Remarks to the Standing Senate Committee on National Security, Defence and Veterans Affairs - November 18, 2024

The Honourable Simon Noël, K.C., Intelligence Commissioner

November 18, 2024

Check against delivery

Thank you, Mr. Chair, and Senators for the invitation.

My comments today are informed by my legal and judicial background, including my time as Designated Judge of the Federal Court, and by my experience as Intelligence Commissioner – which I will refer to as the IC.

In one sentence, my mandate as IC is to approve, or not, certain national security activities planned by the Communications Security Establishment (CSE) and Canadian Security Intelligence Service and authorized by their respective ministers.

In that sense, the IC fulfills an oversight role, as opposed to a review role. My approval is required before the activities can be conducted. The IC’s approval is necessary because the activities the Minister authorizes may be contrary to the law or breach the reasonable expectation of privacy of Canadians. My job is to ensure that the Minister has struck an appropriate balance between the national security objectives on the one hand, and the Charter and important privacy rights on the other.

I support the objectives of the bill. In the context of my work, I see the usefulness and benefits of a national approach for the effective governance of cybersecurity activities. However, I have a few comments to share.

As IC, I must approve, among other things, ministerial cybersecurity authorizations for non-federal entities that have been designated as being of importance to the federal government. Examples include the health and energy sectors.

A non-federal institution may request cybersecurity assistance or support from CSE. If the cybersecurity activities that CSE wishes to undertake in support of the non-federal entity could contravene legislation or lead to the collection of information that infringes on the privacy of Canadians, the Minister must authorize the activities. I must then approve the ministerial authorization.

When I review ministerial cybersecurity authorizations, my primary concern is that the breach of privacy rights is justified, which means that it is necessary and proportionate, and that there are adequate measures in place to limit any impact on the privacy of Canadians.

CSE does not target the collection of personal information of Canadians when it conducts cybersecurity activities. However, there can nevertheless be a reasonable expectation of privacy even in technical information – as confirmed by the Supreme Court of Canada[1].

In my experience as IC, when CSE conducts cybersecurity activities, there will be the collection of information in which there is a reasonable expectation of privacy. This means there is effectively a seizure of private information. If I approve the ministerial authorization, it is because the correct balance has been struck.

Certain elements of Bill C-26 highlight how the treatment of ministerial orders are different than in the context of the CSE Act where the IC plays a role.

In Bill C-26, there is no pre-approval of activities where those activities may be contrary to the law. In particular, there are two areas I want to highlight for your consideration:

·         First, the proposed section 15.4 of the Telecommunications Act allows the minister to essentially compel the production of any information in support of orders. This information could include personal information – which under broad exceptions, could then be widely disclosed.

·         Second, as you have heard other witnesses say, part 2 allows for the regulators to carry out the equivalent of unwarranted searches – where again, personal information could be collected.

The glaring absentee in these situations is the Canadian public. It’s Canadians’ personal information that could be collected.

Whether under Part 1 or Part 2, the CSE will play a vital role and will be the holder of this information, in a technological form or otherwise, which will contain elements for which we have a reasonable expectation of privacy.

In light of the invasive nature of the Bill, it is important that meaningful safeguards be part of it so that Canadians have confidence in the cybersecurity system.

I’ll be happy to answer any questions.

 

[1] R. v. Bykovets, 2024 SCC 6

Page details

Date modified: