Lisa M. Austin is an associate professor in the University of Toronto Faculty of Law.
Last week Prime Minister Harper announced the nomination of Daniel Therrien for Privacy Commissioner of Canada. The only specific privacy qualifications that the Prime Minister’s Office has disclosed concern Mr. Therrien’s role in negotiating the privacy principles governing the Canada-U.S. Beyond the Border Accord.
Some key elements of this agreement are worth pointing out. According to the December 2011 Action Plan, one of the aims is to better integrate cross-border law enforcement, notably in relation to national security threats. At the same time the document indicates respect for the “separate constitutional and legal frameworks that protect privacy, civil liberties, and human rights” and also recognizes “the sovereign right of each country to act independently in its own interest and in accordance with its laws.”
The model, in other words, is to embrace information sharing for law enforcement but to leave the protection of privacy and civil liberties to domestic law.
Why is this important?
First, it is not clear that our domestic privacy laws are strong enough to protect Canadians in relation to cross-border data sharing. The federal Office of the Privacy Commissioner of Canada said as much in its submissions to the government’s public consultation on the Beyond the Border accord. The OPC explicitly called for the strengthening of the Privacy Act in order to ensure proper safeguards relating to disclosures of personal information to foreign governments.
Second, the joint statement of privacy principles is not binding and does not give rise to any “rights or obligations.” After the Arar Commission, Canadians are well aware of the need for proper oversight and accountability in relation to cross-border information sharing, and they should demand it.
Third, the joint statement allows for exemptions for the purposes of national security and law enforcement. These are worrisome loopholes if the joint statement is meant to guide a program aimed at information sharing for the purpose of enhanced security and law enforcement.
But even more important than these defects, the model of leaving privacy protection to domestic law is deeply flawed because it allows authorities to leverage differences between domestic legal systems in order to collect and share more information with fewer protections.
A great deal of Canadian communications data is subject to U.S. domestic law. This is because a lot of our Internet traffic is routed through the United States, and also because many Canadians embrace U.S.-based cloud computing and so have their data stored on U.S. servers. American domestic laws – like the controversial FISA 702 authority that allows for warrantless access to the data of non-U.S. persons – do not protect Canadians to the same extent as Canadian law.
It gets worse.
This past fall, Justice Mosley at the Federal Court of Canada released a partially redacted decision regarding the Canadian Security Intelligence Service, Canada’s spy agency, getting assistance from Communications Security Establishment Canada, Canada’s electronic-intelligence agency, for its surveillance. It is clear from this decision that both CSIS and CSEC were operating with legal advice from the Department of Justice that suggested that, for example, CSEC “could request that a foreign agency do within its jurisdiction that which CSIS and CSEC could not do in Canada without a warrant.”
What does this mean? It means that Canadian authorities apparently think they can ask U.S. authorities to spy on Canadians so long as this happens within U.S. jurisdiction according to U.S. domestic law, even when this law is less protective than our own domestic standards. This seems to be the position of the very Department of Justice where Mr. Therrien has served his entire career, the last nine years of which he has been Assistant Deputy Attorney General, Public Safety, Defence and Immigration Portfolio.
It looks like the privacy principles that Mr. Therrien helped to negotiate ensure that Canadian legal standards do not follow Canadian data when it crosses the border. This is not privacy-protective but rather privacy-destructive. And if his involvement in the Beyond the Border Accord is the main evidence of a commitment to privacy that Prime Minister Harper can offer then he is indeed signaling quite unequivocally that the Government of Canada does not care about privacy.