'Difficult to determine' scope of privacy breach in Five Eyes data sharing

It's impossible to know how many Canadians had their personal data shared by the country's electronic spy agency in a metadata glitch, according to its watchdog.

Jean-Pierre Plouffe, commissioner of theCommunications Security Establishment (CSE),told a Senate committee Monday thatdata wereerased from the agency's system, making it difficult to find out the number of people impacted.

"It is impossible to know the exact figure.After a certain amount of time, data disappears. They have a deadline after which system data is deleted."

• Canada's electronic spy service to take more prominent role in ISIS fight
• Canada's electronic spy agency stops sharing some metadata
• CSE worried about how its use of Canadian metadata might be viewed

A month ago, Plouffe tabled his annual report in the House of Commons, revealingfor the first time that CSE illegally and unintentionally shared metadata with Canada's Five Eyes intelligence allies: the United States, United Kingdom, Australia and New Zealand.

That data may include Canadians' personal information, including phone numbers or email addresses, but not the content of emails or recordings of phone calls.

"It's not accidental," Plouffe said in an interview about the CSE breaking the law. "It's because of a lack of due diligence."

Metadata is information associated with communication that is used to identify, describe or route information. CSE is supposed to monitor only foreign communications for intelligence that may be of interest to Canada.

If the spy agency comes across Canadians' information, the law requiresit todelete the data from its systems.

No idea how longproblem lasted

The commissioner said CSE disclosedthe metadata glitch as it prepared its 2014 annual report.

"When they discovered it, they didn't know for how long the problem existed," said Plouffe, who still doesn't know if the glitch lasted months or years.

When Conservative Senator Claude Carignan asked "How many Canadians were affected by this error?" the commissioner could not answer.

Plouffe explained that the spy agency intercepts millions of pieces of metadata each year. But it erases data after a certain deadline to make room in the system.

"It is very difficult to determine the number of Canadians affected," said Plouffe.

'First CSE non-compliance'

This is the first time the commissioner has saidhis office has ever discovered a non-compliance issue with CSE.

Plouffe says even if Canada's intelligence allies did receive some Canadianinformation, theoretically they should not act upon it, according to the policy.

All of the Five Eyes partners' data is stored in Washington. Plouffe checked with the U.S. National Security Agency inJanuary 2015and was told it wasn't aware of any Canadian's personal information being compromised.

• CSE monitors millions of Canadianemailsto government
• CSE: What do we know about Canada's eavesdropping agency?

However, Canada has stopped sharing certain metadata with international partners. Defence Minister Harjit Sajjan said last month that sharing won't resume until he's satisfied that the proper protections are in place.

Unacceptable 'from A to Z'

Ontario's former privacy commissioner,Ann Cavoukian, says CSE never should havecollected the metadata in the first place and wants the practice to end.

"It has been illegally collected," said Cavoukian. "It's unscrupulous they're doing this...The whole thing from A to Z is unacceptable."

Cavoukian questions how it's possible that the metadata isn't tracked.

"I just think it's unconscionable that they have no idea how much metadata has been collected, where it is and they're saying now it's all deleted.That's irresponsible."

In an email, a communications adviser said the federal privacy commissioner's officeis in discussions with CSE and can't comment further at this time.

"We wanted to follow up to seek further clarity on the issues raised in the report, including how much personal information of Canadians was involved and what ultimately happened to the information, and whether appropriate protective measures were taken," wrote spokeswomanTobi Cohen.