The Walrus, The Carpenter, Privacy, and Pigs With Wings

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Privacy and Data Security Summit
International Association of Privacy Professionals

February 19, 2004
Washington, D.C.

Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)

---

Many of you will remember Lewis Carroll's poem about the Walrus and the Carpenter — the one that begins, "'The time has come,' the Walrus said, 'To talk of many things.'" Among the many things the Walrus wanted to talk of were "why the sea is boiling hot and whether pigs have wings." I think about this poem often when I read about global warming or genetic technology. What I want to talk about today are not pigs with wings, but information with wings. If you insist on hearing about pigs, I can't help you. I can talk about cows, however, and in keeping with the spirit of Mr. Carroll, who gave us the Mad Hatter, they're mad cows.

Recently a cow in the U.S. was found to be infected with bovine spongiform encephalopathy or "mad cow disease." This gave rise to an urgent investigation, which revealed that the cow originated in Canada. This brought home to all of us, in a very vivid way, the degree to which the Canadian and U.S. food chains are integrated. It also highlighted the degree to which the market in personal information connected with food supplies is integrated.

In Canada, we have an industry organization called the Canadian Cattle Identification Agency, which helps us respond to outbreaks of cattle disease. Beef producers purchase identifying ear-tags for their cattle, and their names, addresses, and telephone numbers are registered against the tags in the Agency's database. They then apply the tags to any cattle permanently leaving their ranch or farm. In the event of a disease outbreak, the Agency can trace back the origins of all the ear-tagged cattle involved.

This is an important program, obviously. But it has privacy implications. The matching of the personal information in that database with the tagged cattle can tell you a lot about the person. As one ranchers' representative in the U.S. commented, information about how many cattle someone owns, breeds, or sells is "personal, just like the amount of money in your bank account is personal."

You may have read of a pilot project for what amounts to pigs with wings in Prince Edward Island involving the tracing of pork by DNA, from farm to slaughterhouse to meat-cutting plant right through to the supermarket. Again, the usefulness of this, in dealing with problems of contamination in the food supply, is obvious. But, even though we're talking about the animals' DNA and not our own, there are still privacy implications. The process of matching these products to the farmers and producers involved entails collection, use, and disclosure of personal information. Putting all that information into a database raises questions about how it will be maintained, how long the information will be retained, and who will have access to it.

We can regulate the privacy aspects of this in Canada, and I'll talk in a moment about Canadian privacy protection laws. But what about when this information crosses over to the U.S.? Meat producers in Canada want to cooperate and ensure that the food supply is safe and reliable. That doesn't mean that they necessarily want their names and other personal information sold without their consent to marketers in the U.S.

Let me turn now to the Canadian approach to privacy protection, and how it dovetails with Canadian approaches to business. This has implications both for companies that do business in Canada, and for companies operating in Canada that transfer or disclose personal information outside Canada's borders.

Public opinion surveys and focus groups consistently demonstrate that ethics and human rights are important to Canadians. This influences Canadian attitudes to business.

The high premium that Canadians place on human rights applies to privacy as well (It's an interesting twist that, in polls, people in the U.S. consistently place a higher value on privacy than Canadians do. But Canada, unlike the U.S. has opted for overarching national data protection standards).

Canada began on this route in 1984 when it signed the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The first legislative data protection in the private sector came in 1993 in Quebec, partly in response to the European Union's interest in data protection, which would eventually lead to the Data Protection Directive of 1995.

By the end of the decade it was widely recognized at the federal level that a legislative model was needed. The Model Code became the basis for the Personal Information Protection and Electronic Documents Act, or PIPEDA for short, passed just over three years ago. This is the federal data protection law governing the private sector, which has come into force progressively since 2000 and since January 1^st this year it applies to all collection, use, and disclosure of personal information in commercial activities, except where a substantially similar provincial law applies. It influences how Canadian companies conduct business both in Canada and abroad, and it has a powerful impact on foreign enterprises that do business in or with Canada.

The implications are most significant for countries that don't have overarching national data protection legislation of their own, like our largest trading partner, the U.S.

Privacy protection, as we all know, has to work in a globalized context. I don't want to overstate the challenge that this presents: Canada and EU member states are fully and successfully engaged in trade with the U.S. So it's by no means impossible. But the fact remains that enforcing national standards of privacy protection is complicated when personal information crosses national borders.

Canadians, with their concerns about data protection addressed in Canada by PIPEDA, still have reason for concern about their personal information when it crosses into the U.S. They may be reluctant to consent to disclosures of their personal information into jurisdictions that in their view give it less protection than it gets in Canada. And they may be very forceful about asserting their rights. This needs to be understood by companies in the U.S. that collect, use, or disclose the personal information of Canadians.

For example, if companies subject to PIPEDA want to disclose personal information — if they want, say, to sell or trade a mailing list — they require the consent of the person to whom the information relates. If they transfer personal information abroad for processing, they remain responsible for it, and they're required to use contractual or other means to ensure that it's treated in a manner consistent with PIPEDA.

If personal information is collected, used, or disclosed in Canada without their consent — and since January 2004 this applies to any company conducting commercial operations in Canada except in Quebec, which has its own substantially similar law — they can complain under PIPEDA.

Now, most of our complaints, if they're well-founded, are dealt with without recourse to the courts, and our focus is very much on settlement. But the fact is that individuals have a right under PIPEDA, independent of any action we take with respect to their complaint, to apply to the Federal Court of Canada for a hearing of their complaint once a report has been made. The Court can award damages and order compliance for information processing practices.

So you can see why we think it's very important that companies, not just in Canada but doing business with Canada, develop a full understanding of this legislation. In fact, the Office of the Privacy Commissioner fully expects to receive complaints from individuals about information collection practices of U.S. companies operating branch activities in Canada

I want to turn briefly now to another subject of shared concern between Canada and its international partners, and that is the impact of national security issues on personal information in international business transactions.

Just as mad cows have raised our awareness of the integration of our food supplies, so the post-9/11 security situation has heightened our understanding of collective security. We are tied together in our security concerns, and the means by which we address those concerns have international implications for privacy.

In their recent book The Governance of Privacy, Colin Bennett and Charles Raab noted the contradiction between governments enhancing privacy protections in the private sector while diminishing them in the public sector in response to concerns about terrorism.

Such a contradiction might make a government seem hypocritical, and might discourage it from being so privacy-invasive in the public sector. Bennett and Raab hint at that view. But it might just as likely have the opposite effect. It might encourage governments to enlist the private sector, with its personal information holdings, in the war on terrorism.

This is not fanciful speculation. In Canada, personal information that's collected by airlines and travel agencies — about our travel histories, activities and destinations — now has to be turned over to national security authorities for scrutiny. Our Office was very outspoken in its opposition to this, and succeeded in limiting the scope of the information collected and the period for which it's retained, but it remains the case that this is a troubling prospect. Canada as a nation has put restrictions on how private sector companies collect, use and disclose our personal information. We've come up with ways of controlling it when it leaves our borders. But we may be powerless to stop law enforcement and national security agencies from commandeering commercial information, and using it, in ways that are dramatically at odds with fair information principles.

I think that we all share these concerns. In a world of mad cows crossing borders and information on the wing, the security of our personal information is a collective endeavour. The challenge of protecting privacy and at the same time ensuring security against crime and terrorism, the challenge of doing business in our own way while ensuring that we can trade and cooperate with others: These questions preoccupy us in Canada, and we have responded in the commercial context by the PIPEDA legislation which sets clear standards for commercial personal information management. We carry these concerns into the areas of national safety and collective security where we will continue to exercise vigilance to ensure that safety and security are not achieved at too high a cost.