Is CSIS Running Afoul of Canadian Privacy Laws?
Privacy rights are of utmost importance in a complex interdependent society. Having reached an apex of unprecedented iteration, human activity requires the protection of one’s identity and personal information. Private communications are increasingly being compromised while at the same time identity theft multiplies. Canadians are thus advised to remain vigilant, and to be cautious in the dissemination of sensitive material.
Technological man is particularly vulnerable to encroachments on privacy. The digital age has transformed the very notion, and its erosion is directly linked to the rise of information technology. Internet is the obvious culprit; a double-edged sword, if you will. Certainly, its invention has revolutionized the way humans communicate. The obstacles of time and space have been eviscerated, leading to greater fluidity. By contrast, the Internet has empowered digital malefactors. Piracy, hacking, fraud, and surveillance have risen exponentially. A recent example is that of Sony, whose servers were infiltrated by sophisticated hackers. The result was a massive privacy breach. Subscribers were not amused.
A more traditional, yet equally prevalent, actor in the realm of privacy rights is the federal government. Its branches and institutions have access to considerable information for a variety of purposes. For one, the state relies on private information in the design of policy. An obvious example is the Census, compiled every five years. Privacy is also involved in the control of criminal conduct. Law enforcement authorities are endowed with considerable powers, but warrants must be obtained to enter a domicile, or to conduct a search. Barring the rare exception, the Courts are stellar in defending this fundamental right. There are few cases where an offender will be convicted on the basis of evidence illicitly obtained.
Notwithstanding its rigorous protections, privacy remains vulnerable to improper state action. Public safety and national security are often cited as justifications for increased investigative powers. Intelligence sharing is another threat to personal information. Coordinated security strategies have crystallized between the United States and Canada, especially after the 9/11 terrorist attacks. A recent example is the controversial Aeronautical Safety Act. All Canadian aircrafts flying over the United States must now provide the personal information of all passengers to American intelligence authorities. Experts aren’t convinced of the constitutionality of such a measure.
It has been said that with great power comes great responsibility. This aphorism can certainly be applied to the protection of personal information. For the state, being empowered to access our private information, it must adhere to its responsibility of acting lawfully. To be sure, the state must protect the personal information of Canadians and coordinate its usage through legally-defined parameters. Otherwise, public confidence may be shattered beyond repair.
The CSIS Case Study
Confidence in the state’s protection of personal information took a severe blow last week. As reported by the CBC, a cable released by WikiLeaks revealed that CSIS routinely transfers the personal information of Canadians to American intelligence agencies. There are particular cases where disclosure is automatic. Namely, all Canadians suspected of, but not charged with, “terrorist-related activity” can expect to find their names in American intelligence databases.
Individuals prone to having their information disclosed are not limited to the above category. According to the cable, CSIS will also transmit the information of individuals merely associated with others suspected of terrorist-related activity. No evidence is required to ground the claim. Said individuals are then flagged in the Visa Viper database, as well as by the US National Counterterrorism Centre. This ensures that the named persons are unlikely to be admitted to the United States and, in some cases, suspects will be prevented from boarding aircrafts flying over US airspace.
The process by which determinations are made is classic administrative justice. That is, determinations undertaken by administrative officials without judicial oversight. A threat assessment is conducted by a committee of Canadian security executives from CSIS and the RCMP. Lawyers from the Department of Justice also participate, often to play devil’s advocate in challenging the information underlying the suspicions. However, the final decision is subject to written directives from the Minister of Public Safety, as well as internal CSIS policies.
Shared security priorities explain why the information is conveyed to the United States. This is corroborated by executive testimony. According to an anonymous intelligence source interviewed by the CBC, CSIS feels obligated to cooperate. The common perception is that our shared border is porous and that Canada is a terrorist haven. Thus, in the event that Canada did not disclose the identity of a person suspected of terrorist activity, and the person went on to commit a terrorist act in the US, bilateral relations would be seriously affected.
It goes without saying that public security is a paramount social interest. The same can be said for the protection of personal information, as a corollary of personal integrity. A balance must necessarily be struck between both objectives, where the pursuit of one does not come at the other’s expense. Canada’s privacy laws reflect the need for compromise. There will indeed be instances where law enforcement can only be achieved in breach of privacy. But how far these exceptions go, and how far the law will accommodate them, is a different issue. It must first be determined whether CSIS is in conformity with the law, or at the limit of legality.
The Privacy Act
The Privacy Act is Canada’s foremost privacy law. Its ambit extends to regulating federal control of Canadians’ personal information, subject to prescribed limitations. The purpose of the Act is relatively straightforward. Section 2 prescribes that its aim is to “protect the privacy of individuals with respect to personal information about themselves held by a government institution.” The law also ensures that individuals can petition for access to that information. And, if disclosure is refused by the state, recourse can be filed at the Federal Court of Canada.
Despite its rigorous protections, the Privacy Act offers considerable latitude to government institutions. A few sections will be useful to demonstrate. Section 8 prescribes that personal
information under the control of a government institution shall not be disclosed (to an external body) without the consent of the individual to whom it relates. This is followed by several subsections fleshing out exceptions to this general rule. The one most relevant to our analysis is subsection 8(2)(f). Here, it is stipulated that:
“Personal information under the control of a government institution [in this case, CSIS] may be disclosed under an agreement or arrangement between the Government of Canada…and the government of a foreign state, or any institution of any such government or organization, for the purpose of administering or enforcing any law, or carrying out a lawful investigation.”
The section gives explicit recognition to the imperatives of criminal investigations. Investigatory undertakings would be compromised if disclosure could not proceed otherwise. The point of contention arises with what is regarded as a “lawful investigation.” The inclusion of the word “lawful” creates a distinction from those in contravention of the law. Examples of unlawful investigations could entail any investigatory activity undertaken without a warrant, or where information was disclosed without reasonable and probable grounds of suspicion.
The inclusion of the term “lawful” implies determining whether an investigation proceeded on legal grounds. However, as per longstanding Common Law principles, the state cannot act as the arbiter of its own actions. That role is reserved to the judiciary; the only impartial actor able to assess the conflicting interests of individuals and the state. By contrast, CSIS divulges personal information without judicial oversight. The evidence it uses to ground its suspicions aren’t independently assessed. As a result, the rights of Canadians may be infringed, without an opportunity to make full answer and defence, or to contest the information being communicated.
The second point of contention arises from the authorization given “for the purpose of administering or enforcing any law.” The vagueness of the passage gives us pause. The lack of specificity provides fertile ground for abuse or contention. Battles over interpretation can ensue and practices may continue unsanctioned before the Courts are seized to evaluate. A limitation is undoubtedly prescribed by the Canadian Charter of Rights and Freedoms. For if the administration or enforcement of a law resulted in a breach of constitutional protections, the state would have to demonstrate that the breach could be justified as a reasonable limitation under section 1.
The present case raises significant issues as to the right to life, liberty, and security of the person. The release of personal information to US authorities can have serious repercussions where suspicions are unwarranted. Secret determinations cloistered from judicial oversight are constitutionally repugnant. Suspects are denied due process, the right to make full answer and defence, and to challenge the veracity of impugned information. Further questions are raised with regards to section 8 of the Charter, which protects the individual against unreasonable search and seizure. One’s information may indeed be shared with the US.
It would not be foolhardy to assume that section 8(2)(f) may someday be the subject of a constitutional challenge. Only then will we know whether it conforms to the rule of law, and whether CSIS can legally disclose personal information without reasonable grounds to believe a crime has been, or is about to be, committed.
Constitutionality of Section 8(2)(f) of the Privacy Act
Section 7 of the Canadian Charter of Rights and Freedoms exists to protect the individual’s right to life, liberty and security of the person. The section also guarantees that the individual will not be deprived of that right, “except in accordance with the principles of fundamental justice.”
A cardinal principle of fundamental justice relates to due process of law. According to this postulate, individuals are entitled to a fair hearing in front of an impartial tribunal; have the right to make full answer and defence to any charges or allegations; and have the right to the full disclosure of the evidence held against them. The observance of due process is nothing new. Inherited from the British Common Law tradition, due process is specifically enshrined to protect citizens from arbitrary decision-making. This protection is all the more pressing when the consequence may be an abridgement of their rights or freedoms.
The disclosure of private information to foreign states does not automatically create a violation of due process. If an investigation is conducted in accordance with the law, and if reasonable grounds to believe an offence will be committed can be articulated, then disclosure will likely be upheld. The same cannot be said for the CSIS proceedings. Here, the privacy of individuals is violated without assessment of whether the evidence is sufficient to ground the suspicions against them. The process is undoubtedly arbitrary and is a prima facie violation of section 7. Due process is circumvented in the absence of judicial oversight.
Issues relevant to this case were raised in the case of Singh v. Minister of Employment and Immigration (1985.) Until this case was decided, the determination of whether a person qualified for “convention refugee” status was decided in secret. A constitutional challenge was raised by the petitioners, claiming due process has been infringed.
The Supreme Court agreed. In its ruling, the Court held that secretive deliberations do not comport with the principles of fundamental justice. The deliberations did not allow the claimant an opportunity to know the case against him, and failed to provide an independent assessment of the relevant evidence. Further, the Immigration Act, as it then stood, did not provide the claimant an opportunity to contest the information adduced against him. This resulted in potentially arbitrary decisions, with serious constitutional consequences.
The Singh case’s factual circumstances may differ from the CSIS procedures. The determination of convention refugee status is admittedly different than flagging someone for purported terrorist-related activity. The relevant point, however, relates to due process. The issues noted in the Singh case are replicated in CSIS’ assessment procedures. Regardless of the type of deliberation, due process must be ensured where the consequences affect constitutional protections. The imperatives of national security are of considerable importance. Doubtful is it that this importance is sufficient to displace the principles of fundamental justice.
Another Charter protection affected by CSIS’ procedures relates to unreasonable search and seizure. Far from being restricted to physical searches, this section protects the individual against state encroachment on privacy. This protection is multifarious. It applies against illegal state surveillance of communications, and other forms of privacy breaches. More specifically, it protects the individual in every context where a reasonable expectation of privacy exists.
The issue raised here extends beyond the gathering of information by CSIS operatives. The question pertains to whether the information may be communicated to the United States without reasonable grounds. In the absence of verifiable evidence, the transmission of personal information to the United States is a prima facie violation of section 8 of the Charter. CSIS can invoke section 8(2)(f) of the Privacy Act. But, since the constitutionality of this section has yet to be determined, one cannot be certain whether it would actually pass the test.
A helpful starting point would be to distinguish the circumstances in which disclosure to the US would be acceptable. The prevention of crime surely justifies the sharing of information. The nuance relates to how the information was obtained.
The first example where disclosure is acceptable relates to information gathered in the course of a lawful investigation. Here, the authorities would have obtained a warrant, authorizing them to amass information on a given individual. The threshold required to obtain a warrant would guarantee due process would be observed. It would ensure that authorities could not proceed haphazardly. Clear evidentiary safeguards would also be in place to prevent arbitrariness.
The obtention of a warrant would further be premised on judicial oversight. According to the leading authority on the matter, two requirements must be fulfilled in order to obtain a warrant. First, a judicial authority must be able to “assess the conflicting interests of the individual and the state in a neutral and impartial manner before the search is authorized.” And, secondly, “reasonable probable grounds to believe that an offence has been, or will be committed, must be established under oath and must satisfy the judicial authority.” (Canada (Director of Investigation and Research) v. Southam Inc. (1997)).
These requirements having been followed, disclosure to a foreign government could indeed be justified. But the CSIS process falls short of these rigorous requirements. First, information is amassed without the individual’s knowledge or consent. The information is of a private nature and is conferred with constitutional protection. The second problematic aspect is disclosure to the US government. Doing so compounds the breach occasioned by the former, thus resulting in a double infringement on privacy rights. It is doubtful this practice would survive a constitutional challenge.
The balancing of social interests lies at the heart of any legal contention. In the present case, we are confronted with the weighing of an individual’s right to privacy against the imperatives of national security. The legal analyst’s task is thus to reconcile these competing interests. Society would be at loss if either was left to erode, as both are necessary to the proper functioning of a constitutional polity.
That being said, the advancement of national security cannot serve to erode the requirements of due process. It is one thing for legally-obtained information to be passed on to our foremost strategic ally. It is quite another to disclose unverified information without the scrutiny of judicial oversight.
Clarification of current privacy legislation is sorely required. The processes by which CSIS handles Canadians’ information deserve greater clarity, as well as safeguards to ensure their adherence to the rule of law. It is easy to rebuff concerns by claiming that only suspected terrorists are affected by the current framework. But if the process isn’t clarified, the categories may expand to ensnare individuals in other walks of life. Is this a desirable outcome?
Lawrence David Bisse is a graduate of Concordia University’s Department of Political Science. He will be attending McGill University’s Faculty of Law as of September 2011. Contact him at: firstname.lastname@example.org