Appearance before the Standing Committee on Public Safety and National Security (SECU) on Bill C-59, An Act respecting national security matters

December 7, 2017
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

Bill C-59 introduces a wide range of measures intended to strengthen Canada’s national security framework in a manner that safeguards the rights and freedoms of Canadians.  On the whole, I find it represents a step in the right direction but, as other commentators have noted, its weakest part is the Security of Canada Information Sharing Act (SCISA), which contains provisions related to information sharing and privacy. Professor Forcese, for instance, gave these sections a failing grade.  I was glad to hear Minister Goodale last week say that SCISA was probably a part most deserving of scrutiny. I hope your study will result in much needed improvements to these rules.  

In previous Parliamentary briefs and in a submission on the federal government’s national security consultation, I highlighted the need for rigorous legal standards around the collection and sharing of personal information, effective oversight, and minimization of risks to the privacy of ordinary, law-abiding Canadians (particularly through privacy sensitive retention and destruction practices).  Specifically, I indicated that the “law should prescribe clear and reasonable standards for the sharing, collection, use and retention of personal information, and compliance with these standards should be subject to independent and effective review mechanisms.”  It is with this analysis in mind that I offer the following comments and recommendations. The full list of recommendations is attached to this statement.

Effective review and oversight

Bill C-59 would create a new expert review body with broad jurisdiction to examine the activities of all departments and agencies involved in national security. Recently, Parliament also created through Bill C-22 a new National Security and Intelligence Committee of Parliamentarians. Both of these  bodies will be able to share confidential information and generally cooperate so as to produce well informed and comprehensive reviews that reflect considerations by experts and elected officials.

These developments are most welcome but they are clearly insufficient. In my view, effective review of national security activities must include both parliamentary and expert review, and the latter must include both national security and privacy experts. Why privacy experts? Because the work of national security agencies depends in large part on personal information; it is their "lifeblood". The OPC is the federal centre of expertise in privacy and personal data protection. Canadians are concerned that anti-terrorism efforts in government not unduly impede their privacy rights, and they expect my Office to play a role in ensuring balance.

Bill C-59 is oddly silent on the role of my Office.  It does not amend the Privacy Act, so my existing authorities appear to be untouched, but the only body with explicit authority to play a role in relation to Part 5, the renamed Security of Canada Information Disclosure Act, is the National Security and Intelligence Review Agency. I refer you to section 9 of Part 5 and section 39 of Part 1. The ETHI Committee in its study of SCISA has already noted the ambiguity in the interplay between that Act and the Privacy Act and it has called for amendments to clarify that the Privacy Act continues to apply to all personal information disclosed pursuant to SCISA. I have provided to your committee amendments that would confirm the application of the Privacy Act and OPC's role, which I am told the government wants to maintain.   

There is, however, no ambiguity on whether my Office would be able to share confidential information with the NSIRA and the new committee of parliamentarians. We would not, and actually we would be prohibited by existing provisions in the Privacy Act from sharing such information. This means that the comprehensive review process offered in Bill C-59 as a fundamental element to bring balance between security and respect for rights would stop short of the objective, by leaving privacy experts out of integrated review. I am at a loss to understand why. If the fear is of duplication between our work and that of other review bodies, I would gladly explain how bringing the OPC firmly within the family of review bodies would not only bring required expertise but would enhance efficiency and reduce overlaps.

Need for rigorous standards for information disclosure and receipt (collection)

When Bill C-51 enacted Security of Canada Information Sharing Act (SCISA), I indicated that among my concerns was the fact that the relevance standard for sharing was set too low, and that there was an absence of clear data retention and recordkeeping requirements and a lack of information-sharing agreements and privacy impact assessments.

The relevance test is too permissive because it casts too wide a net and creates undue risks for ordinary citizens who pose no threat to national security. The government seems to recognize that a relevance standard does not sufficiently protect privacy because it is suggesting changes to section 5 of SCIDA. In its response to ETHI, the government said: "The key issue regarding the threshold is the need to establish specific decision making parameters for the discloser of information that will protect individual privacy but not cause undue delays in the information sharing process." The proposed new section 5, particularly paragraph 5(1)(b), incorporates some aspects of a necessity threshold but falls short of adopting what officials refer to as "strict necessity".

In order to adequately protect privacy rights, this limited progress in increasing the threshold for disclosure would have to be accompanied by more complete changes to the standard applicable to receiving institutions.    Information sharing involves two parties and, to protect rights, rules are also required for receiving institutions.  If relevance is not adequate for disclosing institutions, it is also inadequate, even more so, for receiving agencies. And the delay considerations that may apply to disclosure affect receiving departments very differently. These institutions are perfectly capable of applying the classic, internationally established necessity test, and should be required to do so.

We understand that the government intention is for receiving institutions to continue to be governed by the Privacy Act, or their specific enabling legislation where applicable.  The current Privacy Act threshold is relevance.  As your committee recommended in its May 2017 report on Canada's national security framework, we also recommend that a dual threshold be adopted for information sharing, with necessity and proportionality applying to receiving institutions.

Need for rigorous standards for retention (destruction)

Even if one accepts that government sharing of information related to law-abiding citizens may lead to the identification of new threats to national security, once that information is analyzed and leads to the conclusion that someone is not a threat, it should no longer be retained. Otherwise national security agencies will be able to keep a profile on all of us.

This is consistent with the conclusions of our review of CBSA's Scenario-Based Targeting initiative, summarized in my latest annual report to Parliament, and it is one of the principles upheld by the European Court of Justice in the Passenger Name and Record case, decided in July 2017.

In addition, if the threshold for collecting or receiving information is higher than the standard for disclosure (which is currently the case at least for CSIS, which is held to a necessity test for collection), then rules are required to ensure that information is discarded without delay either when the collection test is not met or if the receiving institution is of the view that the disclosure standard was not satisfied.

Conclusion

My complete recommendations, annexed to this statement, include some that I have made in the past and do not have time to explain in the time allotted. I also intend to write a fuller submission prior to the end of your study. In the meantime, I would be glad to answer any questions you may have.

Annex:  Recommendations

A. Effective review and oversight

1. Amend section 39 of Part 1 to clarify any ambiguity regarding the role of the Privacy Commissioner and add a provision to the following effect:   “Nothing in this Act or any other Act of Parliament^{Footnote 1} should be construed as limiting the powers of the Privacy Commissioner to conduct an investigation to ensure compliance with sections 4 to 8 of the Privacy Act.”
2. The OPC should be among the review bodies having the legal authority and flexibility to share confidential information obtained in the course of their work and to determine when and how to cooperate to avoid duplication, increase efficiency and produce more comprehensive reports. Sections 22 and 23 of the National Security Committee of Parliamentarians Act should be used as a model to provide all review bodies with similar authority to share information “related to the fulfillment of the mandate” of the other review bodies.  These provisions could be transposed in the form of parallel amendments to: 
1. the Privacy Act;
2. Part 1 of C-59, which creates and empowers the NSIRA, and;
3. the National Security Committee of Parliamentarians Act.

B. Rigorous standards for information disclosure and receipt (collection)

3. Amend Bill C-59 to require the necessity and proportionality threshold to apply to receiving institutions, either by way of an amendment to SCIDA or by way of a consequential amendment to section 4 of the Privacy Act.In this way, a dual threshold would apply to national security information sharing: the new s.5 of SCIDA would apply to disclosing institutions and receiving institutions would be governed by a necessity and proportionality threshold.

C. Rigorous standards for retention (destruction) of information

4. That Bill C-59 be amended to impose on recipient institutions retention and destruction rules in respect of personal information that does not meet or no longer meets the recipient’s threshold for collecting the information.   More specifically, we recommend an explicit provision for record disposal by receiving institutions in these three instances: 
   1. any personal information that does not meet their collection threshold;
   2. any personal information that the recipient institution does not believe “will contribute to the exercise of its jurisdiction or the carrying out of its responsibilities”; and,
   3. any personal information which, after analysis, leads to  the opinion that the individual concerned is not a threat to national security.

D. Record keeping

5. Amend subsection 9(1) of SCIDA so that its record keeping obligations apply not only to disclosing institutions  but also to recipient institutions.
6. Add a new subsection to section 9 of SCIDA:  "For greater certainty, the Government of Canada institution must also, on request by the Privacy Commissioner under s.34 of the Privacy Act, provide the Commissioner with a copy of any record requested that it prepared under subsection (1).”

E. Information Sharing Agreements and Privacy Impact Assessments

7. That information-sharing agreements and privacy impact assessments be made into legal requirements either by way of amendment to Bill C-59 in the national security context, or more generally, by way of amendments to the Privacy Act.

F. Extend Improved SCIDA Standards to All National Security Information Sharing

8. That the rules and standards under SCIDA, amended as proposed above, should be extended to all domestic intra-governmental national security information sharing.