Information Law and Privacy Section Annual Seminar

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

November 27, 2001
Ottawa, Ontario

George Radwanski
Privacy Commissioner of Canada

(Check Against Delivery)


You're here to talk about two related but distinct areas of the law: access to information, and privacy. I want to talk to you about what privacy is, and about why it's such a fundamental human right. In the process, I'll be contrasting it with the right of access to information. And I'll talk about my role in the protection of privacy.

Privacy, as you all know, is a fundamental human right. It's recognized as such in the United Nations, Universal Declaration of Human Rights. And in the words of former Supreme Court Justice La Forest, "Privacy is at the heart of liberty in a modern state."

Why is privacy so fundamental? Well, first of all because it's an innate human need.

When we're at home at night, we close our blinds. That's not because we're hiding anything. It is simply because we're uncomfortable being observed. We have a need for a private space.

If someone reads over our shoulder on an airplane, we're uncomfortable. We feel that they have intruded on us. We have no reason to hide what we're reading. It's just not anyone else's business.

If you've ever had your home or even your car broken into, you'll know that the sense of personal violation can be even worse than the loss of whatever was stolen.

So it's not necessarily about having something to hide. But even where we do have something to hide, there's nothing necessarily wrong or anti-social about that. We all have things to hide-not because we're doing anything wrong but simply because it's nobody's business and could be used to our disadvantage. We have legitimate reasons for keeping some things to ourselves, everything from our credit card numbers, to our medical conditions, to the kinds of movies we watch, to the ways we choose to spend our leisure time.

And sometimes we just want to protect ourselves against misinterpretation. If you fly frequently to Las Vegas to visit a sick friend, the records of your plane trips may make you look like a compulsive gambler. If you like giving fine wine as gifts, your credit card records from the LCBO can suggest a completely different story.

And that's why privacy is not only an innate human need, it's also essential to human freedom. If you have to go through life knowing that everything you buy, everywhere you go, everyone you meet, anything you do may be observed, recorded, scrutinized, cross-referenced, judged, maybe misinterpreted and used against you by persons unknown-if you have to go through life like that, you're not truly free.

Maybe you'll think twice about that book purchase, because it might reflect badly on your literary taste. Maybe you won't take that trip to Las Vegas, because someone might draw the wrong conclusion about you and it could cost you a job or a loan you've applied for.

I could give you lots of examples, but I think the point is clear. Lack of privacy makes us less free, and the more easily our privacy can be invaded-whether by private interest or by agents of the state-the less freedom we have. That's why lack of privacy is in fact a hallmark of so many totalitarian societies.

So that's why privacy is a fundamental human right.

Now, what are some of the implications of that being the case?

Well, one implication is that it has to be distinguished from rights of a lesser order. Rights exist in a hierarchy, and a fundamental human right like privacy has to be treated differently from an administrative right.

An example is the right of access to government information. This right is often paired with privacy. That's understandable. The Privacy Act and the Access to Information Act were introduced in Parliament together in the same bill. Both acts have provisions distinguishing personal information from other information. Responding to some Information Act requests may require understanding the provisions of the Privacy Act.

But the relation between these two rights is superficial. It's a mistake to see them as two sides of the same coin.

The right of access, and the idea of a more open government, is important, no question about it. I'm a former journalist, and I know the value of being able to get information about how government and bureaucratic decisions are made. Access to information is a useful tool that can make the public more aware, and hence government more accountable.

But that's an enhancement of democracy. It's different than privacy, which is at the very heart of democracy.

We have had democratic societies for a long time, and access to government information for a relatively short one. There are many democratic societies that do not allow access to government information, and they are nonetheless democratic.

You can't say the same about privacy. You can't have autonomous individuals who have freedom of conscience, of association, and of thought, unless their private lives and thoughts are free of the attention of the neighbours and the scrutiny of the state-unless, in other words, they have privacy. Destroy privacy and you destroy freedom.

That's why privacy law and access to information law cannot properly be treated in tandem. Their scope is different, their implications and their affects on human lives are different, their issues are different and their relative importance is different.

This means that any attempts at parallelism, at believing that any issues that arise regarding one act necessarily translate over to the other, are bound to be misguided.

Let me now turn to what I consider an interesting aspect of privacy as a fundamental right-the fact that it's best protected by a specialized ombudsman, an Officer of Parliament. That distinguishes it from many other fundamental rights-those rights guaranteed in the Charter, for example, which are protected by the courts.

Privacy is different. Privacy in Canada, and in almost all jurisdictions that have privacy laws, is protected by specialist offices such as mine.

This might seem paradoxical to some of you. If a right is so fundamental, shouldn't the full majesty of the legal system and the courts be brought to bear to protect it? Why leave it up to an Officer of Parliament?

Well, one reason is that a specialist office doesn't have to wait until privacy is violated before defending it. An office like mine can intervene to protect privacy wherever it's threatened, including when legislatures, either deliberately or inadvertently, are on the verge of sacrificing privacy in the interest of some other objective.

We've seen this over the last month with Bill C-36, the federal government's anti-terrorism legislation.

I've made it clear from the outset that I will not allow my office to stand in the way of public security. We have to ensure that the government has the means to fight terrorism. But I've also made it clear that I will not stand by and see the privacy rights of all Canadians swept aside.

I've said repeatedly, if we have to choose between security and privacy, we must do it calmly, carefully, and case by case. If the government thinks it needs to infringe privacy in the name of security, it must be specific and limited in what it is proposing. It must justify its proposals according to the criteria of necessity, effectiveness, proportionality, and the absence of a less privacy-intrusive alternative.

On the whole, Bill C-36 showed careful attention to this analysis. But there was one significant lapse that would have had dire consequences for the privacy rights of all Canadians, if it had been allowed to stand.

As you know, under existing provisions in the Privacy Act and the Personal Information Protection and Electronic Documents Act, access to personal information can be denied if there are legitimate security or law enforcement reasons. When that happens, the individual can complain to me, and I have the right to see the information and ensure that the government or organization is not acting unreasonably. And, where my intervention doesn't resolve the matter, it can be referred to the Federal Court for determination.

The government wanted to ensure that a Federal Court judge could not, on reviewing an application from an individual, order the disclosure of the information. It wanted to ensure that the possibility of such forced disclosure would not deter foreign countries from sharing sensitive anti-terrorism information with Canada.

That makes sense, but the provisions went much further.

Rather than just prohibit disclosure about and to a given individual, the provisions would have permitted the Attorney-General to issue certificates prohibiting the disclosure of any information under the Privacy Act and the PIPED Act. That would have made it possible for the Minister to issue blanket certificates that applied to an entire agency or department of the Government, or indeed to every agency and department.

Worse, when a certificate was issued, the Privacy Act or the PIPED Act-in their entirety-would not apply. This meant that if an individual's personal information was the object of a certificate, he would not only be unable to obtain access to his information. There would be nothing to prevent the information from being used or disclosed contrary to the Privacy Act or the PIPED Act. If blanket certificates were issued, all Canadians would lose those protections, including the right to an independent review by the Privacy Commissioner. Our rights to privacy under law could, in effect, have been abrogated at ministerial discretion.

I recommended several amendments. As I'm sure you're aware, my concerns and recommendations were fully addressed in the amendments introduced by the government.

As the bill reads now, a certificate can be issued only after a court or tribunal has ordered release of information, and the issuance of that certificate can be appealed to the Federal Court of Appeal. My powers as Privacy Commissioner to investigate any given complaint and make recommendations up to that point remain intact.

Moreover, a certificate can only apply to information about a particular individual. And when a certificate is issued, all the other privacy-protecting provisions of the legislation remain intact.

So this is one way that a specialist office is most effective in protecting privacy. You're better off catching these things at the drafting stage than challenging them later in court. I can get the attention of parliamentarians by virtue of my role as an Officer of Parliament-even if I sometimes have to, as in this case, be aggressive about ensuring that privacy doesn't get lost in the shuffle. And, as in this case again, it's often only a specialist who catches the privacy implications innocuously buried in legislation.

Another reason that a specialist office such as mine is needed to protect privacy is that the nature of privacy, and the threats to it, demand something other than a narrowly legalistic view of the law. Like you, I'm trained in law, and I have a deep respect for the courts. But black-letter law just can't always meet the challenge of the nuances of privacy. It doesn't permit the level of discretion, sensitivity, and flexibility required to give effect to privacy as a right.

And it simply can't move as fast as an office like mine can. That's critical, because the field of privacy changes so quickly.

For example, the definition of personal information in the Privacy Act refers to information "recorded in any form." That was how the threat to privacy was understood in 1983. It was expected to be all-inclusive.

No one was thinking of biometric scanning of faces for instantaneous comparison with photos in data bases. No one, in short, envisaged the capturing of personal information without it being recorded. No one was thinking of real-time video monitoring. That's why more recent legislation-the Personal Information and Electronic Documents Act-doesn't refer to recorded in any form.

The drafters of the Privacy Act back in the early 1980s couldn't have foreseen these things, much less written provisions into the law for them. Laws can be amended, of course, but it's very difficult for the amendment process to move as quickly as technology changes.

So, if we rely on the letter of the law for the protection of privacy, what was intended to be all-inclusive very quickly turns out to be exclusive. What was intended to enshrine and strengthen a fundamental right ends up limiting it and making it useless in the face of the most egregious violations.

An office like mine has the ability to take this into account. We're able to provide both principles and flexibility-and it's that combination of firmly held and understood principles and flexibility in the face of real-world circumstances that makes them the appropriate vehicle for the protection of privacy.

A good example of this occurred a few months ago, when it was brought to my attention that customs officers were routinely opening international mail. They were opening not only parcels but letters that crossed a certain threshold of weight.

Now, it became apparent very quickly that this was not a violation of the letter of the Privacy Act. The law permitted the customs officers to do this. If someone had tried to object to this practice in court, they wouldn't have got far, regardless of whether the judge saw-as any judge would-that there was something seriously amiss.

The law was meant to allow for the opening of parcels, but not to sweep ordinary letters into the picture. The problem was that it distinguished parcels from mail by using an arbitrary weight designation. That probably made sense when the law was drafted. But times change. Use of courier services, with ordinary mail encased in heavy courier envelopes, turns legitimate mail into parcels simply by reason of this arbitrary designation.

Applying the letter of the law was simple here-but it didn't make any sense. It turned the law into a needlessly blunt instrument. That's why I'm very glad that the Minister of National Revenue, Mr. Cauchon, agreed to change customs procedures to exclude the weight of outer envelopes in distinguishing mail from parcels.

I must admit, I'm very conscious of the irony of suggesting to a group of Department of Justice lawyers that you not focus excessively on the letter of the law.

But this question of flexibility is really crucial when it comes to dealing with privacy rights. Another example is the way it came up in a recent complaint to my Office about video surveillance.

This is possibly the biggest privacy issue our society faces. It threatens to expand rapidly in this country, the way it has in the U.K., unless we put limits on it. And it goes to the heart of our privacy rights, and calls into question the adequacy of our laws.

First, it confronts us with something that, though it's not written into statute, is at the heart of the courts' interpretation of our privacy rights: the "reasonable expectation" of privacy.

That's a notion that seems on its face to be useful and sensible. But what if someone loudly and repeatedly says that in a workplace or on a public street, no one should expect any privacy?

Does the reasonable expectation of privacy disappear? Maybe. You've been told not to expect any.

But does the fundamental right of privacy disappear? No, it doesn't.

So I think we need to get away from that standard of the reasonable expectation of privacy, and think about an entitlement to privacy that can't be conjured away by fiat. And while the courts may be awhile arriving at that point, there's no reason an Officer of Parliament can't do it now. It's the position that makes sense, given what we know of the real world.

For a start, then, I don't accept that you have no reasonable expectation of privacy on a public street just because it's public, or just because someone posts signs telling you that you are being watched. Privacy is fundamentally altered if you cannot walk down the street unobserved by the state. Notices that you should have a reduced expectation of privacy do not suffice to deprive you of a fundamental right.

And what's the effect of this?

Well, it's become commonplace to note the chilling effect of surveillance, the censorship that people impose on their own actions and behaviour when they know they are being watched. Or even more notoriously, when they don't know whether they are being watched, but know that they can be at any time.

It's one thing to be seen on the street. It's quite another to be seen, analyzed, compared against databases, identified, matched to other information about yourself-in short, scrutinized.

You will notice that I didn't say anything about "recorded."

That's not because recording is unimportant. Obviously it makes a difference. Being seen is not the same as being recorded, and while we can not reasonably complain about being seen on the street, we can about being recorded.

But all those scrutinizing activities, all those things that we normally believe can only be justified by reasonable suspicion of someone: they can be conducted without recording our activities.

And there is the rub, as far as applying the Privacy Act goes. It applies to information that is recorded. It doesn't apply to surveillance that just watches without relying on recording.

So when the RCMP installed video surveillance equipment on a public street in Kelowna, the letter of the law told me that recording the everyday activities of ordinary citizens, without any suspicion of wrongdoing, couldn't be supported. The spirit of the law told me that switching off the recording aspect of the operation wasn't enough. What I asked of the RCMP in this case was that they look beyond the strict wording of the law and look at the protection of privacy as a fundamental value. While they haven't come around to that way of thinking yet, I'm hopeful that continuing discussions will get us there-and I won't give up until they do.

I should emphasize that looking at the spirit and not just the letter of the law doesn't always mean a more expansive reading. Recently, after investigation of a complaint under the Personal Information Protection and Electronic Documents Act, I concluded that a strict and literal reading of the statute would in fact sweep in too much.

A physician complained to me that a marketing firm was improperly disclosing his personal information by gathering and selling data on his prescribing patterns without his consent.

As you know, the PIPED Act stipulates that, with a few exceptions, consent is an indispensable condition of any collection and disclosure of personal information in the course of commercial activities.

The marketing firm gathers information related to medical prescriptions-names, identification numbers, telephone numbers, and prescribing details of physicians-from pharmacies and other sources. It gathers the information, and discloses it, without obtaining the consent of the physicians. The information is then used to produce customized information products, which typically identify physicians and rank them by monthly prescribing activity for various types or classes of drugs. That information is then sold to pharmaceutical sales representatives.

So, there was no dispute about the facts in this case. The marketing firm was collecting, using, and disclosing the information without consent.

The real question, though, was whether this was personal information within, not just the literal wording, but the meaning, scope, and purpose of the act.

I concluded that for the most part, personal information must be about an individual and not merely associated with the individual by name, for example. A prescription is not in any meaningful sense "about" the physician. It doesn't tell us how he goes about his activities, whether he is casual or formal, whether he works mornings or afternoons, who he meets, where he goes, what view he holds or any of the other many details that could constitute personal information.

Rather I concluded that a prescription is what might best be called a "work product"-the outcome of the professional interaction between the physician and the patient. It's information not about the physician but about something once removed, namely the professional process that led to its issuance.

Any other approach would not, in my view, have been consistent with the stated purpose of the Act, which is to strike a balance between the right of the individual to privacy and the need for society and its organizations for information. If the prescribing patterns of a physician- for instance a tendancy to prescribe one medication rather than another for a given aliment were considered to be information "about" the physician, then we would logically have to say the same thing about identifiable patterns regarding the work products in a whole lot of other activities.

Does the chef in a restaurant mainly focus on cooking fish, does he or she have a heavy hand with the tarragon or use very little salt? Does a contractor use the very newest roofing materials, or mainly stick with what was popular 10 years ago? Regarding such things as "personal information" could have been the end of all sorts of legitimate commercial consumer reporting that doesn't fall within the exemption for journalistic activities. For that matter, it could have meant that such things as letters written by employees in the course of their employment, legal opinions, or reports prepared by employees for use by management would also have had to be considered personal information.

So as Privacy Commissioner, I have to be very conscious of the implications of my decisions. I can't just rely on the letter of the law. I have to look forward to what the effect of my decision will be. I was conscious, in analyzing the material that was before me, that a strict reading of privacy law could have the effect of blocking legitimate public interests. If I had not looked at the matter flexibly, with the intent of the statute in mind, I would have risked bringing privacy into disrepute.

This kind of oversight, combining principles and flexibility, is the centrepiece of my role as Privacy Commissioner. It's what I believe is the advantage that an independent Officer of Parliament has over a court.

My job is to interpret the law, broadly or narrowly, as best advances privacy. And it's to bring to the law common sense, fairness, a sense of practical reality, and a consciousness of the public interest. I believe that this combination of principles and flexibility is the most appropriate means to protect a right as fundamental as privacy.

Thank you.

Date modified: