Consultation Paper for the Second Additional Protocol to the Budapest Convention

Submission of the Office of the Privacy Commissioner of Canada (OPC) to Justice Canada

March 22, 2024

Gareth Sansom
Deputy Director, Technology & Analysis
Criminal Law Policy Section
Justice Canada
284 Wellington Street
Ottawa, Ontario  K1A 0H8

Re: Consultation Paper for the Second Additional Protocol to the Budapest Convention

Dear Mr. Sansom,

Thank you for providing a copy of your recent consultation paper and the other background information. We also want to thank you for meeting with us in February to provide a detailed walk-through. We appreciate these efforts and welcome continuing the discussions as needed.

Past input on development of the Second Additional Protocol

As you are aware, the Office of the Privacy Commissioner (OPC) is a long-standing member of the Global Privacy Assembly (GPA), a network of data protection offices from around the world. We lead various GPA working groups, and interact with several committees connected to the Council of Europe, including the committee for data protection, as well as their committee attached to the Budapest Convention, which focuses on cybercrime. In that capacity, we have provided earlier advice on the Protocol proposal on two occasions, in 2019 and 2021; copies of these letters are appended to this submission for your reference.

Changing context of law enforcement and international cooperation

While Canada has demonstrated a longstanding commitment to the Budapest Convention and the development of additional Protocols, the most recent proposals also relate to other government initiatives to broaden investigative powers, upon which the OPC has also been consulted. These initiatives include:

  1. prior Justice Canada consultations on access to subscriber data,
  2. ongoing negotiations between Canada and the US to develop a bilateral agreement for law enforcement data access further to the 2016 CLOUD Act [Footnote 1],
  3. consultations led by Finance Canada related to the federal regime to combat money laundering and terrorist financing [Footnote 2], and, in the national security context,
  4. recent Public Safety Canada consultations proposing new search authorities in the context of foreign interference. [Footnote 3]

Those linkages are an important backdrop to the feedback which follows, and, more specifically, inform where the OPC has identified privacy risks.

These discussions have, at varying stages of their development, incorporated proposals or elements analogous to provisions found in the Second Additional Protocol, as detailed in your consultation paper. We will be focusing our feedback on the following sections:

  • direct requests by law enforcement or other competent authorities;
  • ordering disclosures of subscriber and traffic data;
  • safeguards, data protection, transparency, and oversight; and,
  • questions for privacy commissioners on powers and interoperability.

Direct requests by law enforcement

As noted in the paper, Article 7 of the Protocol would empower law enforcement investigators or other competent authorities in one country to obtain subscriber information (as defined in Article 18(3) of the Budapest Convention) from a service provider in another jurisdiction. This raises legal and privacy questions given jurisprudence and constitutional norms differ from state to state, as does effective oversight and review.

Given numerous proposals relating to subscriber data access have emerged in recent years, privacy clearly remains a point of contention across the varied initiatives cited above. That situation will likely persist, given courts in different jurisdictions have their own views on appropriate levels of legal protection, reasonable expectations of privacy, and the impact of emerging technologies and the online environment. [Footnote 4]

This same question arose domestically, in the context of comparing federal and provincial regimes for data protection within Canada, when proposals to authorize federal and provincial police access to subscriber data were advanced by the Coordinating Committee of Senior Officials Cybercrime Working Group in 2016. [Footnote 5] The Criminal Law Policy Section at Justice Canada helped coordinate those discussions, and the question of direct access and oversight mechanisms arose there as well. Federal and provincial privacy commissioners provided feedback on those questions, which is germane to this discussion. We have included a copy for your reference, given that we believe these concerns remain relevant. [Footnote 6]

As noted in the consultation paper (p. 9), the Supreme Court of Canada examined the appropriate legal thresholds for police access in R. v. Spencer. In that decision, the Court unanimously found that internet users were entitled to a reasonable expectation of privacy in subscriber data. This is only one case among dozens dealing with law enforcement collection of sensitive internet usage data. [Footnote 7]

More recently, the Supreme Court of Canada’s March 2024 decision in R. v. Bykovets [Footnote 8] goes a step further. In it, the Court likened IP addresses to a “digital breadcrumb” capable of revealing the “trail of an Internet user’s journey through cyberspace.” [Footnote 9] Given that, the Court found that an IP address can divulge personal information long before a “Spencer warrant” is obtained. [Footnote 10] The Court therefore concluded that, even if an IP address does not immediately reveal a user’s identity, it will nevertheless attract a reasonable expectation of privacy. [Footnote 11] As a result, the Court held that “judicial oversight in respect of an IP address is the way to accomplish s. 8 [of the Charter’s] goal of preventing infringements on privacy.” [Footnote 12] As such, it would be difficult to envision a regime that authorized access to subscriber information without judicial authorization being compatible with Canadian law.

The OPC has provided its views on subscriber information before Parliament [Footnote 13], the Courts [Footnote 14], and the Government. [Footnote 15] Our longstanding position, which is supported both in Spencer and subsequent jurisprudence, [Footnote 16] is that subscriber information should only be accessible with judicial authorization, barring truly exceptional circumstances. As such, given it entails access to subscriber information without judicial authorization, Article 7 would create an access regime for law enforcement that appears misaligned with our own domestic jurisprudence, although that process may be permissible in other jurisdictions.

Decisions about the ratification of the Protocol in general, and Article 7 in particular, should also account for pending legislative developments that could impact information collection and disclosure in public sector contexts. We note Parliament’s current study of Bill C-26, An Act respecting cybersecurity, which is currently before the House of Commons Standing Committee on Public Safety and National Security. This new legal framework may ultimately involve both additional powers to collect and share information, such as subscriber data, from telecommunications and cyber systems operators, in addition to new conditions, constraints, safeguards, or oversight measures, with respect to that collection and sharing.

In summary, while Justice Canada is ultimately best-placed to assess possible avenues for achieving compliance with the Protocol, we believe that reserving the right to opt out of the direct request provision described in Article 7 would likely be the clearest, simplest, and least contentious option from a privacy perspective. [Footnote 17] Given the other information-sharing elements put in place by the Protocol, discussed further below, we believe it is critical that any proposal conforms to the clear requirement in Canadian jurisprudence for judicial pre-authorization for subscriber information.

Compelled disclosures of subscriber and traffic data

Article 8 of the Protocol and related access provisions described in the consultation paper (p. 10) propose parallel procedures and mechanisms. If these provisions were enacted in domestic law, they could allow Canada to empower a federal or provincial superior court judge to review and approve an incoming order from law enforcement of another jurisdiction. Those provisions could be enabled for use by law enforcement for access to either subscriber information or internet traffic data.

In either case, for access to both types of information, the OPC is of the view that maintaining an independent role for court oversight – at arm’s length from specific investigatory or prosecutorial mandates – more closely aligns with the expectations for independent impartial review articulated by Canadian courts. As the paper notes, judicial authorization at an accepted investigative standard is a vital element in court oversight, exercised prior to use of legal powers to access data (p. 13).

That said, expanding this legal process beyond subscriber information to include traffic data would still have significant privacy implications. As we have noted previously, both before the courts and in advice provided to Parliament, transactional data from online activity can be very sensitive and revealing, as it can provide detailed insights into an individual’s financial status, physical and mental health, and religious or political views. [Footnote 18]

Should Canada elect not to opt out under Art 8(13), it should ensure that comprehensive, appropriate, and robust safeguards are applied to any sharing of traffic data, including for example, a notification mechanism, oversight, use limitations, and other procedural safeguards, as described in the next section.

Safeguards, transparency, and oversight

Article 13 of the Protocol enumerates a list of additional requirements before the investigative procedures discussed above can be used, many of which are based on well-established data protection principles such as lawful basis for processing, reasonable grounds for search, limiting scope of collection, and so on. Article 14 requires provisions to be in place to ensure data collected is accurate, that the duration of data retention is limited, appropriate security safeguards are applied, and that rights of access are respected.

Of relevance to this discussion is the GPA’s October 2021 Resolution on proper data protection controls and safeguards in the specific context of law enforcement access to data in the private sector. [Footnote 19] While this Resolution was still at a nascent stage when we last provided input on the Protocol in April 2021, we believe that it offers valuable options for your consideration. We have enclosed a copy for your reference.

The resolution advances eight key requirements for law enforcement access to adhere to data protection principles and appropriate legal safeguards. These include the need for clear legislative authority, a test for necessity and proportionality, mechanisms for public transparency, procedures of individual rights of access, independent oversight, limitations on secondary use, and effective provisions for remedies and redress.

Given the elements highlighted in Articles 13 and 14, we believe Canada’s implementation of the Protocol could be brought into alignment with the core requirements noted in the GPA guidance. We would highlight that other bodies like the OECD and the G7 have subsequently issued similar baseline expectations with comparable principles. [Footnote 20] Furthermore, we believe that Bill C-27 which is currently before Parliament [Footnote 21], and several of Justice Canada’s own proposals for Privacy Act modernization [Footnote 22] would satisfy many of the core requirements set out in Article 14. Modernizing the Privacy Act for example, to meet these new obligations, would help clarify how domestic law enforcement treat personal information they receive from other jurisdictions. As such, we would take this occasion to encourage the government to prioritize those initiatives.

Data protection powers and interoperability

In terms of the legal powers of privacy commissioners in Canada, it is important to note that there are variances from province to province, as well as between federal and provincial laws. For example, in certain provincial jurisdictions, authorities can suspend/cancel data transfers. Under federal privacy law, our Office has no such authority. We are cognizant that you are consulting provincial authorities on these matters specifically.

From our perspective, while baseline standards for privacy are similar, variations in enforcement can create challenges for collaboration across jurisdictions. This could cause confusion, particularly where jurisdictions abroad are seeking data in Canada for a specific investigation. Lack of clarity around oversight could complicate the Protocol’s provisions (for example, the notice requirements under Article 14, noted on page 15). In our view, consistent and interoperable data protection is critical to ensuring effective collaboration. This reaffirms the importance of Justice Canada’s work to update and modernize the federal Privacy Act.

Conclusion

Thank you once more for consulting with the Office and our provincial counterparts as the work on Canada’s approach to the Protocol continues. We appreciate the time your officials have taken to explain the evolution of the initiative and other background information that you have provided. If you would like additional information on any of the materials cited above, or have any follow-up questions, please feel free to contact Christopher Prince, Senior Policy and Research Analyst, at Christopher.Prince@priv.gc.ca

Sincerely,

Gregory Smolynec
Deputy Commissioner, Policy and Promotion

Enclosures (3)

  1. Office of the Privacy Commission of Canada, Input to EC Committee examining new protocol for COE Convention on Cybercrime (April 2021)
  2. Federal, Provincial and Territorial Privacy Commissioners, Joint response letter to lawful access consultation by COSO cybersecurity working group (March 2017)
  3. Global Privacy Assembly, Government Access to Data, Privacy and the Rule of Law: Principles for Governmental Access to Personal Data held by the Private Sector for National Security and Public Safety Purposes (October 2021)