Don't repeat past mistakes, Privacy Commissioner warns as government reviews national security framework
December 6, 2016
Commissioner Therrien and his provincial and territorial counterparts are stressing the need to address privacy risks related to information sharing and collection of metadata; raising concerns about government proposals on police access to basic subscriber data and encrypted communications
The government's initiative to modernize Canada's national security framework should draw from lessons of the post-9-11 world, including commissions of inquiry and Edward Snowden's revelations of mass surveillance, says the federal Privacy Commissioner.
The importance of strengthening privacy protections is highlighted in a formal submission to the government's public consultation on Canada's national security framework signed by Commissioner Daniel Therrien and all provincial and territorial privacy commissioners and ombudspersons. Commissioner Therrien was joined by Jean Chartier, President of the Commission d'accès à l'information du Québec, and Brian Beamish, Ontario Information and Privacy Commissioner, at a press conference to unveil and discuss the submission Tuesday.
"Everyone can agree that the police and national security agencies need adequate tools to protect us, and that these tools need to be adapted to the digital world," says Commissioner Therrien.
"But state powers have already been significantly expanded, particularly with Bills C-51 and C-13. At the same time, we have seen too many cases of inappropriate and sometimes illegal conduct by state officials that have impacted on the rights of ordinary citizens not suspected of criminal or terrorist activities. In my view, those serious incidents were caused by deficient legal standards that failed to set appropriate limits on government actions," he says.
"These key lessons from history remind us that clear safeguards are needed to protect rights and prevent abuse, that national security agencies must be subject to effective review, and that any new state powers must be justified on the basis of evidence. Government should only propose and Parliament should only approve new state powers if they are demonstrated to be necessary and proportionate – not merely convenient."
The importance of considering the impact of surveillance measures on rights is emphasized throughout the submission, which addresses issues such as collection and use of metadata by national security agencies and law enforcement; encryption; information sharing by government; and oversight.
"In my view, this is not the time to further expand state powers and reduce individual rights. Rather, it is time to enhance both legal standards and oversight to ensure that we do not repeat past mistakes and that we ultimately achieve real balance between security and respect for basic individual rights," says Commissioner Therrien.
While agreeing generally that law enforcement and national security investigators must be able to work as effectively in the digital world as they do in the physical, the Commissioner disputes the notion that legal thresholds and safeguards must be reduced. To the contrary, safeguards which have long been part of our legal traditions must be maintained. They should, however, be adapted to the realities of modern communication tools, which hold and transmit extremely sensitive personal information.
"First and foremost, it is important to maintain the role of judges in the authorization of warrants for the collection of metadata by law enforcement. Maintaining a judicial role is critical because judges have the necessary independence to ensure the protection of human rights."
Bill C-13, the Protecting Canadians from Online Crime Act, already lowered the legal thresholds required to access metadata. Under that legislation, a production order for certain types of metadata can be obtained from a judge on only "reasonable grounds to suspect." Yet law enforcement officials would like existing standards to be further reduced. Do police officers really need access to metadata on less than a reasonable suspicion?
"It is unclear to us why these low thresholds do not give law enforcement adequate tools to do their job," Commissioner Therrien says. "Recent cases of metadata collection show that existing standards for accessing metadata should actually be tightened and privacy protections should be enhanced."
The government's consultation discussion paper also considers issues related to metadata in the context of national security, but fails to reflect the fact that metadata – far from being benign – can reveal much more about people than the actual content of their communications.
"While the government maintains that metadata is essential for identifying threats, recent cases demonstrate that CSE and CSIS activities related to metadata can affect the privacy of a large number of Canadians who are not threats to national security. These activities should be governed by stronger legal safeguards," says the Commissioner.
The government's paper stresses how encryption can be a significant obstacle to lawful investigations and the enforcement of judicial orders.
However, the paper gives little weight to the fact that encryption is an essential tool for the protection of personal information and security of electronic devices such as smart phones, according to the Commissioner. He says there's no obvious way to give systemic access to government without simultaneously creating an important risk for the population at large and urges Parliament to proceed cautiously before attempting to legislate solutions in this complex area.
The Commissioner notes that the government is not without rules to assist law enforcement agencies in addressing encryption issues. For instance, Bill C-13 introduced a provision that empowers a judge to attach an assistance order to any search warrant or other form of electronic surveillance. These orders compel any named person, including a suspect, to help "give effect" to the authorization, and these have been used in investigations to defeat security features or compel decryption keys.
"Given the experience and factors noted, we believe it preferable to explore the realm of technical solutions that might support discrete, lawfully authorized access to specific encrypted devices, as opposed to imposing new legislative requirements."
The submission notes that Bill C-51 put the privacy of ordinary Canadians at risk with the dramatic expansion of the scale and scope of government information sharing – a problem exacerbated by seriously deficient privacy protections.
Commissioner Therrien is calling on the government to reconsider changes under Bill C-51 that allow for the sharing of personal information deemed merely "relevant" to the detection of new security threats.
"Setting such a low standard is a key reason the risks to law-abiding citizens are excessive," he says. "If 'strictly necessary' is adequate for CSIS to collect, analyze and retain information, it is unclear to us why this cannot be adopted for all departments and agencies involved in national security."
The submission points out that the government has not clearly justified its need for the new information sharing provisions. It calls for clear limits on how long information may be retained; requirements for written information agreements; and a legal obligation to conduct Privacy Impact Assessments to assess and mitigate risks to privacy in all national security programs.
The submission also notes that the information sharing provisions stemming from Bill C-51 are not the only mechanism by which information-sharing for national security purposes takes place. Safeguards such as necessity and proportionality should apply to all domestic information sharing.
Commissioner Therrien says it's also important that Parliament, following the lessons of the Arar inquiry, take steps to reduce the risk that information sharing with international partners will lead to serious human rights abuses and violations of Canada's international obligations.
Commissioner Therrien welcomes the government's plan to create a new National Security and Intelligence Committee of Parliamentarians as a good first step towards democratic accountability. However, he maintains that a review by experts with in-depth knowledge of both the operations of national security agencies and relevant laws is also necessary to ensure rights are effectively protected.
He notes that many departments and agencies with national security obligations, including the Canada Border Services Agency and the Privy Council Office, are not currently subject to dedicated, expert review.
About the Office of the Privacy Commissioner of Canada
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private sector privacy law.
Office of the Privacy Commissioner of Canada