At the Forefront: Canada and its Privacy Laws
Tenth Annual National Conference
Organized by Privacy & American Business
June 23, 2004
Washington, D.C.
Address by Jennifer Stoddart
Privacy Commissioner of Canada
I am very pleased to be here today participating in this important event, and I am very much looking forward to continuing to exchange ideas and perspectives on privacy with you. This is the tenth year that this conference has been held, and that is a milestone. It is an indication of how far we have come in our understanding of privacy as a fundamental human right, and how our ideas on how to apply practical methods to achieve privacy protection have evolved. This year, we are talking about the how to's of privacy protection, not the why should we's.
I also note with great interest the title of the Conference this year is "Managing the Privacy Revolution", which is intriguing. Revolutions are exciting, they are chaotic, they are unpredictable and unsettling. Revolutions tend to manage us, instead of the other way around. Perhaps we are at the stage in the "Privacy Revolution" that seems inevitable in any major cultural shift — when forces in society attempt to restore equilibrium by either trying to go back to the way things used to be, or by pushing harder to get others to catch up.
I am here today to talk to you about the Canadian experience and perspective on privacy law. Perhaps I could start off by sharing some of the insights of one of our nation's great cultural contributions to the world, communications guru Marshall McLuhan. I would bet that most of you have heard his name and perhaps are familiar with his famous aphorism that "the medium is the message" He has been referred to as the Oracle of the Electronic Age, and it is certainly eerie that his ruminations on media and culture and electronic connectivity seem to have so clearly predicted the development of the Internet. McLuhan rose to fame as the rebellious icon of communications studies during his time as director of the Centre for Culture and Technology at the University of Toronto, and he seems to have invented the sound bite — witty ironic phrases with such resonance that they have been woven into our common usage.
Maybe you remember some of these — "global village", "information overload" "if it works it's obsolete", "the user is the content" and "technologies are not simply inventions which people employ but are the means by which people are re-invented".
In 1962, McLuhan published a book called The Gutenberg Galaxy. It describes the emergence of what he called Gutenberg Man — our species, changed irrevocably by the advent of a new technology — in that particular case, by moveable type and the printing press. McLuhan argued that the printing press, by creating the portable book that could be read in private, fragmented society and alienated us from each other. He saw electronic media as a return to a collective and tribal way of perceiving the world around us — a sort of shared cave wall.
Well, we are certainly connected now, and perhaps in some ways that we never anticipated. It is a very small world indeed when it comes to information sharing. Sometimes that is a very, very good thing, such as when we are trying to deal with the outbreak of a communicable disease such as SARS, or Mad Cow disease. Sometimes it is frightening and disturbing, such as when ordinary, law abiding citizens find that personal information given in good faith to a doctor or a bank or an insurance company or a travel agency can end up in a government data base, to be mined for potential wrongdoing. The post 9-11 environment has vastly accelerated the development of technologies that automatically collect, store and analyse huge amounts of electronic data on just about everyone in the global village.
And since, as we all know, there is no such thing as a digital border, the security of our personal information is also a collective endeavor. We are in this together. The directions and decisions taken here in Washington and in state capitals around America can have a direct impact on the privacy of Canadians. The decisions and directions that we take in our framework of privacy laws will affect you, as well, whether through national security or commercial activity.
The Canadian Experience
I'd like to take a moment at this point to outline the Canadian legislative framework for privacy protection, as we take a somewhat different approach than what is done here in the U.S. Our two nations have historically shared so much more than a border — we share a language, values, great friendship and support, economic interdependence and many cultural similarities. At the same time, many of our approaches to issues and problems are quite different, and the way we view privacy protection is a good example of that. I find many things to admire in your system, and I will expand on that later, but first I would like to talk about how we do things north of the border.
The Privacy Commissioner of Canada is an independent Officer of Parliament, appointed for a fixed term of seven years to protect privacy rights, to advocate for privacy rights and the protection of personal information, to investigate complaints from the public, and to promote the understanding and awareness of privacy issues.
As Commissioner, I report directly to the House of Commons and the Senate, and my office is independent of any other part of government. Our office oversees two pieces of federal legislation. The Privacy Act has been in effect for more than 20 years in Canada. It protects personal information held by more than 150 government departments, agencies and institutions. The Privacy Act limits the collection, use and disclosure of personal information by government, and gives Canadians right to access and correct that information. The Personal Information Protection and Electronic Documents Act — also known as PIPEDA — protects personal information held by private sector businesses and organizations. This act stipulates that organizations must obtain consent for collecting, using and disclosing personal information in the course of commercial activities. PIPEDA was phased in over a period of three years starting in 2001. It now covers the personal information of customers and employees of the federally regulated sector of our economy, such as banks and financial institutions, and the collection, use and disclosure of customers' personal information in the course of any commercial activity in a province. The law also applies to information collected, used or disclosed across provincial, territorial or national boundaries, an aspect that raises some serious concerns that I will touch on later.
We have multi-jurisdictional issues to consider in our application of privacy laws, just as you must consider the balance of state and federal powers here. PIPEDA was drafted to be flexible and pragmatic in this regard. The Act may be replaced by legislation that has been found to be "substantially similar" to the federal law. So far, only Québec's legislation has been found to be substantially similar, although we are expecting the same determination to be made for new legislation in Alberta and British Columbia any day now.
There are no comprehensive laws here that are comparable to PIPEDA at either the state or federal level, and in the case of government held personal records, there is no federal oversight body comparable to the Office of the Privacy Commissioner. The function of the office is to allow a specific and official voice on privacy to be heard during the formation of our national policies and laws. It's my job to put my hand up and say, "hold on there," when government is contemplating measures that could invade Canadians' privacy or compromise our rights to determine how our personal information is used. I believe that this is an extremely valuable role. Our office has had a great impact in several areas and I would like to give you a few examples.
Putting Privacy on the Table
Last year, our government launched a national consultation on the "need " for a National Identity Card for all Canadians — partly in response to the perceived need to provide stronger identity documents at the U.S. border. Our office came out strongly in opposition to this idea, which would involve a complex national identity system of databases, communications networks, card readers, and an array of policies and procedures to address issues such as security, privacy and manageability. Our office recommended that this idea be dropped as unworkable and unjustified, which is what seems to have happened. However, we stand at the ready to examine this idea critically again when it is resurrected, as I think it probably will be.
Our office was also very involved in responding to Canadians' concerns about a proposed database of our foreign travel activities. The database was originally meant to include more than 30 data elements on airline travelers, including where and with whom we travel, method of payment for tickets, contact addresses and telephone numbers, even dietary and health-related requirements. Under certain information sharing provisions of our Customs Act, this information could have been made available for almost unlimited government and police purposes. Due in part to our office's intervention, this initiative has been scaled back considerably. We continue to work with government officials on this issue.
Our office is moving proactively to bring privacy concerns forward for debate in some new areas as well. We are quite concerned with the issues around the cross-border transfer of data. The debate over transborder data issues such as passenger information transfer and the outsourcing of information for processing is emerging as a key issue for us.
Our office is embarking on a new project to map out the flow of Canadians' personal information as it crosses borders. We want to know what information is collected, particularly by security forces, we want to know where it goes and what protections and rights may apply. We are concerned with the potential implications of the USA PATRIOT Act as well as with other international information sharing agreements that may impact Canadians' privacy in the public and private sectors.
As you may know, the Privacy Commissioner of British Columbia is giving particular scrutiny to this issue, as it may affect the processing of provincial health information. Commissioner David Loukidelis has asked the FBI, U.S. Attorney General John Ashcroft, and Chief Privacy Officer Nuala O'Connor Kelly , as well as Canadian Privacy Commissioners, for their input on this. We will be providing a detailed submission from our office. We have also been raising these concerns with federal officials in discussions over the past few months.
Another recent case that some of you may be familiar with illustrates the public feeling about outsourcing personal information. Statistics Canada, our national census taking organization, was forced to back away from plans to have census forms containing sensitive personal information about Canadians processed by the U.S. based company Lockheed Martin. In an open letter to the Canadian public, the head of Statistics Canada acknowledged the public perceptions that privacy might be compromised by the use of outside contractors. While the agency maintains this was never the case, and that strict security measures were in place, in this case, perception was reality.
Contrasting the U.S. / Canadian Regimes
I said earlier that there are some aspects to the overall framework for privacy protection in the U.S that I think could be useful to us in the Canadian context. Our approach in Canada is based on an ombudsman model. My role as Privacy Commissioner is one of persuasion and recommendation. You may be surprised to know that I do not have enforcement or order making powers — I can't make any government department or any business do things in a particular way. My office works to resolve complaints through negotiation, behind the scenes discussion, and constructive criticism. We do have powers to summon witnesses, administer oaths and compel the production of evidence, although our office has had to use this power only once in the past 20 years. We may also turn to the Federal Court to review cases where access to information has been denied to individuals.
But our main strength lies in shedding light on practices that are not good for privacy, and in encouraging compliance. Our office works mainly behind the scenes, although a few cases are debated in federal court each year. I would like to say that we are looking with interest at the regulatory approach in the U.S which focuses on specific remedies to specific issues, instead of the development of comprehensive legislation. For example, I believe we may learn from your approach in the Children's Online Privacy Protection Act (COPPA), and the delightfully named CAN-SPAM Act. I salute the FTC for taking a leadership role in these areas, and for its work on the difficult issues of ID theft and RFIDs. The FTC's consumer protection mission, which guards against unfairness, deception and pretexting, embraces privacy. This leads to real advances in privacy protection by enforcing the private sector's promises about how they collect, use and secure consumers' personal information.
I also admire the energy and enthusiasm of your congressmen, senators and an informed, alert public in challenging privacy invasive government and business initiatives. Class action suits, public opinion and outspoken privacy advocates have in several instances forced U.S. governments and businesses to change their ways.
I'm thinking of the action taken against the use of radio frequency identification chips on your side of the border by consumers, and by strong advocacy groups such as the Electronic Privacy Information Centre, The American Civil Liberties Union, and the Privacy Rights Clearing House. It is gratifying to see this groundswell of public opinion take shape. Similarly, vocal opposition derailed Operation TIPS — a program that would have enlisted couriers and the home service industry, among others, as government snoops. The Computer Assisted Passenger Prescreening System (CAPPS II) has been delayed by Congress asking questions and freezing funding. Yours has always been a more litigious society, and threats of lawsuits from aggressive attorneys have forced several companies to change their practices to include better privacy rights. This combination of informed, privacy - aware consumers, political action, strong advocacy and legal recourse can be a powerful mixture. Canadians have sometimes been accused of being "too nice ", too polite, too passive. Perhaps we can learn a thing or two from you.
We're all in this together
I said earlier that it is a small world. Nowhere is that more evident than in the issues of national security and border protection. We share a continent with you. We are aware that border control issues are of the utmost importance to the United States. Our office has never stood in the way of legitimate security enhancements — we recognize that the right to individual privacy is not absolute, but must be tempered with recognition of the need in some cases to protect larger interests.
However, our office is concerned with the growing number and type of information sharing agreements that are proliferating under the "Smart Borders" declaration. Our government has created a new agency — the Canadian Border Services Agency — that will work with your government on common border security issues. Don't get me wrong — it is a good thing for our governments to work together to enhance border security and to maintain vigilance against terrorism and organized crime. That is clearly of benefit to both our nations.
But we are concerned about the increasing development of measures to screen ordinary people before they ever get to the border, or contemplate crossing it, by collecting large amounts of personal information in pre-screening and profiling programs. Canada and the U.S. have created several integrated border enforcement teams, and information —including information on watch lists -- is shared among law enforcement agencies. And there is nothing wrong with that in principle. But when larger and larger quantities of information are shared from larger and larger numbers of databases, including commercial databases of consumer information, the risk that mistakes will be made becomes larger as well.
More individuals may be unfairly scrutinized, inconvenienced, delayed — perhaps even incarcerated unjustly. Our office has received and is investigating a privacy complaint from Maher Arar — a name you may recognize. This Canadian citizen, born in Syria, was detained by U.S. officials in New York in 2002, while returning to Canada after a vacation in Tunisia. He was deported to Syria, even though he was carrying a Canadian passport. Mr. Arar, who is now back in Canada, alleges that he was tortured in Syria and that Canadian law enforcement agencies were complicit. A judicial inquiry will be looking into the matter, including how and for what purpose information on this individual was shared between our governments. This is not the time or place for a full discussion of this case, nor would I presume to pre-judge the work of the inquiry or our investigation into the privacy complaint. I raise this only as an example of the potential impact of agreements that share personal information about individuals across borders.
Information Sharing and PIPEDA
This spring, I made an appearance before our Senate Standing Committee on Transportation and Communications to comment on Bill C-7, the Public Safety Act. The Act provides authority for our national law enforcement agencies to require air carriers and air travel reservation systems to provide them with information about passengers. The Act also amended PIPEDA — the Personal Information and Protection of Electronic Documents Act — allowing the collection and disclosure of this information without the consent of customers.
This passenger information is to be used to assess the risk that passengers might pose a threat to national security and transportation security. Amending our consumer protection legislation to allow private sector organizations to collect this information without consent is deeply troubling to us. This enables, and in fact forces, private businesses to act as agents of the state. I am interested in sharing concerns with you on this issue, as your private sector faces similar obligations under the USA PATRIOT Act.
I started off today by quoting Marshall McLuhan and his insight about the medium being the message. He also said "The more the data banks record about each one of us, the less we exist." I would like you to think about the idea that we have the right to say no to technology. Just because we can collect huge quantities of data about individuals does not mean that we should, or that society will be safer if we do. Information is not knowledge, and knowledge is not wisdom, and we desperately need wisdom to face the challenges and opportunities of the electronic age.
So when we talk about "Managing the Privacy Revolution", let us be sure we are talking about how to move privacy principles and practices forward, instead of turning back or giving up in the face of difficulties. I believe that the decisions our nations make now about privacy and whether or not we truly value it will shape the kind of society our children inherit. Will the personal information of our sons and daughters as they shop, travel, buy insurance, have medical tests, get speeding or parking tickets, take out library books, attend college, apply for mortgages, sign up for political parties or send email be available to any government agency that wants it? Will the right to privacy become a quaint, old fashioned concept? I find it hard to believe that this could happen in America, where the concept of privacy is so deeply rooted, and enshrined in the Fourth Amendment of your Constitution. Like you, we Canadians place a high value on the right to privacy. While sometimes difficult to define and noticed most in its absence, this is a deeply held belief that transcends our differences of nationality and legal frameworks. I look forward to our two communities of privacy advocates working together more closely in the future to meet the challenges that are surely coming our way. We have much to learn from each other.
Thank you for your interest this afternoon in hearing the perspective of your neighbour to the north. I am most interested in hearing from you as well, and if you have any comments or questions, I would be happy to answer them now. |
