Striking a balance between privacy and national security
Address given at the 2016 Canadian Telecom Summit
June 8, 2016
Address by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Good morning and thank you for the opportunity to speak about national security and privacy.
This is an important opportunity for me because I cannot think of another sector that has greater access to the opinions, the interests and the activities of Canadians than those of you in the vital field of telecommunications.
Every email sent, every website visited, every mobile app downloaded, every television show watched, every text message and every phone call—if anybody actually still uses that feature—travels through your networks and has been made possible through your devices.
Canadians have entrusted you with their digital lives, and in the 21st Century where so much of what we do—of who we are—is tied to our online activity, it is an immense responsibility.
At the heart of this relationship, of course, is respect for privacy. You know as well as I do that Canadians value their privacy and most say they prefer to do business with companies that respect privacy rights. In our most recent poll of Canadians, 9 out of 10 told us they were concerned about privacy and, meanwhile, 81% said they are more likely to choose to do business with a company specifically because it has a good reputation for privacy practices.
But they also want their government to act on their behalf in protecting their safety and security. Given your unique and privileged position, you know how important all this data is to government and law enforcement agencies.
Governments around the world are collecting more and more data about their citizens, often through intermediaries such as the organizations you represent.
Over the last several years, my Office has advocated strongly for privacy rights while, I believe, also demonstrating an understanding of the very real threats to public safety in Canada—including threats to the security of our information systems.
What is critical is balance. Law enforcement needs to be able to protect us, including when we are online, but their work must be done in ways that are consistent with the rule of law.
Today, I would like to focus the bulk of my remarks on national security and privacy, and how we might strike a better balance between the two. I will talk about information sharing under Bill C-51, the adequacy of Canada’s privacy laws in the wake of recent changes in European law, transparency reporting and lawful access, as well as hot-button issues touching government surveillance—encryption and metadata.
With respect to Bill C-51, the Anti-terrorism Act, 2015, I have been discussing my Office’s concerns since it was first introduced in January of last year so this might be familiar to many of you.
The new law is meant to facilitate the sharing of information among federal institutions to better protect the safety and security of Canadians.
While we recognize that greater information sharing could lead to the identification and suppression of security threats, we are concerned about the Act’s thresholds or standards for information sharing and the lack of independent oversight and review.
While the new government has already committed to amending the law to create an all-party committee to monitor and oversee the operations of national security agencies, it has thus far not addressed our concerns regarding thresholds.
Thresholds limit the scope of an institution’s use of powers and the possible harm that could arise from misuse. In this case, low thresholds create risks of mass surveillance and profiling.
The current standard dictates that certain federal government institutions may share information amongst themselves so long as it is “relevant” to the identification of national security threats. In our view, that threshold is inadequate and could expose the personal information of law-abiding Canadians. A more reasonable threshold would be to allow sharing where “necessary.”
The government has committed to consulting widely on potential changes to the Act beyond parliamentary review. I will certainly welcome the opportunity to share our views as part of this process.
In the meantime, my Office will direct significant resources towards audit and review activities to ensure information sharing between federal institutions for the purposes of national security duly respects the Privacy Act. I hope that what we find in the course of that review will inform the consultations on how C-51 might be amended.
Standards for the collection of personal information are not important only in the context of national security legislation. In a recent submission to Parliament, we have asked that the necessity standard apply to the collection of personal information by any government institution under the Privacy Act.
Raising standards would not only improve privacy protections for Canadians, it would also go a long way towards reducing the risk to international trade that would result from Canada losing its status as a country offering adequate protection to the personal data of EU citizens.
As I’m sure you know, a major issue making international headlines is the dispute between the European Union and United States over transatlantic data flows.
The Safe Harbour Agreement that permitted the transfer of European citizens’ data to the U.S. was deemed invalid by the European Court of Justice last fall, touching off efforts to strike a new deal to ensure the continued flow of data.
At the heart of the matter was whether EU citizens are adequately protected when their personal information is transferred to the U.S. The European Court found they were not, in part due to the risk of mass surveillance resulting from what it deemed to be weak U.S. laws.
Canadian privacy laws were found adequate by the EU in the early 2000s, but that assessment will have to be revisited in the next few years. Following the Snowden revelations, adequacy is no longer just about commercial sector privacy legislation; it includes national security laws. In that context, legal standards for the collection of personal information will matter.
Transparency reporting and lawful access
Of course Bill C-51 is not the only recent surveillance-related legislation to cause us concern. Bill C-13, the Protecting Canadians from Online Crime Act, has also raised many questions about how law enforcement obtains access to telecommunications data.
Since the Bill became law in December 2014, we have worked with both telecommunication service providers and what is now Innovation, Science and Economic Development Canada to encourage companies to provide helpful information for Canadians.
We provided input into the department’s transparency guidelines, which establish standards for transparency and accountability reports from companies that share personal information with law enforcement.
At the same time, we published a comparative analysis of transparency reports published voluntarily by some telecommunications companies—which we commend for taking this initiative. We concluded that while the reporting schemes had gaps, these reports can help Canadians make more informed choices and better understand how and when government agencies access personal information held by private sector organizations.
Going forward, we hope companies follow the guidelines and that we begin to see more consistent transparency reporting. For those companies that have not yet produced such reports, we hope they will see the value of transparency and get on board. If not, we may resume our call for legislative changes in this area.
Private sector reporting, however, provides only part of the picture. Greater transparency from the public sector is just as important. It is, after all, the public sector that is seeking and receiving this sort of information.
As such, we have called on federal institutions to maintain accurate records and to report publicly on the nature, purpose and number of lawful access requests they make to telecommunications companies. In fact, this was part of our most recent recommendations on Privacy Act reform.
It’s also worth noting that I am not the lone champion on this front. Last fall during the 37th International Conference of Data Protection and Privacy Commissioners in Amsterdam, we proposed a resolution on transparency reporting that was supported by our international counterparts.
Collectively we called on governments around the world to boost transparency with respect to lawful access requests for personal information held by companies, and for companies to do their due diligence before responding to government requests for personal information.
Over the last number of months, however, some in the law enforcement community appear to be trying to resurrect the debate on warrantless access—a debate many of us in the privacy community thought was put to bed following a landmark Supreme Court of Canada ruling.
R. v. Spencer concluded that subscriber information linked with specific Internet activity should not be obtained without a warrant, except in very precise circumstances such as to prevent imminent bodily harm or if the information does not raise a reasonable expectation of privacy.
Since this ruling, many telecommunications companies and Internet service providers have — rightly so in my mind — required warrants or production orders as a matter of course when police officers come calling for confidential subscriber data.
But law enforcement says it has made their jobs impossible. The RCMP Commissioner and the Canadian Chiefs of Police have since called for a new law that would expand warrantless access, yet be consistent with both the Charter and Canadian values.
How one might square that circle is not exactly clear.
I maintain that impartial oversight in the form of judicial authorization is critical before sensitive personal information may be turned over to the State and I believe the courts are best placed to balance the interests of the police and the privacy rights of individuals.
Warrantless access should only be permitted in exceptional circumstances and I would urge ISPs and other private sector companies to continue to be vigilant when faced with police requests for subscriber data.
With respect to government surveillance, some of you may know that this was identified among the four strategic privacy priorities that will guide the work my Office does over the next five years.
Our goal is to contribute to the adoption and implementation of laws and other measures that protect both national security and privacy.
Recent disputes over encryption between law enforcement and device manufacturers in both the U.S. and Canada have raised many questions about this delicate balance between security and privacy.
Generally speaking, I would argue that encryption is extremely important for the protection of personal information. Companies that manufacture telecommunications devices have a responsibility to protect the personal information of their customers.
That being said, companies are also subject to laws and judicial warrants that require access to personal information that may be legitimately needed in cases where public safety is at risk.
Still, the law needs to bear in mind the realities of technology. If you break encryption, or create an exception to the protection provided by encryption technologically, what impact will that have for the population more broadly?
Finding the right balance between encryption and the needs of law enforcement is a tough nut to crack and I don't think anyone has the exact answer as to where to draw the line at this point.
This is definitely a debate we need to have in Canada.
On another matter, I’d like to say a few words about the sensitivity of metadata which came up recently in the context of surveillance. In his annual report to Parliament in January on the Communications Security Establishment, Commissioner Jean-Pierre Plouffe revealed that the electronic spy agency had breached privacy rules and the National Defence Act by inadvertently sharing metadata with its Five Eyes partners.
While the metadata was said to contain Canadian identity information, the CSE ultimately assessed the privacy impact as low given the safeguards it had put in place and because it did not contain enough data or context to identify specific individuals.
As you likely know, our research has found that metadata can actually be quite revealing. It can include all sorts of information related to phone calls, emails, social networking and Internet browsing activities.
When combined, it can say a lot about a specific individual—a fact confirmed in a recent analysis of the National Security Agency’s phone metadata program by Stanford University researchers. Looking specifically at telephone metadata, for example, the numbers dialed and the length of calls, researchers were able to conclude that one individual likely suffered from a cardiac arrhythmia, while another likely owned a semi-automatic rifle.
In R. v. Spencer, the Supreme Court of Canada held that a name and address of a subscriber linked with a particular IP address ultimately provided the police with the identity of an Internet subscriber which corresponded to a particular Internet activity in question.
The Court recognized that individuals can enjoy a reasonable expectation of privacy in information that links their identity to a piece of metadata, in that case, an IP address, and that police violated the Charter when they obtained this information from an ISP without a warrant.
All this to say government institutions that collect or are considering collecting such information should not underestimate what metadata can reveal about an individual. The same goes for private-sector organizations—ISPs, social media sites and device manufacturers—that may be asked to disclose such data to government institutions or that may disclose to other third parties for marketing, analytical or other purposes.
Given the ubiquitous nature of metadata and the powerful inferences that can be drawn about specific individuals, government institutions and private-sector organizations must be prudent about their collection, use and disclosure activities.
In closing, I hope I have given you a good sense of where my Office stands when it comes to privacy and national security. And I hope you will consider what I said on transparency reporting and metadata as useful advice.
Canadians value security in the face of threats confronting the world today, but they also care deeply about their privacy. They want to ensure laws and procedures are in place that respect our values, and they want the police and national security agencies to do their job lawfully.
Canadians have also told us they want to do business with companies that respect their privacy and are upfront about their personal information-handling practices. They want greater transparency so institutions can earn their trust.
At the end of the day, we live in a country governed by the rule of law—a democratic country that promotes and respects human rights.
Still, we need to be vigilant if we are to ensure that the privacy rights of Canadians remain protected.
Now, I wanted to make one very final note today — not in relation to the theme of privacy and national security, but something I think many of you here may find of interest nonetheless. As you probably know, consent has been the cornerstone of our federal private sector privacy law, PIPEDA. However, in this increasingly complex market, many are questioning how Canadians can meaningfully consent to the collection, use and disclosure of their personal information. We recently launched a consultation on the foundational issue of consent in today’s digital world. We hope to identify improvements to the current consent model and bring clearer definition to the roles and responsibilities of the various players who could implement them. We will then apply those improvements within our jurisdiction and recommend other changes to Parliament as appropriate. I hope that, if this is something you agree is important, you will engage in the discussion leading toward solutions.