As the world grapples with the recent terrorist attacks in Paris, the policy implications for issues such as the acceptance of refugees and continued military participation in the fight against ISIL have unsurprisingly come to the fore. The attacks have also escalated calls to reconsider plans to reform Canadian privacy and surveillance law, a key election promise from the Trudeau government.
My weekly technology law column (Toronto Star version, homepage version) argues that despite the temptation to slow the re-examination of Canadian privacy and surveillance policy, the government should stay the course. The Liberals voted for Bill C-51, the controversial anti-terror law, during the last Parliament, but promised changes to it if elected. Even in the face of a renewed terror threat, those changes remain essential and should not have an adverse impact on operational efforts to combat terror threats that might surface in Canada.
The Liberals promised to establish an all-party review mechanism similar to those found in many other countries that will bring members of Parliament into the oversight process. The Conservatives’ opposition to increased oversight was always puzzling since oversight alone does not create new limitations on surveillance activities. Rather, it helps ensure that Canada’s surveillance and police agencies operate within the law and restores public confidence in those entrusted with Canadian security.
The other Liberal commitments would similarly address oversight without curtailing surveillance powers. For example, the party promised to increase the powers of the Privacy Commissioner of Canada and to add a mandatory three-year review provision to the law.
Assuming that the oversight issue is addressed, the bigger question is what comes next. There is a risk that the Paris attacks will renew calls to go beyond even Bill C-51, by restricting the use of encryption technologies that are widely used by financial institutions, health care providers, and a growing segment of the public (but may also be used by terrorist groups) as well as restricting a landmark Supreme Court of Canada ruling on the reasonable expectation of privacy in Internet subscriber information.
The security of all Canadians is absolutely crucial, but there is reason to believe that it can be achieved while still respecting individual privacy rights. Recent studies have emphasized the economic importance of encryption, which underlies the burgeoning Internet economy. To create restrictions on the use of encryption products would undermine consumer confidence, create economic harm, and do little to provide increased security.
Moreover, the Supreme Court of Canada’s Spencer decision on the reasonable expectation of privacy in Internet subscriber information merely confirmed what most Internet users already expected, namely that their personal information would not be disclosed to law enforcement without court oversight. The fact that Internet providers may have revealed such information in the past does not provide a compelling reason to eliminate the critical safeguards provided by the warrant process.
Perhaps the biggest challenge for Canadian privacy comes from access to personal information from outside of our borders. Canadian data is frequently transferred to cloud computing services located outside the country or traverses across non-Canadian networks, even when messages are between two Canadians.
The European Union has assumed a leadership role on the issue of global data transfers, with a recent European Court of Justice ruling that may lead to new restrictions on the transfer of data between Europe and the United States. Canada can ill-afford to remain on the sidelines as standards of privacy protection and access for surveillance agencies are developed.
Rather than slowing down work on Canadian privacy and surveillance policy, recent events in Europe point to the urgent need to address the inadequacies of Canadian oversight while also working to develop rules that provide Canadians with stronger assurances that the law is working to safeguard both their security and privacy.