Evaluating the Security of Canada Information Sharing Act

Canada’s federal Conservative Government introduced Bill C-51 (known as the Anti-terrorism Act, 2015) in Parliament on Friday, January 30. The Office of the Privacy Commissioner of Canada (OPC) immediately sounded a privacy alarm regarding the new information-sharing provisions in the proposed legislation. In particular, Canada’s new Privacy Commissioner Daniel Therrien warned that the new legislation “would seemingly allow departments and agencies to share the personal information of all individuals, including ordinary Canadians who may not be suspected of terrorist activities, for the purpose of detecting and identifying new security threats.”

Background

The legislative and political context leading up to Bill C-51 was discussed in a previous post “Will 2015 Bring State Surveillance Modernization to Canada?” In short, Bill C-51 is an election-year piece of legislation that has been specifically written in response to perceived increased threats to Canada’s security in the wake of an attack on Canada’s Parliament and soldiers in Canada in October 2014.

The proposed legislation is a multi-part bill. It contains several major reforms regarding how governmental institutions and law enforcement agencies may share information and respond to terrorist threats and propaganda. In addition to facilitating the sharing of information that could be relevant to an investigation into activities that undermine the security of Canada, the bill contains provisions that would permit the removal of terrorist propaganda from websites, expand criminal offences to include advocating or promoting the commission of terrorism offences in general, expand the powers of the Canadian Security Intelligence Service (CSIS) and overhaul Canada’s “no-fly list” program, among other things.

With so much packed into a single piece of legislation, we will review the various proposals over several Privacy Tracker posts. This first post will be devoted to the Security of Canada Information Sharing Act, which is contained in Part 1 of Bill C-51 and which provided the comments of Commissioner Therrien.

The Case for the Security of Information Protection Act

In making the case for the measures introduced in Bill C-51, Prime Minister Stephen Harper emphasized in his speech announcing Bill C-51, that there was no greater responsibility of any Canadian government than to keep Canadians safe and to keep Canada secure. Harper specifically referred to the need to protect Canada from “jihadi terrorism,” which he characterized as a danger to Canadians at home and abroad and that it would be a “grave mistake” to ignore the threats of “jihadi terrorism.”

To combat terrorist threats, the government believes that greater information sharing and coordination is required in order to keep up with rapidly changing tactics of terrorists. Thus, the explicit purpose of the Security of Canada Information Sharing Act is “to encourage and facilitate the sharing of information among Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada” (s. 3). The heart of the act is s. 5, which permits a governmental institution to share information on its own initiative or upon request with certain designated government institutions that are responsible for aspects of the investigation of, prevention of and response to national security threats.

The Government of Canada states that the act is necessary because “some institutions lack a clear authority to share national security-relevant information and, in some cases, legal barriers prevent or delay the sharing of key information.” In making the claim that the act is proportional to the threat, the Government of Canada takes the position that the act contains sufficient safeguards for Canadians. In particular, those safeguards include:

• The recipients of information under the act are limited and designated by the legislation;
• The information that is to be shared must be relevant to the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada;
• The Privacy Act and other legislative restrictions on the collection, use and disclosure of information (except where amended by the act) will continue to apply, and
• Oversight by the OPC, the Auditor General of Canada, the Security Intelligence Review Committee, the Office of the Communications Security Establishment Commissioner, and the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police.

Warning Bells

The need for coordination and information sharing in response to terrorist threats cannot be seriously doubted. Rightly or wrongly, the Canadian government and a material segment of Canada’s population believe the Canada is at war against the proliferation of terrorist activities, including “lone wolf” operators and terrorist propaganda. In theory, ensuring better, more accurate and timelier information is gathered and coordinated could be liberty-enhancing, not only by preventing terrorism but by excluding innocent Canadians from investigation and detention. Critics note, however, that the claimed benefits of the proposed information sharing rests on speculation.

In that context it is difficult to evaluate whether the information sharing permitted by the Act, and the resulting loss of privacy, will be proportional to the benefits of the act. However, one emerging criticism is that the test for sharing may be so low as to tip the balance towards unrestrained sharing that will encourage over-collection of information about Canadians. The spectre is being raised of governmental institutions becoming instrumentalities of generalized surveillance by national security organizations in Canada unless there is powerful oversight.

Indeed, Commissioner Therrien reacted with a statement raising the potential for over-broad sharing under the act:

“At this early stage, I can say that I am concerned with the breadth of the new authorities to be conferred by the proposed new Security of Canada Information Sharing Act. This Act would seemingly allow departments and agencies to share the personal information of all individuals, including ordinary Canadians who may not be suspected of terrorist activities, for the purpose of detecting and identifying new security threats. It is not clear that this would be a proportional measure that respects the privacy rights of Canadians. In the public discussion on Bill C-51, it will be important to be clear about whose information would be shared with national security agencies, for which specific purpose and under what conditions, including any applicable safeguards.”

Furthermore, there has been broad criticism that these new information-sharing powers have not been matched with coordinated oversight. The lack of effective oversight has been a long-running criticism of the OPC. During the tenure Chantal Bernier, interim privacy commissioner of Canada prior to the appointment of Commissioner Therrien, the OPC issued a special report to Parliament entitled “Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber-Surveillance.” The report identified the need for concrete action to permit coordinated reviews by oversight authorities with respect to information sharing. [Full disclosure: My colleague Chantal Bernier led the OPC when the report was tabled in Parliament.]

In his statement on Bill C-51, Commissioner Therrien amplified these concerns, stating:

“I am also concerned that the proposed changes to information sharing authorities are not accompanied by measures to fill gaps in the national security oversight regime. Three national security agencies in Canada are subject to dedicated independent oversight of all of their activities. However, most of the organizations that would receive and use more personal information under the legislation introduced today are not. Gaps in the oversight regime were identified long ago, notably by Justice O’Connor in the report he made at the conclusion of the Arar Inquiry. Extending the jurisdiction of oversight bodies would be an important step towards the greater transparency that Canadians expect.”

Modernization or Free-For-All?

The main protection in the act for Canadians is that the information that would be shared under the act would be shared only with specific government institutions that have responsibility for aspects of Canada’s national security (s. 5(1)), and only if it is relevant to the responsibilities of those government institutions.

Schedule 3 lists the potential recipient institutions as including the Canadian Armed forces, the Canadian Security Intelligence Service, the Royal Canadian Mounted Police, the Communications Security Establishment, the Canadian Border Services Agency and the Department of Foreign Affairs. The list also includes organizations with significant sectoral national security roles, such as the Canadian Food Inspection Agency, the Canadian Nuclear Safety Commission, the Financial Transactions and Reports Analysis Centre of Canada and the Public Health Agency of Canada. However, the list includes departments with more general responsibilities too, such as the Department of Finance, the Department of Health and the Department of Transport.

The fact that information may only be shared with specific institutions provides little comfort to critics. An institution who receives the information may to the extent otherwise permitted by the law use and further share the information to any person for any purpose (s. 6).

Furthermore, there are no practical restraints on the types of information that may be shared with these specific institutions. The sole criterion is “relevance” to the recipient institution’s jurisdiction. In particular, the information must be relevant to the recipient institution’s jurisdiction or responsibilities under an Act of Parliament or another lawful authority for the detection, identification, analysis, prevention, investigation or disruption of activities that undermines the “sovereignty, security or territorial integrity of Canada or the lives or the security of the people of Canada.”

The government has been careful to state that lawful advocacy, protest, dissent and artistic expression are not activities that undermine the security of Canada (s. 2). However, the types of activities that could fall within the definition are quite broad. The act sets out ten examples of activities that undermine the security of Canada (s. 2):

• Interference with the capability of government administration in relation to the machinery of government intelligence, defense, border operations, public safety, the administration of justice or diplomatic or consular relations;
• Interference with the capability of government administration in relation to economic or financial stability of Canada;
• Changing or unduly influencing a federal, provincial or municipal government in Canada by force or unlawful means;
• Espionage, sabotage or covert foreign-influenced activities;
• Terrorism;
• Proliferation of nuclear, chemical, radiological or biological weapons;
• Interference with critical infrastructure;
• Interference with the global information communications infrastructure (Internet, satellites, telecommunications, etc.);
• Activities that cause serious harm to a person or their property because of that person’s association with Canada, and
• An activity that takes place in Canada and undermines the security of another state.

On its face, it does not appear that the information has to relate specifically to one of these types of threats. Rather, the information simply needs to be relevant to the jurisdiction of the recipient institution to investigate or prevent these types of threats. The act is silent regarding who gets to decide what is relevant. Furthermore, once shared, the information may be used for any purpose and any disclosure of the information can be made subject only to other legal restrictions (s. 6). Accountability will be difficult, since the act contains an immunity provision. Provided a person acts in good faith, there is no civil recourse for the sharing or over-sharing of information (s. 9).

The bill does contain “principles” that are supposed to guide the information sharing (s. 4). Oddly, this section of the act might come into force at a different date (potentially later than the information-sharing provision of the act). This is curious and disturbing since the principles contain accountability safeguards. There is the possibility, therefore, that the government could declare the sharing provisions to come into force without these safeguards. The safeguards include:

• There should be respect for caveats on and originator control over shared information.
• If institutions share information regularly, there should be formalized information-sharing arrangements.
• Effective and responsible information sharing should include feedback as to how the shared information was used and whether it was useful.
• Only those within an institution who need the information in respect of the institution’s jurisdiction or responsibilities in respect activities that undermine the security of Canada should receive information disclosed under the act.

Lost Opportunity to Modernize Oversight

The Security of Canada Information Sharing Act is a lost opportunity to modernize the oversight of Canada’s surveillance program through coordinated oversight. Although the Government of Canada points to the continued application of the Privacy Act and the oversight of the privacy commissioner as well as certain oversight authorities for CSIS, the Communications Security Establishment and the RCMP, it is difficult for critics to accept that these will be sufficient. Even prior to this expanded proposal for inter-agency information sharing, the OPC raised concerns with accountability in the Canadian intelligence community. The OPC made numerous recommendations, including:

Improving Transparency. The OPC recommended augmenting existing review and reporting mechanisms through:

• Reporting statistics annually on instances in which the Communications Security Establishment Canada (CSEC) assists other Canadian federal agencies when it receives requests for interception, as well as tabling annual reports by CSEC to Parliament.

• Extending existing reporting requirements on use of surveillance in Public Safety Canada’s annual reports, separating domestic and foreign mandates, and those activities that are authorized by warrant and those that are warrantless.

• Updating public disclosure providing an overview of Canada’s intelligence community and engage in a dialogue regarding mandates and how Canada’s intelligence community cooperates with global partners.

• Reporting on consideration, rejection or implementation of recommendations from previous commissions of inquiry and policy reviews of Canada’s Intelligence Community.

Modernizing Privacy Laws. The OPC recommended modernizing Canada’s privacy protections by:

• Reforming existing privacy legislation to require privacy impact assessments prior to implementing new programs.

• Strengthening provisions relating to exchange of information with foreign authorities to ensure that there is an investigative foundation for information and to ensure clear rules for cooperation.

• Expanding grounds for recourse to the Federal Court.

• Permitting the OPC to cooperate with other oversight bodies governing Canadian intelligence agencies.

• Regulating use of and access to online sources and social networking sites by government agencies.

Strengthening Accountability Mechanisms. The OPC recommended strengthening accountability by:

• Bolstering the powers of oversight bodies, particularly with respect to joint reviews.

• Clarifying legislative authority for certain intelligence gathering activities.

• Increasing the role of Parliament in oversight.

It appears that none of these recommendations have been incorporated into the proposed act.