Media Centre

Privacy Law Reform:  Responding to a Networked World

McCarthy Tétrault Speaker Series

February 3, 2005
Halifax, Nova Scotia

Address by Heather Black
Assistant Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)

Canadians need to reflect seriously about the impact of information technologies on their lives. They need in particular to examine the impact of those technologies on the fundamental human right we call privacy. This forum provides one important opportunity to do just that.

We are taking the opportunity of being asked to participate in this prestigious lecture series to outline our concerns about the existing framework for the protection of personal information in Canada. In particular, I will outline why we think the legislative status quo is no longer adequate because of developments in global outsourcing, new security legislation and e-government — to name just a few of the challenges to informational privacy.

Canada's federal Privacy Act came into force in 1983 — a mere 22 years ago in calendar time, but eons ago in terms of information technology. When the Privacy Act was being debated and drafted, the public Internet did not exist. "Google" sounded like something that a baby might do. The "supercomputers" of the era — if they could even be called that by today's standards — would now be laughed off the block. In short, many of the technologies that pose such significant threats to privacy now did not exist then. The surveillance potential of digital video, linked networks, global positioning systems, black boxes in cars, genetic testing, biometric identifiers and radio frequency identification devices (RFIDs) was still the stuff of science fiction.

The Privacy Act, and its much younger private sector sibling, the Personal Information Protection and Electronic Documents Act, face a world characterized increasingly by the term "globalization," with extensive outsourcing of personal information processing and storage by both governments and the private sector.

The federal Privacy Act and our private sector data protection laws also come from another era in another important sense. Both laws were enacted before the events of September 11, 2001. The thirst for personal information, the thirst to aggregate this information, the thirst to analyze this information, have increased dramatically since the events of that day as have government attempts to justify access to our personal information. How information technologies are used will decide whether they become anything else but the villain in relation to the evolution of privacy.

We aspire to live in an open and democratic society that shows respect for fundamental human rights. Increasingly, the highly interrelated environment in which we live and our relations with other democratic societies, subordinate information rights to a global security agenda.

True, Canada is a signatory to several international instruments that stress the seminal importance of privacy. The Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, both speak of the right to the protection of the law against arbitrary interference with privacy. Our own Supreme Court is gradually fleshing out a privacy right through the Charter of Rights. But amidst all the advances in information technology, all the developments relating to globalization, all the pressure to increase surveillance in the name of national security, and the institutionalization of a climate of fear, we are still left with the same tired, misleadingly named, and often inadequate public sector data protection law.

It is important to understand the limitations of the federal Privacy Act. The Act encapsulates a broad set of "fair information practices" that have been developed over the years by the international data protection community. The Privacy Act is essentially a regulatory statute that puts some order into the ways that federal government institutions collect, use and disclose information about individuals, and how individuals can gain access to information. The Privacy Act is meant to place checks and balances on the power of the government.

But it is not truly a law that provides extensive protection to privacy. It is not toothless, but often the best it can do is gum vigorously at threats to privacy.

Let's not forget the impact on individuals when federal government institutions collect, use and disclose personal information about them. We may frequently consider the actions of government as simply "administrative," but those administrative actions can have profound effects on the way we lead our lives, the services to which we are entitled, the benefits we may receive, and sometimes even the liberties we enjoy.

There have been ample opportunities to make the Privacy Act more relevant to our technological reality and our modern world. In 1987, a House of Commons committee recommended substantial changes to a Privacy Act that was then less than five years old.

Eight years ago, in 1997, another House of Commons committee recommended a substantial overhaul and strengthening of the Privacy Act. The committee's report spoke of the danger posed by blindly joining behind a steady march of what some might term technological "progress." It also advocated what we might call "truth in advertising" by recommending that the Privacy Act be renamed to reflect what it truly is — legislation regulating the handling of personal information, but not a comprehensive privacy law covering all aspects of privacy.

The earlier, 1987, Commons committee recommended that in the area of what was called "computer-matching", the Privacy Act be amended to ensure that the linking of personal records was conducted only when demonstrably necessary and under the continued vigilant oversight of the Privacy Commissioner of Canada. This recommendation has fallen on deaf ears. A similar recommendation proposed by the 1997 committee has also met with silence. Yet it is this linkage, this aggregation of personal information, that some argue poses one of the greatest privacy threats we face today.

In fact one of the few attempts to amend the Privacy Act came, not out of a sense of wanting to enhance privacy, but rather to diminish it.

In its initial form, the Anti-terrorism Act would have allowed the Attorney General to issue a certificate in national security or national defense matters that would effectively exclude the application of the Privacy Act. Fortunately, that provision was significantly changed to allow continuing oversight by the Privacy Commissioner.

Too little has changed with the Privacy Act, while much needs to change. The Personal Information Protection and Electronic Documents Act (PIPEDA) is less deficient in this regard, since it was enacted in the digital era, although it could not anticipate the growing pressures after September 11 to allow private sector databases to be used as part of the surveillance apparatus of the state.

Let me highlight some of the most important deficiencies in the Privacy Act.

When it was first enacted, the Privacy Act was set up to be a data protection law based on each government department holding its information separately and predominantly in paper-based filing systems. Yet now automated data bases can be shared with what sometimes appears to be little more than legislative whim. In 2000, the Federal Court of Appeal¹ issued an important decision that showed the very limited utility of the federal Privacy Act in controlling the onward disclosure of information collected for one purpose so that it can be matched with other data.

The Court of Appeal concluded that the disclosure provision — section 8 — of the Privacy Act enables Parliament to confer on any Minister through a given statute a wide discretion to disclose information collected by the Minister's department. The Court of Appeal did not accept the argument that the Privacy Act requires that personal information be disclosed only for the purpose for which it was collected or for a use consistent with that purpose. It found that the Privacy Act allows personal information under the control of a government institution to be disclosed for any purpose in accordance with any Act of Parliament or regulation that authorizes its disclosure. The following year, the Supreme Court of Canada stated that it "agreed substantially" with the Federal Court of Appeal's interpretation of the Act.

I am particularly troubled by the lack of effective controls in the Act on transborder data flows. There has been a steady increase in the transfer of personal information from government to government, particularly since September 11, and from government to companies abroad for processing — the consequences of globalized economies. The Privacy Act contains nothing to impose safeguards on third parties who hold and process personal information about Canadians. There are, at the present time, no binding federal Treasury Board policies in this area, though some developments in that area are being considered. The Privacy Act should contain specific wording defining the responsibilities of those who transfer personal information outside the federal public sector and indeed, outside Canada.

We also need to address the impact of the USA PATRIOT ACT, and outsourcing in general, on personal information in the hands of the Canadian private sector. This issue came to a head with the review undertaken by BC's Information and Privacy Commissioner of the privacy implications of the USA PATRIOT ACT for personal information about Canadians. That law greatly increases the ease with which the FBI can get access to personal information held by companies in the United States, including information held there about Canadians. Canada already has extensive information sharing agreements with the United States at the governmental level, so the USA PATRIOT ACT may do little to change the dynamics of information flows between the Government of Canada and US agencies. However, the simple decision by a Canadian company to send personal information to the United States for processing may effectively nullify the privacy protections introduced by our private sector data protection legislation, PIPEDA — this, in spite of the principle of PIPEDA which states that Canadian organizations are responsible for personal information that has been transferred to a third party for processing. Canadians, who feel they have a reasonably sound mechanism for protecting their personal information in the hands of organizations in Canada, will no doubt be dismayed to learn that those protections often vanish if those organizations transfer their personal information abroad.

Data matching is a continuing concern. The Privacy Act does not specifically discuss data matching. Treasury Board guidelines require departments to submit data-matching proposals to our office for our review and comments, but this rarely happens. Given the intrusive nature of data matching, it is our view that the duty to report it should be set out in law.

Another significant problem with the current Privacy Act lies in its subordination to other legislation. As you may know, PIPEDA takes primacy over subsequently enacted legislation, unless Parliament expressly declares otherwise. However, the Privacy Act contains no such provisions. It certainly should. The Privacy Act should prevail over any other Act that does not contain an express notwithstanding clause. That would in part compensate for the lack of an express constitutional right to privacy.

The Privacy Act also gives the Privacy Commissioner of Canada only the powers of an ombudsman, with no powers of enforcement. Models in several other jurisdictions, both in Canada and abroad, give powers of enforcement. It is time to review the merits of such powers for the Privacy Commissioner of Canada.

There are many other deficiencies in the Act. I will not explore them in detail here. They include overly broad exceptions to the right of access to one's personal information held by government, the failure of the Act to cover several important federal institutions, including Parliament limited redress to the courts, and the lack of effective limits on the collection of personal information by government in the first place.

I have painted a rather bleak picture of our federal Privacy Act. I can assure you that I will be much more positive about the privacy of Canadians if the Act is strengthened in the ways I have identified.

While we're on the topic of Privacy Act reform I want to explore one additional issue that has become increasingly germane in the era of e-government, or Government On-Line as the federal government calls it.

That is the tension between the traditional method of protecting personal information through what are called data silos, and the thrust of e-government for the pooling of personal information.

Those concerned about protecting privacy have long maintained that keeping personal information in distinct databases, or data silos, helps protect against its misuse. The data silo compartmentalizes the information. This helps protect against someone — a government employee, for example — getting access to more information about a citizen than the employee needs for his or her work.

The importance of data silos can be seen, in a backhanded way, by examining the attempt by the US Defense Advanced Research Projects Agency (DARPA) a few years ago to explore a scheme first entitled "Total Information Awareness." Former US President Clinton's privacy adviser, Professor Peter Swire, offered a stinging critique² of Total Information Awareness, a research project that he likened to a "vacuum cleaner for government, public-record, and private databases." A public outcry led to the denial of funding for the program, but some privacy advocates expect it to appear in another guise.

Maximizing information sharing among US government agencies would be accomplished in part by ending data silos — an implicit but clear recognition that data silos are an impediment to total surveillance and an equally clear recognition that data silos protect privacy.

Data silos are not a perfect means to protect privacy. They result in the duplication of personal information, as various government agencies need to collect the same personal information about an individual. But they have largely been seen as a protection against intrusive governments.

Unfortunately, data silos are antithetical to notions of e-government, or "Government On-Line". And we know that e-government is a major focus across Canada. The October 1999 Speech from the Throne set a goal of making the federal government "the most connected to its citizens," so that Canadians could obtain access to all government information and services on-line. Atlantic Canada On-Line, an alliance formed among the four Atlantic Canada provinces, has similar goals.

E-government will almost inevitably result in the greater pooling of personal information to enhance cooperation and coordination between government agencies that have common programs. This can translate into less redundancy of information holdings and greater government efficiency. But can Canadians still be protected against the misuse of personal information by their governments? The most recent attempt to align laws and technological realities can be seen in Quebec where the government has recently introduced Bill 86, amending the Access to Information legislation to facilitate e-government and to provide threshold standards for outsourcing data, among other things.

I suggest that we may be able to accept the pooling of information characteristic of e-government, yet not surrender in terms of privacy. But the fact of e-government provides all the more reason for a more effective privacy framework, one that requires a higher level of justification for collecting personal information in the first place, and stricter adherence to the principle that personal information should only be used for the purposes for which it was collected.

Professor Pierre Trudel of the Université de Montréal³ argues that privacy can be protected even in this networked world of government, but says that doing so will require a significant shift in our privacy rules. The focus will no longer be on whether a particular piece of personal information is in possession of a government institution, since that information will effectively be in possession of all the institutions in the network, but on whether an institution should have the right to obtain access to that information to make a decision.

In other words, privacy can be accommodated in a system of pooled personal information if the legal framework more tightly regulates the conditions under which each agent of the state can obtain access to that information. Instituting more effective controls on access by government institutions to this pool of information will help ensure that information is used only for the purposes for which it was obtained.

The focus will not be entirely on access. There must also be more effective limits on the collection of personal information in the first place — something woefully lacking in our current Privacy Act. In a world of pooled information, it will be necessary to justify the collection of all personal information. This means that the purposes for which the information will be used must also be clearly articulated.

This system will need to be transparent, to ensure the trust of the citizens. And it will require that each institution that may have access to the pooled information is considered the legal holder of the information. As a result, each institution would share responsibility for protecting the confidentiality of the information. The legal framework governing the pooled information would also compel each institution to introduce measures to ensure the security of personal information.

This is only part of the picture of how we might effectively protect privacy even in an environment where data silos give way to pooled personal information. Even from this preliminary picture, you can see that protecting privacy in this world of e-government and pooled information requires a much more stringent set of privacy laws than we now have.

E-government is upon us. Couple this with the increased ability to intrude that flows from other advances in technology, and the growing pressure to intrude that arises from the current climate of fear driving many governments, and you have a compelling case for an immediate and dramatic strengthening of our federal privacy laws. But despite this, despite calls for reform by Commons committees 18 years ago, and repeated eight years ago, despite calls for change by privacy advocates, nothing of substance has changed with our federal Privacy Act. If we are serious about protecting our privacy, we really can't afford to wait any longer.

In this context, the Commissioner and I were encouraged to meet with the Honourable Irwin Cotler, Minister of Justice to discuss a reform agenda for the Privacy Act. As a result, a working group composed of officials from the Department of Justice and our office has begun discussions on possible reforms.

Canada rightly prides itself on its Charter of Rights and its reputation as a rule-based society. In the information age, it is time to articulate our information rights in more compelling ways by giving ourselves a modern legislative framework adapted to the realities of technology, globalization and electronic government.

¹ Re Privacy Act (Can.) [2000] 3 F.C. 82; Privacy Act (Can.) (Re), [2001] 3 S.C.R. 905, 2001 SCC 89.
² Professor Peter Swire, former Chief Counselor for Privacy, "Critiquing the Idea of Total Information Awareness", address to International Association of Privacy Officers, February 27, 2003.
³ Pierre Trudel, « Renforcer la protection de la vie privée dans l'État en réseau : l'aire de partage de données personelles, » Revue française d'administration publique n° 110, 2004, pp. 257-266. Professor Trudel notes that his analysis is not intended to deal with the collection and use of information by police forces.