Friday, October 30, 2009

Privacy Commissioner speaks out on lawful access

The Privacy Commissioner of Canada has recently provided parliamentarians with her opinion on the new lawful access bills that are winding their way through the Commons. I have to say I was nodding my head while I read it:

Letter to the Standing Committee on Public Safety and National Security regarding the Commissioner's initial analysis on the privacy implications on Bills C-46 and C-47 - October 27, 2009

The Privacy Commissioner of Canada, Jennifer Stoddart, sent the following letter to the Standing Committee on Public Safety and National Security, regarding her initial analysis on the privacy implications on Bills C-46, the Investigative Powers for the 21st Century Act (IP21C), and C-47, the Technical Assistance for Law Enforcement in the 21st Century Act (TALEA)

October 27, 2009

Mr. Garry Breitkreuz, MP Chair of the Standing Committee on Public Safety and National Security 131 Queen Street – 6th floor House of Commons Ottawa, Ontario K1A 0A6

Dear Mr. Breitkreuz:

I am writing to provide the members of the Standing Committee on Public Safety and National Security with some preliminary views on the privacy implications stemming from Bills C-46 and C-47. As you are aware, I am often called upon to comment on legislation that will result in new or expanded forms of personal information being collected by federal government institutions. Those views, and analysis conducted by my Office, are specifically undertaken to support the deliberations of Parliament.

It must be stated at the outset that we recognize the concerns of law enforcement and national security authorities with the speed of developments in information technology and the anonymity they afford. Bills C-46 and C-47 seek to address the consequent public safety challenges and that objective is valid. That said, whenever new surveillance powers or programs are proposed, it is my view that there must be demonstrated necessity, proportionality and effectiveness. They should also be the least-invasive alternative available. These tests are all the more important in the area of public safety, as the use of surveillance powers by authorities can have deep and lasting impact on peoples’ lives.

The consequences for individuals as their personal information is collected and shared among authorities in various countries can escalate far beyond the initial objectives of public safety. Recent international reports, Canadian court rulings and federal commissions of inquiry have shown this clearly. Proper protections for privacy in this area reside in the strict limitation of invasive powers to what is demonstrably necessary to ensure public safety and in strong measures for accountability, commensurate with the powers vested. It is a matter of protecting human rights and assuring public trust.

Taking into account the real challenges of law enforcement and national security agencies in the Internet age and the fundamental right to privacy that underpins our democratic society, and after careful study and extensive consultation this past summer, I have concluded that elements of the proposed legislation raise significant privacy concerns. These must be addressed by proponents of the bills.

I would draw to the attention of this Committee, and all Parliamentarians, that the proposed legislation contains many provisions that would increase the level of access by law enforcement and national security authorities to personal information. In that regard, it is important that Parliament be satisfied that:

The need for these provisions has been clearly demonstrated,

The lowered legal requirements for use of invasive powers is justified,

The lessons of similar initiatives in other countries are considered, and

The oversight, reporting and accountability mechanisms are carefully calibrated, to ensure they mirror the breadth and scope of new powers

Analytical approach and consultations

It is important to note that our Office approached the examination of both pieces of legislation with fresh eyes and an open mind. While previous iterations or initiatives – like the 1999 Justice Canada initiative, the 2005 public consultation or the 2007 Public Safety request for submissions on Customer Name and Address access – may have served as background, they did not colour our analysis. Instead, since the legislation was tabled this past summer, our Office carefully read and analysed the two bills anew.

We also wanted to hear from informed experts, therefore between June and September of this year, my staff met with representatives of Justice Canada and Public Safety Canada, provincial privacy commissioners, the telecommunications industry (manufacturers, service providers and associations), law enforcement (RCMP and the Canadian Association of Chiefs of Police), civil society groups, academic specialists, as well as subject experts in the fields of information policy, network security, criminal law and intelligence operations. These conversations helped our Office identify the privacy issues raised by the two bills, which relate to the following areas:

Necessity: Though isolated anecdotes abound, and extreme incidents are generally referred to, no systematic case has yet been made that demonstrates a need to circumvent the current legal regime for judicial authorization to obtain personal information. Before all else, law enforcement and national security authorities need to explain how the current provisions on judicial warrants do not meet their needs.

Necessity given international obligations: A principal rationale cited for the need to update Canada’s interception and surveillance regime – as proposed in C-46 and C-47 – is ratification of the Council of Europe Convention on Cybercrime. However, many of the powers introduced in the proposed legislation go far beyond the legal requirements of the Convention. Our analysis would suggest that Canada has already met most of the substantive legal changes required. Certainly some caution should be exercised, given the fact that similar legal initiatives in the US and UK led to significant concerns in relation to privacy.

Proportionality of thresholds: Canadian law imposes rigorous thresholds of evidence for authorities to obtain access to personal information. They form the heart of protections that Parliament put in place to protect privacy in Canada. The downward movement from reasonable grounds to believe to reasonable grounds to suspect in some cases (for some production orders) - or to no threshold of evidence at all (for subscriber data access) - must be shown to be a proportionate response to safety and security imperatives. As it stands, the new powers envisaged are not limited to a specific range or seriousness of criminality, or to a specific level of urgency. In the case of Bill C-47, there is not even a requirement for the commission of a crime to justify access to personal information without a warrant. The onus lies with proponents of the legislation to demonstrate the need for lowered thresholds to obtain personal information.

Proportionality of oversight and review mechanisms: Only prior court authorization serves as rigorous privacy protection. Should Parliament allow law enforcement and national security authorities to circumvent the courts to obtain personal information, the corresponding oversight mechanisms must be established. My Office is clearly implicated at several points in Bill C-47, wherein my staff may review the records created by officers at the RCMP or Competition Bureau as they exercise new powers. Given the scale envisaged, with upwards of thousands of individuals in the RCMP alone potentially empowered to access subscriber data, it would be difficult for us, within our current resources, to offer any assurance to

Parliamentarians or Canadians of proper auditing. Still, review after the fact arrives too late. Privacy has already been breached, it is difficult to properly assess the circumstances, and there is no remedy for the ultimate outcome of the breach.

Demonstrated effectiveness through clear public reporting and accountability: In Bill C-47, audits are conducted internally and not required annually, while follow-up reporting to the responsible Minister and my Office are discretionary, as opposed to regular requirements. This will not afford objective, timely assessment of privacy risks or breaches. It is my view that, should the powers envisaged be granted, copies of those reports from the RCMP and Competition Bureau should be provided to the Minister and my Office on an annual basis. My audit and review staff can then proceed accordingly.

Flowing from these concerns, we would look forward to a constructive dialogue with the Committee on the following points or alternatives:

Examine warrant provisions in the Criminal Code. Rather than creating blanket, open access for authorities to search subscriber data, as in Bill C-47, there are other investigative options or legal changes to consider. Emergency provisions to conduct search, seizure or interception without a warrant in exigent circumstances are already in the Criminal Code. A similar provision for production and assistance orders should be considered to address the issue police have described in obtaining data.

Review the process for court authorization in Canada. If the underlying problem resides in Canada’s current warrant system, this is where the government’s attention should be directed, as opposed to limiting court oversight. Law enforcement and national security authorities should state the shortcomings they identify in the court warrant system so they can be addressed to adapt the system to the new challenges of the Internet age rather than sacrifice the principles that underpin the very society we seek to protect.

Tailor the scope of new powers. Any regime that circumvents court authorization raises significant privacy issues. If Parliament chooses to grant the proposed powers, they must be restricted in their application to the investigation of crimes or threats where such an invasion of privacy is justified. That is the Canadian legal tradition.

Revisit oversight regime. Internal audit, reporting with self-discretion and the role of external review bodies need to be strengthened with provisions for specific reporting requirements, regular review, dedicated resources for oversight and transparent mechanisms for accountability to assure the Canadian public.

Parliament should consider a five-year review for Bill C-46. While Bill C-47 has such a provision, Bill C-46 would also merit close review by Parliament, given how the two pieces of legislation interact. These reviews should be conducted with an eye to demonstrated evidence of effectiveness, minimal invasion of privacy and clear operation within bounds of the law.

Require annual public reporting. Yearly statistics on the use, results and effectiveness of new powers (subscriber data requests, preservation demands, tracking warrants, etc.) should be required by statute. Besides bolstering accountability, these reports would usefully support Parliament’s five-year review of the powers.

Review the regulations flowing from both bills. Given the important administrative, procedural and technical details involved, Parliament should conduct full committee reviews and hear from all interested stakeholders on both legislation and regulations. This should occur before either bill comes into force.

In summary, we urge Parliament to review Bills C-46 and C-47 in light of the following questions:

In specific terms, how is the current regime of judicial authorization not meeting the needs of law enforcement and national security authorities in relation to the Internet? What law enforcement or national security duty justifies access without a warrant by authorities to personal information or preservation of private communication?

Why are some of these powers unrestricted, when the spirit of Canadian law clearly reflects the view that access or seizure without court authorization should be exceptional?

And finally, are the mechanisms for accountability commensurate to the unprecedented powers envisaged?

Based on this initial analysis, my Office will be preparing a full submission for your consideration, in anticipation of your Committee’s study of the legislation. Given the public interest in this issue, we anticipate posting this letter on our website in the near future. I would like to thank you for your attention to this critical issue and look forward to discussing the initiative further when meetings on the bills commence.


Original signed by

Jennifer Stoddart

Privacy Commissioner of Canada

Well said.

No comments: