Privacy watchdog calls for higher standards in protecting citizens from surveillance
These were some of the key points of a report recently released by Canada’s Privacy Commissioner Daniel Therrien.
“We are left with 20th-century tools to deal with 21st-century problems,” Therrien’s said in his office’s 2015-2016 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act. “And in the meantime, 90 per cent of Canadians feel they are losing control of their personal information and expect to be better protected.”
Therrien derided the failure of federal agencies and departments to conduct assessments on privacy impact. The commissioner’s report recommended that legislation requiring government departments and agencies to conduct Privacy Impact Assessment (PIA) be put in place prior to implementation of programs.
For example, he said, in the 2013 case of the Canada Border Service Agency (CBSA) High Integrity Personnel Security Screening Standard, the privacy commissioner’s office was not consulted prior to implementation and a PIA was received upon the program’s implementation.
“As a result, the new and more invasive screening measures began without our input and a related complaint under the Privacy Act followed,” Therrien said. “A legislative requirement to complete a PIA prior to implementation could have resulted in privacy risks being highlighted and mitigated early on.”
The commissioner also outlined the dangers of the Bill C-51, brought in by the former Conservative government, which introduced sweeping data-gathering powers for intelligence and law enforcement agencies.
Bill C-51 received Royal Assent in June 2015 as the Anti-Terrorism Act, 2015, and came into force in August 2015. It introduced the Security of Canada Information Sharing Act (SCISA).
The commissioner’s office had expressed serious concerns in submissions to a number of Parliamentary committees studying the bill, including the Senate Committee on National Defence and Security.
The Liberal government created a parliamentary to a committee to look into the legislation and has promised to repeal elements of C-51 that pose risks to privacy.
“While the question of oversight has, in part, been addressed, our concerns regarding thresholds remain,” the report said.
The danger of information sharing was illustrated in the 2014-15 Annual Report of the Office of the CSE Commissioner (the CSE’s oversight authority). The report revealed that due to a filtering technique that became defective, not properly minimized information on the communication activities of Canadians were shared with Canada’s “Five Eyes” partners—the signals intelligence agencies of Australia, New Zealand, the United Kingdom and the United States. To minimize information means to remove, alter, or mask certain its contents so that certain person or persons connected with the communication could not be identified.
SCISA’s current standard dictates that certain federal government institutions may share information amongst themselves so long as it is “relevant” to the identification of national security threats.
“In our view, that threshold is inadequate and could expose the personal information of law-abiding Canadians,” the report said. “A more reasonable threshold would be to allow sharing where necessary.”
The Office of the Privacy Commissioner identified several key concerns which SCISA. Among them were:
- The act is broadly worded and leaves much discretion to federal entities to interpret and define “activities that undermine the security of Canada”, potentially resulting in an inconsistent approach in its application.
- The scale of information sharing that could occur under this act is unprecedented. The potential for sharing on a much larger scale combined with advances in technology allow for personal information to be analyzed algorithmically to spot trends, predict behaviour and potentially profile ordinary Canadians with a view to identifying security threats among them. “Our intent in future reviews will be to examine whether law-abiding citizens are indeed subject to these broad sharing powers and if so, under what circumstances,” the report said.
- Fourteen of the 17 entities authorized to receive information for national security purposes under the SCISA are not subject to dedicated independent review or oversight.
- There are legal authorities that existed before the SCISA that permit the collection and disclosure of information for national security purposes. Some of these authorities are also very broad, including the common law powers vested in the police and others and the crown prerogative of defence.
The Office of the Privacy Commissioner said it realizes that in the face of today’s threats, Canadians value but they also deeply care about their privacy. Finding the right balance is” absolutely critical.”
“In pursuit of a better balance, we have recommended, for example, changing SCISA’s information sharing threshold from ‘relevance’ to ‘necessity,’ that private and public sector institutions follow through on transparency reporting; and amending the National Defence Act to add legal safeguards for protecting personal information collected and used by the CSE,” the report said.
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…