The Disastrous Privacy Consequences of Bill C-51
The Conservative’s new anti-terrorism bill would lead to a massive expansion in sharing personal information across the government. By Michael Geist.
The House of Commons debate over Bill C-51, the anti-terrorism bill, began yesterday with strong opposition from the NDP, disappointing support from the Liberals, and an effort to politicize seemingly any criticism or analysis from the Conservative government. With the government already serving notice that it will limit debate, the hopes for a non-partisan, in-depth analysis of the anti-terrorism legislation may have already been dashed. This is an incredibly troubling development since the proposed legislation has all the hallmarks of being pulled together quickly with limited analysis. Yet both the Conservatives and Liberals seem content to stick to breezy talking points rather than genuinely work toward a bill that provides Canadians with better safeguards against security threats while also preserving privacy and instituting effective oversight.
The only detailed review to date has come from Professors Kent Roach and Craig Forcese. Their ongoing work – three lengthy background papers so far (Advocating or Promoting Terrorism, new CSIS powers, expanded information sharing) – provides by far the most exhaustive analysis of the bill and is a must-read for anyone concerned with the issue. Indeed, once you have read their work, it becomes readily apparent that all should be concerned with this legislation. Much of the focus to date has been on the lack of oversight and the expansive new powers granted to CSIS. However, the privacy implications of Bill C-51′s information sharing provisions also cry out for study and reform.
At first glance, expanding information sharing within government seems like a good idea since the consequences of failing to head-off a terrorist attack because one government institution was unaware of what another knew could be devastating. Given the lack of Liberal study (it is simply not possible that the party fully assessed the legislation before pledging its support), it perhaps unsurprising that leader Justin Trudeau identifies expanded information sharing as one of the positive aspects of the bill.
However, Bill C-51′s Security of Canada Information Sharing Act, a bill within the bill, goes far further than sharing information related to terrorist activity. As Roach and Forcese persuasively argue, the bill effectively creates a “total information awareness” approach that represents a radical shift away from our traditional understanding of public sector privacy protection.
Daniel Therrien, the Privacy Commissioner of Canada appointed by this government less than a year ago, was the first to focus on the privacy implications of Bill C-51. Within hours of release of the bill, Therrien warned:
At this early stage, I can say that I am concerned with the breadth of the new authorities to be conferred by the proposed new Security of Canada Information Sharing Act. This Act would seemingly allow departments and agencies to share the personal information of all individuals, including ordinary Canadians who may not be suspected of terrorist activities, for the purpose of detecting and identifying new security threats. It is not clear that this would be a proportional measure that respects the privacy rights of Canadians. In the public discussion on Bill C-51, it will be important to be clear about whose information would be shared with national security agencies, for which specific purpose and under what conditions, including any applicable safeguards.
Roach and Forcese dig further into this issue, concluding that the information sharing provisions are excessive and unbalanced. There is much to digest, but the privacy concerns largely come down to three linked issues:
- First, the bill permits information sharing across government for an incredibly wide range of purposes, most of which have nothing to do with terrorism (“It is, quite simply, the broadest concept of security that we have ever seen codified into law in Canada.”).
- Second, the scope of sharing is remarkably broad: 17 government institutions with the prospect of cabinet expansion as well as further disclosure “to any person, for any purpose.”
- Third, the oversight over public sector privacy has long been viewed as inadequate. In fact, calls for Privacy Act reform date back over three decades. The notion that the law is equipped to deal with this massive expansion in sharing personal information is simply not credible.
A more detailed look at each issue follows below. The cumulative effect is to grant government near-total power to share information for purposes that extend far beyond terrorism with few safeguards or privacy protections.
1. Information sharing purposes
The bill opens the door to information sharing due to “activity that undermines the security of Canada.” Rather than using the CSIS Act definition, however, it creates a new expansive definition that covers:
any activity, including any of the following activities, if it undermines the sovereignty, security or territorial integrity of Canada or the lives or the security of the people of Canada:
(a) interference with the capability of the Government of Canada in relation to intelligence, defence, border operations, public safety, the administration of justice, diplomatic or consular relations, or the economic or financial stability of Canada;
(b) changing or unduly influencing a government in Canada by force or unlawful means;
(c) espionage, sabotage or covert foreign-influenced activities;
(e) proliferation of nuclear, chemical, radiological or biological weapons;
(f) interference with critical infrastructure;
(g) interference with the global information infrastructure, as defined in section 273.61 of the National Defence Act; [that provision reads: “‘global information infrastructure’ includes electromagnetic emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those emissions, systems or networks.”]
(h) an activity that causes serious harm to a person or their property because of that person’s association with Canada; and
(i) an activity that takes place in Canada and undermines the security of another state. For greater certainty, it does not include lawful advocacy, protest, dissent and artistic expression.
Terrorism is included within the definition, but several of these provisions would seemingly allow for information sharing for almost any investigative purpose, particularly “public safety” and the “economic or financial stability of Canada” (think of the government’s recent reaction to the proposed CP strike, which was said to have major implications for the protection of the Canadian economy).
2. Scope of Sharing
The government not only opens the door to sharing information for a myriad of non-terrorism purposes, but it also permits access for a broad array of government institutions and departments. The bill currently identifies the following 17 institutions and departments:
- Canadian Border Services Agency
- Canada Revenue Agency
- Canadian Armed Forces
- Canadian Food Inspection Agency
- Canadian Nuclear Safety Commission
- Citizen and Immigration
- Foreign Affairs, Trade, and Development
- National Defence
- Public Safety
- Public Health Agency
That list can grow, however, with cabinet empowered to add institutions and departments by regulation. Moreover, the inclusion of CSE, which has been the focal point of the Internet surveillance debate due to the Snowden revelations, suggests that CSE information could be readily shared across government departments despite repeated claims that its work does not target Canadians.
In addition to this form of information sharing, the bill also permits additional use and disclosure of information “in accordance with the law…to any person, for any purpose.” Section 6 states:
For greater certainty, nothing in this Act prevents a head, or their delegate, who receives information under subsection 5(1) from, in accordance with the law, using that information, or further disclosing it to any person, for any purpose.
Roach and Forcese note that “in accordance with the law” is unclear, leaving the prospect of literally permitting disclosure to anyone for any reason.
3. Woeful Oversight
Since the enactment of the Privacy Act in 1983, every federal privacy commissioner has urged the government of the day to strengthen it. Those calls have grown louder over the past decade as PIPEDA places tougher obligations on the private sector than the government places on itself. The law as it currently stands has weak annual reporting requirements from government agencies, does not provide much protection to Canadians from abusive treatment by foreign states, does not give the Privacy Commissioner order-making power, does not provide redress in cases involving harm, does not prevent over-collection of personal information, does not protect against surveillance where the data is not recorded, and does not feature security breach disclosure requirements. The expansion on information sharing without addressing the oversight and safeguards of the Privacy Act should simply be a non-starter.
This post was originally published here.