A North American perspective on terrorism, national security and privacy: Continuing to strike a balance
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
3rd Asia Pacific Forum on Privacy and Data Protection
March 25, 2002
Auckland, New Zealand
Privacy Commissioner of Canada
(Check Against Delivery)
My North American perspective on the response to the September 11th attacks is, in fact, a Canadian perspective. As Canada's Privacy Commissioner, I can't speak for the United States or Mexico. But that doesn't mean my Canadian perspective isn't affected by what happens in those two countries, especially the United States.
Let me begin with three important realities.
First, Canada was not the specific target of the September 11th attacks. Opinion polls show that most Canadians don't consider themselves targets of terrorists, so there is less public demand and domestic political pressure than in the US for invasive state powers to fight terrorism.
Second, our relationship with the US is close, especially in matters of trade. The need for an open border produces pressures to adopt security measures in Canada that will satisfy US concerns so goods and people can continue moving across that border.
Third, the US and Canada take different approaches to privacy protection. In the US, the defence of privacy is primarily left to individuals and lobby groups. Canada has a Privacy Commissioner, appointed by Parliament to champion the privacy rights of Canadians, and to act wherever and whenever Canadians' privacy rights are threatened. The government must take my views into account when formulating policy or legislation with privacy implications.
Canada's principal legislative response to the September 11th attacks was the Anti-Terrorism Act, introduced in October, 2001.
The act, amending over a dozen statutes and creating one new one, strengthened state powers to investigate and prosecute suspected terrorists and terrorist organisations.
Much of the debate over this legislation in Parliament, the media, and among the general public focused on its potential impact on civil liberties and rules of due process. Given my mandate, I limited my attention to its specific privacy implications.
There were several.
The act expanded the range of state surveillance, provided additional authority to monitor financial transactions, and made it easier to obtain a wiretap warrant. It granted new authority to compel individuals to give evidence about third parties. And it imposed restrictions on the disclosure to individuals of information about them that was held by government institutions.
I reviewed the draft legislation with one overriding principle in mind: privacy is a fundamental human right. It cannot be infringed without compelling justification. Any proposal to curtail or limit privacy must, in my view, meet four tests: it must be demonstrably necessary to meet a specific need; it must be likely to be effective in meeting that need; it must be proportional to the magnitude and importance of the problem; and there must be no less privacy-invasive way of achieving the same end.
Applying those four tests to this legislation, it was clear to me that, with one glaring exception, the additional powers granted to the state to were reasonable and proportional, in light of the threat posed by terrorism.
The exception was this.
Under existing provisions in Canada's privacy legislation, an individual's access to his or her own personal information can be denied if there are legitimate security or law enforcement reasons. When that happens, the individual can complain to me, and I have the right to see the information and ensure that the government or organization is not acting unreasonably. Where my intervention doesn't resolve the matter, it can be referred to the Federal Court for determination.
The government wanted to ensure that a Federal Court judge could not, on reviewing an application from an individual, order the disclosure of the information. The possibility of that happening might deter foreign countries from sharing sensitive security information with Canada.
That makes sense, but the provisions went much further.
Rather than just prohibit disclosure about and to a given individual, the provisions would have permitted the Attorney-General to issue certificates prohibiting the disclosure of any information under the privacy statutes. That would have made it possible for the Minister to issue blanket certificates that applied to an entire agency or department of the Government, or indeed to every agency and department.
Worse, when a certificate was issued, Canada's privacy statutes-in their entirety-would not apply. This meant that, if an individual's personal information was the object of a certificate, not only would he be unable to obtain access to his information, there would be nothing to prevent that information being used or disclosed contrary to the privacy laws. If blanket certificates were issued, all Canadians would lose those protections, including the right to an independent review by the Privacy Commissioner. Our rights to privacy under law could, in effect, have been abrogated at ministerial discretion.
This was excessive. It did not meet the four tests I've just set out, and would have constituted an unjustifiable breach of the privacy rights of Canadians.
I succeeded in persuading the government to introduce amendments to preserve the operation of Canada's privacy laws, including my right to investigate a complaint. The act now allows a certificate to be issued only after a court or tribunal has ordered release of information, and the issuance of that certificate can be appealed to the Federal Court of Appeal. My powers as Privacy Commissioner to investigate any given complaint and make recommendations up to that point remain intact.
Moreover, a certificate can only apply to information about a particular individual. And when a certificate is issued, all the other privacy-protecting provisions of the legislation remain intact.
Those who challenged the anti-terrorism bill on civil liberties grounds managed to get a sunset clause inserted, mandating review after five years of its provisions for preventative arrests and investigative hearings.
That made sense for their concerns. But a sunset clause wouldn't have prevented privacy abuses during the period the law was in effect-and privacy, once violated, can't be reclaimed. So my focus was to have the law amended at the outset, rather than reviewed later.
The government also introduced legislation authorising air carriers to divulge passenger information to the customs and immigration authorities of a foreign state. They could release any personal information that the foreign state requested. The purpose of the request, and whether or not there were any safeguards on the subsequent use and disclosure of that information, were immaterial.
This legislation was prompted by the refusal of the United States to allow Canadian aircraft to land in the US unless our government agreed to this. Given the interdependence of the Canadian and US economies, the Canadian government had little choice but to amend its privacy laws to permit the release of passengers' personal information to US authorities.
But I was determined to ensure that this could not be used by Canadian government agencies to circumvent the Privacy Act and collect personal information that otherwise would have been unavailable to them. I persuaded the government to introduce amendments so that no personal information provided to a foreign state could be re-appropriated by the Canadian government, except for purposes of national security, public safety, or defence.
Opinion polls show that, with the initial shock of September 11th beginning to wear off, Canadians are refocusing on everyday concerns of family, work and community, but with a new and vivid awareness of what a dangerous place the world can be.
In this new climate of apprehension, governments at both the national and provincial levels are exploring techniques to bolster public safety and national security. Many of these initiatives pre-date the events of September 11th, of course. But they are now being pursued and applied with greater speed and vigour.
Background checks on employees, in both the public and private sector, are being undertaken in more and more companies and industries, along with more intensive workplace monitoring.
Airports are considering and testing biometric technologies to identify passengers. Identification documents are being re-engineered to enhance security and reduce the risk of forgery, and the spectre of a national identification card has once again reared its head-this despite the fact that no one has been able to show how biometric identification or a national identification card would have prevented the September 11 attacks or would prevent future attacks.
This is a classic example of a privacy infringement that makes us feel safer without actually making us any safer. It's also instructive to note that most of the pressure for the adoption of these high-tech security measures is coming from the companies that manufacture and market the technology.
I monitor these developments and their applications closely, applying the four tests of justification that I described to you earlier.
One initiative of great concern to me is the use of video surveillance in public areas. It is usually proposed as a crime-fighting tool, but its proponents are now playing the anti-terrorism angle as well.
This is one of the greatest threats to privacy in Canada.
I've examined the arguments in support of video surveillance. Not one of the four tests for justification of privacy infringements has been met. Crime rates in Canada are declining, and our streets are not infested with terrorists. And there is no evidence that video surveillance prevents crime or terrorism. With those two tests unmet, the question of proportionality does not even arise. Finally, there are far more effective alternatives that are less privacy-invasive.
So I've travelled the country speaking out against video surveillance of public places, and I'm happy to say that the public and the media are starting to ask hard questions of their police forces. This is another example of how a Privacy Commissioner can protect rights. Canadians and their elected representatives appear to understand that well-intentioned measures to bolster security must not unnecessarily erode our privacy. But they sometimes need to be reminded, or nudged, or even pushed hard. That's the job of a vigilant Privacy Commissioner.
I will never allow my office to stand in the way of the genuine security of Canadians. After September 11th, it's more imperative than ever that I walk a careful line in that respect. But I will not stand aside and see privacy rights sacrificed to hysteria.
We must never lose sight of what it is we want to protect with all these security measures: a free and open society based on individual autonomy and mutual respect. At the heart of a free society lies the fundamental right of privacy. It's the role of a Privacy Commissioner to make sure that we preserve the first by protecting the second.
- Date modified: