Thursday, February 5, 2015

C-51 and Privacy - The End of Purposive Analysis by Greg

The British Columbia Civil Liberties Association notes that part of the reason for concern with Bill C-51 lies in a significant intrusion into Canadians' privacy. But the problem with the Conservatives' anti-terrorism legislation is even more striking than it might appear at first glance.

Federal government institutions - including CSIS and the RCMP - are governed by the Privacy Act (Canada) in their collection, use and disclosure of personal information. And the Privacy Act sets clear requirements as to the circumstances in which personal information may be collected, used or disclosed: collection is permitted only if the information "relates directly to an operating program or activity of the institution" (section 4), and use and disclosure is limited to a closed set of purposes along with the initial purpose for collection or consistent purposes (sections 7 and 8, respectively).

Like most public-sector privacy legislation, the Privacy Act expressly authorizes the disclosure of personal information for law enforcement or investigative purposes (section 8(1)(e)). And while the Privacy Act's language may be somewhat outdated in defining those purposes, it would be a relatively simple matter to amend that permitted type of use and disclosure within the existing statutory framework which also offers some statutory protection for privacy.

Instead, Bill C-51 creates an entirely new standard. A new list of government institutions will be established by schedule. C-51 will authorize the disclosure of personal information to those institutions without any apparent purpose requirement, so long as the information is "relevant to the recipient institution's jurisdiction or responsibilities". 

In other words, rather than requiring that a disclosure of personal information be justified, C-51 states that the mere fact that the recipient has some national security function is justification for the disclosure of every shred of personal information in the hands of any other government institution. And C-51 may arguably override the Privacy Act's protection against cross-institution disclosure by setting up a prohibition against civil proceedings for the disclosure of information, but absolutely no provisions offering any protection for privacy (including even basic offence provisions for the abuse of its terms).

Mind you, the interaction between C-51 and the Privacy Act is unclear. The Privacy Act would still apply in principle to recipient government institutions, though the same "security trumps everything" approach that underlies C-51 in the first place would likely be applied as justification to treat recipients' data banks as exempt (and thus not subject to personal information requests by individuals). And any collecting institution which was scheduled under C-51 but not under the Privacy Act would face absolutely no accountability for its use of Canadians' private personal information supplied by government institutions.

Moreover, it's not clear how the purpose analysis in the Privacy Act would apply to information supplied without an initial purpose even for existing government institutions. If the purpose for collection of data by the recipient is the mere fact that it has been listed as having some national security function, does that then mean the Privacy Act's "consistent purpose" analysis allows the institution to use and disclose the information on an equally indiscriminate basis?

In sum, it's a radical change in course for the Government of Canada to suggest that the bare fact that an office has some national security function serves as justification for it to collect, and other institutions to supply, potentially massive amounts of personal information which have nothing to do with any specific investigation or basis for suspicion (or indeed any existing program or activity). And there's a real risk that a wholesale data dump from other government institutions to security agencies will be accompanied by no meaningful ability to test what's been shared and why.

This blog consists of general legal information only, and does not constitute the provision of legal advice to any person or organization. Please contact me at gfingas@grj.ca if you require legal advice related to labour, employment or privacy issues.