“He can either stand with us or with the Child Pornographers” With those words, in response to a question from Liberal MP Francis Scarpaleggia, Public Safety Minister, Vic Toews may have put an end to Bill C-30, The Investigating and Preventing Criminal Electronic Communications Act. The short title of the bill, which no doubt gave rise to Toews comments, is the Protecting Children from Internet Predators Act. Also known as Lawful Access legislation, or dubbed by some wags as “Awful” Access Legislation, the bill was intended to enhance the ability of law enforcement agencies to conduct electronic surveillance – much of which no doubt is linked to investigation of child pornography activities – by requiring telecommunications service providers to implement and maintain systems and methods to monitor and intercept communications as well as allow them to more quickly respond to requests from law enforcement agencies for basic subscriber information.
Many believe that the Bill is now dead, such was the outrage over Toews comments and the opposition to the Bill from privacy advocates, including Canada’s Privacy Commissioner and the Privacy Commissioners of Ontario and British Columbia. However, it is more likely that the Bill will be allowed to die on the Order Paper when Parliament is prorogued, as is expected some time this Fall, and then re-introduced in a new form, with a new sponsor and a more coordinated effort to obtain buy in from interested stake holders.
So what is all the fuss about? Supporters of the legislation, such as CSIS Chief, Richard Fadden are reported by the Canadian Press as having written to Minister Toews describing the powers given to law enforcement and security agencies as “vital” to protecting national security The Canadian Association of Chiefs of Police (CACP) has also expressed support for the legislation. In a Press Release, President of the CACP, Chief Dale McFee states: “The CACP has endorsed lawful access legislation since it was first introduced by government in 2002. Canadians more than understand the exponential growth in technology which has occurred over the last few decades. Yet, law enforcement is being asked to protect the communities we serve based on legislation introduced in 1975 - the days of the rotary phone.”
On the other hand, the Privacy Commissioner of Canada is concerned about the necessity of such legislative measures and their balance with privacy rights. In a release issued by her office shortly after the introduction of the legislation, she made the point that she is, “not necessarily opposed to legislation that modernizes police powers online – but it must demonstrably help protect the public, respect fundamental privacy principles established in Canadian law and be subject to proper oversight.”
Where to draw the line between security and privacy is a matter that has received much attention over the past few years, and the answer is not an easy one. The issues are complex; the technology is even more complex.
In a 2010 Reference Document, A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century, the Privacy Commissioner of Canada outlined her approach for analyzing privacy issues in relation to the policy goal of national security and public safety. Similarly, in 2003 the Ontario Information and Privacy Commissioner published National Security in a Post-9/11 World: The Rise of Surveillance … the Demise of Privacy? which provided an overview of the main anti-terrorist initiatives introduced following the events of September 11, 2001 and the factors that her office believes governments should consider to ensure that such national security measures, particularly surveillance technologies, are implemented in a manner that minimizes their impact on privacy.
Both Commissioners express concern that measures being contemplated and those introduced in legislation such as Bill C-30 are overly broad in scope. They will result in general surveillance of the public without a focus on the groups and individuals that do in fact pose a threat to the public. These concerns are not limited to internet surveillance, but have also been expressed in connection with the privacy implications of aviation security measures, border crossing security initiatives, including the perimeter security discussions with the united States authorities and the privacy issues raised by Anti-Money Laundering and Terrorist Financing legislation and the activities of the financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
In the Reference Document noted above, the Federal Commissioner outlines a three stage analysis that governments and those who assist them in establishing security measures that may have an impact on individual privacy ought to undertake. The first stage requires an identification of the rationale and the justification for collecting personal information. The Commissioner looks to the considerations that courts have adopted in order to ascertain whether laws can justifiably supersede rights guaranteed under the Charter of Rights and Freedoms. This analysis requires a consideration of the necessity of the measure, its proportionality when measured against the privacy rights affected, its effectiveness and an analysis of whether the measure is as minimally intrusive as possible. The second step requires an analysis of the security measures in place to ensure that the personal information collected is protected and used only for the purposes for which it has been collected. Finally, there must be some reasonable form of ongoing governance of the program and ongoing analysis of the effectiveness of the measures as analyzed under step one. She also recommends some form of external controls by an independent oversight mechanism.
As noted, this analysis is recommended not just for internet surveillance measures, but for any measure where personal information is being collected in the name of public safety and security. Indeed, the Information and Privacy Commissioner of British Columbia recently applied a similar analysis in connection with a BC government initiative to expand the collection of personal information about current and future employees through the use of criminal record checks. She also applied a balancing analysis between the need of the employer to collect the information and the privacy rights of the employees involved. She found that the criminal record check process was not supportable for all employees. Indeed, the Government was not only collecting such information in respect of positions where the collection could not be justified, given the nature and responsibilities of the position, but it was collecting more information than was necessary to perform the record check. “In some instances, government is also unnecessarily conducting ongoing or multiple criminal record checks on the same employee. Governments should not be undertaking regular updates on current employees’ criminal record history without a justifiable reason for an additional check.”
In this regard, we have recently received reports that Public Works and Government Services Canada (PWGSC) may also be looking at instituting a criminal records check policy for the directors, and possibly officers, of companies that intend to bid on government contracts. We trust that the analysis recommended by the Privacy Commissioner will be undertaken and that such a measure will only be introduced if it can be justified and that it will only be applied to situations where it can be an effective tool.
An abstract of this article was originally published in FrontLine Security, published by Beacon Publishing Inc., Issue 3, 2012.