By Asha Sivarajah

May 8, 2024

Data is the new gold; not just for Big Tech, but for law enforcement agencies as well.

While it is widely known that Canadian law enforcement agencies have been contracting third party data collection and AI tools to assist in their investigative efforts, little is known about how these tools are vetted. Earlier this year, the Office of the Privacy Commissioner released the results of its investigation into the RCMP’s Project Wide Awake (PWA), with findings focusing closely on the RCMP’s use of Babel X from U.S. ‘threat-intelligence’ company Babel Street. Babel X scrapes online data from password-protected sources, including social media accounts and location-based applications. In his report, Commissioner Dufresne found the RCMP’s use of Babel X failed to meet transparency obligations under the Privacy Act.

The alarm bells on Babel X were rung in 2020, when a complaint was lodged to then Privacy Commissioner Daniel Therrien. The RCMP ultimately did not implement the Commissioner’s recommendations to “cease collecting personal information from sources that required logins until it completed a compliance review with Canada’s privacy laws.” From 2016-2023, the RCMP has paid out $1.6 million dollars to Babel Street in contracts.

While the RCMP has the authority to collect personal information without the knowledge or consent of those involved, they are required to avoid unwarranted surveillance. These concerns were already addressed in the Commissioner’s previous investigation into the RCMP’s use of facial recognition software Clearview AI.

Recent fallout over Babel X begs the question, do we already have the tools to build transparency around public surveillance, and if so, why aren’t we using them?

When it comes to online surveillance, there must be accountability mechanisms that extend to public institutions to ensure that the right to privacy is meaningfully upheld.

As Canada’s Bill C-27 makes its rounds in the House of Commons with substantial improvements to consumer privacy protections, similar efforts must be made to embolden the privacy rights of citizens from public institutions. Under the Privacy Act, the Commissioner holds investigative powers over the federal government’s use of personal information, but does not have the authority to issue binding decisions. Independent privacy regulators are only as powerful as the law that governs their authority.

The EU’s 2018 General Data Protection Regulation (GDPR), which is considered the ‘gold standard’ for privacy legislation, provides a compelling framework to safeguard the misuse of personal data by government bodies. Under the GDPR, data protection authorities can temporarily or permanently ban public bodies from conducting data collection practices if they are found to violate the legislation. In certain EU countries, governments may also be subject to administrative fines for breach of the GDPR.

A softer approach can be seen in Switzerland’s 2023 Federal Data Protection Act. Under the act, the Data Protection and Information Commissioner (FDPIC) has the power to issue binding decisions over the data collection practices of government bodies. The FDPIC, however, cannot levy fines. The accountability mechanisms and elevated powers of privacy regulators in both laws outline a path towards embedding privacy rights into public-sector operations.

When it comes to online surveillance, there must be accountability mechanisms that extend to public institutions to ensure that the right to privacy is meaningfully upheld. Canada’s Privacy Commissioner should have the authority to issue moratoriums, or ‘pauses’, on open-source intelligence gathering tools used by law enforcement until proper judicial reviews can be conducted and recommendations can be implemented. Similar to the GDPR, the Commissioner should be granted the authority to permanently ban third-party tools that fail to comply with Canada’s privacy legislation.

Beyond legal reform, there needs to be more participatory engagement in setting the digital policy agenda – especially when it comes to online surveillance. This includes engagement with academics and civil society organizations who are aware of how open-source data collection and automated decision-making in policing can have disparate impacts on historically marginalized groups.

The mere existence of the Privacy Act – and an independent regulatory body to oversee its implementation – signals just how far we’ve come as a country to empower our institutions to be as transparent and effective as possible. But if we want to instill trust in our public institutions, there is still more to be done.

Asha Sivarajah is a Master of Public Policy candidate at the Max Bell School of Public Policy at McGill University, with prior experience at the Canadian International Council (CIC) and as a researcher in El Salvador. Asha now seeks to leverage her research and advocacy experience to design policies that help advance human rights protections, particularly in the data & technology sector.