Conference on Law and Contemporary Affairs
University of Toronto

Privacy in the Information Age: an Oxymoron?

January 26, 1995
Toronto, Ontario

Bruce Phillips
Privacy Commissioner of Canada

Discussing privacy and technology in the same breath reminds me of an analogy once drawn about Canada's relationship with the United States. It is like a mouse sleeping next to an elephant. You hope the elephant doesn't roll over. Sometimes, rather than simply rolling over, technology positively clamours to dance on privacy's head. Nowhere is this more evident than in our recent history of employee monitoring, government and private sector data matching, zealous telemarketing, surveillance cameras on street-corners, smart cards, scanners and sophisticated tracking devices.

Of course, much technology is not evil. It can be and is used for the good of humankind. However, technology, if applied unwisely, carelessly or with malevolence, can quickly destroy privacy, a vital component of the human rights that all democracies profess to cherish. And the force with which technology and the commercial forces behind it confront privacy is enormous.

Privacy is not simply an abstract notion that intrigues academics, confounds their students, but matters to no one else. Intrusions into our personal lives have concrete, real-world consequences. They shape how we lead our lives. The limits of our personal privacy define in large part the limits of our freedom. As Mr. Justice La Forest stated in the Supreme Court's 1990 Duarte decision, "it has long been recognized that this freedom not to be compelled to share our confidences with others is the very hallmark of a free society".

What is privacy? In one sense, it means protection against physical intrusions against the person, such as assaults, or physical searches by police. It can be the right to protection from intrusions against one's property, such as one's home. It may mean the right to protection from surveillance by cameras or eavesdropping devices or, perhaps, researchers. It may mean the right not to have your personality appropriated.

At this conference, the issue is law in an information age. The most relevant aspect of privacy is therefore the right to control of information about oneself , or privacy of information. In the era of easy manipulation of data, privacy of information has become the central focus of privacy advocates. In the 1988 decision, Dyment, Mr. Justice Lamer cited a government task force report about the importance of privacy of information:

"This notion of privacy [of information] derives from the assumption that all information about a person is in a fundamental way his own, for him to communicate or retain as he sees fit."

"In modern society especially", Mr. Justice Lamer continued, "retention of information about oneself is extremely important. If the privacy of the individual is to be protected, we cannot afford to wait to vindicate it only after it has been violated. Yet when we place the legal protection afforded to personal information alongside the immense forces that, deliberately or not, are working to diminish privacy, we see a precarious imbalance."

Let me make it clear that privacy advocates do not wish to stop technology in its tracks. They are not biblical Davids , or Luddites. They merely want to ensure that technology does not overwhelm what they seek to protect, a fundamental, easily exhausted and increasingly besieged human right.

And privacy is exhaustible. Once you lose it, it cannot be regained or regenerated. Just look at Prince Charles and Lady Diana, the players in one of the world's favourite soap operas. Can either of them ever hope to regain the privacy that they have lost through the interception of their telephone calls? On a more plebian level, can someone who tests HIV positive regain control of this sensitive personal information once it has been released into the community? A loss of control over this information can have devastating consequences for a person already facing an overwhelming crisis. Can someone whose personal information is intercepted on the information highway ever hope to re-establish control over that information?

And, amidst these threats to our privacy, we find a set of laws touching on privacy that are dangerously porous , this despite a range of legal protections ranging from international and constitutional law, data protection legislation, specific sectoral legislation to the common law and judicial decisions. I do not propose to drag you through the mire of privacy laws in this country. I simply want to remind you of the inadequate set of defences we have established to confront threats to our privacy.

Article 3 of the Universal Declaration of Human Rights states that everyone has the right to life, liberty and security of the person. Article 12 states that "no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation."

The International Covenant on Civil and Political Rights contains almost identical language. Canada has also sought to enhance privacy protection through international vehicles other than international law. In 1984, Canada joined 22 other industrialized nations by adhering to the OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data.

The guidelines are intended to harmonize data protection laws and practices among OECD member countries by establishing minimum standards for handling personal information. Unlike the other international instruments mentioned above, which protect privacy rights in general, the Guidelines protect only one aspect of privacy , the privacy of personal data. The OECD Guidelines apply both to the public and private sectors. However, they constitute a voluntary code of conduct. They are not legally binding on governments or the private sector of OECD member countries.

Canada also has constitutional privacy protections, perhaps not through explicit language in the Charter, but through thoughtful interpretations of the Charter by Canadian courts, including the Supreme Court of Canada. Court decisions interpreting the Charter as offering privacy protection have most often arisen in the context of the criminal law. However, the Supreme Court has also made it clear that the Charter is relevant to privacy concerns outside the criminal context.

For the past 17 years, Canadians have had data protection legislation at the federal level, first through the privacy provisions of the Canadian Human Rights Act, then through the 1983 Privacy Act. Some 150 federal government institutions have been required to comply with the Privacy Act, a fair information practices code modeled on internationally accepted data protection principles.

The federal Privacy Act regulates the collection, use and disclosure of personal information by these federal government institutions. It establishes the right of individuals to see files about them and to request correction of erroneous information on those files. The Act sets standards for retaining and disposing of personal information.

The Act also creates my office, the Privacy Commissioner of Canada. I function as an ombudsman rather than an enforcer. My office receives inquiries and complaints from the Canadian public about the handling of personal information by the federal government. It investigates those complaints and conducts audits of the personal information holdings of government bodies. I try to rely on suasion to ensure compliance with the Act, since I have no powers of enforcement.

In every province and territory of Canada, broadly similar legislation governs the personal information handling practices of provincial and, sometimes, municipal bodies. Quebec remains the only province to have extended general data protection legislation to the private sector.

Federal and provincial data protection legislation is supplemented and sometimes overridden by more specific legislation. For example, the confidentiality provisions of the federal Income Tax Act would take precedence if there is a conflict with the federal Privacy Act.

Beyond this lie the statutory privacy torts in several provinces, the Quebec Civil Code privacy protections, and other specific legislation governing the collection and handling of personal information. This would include credit reporting legislation and laws protecting hospital records.

Add to this list of enactments, constitutional documents and international conventions the many professional obligations of confidentiality, plus ethical guidelines. The result is a complex, yet incomplete, web of privacy laws and protections in Canada.

The law seems particularly ill-suited to address the many issues flowing from many new information technologies, especially since so many of the issues are generated in the lightly regulated private sector.

What obligations should we place on carriers of information on the electronic highway? Should we impose on them the obligation to make their facilities secure, to the extent that this can be done? What obligations should those who control personal information , governments, banks, hospitals, employers and marketers, have to safeguard personal information transmitted on the highway? Should we oblige the players on the information highway to use technology to safeguard privacy by building strong "firewalls" and offering encryption services?

Encryption is increasingly an issue. Encryption prevents others from learning the content of your communications. Most of us accept the right of others to prevent us from learning about their communications. However, should we be permitted to keep all our secrets from governments? Should governments, in the name of national security or the pursuit of crime, prohibit forms of encryption that they cannot break? If governments are to have this right, what limits should be set to prevent them using powerful new technologies to intercept and monitor communications indiscriminately?

Who will explain all the privacy implications of the information highway to Canadians so that they can make informed decisions about protecting their privacy? Should individuals who use the Internet have the right to send anonymous messages via the many "remailers" that are springing up on the Internet? Should you have the right to read Internet newsgroups without others tracking and publishing your reading preferences? Should you be able to use credit and debit cards without leaving a data trail for commercial interests to collect, use and abuse as they see fit?

Above all, how can we, in this federal country, as one country in a sea of others, regulate the flows of personal information that now drift about the ether? One astute observer has remarked that protecting privacy in the computer age is like trying to change the tires on a moving car. Still, my office is attempting to address some of the basic issues relating to privacy on the information highway. Last month, I submitted a series of recommendations to Industry Canada about protecting privacy on the highway. I will highlight them here just briefly.

First, the federal government should enact legislation to protect privacy on the information highway in both the public and private sectors. It should also encourage provinces to enact complementary legislation. As most of you will know, this represents a call for a fundamental evolution in privacy law. At present, such laws generally regulate the public sector only. However, the information highway, with its intertwined public and private sector components, will be inadequately supervised if the private sector is left unregulated.

This legislation governing the information highway should at a minimum, set out clear rules that:

• limit the collection of personal information to the details essential to providing the good or service;
• require carriers and controllers to explain their data protection practices and the privacy implications of new technology to clients;
• give individuals control over the personal details that are transmitted on the highway;
• prohibit unrelated disclosure of personal information without the individuals's explicit consent , the confidentiality of electronic communications must be protected;
• provide individuals with access to their personal information and oblige carriers and controllers to ensure the information is accurate and up-to-date;
• prohibit charging for privacy protection;
• establish an independent oversight mechanism to monitor privacy protection on the information highway and provide individuals a means of redress for improper collection, handling and disclosure of personal information.

Carriers of personal information should have an obligation to make their facilities secure. Controllers of personal information should not transmit sensitive personal information unless that information can be protected from interception or unless the individual to whom it relates gives informed consent to the transmission.

I have called for further study about how to resolve the competing law enforcement and individual privacy interests involved in the use of encryption technologies.

For two applications of information highway technologies, I have proposed specific rules. First, unless the user consents, electronic mail should be considered a private communication. Employers should therefore have no right to monitor or intercept e- mail communications that are not directed to them. Second, except in compelling circumstances, information about a person's whereabouts that is available through geo-positioning technology should be used only to facilitate a technical communications link with that person , and only if the person wants such a link.

These recommendations cover only a fraction of the issues flowing from information technologies. But they represent an important start in a very fast race.

Perhaps some of the students in this audience would like to pick up the baton. Many of you may be looking for a direction in your future law career. For those who cannot bear the prospect of looking a real estate deed in the face, may I suggest exploring the multitude of issues generated by the collision between technology and privacy.

This is not a field for those who like the comfort of legal precedents, for so much of your work here will take place in uncharted territory. But if the thought appeals to you of taking a career path that will stimulate you and help you provide an increasingly important service to Canadians, please consider privacy. Those who enter this field will be in many ways be the spiritual successors of those who were in the legal profession when the Charter of Rights came into force. You will have the chance to be part of the action. And action, I promise you, there will be. I am not going to attempt to lecture in detail on the law relating to privacy. The law professors at this university are quite capable of doing that. Besides, twenty minutes is hardly adequate to examine

What gives us privacy protection in Canada is a patchwork. By definition, patchwork means there are holes. Even the experts cannot fully grasp the limitations and scope of our privacy laws. And now we face the onslaught of the technologies associated with the information highway. Privacy may be entering the stage of Internet shock.

You have the chance to get in on the act at a relatively early stage in the development of privacy principles and laws. The federal Privacy Act is a mere 12 years old. There is almost no general data protection legislation covering the private sector in Canada, the one exception being Quebec. (but health records legislation and credit reporting legislation) Yet technology and calls for increased marketplace competitiveness are generating ever more intrusive forms of privacy violations.