Personal Data Disclosure: Can we Preserve Privacy While at the Same Time Enhance Aviation Security?
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
ACI/IATA AVSEC World 2004 Conference
November 4, 2004
Vancouver, British Columbia
Panel Discussion by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
What are the data privacy issues related to provision of passenger data to governments and how must this data be protected (by airlines, travel agents, global distribution systems and government agencies) before governments (in your instance Canada) allow this information transfer to take place.
Thank you. It is a pleasure to be here at this event that brings together aviation and security experts from all over the world. I will take this opportunity to extend a warm welcome to Canada. You are in one of the most beautiful provinces of this beautiful country. I sincerely hope you take the time to enjoy your stay.
This is the first time I have addressed the aviation community since being appointed Privacy Commissioner of Canada last December.
For those of you who are not familiar with Canadian privacy laws and how they work, I'll describe my role briefly.
Privacy Legislation in Canada
The Privacy Commissioner of Canada is an independent Officer of Parliament, appointed for a fixed term of seven years to advocate for privacy rights and the protection of personal information, to investigate complaints from the public, and to promote the understanding and awareness of privacy issues.
As Commissioner, I report directly to the House of Commons and the Senate, and my office is independent of any other part of government. Our office oversees two pieces of federal privacy legislation.
The Privacy Act, which has been in effect for more than 20 years in Canada, limits the collection, use and disclosure of personal information by government, and gives Canadians certain rights to access and correct that information. As you may know, I have expressed some concerns about the adequacy of the Privacy Act and would like to see it refreshed and strengthened to adequately protect the personal information of Canadians.
The Personal Information Protection and Electronic Documents Act — also known as PIPEDA — protects personal information held by private sector businesses and organizations. It covers the collection, use and disclosure of customers' personal information in the course of any commercial activity in a province. The law also applies to information collected, used or disclosed across provincial, territorial or national boundaries, an aspect that I will touch on later.
My role as Privacy Commissioner is that of an ombudsman. My Office investigates complaints from the public under both Acts, but I don't have the power to issue orders or impose penalties. Instead, we use the tools of persuasion, negotiation and problem solving.
It is very gratifying to see data privacy issues discussed in this forum. I am particularly pleased to discuss the tension between international security and individual privacy rights with you today, as my first Annual Report as Privacy Commissioner of Canada is being tabled in the House of Commons. Many of the privacy issues that have taken our attention in the past year had to do with the debate on how to achieve that particular equilibrium. That is what I would like to address here as well.
The Privacy / Security Equation
So much of the focus of concern surrounding air travel in the past few years has been on security, that ideas about civil liberties and individual rights have often been lost in the debate. In our world, goods, people, and data flow freely around the globe, and our international economy depends on it. We cannot physically shut down our borders or suspend international trade. So we have turned to technology and information management in the pursuit of security in the wake of September 11.
The pursuit of security and the desire for international safety has led to the collection and exchange of vast amounts of passenger information around the world.
I am not convinced that the large scale collection of data about individual travellers makes the world a safer place. I have yet to see proof of this. It has yet to be demonstrated publically that the huge amounts of money that are being spent on collecting information, and on the data management tools for screening and risk assessment have actually lead to a marked increase in security.
However, I am absolutely certain that the increasing accumulation of personal information for passenger profiling is a serious threat to individual privacy. There is the risk that governments may use this information to track people for reasons unrelated to air travel security. For example, here in Canada, recent amendments to our legislation allow Canadian police to scan passenger lists for serious common law offenders for whom arrest warrants have been issued. My Office has registered its strong concern about this "function creep".
There is the very real risk of racial and ethnic profiling — some groups of people will be under greater scrutiny and surveillance not because of anything they have done, but because of where they were born, where their families live, where they like to vacation — or even what kind of meals they eat.
There is certainly the risk of identity theft and fraud - government databases containing sensitive personal information have been compromised through theft or hacking or bribery all around the world, including right here in Canada. However advanced technological systems may become more common, the human factor still exists — and can be exploited. Are we paying enough attention to the selection, working conditions and supervision of those who have access to our personal information?
And there is a huge problem of control. When passenger information collected in one country is given to another, what privacy provisions apply? What restrictions can realistically be placed on how that country uses or discloses the information? Canadian authorities may not be concerned that a passenger ordered a kosher or halal meal, for example, but what if that information is transferred to a data base in another nation? For example, Canadian authorities have agreed to purge some sensitive elements such as meals ordered and health information from the PNR data they receive from carriers. But we don't have a clear idea of how the U.S. authorities will treat the PNR data provided to them by Canadian airlines and passenger reservation systems.
Trans-Border Information Flow
Our Office is taking a close look at trans-border flows of personal information. This is emerging as a central issue for us and others around the world.
The issues raised by the transfer of Passenger Name Record (PNR) and Advanced Passenger Information (API) are at the forefront of our concerns.
We have issues concerning passenger data privacy on two fronts. Vastly simplified, these are:
- The collection of personal information about travellers landing in Canada on international flights, and how to prevent its possible misuse by Canadian government or security institutions, and
- The collection of personal information about travellers from Canada to the United States, and its possible misuse by U.S. government or security institutions
Since 1998, we have been requesting limits on the number of elements collected, and for restrictions on the retention and use of that data. These discussions took place with the Canadian Customs and Revenue Agency, and then with its replacement, the new Canadian Border Services Agency. We received undertakings in 2003 from the Minister of the day that data not required for customs purposes, including meals and health information, would be purged. As well, a strict access and retention schedule was to be put in place. We understand these undertakings are to be formalized in a policy, which we have not yet seen.
The Canadian Border Services Agency has been seeking an adequacy finding from the European Commission in order to allow European based airlines to release API/PNR to them. The concerns expressed in the opinion paper of the Article 29 Data Protection Working Party of the European Commission on the nature and number of data elements collected and disclosed parallel those raised by our Office.
A serious concern raised by in the opinion paper of the Article 29 Data Protection Working Party of the European Commission relates to data access and privacy redress for EU citizens. Our Office shares these concerns regarding the right of foreign nationals to use our Canadian law. One option under consideration is to extend rights under the Privacy Act to passengers who are not resident in Canada. This is being looked at by the Canadian Border Services Agency and the European Commission.
On the second issue, our Office has raised concerns with the Canadian Border Services Agency on its memorandum of understanding regarding the exchange of passenger information with the U.S. The MOU is not yet finalized, but we are encouraged to see our intervention has led to certain modifications. Discussions on this issue are ongoing.
Our concerns are broadly focussed on:
- the number of elements to be shared
- the purpose for which the data may be used
- standards regarding data matching;
- data retention periods;
- use of the shared data for testing programs such as Secure Flight
- passenger notification;
- onward transfers to other governments
The commercial sector as agents of the state
All commercial carriers, charter operators, travel agents and owners of reservations systems must provide API/PNR information about passengers carried to Canada to the Canadian government.
I have argued vehemently against the co-opting of Canadian private sector organizations to collect customers' personal information without consent for law enforcement purposes. Data collected for one purpose — to provide flight service from point A to point B — should not be used for other purposes without the knowledge and consent of the customer. Under the current system, however, that is exactly what is happening.
One of our concerns is the way in which this data is supplied. Airlines are simply giving the Canadian Border Services Agency all the information they have about passengers in their reservation systems. Canadian based airlines that provide passenger information directly to the U.S. do the same.
My understanding of the position taken by commercial air carriers is that filtering or editing this data before providing it to governments would simply be too arduous a task. It is left up to the state organization receiving the information to decide which data elements to retain, and which to purge. As I mentioned, under our agreement with the Canadian authorities, some sensitive elements such as meal and health information will be purged. Canadian Aeronautics Act Regulations describe 29 data elements which may be provided to foreign states — but since air carriers cannot filter or edit what they send, how can they comply with these regulations? It seems to be a classic Catch-22 situation.
Don't get me wrong here — my Office is certainly not opposed to increasing security, particularly aviation security. We have every desire to cooperate with international anti-terrorism measures.
However, I believe we must be critical when sharing personal information with state agencies or other nations for security purposes. There must be identifiable limits on what information is collected by governments, there must be procedures and specific policies in place to ensure the information is used and disclosed only for defined and reasonable purposes. There must be assurances that it is retained no longer than absolutely necessary. I also believe that air carriers and operators of reservations systems should be required to inform customers of the routine provision of their personal information to government and law enforcement agencies.
Attempts to limit the effectiveness of terrorist organizations have linked nations around the world. Many nations are involved in a concerted global effort to increase security. There is a growing body of international cooperation and collaboration on many aspects of aviation security, and a desire for harmonization of practices across the board.
International harmonization of data element requirements and privacy protections for API/PNR information would resolve some highly contradictory problems for carriers, while ensuring a level playing field of privacy protections for international travellers.
A framework for the harmonization should include:
- agreement on standard elements of data
- rights to access, correction and redress
- standards for secure API/PNR data storage systems
- adequate notification of passengers
- an outline of defined and specific allowable uses
- the development of a "push" rather than "pull" system for transferring data elements
- Strict limits for onward transfers of information to other governments
- International oversight
I believe that harmonization of privacy protection for international air passengers will become increasingly important as other nations around the world contemplate setting up their own advance passenger information systems, and the API/PNR data bases proliferate. Hundreds of millions of people from all walks of life fly into destinations all over the world daily — and their personal information flies in with them. These travellers should not be forced to leave their privacy protections at home.
Thank you. I look forward to discussing these ideas further with panel members.
- Date modified: