Protecting Privacy

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks for the Couchiching Summer Conference
Security: Government, Openness and Connections

Orillia, Ontario
August 10, 2008

Address by Jennifer Stoddart
Privacy Commissioner of Canada



Introduction

Thank you so much for this opportunity. I’m very conscious of the long shadow cast by this conference, where leaders, students and other thinkers have gathered to wrestle with global problems for close to 80 years.

Many of the issues that have preoccupied, challenged, even stumped the great minds attending the conference over the decades still confront us today. Privacy is one of those.

In 1971, the conference subject was privacy and a law professor named Edward Ryan stood here and emphasized the pivotal importance of privacy. He said:

The right to privacy - far from being a mere individual claim - is itself a public interest of the highest order, in which may be found the wellsprings of individual creativity and group expression which are the heart of popular government. They cannot be allowed to be imperilled. No more fundamental laws to our ideals is possible than that posed by the possession and potential abuse of overly wide governmental powers in this area.

Which is to say: A vibrant, open, expressive and innovative democracy is threatened when you spy on your citizens.

Professor Ryan made a strong case. Now let me tell you I feel compelled to make it again – with far greater urgency.

I’d like to share some thoughts this morning about how three key factors – technological advances; economic transformation; and the fallout from 9-11 – have dramatically increased the threats that a privacy commissioner – all of us, in fact – are up against.

Has the knowledge explosion changed our relationship with businesses and government – and raised the privacy stakes? Absolutely.

Privacy is really about protecting personal information and the right to control our own personal information. People are at the centre of personal information.

In Canada, two privacy laws protect individuals’ rights over their own personal information – the Privacy Act, which applies to federal departments, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in the private-sector context.

Technological developments

In terms of new challenges for the protection and control of personal information and privacy, let’s start with technology.

Over the past 20 years, advances in information and communications technologies have made it exponentially cheaper and faster to collect, create, share, process and store information. The dramatic proliferation of data has been called an “exaflood.”

It took two centuries for the U.S. Library of Congress to acquire the more than 134 million items in its print collection. With the explosion of digital information, it now takes less than 15 minutes for the world to produce an equivalent amount of information.

Within that Mount Everest of data is a lot of personal information that needs to be properly managed and protected.

Technology and Privacy

Not long ago, the Washington Post wrote that a ballooning database threatened to overwhelm the people who manage a U.S. storehouse for information about suspected terrorists. That database has more than quadrupled in a few years.

The official in charge said his single biggest worry is “long-term quality control” as the database continues to expand.

Here at home, a recent audit by my Office showed the RCMP has its own challenges in managing growing data holdings. We found the RCMP’s exempt databanks were crowded with tens of thousands of national security and criminal operational intelligence records which should not have been there – raising potential risks for people identified in those files.

Powerful new technologies have also created a completely different type of risk for our privacy: the portability of huge aggregates of personal information.

Forty years ago, it would have been very difficult to leave a government building with files containing the personal information of millions of citizens – you’d have needed a truck to cart away the paper. Thirty years ago, you’d have needed crates of floppy disks. Ten years ago, it would still have been tricky to get past security with a hard drive. But today, those files fit on a laptop, a single DVD, a thumb drive.

It has become all too easy for someone to walk out of an office with the personal information of huge numbers of people in a briefcase. Little devices such as laptops have an alarming tendency to go missing – as investigations by my Office have shown. In Britain, the personal information of 25 million families was compromised because two computer disks went missing.

That’s the technology side, but the economic element has also been significant.

Economic Transformations

The economics of information have complicated the relationship between citizens and state, just as they have upset the link between businesses and their clients.

Global competition has converted every industry into an information industry hungry for as much information about its clientele as possible.

Just as with raw goods, data is now transmitted electronically around the world for processing – to wherever it’s cheapest and fastest to analyze, action, reprocess or store it.

As every gigabyte of data becomes cheaper to store, server farms, information warehousing and data mining have become more and more commonplace.

Privacy in a Transformed Economy

Again, the privacy implications of such trends are profound.

E-commerce is the most obvious example. In the course of a single transaction, personal information may be gathered and traded between dozens of parties, in many countries. If you buy a book online you can potentially create an international data trail of personal information thousands of miles long.

The large personal data pools from such transactions have become attractive targets for hackers – as we saw in the massive data breach at TJX, the U.S. retail giant that owns Winners and HomeSense stores.

This type of data supply chain is affecting how personal information is handled by the federal government.

Our Citizenship and Immigration department is outsourcing visa processing in China to a private company, as it has already done in a few other countries. This prompts the obvious question of whether personal information held by a private firm will be as well protected as it would be if handled only by Canadian officials.

In China, local security provisions mean applicants’ data may be accessed by Chinese government authorities. Meanwhile, the company selected to process visas suffered an online security breach which exposed the personal information of some 50,000 Indians applying for British visas.

Cloud Computing

All of this is to say that, in both the public and private realms, the idea of a linear supply chain in the information economy – something like Henry Ford’s assembly line – does not map well onto 21st century computing and e-commerce. There is simply too much data being gathered, shared, revised and recombined along each step in the business process.

More and more, all the elements of a transaction are dispersed far and wide, but coalesce to make that exchange possible. Then they disperse back into the ether.

IT gurus now talk about cloud-computing – a poetic metaphor for how our personal information is constantly floating and circulating around the world.

But, with all this sensitive data swirling about, don’t we need some angels in this picture – to ensure proper data protection, protect privacy, build trust and so on? I’ll come back to protection issues a little later.

The National Security Rationale

First, I’d like to talk about another major threat to privacy – the fundamental changes to the way governments approach national security.

Following the 9-11 tragedy, we have seen some long-standing privacy walls begin to fall. Speaking globally, all governments – be they democratic or dictatorial – now routinely collect more information about citizens than ever before.

In some cases, initiatives are raising significant questions for human rights.

In Canada, airlines are required to turn over passenger information to the government. Anti-money laundering and terrorist financing legislation requires banks, jewellers, real estate agents, lawyers, stock brokers, and casino employees to tell government about any clients involved in transactions they judge to be suspicious.

At Kelowna’s airport, travellers are being asked to stand in front of scanners that can see through their clothing as part of a security pilot project. The scanner generates an image of an essentially naked body.

Canada’s no-fly list, meanwhile, involves the secretive use of personal information in a way that profoundly impacts privacy and related rights such as freedom of association and expression and the right to mobility.

I can appreciate the underlying aim of many security programs; however, I often question the approach, efficacy, efficiency or proportionality of certain initiatives.

Some programs aimed at catching criminals and terrorists are casting an overly wide net – and turning all of us into suspects.

Function Creep

Another concern is function creep – the danger governments will be tempted to use all of this personal information they’re collecting for purposes beyond what was originally intended.

Typically, each program is launched with great intentions to combat an immediate problem. Often, in hindsight, these turn out to be very exceptional events. But while the crisis may fade, monitoring continues.

Where are we headed? We can look to our ally, the United Kingdom for an idea of the possible future, although the U.S. has also moved quickly in this direction.

British media reported earlier this year that local councils and other public bodies are using powers provided under legislation designed to thwart terrorism to investigate petty offences such as under-age smoking, parking fines – even the failure to pick up after a dog.

Government Assurances

Politicians and bureaucrats assure us our privacy is safe. But in audit after audit, evaluation after evaluation, report after report, our Office finds problems, security lapses, data breaches, shoddy record keeping and sloppy human errors.

We also often hear the message that if we have done nothing wrong, we have nothing to fear.

During an exchange at a parliamentary committee meeting this spring, an MP who favours strong national security programs wondered aloud: Why exactly should Canadians care if the government collects information about them?

David Flaherty, a prominent academic who was the first Information and Privacy Commissioner for British Columbia, met this inquiry with a quick succession of questions: How much money do you have in the bank? Have you ever seen a psychiatrist? What medications do you take?

We keep such information private not because we have something to hide, or have done something wrong. We do so because it is personal; because it’s ours. It’s no one else’s business.

Future Directions

So far, I have painted a fairly grim picture. But the future is not set in stone – it is not set by politics or technology, but by people.

As I said earlier, if the global circulation of personal data is now compared to the clouds, what we need are a few more angels up there, willing to sing the virtues of privacy.

What would those angels look like?

In today’s wired world, privacy demands a global approach – we need champions to help put in place international privacy solutions.

Many countries have relatively weak privacy laws – if they have them at all. As a result, data shared by governments or companies for one reason can be exploited for a host of other purposes.

Privacy cannot be protected if your vision stops at the border. We require global thinking and global solutions. On this front, I am very heartened by recent efforts by the OECD and APEC.

We also need more Main Street privacy champions. Individual Canadians can help by speaking out about what they expect from the government. I believe they expect their government to adopt security measures that respect fundamental rights. They want the government to ensure their personal information is protected; that their dignity is respected.

And our politicians and government officials? Well – to put it simply – they should listen attentively.

Conclusion

Privacy is a critical element of a free society and there can be no real freedom without it.

Canada is currently on a dangerous path towards a surveillance society. We are beginning to think of more and more everyday situations in terms of “risk” and the previously exceptional collection and use of personal information are becoming normal.

History demonstrates government surveillance is a bit like oil on water – it spreads, so that the personal information of more and more people ends up being recorded and scrutinized.

Breaking these trends is not going to be easy. As with so many other rights and freedoms, privacy is not a battle you fight to win in a decisive way. It’s a battle you will need to re-fight again and again.

We can’t fail. The right to privacy is a public interest of the highest order.
