The federal government is failing to protect the privacy of law-abiding Canadians under a sweeping new information-sharing regime, warns Canada's privacy watchdog.
Daniel Therrien tabled his annual report in Parliament today, flagging serious concerns about key elements of the anti-terror legislation brought in by the former Conservative government with the passage of Bill C-51.
The privacy commissioner said there was no proper evaluation before key parts of that law went into effect — and not enough oversight now to keep the new powers in check.
Therrien said he was alarmed to learn that federal agencies and departments did not carry out assessments on privacy impact — what he called a "key tool" to limit risk.
The Liberal government has promised to repeal "problematic" elements of the anti-terror legislation, and has struck a parliamentary committee to oversee the security provisions.
Legal standards required
Therrien called that a "positive first step," but said it falls short of what's really needed to protect Canadians.
In addition to more robust oversight, there must be high legal standards around information sharing, he said.
"In the recent discussion paper published by the government on how C-51 could potentially be amended, they don't talk about legal standards and I think that's an important weakness in the consultation process," he said.
A preliminary review of data from the first six months the Security of Canada Information Sharing Act came into force in August 2015 revealed a "limited use" so far, but Therrien warned the potential for large-scale sharing combined with technological advances could allow personal information to be "analyzed algorithmically to spot trends, predict behaviour and potentially profile ordinary Canadians with a view to identifying security threats among them."
The act expanded the exchange of federally held information about activity that "undermines the security of Canada."
Therrien said it could lead to sharing information about someone of interest to as many as 17 government departments and agencies with responsibilities for national security.
Therrien also raised the alarm about Canada's electronic spy agency downplaying the impact of potential security breaches from metadata, which is information that describes other data like email addresses or telephone numbers, but not the actual content.
"Metadata can, in fact, reveal very sensitive information about individuals' activities, associates, interests and lives," he said. "I must say here that in my view, it serves the interest of no one to downplay the significance of privacy breaches."
Communications Security Establishment Canada stopped sharing certain metadata with international partners earlier this year after discovering it had not been sufficiently protecting that information before passing it on.
The over-arching theme of Therrien's report is that regulation, laws and oversight are not keeping pace with fast-moving technology. He even pointed to potential privacy risks from health and fitness monitoring devices.