Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site : https://www.venice.coe.int/

Canada

1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?

The Canadian legal framework does not use or define the term “spyware”. We interpret “spyware” to refer to software that is installed or deployed on an electronic device and which enables the covert collection of data from that device. In Canada, this investigative technique is more commonly referred to as an on-device investigative tool or implant.
Canada has signed onto the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware.
There is no explicit prohibition on the use of on-device investigative tools or implants in criminal or intelligence investigations. The Canadian legal framework provides for judicial authorizations to conduct targeted investigations through the use of these tools. The collection of personal information by government institutions must also comply with applicable privacy legislation, such as the Privacy Act.

2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?

3. What kind of data, if any, could be collected with spyware?

In the criminal law context, pursuant to judicial authorizations, covert electronic surveillance tools can be deployed enabling the interceptions of private communications, transmission data and/or the acquisition of static data from electronic devices.

4. Has there been any official evaluation of the need for, or added value of, spyware?

The House of Common’s Standing Committee on Access to Information, Privacy and Ethics prepared a report about the Device Investigative Tools Used By The Royal Canadian Mounted Police And Related Issues. This report examines the benefits and risks of the use of on-device investigative tools and examines egislative and non-legislative measures that could be considered to better regulate these types of tools in Canada.
The Federal Court of Canada, in 2019 FC 141, addressed the legal basis for authorization the installation of implants on devices and identified associated search protocols to be used in association with them.

5.Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?

In both the criminal law and intelligence contexts, the courts authorize the use of targeted surveillance.

6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?

There are numerous oversight and review bodies in Canada for the activities of the security services. For example:
The National Security and Intelligence Review Agency (NSIRA) is an independent and external review body that reports to Parliament. NSIRA is empowered to review Government of Canada national security and intelligence activities to ensure that they are lawful, reasonable and necessary. Following a review, NSIRA may make findings or recommendations that is considers appropriate. NSIRA also investigates public complaints regarding key national security agencies and activities, as well as complaints related to security clearances. Following an investigation, NSIRA must provide a report containing findings of the investigation and any recommendations that it considers appropriate. Findings and recommendations made by NSIRA are non-binding.
The National Security and Intelligence Committee of Parliamentarians
(NSICOP) is a committee of Parliamentarians that has a broad mandate, including to review any activity carried out by a department that relates to national security or intelligence, unless the activity is an ongoing operation and the appropriate Minister determines that the review would be injuries to national security. NSICOP submits an annual report to the Prime Minister (which is then tabled in Parliament), which includes the findings and recommendations (non-binding) that were made during the previous year.
The Civilian Review and Complaints Commission for the RCMP (CRCC) is a legislated independent agency established under the RCMP Act that ensures that public complaints made about the conduct of RCMP members are examined fairly and impartially (except for national security complaints, which are referred to NSIRA). The CRCC also has the authority to conduct reviews of specified RCMP activities for the purpose of ensuring accordance with legislation, regulation, ministerial direction, or RCMP policies, procedures or guidelines. The CRCC can make findings and recommendations (non-binding). Note: there is a Bill (C-20) currently before Parliament that would replace the CRCC with a new Public Complaints and Review Commission under separate legislation.
The Office of the Privacy Commissioner of Canada (OPC) is independent of government and reports to Parliament. The OPC oversees compliance with the federal Privacy Act. The OPC can investigate complaints received from individuals relating to how government institutions handle individuals’ personal information, and it can also at its own discretion carry out investigations to ensure that government institutions are complying with their collection, retention, use and disclosure obligations in respect of personal information. While the OPC can make findings and recommendations, it cannot force a government institution to take any specific action.
The recommendations of the above bodies are not legally binding.

7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individual targeted by measures of targeted surveillance?

In the criminal law context, sections 196 and 196.1 of the Criminal Code provide requirements for after-the-fact written notice to be provided to persons whose private communications have been intercepted pursuant to an authorization or in warrantless situations of urgency where there is imminent risk of harm. Further, while not a “notification mechanism”, the constitutionally required disclosure process in criminal proceedings may also provide information to an accused person about investigative measures that were taken against them during the course of a criminal investigation.
Individuals are free to make complaints to the above-noted oversight/review bodies, or may challenge the actions of investigative agencies in court.