Privacy by Sebastien Wiertz (CC BY 2.0) https://www.flickr.com/photos/wiertz/6092000030/sizes/l/
The government yesterday introduced Bill C-44, the Protection of Canada from Terrorists Act. While some were expecting significant new surveillance, decreased warrant thresholds, and detention measures, this bill is a response to several court decisions, not to the attacks last week in Ottawa and Quebec. A second bill – which might use the U.K. legislative response to terror attacks as a model – is a future possibility, but policy decisions, cabinet approval, legal drafting, and constitutional reviews take time.
Bill C-44, which was to have been tabled on the day of the Ottawa attack, responds to two key issues involving CSIS, Canada’s domestic intelligence agency. The first involves a federal court case from late last year in which Justice Richard Mosley, a federal court judge, issued a stinging rebuke to Canada’s intelligence agencies (CSEC and CSIS) and the Justice Department, ruling that they misled the court when they applied for warrants to permit the interception of electronic communications. Mosley’s concern stemmed from warrants involving two individuals that were issued in 2009 permitting the interception of communications both in Canada and abroad using Canadian equipment. At the time, the Canadian intelligence agencies did not disclose that they might ask their foreign counterparts (namely the “five eyes” partners in the U.S., U.K., Australia, and New Zealand) to intercept the foreign communications.
Two shocking terror attacks on Canadian soil, one striking at the very heart of the Canadian parliament buildings and both leaving behind dead soldiers. Office buildings, shopping centres, and classrooms placed under lockdown for hours with many confronting violence first hand that is rarely associated with Canada.
Last week’s terror events will leave many searching for answers and seeking assurances from political and security leaders that they will take steps to prevent it from happening again. There will be an obvious temptation to look to the law to “fix” the issue, and if the past is a guide, stronger anti-terror legislation and warnings that Canadians may need to surrender more of their privacy and civil liberties in the name of greater security will soon follow.
My weekly technology law column (Toronto Star version, homepage version) notes that if there are legal solutions that would help foster better security, they should unquestionably be considered. Yet Canada should proceed with caution and recognize that past experience suggests that the unintended consequences that may arise from poorly analyzed legislation may do more harm than good.
The Expansion of Personal Information Disclosure Without Consent: Unpacking the Government’s Weak Response to Digital Privacy Act Concerns
Bill S-4, the government’s Digital Privacy Act, was sent for review to the Industry Committee yesterday. The committee review, which comes before second reading, represents what is likely to be the last opportunity to fix a bill that was supposed to be a good news story for the government but has caused serious concern within the Canadian privacy community. While there are several concerns (I raised them in my appearance before the Senate committee that first studied the bill), the chief one involves the potential expansion of voluntary disclosure of personal information without consent or court oversight. Bill S-4 proposes that:
“an organization may disclose personal information without the knowledge or consent of the individual… if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
Translate the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).
The government is clearly aware that this is a major concern as it attempted to answer the critics during debate over Bill S-4 in the House of Commons yesterday. Unfortunately, the responses were incredibly weak. I’ve identified at least six responses from government sources below.
While it was overshadowed by the headlines over potential copyright reform, Peter Van Loan, the government’s House leader, disclosed last week that the government is planning to send Bill S-4, the Digital Privacy Act, to the Industry Committee for review prior to second reading. The bill, which has proven controversial due to a provision that expands the possibility of voluntary disclosure of subscriber information and relatively weak security breach disclosure rules, will be open to more significant reforms that previously thought possible (my remarks before the Senate committee can be found here). Under Parliamentary rules, referring a bill before second reading allows the committee to alter the scope of the bill.
In the aftermath of the Supreme Court of Canada’s Spencer decision, I argued that the decision upholding the reasonable expectation of privacy in subscriber information contradicted the government’s claims supporting Bills C-13 and S-4, leaving the government’s lawful access strategy in tatters. I noted that it faced a choice:
The Canadian government could adopt the “bury our heads in the sand approach” by leaving the provision unchanged, knowing that it will be unused or subject to challenge. That would run counter to the spirit of the Supreme Court ruling, however, and do nothing to assist law enforcement.
Yesterday, the government did just that, as Bill C-13 passed another legislative hurdle with the reported committee version of the bill was approved by the House. During the debate, the government insisted that the legislation is consistent with the Spencer decision. While it is true that the voluntary warrantless disclosure provision does not directly contradict the Spencer decision, the reality is that it has been rendered largely moot. In other words, the government is touting a legislative solution to assist law enforcement that the police will not use and that telecom companies will ignore.