Personal Data Protection Issues in a Globalized World

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the 3rd Conference of Francophonie Personal Data Protection and Privacy Commissioners

November 3, 2009
Madrid, Spain

Address by Chantal Bernier
Assistant Privacy Commissioner of Canada

(Check against delivery)

  • The key point in this presentation is obvious: globalization and the attendant intensification of data sharing require not only stronger personal data protection at the national level, but also increased international co-operation.
  • It may be obvious, but it merits our consideration. As personal data protection authorities, we need to identify the issues involved in globalization and the strategies required to deal with personal data protection.
  • These are the two key issues I will address in my presentation. However, to begin with, we need to define what we mean by “globalization.”
  • I use the term in reference to the more relaxed territorial, institutional and trade boundaries that lead to increased mobility of people, intensified trade, worldwide access to information, and the interdependence of states in dealing with common challenges such as pollution, pandemics, terrorism and organized crime.
  • Bill Clinton described globalization as a “world without walls.” I like to use this expression because it provides a vivid illustration of the challenge of protecting personal data that stems from it.
  • And, since we are stating the obvious, allow me to insist that privacy protection is increasingly important as globalization proceeds apace. There are many examples around the world of ruined reputations and lives affected by the inappropriate sharing of personal information.
  • In Canada, we were reminded of this by one momentous incident.
  • Maher Arar, a Syrian-born Canadian, young father of two children, and perfectly ordinary computer specialist, became a symbol of this new reality. In September 2002, Maher Arar was detained in New York while coming home to Canada after a holiday. The Canadian Security Intelligence Service had gathered personal data about him as a person of peripheral interest while engaged in the surveillance of someone else. This personal data had been transmitted to the Royal Canadian Mounted Police, which in turn shared it with American authorities. It was on the basis of this intelligence, in the course of conducting surveillance on another person, that the United States returned Maher Arar to Syria, where he was detained and tortured for one year.

    Canadian authorities eventually managed to have him released, and a board of inquiry brought to light all the shortcomings of our personal data-sharing practices. Mr. Arar was compensated for his suffering, to the extent that compensation is possible.
  • This tragedy clearly brought home to Canadians the lessons that underpin my remarks today:
    1. Regulating personal data management is as important as respecting fundamental rights, not only because the right to privacy is a fundamental right, but also because respect for all fundamental rights depends on doing so.
    2. Intergovernmental sharing of personal data should only occur under strict conditions, including the following:
      • Only with states that respect fundamental rights and that protect personal data; and
      • Even with democratic states, only on condition that they do not pass on the personal data we share with them to other states that do not respect fundamental rights or that do not allow for personal data protection.

In short, any state that wishes to be involved politically or economically in globalization must guarantee that it will protect personal data, in view of the major repercussions that may result from violating such protection in a globalized world.

  1. The repercussions of globalization on the protection of personal data:
    • In my opinion, the Maher Arar case highlights the major effects of globalization on privacy:
      1. The phenomenon of “data divestiture,” to which Professor Karim Benyekhlef referred in an article on international standards for privacy protection and the information highway, describes this loss of control over information, whether it is spread by an individual over a social network, or shared by a government under a co-operation agreement:
        • The scope of information dissemination, including personal data, is unprecedented;
        • Access to such information is unprecedented;
        • The authority over such information is so fragmented that the State loses control over data protection and the individual loses control, not only over the information, but also over any recourse in the event of a violation.
      2. The complexity of personal data management stemming from the sharing of such data: owing to technology and international co-operation, companies and states are increasingly relying on common databases:
        • The sharing of personal data comes about either as a result of intergovernmental agreements for reasons of national security, combating organized crime or, in special cases, managing pandemics.
        • It also comes about as a result of the common use of technological infrastructures such as servers or electronic transmission cables.
        • Shared personal data is also in jeopardy because of the discrepancies among various data protection regimes: a state that does not protect data because of a lack of adequate standards threatens the privacy of all individuals whose personal data is being shared.
      3. The potential seriousness of inappropriate personal data sharing:
        • The Maher Arar situation is an extreme case, but it demonstrates the vulnerability that results from the global sharing of information. Daniel Solove has spoken about this issue very convincingly in The Future of Reputation.
        • The seriousness stems from the scope of the information and its sensitive nature: in a context as tense as national security, for example, personal data can easily fall under a cloud of suspicion that can lead to serious restrictions on an individual’s freedom.
      4. A fourth impact of globalization is intergovernmental pressure. As I mentioned at the outset, because globalization is defined among other things by the interdependence of states, privacy protection becomes subject to this interdependence and a state may now be subjected to the requirements of another in how it handles personal data.
        • Canada is deeply affected by this because of its proximity to the United States and the intensification of U.S. security measures:
          • We share with the U.S. a 6,000 km border to the south and a more than 2,000 km border to the northwest. The U.S. is our largest economic trading partner and to maintain the flow of people and goods, we need to negotiate firmly, albeit not always successfully, to protect the privacy of Canadians.
          • While threats to national security are nothing new—we can all remember the Cold War—ways of attacking national security have changed.
          • This change has a major impact on privacy protection measures because the traditional threats from other states—which required the surveillance of other states with information considered a state secret—have morphed into threats from individuals, and surveillance focussed to a greater extent on personal data.
          • In short, not only have national security measures intensified, increasing the challenge of protecting personal data, but there has also been a transformation of these measures, which increasingly involves personal data collection.
      5. Lastly, it is important to mention the repercussions stemming from technological vulnerability: personal data is now stored in electronic databases susceptible to cyber attacks, leaks and human error. Globalization increases the risk of attacks as repercussions become more severe.
  2. Appropriate protection strategies:
    • Now that I have summarized the main repercussions of globalization on the management of personal data, I will move on to the second part of my talk: what protection strategies are needed to deal with these new challenges.
    • I will break down my summary into four parts. The protection of personal data rests on:
      1. A robust national legislative framework that reflects a country’s privacy values;
      2. A governance structure that has the level of independence and the resources needed to implement this legislative framework;
      3. International standards that govern the management of personal data shared among states; and
      4. A physical and technological infrastructure required to protect personal data against deliberate or accidental privacy violations, and technological expertise within personal data protection authorities in order to follow technological developments or express an opinion on technological risks and work together with governments in cybersecurity programs.
    • Although we have all these tools in Canada, I can still give you a number of examples of how even our robust system is being seriously tested:
      • Widespread Internet use by Canadians, even very young Canadians, requires growing vigilance by service providers and greater efforts to educate the public. This was clearly demonstrated in our Facebook investigation.
      • The growing use of the Internet in government transactions forces us to enact new standards and to implement new cybersecurity measures to protect electronic communication with the government and within government.
      • The growing rate of personal data sharing between states is forcing us to become increasingly vigilant in order to comply with existing standards.
    • Here are a few pitfalls that illustrate the need for solid legislative and administrative protection of personal data:
      • Under the Western Hemisphere Travel Initiative (WHTI), the United States requires a passport or an enhanced driver’s licence to cross the border in a vehicle. The enhanced driver’s licence contains more information than an ordinary driver’s licence, as well as an RFID chip. It was impossible to avoid this requirement, but we were able to obtain two major privacy protection measures: (1) the driver’s licence comes with a protective sleeve that prevents any illegitemate remote reading; and (2) all intelligence data about Canadians remains in Canada—American officers can only access this information by reading the barcode. We were able to adequately protect the rights of Canadians in this context because of the robust legislative and institutional privacy protection mechanisms in Canada.
    • In the fight against global organized crime and money laundering, the Financial Transactions and Reports Analysis Centre of Canada (or FINTRAC) is responsible for compiling personal information connected to suspicious transactions. Our audit of FINTRAC processes showed that the pressure on financial institutions to report all potentially suspect transactions has given rise to the excessive disclosure of personal data.
    • Our audit of the Specified Persons List highlights another example of the vulnerability of privacy protection under the weight of the global war on terror. One of our conclusions was that the list was being distributed to airline companies without all of the required protection measures.
    • This new state of affairs—by which I mean increased sharing of data, including of personal data, and the widespread dissemination of such data through information technology—requires that we, those responsible for protecting privacy rights, need to be more alert in order to manage the necessary sharing of personal data fairly.
    • The desire of our countries and their citizens to share in the opportunities provided by globalization, whether in trade or policy matters, means that if we want to be players in this new dynamic, we must have the legislative and institutional tools needed to protect individuals.
    • In short:
      1. We need to be aware of all social, technological and political developments that threaten personal data protection. For instance:
        1. We must keep abreast of trends among young people’s use of social networks on the Internet;
        2. We must review all national security measures to determine their impact on privacy—information sharing among enforcement agencies, surveillance technologies, and sharing between states; and
        3. We must submit concrete legislative proposals to our governments for safeguarding personal data in a new context.
      2. To our respective states and to commercial entities, we must recommend policies and technological infrastructure that are suited to this new information‑sharing environment.

        Specifically, this means being aware of security protection measures on a technical level and actively implementing them. We need to recruit the right people into our various organizations and become technological hotshots capable of working together with government cybersecurity organizations.
      3. We must also encourage our respective governments to give careful thought to redefining the right to privacy in a new context of national security and technological powers.
    • In short, we can’t stop progress and we can’t stop globalization. On the contrary, we must take advantage of it.
    • But to benefit from it, we must be in a position to give our citizens, and the citizens of the countries we deal with, the assurance that their personal data is being protected in this context of unprecedented data sharing.

Thank you.

Date modified: