Canada is embarking on the most substantial overhaul of its national security institutions and governance in over three decades. Should C-59, a national security bill, become law, part four of the bill will amend the legislation governing the Canadian Security Intelligence Service (CSIS), in several significant ways. CSIS, also known as “the service,” is Canada’s domestic spy agency, whose primary mandate is investigating threats to Canada’s security. Craig Forcese and Kent Roach already highlighted the proposed reforms to CSIS’s threat-disruption powers. Another notable addition to the service’s capabilities is the authority to collect, retain and use “datasets” in support of CSIS’s domestic and foreign intelligence mandates.
The dataset regime is in part an answer to a 2016 decision of the Federal Court of Canada regarding CSIS’s retention of metadata associated with lawfully collected communications. The court found that the service’s indefinite retention of associated data that was not directly threat-related was based on an erroneous interpretation of the CSIS Act. While the court acknowledged the intelligence value of data analytics, it questioned whether the CSIS Act, now more than 30 years old, was keeping pace with changing technology. In response, C-59 creates a new regime that provides a clear legal authority for the collection and retention of information that is not definitively threat related, thereby enabling the service to leverage the power of data analytics.
Datasets are defined in Bill C-59 as a collection of information stored as an electronic record and characterized by a common subject matter. Dataset collection is governed by the new regime if the datasets contain personal information—defined under Canada’s privacy legislation, as information about an identifiable individual—and do not directly and immediately relate to activities that represent a threat to the security of Canada. Depending on the circumstances, personally identifying information can be anything from your ethnicity to your telephone number or what college you attended.
Under the bill, datasets are classified as either publicly available, Canadian, or foreign—depending on their content. A Canadian dataset is one that predominantly relates to Canadians or persons within Canada, while a foreign dataset predominantly relates to non-Canadians outside Canada.
Before diving further into the details, it’s important to note that in the early 1990s, the Supreme Court of Canada rejected the American Fourth Amendment third-party doctrine. This means that in Canada, the fact that information has been voluntarily disclosed to a third party does not necessarily diminish a person’s reasonable expectation of privacy in that information vis a vis the state or the protection against unreasonable search or seizure afforded by section 8 of the Canadian Charter of Rights and Freedoms.
To collect any dataset, CSIS must be satisfied that it is relevant to the performance of its duties and functions under the CSIS Act. These duties include investigating threats to the security of Canada, conducting security assessments for other government departments, providing advice to ministers on security related matters, and assisting the Ministers of Foreign Affairs or National Defence through the collection of foreign intelligence within Canada. If you are thinking to yourself, “wow, relevance is an incredibly low threshold for the warrantless collection of untold quantities of personal information,” you are right.
However, before bringing a Canadian dataset in the door, CSIS must be convinced that it falls within a pre-approved class of datasets authorized for collection by the Minister of Public Safety. The classes authorized by the Minister are also subject to review on a reasonableness standard by the new Intelligence Commissioner (IC); a retired judge appointed by the Prime Minister for a term of five years. The retention and use of datasets are then subject to a series of safeguards and restrictions under the CSIS Act.
To retain a Canadian dataset for longer than 90 days, CSIS must obtain an authorization from the Federal Court. To retain a foreign dataset, CSIS needs the authorization of the Minister of Public Safety and the approval of the IC. An authorization may only be issued if the court or minister is satisfied that the dataset is likely to assist CSIS in the performance of its duties and functions. Both issuing authorities can impose any terms and conditions on the retention and use of a dataset that they consider advisable in the public interest. Prior to obtaining an authorization CSIS cannot use the information in the dataset to derive intelligence except in exigent circumstances where life, individual safety or perishable information of significant value to national security is at risk. Canadian datasets can be retained for up to two years, while foreign datasets authorizations are legally retained for a maximum of five years.
Publicly available datasets, on the other hand, can be retained indefinitely without authorization so long as all irrelevant personal information is deleted. “Publicly available” is not defined in the CSIS Act. This has raised concern amongst privacy advocates that CSIS will be able to leverage private information that has been hacked or stolen and placed online. A common example used to illustrate this concern is the leaked confidential customer information stolen from Ashley Madison.
Addressing this issue before a committee of the House of Commons last month, a CSIS official testified that the service does not consider hacked or stolen datasets to be “publicly available.” Despite this public statement, Canada’s Privacy Commissioner recently called upon the government to amend the bill to explicitly preclude the collection of hacked and stolen information without a warrant or ministerial authorization.
Once a dataset is retained, the Bill defines two types of data analytics that can be performed on the datasets: “queries” meaning a specific search relating to a person or entity within one or more dataset, and “exploitation” defined as computational analysis of one or more datasets for the purpose of obtaining intelligence that would not otherwise be apparent. Querying or exploiting a Canadian or foreign dataset must be “strictly necessary” to the service’s domestic intelligence mandates. This replicates the strictly necessary standard by which CSIS can collect, analyze and retain information related to threats to the security of Canada under the current legislation.
Safeguards & Review
A key safeguard in this new dataset regime is that all Canadian and foreign datasets will be fenced off from the rest of CSIS’s holdings and accessible to a limited number of persons specially designated by the CSIS director. Only once the results of query or exploitation are fruitful and their retention is determined to be “strictly necessary,” can a designated person flip the result to the other side of the fence so that it can be used by CSIS officers to further a domestic intelligence investigation. If not retained, all results must be destroyed.
Every step of this process must be recorded, including an analyst’s justification for conducting a query and the basis for retaining results. The bill also requires periodic and random auditing, and all auditing reports must be provided to the National Security Intelligence and Review Agency (NSIRA), a new review body introduced in Part 1 of the bill with the authority to investigate the activities of all national security agencies. What’s more, should NSIRA be of the opinion that the querying or exploitation of a dataset may not be in compliance with the law they can refer the matter to the Federal Court of Canada.
While the threshold for CSIS’s initial collection is low, the structure of the proposed dataset regime reflects the reality of modern data analytics in the national security context: before you get the data there is often little means of determining its accuracy and definitive value, the privacy interests at stake, or how the data will ultimately be leveraged to advance an intelligence investigation. By that logic, any attempt to create a warranted regime for bulk data collection in the domestic intelligence context would invariably result in nothing more than a rubber stamp. Instead, by placing judicial control at the retention stage, establishing a higher threshold for use, mandating robust safeguards, and giving the review body some teeth, this bill may prove to be both constitutionally viable and operationally feasible.