  (s. 487.013)	N/A	suspicion
General production order (s. 487.014)	Any stored data	belief
Production order to trace specified communication (s. 487.015)	Email, IP and MAC addresses	suspicion
Production order – transmission data (s. 487.016)	Internet Protocol (IP) addresses, website domains and pages, file sharing and other protocols, packet numbers, search engine search terms and email addresses	suspicion
Production order – tracking data (s. 487.017)	Location information, GPS coordinates	suspicion
Production data – financial data (s. 487.018)	Account holder information, types of products held, date of account, current address	suspicion
Warrant for tracking device – transactions and things (s. 492.1(1))	Locations of credit or bank card usage, movements of vehicles	suspicion
Warrant for tracking device – individuals (s. 492.1(2))	Location of tracked individual (via personal mobile device)	belief
Warrant for transmission data recorder (s. 492.2)	See above	suspicion

Transmission data provides a useful example of how authorities can obtain sensitive records via a reduced legal threshold under the new regime.  While ‘reasonable suspicion’ to access “transmission data” uses the precedent of the standard currently required to use  a dial number recorder (DNR), the information  and records comprising “transmission data” as it is defined in the Bill would be significantly more revealing than a simple record of telephone calls (obtained with a DNR). 

In short, the premise that the data covered by the new provisions attracts only a limited expectation of privacy such that reduced legal thresholds are acceptable may not bear out.  Records of these sorts capture all manner of sensitive personal information that should be protected by an appropriately rigorous legal threshold.  We believe suspicion will be too low a threshold for such revealing information in many cases, particularly in our digital era when every transaction, every message, every online search and every call or movement leaves a recorded trace and is, therefore, potentially subject to collection

As a result, while “reasonable suspicion” may be appropriate for preservation of data, we suggest that the traditional standard of “reasonable grounds to believe” be used for the new production orders and warrants for which the “reasonable suspicion” standard is being proposed.   A more compelling case for the use of a reduced legal threshold must be presented and thoroughly examined.

Range of departments, agencies and officials who can use new powers

Another aspect of the Bill to consider is the wide range of governmental authorities and governmental bodies – well beyond police - that will be able to use the new investigative powers.   A very broad range of state actors - at all levels of government - will be able to utilize all the new investigative powers including, for example, demanding the preservation of data, seeking production of personal records or private communications, or requesting warrants to collect tracking data associated with vehicles, transactions or individuals. 

The language proposed for section 487.011 defines a public officer as anyone “appointed or designated to administer or enforce a federal or provincial law and whose duties include the enforcement of this Act or any other Act of Parliament.”  So it is important to be clear who will be empowered by the Bill.

In addition to police officers, mayors, wardens, reeves, sheriffs, certain airline pilots, customs officers, fisheries officers and any federal or provincial officer whose duties include the enforcement of federal laws may also access these investigative tools, tracking warrants and production orders.

While many law enforcement and security agencies already have robust oversight and reporting requirements (e.g. the RCMP and CSIS) other government bodies implicated by this definition have no dedicated review and no requirement to provide public reporting (e.g. CBSA and DND).  We would argue that the broad scope of powers, extending to such a range of government departments and agencies, calls for caution given existing gaps in accountability and oversight mechanisms. 

We would recommend retaining clear designated categories for “public officers” rather than adopting an open-ended definition.  In this way, the departments and agencies authorized by law to make use of these tools are clearly indicated and specifically limited to those whose legislated duties require that they have access to the new powers.

Informal requests, voluntary disclosure, and legal immunity

Another concern – and core to our concerns for proper privacy protection - relates to new language in section 487.0195 of the Criminal Code to extend legal immunity.  This will cover instances where companies or individuals provide information to government agencies in circumstances where there is no warrant or other judicial oversight of the information exchange.  Similar protection from liability exists currently (s. 487.014).  However, there is an important change made by the Bill, namely the removal of the requirement that a criminal offence or a breach of another federal law be under investigation. 

As a result, the new provision allows public and peace officers complete discretion to request that organizations voluntarily provide any information (there are no limits on the types of data that may be obtained in this way) and in any circumstances (there are no longer any limits) without risk of criminal or civil liability for the organization in question.  We view the proposed section 487.0195 as problematic for a number of reasons. 

First, we believe that third-party data holders should not be encouraged to voluntarily disclose customers’ sensitive personal information on behalf of – and without notice to – affected individuals. 

Canadians expect that their service providers will keep their information confidential and that personal information will not be shared with government authorities without their express consent, clear lawful authority or a warrant.

Second, the proposed section 487.0195 grants public and peace officers full discretion with respect to their reliance on this provision.   As a result, commercial organizations will be left to assess the relative merits and legitimacy of each request.  In view of the legal immunity offered them, they may lack the incentives to challenge or refuse such requests.  This result is not in keeping with Canadians’ expectations that law enforcement (and, indeed, privacy protection) will be consistent, rules-based and subject to appropriate oversight.

Third, it is our view that this provision will exacerbate existing confusion with respect to organizations’ obligations under paragraph 7(3)(c.1) of the Personal Information Protection and Electronic Documents Act (PIPEDA).  Under this provision, an organization may disclose personal information to a government institution or part of a government institution without the knowledge or consent of the individual only if the government institution has requested it; has identified its ‘lawful authority’; and has indicated that the information requested is for the purpose of law enforcement.

At present, there is a significant degree of confusion around what constitutes the ‘lawful authority’ that must exist for paragraph 7(3)(c.1) to authorize an organization to provide information to law enforcement officials without the affected individual’s consent.  We are concerned that the language of the proposed section 487.0195 could be misinterpreted as a new source of “lawful authority” to request personal information for the purposes of paragraph 7(3)(c.1) of PIPEDA.  This could result in a significant increase in requests for and disclosures of personal information without court oversight, a practice we already understand may be substantial. 

To avoid adding to this confusion, we recommend that the proposed section 487.0195 be deleted or clarified to explicitly state that it does not, in itself, constitute “lawful authority” for the purposes of paragraph 7(3)c.1.   

Reporting on the use of the powers

On a related point, the lack of provisions for public reporting by government authorities on the use of the new powers is a concern.  As outlined above, the types of data being preserved and accessed with these new techniques can be sensitive.  Location data, histories of movements and transactions, networks of contacts –
these all can paint a vivid portrait of an individual.

Members should bear in mind that Canada has a solid precedent to consider already in law.  Since 1977, the Annual Report on the Use of Electronic Surveillance tabled annually in Parliament (pursuant to Criminal Code section 195) has provided a model for reporting on sensitive investigations. 

We believe the same provisions could be applied to the new powers.  That would provide Parliamentarians with ongoing insight into the usage, results and overall effectiveness of the new measures. Should Parliament ultimately decide not to split the bill for further study, we would then recommend provisions for an ongoing five-year review of the powers, to measure the effectiveness of these proposed amendments and their privacy impact, overall.

Conclusion

Thank you once again for the opportunity to present the Committee with our views on the proposal.  We are looking forward to the discussion and any questions of your Members in connection with the current study.

Sincerely,

cc: Jean-François Pagé, Clerk