More privacy safeguards in Five Eye’s data sharing sought
The federal privacy commissioner is seeking better oversights and safeguards in the sharing of intelligence data with Canada’s allies in order to better protect the privacy rights of law-abiding Canadians.
In a report that laid bare many of the failings of the government’s ability to ensure the safety of individuals’ private information, Privacy Commissioner David Therrien also warned of the dangers posed by Bill C-51 and the Security of Canada Information Sharing Act (SCISA).
Bill C-51, brought in by the former Conservative government, which introduced sweeping data gathering powers for intelligence and law enforcement agencies.
The Liberal government created a parliamentary to committee to look into the legislation and has promised to repeal elements of C-51 that pose risks to privacy.
Bill C-51 received Royal Assent in June 2015 as the Anti-Terrorism Act, 2015, and came into force in August 2015. It introduced the SCISA which the office of the ombudsman expressed serious concerns in submissions to a number of Parliamentary committees studying the Bill, including the Senate Committee on National Defence and Security.
“While the question of oversight has, in part, been addressed, our concerns regarding thresholds remain,” according to the 2015-2016 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act, presented by the Office of the Privacy Commissioner.
The commissioner also outlined the dangers of data sharing among our allies.
The danger of information sharing was illustrated in the 2014-15 Annual Report of the Office of the CSE Commissioner (the CSE’s oversight authority), which reported that information revealing details about the communication activities of Canadians was, due to a filtering technique that became defective, not being properly minimized (for example, removed, altered, masked or otherwise rendered unidentifiable) before being shared with “Five Eyes” partners—the signals intelligence agencies of Australia, New Zealand, the United Kingdom and the United States.
SCISA’s current standard dictates that certain federal government institutions may share information amongst themselves so long as it is “relevant” to the identification of national security threats.
“In our view, that threshold is inadequate and could expose the personal information of law-abiding Canadians,” the report said. “A more reasonable threshold would be to allow sharing where necessary.”
The Office of the Privacy Commissioner identified several key concerns which SCISA. Among them were:
- The act is broadly worded and leaves much discretion to federal entities to interpret and define “activities that undermine the security of Canada”, potentially resulting in an inconsistent approach in its application.
- The scale of information sharing that could occur under this act is unprecedented. The potential for sharing on a much larger scale combined with advances in technology allow for personal information to be analyzed algorithmically to spot trends, predict behaviour and potentially profile ordinary Canadians with a view to identifying security threats among them. “Our intent in future reviews will be to examine whether law abiding citizens are indeed subject to these broad sharing powers, and if so, under what circumstances,” the report said.
- Fourteen of the 17 entities authorized to receive information for national security purposes under the SCISA are not subject to dedicated independent review or oversight.
- There are legal authorities that existed before the SCISA that permit the collection and disclosure of information for national security purposes. Some of these authorities are also very broad, including the common law powers vested in the police and others and the crown prerogative of defence.
The Office of the Privacy Commissioner said it realizes that in the face of today’s threats, Canadians value but they also deeply care about their privacy. Finding the right balance is” absolutely critical.”
“In pursuit of a better balance, we have recommended, for example, changing SCISA’s information sharing threshold from ‘relevance’ to ‘necessity,’ that private and public sector institutions follow through on transparency reporting; and amending the National Defence Act to add legal safeguards for protecting personal information collected and used by the CSE,” the report said.
Privacy watchdog calls for higher standards in protecting citizens from surveillance
“We are left with 20th-century tools to deal with 21st-century problems,” Therrien said. “And in the meantime, 90 percent of Canadians feel they are losing control of their personal information and expect to be better protected.”
Therrien derided the failure of federal agencies and departments to conduct assessments on privacy impact. The commissioner’s report recommended that legislation is put in place requiring government departments and agencies to conduct Privacy Impact Assessment (PIA) prior to implementation of programs.
For example, he said, in the 2013 case of the Canada Border Service Agency (CBSA) High Integrity Personnel Security Screening Standard, the commissioner’s office was not consulted prior to implementation and a PIA was received upon the program’s implementation.
“As a result, the new and more invasive screening measures began without our input and a related complaint under the Privacy Act followed,” Therrien said. “A legislative requirement to complete a PIA prior to implementation could have resulted in privacy risks being highlighted and mitigated early on.”