Canadian Club of Toronto
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
March 26, 2001
Privacy Commissioner of Canada
(Check Against Delivery)
I want to talk to you today about privacy as individuals. I know many of you are interested in what privacy law means to your business, and we can give you lots of information about that. But if you reflect on why privacy should be important to you, you'll also understand better why it's going to be increasingly important to lots of other people, and therefore why it's also good business.
But I must admit that it's a pleasant surprise to see so many people here today, because privacy isn't a top-of-mind issue for most of us in our day-to-day lives.
In fact, it's a lot like our health. As long as everything is fine, we don't tend to think very much about it as we go about our business. But if we lose our health, if we're not feeling well, it gets our attention pretty fast.
The same is true of privacy. It's an instinctive human need, but we mainly recognize its importance on those occasions when we feel its absence.
We pull our curtains at home, because we don't want strangers observing us as we go about our private lives. A peeping Tom, or even having the neighbors watching too closely, is psychologically very disturbing, even if no tangible harm is being done.
We don't like it when someone reads over our shoulder on an airplane or on the subway, because it's an encroachment on our privacy.
Anyone who has ever experienced a burglary, or even a car break-in, knows that the sense of violation, of intrusion into our private space, can be even more upsetting than the loss of actual property.
So privacy is an intrinsic human need. And it's also a fundamental human right, recognized in the United Nations Declaration of Human Rights.
That's because there can be no real freedom without privacy. In fact, many have suggested that privacy is the right from which all others flow, freedom of speech, freedom of association, freedom of choice, any freedom you can name.
None of us wants to go through life feeling that any moment someone may be, either metaphorically or literally, looking over our shoulder. If we have to weigh every action, every purchase, every statement, every human contact, wondering who might find out about it, judge it, misconstrue it, or somehow use it to our detriment, we are not truly free.
That's why lack of real privacy is a distinguishing characteristic of so many totalitarian societies.
But I know that some people say, "that's fine in theory, but I'm an honest person, I have nothing to hide."
Sure you do.
Everyone has some things in their lives that they are willing to have some people know, but not others, and certainly not everyone, not because those things are terrible, but because they're private.
Would you want your employer to know that you may be genetically predisposed to cancer or to heart disease? You might not have a problem until you're 80, but meanwhile it might cost you a job opportunity, a promotion, or the ability to get insurance.
Would you like a casual acquaintance to be able to click onto the Internet and read the court records that detail all the allegations your former spouse made about you when you were getting a divorce?
Suppose you have a very close friend who moved to Las Vegas, so you fly down there four times a year to visit him. You don't go near a casino, but to anyone looking at a credit card record of your plane ticket purchases, you probably look like a compulsive gambler. So would you like your banker to look at your credit card printouts when you apply for a loan or a mortgage?
That's why the freedom to choose who finds out what about you is the very essence of privacy - which I would define as the right to control access to oneself and to information about oneself.
But today, in an age when information crosses oceans and continents at the click of a button, when information, personal information, has itself become a commodity, that right to privacy is under threat as never before.
I have said many times since I became Privacy Commissioner seven months ago, and I'll say it again today: I believe that privacy will be the defining issue of this new decade.
That's because we are at a crossroads: The choices we make now, the paths we follow over the next few months and years, will to a very large extent decide what kind of society we leave to our children and grandchildren.
Until relatively recently, privacy was protected pretty much by default. As long as information about us was in paper records, and scattered over a whole lot of locations, someone would have to go to a lot of trouble to compile a detailed dossier on any individual.
So unless you were very famous, or very important, or had done something really bad, your privacy was pretty safe.
But now the move to electronic record-keeping is eating away at those barriers - barriers of time and distance and cost - that once guarded our privacy from all but the most determined of snoops.
Now some stranger at a computer keyboard can compile an amazingly detailed dossier on your whole life, literally in minutes.
On top of that, we're now under almost constant surveillance, cameras record us at the bank machine, at the corner store, in the taxi, at the casino, and new biometric recognition technologies can rob us of our anonymity. And, of course, those little plastic cards you use to enter or leave your workplace or your parking garage mean that some computer is recording every coming and going.
The personal information that is being collected about every one of us, every day, just as a matter of routine, is mind-boggling. Debit card records, credit card records, medical records, telephone records, the movies we rent, the Web sites we access, all recorded, all accessible.
The surveillance is so pervasive that we as individuals really have no idea who has what information about us, let alone what's being done with it.
The data banks are bursting with our personal information. Any spill, by accident or by design, can be a privacy disaster.
So privacy is important. And it's under threat as never before. And the challenges grow more complex every day.
Take genetic privacy, for example.
The science of genetics offers the promise of unimaginable benefits for humankind. It may lead, in time, to eradicating many of the most terrible diseases and afflictions.
But already today, anyone with access to your genetic profile can have information that previously was available only to God, what diseases or afflictions you're programmed to suffer in the future, your physical strengths and weaknesses, perhaps even how long you're likely to live.
Who is entitled to have access to this sort of information?
Does your employer have a right to know? What about your insurance company, which already demands access to all your other medical information?
These aren't just theoretical concerns.
The Council for Responsible Genetics in the United States has already identified more than 200 cases of genetic discrimination in employment.
These were cases where people lost a job or were denied a job even though the statistical risk that they would develop a debilitating condition was small, even though the condition would not be likely to arise until years or even decades later, or where the condition was entirely treatable.
And then there's the issue of the genetic rights of your relatives. Your genetic profile may be unique - but you share big chunks of it with your parents, your brothers and sisters, your children and grandchildren.
So genetic information about you is also genetic information about other people. Information that you're predisposed to some unfortunate condition could harm not only you, it could stigmatize your children, your brothers and sisters, your grandchildren, whole generations.
So even if you're willing to provide your genetic information to your insurance company or, say, to the government through your health records, what about the privacy rights of all those other people who might be affected? Should they have the right to block your disclosure of this kind of information, to protect their own interests?
And what about your right not to know? Many people say they wouldn't want to know that they're at particular risk of developing some painful illness 20 years down the road, or of dying young. They don't want their palms read, and they don't want their DNA read.
But those same people might be compelled to give their insurance company access to their medical information, including genetic information, in order to get coverage.
Can we, as a society, allow a situation where an insurance company, or the government, would be privy to your most intimate personal information, and would know more about you than you do?
These are incredibly complex privacy issues, and there's an endlessly growing number of them.
There's the issue of biometrics.
I mentioned earlier that video surveillance is growing more pervasive and sophisticated. Now biometric technology makes it possible to digitally scan your facial characteristics from any video or photo, match them against photos in a data bank, say your driver's licence photos, for instance, and instantly identify who you are, without your knowledge, from a distance.
You think that's far-fetched? At this year's Super Bowl in January, the Tampa Bay police videotaped more than 100,000 people as they entered the stadium, and used biometrics to put them all into a sort of instantaneous digital lineup that identified 19 people with known criminal records.
And it's been reported recently that Ontario police are using biometric identification technology right here, in this province's casinos.
If we tolerate the unrestricted spread of biometrics, it will mean that you can be identified from a distance when you're entering any given building, or carrying out any activity. Or perhaps mis-identified, perhaps someone else will be identified as you, because it's acknowledged that this technology can never be 100 per cent accurate. And all this information may be recorded somewhere, without you ever knowing about it.
This loss of our right to anonymity, the right to go about our lives without anyone knowing who we are, unless we choose to identify ourselves, would be a tragic, fundamental loss of privacy. And it's potentially right around the corner, unless we as a society say No, unless we insist on clear rules and limits.
And then there's the issue of "smart cards."
The Ontario government, for one, has said that it wants to combine all the crucial information about each of us, our birth certificate, our driver's licence, our health information, and who knows what else, on a single card.
I have a number of problems with this.
First, a single card like that would tend to very quickly become a universal identity card, a kind of internal passport. There are a lot of other countries where you can be stopped on the street and asked for "your papers, please." We don't do that in Canada, and we don't need a create a circumstance that would open the door to it.
Second, a single card like that opens the door to far too many opportunities for data matching and cross-over uses of your personal information. Whether all the information is actually embedded in microchips on the card, or whether the single card simply provides access to information in various data banks, the outcome is the same, one card opens the door to all, or nearly all, the most sensitive personal information about you.
The government may insist that the different kinds of information would only be used separately for separate purposes. But it's a slippery slope. How long do you think it would be, for instance, before someone argues that if the police pull you over and ask to check your driver's licence, it only makes sense that they be able to protect themselves by checking your health information to see if you're psychologically disturbed?
And then there's the issue of security. If so much personal information about every citizen were available through a single card, imagine how attractive that card, and the linked information that backs it up, could become to muggers, hackers and criminals of every description.
But, of course, the Ontario government has an answer to that, too. A PIN number obviously wouldn't be enough for such a sensitive card. So it's considering fingerprinting or retina-scanning every citizen, and then using biometrics to identify us. They seem to think that's efficient. I think it's outrageous.
But do you see what I mean? One intrusion on privacy breeds another, until we face a whole potential cascade of privacy invasions. That's why I say that we are at a crossroads, why I say that privacy will be the defining issue of this decade.
Now, you may be saying, Why is the federal Privacy Commissioner talking critically about something the Ontario government is doing? And what does the Privacy Commissioner of Canada do, anyway?
Well, I am an Officer of Parliament, appointed for a seven-year term to be the independent guardian and champion of the privacy rights of Canadians. The Privacy Commissioner of Canada does not work for or report to the government. He works for and reports directly to the people of Canada, through our national Parliament.
I am mandated to oversee and enforce two critical pieces of national privacy legislation: the Privacy Act that governs the federal public sector, and the new Personal Information Protection and Electronic Documents Act, that began coming into effect in January and that for the first time gives Canadians clear privacy rights in their dealings with private sector organizations.
What the new law says, in a nutshell, is this:
Apart from some very limited exceptions, no private sector organization covered under the law can collect, use or disclose personal information about you without your consent.
It can collect, use or disclose that information only for the purpose for which you gave consent.
You have the right to see the personal information that is held about you, and to correct any inaccuracies.
There is oversight, through me and my office, to ensure that the law is respected, and there is redress if your rights are violated.
Right now, the law applies to the federally-regulated private sector, that is, primarily to banks, broadcasters, telecommunications and transportation companies, and to personal information that is sold across provincial or national borders, for instance by credit reporting agencies. But in less than three years, as of January 1, 2004, it will ensure a seamless web of private sector privacy protection right across Canada.
With the help of my Office, I investigate complaints, conduct audits, research privacy issues and provide independent advice to Parliament and the government, and do everything possible to raise public awareness and understanding about everything pertaining to privacy.
It is my responsibility, and honour - as the Privacy Commissioner of Canada to stand up for the privacy rights of all Canadians. And the right to privacy is not divisible.
It cannot be respected federally and violated provincially. It cannot be respected in one part of the country and violated in another. The door to our personal information is either closed or open. If it is open, it makes little practical difference which level of government has done the opening, our privacy is lost.
This is made very clear in the federal privacy law for the private sector, which I just mentioned. In provinces that don't have substantially similar privacy legislation in place by the beginning of 2004, the federal Act will apply to the whole commercial private sector.
And to make that determination, the Privacy Commissioner of Canada is mandated to report to Parliament on the extent to which provincial government's have passed legislation that is substantially similar.
That is why I accepted an invitation last month to address a committee of the Ontario Legislature that was examining the provincial government's proposed health information privacy legislation.
I thought it important to let them, and through them the people of Ontario, know that this legislation was not substantially similar. It was radically, and sadly, different.
Though it was called health information privacy legislation, it was actually health information access legislation. It would have allowed the Minister of Health, the government, and literally anyone designated by regulation, to have the same access to your most sensitive health information as your own doctor.
I am very glad that the Ontario government decided to let this bill die on the order paper. I very, very much hope that it won't be brought back in anything resembling its original form. I hope that the government will instead introduce entirely new legislation that genuinely respects and protects health privacy.
But I certainly wouldn't want you to think that I'm singling out the Ontario government. The privacy challenges and opportunities we face are many, and there's certainly no shortage of them in the federal jurisdiction where my responsibilities lie.
Last week, for instance, I asked the Minister of Citizenship and Immigration to change the process by which mail coming from outside Canada is sometimes opened to look for fraudulent immigration documents.
Though the law was being fully respected, I found it wrong from a privacy point of view that letters weighing under 30 grams could be opened only by consent or with a warrant, while heavier envelopes could be opened without restriction, even though they are no less mail. What's being done is being entirely in good faith and for a very legitimate public policy purpose. But there's a way to do it that would be more respectful of privacy rights.
And that's one of the most interesting things about the privacy challenges we face: The greatest threats to privacy seldom come from those who deliberately want to do harm.
Rather, they come more and more from well-intentioned people who say that a bit of privacy needs to be sacrificed on the altar of some greater good, better customer service, more efficient delivery of government services, or the prevention of crime.
And sometimes a trade-off does have to be made. In a complicated society like ours, privacy is not an absolute. It's always a balancing act. But if we make too many trade-offs, accept too many "reasonable" calls to give up a little privacy here, a little privacy there, soon we'll have no real privacy, and no real freedom.
So if you agree with me that privacy is important.and if you agree with me that we are at a crossroads .I hope you'll also agree with me that we have to learn to do a better job of saying No, No as individuals to those who ask us for personal information they don't really need, and No as a society to those who try to tell us there's always some consideration more important than privacy.
Privacy is not a partisan issue, nor a political one. It is not an issue of left or right, of federal versus provincial, or of business versus government.
It is an issue that goes to the core of our shared values as Canadians, and of our fundamental rights as Canadians.
I am honoured, and humbled, to be entrusted with the responsibility of working to protect this fundamental right of privacy. With your help and support, with the help and support of all Canadians, I'm confident that together we can make the wisest turn at that crossroads I've been talking about.
- Date modified: