4) Security of Canada Information Sharing Act


The Security of Canada Information Sharing Act (the “Information Sharing Act”) was enacted as part of Bill C-51.  It gives expanded powers to federal government agencies to collect and share Canadians’ personal information, ostensibly for the purposes of “national security”, but not in the way that term is usually used.  The federal Privacy Commissioner’s office describes the surveillance capacity given to government agencies under the Act as “unprecedented.”

How does it work?

The Information Sharing Act gives listed federal bodies (said to represent more than 100 agencies) the ability to disclose Canadians’ personal information to other government institutions that have mandates or responsibilities that are relevant to the detection, identification, analysis, prevention, investigation or disruption of “activities that undermine the security of Canada”.  This term – “activities that undermine the security of Canada” – is a special concept that is entirely new to Canadian law.  It is so broad that, according to the Act, it goes far beyond public safety and includes aspects of ordinary public life ranging from “the administration of justice” to Canada’s financial and economic stability.

The Act does not require individualized suspicion as a basis for information sharing amongst government agencies.  There is no impediment in the Act to having entire databases shared with CSIS or the RCMP.  The standard for “sharing” is very, very low.

Is political activity and artistic expression protected from surveillance under this law?

It is true that “advocacy, protest, dissent and artistic expression” are exempted from the definition of “activities that undermine the security of Canada” in the Act.  But this is not the same as saying that government can’t spy on those activities and share the information they capture during that surveillance.  

The government’s Green Paper on national security makes this clear.  The Paper notes that violence is obviously not exempted from the list of “activities that undermine the security of Canada” so it’s possible of course that the powers of the Act will indeed extend to surveillance of advocacy, protest, dissent or artistic expression in cases where the detection, identification, analysis, prevention or disruption of violence could even potentially, possibly be at issue.

What does that mean when you take it to the bank to cash it in?  It means that the “advocacy exemption” is largely symbolic and not a substantive protection of rights.  The bar is so low that effectively “having a look around just in case” is sufficient justification for sharing massive amounts of information under the Act.

Was there a problem that the Act was trying to address? 

No compelling reason for the introduction of the legislation has ever been given.  In their recent response to the government’s Green Paper, Professors Roach and Forcese cite a CSIS briefing note from 2014 that set out some concerns about a lack of clarity with respect to sharing information for national security purposes.

The briefing note did not call for the wholesale re-visioning of information sharing to address this concern about clarity, but rather suggested that “With appropriate direction and framework in place, significant improvements are possible to encourage information sharing for national security purposes, on the basis of existing legislative authorities.”

But instead of the careful and measured approach called for, legislation of monumental overbreadth was enacted, which compounded the lack of clarity and paved the way for a massive increase in already illegal data holdings by security intelligence.

Back up… did you just say “illegal”? 

The intelligence alliance called the Five Eyes (US, UK, Australia, New Zealand and Canada) is having rather a bad time of it with respect to findings that they are conducting illegal surveillance on a massive scale.

Our good friends at Privacy International just achieved a landmark ruling in the UK.  The Investigatory Powers Tribunal ruled that British security agencies have secretly and unlawfully collected massive volumes of personal data in breach of article 8 of the European Convention of Human Rights and that this unlawful activity has been ongoing for years and years.

The illegal data gathered include bulk personal datasets – for example, medical and tax records, individual biographical details, commercial and financial activities, communications and travel data.

The ruling confirms that for over a decade UK security services unlawfully concealed both the extent of their surveillance capabilities and that innocent people across the country were being spied on. 

And there is a very eerie echo in all of this with what we learned only a few weeks ago about our own, comparable intelligence data holdings.

Granted, unlike the situation in the UK, it was not front page news.   Probably you heard nothing about it.  It was in the annual report from SIRC, which is the body that reviews the activities of CSIS.  The media coverage of that report focused on the review of the new CSIS threat disruption powers, which is a very important subject as well.  But unfortunately it managed to steal all the thunder from the bombshells later in the report about SIRC’s first examination into the CSIS data acquisition program, including bulk datasets. That report is an extremely damning one, and documents a situation disturbingly similar to the situation recently disclosed in the UK.

SIRC advises that within CSIS’s own data classifications there are two types of datasets.  The first is “referential” datasets, which, on the argument that they are openly sourced and publicly available, CSIS says are not “collected” under the authority of s. 12 of the CSIS Act and therefore have to meet no standard of collection.  SIRC does not comment on the legal interpretation that underpins this theory of “collection that is not collection”.  The second type is the non-referential datasets, which CSIS considers to be “collected” under the authority of the CSIS Act and which must therefore meet the collection threshold of “strictly necessary”.

Despite its characteristically calm and measured tone, what SIRC has to report on this matter is extremely alarming.  Bottom line: SIRC does not agree that all the “publicly available” “openly sourced” data is in fact, publicly available and openly sourced, so there are definitely red flags in that category.  But even more deeply troubling, as regards the datasets that clearly fall under the requirement for ‘strict necessity’: “SIRC found no evidence to indicate that CSIS had appropriately considered the threshold as required in the CSIS Act.”

No evidence of appropriate consideration of the applicable legal standard for bulk data collection of private information.

It is simply impossible to read this as indicating anything other than contempt for the need to abide by the applicable law in this arena.  This is so serious a matter that SIRC called for the immediate halt to the acquisition of bulk datasets until there is a system to confirm compliance with the law. 

In short, CSIS already engages in a secret data collection that is completely unmoored from the legal requirements in the CSIS Act (aka: illegal) to which we now add the near free-for-all of what can be gathered under the Information Sharing Act’s powers.

No indications that any of this is making anyone any “safer”

The security benefits of this approach are at best entirely speculative and infinitely more likely to undermine rather than enhance effectiveness.

The Act is so far from the mark of what is needed for national security that  Roach and Forcese note in their report: “The Act allows for the government to share just about everything while it rejects the Air India commission’s recommendation that CSIS must share intelligence about terrorist offences, if not to the police then to someone who is in charge and who can take responsibility for the proper use of the information.”

Why would security intelligence be trying to gobble up (“ingest” is the word they use) whole databases of personal information about Canadians?  You have to read deep into the SIRC report to see what they have to say to that question.  Here it is: “… SIRC was told that the data can be used to identify previously unknown individuals of interest by linking together types of information which have mirrored threat behaviour.”

Profiling.  They mean profiling.

Is profiling in the national security context necessary to keep us safe?  Certainly not.

Here’s what the best authorities on the subject have to say:

No serious, verifiable evidence has been produced by the proponents of compulsory suspicionless [bulk] data collection to show that the data mining and profiling by means of the bulk data in general… is even suitable to the ends supposedly being pursued – let alone that it is effective.

It doesn’t work.  It subjects individuals and entire targeted communities to hideous discrimination and prejudice.  And it doesn’t work.

The government has cleared the way to the wholesale importation of raw data to feed the machine of this flawed and dangerous approach.  And there are almost no effective limits on the surveillance that is empowered.  It is clear in the legislation that CSIS should not be importing data under the Information Sharing Act that it cannot legally collect under the CSIS Act.  Only we’ve just been told in no uncertain terms that those legal standards are being ignored.  And it is anyone’s guess for how long that has been the case.

The Bottom Line:

The Information Sharing Act was ill-advised when it was introduced; it is even more so now that we have some insight into the shocking state of the current security intelligence data collections of personal information.  The unprecedented surveillance that the Act enables will facilitate precisely the kind of profiling that is both dangerous to individuals and communities and ineffective at increasing public safety.

The Act should be repealed and replaced with the careful and measured approach that was called for in the first place to ensure needed information sharing for national security purposes and appropriate and meaningful protection for lawful Canadians’ personal information.