Security and privacy at mega events – Integrating privacy and public safety in the 21st century
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the Second Annual Privacy and Access Symposium
October 3, 2011
Address by Chantal Bernier
Assistant Privacy Commissioner of Canada
(Check against delivery)
Mega events such as the Olympic Games in Vancouver, the G20 in Toronto and, with a different twist, the Stanley Cup riots in Vancouver, are forcing us to give a second look at the integration of public safety and privacy considerations in these unique circumstances.
Today, I will address:
- how the context for public safety and privacy is changing—or not;
- how our legal framework addresses current challenges—or not;
- I will give you specific examples of how we handled the issue in the context of the Vancouver Olympics;
- And finally, I will propose a modernized legal approach to address the new context of privacy and public safety.
I say we need to take a second look because a lot of what we have taken for granted in relation to the protection of privacy in the context of maintaining public safety has changed and we need to adapt our legal response.
For the sake of discussion, I will summarize the most relevant changes to three:
- The first one, I will call the abstraction of surveillance. We are used to seeing increased police presence at big events. Because we see them we know they are watching us. With video surveillance, ubiquitous but not obvious, we do not necessarily know we are being watched.
With varying image retention capacity, we do not know for how long we are being watched or by whom. We are also used to the police having to approach us and ask who we are if they want to find out our identity. And we can exercise the right to refuse to reveal it.
With facial recognition, the matching of identity to an image means we can be identified without knowing, without the possibility of exercising any right to privacy. As privacy professionals, we need to apply the established principles of necessity and transparency in this new public safety context.
- The second change, I will call the individualization of surveillance. Another assumption we need to rethink is the scope of public safety measures.
Traditionally, we assumed that public safety surveillance was mostly targeted at specific individuals for their connection with criminal activities. Now, however dutiful and law abiding, we are all caught in this web of safety measures that range from metal detectors to RFID chips to broad databases—under a cloud of general suspicion and individualized surveillance.
That is in my view, should be the greatest cause of concern for privacy professionals: as the right to privacy defines, among other aspects, the relationship between the state and citizens, we need to ensure that the pressures and techniques for ensuring public safety do not compromise the fundamental principles that govern that relationship.
- The third change I will mention is the transparency of the Internet. That is what I refer to as the “new twist” that forces a second look at privacy protection in the face of the potential for privacy violation on social networks and the Internet, and that is also the area where I believe the deficiencies of our legal framework are most apparent.
What is the law on citizens capturing images of other citizens and broadcasting them online? What is the law on law enforcement authorities using these now public images to prosecute?
The question is raised around the Vancouver riots of last June and the B.C. Information and Privacy Commissioner is looking into it. We have commissioned research to try and scope the relevant legal and policy issues and I will refer to that research further.
Having identified three main changes, we also need to assert what has not and cannot change—and I can summarize that to three points as well:
- Citizens need to trust that the state will protect them and respect their fundamental right to privacy. That is a matter of democracy and social cohesion. In case we take it for granted, a quick look at current unrest in the Arab world reminds us of the importance of that bond of trust between States and citizens.
- Privacy is central to our personal integrity and personal fulfillment. It is the space to be free, to be ourselves. And while that may sound abstract, empirical studies remind us of the negative impact of lack of privacy on innovation; others put in question the impact of invasion of privacy on personal development of youth—being labeled through online advertising, being looked up, being exposed by others, etc.
- Finally, Canadians’ attachment to their privacy is not changing either—our own 2011 Survey Report shows that 65% of Canadians consider that protecting personal information is one of the most important issues facing our country in the next 10 years. This is confirmed by media activity around the issue, whether in relation to perimeter security, lawful access or issues in the private sector.
So if privacy pressures are changing but privacy principles are immutable, what gives?
That is the beauty of it—technological developments can breach privacy or enhance privacy—that is our choice.
That means that we must have a societal debate on how to preserve our fundamental right to privacy in a new public safety context, and that it is the role of privacy professionals to bring structure to that debate.
To structure that debate, and to structure public policy analysis around the issue, The OPC has issued an analytical framework entitled A Matter of Trust – Integrating Privacy and Public Safety in the 21st Century,which is available on our website.
I will use that framework to address the specific issue of privacy at mega events and then explain how we approached the specific challenge of ensuring privacy protection at the 2010 Vancouver Olympics. But first, l would like to address the specific challenges we face in relation to protecting privacy at media events, then describe how we approached that challenge in relation to the 2010 Vancouver Olympics, and finally describe our systematic approach to the integration of public safety and privacy in unprecedented context in relation to identified public safety threats and technological advances.
But first, we need to consider,
- The current legal framework for protecting privacy in Canada; and
- The special case of mega events.
Canadian legislation – An incomplete privacy framework
As we all know, federally, the Canadian legal privacy framework is mainly composed of three legal instruments:
- The Privacy Act which applies to about 250 federal institutions;
- The Personal Information Protection and Electronic Documents, which applies to the private sector everywhere in Canada, except in British Columbia, Alberta and Quebec, three provinces that have their own private-sector privacy legislation; and
- The Canadian Charter of Rights and Freedoms, deducted from section 8.
I call this an incomplete framework for several reasons.
Firstly, Canadian public sector privacy legislation is only partly up to the task of securing privacy rights in this climate. Our Office has asked for Privacy Act reform for many years and several of these reforms are relevant to protecting privacy in the context of surety at mega events.
The Privacy Act, for example, does not articulate fully the necessity test which, on the basis of the Oakes decision, is the foundation of legitimacy of privacy encroachment in the name of public safety. To be allowed to collect personal information, a government institution need only show that the collection relates directly to an operating program or activity of the institution.
That is hardly a significant limitation on collecting personal information for security purposes.
Secondly, the rules in the Privacy Act limiting disclosure of personal information also have little teeth in security matters. The general rule governing disclosure is to require the consent of the individual to whom the individual relates. However, section 8(2) lists several fairly generous exceptions to this general rule. In addition, these exceptions are “subject to any other Act of Parliament.” In short, any other federal legislation can trump even the already generous disclosure provisions in the Privacy Act.
At the same time, a host of laws permit surveillance, the collection of personal information and its use and disclosure in criminal and national security matters— the Criminal Code, the Canadian Security Intelligence Service Act, the Aeronautics Act, the National Defence Act and Canada’s anti-money laundering legislation among them. These laws each contain limits on the intrusive powers they enact.
However, critics rightly warn that some of these laws make it too easy to get carried away on the security side of the equation.
The private sector law, which at least has the advantage of having been adopted after information technology became the way to do business—which is not the case for the public sector law—is still not keeping up with regulating the crosswalk between private sector data and access by public authorities—an issue of particular relevance in the case of security at mega events.
In the face of such limits to privacy legislation, we have had to turn to constitutional law. The ultimate legislative protection of privacy comes from the Charter of Rights.
Privacy rights have been read into sections 7 and 8 of the Charter—the right to life, liberty and security of the person, and the right to be secure against unreasonable search or seizure, respectively.
But even our courts have recognized that the reconciliation of public safety needs and privacy protection needs to be more fully articulated than it is in statutes.
A series of decisions from the Supreme Court of Canada provide some parameters for integrating privacy and public safety. For the sake of our discussion, I would remind us of the general criteria that have emerged in the interpretation of section 8 of the Charter.
While the right to safety is seen as a pre-condition to the enjoyment of all other rights, including privacy, it may only intrude upon privacy only if justified according to the following considerations:
- The nature of the apprehended public safety risk;
- The potential consequences of not taking protective measures;
- The availability of alternative measures; and
- The likelihood of the contemplated danger actually existing.
Moreover, the invasion of privacy must be justified according to valid objectives and assessed against reasonable expectations of privacy. What constitutes a “reasonable expectation of privacy” varies with the context.
While this provides a principled framework, it leaves several emerging questions unanswered, questions that seem to fall in between these instruments. For example,
- What use can law enforcement authorities make of information posted on social networks?
- What rights do citizens have to “denounce” reprehensible acts by publishing personal information on the Internet?
- What rights or obligations do Internet service providers (ISPs) have in collaborating with law enforcement authorities?
These are all questions that were raised around the Vancouver riots in June or the London riots, without a clear position in policy or law. And that is a global concern in relation to the Canadian legal framework for privacy: it is sectarian and therefore patchy. There are rules for federal public institutions, there are rules for the private sector but there are gaps in between: What are the privacy obligations of political parties? What are privacy rights against intrusion by individuals? How should private-sector privacy obligations be interpreted when ISPs are faced with information requests in relation to public safety at mega events? Those are questions that remain to be clarified.
In particular, the new phenomenon of citizen journalism is a new frontier that, as privacy professionals, we must explore. Our Office has commissioned research that tackles the reality of privacy challenges in the context of citizen journalism, which is particularly prevalent at mega events.
The Special Case of Mega events
In this changing privacy context, how do we deal with “mega events?”
Let us look first at what makes mega events different from the usual set of considerations to integrate privacy and public safety:
- Mega events attract large numbers of people in concentrated areas—if you look at the issues addressed in the report on the Stanley Cup riots in Vancouver, two central issues were the ratio of police officers to visitors and the appropriateness of the concentration of people; that is what brings authorities to seek backup from technology and intelligence: for example, video surveillance, intelligence gathering on possible participants—we saw all of these leading up to the Olympics and discussed them with the Integrated Security Unit;
- Another factor is that mega events often attract visitors from outside the host country, which increases the need for intelligence gathering ahead of time;
- The authorities in charge have the right and the need to a high level of secrecy to ensure effectiveness, and that is an additional challenge for us, privacy officials, to keep public safety authorities accountable;
- Particularly in mega events, public safety measures are developed on the basis of worst case scenarios; therefore, necessarily, speculation rather than evidence of verifiable necessity;
- And finally, the new twist: citizens take on the role of journalists or enforcers and capture images and personal information, broadcasting it on the Net.
An adapted approach at the Vancouver Olympics
Let me turn to how we tried to navigate through these challenges in relation to the 2010 Vancouver Olympic Games.
In February and March of 2010, Canada hosted the Winter Olympic and Paralympic Games. This was Canada’s first international mega event of the post-9/11 era. Even before 9/11, we knew the risks facing the Olympics. The 1972 Munich Games brought terrorism to the modern Olympics, followed by lesser, but still serious, violence at the 1996 Atlanta Olympics. The history of previous Olympics, the events of 9/11 and a plethora of terrorist incidents since 2001 made it clear that the Vancouver Winter Games needed a thorough security plan.
For more than a year leading up to the Games, our Office, in conjunction with the Office of the Information and Privacy Commissioner of British Columbia, was in communication with the Integrated Security Unit responsible for Olympic security. The federal and British Columbia Commissioners had three goals:
- To promote privacy rights before, during and after the Games;
- To ensure that security measures that might infringe on privacy were reasonable and proportionate to the risk; and
- To hold authorities accountable for putting in place measures that both protected security and safeguarded privacy rights.
Without sufficient attention to privacy concerns, surveillance measures at the Games could easily have gone off the rails.
Security background checks were to be conducted on an estimated 100,000 people who were expected to need accredited access to secure zones within sporting venues or other Olympic facilities. Police had access to a variety of security databases and could automatically recheck the security status of people right up to the end of the Games. Games venues were protected by electronic perimeter security systems.
Checkpoints were set up to screen visitors to the Olympic venues and to screen authorized vehicles. The RCMP hired a private contractor, which in turn hired thousands of private sector staff to conduct these checks. About 900 closed circuit cameras were to be deployed at Olympic venues. An additional 50 to 70 cameras were to be deployed in urban areas outside venues.
And the security measures applied during the Games, as with those in place for the G8 and G20 meetings last summer, were only part of the issue. Olympic Games and other mega events can leave behind a pernicious legacy. Large-scale security surveillance systems, initially installed for security at mega events, often remain long after the event is over.
This can easily lead to a "Field of Dreams" scenario where, because we have built the surveillance systems, they—the institutions of the state—will come to want to use them long after the mega event ends. That was the issue at the Athens Olympic Games—resulting in the resignation of the equivalent to the Privacy Commissioner for Greece.
A surveillance infrastructure, largely a positive and necessary measure for the mega event, can thus evolve into a dangerous negative—an unwarranted increase in the “background” level of surveillance for society as a whole.
We met with the Integrated Security Unit a year ahead of time, putting to them the essential legal questions to hold them accountable to protect privacy at the Olympics:
- What was the nature of the threat and how were the public safety measures strictly tailored to responding to that threat?
- What would be the consequences of not taking such measures? Were the least intrusive measures possible chosen?
- In relation to governance, how were the authorities ensuring the right to privacy in the security arrangements?
- Would someone in the RCMP be specifically responsible for protecting the massive amounts of personal information collected at the Games?
- How would the RCMP ensure that the experience of the Games did not instill in the force a culture of surveillance, that it did not create a precedent in the minds of officers or the institution for such unprecedented intrusions?
- To what extent would personal information be shared with foreign law enforcement and security agencies or with private security contractors?
- Would citizens have access—within the reasonable limits of national security requirements—to their information, and would they be given a right to request correction of that information?
We received complete answers to our questions and we were kept informed of developments as they arose. We monitored media and activists’ reports, and we would seek an explanation any time we had concerns.
The RCMP accepted our recommendation to name a Chief Privacy Officer, posted that person’s name and contact information on its website, and it is my understanding that no significant issues were raised.
The result, and I give full credit to the ISU, was that even advocates in British Columbia were generally satisfied that privacy had been properly integrated.
A proactive and systematic approach
While our experience at the Olympics was positive, it highlighted the need for a structured legal framework to integrate privacy to public safety measures in the 21st Century.
As privacy professionals, we cannot second-guess law enforcement or national security authorities, but we must keep them accountable for respecting the right to privacy.
With that in mind, and with the Vancouver Olympics and G8 and G20 meetings still fresh in our thinking, the Office of the Privacy Commissioner of Canada released a reference guide last fall to help policy-makers and other practitioners integrate privacy into significant security initiatives. Essentially, our objective was to structure the debate in the reconciliation of privacy and safety concerns. We wanted to ground the discussion in facts and in law, rather than allow fear and emotion to prevail.
The point of this reference guide, entitled A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century, is not to provide the right answers, which we cannot realistically predetermine. Rather, it is to raise the right questions—as we did with the Olympics—in order to help us all provide and protect privacy.
Our Office took advice from experts in both privacy and security, drawn from academia and the legal community; civil society and community outreach; politics and intelligence; law enforcement and oversight.
With their input, we developed a framework to help policy-makers, practitioners and citizens think through the issues as they integrate privacy protections with new public safety and national security objectives.
Understanding this framework requires clarity on two legal concepts: first, what is “personal information” and, secondly, what is a “reasonable expectation of privacy.” The document discusses both key definitions. Then it offers an analytical framework in four specific stages of consideration for privacy—conception, design, implementation and review—for the development and implementation of security programs and policies.
We believe that this logical progression can usefully be applied by security agencies, policy-makers or others searching for that elusive equilibrium between public security and privacy rights.
Stage one addresses the legitimacy test. It concerns the rationale and justification for collecting personal information when a policy or program is conceived. This requires considering the “four-part test” used by courts and lawyers to see whether a law or program can justifiably supersede or intrude upon rights such as privacy. The elements of this test flow from the Supreme Court of Canada decision in R. v. Oakes, which set out principles to determine whether the violation of a Charter right is justifiable in a free and democratic society. Those principles are as follows:
- Necessity: There must be a clearly defined necessity for the use of the measure, in relation to a pressing societal concern (in other words, some substantial, imminent problem that the security measure seeks to treat);
- Proportionality: The measure (or specific execution of an invasive power) must be carefully targeted and suitably tailored so as to be viewed as reasonably proportionate to the privacy (or any other) right being curtailed;
- Effectiveness: The measure must be shown empirically to be effective at treating the issue, and clearly connected to solving the problem; and finally,
- Minimal intrusiveness: The measure must be the least invasive available (in other words, we must ensure that less intrusive investigation measures have been exhausted).
Other jurisprudence on the limits of police powers can assist in assessing the legitimacy of security initiatives that affect privacy interests. In R. v. Godoy, for example, the Supreme Court determined that the justification for using police powers and interfering with individual liberty turns on a number of factors.
These include the specific duty performed by the police, the extent to which the interference with individual liberty is required to perform the duty, the importance of the duty in relation to the public good, the nature of the liberty being interfered with and the nature and extent of that interference.
Once the basis for collection is established at stage one, stage two addresses data protection and involves the proper security, use (such as linkages of data), disclosure and maintenance of information collected. This requires considering a set of internationally recognized standards, the Fair Information Principles, which guide both commercial and government organizations.
These standards serve as the basic foundation for many countries’ data protection laws. As most of you know, the standards address multiple issues, including accountability, focused collection, use and disclosure, openness and creating mechanisms to challenge compliance.
Stage three addresses control and accountability—it elaborates on the need for ongoing governance during program operations. Internal mechanisms should be considered as possible levers to sustain an appreciation of privacy issues. There are several aspects to this:
- Clear organizational roles and responsibilities for personal information handling, including regular review for accuracy and continued relevance of sensitive personal information;
- Accessible, plain-language documentation about privacy policies and practices;
- Strong internal audit capacity for privacy issues, especially about access, security safeguards and information transfer;
- Detailed agreements if the sharing of personal information is involved;
- Regular public reporting and publication of Privacy Impact Assessment (PIA) information;
- Straightforward internal processes for handling and reporting of potential complaints, problems or data breaches;
- Ongoing privacy training for both front line staff and management; and
- Accountability of senior management for the privacy element of programs, including the designation of chief privacy officers.
The reference guide concludes—at stage four—with oversight through a call for external controls and suggestions for longer-term review and oversight of organizations to ensure that privacy and sound personal information handling practices are developed around public safety and security initiatives.
These external controls are needed to address the common thread that runs through the many legislative reviews, inquiries and reports about Canada’s national security regimes—findings of poor information handling practices, patchwork accountability mechanisms and limited oversight.
In a democratic society, national security programs must be subject to independent, external review mechanisms that are proportional to the scope of the powers and potential invasion of privacy. Public security programs cannot be exempted from oversight mechanisms.
The context in which future mega events will take place may well change, but this reference guide provides a flexible point of reference to ensure that the fundamental right to privacy is protected in the evolving context of security.
A new twist in surveillance at mega events: The Vancouver Riots
While this is a complete framework for public safety and privacy professionals, it does not extend to what I call the “new twist” of citizen journalism and law enforcement access to public available incriminating images which seem to have become endemic to mega events. We saw it at the June 15 Stanley Cup riot in Vancouver.
The riot brought to the fore in a very dramatic manner some major privacy implications of the communications technologies that envelop us all. Here it was less an issue of state surveillance, at least initially.
Instead, we witnessed extensive surveillance by citizens—or citizen journalists, if you prefer—followed by widespread disclosure of images on the Internet and by requests by police for citizens to hand over what information they had.
In 1994, investigators looking into an earlier Vancouver hockey riot had created a “wall of shame” where they posted photos of people taking part in the riot to help investigators. The Internet was still in its infancy as a social communications tool, as was digital photography for the consumer market. Citizens who might be able to identify riot participants had to go physically to the place where the photos were posted.
No one else saw the photos unless a newspaper or television program published them. There was no instantaneous, global dissemination of the images. This meant that the police largely controlled the release of identifying information about the alleged offenders.
However, with this year’s riot, the Internet, digital cameras, cell phones and fast-moving social networks permitted the immediate and global sharing of hundreds of thousands of photographs and videos taken both by riot participants and by observers. The police have also used the Internet as a tool to get the public’s health in identifying unknown offenders—a digital “wall of shame.”
With the 2011 riot, investigations were no longer limited to the police. Employers, business owners and the general public took part through sharing images, setting up websites containing those images and “naming and shaming” individuals on the Internet. In short, with the help of social media, members of the public began conducting their own investigations, coming to their own conclusions and sometimes administering their own versions of justice. Some alleged rioters lost jobs, sponsorships, scholarships, reputations and the right to compete in professional sporting events.
It goes beyond the mandate of the Office of the Privacy Commissioner of Canada to determine whether this new form of administering justice is appropriate. However, it certainly is within our mandate to look at the privacy implications of citizen journalism. We hope that the research I mentioned earlier, commissioned by our Office to explore the state of law in Canada about citizen journalism, new surveillance technologies and the use of social media, will start to structure a debate on the best legal response to protect privacy in the context of this new phenomenon.
As Canada’s National Security Policy makes clear, one of the most important challenges for our democracy in tackling security threats is to ensure that “we do not inadvertently erode the very liberties and values we are determined to uphold.”
The public safety context has changed, but the privacy principles that govern public safety responses have not.
As Chief Justice McLaughlin states, we must distinguish between principles and modalities.
Privacy principles cannot change. But their modalities of application must change to preserve the principles in a changing context of modalities of threat.
The challenge for privacy professionals is to be flexible on modalities to preserve the integrity of principles.
We hope our reference document offers an analytical framework to apply established principles of privacy law to changing modalities of public safety.
- Date modified: