CSIS May Have Breached Privacy Law When Collecting Geolocation Data, New Report Says

A sign for the Canadian Security Intelligence Service building is shown in Ottawa, Canada, on May 14, 2013. (Sean Kilpatrick/The Canadian Press)
Andrew Chen

A new report says the Canadian Security Intelligence Service (CSIS) may have violated a privacy law when it used new technology to pinpoint people’s geolocations without a warrant.

The National Security and Intelligence Review Agency (NSIRA) presented its first annual report on the Security of Canada Information Disclosure Act (SCIDA) to Parliament on Dec. 11.

Parliament enacted SCIDA in 2019 to promote the exchange of intelligence and national security information between federal agencies, and the NSIRA is required to submit an annual report to the Minister of Public Safety and Emergency Preparedness on disclosures made under SCIDA the previous year.

The report says CSIS may have violated Section 8 of the Charter of Rights and Freedoms, which protects against unreasonable search and seizure, when it used publicly available geolocation data to track criminal activities without a warrant. New technologies that collect bulk information and metadata may also gather information from ordinary citizens and intrude on personal privacy.

Generally, Canadian government agencies are required to engage the Department of Justice for legal advice, and must obtain necessary authorizations prior to using these data-collection technologies to ensure that they conform to privacy laws and Charter rights.

The NSIRA, however, found that the procedures are not always followed.

“On a few occasions in recent years, CSIS used new collection techniques without first fully understanding and addressing their legal and policy implications,” the report read.

“In these cases, legal and policy work lagged behind the operational imperative to maintain and improve collection capabilities. This risked—and at times compromised—the lawfulness of the collection activity and the privacy of Canadians.”

The NSIRA said the reason was that “the CSIS lacked the policies or procedures to ensure it sought legal advice to avoid unlawful use of the data.”

The report said the CSIS has also overlooked “multiple indicators” that using the geolocation data might have legal concerns, including internal discussions early on, when concerns about legal risk were raised.

When the agency identifies any national security or intelligence activity that does not conform to Canadian laws, it must report to the relevant minister, and the minister must then forward the report to the attorney general.

On March 16, the agency submitted a report to the Minister of Public Safety Bill Blair describing the possible unlawful activity. Blair has not yet made any comment.

CSIS spokesman John Townsend said the intelligence service identified possible legal risks and sought advice from the Department of Justice, but he did not say when the agency did so, reported The Canadian Press.

“As a result of advice from the Department of Justice, CSIS sequestered information collected by the tool so that an in-depth assessment could be undertaken to ensure that any collected information was lawfully obtained,” Townsend said.

“These examples illustrate how the adoption of new collection technologies also poses a challenge for review bodies, who must equip themselves with the technical expertise needed to ensure that the implications of the technologies being deployed are fully understood,” the report concluded.