Mr. Chair and members of the committee, I am here this morning with Patricia Kosseim, who is our general counsel, and Lara Ives, who is the director general of audit and review.
Thank you for the invitation to discuss Bill .
As you know, Bill introduces a wide range of measures intended to strengthen Canada's national security framework in a manner that safeguards the rights and freedoms of Canadians. On the whole, I find it represents a step in the right direction, but as other commentators have noted, its weakest part is the Security of Canada Information Sharing Act, or SCISA, which contains provisions related to information sharing and privacy. Professor Forcese, for instance, gave these sections a failing grade. I was therefore glad to hear last week say that SCISA was probably the part most deserving of scrutiny. I hope your study will result in much-needed improvements to these rules.
In previous parliamentary briefs, I highlighted the need for rigorous legal standards around the collection and sharing of personal information, effective oversight, and minimization of risks to the privacy of ordinary law-abiding Canadians, particularly through privacy-sensitive retention and destruction practices. Specifically, I indicated that the law should prescribe two things essentially, which are useful to bear in mind. First is “clear and reasonable standards for the sharing, collection, use and retention of personal information”, so substantive rules. Second is that compliance with these standards should be subject to independent and effective review mechanisms.
It is with this analysis in mind that I offer the following comments and recommendations. While I will focus in my remarks on SCISA, this analysis, looking at two types of issues, is also relevant for other parts of Bill , including parts 3 and 4. The full list of our recommendations is attached to this statement.
Bill would create a new expert review body, the NSIRA, with broad jurisdiction to examine the activities of all departments and agencies involved in national security. Recently, Parliament also created, through Bill , a new National Security and Intelligence Committee of Parliamentarians. Both of these bodies will be able to share confidential information and generally co-operate so as to produce well-informed and comprehensive reviews that reflect considerations both by experts and by elected officials.
These developments are most welcome, but they are, in my view, clearly insufficient. In my view, effective review of national security activities must include both parliamentary and expert review, and the latter must include both national security and privacy experts. Why privacy experts? Because the work of national security agencies depends in large part on personal information. It is what they call their “lifeblood”. The OPC is the federal centre of expertise in privacy and personal data protection. Canadians are concerned that anti-terrorism efforts in government not unduly impede their privacy rights, and they expect my office to play a role in ensuring that balance.
Bill is oddly silent on the role of my office. It does not amend the Privacy Act, so my existing authorities appear to be untouched. The only body with explicit authority to play a role in relation to part 5, the renamed SCIDA, or Security of Canada Information Disclosure Act, is the NSIRA, the National Security and Intelligence Review Agency.
The ethics committee, in its study of SCISA, has already noted the ambiguity in the interplay between that act and the Privacy Act. It has called for amendments to clarify that the Privacy Act continues to apply to all personal information disclosed pursuant to SCISA. I have provided to your committee amendments that would confirm the application of the Privacy Act and the OPC's role, which I am told the government wants to maintain.
However, there is no ambiguity on whether my office would be able, with Bill , to share confidential information with the NSIRA and the new committee of parliamentarians. We would not have that authority, and actually we would be prohibited by existing provisions in the Privacy Act from sharing such information.
This means that the comprehensive review process offered in Bill , as a fundamental element to bring balance between security and respect for rights, would stop short of the objective by leaving privacy experts out of integrated review. I am at a loss to understand why. If the fear is of duplication between our work and that of other review bodies, I would gladly explain through the question period how bringing the OPC firmly within the family of review bodies would not only bring required expertise but would actually enhance efficiency and reduce overlap.
When Bill enacted the Security of Canada Information Sharing Act, known as SCISA, I indicated that among my concerns was the fact that the relevance standard for sharing was set too low, and that there was an absence of clear data retention and recordkeeping requirements and a lack of information-sharing agreements and privacy impact assessments.
The relevance test is too permissive because it casts too wide a net and creates undue risks for ordinary citizens who pose no threat to national security. The government seems to recognize that a relevance standard does not sufficiently protect privacy because it is suggesting changes to section 5 of SCISA.
In its response to the Standing Committee on Access to Information, Privacy and Ethics, the government said the following:
The key issue regarding the threshold is the need to establish specific decision making parameters for the discloser of information that will protect individual privacy but not cause undue delays in the information sharing process.
I agree with that assessment. The proposed new section 5, particularly paragraph 5(1)(b), incorporates some aspects of a necessity threshold but falls short of adopting what officials refer to as “strict necessity”.
In order to adequately protect privacy rights, under new section 5, this limited progress in increasing the threshold for disclosure would have to be accompanied by more complete changes to the standard applicable to receiving institutions, in other words, the security agencies receiving the information in question.
Information sharing involves two parties and, to protect rights, rules are also required for receiving institutions. If relevance is not adequate for disclosing institutions, it is also inadequate, even more so, for receiving agencies.
And the delay considerations that may apply to disclosure affect receiving departments very differently. These institutions are perfectly capable of applying the classic, internationally established necessity test, and should be required to do so.
We understand that the government intention is for receiving institutions to continue to be governed by the Privacy Act, or their specific enabling legislation where applicable. The current Privacy Act threshold is relevance.
As your committee recommended in its May 2017 report on Canada's national security framework, we also recommend that a dual threshold be adopted for information sharing—that set out in amended section 5 for disclosing institutions, and that of necessity and proportionality for receiving institutions.
Even if one accepts that government sharing of information related to law-abiding citizens may lead to the identification of new threats to national security, once that information is analyzed and leads to the conclusion that someone is not a threat, it should no longer be retained. Otherwise national security agencies will be able to keep a profile on all of us.
This is consistent with the conclusions of our review of the Canada Border Services Agency's scenario-based targeting initiative, summarized in my latest annual report to Parliament, and it is one of the principles upheld by the European Court of Justice in the passenger name and record case, decided in July 2017.
In addition, if the threshold for collecting or receiving information is higher than the standard for disclosure—which is currently the case at least for CSIS and would be the case if you adopt a dual threshold, that is, one for disclosing institutions and one for receiving institutions—then, rules are required to ensure that information is discarded without delay either when the collection test is not met or if the receiving institution is of the view that the disclosure standard was not satisfied.
In conclusion, my complete recommendations, annexed to this statement, include some that I have made in the past and do not have time to explain in the time allotted this morning. I also intend to write a fuller submission prior to the end of your study.
My team and I would be glad to answer any questions you may have.
I start my analysis with the need to have good, clear, sufficiently high legal standards, including thresholds. That's where the issue of relevance for contributing to the mandate or being necessary comes in, so there are substantive legal safeguards.
The second element of well-balanced national security legislation requires strong, independent, effective review. On the substantive legal safeguards side, I accept that to apply the necessity test may pose problems for disclosing institutions, which is the main point the government made in responding to the ethics committee, and which may have been a contributing factor to your committee when you suggested a dual threshold.
I accept that a threshold lower than necessity helps disclosing institutions do a difficult task while having safeguards. However, receiving institutions—essentially national security agencies—know very well what their mandate is and what they need to do their job. There, the necessity threshold, which is the international norm, should apply fully.
That's the main substantive recommendation I'm making, which is again where this committee was at not long ago.
The second substantive rule is as follows. If there is a difference between the thresholds applicable to disclosing and receiving institutions, which would be the result of a dual threshold, it's easier for disclosing institutions to disclose, but the threshold for receivers is higher. Point one is, what do we do about this gap, if the receiving institution has received something that is not necessary?
Point two is, if the receiving institution has received information about a law-abiding citizen—travellers are the best example—to identify in the mass of travellers the extremely few who may pose a threat to national security, there should be legal rules to require the receiving institution to get rid of the information, to destroy the information, to no longer retain the information if there's a gap between the two thresholds, or if, in relation to a given individual, the analysis leads to the conclusion that the person is not a threat and therefore that their information should not sit in the records of CSIS or the CSE or the intelligence apparatus. These are the substantive rules.
In terms of effective review, it is clear that the creation of the new NSIRA is an important improvement. The fact that it will be able to share information with the committee of parliamentarians creates a good step in the right direction, in that you have integrated review applicable to all departments—not only three as at the current time—and you have elected officials and experts who can talk to one another and reach a well-informed decision.
What we think we can bring to the picture—and we're not in the picture, at least not completely—with Bill is that the lifeblood, la matière première, the main tool that national security agencies have to do their job is information, and that includes personal information. We're the experts in how to deal with personal information in a way that respects privacy rights. We're not saying that NSIRA would be without any knowledge of the relevant issues, but there is an issue of core importance to the work of national security agencies, that of privacy, where we're the experts, and we think we can add value to the rest of the architecture.
Mr. Chair, I think we need to ask ourselves why we are here. I think one of the challenges we've had is that we hear a lot of tactics, but we don't hear a lot about what the strategy is and what the ultimate rationale is behind this. The rationale is that, as Canadians, we've long lived in an environment where we believed we have been safe by virtue of where we are in the world, which is very far away from all the troubles in the world. I would submit that this is no longer the case. The fundamental conditions have changed. The security threats and vectors are much broader and much deeper than they have ever been.
If you think about hypersonic manoeuvrable cruise missiles, intercontinental ballistic missiles, cyberspace, violent extremism, terrorism ideology, and also matters such as the globalization of organized crime, these are all things that we can't just keep away from our borders. They affect us here now, and they affect us every day. The security environment has fundamentally changed. The premise that we're somehow safe because we're far away from the troubles in the world simply no longer applies.
We've also, of course, seen these threats specifically associated with certain entities. This is often what's referred to as the four-plus-one issue: the four countries—China, Russia, North Korea, and Iran—and the plus one is transnational terrorism. In Canada we don't have a systematic human foreign intelligence service, so we rely disproportionately on our signals intelligence service to provide us the foreign intelligence we need to get domain awareness.
We also have the benefit of being part of the Five Eyes community. This membership should not be taken lightly. There is an international security hierarchy in the world. If you think about this as a pyramid, the United States is at the top and the Five Eyes community is below that. That means we need to be able to continue to be effective contributors to that community if we want to benefit from that community. The benefit from that community has precisely been that we have been able effectively to underinvest relative to most of our allies in defence, in security, and in intelligence because we have this force multiplier capability of domain awareness and overcoming the fallacy of composition that we wouldn't otherwise have. We need to balance here our obligations and the benefits to the community with the constraints that we impose on our own community.
We've also seen a fundamental change in the intelligence business as a result of two events, if you will. One is the advent of the Internet and of large data. The bad guys have been exploiting those systematically, and I would submit that in Canada we have been a little bit too easy on the bad guys who exploit the Internet and data, and too hard and making life a little bit too difficult for the people who are actually trying to disrupt, rein in, detect, and defend us against these nefarious entities. We need to strike a balance between the good guys and the bad guys. Of course, the advent of 9/11 has fundamentally changed the intelligence community and also the expectations the public has of the state in terms of keeping them safe and secure.
More than ever before, in light of the threats I've outlined, we are relying on intelligence to help us anticipate the security and safety challenges for Canada and to be able to mitigate those challenges effectively.
My fourth and final submission on this point is that, as a result of the Snowden revelations, much of the public has some skepticism about how the community operates. We are not here because there's in any way some large-scale violation of the professionalism or the capabilities in which the community does its job. We have the odd issue that comes up. Usually those issues are first identified by the community itself and then brought to the appropriate offices. We have a professional community, but we have the public that is skeptical, so I think the primary purpose of review here is to reassure the public that in a rule-of-law society and in a constitutional society everything is indeed on the up and up.
The other problem is that we have a massive public misunderstanding of what the community does, why it does it, and how it operates. That's as a result of the media, because where we see the community operate is largely on television where there are shows about law enforcement, intelligence, terrorism, and whatnot. If you watch those shows about the systematic violations of the rule of law and of constitutionalism, it makes for great television, but it is simply not how the community operates. However, this is what most Canadians and much of the public think is happening, reinforced by some of the ways the revelations by Edward Snowden have been interpreted and misinterpreted in much of the public discourse.
I would also say we need to be careful, then, in Canada with the security culture that we've created. In the Five Eyes community, we have, by far, the most restrictive privacy regime. This is a choice that we have made as Canadians, that what we are doing here is.... Other countries that have more rigorous parliamentary and other review mechanisms than Canada have also given their community more latitude in terms of how it can act, what it can do, and how it can do it.
In Canada, I'm a little concerned that, on the one hand, we're imposing considerable constraints on the ability of the community to be agile and flexible to continue to reassure the safety and security of Canadians, while at the same time, imposing this very strict review regime which, yes, is necessary to reassure the public, but we need to make sure we strike an effective balance here.
I hear lots of people constantly talk about privacy as if review were only about privacy, which, of course, is nonsense. There is review; there is oversight, yes, and there is compliance review, but review is also about efficacy. Are Canadians getting what they pay for from the community? Currently, nobody is really able to ask that question. We will now, as a result of these mechanisms, have the ability to ask those questions, and effectively, these committees will also be peer review for the community. Are they doing the best job they possibly can with the best methods and the best approaches that are available to them?
This discussion that it is simply about privacy, to me, misconstrues the broader benefits and payoffs of a more robust review regime by parliamentarians and by the now-revised community of review bodies that will have a broader remit overall.
I'll close on six questions that we need to ask ourselves when we try to introduce this type of legislation. What are the methods that should be used to hold the intelligence and security agencies to account? What ISAs, intelligence security agencies, should fall in the remit of those accountability bodies? Who is staffing those accountability bodies? What relationship does the accountability body have with the political executive? To what information does the accountability body have access? If there is more than one accountability body, how do they coordinate, and how do they prevent duplication?
This dovetails now with Ms. McNorton's recommendations that follow directly from some of these issues that we have laid out here that people need to think about when we implement such legislation.
Mr. Chair, to enhance intelligence accountability, we have suggested five recommendations.
The first is that Bill does not describe if and how NSIRA, which is the national security and intelligence review agency, will support the National Security and Intelligence Committee of Parliamentarians. In the existing system, the committee of parliamentarians could apply to OCSE, the office of the CSE commissioner, the Security Intelligence Review Committee, or the Civilian Review and Complaints Commission, if they needed additional assistance. However, if Bill C-59 is passed, it will only apply to NSIRA or the CRCC. In regard to this recommendation, we consider how much support NSIRA will give the committee of parliamentarians and what kind of support they will give the committee of parliamentarians.
The second suggestion is that the Civilian Review and Complaints Commission should retain its ability to review issues and investigate complaints related to national security. The existing legislation giving NSIRA the ability to review matters related to national security issues goes against the recommendations from the O'Connor commission. Also, in the end, it would give the CRCC undue influence over what NSIRA reviews in regard to national security, because NSIRA will remain the principal point of contact for the complaints and reviews, which it would then refer to NSIRA.
The third recommendation is that NSIRA should have the ability to conduct joint investigations with provincial police and complaint bodies. The CRCC has this power as well. Basically, a lot of the federal intelligence and security agencies work with provincial police bodies, so that is also a consideration.
NSIRA should develop and establish standards for intelligence accountability.
Last, NSIRA should take reasonable steps to co-operate with the committee of parliamentarians to avoid unnecessary duplication of work in relation to the fulfillment of their respective mandates.
Yes, my apologies to the committee for coming in late.
Thank you, Mr. Chair, and members of the committee. The Canadian Civil Liberties Association appreciates the opportunity to make submissions with respect to Bill .
CCLA was a vocal critic of the Anti-terrorism Act passed in the last Parliament and initiated a constitutional challenge to a number of aspects of that law, which remains in abeyance pending consideration of Bill . While this new bill has partially addressed some of Bill 's constitutional deficits, it has certainly not resolved all of them. The bill also grants our national security agencies a number of extraordinary new powers that have not been adequately justified and that do give rise to very real civil liberties concerns. The government has framed this bill as being about protecting both national security and rights, and CCLA supports both of these goals, and our comments and recommendations are made in that spirit.
We will begin by identifying the positive changes Bill makes to former Bill , outline the issues that remain unaddressed, and finally, set out the new problems created by Bill C-59.
Since we certainly can't cover everything in 10 minutes, we'll also be filing a more detailed written submission. Beginning with the items that Bill has improved, we are reassured by the government's amendments to the terrorist speech offences. Without these amendments, the provisions violate sections 2 and 7 of the charter and may also undermine community-based deradicalization efforts. While the amended offence is arguably unnecessary, given the large number of pre-existing terrorism offences in the Criminal Code, counselling offences are a known quantity in the criminal law and follow a clear legal framework. However, the language of “terrorism offence” in the amendment would be better changed to “terrorist activity”, which is a defined term in the code.
On information sharing, Bill adds new proportionality and reporting requirements, which is a distinct improvement over the largely unaccountable system introduced in Bill . However, the definition of “threats to the security of Canada” that triggers information disclosure remains unduly broad and circular. It is not clear why this definition is so much broader than the one included in the CSIS Act, and we remain concerned that constitutionally protected acts of advocacy, protest, dissent, or artistic expression, particularly by environmental and indigenous activists, will continue to be swept up in the process.
One of the most controversial aspects of Bill was the threat reduction powers granted to CSIS and the accompanying warrant provisions that appeared to allow for judicially sanctioned charter breaches. We do not doubt that there are times when CSIS may see an opportunity to take action to reduce the threat to the security of Canada. What is unclear is why this goal cannot be achieved through better communication and co-operation between CSIS, the RCMP, and other law enforcement bodies. This is a very significant shift in mandate that appears to ignore the historical reasons for separating law enforcement and intelligence in the first place, and there has been no convincing case made for why this shift is necessary.
Moreover, the legal framework for the exercise of these powers established in Bill was deeply problematic and clearly unconstitutional in our view. The scheme as modified by Bill is an improvement. It establishes clearer contours around what actions are permitted and what is prohibited, and the warrant scheme appears to be intended to ensure that the charter rights of individuals are respected. If CSIS is to continue to have these powers there are a number of ways in which we believe the scheme should be improved.
First, the requirement for CSIS to consult with other federal departments or agencies to see if they can reduce the threat should be amended to clarify that if a law enforcement body is better placed to do so, CSIS should not pursue threat reduction. Second, the list of measures set out in proposed section 21.1(1.1) only requires a warrant where CSIS determines that they may violate the law or limit a charter right. A warrant should be required in any case where these measures will be pursued by CSIS. It is vital that the determination of whether a law is being violated or a charter right limited not be left solely to CSIS.
Finally, the new national security and intelligence review agency should be required to report on the number of warrants issued under proposed section 21.1, and the number of requests that were refused. SIRC does so now, and reducing reporting requirements is not consistent with Bill 's stated goal of enhancing accountability.
Some of the most problematic aspects of Bill received only cosmetic improvement or none at all. As this committee is aware, the passenger protect program continues to raise serious constitutional problems. The process by which individuals are placed on the list remains opaque, and proposed redress mechanisms are inadequate. Bill also fails to correct the flawed appeals procedure, which parallels the system in place for security certificates prior to the Supreme Court's Charkaoui decision in 2007.
While the no-fly list is undoubtedly different from being named in a security certificate, both have the ability to substantially interfere with the constitutionally protected rights and liberties of an individual and to seriously impact their lives and families. The current process allows the use of hearsay and secret evidence, without access to a special advocate able to test that evidence or to represent the interests of the listed person.
This committee recognized these profound issues in May when it recommended the use of special advocates in no-fly list proceedings, among other safeguards, and yet Bill does not address these concerns. It should do so by adopting this committee's initial recommendation. We would note that the terrorist entities list raised similar issues.
Mr. Chair, another deeply problematic aspect of Bill that has not been touched are changes to the Immigration and Refugee Protection Act that undid important protections for named persons in security certificate proceedings. Bill limited the requirement for disclosure of relevant information to special advocates and introduced a series of procedural barriers which further disadvantaged the rights of the named person.
In our legal challenge, CCLA has argued that these amendments are an unconstitutional violation of the section 7 guarantee to a hearing before an independent and impartial tribunal. Our Supreme Court has affirmed that the individual named in the security certificate “must be given an opportunity to know the case to meet, and an opportunity to meet the case”, an impossible exercise in the absence of a coherent legal framework for full disclosure.
This committee recognized as much in May 2017 when it recommended amending IRPA in order to give special advocates full access to complete security certificate files. We urge that Bill be amended to correct this issue.
We move now to the new elements of the new national security landscape that Bill has introduced. Our written submission will address a much wider range of issues in relation to the CSE Act, but we would like to highlight two parts today.
First, the proposed active and defensive cyber-operations aspects of the CSE's mandate essentially allow the establishment to engage in secret and largely unconstrained state-sponsored hacking and disruption. The limitation of not directing these activities at Canadian infrastructure is clearly inadequate given the inherently interconnected nature of the digital ecosystem. Such activities are also bound to impact the privacy, expression, and security interests of Canadians and persons in Canada, and may threaten the integrity of communications tools such as encryption and anonymity software that are vital for the protection of human rights in the digital age.
In the case of CSIS's disruption powers, which are in some ways analogous to these new aspects of CSE's mandate, the government has set out a complex framework for prior judicial authorization and a longer list of prohibited activities. While we do not concede the adequacy of that framework, it is notable that, in contrast, CSE's cyber-operations activities involve no meaningful privacy protections, require only secret ministerial authorization, and involve only after-the-fact review.
Second, while the majority of CSE's activities cannot be directed at Canadians or persons in Canada, this is an inadequate safeguard against CSE's overreach in the face of unselected bulk collection. Bill exacerbates this privacy risk by creating a series of exceptions for the collection of Canadian data, including one which allows its acquisition, use, analysis, retention, and disclosure, so long as it is publicly available.
This definition is so broad that it plausibly includes information in which individuals have a strong privacy interest, and potentially allows for the collection of private data obtained by hacks, leaks, or other illicit means. Furthermore, it may encourage the creation of grey markets for data that would otherwise never have been available to government—a client with deep pockets.
The government has failed to demonstrate why this exception, as worded, is necessary or proportionate, or what risk it is meant to mitigate in the first place.
The government has failed to demonstrate why this publicly available information exception as worded is necessary or proportionate, or what risks it's meant to mitigate in the first place. The CSE has identified a need to access reports on the global infrastructure as a justification for this provision, yet a more narrowly defined list of information types would easily respond to such a need.
While section 7 specifies that privacy must be considered, the nature of the protection is vague; the regulations setting out the scope of protection are likely to be secret, and the potential for invasive information collection and abuse is high.
The parallel term “publicly available dataset” in the CSIS Act remains undefined but appears to replicate the same types of problems.
Finally, we welcome the new accountability mechanisms in Bill and strongly support the creation of the new, integrated review body, and the introduction of an intelligence commissioner with the ability to exercise quasi-judicial oversight. However, we are concerned that significant gaps remain. The commissioner only issues reasons when rejecting an authorization. The reasons are kept secret from the public. There is no adversarial input. The authorizations will continue to be issued on a class basis, and there is no framework for appeal or review of decisions except by the minister and the intelligence agencies themselves.
Without amendments that strengthen the role of the commissioner, his or her ability to exercise meaningful oversight and control will be limited in practice.
We welcome questions from the committee about these issues and other aspects of Bill .
The government's proposed establishment of an act for CSE itself is a huge improvement and innovation over the current situation, where it is embedded in the National Defence Act.
I would say that on cybersecurity in this country, by and large not only do we have our head in the sand, but we need to do much better, especially at the intelligence sharing. The CCTX, the new mechanism to exchange cyber-intelligence, is a good improvement here. One challenge we have had is that CSE is, by law, extremely restricted as to what it can share with the private sector, and under what conditions. In this area, you ultimately need to prevent, anticipate, and have effective and timely intelligence sharing, given how quickly cyber-challenges and threats move. It is integral.
Other countries are much further ahead, if you look at Australia, the Netherlands, Israel, or the United Kingdom. This is what's sometimes known as phase two. If we cannot effectively protect our cyber-infrastructure, that is going to have a deleterious consequence for our economy, because people will only invest in innovation, in R and D, in the Canadian economy if those elements are then also protected. Why would you invest, if that's going to be immediately stolen? We know this country has done particularly poorly on the innovation agenda, and luckily, this government is trying to improve Canada's innovation capacity. That will not be effective if we can't then also ensure that the cyber-domain is effectively protected.