To strike a balance between national security and privacy, several witnesses said that the best option would be to repeal SCISA because of its shortcomings and scope and start again in order to find a new solution.[93]

However, for the purpose of finding a solution, witnesses who want to amend[94] SCISA and even those who want to repeal the Act consider it a priority to modify SCISA to include legal standards that limit the scope of its provisions. Indeed, several witnesses expressed concern about the lack of legal standards. Including such standards would better protect Canadians’ privacy. A number of witnesses suggested changes to limit the Act’s scope, for example with regard to the number of federal institutions subject to SCISA, the threshold in SCISA for disclosure, the definition of “activity that undermines the security of Canada,” and the legal effects of SCISA and its interaction with other legislation.

5.1 General Concerns About the Lack of Legal Standards

Commissioner Therrien is concerned that SCISA does not include legal standards to protect the privacy of Canadians: “The obligation to disclose information in a manner that is consistent with privacy protection should therefore become an enforceable legal standard, as is the case with the rules governing the disclosure of information.”[95] In his view, to strike the right balance between national security and privacy protection and to “ensure that not too much information is shared and retained,”[96] “you need the right safeguards and the threshold.”[97] Commissioner Therrien said his concerns are not theoretical, but real:

We have seen cases in the recent past where there has been excessive, sometimes unlawful, collection or retention of information. Think of the report of the CSE commissioner who found that the CSE had disclosed metadata to other countries illegally. Think of the recent judgment by the Federal Court that found that CSIS had unlawfully retained the metadata of a large number of law-abiding individuals who are not threats to national security because CSIS felt it needed to keep that information for analytical purposes.[98]

Several witnesses made similar comments and said that one way to reduce SCISA’s impact on privacy is to include adequate safeguards.[99]

Mr. Karanicolas of the CLD said that sharing information needs to be done “according to clear and carefully constructed rules to ensure that the system operates and that the system can’t be pushed in abusive directions.”[100] In his opinion, witnesses’ recommendations to amend SCISA to include safeguards are a means of striking a balance between national security and privacy.[101] Similarly, Ms. Austin argued that “the questions about overbreadth, safeguards, protections, and thresholds all become really important in striking that balance fairly.”[102] Ms. Vonn also argued that Canadians “want the pre-stage protections to make sure that you have justification and authorization, and then by all means give law enforcement the tools they need to do their job.”[103] Mr. Fraser remarked that “a whole lot of mischief could go on within the ambit of this statute. I think we need to make sure we’re putting appropriate fences around that information.”[104]

Lastly, Mr. Forcese noted as follows:

In the world of big data, the boundaries between collection and use are beginning to blur because of the amount of information that is currently in circulation and easily extractable from the public domain. In the absence of safeguards on how information is amalgamated by an agency and then what it can do with that information, I think that we run the risk that the net result is that the government knows more about people than it would otherwise know.[105]

5.2 Institutions Able to Disclose Information Under the Security of Canada Information Sharing Act and Recipient Institutions in Schedule 3

Subsection 5(1) of SCISA permits a hundred or so institutions[106] to disclose information to 17 recipient institutions listed in Schedule 3 to SCISA.

Some witnesses said that the list of institutions authorized to disclose information should be reduced.[107] However, Mr. Anil Kapoor, Barrister, argued that this list is not a problem if the disclosure threshold is changed to one of necessity.[108] He said that these institutions could possess useful information in the context of a national security investigation.[109]

Several witnesses noted that the list of recipient institutions in Schedule 3 to SCISA casts too wide a net and must be reduced.[110] According to Mr. Wesley Wark, a professor at the University of Ottawa, the institution list in Schedule 3 to SCISA should “include only core elements of the Canadian security and intelligence community,”[111] and as it stands, many of the entities on the list do not play a predominant role in national security matters.[112] Similarly, Mr. Kapoor said that the key players in national security are CSIS, the RCMP, the CSE, the Department of National Defence and the CBSA, and that these are the organizations that should be the main recipients.[113] He believes information should be directed to the main stakeholders. For example, he said that the Department of Transport’s national security remit could be seen as a “knock-on remit.”[114]

However, Mr. Blais, Chair of SIRC, explained his view of things by arguing that several of these institutions fulfill a national security role:

For example, the role of the Canada Border Services Agency is different from what it was 15 or 20 years ago. Currently, the agency directly addresses the possibility that some foreigners are entering Canada, while representing a terrorism threat. The same is true of organized crime, and the Department of Finance has a role to play in that area. The Department of Transport must deal with potentially dangerous situations that occur on board airplanes and trains or in stations.

That is why the government decided to put all these institutions in Schedule 3, even if the percentage of security information that they may provide is 2%, 10% or 80%. The government didn't want any department with security-related information to be left out.[115]

Mr. Evans of the CRCC also argued that national security is a broad field and that the number of recipient institutions in Schedule 3 to SCISA could even be higher.[116]

Mr. Elder of the CBA said that it is difficult to know whether there are too many recipient institutions in Schedule 3 to SCISA: “That’s because for a number of these listed institutions, it’s not obvious — to me, anyway — exactly what their responsibilities and authorities that relate to national security are. For some of them it’s a bit more obvious; for some of them it’s not obvious at all.”[117] That is why the “CBA recommends that Schedule 3 to SCISA be amended to list not only the names of potential recipient institutions and their designated heads, but also the specific sections of the statutes supervised or implemented by those institutions that may conceivably relate to national security concerns.”[118] As a result, “[g]reater specificity would assist both disclosing and receiving institutions, as well as any oversight body in assessing whether disclosure to another institution might be appropriate.”[119]

To this end, the Committee asked the institutions listed in Schedule 3 to SCISA to send it a letter explaining their respective role in national security. These letters are attached as Appendix A to this report.

In light of the evidence, the Committee recommends:

Recommendation 1

That the Government of Canada further study which recipient institutions should be listed in Schedule 3 to the Security of Canada Information Sharing Act to ensure that only institutions directly relevant to Canada’s national security framework are listed.

Recommendation 2

That the Government of Canada amend Schedule 3 to the Security of Canada Information Sharing Act to list not only the names of potential recipient institutions and their designated heads, but also the specific sections of the statutes administered or implemented by those institutions that may conceivably relate to national security concerns.

5.3 Definition of “Activity That Undermines the Security of Canada”

Under subsection 5(1) of SCISA, one of the criteria a Government of Canada institution must meet to disclose information is that this information must be in respect of activities that undermine the security of Canada, including in respect of their detection, identification, analysis, prevention, investigation or disruption. The scope of the information that can be disclosed depends therefore on the definition of “activity that undermines the security of Canada” set out in section 2 of SCISA. This definition reads as follows:

• activity that undermines the security of Canada means any activity, including any of the following activities, if it undermines the sovereignty, security or territorial integrity of Canada or the lives or the security of the people of Canada:
• (a) interference with the capability of the Government of Canada in relation to intelligence, defence, border operations, public safety, the administration of justice, diplomatic or consular relations, or the economic or financial stability of Canada;
• (b) changing or unduly influencing a government in Canada by force or unlawful means;
• (c) espionage, sabotage or covert foreign-influenced activities;
• (d) terrorism;
• (e) proliferation of nuclear, chemical, radiological or biological weapons;
• (f) interference with critical infrastructure;
• (g) interference with the global information infrastructure, as defined in section 273.61 of the National Defence Act;
• (h) an activity that causes serious harm to a person or their property because of that person’s association with Canada; and
• (i) an activity that takes place in Canada and undermines the security of another state.
• For greater certainty, it does not include advocacy, protest, dissent and artistic expression.

In general, many witnesses argued that the definition of “activity that undermines the security of Canada” is far too broad.[120] However, several representatives of federal institutions argued that this broad definition was justified.[121]

Ms. Pillay of the CCLA said that the definition of “activity that undermines the security of Canada” “can capture all sorts of unnecessary and disproportionate information on legitimate activities, thereby effectively relegating Canadians to being potential suspects.”[122] Mr. Mia argued that the definition of “activity that undermines the security of Canada” is vague, it includes a non-exhaustive list and other elements can be added to it.[123] He is concerned that the current definition “is going to put all sorts of innocent Canadians onto the national security radar when they should not be.”[124]

Mr. Forcese said that the definition of “activity that undermines the security of Canada” includes many terms that are not defined in SCISA and that this presents a danger that the Act will be inconsistently applied.[125]

Mr. Roach believes it is difficult for Canadians to have confidence in information sharing under SCISA because of the current definition of “activity that undermines the security of Canada”:

I would underline that for Canadians to have confidence in this information sharing, there need to be more limits in the legislation and also more transparency about the information sharing. … It’s very difficult to ask civil society and the public not to have concerns, and indeed suspicions, about information sharing when we have such a radical, broad definition of “activities that undermine the security of Canada”, including not only legitimate topics like terrorism but also, for example, an activity that takes place in Canada and undermines the security of another state.[126]

To demonstrate the scope of the definition of “activity that undermines the security of Canada,” several witnesses compared it with the narrower definition of “threats to the security of Canada” in the Canadian Security Intelligence Service Act[127] (CSIS Act).[128] Mr. Forcese noted that it is “difficult to overstate how broad this definition is, even as contrasted with the existing broad national security definitions such as ‘threats to the security of Canada’ in the CSIS Act.”[129]

This definition reads as follows:

• threats to the security of Canada means
• (a) espionage or sabotage that is against Canada or is detrimental to the interests of Canada or activities directed toward or in support of such espionage or sabotage;
• (b) foreign influenced activities within or relating to Canada that are detrimental to the interests of Canada and are clandestine or deceptive or involve a threat to any person;
• (c) activities within or relating to Canada directed toward or in support of the threat or use of acts of serious violence against persons or property for the purpose of achieving a political, religious or ideological objective within Canada or a foreign state, and
• (d) activities directed toward undermining by covert unlawful acts, or directed toward or intended ultimately to lead to the destruction or overthrow by violence of, the constitutionally established system of government in Canada.
• but does not include lawful advocacy, protest or dissent, unless carried on in conjunction with any of the activities referred to in paragraphs (a) to (d).[130]

Mr. Davies of the Department of Public Safety and Emergency Preparedness agreed that the definition of “activity that undermines the security of Canada” is broader than “threats to the security of Canada” in the CSIS Act.[131] However, he argued that “SCISA’s definition is broader to capture the role not only of CSIS but also of all departments and agencies with a national security jurisdiction or responsibility.”[132] Ms. Sheppard of the Department of Justice said that the definition of “activity that undermines the security of Canada” was designed that way because, as it was “intended to apply to all institutions and to cover all the mandates of the recipient institutions, and to be evergreen and evolve with threats, it is conceptual.”[133] She added that the definition of “threats to the security of Canada” in the CSIS Act, the Security of Information Act and the Criminal Code were sources of inspiration for the definition of “activity that undermines the security of Canada.” However, these acts weren’t cross-referenced because the department didn’t want to bind the new definition to “the interpretation of other statutes.”[134] Moreover, “with the Criminal Code, there was concern that people might have to prove mens rea [sic] before disclosing.”[135]

Nevertheless, according to several witnesses, it would have been better to adopt a narrower definition of “activity that undermines the security of Canada.”[136] However, Mr. Elder[137] and Mr. Fraser[138], both lawyers, said that the definition of “activity that undermines the security of Canada” did not pose a problem.

Mr. Forcese and Mr. Roach made a recommendation to

replace [the] overbroad definition of ‘activities that undermine the security of Canada’ with the more limited and established definition of ‘threats to the security of Canada’ from s.2 of the CSIS Act. This would avoid the radical expansion of security interests currently encompassed by the ‘undermining the security of Canada’ concept.[139]

Mr. Karanicolas[140] of the CLD, Ms. Vonn[141] of the BCCLA and Ms. Austin, Professor, University of Toronto[142] supported Mr. Forcese and Mr. Roach’s recommendation. Mr. Wark also commented in this regard, noting that the definition of “threats to the security of Canada” in the CSIS Act covers what is necessary to allow “the kind of information sharing that is necessary and appropriate to securing Canadians’ safety.”[143] However, Mr. Davies of the Department of Public Safety and Emergency Preparedness questioned whether “all the other 16 departments and agencies would see themselves within the CSIS Act.”[144]

Lastly, the definition of “activity that undermines the security of Canada” includes this passage: “For greater certainty, it does not include advocacy, protest, dissent and artistic expression.” Mr. Forcese explained that this “list was originally qualified by the word ‘lawful’, but under pressures from civil society groups, the last Parliament deleted the word ‘lawful’. […] By simply dropping the word ‘lawful’, however, the new act seems to preclude new information-sharing powers in relation to any sort of protest, advocacy, or dissent, no matter how violent.”[145] Ms. Pillay[146] of the CCLA and Mr. Mia[147] of the CMLA also expressed concerns about this. According to Mr. Forcese, the National Security Green Paper, 2016[148] “says that the exception does not include ‘violent actions.’”[149] He said that it is “a policy position, not something that is binding or in the least evident from the actual statute.”[150] When SCISA was passed, Mr. Forcese had proposed “that ‘lawful’ be dropped but then recommended the same compromise found in the definition of ‘terrorist activity’ in the Criminal Code. We recommended excluding both lawful and unlawful protest and advocacy, but only so long as it was not tied to violence.”[151] Mr. Forcese and Mr. Roach made the following recommendation: “Mirror the exemption to the information-sharing regime on s.83.01(b)(ii) (E) of the Criminal Code, thereby exempting ‘advocacy, protest, dissent, or stoppage of work that is not intended to result in the conduct or harm referred to in any of clauses A to C.’ (i.e., essentially that is not intended to endanger life, health or safety).”[152]

In light of the evidence, the Committee recommends:

Recommendation 3

That the Government of Canada repeal the definition of “activity that undermines the security of Canada” in section 2 of the Security of Canada Information Sharing Act and replace it with a narrower definition such as the definition of “threats to the security of Canada” in the Canadian Security Intelligence Service Act.

5.4 Established Thresholds for Sharing Information

A number of witnesses addressed the threshold stipulated in SCISA for sharing information. Pursuant to subsection 5(1) of SCISA, the information disclosed by a Government of Canada institution must be relevant to the recipient institution’s jurisdiction or responsibilities under an Act of Parliament or another lawful authority. The criterion for sharing information is therefore relevance.

During his appearance, Mr. Davies of the Department of Public Safety and Emergency Preparedness explained the relevance threshold:

As a threshold, “relevant” allows institutions to disclose information when it is linked to the mandate of the recipient institution. “Relevant” also integrates important aspects of responsible information sharing. In particular, to reasonably determine whether information is relevant, the institution must assess whether the information is accurate and reliable. Finally, “relevant” requires that the connection be real and present at the time of disclosure. Information cannot be disclosed on the basis that it is potentially relevant or will likely be relevant at some time in the future.[153]

However, many witnesses believe that relevance is too low a standard and that a more rigorous threshold is needed for sharing information.[154]

Commissioner Therrien described his concerns to the Committee:

Setting such a low standard is a key reason why the risks to law-abiding citizens are excessive. If the necessity or strictly necessary criteria is adequate for CSIS to collect, analyze and retain information, as has been the case since its inception, it's unclear to us why this standard can’t be adopted for all departments and agencies with a stake in national security. Necessity is the international privacy standard.[155]

In his submission, Commissioner Therrien added that “necessity and proportionality, which the OPC recommended in its review of SCISA should apply to all domestic information sharing.”[156]

CSE Commissioner Jean-Pierre Plouffe also said that he supported the necessity test proposed by Commissioner Therrien.[157] Similarly, Mr. Evans of the CRCC is in favour of imposing a necessity test on the recipient institution.[158]

Other witnesses raised concerns about how relevance would affect privacy. Mr. Elder of the CBA said that “mere relevance is a very low standard … and this could allow for unnecessary and overbroad sharing of information, undermining the privacy rights of Canadians.”[159] Mr. Israel, lawyer with CIPPIC, considered relevance to be too broad a standard, stating that it “is perhaps the lowest and least-defined legal evidentiary standard”[160] and could be used to “justify generalized information sharing.”[161] Mr. Roach commented that relevance “allows data mining.”[162]

A number of witnesses stressed that necessity and proportionality should be the standard:

• “The CBA recommends that section 5(1) of SCISA be amended to allow a government institution to disclose information to a designated recipient institution only where the information is both relevant to the recipient institution’s mandate respecting national security and ‘strictly necessary’ to fulfill that mandate.”[163] CBA
• “As noted, the justification found at subsection 5(1) is relevance, which is not, in my view, a tight enough criterion as it does not provide any rigorous guidance and does not allow for any real accountability. Relevance needs to be replaced by some form of language about necessity and should include a measure of proportionality that is linked to mandates and to threats.”[164] Mr. Wark, Professor
• “The ‘necessary’ test would impose some rigour that at least has the prospect of doing so more efficiently than a relevancy test would.”[165] Mr. Kapoor, Barrister
• “OpenMedia believes the principles of necessity and proportionality are workable mechanisms for sharing or receiving threat data, and there is no need for SCISA's expanded definitions of security in this context.”[166] Ms. Tribe, OpenMedia
• “As recommended by Privacy Commissioner, amend s.5 to require shared information be ‘necessary’ or ‘proportionate’ and not simply ‘relevant’ to the receiving institution’s security jurisdiction.”[167] Mr. Roach and Mr. Forcese, Professors
• “For the recipient organization, I think they should collect only the information that's necessary for their operations, the information that relates to their statutory obligations related to threats to the security of Canada. As an example, if there was a written request for particular information and the head of that institution, which is listed in schedule 3 of the act, certified that the information was necessary for their lawful activities, and each request was subject to scrutiny and oversight, it would be a very significant improvement on the act.”[168] Mr. Fraser, Lawyer
• “[I]nformation sharing is a critical component in countering terrorist activities, but such information sharing must be effective. This means that the information collected must be reliable and subject to constitutional requirements of necessity and proportionality and constitutional safeguards including caveats on use, retention, access, and dissemination. All of these, and legally enforceable provisions, are missing in the SCISA.”[169] Ms. Pillay, CCLA
• “CIPPIC would therefore encourage two amendments to correct the existing potential overbreadth in SCISA. First, we would replace the relevance standard within the act with one of proportionality and necessity. Second, we would encourage … an amendment to the Privacy Act that would adopt an overarching proportionality and necessity requirement that would apply across all government sharing practices, regardless of the specific Privacy Act exception under which they are occurring. This would, as we indicated in our previous testimony, apply to information sharing done under SCISA, as well. The addition of an explicit necessity and proportionality obligation would create a more precise framework for information sharing than that currently embodied in paragraph 8(2)(e) and paragraph 8(2)(m), employing the known standards of necessity and proportionality, which agencies have experience employing in a national security context.”[170] Mr. Israel, CIPPIC
• “The Privacy Commissioner has also recommended that rather than the current standard, which dictates that certain federal government institutions may share information among themselves so long as it is relevant to the identification of national security threats, a standard of being necessary should be put in place. We support this recommendation, and add the note that if we're talking about security, data minimization, whereby organizations seek to limit material stored to what is strictly necessary, is a cardinal principle of digital security.”[171] Mr. Karanicolas, CLD
• “There have been a number of suggestions that you can change the ‘relevance’ standard to one of necessity. I think that would be an improvement for sure, so in those terms I would support it.”[172] Ms. Austin, Professor

However, a number of federal institutions highlighted concerns about raising the communication threshold. As Mr. Davies of the Department of Public Safety and Emergency Preparedness stated, “If the threshold's too low, there are, obviously, negative privacy impacts. If it's too high, the benefits to national security and the viability of the act are threatened.”[173]

According to Mr. Davies, changing from relevance to a more restrictive threshold such as necessity could have an impact on institutions that do not have a national security mandate, as they would be required to know the exact mandate of the institution receiving the information.[174] Ms. Geddes of CSIS emphasized that the current threshold is appropriate. She explained that her organization sometimes deals “with partners who are not national security experts,”[175] such as Global Affairs Canada. This institution has consular officials all over the world who are sensitized to national security issues but are not national security experts. Raising the threshold “would create some challenges and would put an awful lot of pressure on a consular officer to determine whether such-and-such is relevant or not. I think that would be a very difficult position to put them in.”[176] Mr. Davies stated that “if you go up to the necessity standard, then there will more than likely be less information going to the national security agencies. … You would have to talk to the non-national security agencies that are probably most vulnerable to understanding what national security necessity is for those receiving it.”[177] Mr. Linder of IRCC stated as follows:

If it were a test of necessity, we would need to be convinced with a lot more information that were [sic] necessary, in fact, not simply relevant. And what would that mean in practice? I think that would mean that our national security agencies, the investigative bodies that were requesting information from us, would possibly have to give us a lot more national security information for us to make that determination and be satisfied that it was, in fact, necessary and not simply relevant.

Could we do that? Absolutely, but it's worth considering whether the benefit of having that higher standard is outweighed by having more sensitive national security information in circulation, in order for us to make that determination. More generally—and I think this is possibly the intent—it obviously would put a chilling effect on the amount of information we would disclose under SCISA. That would be a necessary outcome.[178]

Mr. Burt from the Department of National Defence stated that subjecting recipient institutions to a necessity test, in other words, allowing institutions to receive only information that was necessary to their mandate, would raise the bar: “It would be a more difficult bar to meet for sharing, but it would depend on how it was formulated.”[179]

In his submission to the Committee, Commissioner Therrien suggested an alternative that could address the concerns of federal institutions:

As an alternative to adopting a “necessity and proportionality” standard for information-sharing across the board, consideration could be given to adopting dual thresholds, one for the disclosing institutions, and another for the 17 recipient institutions. An important point raised by departmental officials during the current review of SCISA by the Standing Committee on Access to Information, Privacy and Ethics is that because front line staff in non-listed departments do not necessarily have the requisite expertise or experience to make real-time and nuanced decisions as to what is necessary and proportional for purposes of carrying out a national security mandate, the onus of the higher threshold would be shifted to the 17 recipient departments that do have the capacity to make such decisions in an informed manner. The Committee discussed the issue of a “dual threshold” and this would appear a reasonable solution under the following condition. In order to close the triage gap between these two different thresholds, the 17 recipient departments should be responsible for selectively receiving and retaining only information that meets the higher threshold of necessity and proportionality (subject to any further limits imposed by their enabling laws), and under a positive legal obligation to return or destroy information that does not.[180]

Other witnesses stated that another way to ease institutions’ fears would be to provide training on information-sharing thresholds.[181] Mr. Israel of CIPPIC also recommended “training units within different government agencies, potentially within the existing ATIP [Access to Information and Privacy] infrastructure that most government agencies have, to have expertise so that in-house capabilities can be developed to identify threat-related data.”[182]

In light of the evidence, the Committee recommends:

Recommendation 4

That the Government of Canada amend subsection 5(1) of the Security of Canada Information Sharing Act so that any sharing of information under the Act would have to meet the standard of necessity and proportionality.

5.5 The Legal Effects of the Security of Canada Information Sharing Act, and its Interaction with Other Judicial Authorities

During the hearings, a number of witnesses stated that the interaction between SCISA and other judicial authorities seemed to have some unanticipated consequences that could affect Canadians’ privacy. In fact, witnesses mentioned numerous effects of SCISA that should be addressed, including the primacy of SCISA over the Privacy Act, the impact of SCISA on the mandate of institutions listed in Schedule 3 to that Act and the requirement for federal institutions to have a warrant to obtain certain information.

To begin with, the witnesses stated that it was unclear whether or not the Privacy Act took precedence over SCISA, which means that the legal protections covering privacy would not apply to information sharing under SCISA. Furthermore, they explained that the broad scope of SCISA could expand the mandate of the Government of Canada institutions listed in Schedule 3 to the Act. Lastly, some witnesses were concerned that SCISA authorizes the sharing of information that would have previously required a warrant.

5.5.1 The Interaction Between the Security of Canada Information Sharing Act and the Privacy Act

As stated previously, various witnesses raised concerns about the possibility that SCISA could have primacy over the Privacy Act and the potential impact on Canadians’ privacy should that be the case.

Subsection 5(1) of SCISA uses the following language: “Subject to any provision of any other Act of Parliament, or of any regulation made under such an Act, that prohibits or restricts the disclosure of information.” It therefore appears that the new information-sharing powers are subordinated to other applicable federal laws or regulations. Mr. Forcese and Mr. Mia nevertheless claimed that the meaning of these terms is vague and a source of confusion.[183]

5.5.1.1 The Perspective of Some Witnesses

Several witnesses indicated that there is ambiguity with regard to the interaction between SCISA and the Privacy Act and that is it not clear which takes precedence.[184] According to Mr. Forcese and Mr. Roach, it appears that SCISA must respect the provisions of the Privacy Act:[185] “Section 5 of the new act says that it’s subject to other existing acts that constrain or control the disclosure of information, which would suggest the Privacy Act.”[186] According to some witnesses, however, the National Security Green Paper, 2016[187] appears to offer a different interpretation.[188] Mr. Forcese gave the following explanation: “They say that because the new Security of Canada Information Sharing Act authorizes disclosure, it satisfies a lawful authority exception to the Privacy Act, effectively trumping it.”[189] The Privacy Act authorizes a federal institution to disclose personal information about an individual without that person’s consent when it is “for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure.”[190] Mr. Forcese explained as follows:

The Privacy Act itself has an exception saying that where some other active statute authorizes disclosure, then the Privacy Act rules don’t apply, so you get into a bit of a circle. The new act says subject to other laws, the Privacy Act says subject to permission in new laws, so which prevails?[191]

The CBA outlined in its brief the consequences of this confusion:

The Privacy Act does not address when information ‘received’ or ‘shared’ by another government institution is considered necessary, or automatically subject to the requirements that apply to information that is ‘collected’. It is unclear that personal information shared under SCISA would continue to be covered by the remaining protections under the Privacy Act.[192]

The CBA therefore “recommends clarifying the interaction between the Privacy Act and SCISA.”[193] During his appearance, Mr. Elder commented that “[t]he Privacy Act would generally be presumed to govern, but the Privacy Act has explicit exceptions for situations in which another law is applicable.”[194] Mr. Karanicolas of the CLD indicated that “we believe this should be resolved by clarifying that the Privacy Act does indeed apply to the Security of Canada Information Sharing Act.”[195]

5.5.1.2 The Perspective of Federal Institutions

Mr. Davies of the Department of Public Safety and Emergency Preparedness explained the interpretation given to the expression “Subject to any provision of any other Act of Parliament, or of any regulation made under such an Act, that prohibits or restricts the disclosure of information” as it relates to the Privacy Act:

[I]f there is a legal restriction or prohibition on disclosing information, SCISA does not apply.

The Privacy Act includes a general restriction on disclosing personal information without the consent of the related individual. However, as noted in section 8 of the Privacy Act, it also includes a list of situations in which personal information can be disclosed despite this general restriction. For example, personal information may be disclosed for the purpose for which the information was collected. In addition, personal information may be disclosed in accordance with disclosure authorities in other acts of Parliament, such as SCISA.

When they receive information disclosed under SCISA’s authorities, as noted in section 4 of the Privacy Act, departments and agencies must still ensure that personal information “relates directly” to an operating program or activity before they collect it.[196]

5.5.1.3 The Committee’s Recommendations

In light of the evidence, the Committee recommends:

Recommendation 5

That the Government of Canada amend the Security of Canada Information Sharing Act:

a) to clarify that the Privacy Act takes precedence over the Security of Canada Information Sharing Act.

b) to stipulate that the Privacy Act continues to apply to all personal information disclosed pursuant to the Security of Canada Information Sharing Act.

5.5.2 Broadening the Mandate of Federal Institutions and Requiring a Warrant to Obtain Certain Information

5.5.2.1 Broadening the Mandate of Federal Institutions

Some witnesses indicated that SCISA could serve to broaden the mandate of the institutions listed in Schedule 3 to that Act.[197] Indeed, the standard of “relevance” to the recipient institution’s mandate as the threshold for sharing information could lead to an expansion of institutions’ mandates.

Mr. Roach and Mr. Forcese therefore make the following recommendation: “Amend s.5 to make crystal clear that receiving recipients must operate within their existing mandates and legal authorities.”[198]

Ms. Vonn of the BCCLA also mentioned “the seriousness of the disruption caused by SCISA’s blurring of the mandate of critically important federal institutions.”[199] For example, she said that “FINTRAC [Financial Transactions and Reports Analysis Centre of Canada] itself has long maintained that one of its primary safeguards for privacy is its independence from law enforcement,”[200] but that from now on because of “the almost unfettered access to information sharing authorized by SCISA, the independence of FINTRAC in this regard is essentially fictional.”[201] CSE Commissioner Jean-Pierre Plouffe,[202] as well as Mr. Evans[203] of the CRCC, said they were in favour of an amendment to SCISA to clarify that the Act does not change the mandate of federal institutions.

Several representatives of federal institutions nevertheless maintained that SCISA does not modify their mandate in any way, and that they always operate within their mandate.[204]

5.5.2.2 The Requirement for a Warrant to Obtain Certain Information

During his appearance, Commissioner Therrien made reference to the recent decision[205] of Justice Noël of the Federal Court, which mentioned that “since the adoption of Bill C-51, CSIS is now obtaining information from the Canada Revenue Agency that previously required a warrant.”[206] According to Mr. Therrien, “At this time, CSIS is obtaining the information without a warrant because the Security of Canada Information Sharing Act makes this activity possible. … Some cases used to require warrants, but they don’t anymore.”[207] It therefore appears that there are instances where information shared under SCISA could involve interests protected by the Canadian Charter of Rights and Freedoms, such as the expectation of privacy.[208] In its brief to the Committee, the International Civil Liberties Monitoring Group indicated that “it is not clear how SCISA affects the need for agencies to obtain warrants to access certain forms of information that would otherwise require judicial approval.”[209]

Mr. Wark explained the situation as follows:

[I]f an entity in SCISA possesses information under its own lawful mandate, and it has the grounds, which according to the act are as overly broad as these grounds might be, to share that information with another entity, then the receiving entity — in this case, perhaps, CSIS or the RCMP — would be receiving that information under the lawful authority of the original collector. From its perspective, as long as those receiving agencies had an appropriate mandate to receive that information, then they wouldn’t require a secondary warrant to acquire it.[210]

Mr. Israel of CIPPIC also proffered an explanation:

[I]f it received it through SCISA legitimately, then it now has legitimately received that information, and it doesn’t need to rely on its authority within the CSIS Act, which already has a necessity limitation built into it. I think it’s subject to interpretation either way, but SCISA could be seen as overturning that decision in a way that would allow CSIS to legitimately receive metadata, which it could not collect on its own footing, and to then retain it indefinitely.[211]

According to witnesses, it appears therefore that SCISA would enable federal institutions to obtain indirectly what they do not have a right to obtain directly. As such, Mr. Kapoor indicated that there should be an amendment “to preserve section 8 rights in the criminal prosecution realm, and there should be a requirement that a warrant be obtained.”[212]

Mr. Wark, on the other hand, does not believe that SCISA affects the collection powers of federal institutions.[213] Likewise, Ms. Sheppard from the Department of Justice pointed out that SCISA “does not affect collection. It only deals with disclosure. If, for example, you need a warrant to collect information, SCISA would not interfere with that. That would prevail in circumstances where it would be required.”[214] She added:

As long as the threshold in SCISA is met — as long as it’s relevant to the national security jurisdiction or responsibilities of the recipient institution — it can be disclosed, but it always operates subject to any other law that limits disclosure. For example, if there was something in the disclosing institution’s operating legislation that prevented that, SCISA does not override it. It only deals with disclosure, and the threshold has to be met for disclosure to occur. It’s up to the recipient. Whether it’s proactively disclosed or by request, they have to make sure that they are authorized to collect it.[215]

Mr. Forcese pointed out, however, that although from the government’s point of view, SCISA does not create new collection powers, everything depends on how collection is defined:

Sufficiently broad information sharing allows for the pooling of information within the hands of one agency. The information that would not legally have been able to accrue in one agency is now available to it. Technically that’s not collection in the sense that it’s not been extracted from outside of government from an individual, but rather it’s the amalgamation of information in a database in the hands of an agency.[216]

5.5.2.3 The Committee’s Recommendations

In light of the evidence, the Committee recommends:

Recommendation 6

That the Government of Canada amend section 5 of the Security of Canada Information Sharing Act to clearly stipulate that the recipient institution must respect its mandate and current legislative and collection powers.