Good morning everyone. Welcome to the 33rd meeting of the Standing Committee on Access to Information, Privacy and Ethics.
Today we welcome Mr. Craig Forcese, professor at the Faculty of Law of the University of Ottawa, and Mr. Kent Roach, professor at the Faculty of Law and Munk School, University of Toronto, as well as Ms. Sukanya Pillay, executive director and general counsel of the Canadian Civil Liberties Association.
We thank you for being here.
I will give the floor to Mr. Forcese for 10 minutes. He will be followed by Mr. Roach and then Ms. Pillay.
Mr. Forcese, you have the floor.
Thanks for having me here today.
Let me begin by noting that the topic of our conversation today, information sharing for national security purposes, is an essential one. Information sharing is essential to national security. That truth was recognized in the 9/11 commission report in the United States and it was also recognized in Canada by the Arar commission report, which was, in fact, an inquiry on how poor information sharing can precipitate human rights abuses. It was also recognized by the Air India commission, which was an inquiry into the systemic failure of information sharing.
In the presentation that Kent Roach and I have prepared, we aim to do two things. First, I'll identify the key challenges in national security information sharing. Then my colleague Kent Roach will outline suggestions on refining one core component of the governing law, specifically the Security of Canada Information Sharing Act, or the SCISA, an act that was part of Bill in 2015.
As a first point, Canadian information-sharing laws in the area of national security are a muddled patchwork. As an internal CSIS briefing note that predated Bill noted,
||Currently, departments and agencies rely on a patchwork of legislative authorities to guide information sharing....Generally, enabling legislation of most departments and agencies does not unambiguously permit the effective sharing of information for national security purposes.
The question is, however, what to do about this. The CSIS briefing note goes on to state that:
|Existing legislative authorities and information-sharing arrangements often allow for the sharing of information for national security purposes. With appropriate direction and framework in place, significant improvements are possible to encourage information sharing for national security purposes, on the basis [of] existing legislative authorities.
Instead, Bill responded to legitimate concerns about siloed information by throwing wide open the barn doors on information sharing, but in such a complex and unnuanced way that the only certain consequence will be less privacy for Canadians.
I'll enumerate now some of our concerns about the 2015 Security of Canada Information Sharing Act, the one enacted by Bill .
First, the act allows those within the Government of Canada to share information about the new and vast concept of “activities that undermine the security of Canada”. It is difficult to overstate how broad this definition is, even as contrasted with the existing broad national security definitions such as “threats to the security of Canada” in the CSIS Act or the national security concept in the Security of Information Act, Canada's official secrets law.
The only exemption of the SCISA definition of “activities that undermine the security of Canada” is for “advocacy, protest, dissent and artistic expression”. This list was originally qualified by the word “lawful”, but under pressures from civil society groups, the last Parliament deleted the word “lawful”.
We were astonished by this change. We had proposed that “lawful” be dropped but then recommended the same compromise found in the definition of “terrorist activity” in the Criminal Code. We recommended excluding both lawful and unlawful protest and advocacy, but only so long as it was not tied to violence.
Violent protest or advocacy of a sufficient scale can be a national security issue, justifying information sharing. By simply dropping the word “lawful”, however, the new act seems to preclude new information-sharing powers in relation to any sort of protest, advocacy, or dissent, no matter how violent.
Government lawyers will find a way to work around this carelessly drafted exception. Indeed, the government's green paper has invented a solution. It says that the exception does not include “violent actions”. This is sensible, but it is not a standard set out in the actual law. It is a policy position, not something that is binding or in the least evident from the actual statute.
Second, the overbreadth of both the concept of security and the carve-out from it is then compounded by the operative provisions in the act.
In its key operative provision, the act contemplates that more than 100 government institutions may, unless other laws prohibit them from doing so, disclose information to 17, and potentially more, federal institutions if relevant to the receiving body's jurisdiction or responsibilities in relation to “activities that undermine the security of Canada, including in respect of their detection, identification, analysis, prevention, investigation or disruption”. All these terms are not defined, even though they are capable of definition. Without definition, whether by amending the act or through regulation, there is a danger that many terms in the new act will be inconsistently applied—a danger that the Privacy Commissioner has already raised.
Third, in the absence of more carefully articulated standards, the only safeguard is that the new information-sharing power is, in subsection 5(1) of the act, “Subject to any provision of any other Act of Parliament, or of any regulation...that prohibits or restricts the disclosure of information”.
What that means is a bit unclear, but we believe that the existing act, the Security of Canada Information Sharing Act, must comply with, among other things, the Privacy Act. That is not an ideal safeguard, given the many exceptions in the Privacy Act. It is something, and yet we are not sure how to read the government's recent green paper documents. They say that because the new Security of Canada Information Sharing Act authorizes disclosure, it satisfies a lawful authority exception to the Privacy Act, effectively trumping it.
The bottom line is that the new act's entire architecture creates confusion and uncertainty, and this requires a remedy.
My colleague Kent Roach will discuss some of our proposals.
I'd like to thank the committee for inviting us and for allowing me to appear remotely. I realize this isn't ideal.
First of all, as someone who worked on both the Arar and Air India commissions, I want to underline what my colleague said. We need to get information sharing right, and this act, which was hastily and very poorly drafted, does not get information sharing right.
With the Arar saga we see the dangers of sharing information that is not reliable and is not strictly necessary for the mandate of a receiving institution. That underlines the extreme dangers that can come from too much or inappropriate information sharing.
Just as importantly, however, the Air India commission showed the dangers of not sharing enough information. Indeed, one of things that is absent from this act was a recommendation by Justice Major that there be mandatory information sharing by CSIS about specific information relevant to the prosecution of terrorism offences.
Rather than devising a system that focuses on a particular form of information sharing, what we see in the Security of Canada Information Sharing Act is section 2, which is a radical departure even from the broad definition of threats to the security of Canada under the CSIS Act, which has been with us since 1984. In terms of amendments, one of the first things that should be looked at is trimming the overly broad definition of section 2.
I would underline that for Canadians to have confidence in this information sharing, there need to be more limits in the legislation and also more transparency about the information sharing, because as my colleague has pointed out, if over 100 departments can potentially share information under this act with 17 or more recipient institutions, all of this is done through legal interpretations that the public has no access to. It's very difficult to ask civil society and the public not to have concerns, and indeed suspicions, about information sharing when we have such a radical, broad definition of “activities that undermine the security of Canada”, including not only legitimate topics like terrorism but also, for example, an activity that takes place in Canada and undermines the security of another state. In my view, it's very important to go back to section 2.
Section 4 of the act has a number of guiding principles, and these guiding principles are fine as far as they go, although I would like to see more emphasis put on the reliability of the information that is shared. Justice O'Connor in the Arar commission report stressed that there need to be assurances that the reliability of the information is discussed, and also the respect for caveats, which is mentioned in section 4.
The problem with section 4 right now is simply that principles are placed out there, but there are no teeth, unless there's a requirement for protocols through regulations or through amendments of the statutes. The Privacy Commissioner has also noted this.
As my colleague has noted, sections 5 and 6 are extremely poorly drafted. They need to be made precisely clear, because unfortunately the green paper reflects a fundamental ambiguity in how this act is going to be interpreted.
Certainly the interpretation that we thought was the viable one and the preferential one, which was that this act did not have an independent trumping force over the Privacy Act, is partly negated in the green paper. The green paper gives us some idea of how government lawyers are interpreting this legislation, and unfortunately the interpretation, like section 5 and section 6, is about as clear as mud, so it is very, very important to address those two very fundamental sections.
Also, we would support what the Privacy Commissioner has said, which was that the issue should not simply be sharing of all relevant information but that there should be some requirement of necessity. We would just add that Supreme Court jurisprudence, like the jurisprudence in Wakeling, suggests that information sharing—not simply information acquisition, but information sharing, such as is authorized by this legislation—is subject to the charter, and so a standard of necessity or proportionality would be much more likely to withstand charter scrutiny than one of mere relevance.
I would also underline again why this provision and the CSIS threat disruption are probably the two most controversial parts of Bill in their reference not only to detection, identification, and analysis but also to prevention or disruption, so I think it has to be made clearer that this does not expand the mandates of all of the recipient institutions.
In addition, again on the theme of why so many people in civil society are rightly suspicious about this act, section 9 provides a very broad immunity from civil consequences. Not only does this raise the spectre of allowing the sort of information sharing that harmed Maher Arar and many other people, but it also puts yet another barrier to getting civil compensation should information sharing—and in particular I would stress information sharing about security threats—impose harm on people who may very well want to seek compensation for it and who may very well want to restore their reputation.
Just because Mr. Arar's reputation, at least in Canada, has been restored, we should not forget that this was because of the extraordinary event of a public inquiry. Perhaps one of the most objectionable parts of Bill is that it allows a very broad, overly broad, permissive regime for information sharing. It does so in an unclear, poorly drafted manner, and it does not ensure that there be mandatory information sharing about that information that is most relevant to direct threats to the real security interests of people in Canada.
Thank you very much.
Thank you for the opportunity to be here today.
The Canadian Civil Liberties Association is a non-partisan, independent, non-governmental organization that for 52 years has worked to protect rights and liberties and particularly to fight against injustice and wrongdoing. We support constitutionally compliant government action that provides effective security. I feel that this is an important context in which to begin my comments today.
We have serious concerns about the Security of Canada Information Sharing Act, which I will refer to as SCISA, and we are concerned by further confusions introduced by the green paper. I will outline five considerations here today.
First, information sharing is a critical component in countering terrorist activities, but such information sharing must be effective. This means that the information collected must be reliable and subject to constitutional requirements of necessity and proportionality and constitutional safeguards including caveats on use, retention, access, and dissemination. All of these, and legally enforceable provisions, are missing in the SCISA.
The scope of permitted information sharing is drawn from the definition in the act of “activities that undermine the security of Canada”, which we find to be astoundingly overbroad and which can capture all sorts of unnecessary and disproportionate information on legitimate activities, thereby effectively relegating Canadians to being potential suspects.
Further, the information sharing scheme superimposes vast information sharing on top of imperfect information-sharing structures already existent in Canada. In effect, there are 17 agencies, only three of which have any review structures, in over 100 departments. Again, this is information sharing with inadequate or non-existent review structures.
While we understand that the SCISA may have introduced some clarity for hesitating zealous officials who will now feel they have a green light to go ahead and share certain information, the scheme does absolutely nothing to ensure the reliability of the information or to ensure that constitutional principles of necessity and proportionality and the safeguards of caveats are observed.
Third, increased and integrated information collection and sharing powers are not matched in this act by increased and integrated review structures, and this is a serious concern for CCLA. Our country has witnessed the severe injustices of mistaken and faulty and even failed information sharing. Three federal commissions of inquiry—Arar, Iacobucci, and Air India—have provided observations and lessons that are not implemented or even, it seems, reflected in SCISA.
My second-last point is that SCISA engages section 7 of the charter rights of individuals. The definition of activities that undermine the security of Canada is unconstitutionally vague and can impact the security and liberty rights of individuals as found in section 7.
As the scheme is structured, violations can occur without the knowledge of an affected person, and even if there is knowledge, without an appropriate review structure there's nowhere to bring a complaint, given the absence of any one review structure with jurisdiction to review all the agencies empowered to share information.
In the past, government has stated that the Privacy Commissioner and the Auditor General have review powers, but their mandates and resources do not provide the jurisdiction and powers that would be required to properly review the information sharing that exists under the SCISA.
As CCLA has observed in its application, which is on hold before the courts, even the three existing review bodies for CSIS, the CSE, and the RCMP have no powers to compel the government to follow specific interpretations of the law. Further, the secrecy under which the sharing occurs renders any defence against illegal sharing illusory.
Finally, CCLA is seriously concerned that information sharing implicates section 8 of the charter as set out by the Supreme Court of Canada in its interpretations in Wakeling. SCISA permits a form of disclosure of information that is unreasonable within the meaning of section 8, and there are no checks and balances on such sharing.
It's very difficult, because information moves and is very difficult to track and can accrue in different places and different databases.
The accrual of information in the hands of different agencies is a perennial problem, so there are safeguards. The first safeguard is on collection, in that historically, privacy has been about restricting the capacity of government to collect information in the first place. Then, once it's collected, there's the issue of retention and use, so safeguards include limitations on how long information can be retained in a given database before it must be expunged, as well as information on how it can be used, and in “use” of information, we also include sharing.
Putting in place protocols that mitigate the spread of information through government agencies is probably the best we can do, coupled with effective auditing thereafter to ensure compliance and conformity with those dictates.
I suspect Ms. Pillay may also have some views on that as well.
I agree with everything that Professor Forcese has just said.
In addition to collection and retention and use, we're also concerned about access, and we're very concerned about what happens in the absence of caveat. If there aren't any written agreements as to how this information was collected and how it should be used and if there are no limits around how it's used and who it's shared with, once that information leaves the hands of A, it's effectively out of the control of A. As I mentioned at the outset, we're very concerned about injustices that can occur when a piece of information is mistakenly shared, or when, as in the case of Maher Arar, the information that is shared is full of error and innuendo that can result in serious harm to an individual.
I also mentioned, as did Professor Roach, the many issues that came up in the Air India inquiry, namely the concerns around information that was mistakenly withheld between agencies. None of that is properly addressed or cured by SCISA, nor is any illumination provided by the green paper.
If people can hear me, I wouldn't mind quickly addressing that and one other point that was raised.
The concern would be paragraph 2(i), where if your constituent is doing an activity that takes place in Canada and undermines the security of another state, even a repressive state, there is a possibility that the information not only will be shared, but if you look at section 5, the criteria is relevance to, among other things, detection and prevention.
One of the concerns about relevance is that it allows data mining. That relevance to detection and prevention can include a vast range of information that on its own may be innocuous, but when combined with more information that is available through computer data banks can reveal quite a bit.
The last thing I would say goes back to what my colleagues have talked about, the importance of review. I think it's very important for this committee not to just look at this act in isolation. The absence of credible review for all of the institutions, combined with the fact that the government appears in the green paper to at least be seriously considering getting more data from metadata and other things feeds into what I would say is a justifiable lack of confidence that many Canadians have about how this information, once it is collected by one part of government, is going to be shared, stored, and accessed by other parts of government.
Only in the broadest sense. The privacy rules in different jurisdictions are quite variable.
In relation to international information sharing, which was your prior question about Five Eyes, for the most part, there's relatively little law that I'm aware of within the Five Eyes that would govern that carefully and thoroughly.
On the other hand, one of the differences is that for the most part, the Five Eyes allies have more robust review and more comprehensive review. When you talk about international information sharing, the difficulty is always reconciling domestic review by domestic review bodies with an internationalized process that might implicate the interests of foreign states. I'm not sure that anyone has yet derived a perfect solution to that conundrum.
In terms of domestic privacy laws, they're quite variable. I would say that Canada, relative to some of the Five Eyes, has quite robust domestic privacy laws.
I would say, in part, as I've noted, there isn't specific statutory law that would govern that sort of arrangement, and the current act that is the subject matter of today's hearing doesn't deal with international information sharing on its face.
As you may be aware, there are ministerial directives from the Minister of Public Safety dating from 2011 and directed at the Canada Border Services Agency, CSIS, and the RCMP that are designed to govern circumstances where there is a prospect that outbound information sharing could induce maltreatment or torture, and they also try to grapple with the prospect that inbound information sharing may be the product of torture.
The bottom line is that the ministerial directives put in place protocols to minimize those risks, but in truth, at the end of the day, the ministerial directives also leave the door open in the most dire circumstances to sharing if, at least in the views of the responsible officials, the risk of torture can somehow be mitigated.
The problem, of course, in all those circumstances is that you can't necessarily control what will happen in response to the information once it's shared. The Arar commission report took the view that even when there's a bona fide security reason, there will be circumstances when you have to decline to share, and that's probably the honest truth of the matter. It is an enormous moral and ethical dilemma that the law has difficulty reconciling.
I would describe the new law as an effort to wallpaper cracks in the roof. In other words, it superimposes a new legal regime on existing legal rules that are themselves an arcane patchwork and difficult to construe.
Just to give you one example, CBSA, the Border Services Agency, implements several statutes as part of its mandate, and these statutes each have provisions on information sharing in the interest of national security, broadly defined. However, they all use different terms and are drafted in different ways, so the same agency is applying different standards under different statutes.
If I were to make an overarching recommendation, it wouldn't be to create a Security of Canada Information Sharing Act that papers over all these cracks. It would be to go into the statute books of all these agencies and clean up all the differential rules that apply to govern information sharing.
I would also add that the Privacy Act itself has a number of exceptions that allow private information to be shared, including a public interest override. In circumstances where the agency takes the view that there's public interest in information sharing that supersedes the privacy interests of the individual, it can be shared.
In sum, it's not entirely clear to me what problem this act was trying to solve, other than to signal to government that we're going to share more.
Thank you for the question.
I would absolutely say that more needs to be done, and obviously my two fellow witnesses are experts on talking about what can be done.
In short, as I've mentioned, we've called for an integrated review. A review would be different from oversight, as Professor Forcese has often said. The review comes after the fact, but it provides an accountability that's currently missing, and given that we have many of these agencies now working, as I mentioned already, in an increasingly integrated fashion, we need some sort of structure that can work in an integrated fashion to provide that review.
Then within agencies, I personally think that there ought to be some sort of—the translator's word was “monitoring”. There ought to be some sort of monitoring mechanism. There would have to be some protocols in place to govern what is being shared, and when, and why.
Thank you very much for the question.
I think this is an area that we should probably just leave to the courts, and I would favour simply deleting section 9 of SCISA. The Supreme Court is now developing jurisprudence with respect to charter damages, which would include damages for violation of rights of privacy. The court has done so in a way that recognizes a broad range of reasons for awarding damages, compensation for pecuniary and non-pecuniary losses, vindication, and deterrence, but is also respectful of governmental justifications. What the court says is that once you have established an entitlement to damages, it is up to the government to justify why damages would be inappropriate or why some alternative remedy would be better. In my view, subsection 24(1) of the charter provides a more flexible mechanism for responding to damages.
Having said that, I would also add that damages cannot be a substitute for effective review, because as Justice O'Connor stressed, most people do not know if information is being shared about them. Mr. Arar and other Canadians who were tortured in Syria, in part because of Canadian information sharing, knew because of the devastating consequences that they experienced, but you or I would not know right now if information about us is being shared, so although damages should be available, we should not rely upon damages, and we need a better review structure to do independent audits of information sharing practices.
The story behind the Air India issue wasn't about inadequate law but about operational practices.
As for the resistance to information sharing, first of all, the RCMP and CSIS are not really affected by the new act in terms of information sharing. Existing provisions that have existed for 30 years, as you indicated, allow for sharing information between those bodies. Frankly, this act does nothing to enhance or moderate or do anything for the information sharing between the RCMP and CSIS.
The question that is raised by your comments is why CSIS would resist sharing information with the RCMP, which has been a recurring issue as recently as the Toronto 18. That has to do with what is known as “intelligence to evidence”. CSIS is concerned that if it shares information with the RCMP, that sensitive information will be disclosable in court because of the scope of our Criminal Code and charter disclosure rules. It has nothing to do with this law. It has to do with the way we've structured this intelligence-to-evidence conundrum.
That is the reason the Air India commission recommended that there be a proviso putting in place a system for CSIS to disclose to a third party—they proposed a national security adviser—who would decide whether that information should be prioritized for intelligence purposes or for evidentiary purposes in a criminal trial. CSIS would not be making the decision at the end of the day. Someone outside CSIS would ensure that if there was a need for use in a criminal trial, it would be available.
This is Kent's area more than mine, so perhaps I'll leave him some room to talk too.
The honest answer to that is that we don't know. We have never had an accounting of the events of that day, other than some redacted reports from the police as to the security situation on the Hill. That can be juxtaposed with the Australian response to a similar incident in December 2014 and the British response to the murder of fusilier Lee Rigby in 2013, in which comprehensive reports were issued that looked at the landscape of security service actions and described where there were operational failures how they could improve.
In other words, we haven't done a “lessons learned”. That means it's next to impossible to look at the events of October 2014 and say definitively that if we had had this act at that time, things would have turned out differently.
My suspicion, based on what is on the public record, which is mostly journalistic accounts, is that the provisions of Bill were not responsive in any real way to the events of October 2014. I can't deny that in some of our work I've discussed how Bill not only overreacts in some of the ways we've discussed in terms of overbreadth, but also underreacts by not actually addressing the points that were raised in our last exchange about what caused the Air India disaster.
That is the awkward relationship between CSIS and the police, which means that we don't bring our A game to terrorism investigations. I like to call it “the tail wagging the national security dog in Canada”. The inability to reconcile those two agencies in terms of their information-sharing practices, I think, undergirds a lot of the workarounds that you see in various places in Canadian law, including Bill .
The recommendation I would make to the current government is to fix that conundrum, much as the British have done between MI5 and the British police, which they did after the disasters of 7/7. Once we have fixed that, let's look and see whether there is a need for all these other measures that, on their face, seem so extreme.
CCLA has always taken the position that we didn't know why Bill was needed. We knew that we had had these tragic events. We all agreed that they were tragic, but we did not know what the gaps were in the October 2014 existing laws that Bill C-51 was remedying. What we do know is that Bill C-51 introduced a whole new set of problems, and very serious problems, and that's what we're concerned about.
I guess my summation would be that the open-wound problems we see in Bill need to be addressed. I would also completely agree with Professors Forcese and Roach, as they've said at other times, that the problems we have with respect to intelligence and evidence have to be addressed. It comes full circle, in a way, to the question you asked two questions ago and to what I referred to in my opening statement, which is that nothing in SCISA ensures that we have reliable information. If our goal is to keep Canadians safe and to protect against threats of terrorism and terrorist activity, we must have reliable information, and we don't have that.
We've referred in our submissions elsewhere to William Binney, who was a whistle-blower in the U.S. You've all heard this analogy before, but it's worth repeating today: if you're looking for a needle in a haystack, don't create more hay. I'm afraid that's what we've done, but it's not as benign as just more hay. There are also other problems.
That's a hard question, because it means going through a lot of statutes, and it's a lot of work. I would be hoping that the Department of Justice would help.
I'll give you an example within the context of the concept of terrorism, which obviously is a pertinent one for this conversation. There's a definition of something called “terrorist activity” in the Criminal Code. There's the concept of a “terrorism offence” in the Criminal Code. The Security of Canada Information Sharing Act talks about “terrorism”. The Immigration and Refugee protection Act talks about “terrorism”. Some of the provisions that relate to CBSA talk about terrorism-related activities. In other words, there's a proliferation of terms, and some of those terms, when they're applied in the context of actually ending up in front of a court, have been interpreted differently. The concept of terrorism in the immigration law has been construed differently by the Supreme Court from the definition of terrorist activity in the Criminal Code.
Imagine now that you have all these different terms, and you're the official who's trying to decide whether you should share information because of the invocation of terrorism in the Security of Canada Information Sharing Act. Which definition do you choose? My preference would be to have a consolidated definition of all the issues we think should fall within national security, one that is significantly less broad than what's presently in section 2, and to make sure that it becomes the hub in a bigger wheel. It would be the hub for the information-sharing provisions that exist in other statutes, so it would be a consolidated definition. That requires a lot of renovation, though, of the existing statutes, and that will be a lot of work, but it's probably a worthy endeavour, because I think it would simplify life.
I'll reiterate one of my core points at the outset, which is that even with the best legal language in the world, you're still dependent on people construing it, which means that you need independent review to ensure that those construals are reasonable.
I would be more surgical in terms of the analogy to blowing up Bill .
I think there are aspects of Bill C-51 that don't stand either a constitutional or a reasonableness test. The new speech crime of promotion and advocacy “of terrorism offences in general” is so sweeping that it encompasses speech that is potentially quite far removed from actual violence. There's no justification for it. Also, I think it underappreciates the extent to which speech that is closely affiliated with violence is already a terrorism crime under 15 or 14 existing terrorism crimes that existed before Bill C-51.
There are other aspects that are more complex, though. Take, for example, the CSIS threat reduction powers. You'll have different views on this. I am of the view that a case can be made that CSIS should have the capacity to act kinetically in limited circumstances—that is, to do more than be a watcher. How you craft that, though, is very different from the way it's been crafted in Bill .
The other limit presently in Bill in terms of the circumstances in which CSIS can act is quite extreme. The prospect that CSIS, with a Federal Court warrant, could violate the charter is anathema to our constitutional tradition. More than that, it isn't actually responsive to the sorts of practices that one sees in other jurisdictions where they have deployed threat reduction successfully.
In the U.K. context, threat reduction by MI5 is generally spearheaded in a manner that facilitates criminal trials. Disruption in a U.K. context, based on what's in the public record, typically is that they make sure this person is arrested for not paying their local taxes. They may have a terrorism fear, but they can't act on it, so the police will bring a bona fide prosecution on some other grounds. Therefore, that's disruption. The criminal justice system is closely twinned there.
We haven't forced that twinning in the way that Bill has been crafted. The fear that Professor Roach and I have is that it could actually prove counterproductive. CSIS threat reduction could be counterproductive to a criminal law solution to terrorism.
In the interest of full disclosure, Professor Roach and I are doing a doubleheader today. We're up in front of the standing committee on Bill . Those thoughts are in the can, so to speak.
I would say that Bill provides a necessary remedy: that is, investing parliamentarians, for the first time in Canadian history, in a national security review function. That said, I would echo the concerns about the scope of information disclosure. It's not just that the government can, in certain circumstances, decline to provide information; there are actually mandatory exclusions, which are actually quite unusual as compared to our Five Eyes partners.
In the U.K. the exclusions of information are discretionary, and there's a protocol that the executive branch and the parliamentary committee have negotiated that says that those exclusions will only be used in the rarest of circumstances. In other words, they won't exercise their discretion to deny information.
In our system there's a whole cadre of information that will be ultimately excluded automatically. I would add that among the information that will automatically be denied the Bill committee are ongoing law enforcement investigations. It sounds sensible, except when you consider that the RCMP currently still has an ongoing investigation into Air India.
Thank you for that clarification. It was very instructive, once again.
I would like to go back to a point which was mentioned by several experts, as well as by the Privacy Commissioner, which is that expansive information sharing opens the door to federal government surveillance.
Does the Security of Canada Information Sharing Act contain new means the government could use to collect information, or does it simply provide a framework for information sharing?
According to certain experts, this could increase the surveillance of citizens by the government.
Can you confirm that the Security of Canada Information Sharing Act contains new powers allowing the government to collect more information than what was already permitted by law?
Perhaps Ms. Pillay could answer that question.
I'm going to duck the first question, about why it happened, because that would require me to make a political judgment, and I'm no more qualified than anyone on the street to make that political judgment. The honest answer is that I don't know why it happened. There are probably a number of reasons.
Your second question is an important one. These are real issues. National security is an acute issue. How we grapple with it is an acute issue, both legally and operationally. One of the difficulties we have in Canada is that we're not sufficiently discursive on it; that is, the expertise in the area tends to be monopolized within government. Government tends to be close-lipped on national security issues. There is no diffusion of expertise, because we don't have a conversation, or at least up until this point we haven't had a conversation.
One of the things both Professor Roach and I said in the aftermath of Bill was that aside from whatever you think about the merits of Bill C-51, we can't have a process like this again. We need to have a more premeditated policy discussion. I think the idea of a consultation process in national security, which we've never had before, is a very valuable one.
Professor Roach and I have said that we have concerns about aspects of the green paper, and we do. We do not, however, have concerns about the existence of the green paper. We welcome the consultations that are under way across the country, which you mentioned. As private individuals trying to keep up, we welcome them, but we're finding them somewhat exhausting. That will help then encourage insight and expertise in this area and cultivate expertise outside of government.
I suppose that I would have to provide the same answer that I gave a bit earlier, which is that we asked the question when Bill came out: why was this necessary? We had existing laws in place already. We have never received an appropriate answer, and I don't know why.
I do know that it is not a mere aspiration to say that we have to ensure that we have our constitutional safeguards in place and in mind. I would urge this committee to remember that it is not a choice necessarily between security and civil liberties; to the contrary, I think that we can only have effective security when we ensure that our civil liberties are there.
Civil liberties do not prevent, in the context of SCISA, for example, relevant, necessary, and proportional information from being shared; rather, they ensure that only relevant, necessary, and proportional information is being shared.
We have a wealth of information provided from three federal commissions of inquiry that speak directly to these issues of information. I would very much urge this honourable committee to consider that and to implement it in any recommendations that you make.
I'll start, and then Kent can jump in.
The Wakeling case involved information shared by the RCMP to American authorities under what's known as part VI of the Criminal Code, which is the wiretapping provision. It was a lawfully gathered wiretap that complied with the charter, and that information was then transmitted to the United States. The Supreme Court concluded that even though the information was lawfully collected, it was still subject to charter privacy protections that had to govern the manner of information sharing.
In that case the RCMP, under part VI of the Criminal Code, was successful in defending the constitutionality of that information sharing, because there was enough architecture in part VI that defined who was going to receive the information and it imposed safeguards on how that information would be transmitted. The court along the way, incidentally, made a point of noting the Arar case as an example of where things can go awry in information sharing.
Now transpose the holding in that case to the context for CSIS under the CSIS Act and for the Communications Security Establishment under the National Defence Act. There is none of the architecture that rendered the Criminal Code constitutional. None of that architecture is found in the CSIS Act or the National Defence Act, and yet those two agencies, CSIS and CSE, are elemental bodies in information sharing for the purposes of supporting Five Eyes activities and others.
I think Professor Roach and I were surprised that the government didn't take the opportunity in either Bill , or before that in Bill , to introduce that architecture to put this vital information sharing on sounder constitutional footing.
Well, I think it depends on who you ask. SIRC of course has grown in terms of its budget and staffing in response to the new CSIS powers to do threat reduction and now CSIS's operations overseas. At the end of the day, any kind of review body is going to be a partial audit. You're not going to be able, in any given year, to audit all of the activities of a service, and that's by necessity. You are not going to be able to match the scale and scope of agency activities.
On the other hand, if you put in place a triage system within the review body to decide what you're going to audit this year and decided to take into account the legal issues and the constitutional issues that might be raised by this practice, its notoriety, and how new and novel it is, then I think that a reasonably well-resourced SIRC or super-SIRC would probably put a priority on information sharing when it came up in the cycle of auditing, because of the sensitivities around it.
The consequence, of course, is that they're not necessarily reviewing other things, so at the end of the day, any review body is going to engage in triage. When you ask about resourcing, it's how much triage you are willing to pay for. Historically I think that SIRC has been underfunded relative to the growth in CSIS since 9/11. It's starting to catch up now.
To respond to Mr. Massé, I would say that this was done during the previous Parliament, in Bill .
The mistake too many governments make is to respond to unique, one-time situations by passing laws. Sometimes those laws are too radical and have unexpected consequences. Moreover, they are not necessarily adopted in the public interest, but rather in the political interest of a government. Unfortunately, many members in the previous Parliament fell into the trap.
That said, I would like to go back to the issue of the oversight of national security organizations and by the organization that will be created if Bill is adopted.
What do you think of the idea that existing oversight bodies, and the one that will be made up of parliamentarians, examine information in real time rather than information on past situations? Would it be appropriate that all of the oversight organizations, including the one made up of parliamentarians, have the information immediately, and not after the fact?
My question is addressed to you, Mr. Forcese.
There is a discussion quite often about review versus oversight. There is some confusion about the terms, but in Canadian practice, oversight means command, control, and coordination. The oversight entity authorizes or has a role in authorizing activities.
Review is looking at the performance of the agency against standards. Typically it examines whether the conduct of the agency was legal and was in accordance with ministerial directives.
Review is after the fact, in the sense that you need agency action before you can review it, but review can be close to actual in the sense that the review doesn't necessarily have to be 20 years after the fact or a year after the fact or a month after the fact. My understanding from SIRC is that increasingly their review is more approximate in time to the actual operation, so it's still after the fact, but it's not that much after the fact.
The same thing should probably be true for the parliamentary committee under Bill ; that is, it is competent to do review. It does not do command and control oversight, and I think it would not be proper for that body to do command and control oversight. It does review, but I don't think it should fear doing review that's approximate in time to the actual operations, as long as it doesn't impede those operations.
Where this might become controversial is the extent to which the executive branch can deny the committee the information it requires to do this more timely review.
Members, I wasn't expecting to chair. If you would allow me, I have a few questions.
We've learned over recent years, mainly through the CBC, of various programs by CSE, such as EONBLUE, whereby captures were put at the Internet backbone and the impact and inspection was used to scan vast amounts of data that go through the Internet.
There are other programs like Levitation, if I'm not mistaken, which screened 10 to 15 million downloads for suspicious events and then transmitted the results to our security agencies.
Another one was Wi-Fi at a Canadian airport, where metadata of Canadians was stored and analyzed as part of a pilot project.
CSE gathers a lot of information. It's not supposed to spy on Canadians, but can inadvertently do so. When it has that information, based on SCISA as it's written, if a law enforcement agency wants that data about a Canadian, technically it would need a warrant, in the wake of Spencer and Wakeling.
This is an area of some confusion.
I mentioned briefly a few moments ago that there is a lot of uncertainty in this area as to how various statutory rules are being construed by the government. One area of uncertainty is over the practice of what's known as deminimization. CSE, as part of its foreign intelligence conduct and its activities, may acquire metadata and that metadata may include metadata from a Canadian source because of the nature of the Internet. It's not directing its activities at Canadians, but it's sweeping up some of this Canadian data in its operations.
Thereafter, when it shares its analytical work products dealing with that metadata, it is supposed to minimize Canadian identifying information. In other words, it redacts the Canadian identifying information. Those redactions can be lifted in relation to CSIS and the RCMP on request.
The question that remains unanswered in my mind is, what is the legal basis for that request? From what I've seen, it's clear that it has to comply with the Privacy Act in that all parties agree that it has to comply with the Privacy Act. There is an investigation, and CSIS is entitled to ask for the redactions to be lifted as part of its investigation.
What is unclear to me is whether they also come with a warrant, because if they don't come with a warrant, then information that CSIS could not lawfully collect itself is nevertheless put in play within CSIS by virtue of the inadvertent collection by CSE, and that CSE collection has never been supervised by an independent judge. Therefore, it's an open question in my mind as to whether, when CSIS or the RCMP comes looking for those redactions to be lifted, they comes supplied with a warrant. In other words, I don't know.
I admit that I may talk to people who tend to already be interested in this issue, but certainly I've talked to people who aren't.
However, I saw a coming together of Canadians on and a concern about the scope of information sharing that I hadn't seen before in recent years. Based on that and based on the response that CCLA had to the application that we brought and the very specific grounds in our application that referred to SCISA in particular and also broadly to Bill C-51, my answer is that we had a swell of support among Canadians.
I would also point out that other colleagues among civil liberties organizations had petitions that were signed by hundreds of thousands of Canadians, so I think that Canadians are very concerned. We don't want an all-government all-knowing all-the-time society. We don't want an all-surveillance society.
We also recognize in this country that legitimate dissent and protest and disagreement and counter-speech are constitutionally protected rights in Canada, regardless of whether those opinions are directed at the Canadian government or a government anywhere else in the world. Provided that they don't engage in violence, these are activities that are protected. My view, based on the evidence of who signed up and who donated to the campaigns that we launched in this regard, is that Canadians are very much on board with protecting our privacy and making sure that any information shared is necessary and proportional.