I call the meeting to order.
Good morning, colleagues. This is the last meeting we'll have, I think, before the impending adjournment of the House of Commons for the Christmas break. We are continuing our study of the Security of Canada Information Sharing Act.
Colleagues, I don't want to get into the discussion right now; I just want to let you know that after today we will have heard from about 25 witnesses on this matter. According to my discussions with the clerk, we have about 70 witnesses who are scheduled or who have been suggested for the committee to hear from. This puts us at about the one-third point if we are going to hear from all of the witnesses. We'll need to make a decision—if not today, as soon as we get back—in regard to how much longer we wish to continue and when the committee feels that it has heard sufficient evidence on this matter.
I'm leaving that out there. It's not for discussion at this particular time, but just as a thought that you ought to have, because we'll need to make some decisions when we return about where we would like to go.
At any rate, we are pleased to have with us today, from the British Columbia Civil Liberties Association, Micheal Vonn, who is joining us by video, and, from the Centre for Law and Democracy, Michael Karanicolas, who has been here recently. An individual who is here before us and actually in the room is Lisa Austin, who is an associate professor from the University of Toronto's faculty of law and the David Asper Centre for Constitutional Rights. We thank each of you for taking the time to be with us here at this committee this morning.
I'm sure that all of you are familiar with our process here. You have up to 10 minutes for a presentation. I'd like you to stay as close as possible to that. I'll give you a little bit of leeway, but if you start stretching it out near 15 minutes, you might see me intervene.
We'll start with the British Columbia Civil Liberties Association, please, for up to 10 minutes.
Thank you very much, Mr. Chair, to you and to the committee.
My name is Micheal Vonn, and I'm the policy director of the B.C. CLA.
I gather that there has been a great deal of general agreement among privacy and civil liberties organizations on SCISA, as I'm going to refer to it. My association is certainly among those that have called for the complete repeal of the act, but rather than repeat concerns that you may be very familiar with at this stage, 25 witnesses in, I'm going to try to address some matters that I believe have not had as much discussion and that I hope will assist you in your deliberations.
The two matters I'm hoping to address are, first, the seriousness of the disruption caused by SCISA's blurring of the mandate of critically important federal institutions, and second, the evidence that rebuts the hope that other legislation will act as a moderating effect on SCISA.
On the first topic, which is the question of mandate, FINTRAC provides a ready example. The Office of the Privacy Commissioner of Canada does an intermittent audit of FINTRAC, and these audits have consistently found troubling overcollection and retention of personal data. Obviously, there are some discrete remedies that are available to address some of these issues, as indicated by the recommendations in the OPC's report, but in the main, because the standard of suspicion is very low and the prejudice to individuals is very high, FINTRAC itself has long maintained that one of its primary safeguards for privacy is its independence from law enforcement. Now, with the almost unfettered access to information sharing authorized by SCISA, the independence of FINTRAC in this regard is essentially fictional.
The kind of screening mechanism that is the basis for a regime like FINTRAC's is founded on a necessary balancing. The entire enterprise, of course, is one that can only be justified under very compelling need. FINTRAC has extraordinary powers of data gathering. Personal information that clearly commands a reasonable expectation of privacy is nevertheless compelled by the law in such a way that vast over-reporting is a given. Indeed, only the tiniest fraction of reported individuals and entities are ever found to be conducting themselves in any problematic way. To balance this state of extreme prejudice to innocent parties, we require sufficient counterbalancing protections. The basis for that balancing in the FINTRAC regime is now decidedly unsettled by SCISA, even to the point where its constitutionality may be at issue.
The effect on the mandate of federal agencies covered by SCISA may indeed be difficult to assess in the short term, but indications are already very troubling. Because I happen to work in a very broad sphere of rights advocacy, I am in a position to tell you, for example, that health policy advocates are now having to reconsider policy positions and proposals in light of the fact that there is very little confidence in the privacy protections afforded to patient information held by Health Canada, because of the sweeping nature of the access that is granted through SCISA.
Even more so, Veterans Affairs is likely to have grave difficulty convincing Canadian veterans that their extremely sensitive and highly prejudicial personal information, such as physical and mental health information, is appropriately protected. We may of course recall that it was just a few short years ago that Canada saw what I would argue was its single most appalling medical privacy scandal in relation to veterans' medical information. Sean Bruyea, a veteran's advocate, had his confidential medical files passed around by federal bureaucrats in an apparent effort to discredit him and his advocacy on behalf of veterans. This, you will recall, was an extremely high-profile national scandal, in which this veteran's medical information found its way even into ministerial briefing notes.
The unprecedented all-of-government information-sharing capacity afforded by SCISA can only be seen to undermine whatever trust has been rebuilt between veterans and the federal government since the Bruyea scandal. It obviously has a negative impact on the very mandate of Veterans Affairs.
Moving now to my second point, I would like to highlight not only that SCISA has no requirement for individualized grounds for data collection and can facilitate the sharing of entire databases but that it also seems likely that it was enacted precisely for the purpose of bulk data acquisition. It does not seem likely that the model of information sharing that is in SCISA is meant to address merely the possible need for clarification of the disclosures that were permissible under the Privacy Act. I note that during the Vancouver Olympics, when the police were discovered to have purchased a military-grade sonic weapon, they said they were only planning to use it as a giant megaphone, yet they did not buy a giant megaphone: they bought a sonic cannon. Similarly, we did not get an amendment to the Privacy Act: we got SCISA.
This fall we have seen a litany of incidents in which CSIS in particular has been seen to be unmoored from lawfulness in important aspects of its primary activities. It must be noted that the alarm and concern that has been sounded so strongly, not least by the Federal Court, pertains mainly to the collection, use, and retention of bulk data. Sadly, we have learned that section 12 of the CSIS Act, which is the standard for strict necessity, has proved to be very little barrier to CSIS accessing bulk data. As we know from the only SIRC audit ever done, released this fall, SIRC found no evidence to indicate that CSIS had appropriately considered the threshold as required in the CSIS Act in the collection of their bulk data. As a result, it is possible at this juncture that the vast majority, or even everything, in the CSIS bulk data holdings constitutes illegal spying on Canadians.
It has been argued that the troublingly low thresholds for sharing information in SCISA are tempered by the Privacy Act and other governing legislation, including the CSIS Act. Certainly recent events give us no reason to be confident that they are operating as meaningful protections. Not only have some of the recently discovered violations of the CSIS Act been going on for over a decade, but none of them appears to have been remedied. Indeed, there is widespread concern that they will not be remedied and will be condoned with after-the-fact legislation, which will further corrode public trust.
At this juncture, we simply have too much evidence to the contrary to accept that SCISA has checks and balances that will mitigate the unprecedented scale of information disclosure that it allows. The reality is that these other legislated potential checks have been failing utterly to meaningfully constrain bulk data acquisitions. It is untenable to claim at this juncture that finding out about a decade's worth of illegal spying is the system working; it is clearly the system not working.
The notion that we have an effective limitation to SCISA in other legislation has thus far not proved true. It is nevertheless not the model that should be applied. It is SCISA itself, which was never justified and which actually undermines the very mandates of some of its included agencies, that must be repealed. Amendments, in our position, and clarifications on disclosure powers, if they are needed, should be part of the Privacy Act.
Those are my prepared comments. Thank you very much.
Thanks very much to the committee for their kind invitation. I'm sorry I can't be there in person this time.
My name is Michael Karanicolas, and I am employed as the senior legal officer for the Centre for Law and Democracy, an NGO based in Halifax. We work to promote foundational rights for democracy, with a particular emphasis on freedom of expression and increasingly on privacy, given that many of the biggest threats to freedom of expression currently present in overly intrusive surveillance systems. Indeed, the nexus between bulk data collection and inhibitions on speech has been widely noted, including by the UN special rapporteur on freedom of opinion and expression.
It is also recognized under international human rights law that states need to put in place effective systems to address terrorism and other threats to security. Among other things, this is necessary to uphold democracy and the whole system of respect for human rights, including freedom of expression. At the same time, international law establishes the clear necessity for balancing security against other fundamental human rights, including privacy.
I do want to mention at the outset that I was greatly troubled by the overall tone of the “Our Security, Our Rights” green paper. It presented readers with a series of ticking-bomb scenarios, seemingly designed to bolster support for expanding powers by painting a picture that focused on the limits of Canada's police and security agencies and the ways in which terrorists are apparently outwitting them. Although the green paper gives a perfunctory nod to civil rights concerns, the green paper could have been improved, or at least balanced, by including scenarios in which these powers are and have been misused.
The green paper also muddies the waters regarding the limits of information sharing by noting, on page 27, that it helps law enforcement by facilitating information sharing without worries about whether the actions violate the Privacy Act. However, just two pages later, the paper's decision-making chart states, as its final step, that information may not be shared if the disclosure runs contrary to another law. We believe this should be resolved by clarifying that the Privacy Act does indeed apply to the Security of Canada Information Sharing Act.
The Privacy Commissioner has also recommended that rather than the current standard, which dictates that certain federal government institutions may share information among themselves so long as it is relevant to the identification of national security threats, a standard of being necessary should be put in place. We support this recommendation, and add the note that if we're talking about security, data minimization, whereby organizations seek to limit material stored to what is strictly necessary, is a cardinal principle of digital security. We can look south of the border for lessons on this, as over-storage was one of the reasons last year's hack of the U.S. Office of Personnel Management was so catastrophic.
I think we can also look south of the border for a fairly striking lesson on why it's so important to craft this legislation carefully, with as little scope for potential abuse as possible. It's easy to look at people who one might broadly trust to exercise their powers responsibly and to forget that one of the consequences of democracy is that the nature and state of the people in charge can change very quickly, potentially bringing into power people whose definitions of phrases like “activities that undermine the security of Canada” may be dangerously expansive. Flexibility, as the green paper seemingly welcomes, is very much a double-edged sword.
In that vein, we support the recommendations of Professors Roach and Forcese that the language of “undermine the security of Canada” should be narrowed so that the application of the act is limited to “threats to the security of Canada”, as established in the CSIS Act, and that the act should mirror the language found in item 83.01(1)(b)(ii)(E) of the Criminal Code on the exceptions, whereby “advocacy, protest, dissent or stoppage of work that is not intended to result in the conduct or harm referred to in any of clauses (A) to (C)”—i.e., endangering life, health, or security—should not be subject to the act.
We also broadly support the Privacy Commissioner's recommendation that in addition to parliamentary review, institutions permitted to receive information for national security purposes should be subject to expert or administrative independent review. We noted with alarm that 14 of the 17 entities authorized to receive information for national security purposes under the SCISA are not subject to dedicated independent review or oversight. As well, of the 17 entities authorized to collect information under the SCISA, only two had indicated that privacy impact assessments, a fundamental step, were necessary and were under development. There are several models of independent oversight to look to here, including the United Kingdom and Australia, both of which have a dedicated independent monitoring system in place.
I'm going to be brief here because I think that a lot of our recommendations will echo what you've heard from others.
To wrap up, although the online world certainly presents novel challenges to law enforcement, it is worth noting that the tool kit available to our security agencies today is vastly more powerful when compared to their investigative capabilities 20 or 30 years ago. That's true both in relative terms and in absolute terms. This requires carefully crafted limits to protect and safeguard fundamental human rights.
Thank you for inviting me, and I congratulate you on the report you released yesterday on the Privacy Act. I was looking at it quickly on the plane this morning and I look forward to reading it more carefully later; it looks excellent.
Today the focus of my remarks is that I want to outline why I believe that the Security of Canada Information Sharing Act, or SCISA, as I'll call it, is constitutionally deficient and should be repealed. I agree with the commentators who have argued for that. Even if it's the view of this committee that it should not be repealed, I hope that if you think about ways to make it less problematic, you will do so with a strong emphasis on charter rights in thinking that through. That's what I'm going to focus on here.
Canada's constitutional jurisprudence is very clear that information-sharing practices within the government and with foreign states can attract charter scrutiny. Just because the state has collected information for one purpose does not mean there is no remaining reasonable expectation of privacy in that information. This is the crucial point. It's absolutely clear from the Supreme Court of Canada's jurisprudence on section 8.
Generally there can be a reasonable expectation of privacy in information the government already has for some purpose, and where there's a reasonable expectation of privacy, the starting point for constitutional analysis under section 8 is that the state should not get access to this information unless there is prior authorization on a standard of reasonable and probable grounds. Departures from these protections can be authorized by law, but those laws must be reasonable. In other words, such departures require constitutional justification. It's also difficult to establish such a justification in the absence of reasonable safeguards for this information, and again jurisprudence is speaking a lot about the need for safeguards in doing this kind of reasonableness analysis. That comes out strongly in the Wakeling decision.
The question, then, is.... SCISA allows information sharing on a standard of relevance. There is no prior authorization, and as I'll outline, almost no safeguards are mandated in the act. This is a clear departure from that starting point, and the question is, can you justify this constitutionally? I think one of the main problems with this whole justification question is the basic problem that I think the Privacy Commissioner of Canada and all his provincial and territorial counterparts have laid out in their submission on the government's national security green paper, in which they state “...we have yet to hear a clear explanation, with practical examples, of how the previous law prevented the sharing of information needed for national security purposes.”
You have clear questions from very serious commentators in Canada saying you haven't met the threshold for public justification for this act at all, and given that there are these departures from what I'm arguing are clear constitutional standards, there's a real dilemma here.
What we do have in Canada are two sets of very careful recommendations regarding information sharing that come out of the Air India inquiry and the Arar commission. Many of these recommendations are narrower in scope than what SCISA provides. For example, the Air India inquiry's information-sharing recommendations concern very specific types of targeted sharing among a small number of institutions, rather than the broad sharing contemplated by SCISA, and some of the recommendations in the Air India inquiry are actually stronger than what SCISA provides. For example, they recommended that CSIS be required to share information with the RCMP, and you don't see this reflected in the act.
With the Arar commission, many recommendations also touch on information sharing, but notably when the Arar commission discusses the Privacy Act, it speaks favourably of the existing exemptions. It says exceptions for consistent use in law enforcement in the public interest are all fine. It does not say that a new authorization is required that would engage paragraph 8(2)(b) of the Privacy Act. That's the provision that says you can share information “for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure”. That's the provision in SCISA that many people interpret as opening the door to this broad sharing. The Arar commission did not ask for that. It said the existing exemptions and the way they were being used was perfectly fine, and it also indicated that the proper scope of the consistent use exemption should be informed by charter jurisprudence.
The Arar commission does not talk about the need for new information-sharing powers, but it does talk a lot about the need for written agreements, the requirement of caveats when sharing with foreign states, issues of accuracy and reliability of information, and the need to protect human rights.
None of these latter considerations are strongly reflected in SCISA. We have instead a list of guiding principles that are not requirements. It gives very weak support for caveats. It talks about information-sharing arrangements, but not written agreements, which were very key to the Arar commission report. There's nothing about accuracy and reliability. There's nothing about sharing with foreign states and the potential human rights implications of doing so. There is weak language that they may make regulations about disclosures and record-keeping.
The Supreme Court of Canada jurisprudence suggests that the absence of appropriate safeguards for the sharing of data can undermine claims that the law is reasonable. We don't see any of that here, yet we have these strong reports in the Canadian public sphere that ask for all of these things.
I think that raises a serious question. We don't have the public justification for broad information sharing. What we do have is strong justification for a much narrower set of information sharing in SCISA, and in some cases stronger practices than we see in SCISA. It would be very difficult to justify, I think, the breadth of this act constitutionally.
There are other aspects. I think the sheer breadth of language like “activities that undermine the security of Canada” in this act is overbroad and also is going to raise those problems with respect to justification. You've heard that from other witnesses, so I won't belabour that point.
There have been a number of suggestions that you can change the “relevance” standard to one of necessity. I think that would be an improvement for sure, so in those terms I would support it. I think you should also think through how that might still remain problematic from a constitutional perspective. For example, the Privacy Commissioner of Canada makes this recommendation on the basis that necessity is the standard that CSIS must follow in relation to its investigative powers, as stated in section 12 of the CSIS Act. However, CSIS actually has to seek a warrant where its investigations intrude upon a reasonable expectation of privacy. The warrant provisions of the CSIS Act are a different part of the act, and they require prior judicial authorization. They require that such authorization meet a higher standard than necessity, that there are reasonable and probable grounds that such an intrusion is required, and that there is evidence that other investigative methods have failed or are likely to fail.
The reasonable and probable grounds standard is not simply a test of necessity. When many people talk about the necessity test, what they like to provide as an example from the constitutional context is the section 1 test. The section 1 test is dominated by ideas of minimal impairment. A minimal impairment analysis would be something like, “Do you need this information in order to reach your goal, and, in doing so, do you intrude upon privacy as little as possible?”, but reasonable and probable grounds contemplates that sometimes you do not get to pursue your goal, even if this pursuit is minimally impairing. Reasonable and probable grounds includes the idea of the likely effectiveness of reaching that investigatory goal, so even if you're not going to build in some kind of prior authorization threshold—although I still think that's a good idea—there's a need for efficacy review here. Are the powers effective? Are you actually meeting your goal? I don't see that anywhere in SCISA at all. At most, paragraph 4(d) gives you the guiding principle that
“the provision of feedback as to how shared information is used and as to whether it is useful in protecting against activities that undermine the security of Canada facilitates effective and responsible information sharing;”
“Feedback” in a guiding principle is not what's needed. There has to be some burden of proof that information sharing is effective—if not beforehand, then at least after the fact.
In conclusion, I want to echo some of the comments that Micheal Vonn was discussing with respect to the issues of bulk access. Much of the discussion of SCISA that the government provides in its green paper proceeds as if the government institutions will decide to share information about specific individuals at discrete points in time rather than share institutionally held datasets for the purpose of more sophisticated analytics, including automated data processing. However, many believe that the latter is precisely what SCISA at least enables, even if it's not being done now—I don't know—and this raises additional privacy concerns.
Many of these types of analytic techniques rely upon access to the personal information of individuals who are themselves under no suspicion at all. There are a number of privacy considerations there, but the considerations that touch upon charter issues are broader than that. There are a lot of freedom-of-association concerns that come with some techniques, especially when the data involved is either social media information or metadata information, whereby people's social networks can be mapped. There are freedom of expression issues at stake, as we've already heard from the Centre for Law and Democracy.
There are also equality concerns. How are these techniques being used? Are biases being built in, either in relation to the datasets that are being used or the types of algorithms that come out in respect to processing this information? There's emerging literature regarding algorithmic responsibility, and a lot of concern about how information is being processed and whether that leads to problematic biases and inaccuracies.
None of those concerns are possibly met by SCISA as it is drafted right now. As Micheal Vonn from the B.C. Civil Liberties Association indicated, there's a sense that if we overhaul the Privacy Act, that might temper some of the problems with SCISA. Sure, it will temper them, but I think that SCISA itself raises a lot of really specific charter questions, some of them about privacy and some of them about these related sets of issues in the national security context that on their own require justification and that the legislation as it stands is seriously deficient on.
I don't know the report, so I don't want to talk about that specific report.
When you depart from a warrant...because you're not going to be dealing with that when you're dealing with use and disclosure, but when the government already has information, and the constitutional jurisprudence says there's still a reasonable expectation of privacy—not necessarily on all of it, but it can still attract a reasonable expectation of privacy—there's a constitutional question when there's further sharing of it or some subsequent use that's not the use that it was collected for, so the constitution is in play there.
Does that mean you need a warrant? No, the courts have allowed departures from warrant requirements in all sorts of contexts, but you still have to think through the charter question about whether this is reasonable or not.
I don't think this information should be shared without some review happening, at least after the fact. Part of what the reasonable and probable grounds says is that you have this threshold that gets you to the question of whether you are likely to get evidence, but what about after-the-fact efficacy review, so that if it turns out you're not actually meeting any intelligence goal or national security goal, you shut down whatever that information-sharing practice was?
In the absence of that, is the law reasonable? I don't think so, in the absence of some of the other sorts of safeguards, such as written agreements. The act talks about arrangements; they're in the guiding principles. The act doesn't require that there be rules around data retention and other sorts of protections.
Sure. Thank you very much for the question. It's part of why I wanted to bring up the issue of the mandate of the various agencies.
As I'm pointing out, the real-life effects of this are right now. People who are talking about such issues as how we are going to make an effective national pharmacare system in Canada meaningful for people's health are saying, “Oh, dear; what about SCISA and the fact that Health Canada is impacted by this detrimental impact on patients' information rights?” That is affecting people in their ability to essentially govern ourselves, benefit our health, etc. On a very real level, these discussions right now are impeding our ability to effectively govern ourselves.
On an individual level, it has mass implications. As I say, I am of the opinion—and I share it with various of my colleagues—that if you were going to do one thing to reduce the abuse power of SCISA, make it so that you could not have bulk data transfers as part of it.
If there was confusion about what individual suspicion standards of information sharing should have happened in the past, again, we could have clarified those in the Privacy Act. Instead, we enacted an act in which it was very clear that bulk data transfers were facilitated. The kinds of profiling that bulk data is used for have a devastating impact not only on some individuals, which they have brought to our attention that they do not deserve—they may find themselves on the no-fly list, the slow fly list, or other various aspects, on the basis of profiling without any individualized suspicion—but entire communities are impacted by being under the threat of racial and religious profiling.
I could go on about this subject for quite a while, but I'm going to keep it narrowed to those examples because I think they speak to both the front-end chill and the ultimate impact of where we do have very reasonable grounds for suspecting SCISA was essentially enacted, which is about the bulk data holdings.
I'll add to what my colleague said. I think it might be useful just to flesh out a little an example of why when datasets are combined they can be way more privacy intrusive than the sets considered in isolation. I can give you an example from the private sector that helps to make this point.
There is an app that was published and was called “Girls Around Me”. Basically, it combined two sets of publicly available information: information from Facebook profiles, which is generally about people's pictures and their likes, dislikes, interests, and what have you, and then information from Foursquare, which allows people to use their iPhones to check into a particular thing, such as “I'm at this restaurant, I'm at this movie theatre, I'm at this bar”, or whatever. Combining those two datasets, which in isolation have their own concerns but are not super-intrusive, basically creates this stalking app that allows people to look at their phone and say that in this restaurant there is a girl, here's what she looks like, here's what her interests are, and here's everything about her.
Again, you take these two datasets in isolation and then put them together, and suddenly you have something that is far more intrusive than the two taken separately. That's an example from the private sector, but I think it does illustrate the harm and the concerns that can come about when these datasets are combined, particularly echoing what my colleague said about the fact that, in dealing with the government, people don't necessarily have a choice when they're sharing this information. When you're dealing with communities that are under risk and already have a good reason to be suspicious of their interactions with government, I think these are very good illustrations of the kinds of concerns that come into play.
I believe we need to hear from this minister regarding the MyDemocracy.ca program that she has. Changing or retaining Canada's electoral system has been an important topic over the past year. A special committee was formed to study the issue, and it reported earlier this month. I myself travelled with the committee during part of its tour through the western provinces and territories.
However, the minister was somewhat dismissive of the committee's report. She conducted her own parallel consultations on the topic and has now launched a third party survey on democratic values, ostensibly to consult Canadians indirectly instead of through a referendum, as recommended by the special committee.
We've heard much about the survey at MyDemocracy.ca of late. It asks a series of oddly drafted questions with many conditionals or what-if statements. It doesn't actually ask what system a responder would prefer and does not give the option to call for a referendum. It allows responses from out-of-country IP addresses, which is interesting too, if a responder provides a Canadian postal code.
Most interestingly for this committee, it asks for significant demographic information, which may be used to identify individuals. This last point has attracted the attention of the Privacy Commissioner, who is now investigating the survey due to his concerns about Canadians' privacy.
While he's conducting the investigation, we can't call the commissioner. We certainly can't question the commissioner while an investigation is in process. We will wait until he has completed his investigation before we can hear from him.
In the meantime, I think we should provide the minister a chance to tell the committee more about this survey. The survey has been met with widespread and, I would say perhaps, universal ridicule, which discredits the process itself. The fact that the process is under investigation by the Privacy Commissioner also means that perhaps the most important thing we can ask this Parliament about is what our democracy will look like in the future.
She stated in question period last week that the survey protects respondents' privacy pursuant to the act. That's what she said. Time certainly did not allow for her to discuss specifics. In contrast, by appearing before the committee, she would have the time for a detailed discussion of an important concern for privacy in light of an important national discussion.
There are many questions we could ask her, and there's substantial expertise now around this table on privacy matters from the numerous witnesses we've heard from and the study we have completed. Many of these questions have in fact been asked in the House and have not really been answered. For instance, what will the government do with all of this information that it is collecting as part of the study? Will the information be destroyed at the conclusion of the study? If not, what further use would be made of people's demographic information, together with their answers to these value questions about opinions on democratic reform?
This is a timely issue. It's an important one for Canadians. I think this is the place where it should happen.
In terms of scheduling, we won't be meeting again until late January. There should be ample time for the clerk to find an agreeable time for the minister.
I would move that we have the minister appear before the committee.
Thank you very much. I just wanted to take a moment to speak in favour of the motion.
One of the things we've been discussing even in the context of our study of SCISA has been a necessity test. It was very interesting to hear that as part of the government's survey, Canadians have to submit information having to do with their level of income, for instance, and a bunch of other things that I don't think are obviously necessary to the government getting their opinion on what kind of voting system we would like to have.
I think there are some interesting questions that bear even on issues that we're discussing in the context of our study. It might be helpful to get the point of view of the minister to better understand why she believes this information is necessary.
Also, it would be good to get a better idea of what they are going to do with that information. When the minister has been asked questions about why the government would want that kind of demographic information on respondents, her answers, frankly, have been quite evasive in the House. She says, you know, it's not a requirement that you provide that information in order to complete the survey. Presumably Canadians are filling out that survey not because they care to know whether Vox Pop Labs thinks they are an innovator or a guardian but because they want their preference to be registered. Although she has refused to say, it does say on the website that if you don't provide that information, then your preferences and the information that's actually germane to democratic reform—if anything really is out of that survey—isn't counted.
I think having her come here with more time might allow us to get a better answer from her as to whether or not it serves any purpose at all, other than to get that opinion on whether you fit into whatever categories the company that designed the survey came up with. I think filling out that survey if you're not prepared to provide that information would be very useful.
In our last study that has been referred to today on the Privacy Act, we talked about government exploring ways to see the Privacy Act apply to ministers' offices. I think this MyDemocracy.ca survey is a great example of why Canadians might want the Privacy Act to apply to ministers' offices, because one wonders really what the point of collecting that information is, if it isn't ultimately for some kind of profiling or outreach. I don't see that profiling people is useful to government with respect to their preferences about democratic reform. I can imagine how it would be useful to the Liberal Party of Canada. Therefore, I think getting some more precise answers from the Minister of Democratic Institutions as to why it's important to government to have that information would be very good.
For all those reasons, Mr. Chair, I do support this motion.
To our witnesses, thank you for your patience.
I know we've heard concerns from many of our witnesses about the necessity versus “undermines the security of Canada”. If I understand the positions correctly from our witnesses, we have two who want to repeal the act completely and start over, or not start over, and Mr. Karanicolas, if I understand you correctly, you want to perhaps not necessarily abolish the act completely, but make numerous changes.
Many Canadians—and I think of the people in my own riding, when I knock on doors and when I meet people—if they thought that an intelligence-gathering agency or a security enforcement agency of some sort, a law enforcement agency, possessed information that undermined the security of Canada, they might feel that it may be appropriate to share information that undermined the security of Canada with a more appropriate agency to exercise its judgment and deal properly with that information.
Perhaps make the case again, or explain it in a way that would resonate with residents who have concerns about those who would undermine the security of Canada.
Perhaps we'll start with Ms. Austin.
Thanks for the question. I think it's a great question.
The one thing that strikes me in examples like this, and the one you're giving too, is that as I said before, there is much broader popular support for information sharing within agencies that have a national security mandate. Where I think the trust issue becomes much more problematic is when you say, “Oh, this isn't about an intelligence-gathering agency or an enforcement agency possessing information and then sharing it with some agency that they think is more appropriate. This is about any government department sharing with these recipient institutions.”
The sheer breadth of the information sharing contemplated here is part of the problem with the basic justification for this. The specific targeted improvements on how information is shared come out of the Arar commission and the Air India inquiry, and there's, I think, great support. It's always a case of the devil's in the details, right? I think specific information sharing within agencies with national security mandates, with appropriate protections and accountability, sounds all right. Broad information sharing that also contemplates bulk access in ways that haven't been disclosed publicly, with potential additional concerns around equality and profiling and association and expression, is part of the problem here.
Justifying this act based on examples around narrow information sharing is part of the issue. I think people accept the narrow information sharing. It's the breadth of what's contemplated here that's the problem.
Thank you for that question.
More attention needs to be paid in SCISA to this incredible breadth, as I've been saying about so many agencies involved in potentially sharing information with a small group. As you said, some of them themselves have a tangential relationship with national security.
I would just point back to the Arar commission's report, which suggested that some of the existing exemptions in the Privacy Act—including the public interest exemption that says where there's a public interest that outweighs the privacy interest of the information, information can be disclosed—met all sorts of needs.
Again, my question around the overbreadth of this act is, why not...? Obviously I've said you should repeal it. If that's not the case, why not scale it down to a much narrower set of institutions that are sharing information? If it so happens that there's information that some other unrelated agency has that they think really should be shared, why isn't the public interest exemption perfectly adequate? It's already right there in the act. Again, in terms of justifying the overbreadth, I'm having trouble seeing that broad scope of the act, and a lot of the examples being offered as to why it's needed contemplate a much narrower set of information sharing, which I think you have a much greater chance of getting Canadians on board with.