Protecting Privacy in a Global Economy
Digital Earth 2001: Beyond Information Infrastructure
June 28, 2001
Fredericton, New Brunswick
Privacy Commissioner of Canada
(Check Against Delivery)
The idea of a Digital Earth is an exciting one. It promises powerful tools that will enable us to assemble, grasp, and analyze vast amounts of information about the physical and social world we inhabit. It's something that will be valuable and interesting to so many of the world's citizens, in every profession and discipline, from every walk of life.
I'm pleased to see that the title of this conference is "Beyond Information Infrastructure," because that suggests that the Digital Earth Initiative is being seen as more than a purely technological issue. Ultimately, information about the world we live in (natural, cultural, economic, social, and political information) is information about the people in it. What's done with that information has important consequences for people. Control of that information is a critical issue.
Control of personal information is what privacy is all about. As promising as the Digital Earth concept is, it raises serious questions about personal information and privacy. There are the things with obvious privacy implications, like the Global Positioning System with its potential for surveillance, tracking, and bombarding us with advertising, or geographic information systems that purport to reveal information about our income, our interests, or our political inclinations under the rubric "you are where you live."
But more generally than that, I think you will find that there is personal information to be gleaned from nearly everything you collect and use in the Digital Earth Initiative. And that means that you have to see privacy as part of the design problem. Privacy has to be recognized as an important element of it, as with any information system, and has to be built into it from the outset.
I want to talk to you today about privacy, first, as a fundamental value, and then, as a key element of information systems. But before I do that, let me tell you a little about what I do.
As the Privacy Commissioner of Canada, I am an officer of Parliament, appointed for a seven-year term to be the independent guardian and champion of the privacy rights of Canadians.
I don't work for, or report to, the government. I work for and report directly to the people of Canada, through Parliament.
I am mandated to oversee and enforce two federal privacy statutes: the Privacy Act, which gives Canadians rights of control over and access to their personal information held by federal government institutions, and the new Personal Information Protection and Electronic Documents Act, which began coming into effect in January and which for the first time gives Canadians clear privacy rights in their dealings with private sector organizations.
I also have a legislative mandate to raise public awareness and understanding about privacy, and to research privacy issues and provide independent advice to Parliament and the government.
So, why privacy? What's so important about privacy that Canada has two laws and an Officer of Parliament appointed to protect it?
What's important about privacy is that it's a fundamental human right.
Privacy is a critical element of a free society. It's "at the heart of liberty in a modern state," as Justice La Forest of the Supreme Court of Canada once said.
That's because there can be no real freedom without privacy. There's no freedom if at any moment someone may be, either metaphorically or literally, looking over our shoulder. We have no freedom if we have to weigh every action, every purchase, every statement, every human contact, wondering who might find out about it, judge it, misconstrue it, or somehow use it to our detriment.
In fact, many have suggested that privacy is the right from which all others flow: freedom of speech, freedom of association, freedom of choice, any freedom you can name.
That's why lack of real privacy is a distinguishing characteristic of so many totalitarian societies.
And that's why privacy is not only an individual right; it's also a shared value, a social, public good. Our society as a whole has a stake in the preservation of privacy.
We cannot continue to have a free, open, and democratic society unless the right to privacy is respected.
It's often said that the privacy of the individual has to be balanced against the interests of society. That's a misstatement of the issue. The interests of society include the privacy of individuals. When privacy is lost, the individual feels it, of course, but society is the real loser.
That doesn't mean that privacy is an absolute right. Sometimes some privacy does have to be sacrificed to advance other crucial social objectives.
But when someone proposes a limitation on privacy as a trade-off for some other objective, we have to pose hard, insistent questions: Is there really a need that clearly outweighs the loss of privacy? Will sacrificing privacy really achieve the objective? Is there a less privacy-invasive way to achieve the same thing?
Because if we make too many trade-offs, accept too many calls to give up a little privacy here, a little privacy there, soon we'll have no real privacy, and no real freedom.
So how is privacy threatened? How has privacy suddenly become the word on everyone's lips, the central concern of electronic commerce, and a focus of legislation around the world?
I think that defining privacy helps us to understand how it's at risk. That understanding, in turn, helps to see why privacy is of such critical importance today.
It used to be common to define privacy as the right to be let alone, and that's still how a lot of people understand it. It's that gut-level concern that people have about wanting to go about their peaceable, lawful business without being monitored or bothered.
But there's another kind of privacy invasion that's less obvious, and that's the collection and compiling of information about us without our knowledge or consent.
That's why I define privacy as the right to control access to one's person and to information about oneself.
And it's this broader, informational concept of privacy that leads me to believe that privacy will be the defining issue of this new decade.
That's because we are at a crossroads.
Until relatively recently, privacy was protected pretty much by default. As long as information about us was in paper records, and scattered over a whole lot of locations, someone would have to go to a lot of trouble to compile a detailed dossier on any individual.
So unless you were very famous, or very important, or... had done something really bad, your privacy was pretty safe.
But the move to electronic record-keeping is eating away at those barriers, the barriers of time and distance and cost, that once guarded our privacy from all but the most determined of snoops.
Now some stranger at a computer keyboard can compile an amazingly detailed dossier on your whole life, literally in minutes.
The choices we make in confronting these threats to privacy will determine what kind of world we leave for our children and grandchildren.
In Canada, one of the choices we've made as a society is to enact privacy legislation, in 1983, with the Privacy Act, and in 2000, with the Personal Information Protection and Electronic Documents Act. That act came into effect on January 1st of this year.
In describing how our legislation works, I'm going to focus on the private sector legislation, but, with some variations, most of what I say about privacy protection in the private sector is also true in the public sector.
The new act applies to personal information collected, used, or disclosed in the course of commercial activities. At the heart of the act is a model code for the protection of personal information, which was developed jointly by business, government, and consumer groups. The code is based on the OECD principles of fair information practices, which are accepted around the world as the basic model for dealing with personal information.
What the new act says, in a nutshell, is this:
Apart from some very limited exceptions, no private sector organization can collect, use or disclose personal information about you without your consent.
It can collect, use or disclose that information only for the purpose for which you gave consent.
Even with consent, it can only collect information that a reasonable person would consider appropriate under the circumstances.
You have the right to see the personal information that is held about you, and to correct any inaccuracies.
There is oversight, through me and my office, to ensure that the law is respected, and there is redress if people's rights are violated.
The act is coming into effect in stages. It has applied since January of this year to personal information, other than health information, of customers or employees of works, undertakings, or businesses under federal jurisdiction: principally banks, telecommunications, broadcasting, and interprovincial or international transportation.
It also applies to personal information (again, other than health information) when it's sold or otherwise disclosed across provincial or national borders for consideration.
The exclusion of personal health information was a last-minute compromise, to give the health care sector time to work out the problems it saw with complying with the legislation. In about six months from now, in January 2002, that exclusion will end. The act will then apply to personal health information about employees or customers of federal works, undertakings, or businesses, or that's disclosed across borders for consideration.
The final phase-in stage for the act is 2004. At that time, it will extend to all commercial activities in Canada, with one important exception. Where provinces have passed substantially similar privacy legislation, the Federal Government may exempt organizations and activities under provincial jurisdiction from the application of the federal legislation, and the provincial law will apply. Federally-regulated businesses in those provinces will continue to be governed by the federal act. So will personal information in all interprovincial and international transactions by organizations in the course of commercial activities.
In short, eventually we'll have seamless privacy protection in Canada. All of the private sector will be required to comply with the federal law or a substantially similar provincial one.
My approach to the investigation and resolution of citizens' complaints under the act is generally non-confrontational. I don't have direct order-making powers. I'm an ombudsman, and I try to resolve complaints through mediation and discussion.
But the law does have teeth. To investigate complaints, I, and through me my investigators, can subpoena witnesses and, if necessary, enter and search premises. Where I find that an organization is violating privacy rights and it refuses to modify its conduct or remedy the situation, I can use the power of disclosure, and therefore of public embarrassment, to nudge things along: I can make it public in a report to Parliament or in a press release. I can also go to the Federal Court and ask it to order an organization to come into compliance with the law, and I can ask the court to award damages to the complainant.
But I hope that the private sector will cooperate voluntarily, and I will rarely, if ever, have to use these powers.
We've also embarked on a major public information campaign, informing Canadians of the new legislated privacy protections, and reminding private sector organizations of their responsibilities under the act.
Now, to come back to the Digital Earth Initiative. What's it got to do with privacy?
From one perspective, geographic information systems don't seem to have much to do with privacy, or maybe even with people. They can be seen as abstract, impersonal information about land and resources.
I don't think there are many people here who actually believe that, and I think it's pretty far from the viewpoint of the Digital Earth Initiative. Just a look at the Digital Earth website confirms what I said earlier: that information about the world we live in is ultimately information about the people who live in it.
Even taking a very restrictive view, however (that geographic information is factual information about land and resources), it's easy to see privacy implications.
Geographic information systems are a powerful tool to integrate personal information by tying it to its geographic location. Much of that geographic information is local in nature, often extremely local and small-scale. Combined with personal information, that has the potential to be much more privacy-invasive than many other information technologies.
Just to give you one example, we've seen the use of geographic information systems to classify smaller and smaller urban units by such factors as annual income, purchasing habits, and use of the health care system. In a very fine-grained analysis, that can inadvertently result in the identification of a specific individual. Census information in Canada, for example, is sometimes broken down to the postal code level. That's supposed to make it anonymous, but in fact it's not unknown for a postal code to have only a single resident.
Even when something like that doesn't happen, this kind of practice still raises the question of the privacy of identifiable groups. A statistical study of a small neighbourhood that finds high rates of mental health problems is an obvious example. A study of an identifiable group that finds high rates of HIV infection is another.
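The two risks just described, a postal code with a single resident and a small group whose members all share a sensitive finding, are the kind of thing a release check can catch before aggregated data leaves the system. The following is an added example, not code from the speech or from the Digital Earth project; the records, postal codes and the release threshold of five are all constructed for illustration.

```python
"""Small-cell suppression for postal-code aggregates (added example).

Shows how a fine-grained geographic breakdown exposes a single resident,
and how a release-time check withholds such cells. All records below are
constructed sample data; the postal codes are made up.
"""
from collections import defaultdict

# Constructed records: (postal_code, income_band, used_mental_health_services)
RECORDS = [
    ("E3B 1A1", "high", False),
    ("E3B 1A1", "mid", True),
    ("E3B 1A1", "mid", False),
    ("E3B 1A1", "low", False),
    ("E3B 1A1", "high", True),
    ("E3B 9Z9", "low", True),   # a postal code with only one resident
    ("E3C 2B2", "mid", True),
    ("E3C 2B2", "mid", True),
    ("E3C 2B2", "mid", True),
    ("E3C 2B2", "low", True),
    ("E3C 2B2", "high", True),  # every resident shares the sensitive attribute
]

MIN_CELL_SIZE = 5  # assumed threshold; the real value is a policy decision


def aggregate(records):
    """Count residents and sensitive-attribute cases per postal code."""
    cells = defaultdict(lambda: {"n": 0, "sensitive": 0})
    for code, _band, sensitive in records:
        cells[code]["n"] += 1
        cells[code]["sensitive"] += int(sensitive)
    return cells


def release(records, k=MIN_CELL_SIZE):
    """Split aggregates into rows safe to publish and rows to withhold.

    Check 1: a cell with fewer than k residents identifies individuals
             (the one-resident postal code from the speech).
    Check 2: a cell where everyone, or no one, has the attribute discloses
             it about the whole identifiable group, regardless of size.
    """
    published, withheld = {}, {}
    for code, c in aggregate(records).items():
        if c["n"] < k:
            withheld[code] = f"small cell: {c['n']} resident(s) below threshold {k}"
        elif c["sensitive"] in (0, c["n"]):
            withheld[code] = "homogeneous cell: attribute disclosed for the whole group"
        else:
            published[code] = {
                "residents": c["n"],
                "sensitive_rate": round(c["sensitive"] / c["n"], 2),
            }
    return published, withheld


if __name__ == "__main__":
    pub, held = release(RECORDS)
    print("published:", pub)
    print("withheld:", held)
```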
Integrated personal and geographic information is useful for marketing purposes, and that's where a lot of the focus has been. But it offers a lot of other potential uses. Law enforcement, for example, might well want to have that kind of information about the residents of a neighbourhood, particularly for keeping track, as the marketers do now, of people whose spending or income or lifestyle doesn't seem to match the neighbourhood they live in.
This is where I take encouragement from a conference theme like "Beyond Information Infrastructure," because what we have here is more than a technological issue, requiring a technological response. This is a human issue requiring a human response. It requires us to make choices about what kind of world we want.
Having said that, I do think that there are specifically technological things that you need to do. And I wonder whether in every instance you really are ready to move "beyond information infrastructure."
Because, if you've built privacy into the information infrastructure of an initiative, good: start thinking about what the world will be like when it's in place. But if privacy didn't play a key role in that infrastructure, if you didn't build it in from the outset, maybe you're still at square one.
Let me suggest three pieces of advice.
The first is this: any information system needs privacy protection built in. Digital Earth is no exception. Privacy must be an essential component. Technology should serve our values, and be determined by them, not the other way around. The fundamental right of privacy should determine the architecture of the system.
So, what does that mean: building privacy into the system?
Well, for example, you've got to build the system to limit use of personal information. You've got to be careful to build your system to resist what privacy advocates call "function creep," where information collected for one purpose becomes used for another, unrelated one.
This is not fanciful, or trivial. I mentioned a moment ago the potential usefulness to law enforcement of geographic information systems. I don't think that's happened yet, but we have seen countless examples of function creep.
Perhaps the best-known Canadian example is the Social Insurance Number, which began as a simple file number for social benefits and has expanded ever since, to the point that it threatens to become a national identifier. Something similar happened in the US with the Social Security Number.
Other countries provide starker examples. Targeted security cameras become generalized surveillance systems. Forensic DNA identification schemes become population registries. Roadblocks to stop impaired drivers become warrantless searches for drugs.
We must not allow this to happen with the personal information that's collected, deduced, and generated by geographic information systems. The systems have to be built such that they do not allow this.
Another thing I think you have to recognize is that not everything you're doing in Digital Earth is startlingly new. Some of it, to privacy advocates, qualifies as an old problem.
Collecting a lot of personal information for various reasons and then sifting it, playing with it, putting it together in new, interesting, unforeseen ways to ask new, interesting, unforeseen questions: that's data mining.
And so I will say to you what we say to data miners: you may think it's wonderful, but if you use personal information for new purposes, without consent, without being open about it to consumers, and without providing them a right of access, you are violating fair information practices. It's a challenge to find a way of doing data mining that respects fair information practices, but that's the job of data miners, to rise to the challenge. It's not up to the rest of us to abandon our rights just because respecting them entails a little difficulty.
My second piece of advice is that the way to ensure that privacy is built in is to do Privacy Impact Assessments.
A Privacy Impact Assessment is a risk assessment tool that's been adapted from the Environmental Impact Assessment process.
It allows you to forecast a proposal's impacts on privacy, assess its compliance with legislation and principles, and determine what's required to fix any problems there may be. It helps you avoid the costs, adverse publicity, and loss of credibility and public confidence that could result from a proposal that hurts privacy.
You need to do Privacy Impact Assessments at the earliest point in your projects. Try to get an impartial review of them. Get someone who knows privacy to have a look at them.
If they're done properly, and on a routine basis when any changes are made to a project, Privacy Impact Assessments will often reveal problem areas that will require the attention of the project architects.
Allocating time and resources to conducting a Privacy Impact Assessment may be a real challenge, but I would encourage it as a means of avoiding future problems, such as unexpected criticism by a Privacy Commissioner. And more and more jurisdictions have such officials and privacy protection laws.
That brings me to my final piece of advice: I urge you to consult with the privacy protection agencies in your jurisdiction. If you establish a dialogue early in the game, you can save yourself a lot of problems.
Often, we're not brought in to comment on these projects during their development, and by the time we see them, the privacy problems are built right in. When that happens, our ability to provide constructive comments is limited.
To sum up, let me say once again how impressed I am with the promise of the Digital Earth Initiative. The Digital Earth is a marvelous concept, adding extraordinary depth, richness, and complexity to that exciting new world we call "cyberspace."
But we must never forget that when we go to cyberspace, we don't really go anywhere. We always remain in the real world. The Digital Earth is part of the real world. It has real-world problems, real-world consequences, real-world challenges.
One of those challenges is to protect privacy.
As I said earlier, we're at a crossroads.
We can't rely on privacy by default. It won't take care of itself. Left to itself, or to the market, it will wither, and with it, freedom will slip from our grasp. It's up to us to ensure that real privacy, and with it, real freedom, is strengthened, preserved, and protected.
And so I urge you: respect that fundamental human right of privacy. Build a system that respects it, that recognizes the right of individuals to control their information. That will be a tremendous achievement, a Digital Earth that will enrich the real world. As the saying goes, more or less: build it and we will come.