Chapter 9: Government Surveillance, Cybersecurity and Cyber Operations

HTML VERSION

Chapter 9:
Government Surveillance, Cybersecurity and Cyber Operations

I. Introduction

The National Security Act, 2017 (“NSA 2017”) was passed as law in June 2019, and has accomplished the following:

• established the National Security and Intelligence Review Agency (“NSIRA”);
• clarified how the existing Communications Security Establishment (“CSE”) functions under the new national security framework; and
• established an independent Intelligence Commissioner.

[See National Security Act, 2017; Orders in Council, PC 2019-1088 and 2019-1091.]

These elements of the new national security framework are material to government foreign intelligence surveillance, cybersecurity, defensive cyber operations, and active cyber operations.

II. Bodies and Offices Under the New Framework

This section provides an overview of the NSIRA, CSE, and Intelligence Commissioner.

The NSIRA’s general purpose is to oversee the national security and intelligence activities of various government bodies, and to investigate complaints. One of its key functions is to submit an annual report to the Prime Minister on CSE and CSIS activities. The Prime Minister must thereafter make such reports public before Parliament. In certain cases, NSIRA must also submit reports to the Intelligence Commissioner. The NSIRA’s membership is appointed by the Governor in Council, in consultation with the Prime Minister and others. It may furthermore coordinate its efforts with the OPC, and can demand information relevant to its mandate from FINTRAC.

[See NSIRAA, ss.4(1)-(2), 8(1), 15.1, 32-40; ICA, s.24; Privacy Act, ss.37(5), 64(3) (added by NSA 2017, ss.37.1-37.2); PCMLTFA, s.53.4.]

The CSE is Canada’s agency and authority with respect to intelligence of electronic signals, and cybersecurity for government and other critical computer networks. The mandate of the CSE includes foreign intelligence gathering, cybersecurity, and taking online protective action inclusive of “defensive” and “active” cyber operations. The CSE may also receive information from FINTRAC in respect of money laundering and terrorist financing investigations. Its foreign intelligence and cybersecurity actions are subject to authorization by the National Defence Minister (the “Minister”), as well as the Intelligence Commissioner in non-emergency situations. The CSE’s cyber operations (“defensive” and “active”) only require authorization by the Minister, who must issue the authorization in consultation with the Minister of Foreign Affairs.

[See CSEA, ss.15-21, 28-30, 40; PCMLTFA, s.55(3)(f) (added by NSA 2017, s.88).]

The Intelligence Commissioner reviews Ministerial decisions on intelligence gathering and cybersecurity activities—but not the CSE’s cyber operations—with due consideration placed on privacy interests. He or she also has a broad power to receive “any information”—which presumably includes personal information—from various bodies including the CSE and CSIS. With regard to the Commissioner’s reporting obligations, every review of a Ministerial decision must be reported to the NSIRA. In addition, the Commissioner must submit an annual report to the Prime Minister on his/her activities, and that report must thereafter be made public before Parliament. The Commissioner’s role is quasi-judicial in nature, and can only be filled by a retired Superior Court judge.

[See ICA, ss.4(1), 12-22, 25.]

III. Constitutional Law Discussion

As described in subsection II of Chapter 1, the right to privacy has a “quasi-constitutional” status in Canada. The powers of the new CSE have the clear potential to erode various constitutional rights, namely the following within the Canadian Charter of Rights and Freedoms (“Charter”):

• freedom of expression;
• right to life, liberty, and security of the person; and
• right to be secure against unreasonable search or seizure.

[See Canadian Charter of Rights and Freedoms, ss.2(b), 7, 8; DOJ Charter Statement (June 20, 2017); Jones v. Tsige, 2012 ONCA 32 at paras. 39-46; R. v. Jarvis, 2019 SCC 10 at paras. 57-68; OPC, “Resolution of the Federal, Provincial and Territorial Information and Privacy Commissioners” (Oct 1-2, 2019).]

The potential for constitutional infringement has been acknowledged by Parliament through legislation. The Charter is referenced in the preambles of the NSA 2017, CSEA, and CSISA. For good measure, the Charter is also referenced in the bodies of the CSEA and CSISA.

[See NSA 2017 at Preamble; CSEA at Preamble, s.22(1); CSISA at Preamble, ss.12.1(3.1), 20.1(22).]

In order to balance the new surveillance, cybersecurity and cyber operation powers with existing constitutional rights, the CSE is explicitly prohibited from:

• directing its activities at a Canadian or any person in Canada;
• infringing the Charter;
• directing a cyber operation at any portion of the global information infrastructure in Canada;
• launching a cyber operation without valid Ministerial authorization;
• contravening another Act of Parliament; and
• obtaining information contrary to the reasonable expectation of privacy of a Canadian or a person in Canada.

However, except for the requirement of Ministerial authorization, all of these prohibitions are subject to stipulated exceptions. The constitutional complexities begin here.

[See CSEA, ss.22-23.]

In addition to the stipulated exceptions, the CSE may also have various tacit grounds for exceptions. For example, the CSE is statutorily justified to perform certain acts that “would otherwise constitute offences.” Moreover, any of the CSE’s authorized activities can expressly be carried out “despite any other legislation of Canada or a foreign state.” Execution of an authorization is immune from liability, short of causing death, bodily harm, obstruction of justice, or obstruction of democracy (when the authorization is for a cyber operation).

[See CSEA, ss.3, 22(4), 26-30, 32(1), 49-51. See also CSISA, s.20.1 (added by NSA 2017, s.101).]

There are protections afforded to Canadians, and any person in Canada, with respect to publicly available personal information, and incidentally acquired personal information. Case law suggests that these protections would extend to aggregated data in pools. However, by statute, such protections do not apply in the presence of the Minister’s cybersecurity authorization, when such authorization is in “furtherance of the cybersecurity and information assurance aspect of [the CSE’s] mandate.”

[See CSEA, ss.21(1), 22(4), 23(1)(a) and (4), 24, 27; BC v. Philip Morris Int’l, 2018 SCC 36 paras. 24-26.]

Moreover, in emergency situations, a CSE authorization for foreign intelligence gathering or cybersecurity can be obtained from the Minister orally, without any requirement for prior review by the Commissioner. Such emergency authorizations are valid for only five days, but may still have a considerable impact on privacy interests. For example, an emergency may provide grounds for the CSE to intercept sensitive communications, and thereafter disclose those sensitive communications to “any appropriate person”. Notably, this emergency power can apply to communications made with a reasonable expectation of privacy.

[See CSEA, ss.40, 42-46; Criminal Code, s.183 “private communication”.]

While the express and tacit derogation of privacy interests have yet to be tested under the Charter, the prospect of unjustified infringement is clear. Moreover, the prospect of unjustified infringement is bound to increase, since:

• all Canadian private commissioners have recently signed a joint resolution to pressure their governments to increase privacy law protections; and
• increased privacy protection by statute will ostensibly increase the net level of constitutional protection afforded to privacy interests.

[See OPC, “Resolution of the Federal, Provincial and Territorial Information and Privacy Commissioners” (Oct 1-2, 2019); Jones v. Tsige, 2012 ONCA 32 at paras. 39-46.]

IV. Conclusion

There is limited precedent on many constitutional law issues in the context of privacy, big data and national security. However, the grounds for challenging a cyber surveillance operation are becoming clearer and stronger as privacy law reform takes place. Whether a Charter infringement exists—and is justified—are questions that should be argued by legal counsel familiar with Charter and government surveillance jurisprudence.