National Security and Privacy in 2015
Remarks at the Privacy and Access 20/20 Conference
November 12, 2015
Vancouver, British Columbia
Address by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Good morning and thank you Commissioner Denham and the Office of the Information and Privacy Commissioner of British Columbia for this invitation.
The issues topping the agenda of this conference—national security, the right to be forgotten, Big Data and youth privacy, to name a few—are the very issues my Office grapples with on a daily basis in our policy, research, outreach and investigative work.
The theme is the future of privacy. There are those who think privacy is dead in the age of Big Data, the Internet of things, the mobile environment, and new laws that increase government surveillance.
Rather than looking at these factors and concluding privacy is dead, I would instead say that it faces serious challenges. And today, I want to discuss some of our Office’s work to address what we see as some of the key ones going forward.
As promised, I will focus my presentation on the subject of surveillance in Canada and around the world. In doing so, I will put forward some constructive ideas on how privacy can be better protected in the face of risks contained in recently adopted laws in Canada.
In particular, I will focus on thresholds for information sharing and the importance of oversight and transparency. I will talk a bit about some of the work our Office has done on government surveillance and lawful access, and our path forward as we seek to improve privacy safeguards.
But first, I want to touch on the privacy priorities that will shape and guide our work over the next five years.
I have said that the overarching goal of my mandate is to increase the control Canadians have over their personal information. To this end, we have identified four privacy priorities following extensive discussions, in many parts of the country, with the public and stakeholders – including many of you. Those privacy priorities are:
- The Economics of Personal Information, which refers to the commoditization of personal information;
- Reputation and Privacy, which covers the privacy risks of a person’s future being harmed by their digital past;
- The Body as Information, which speaks to privacy concerns related to the increased use of highly sensitive health, genetic and biometric information; and, finally
- Government Surveillance, which I will discuss in greater depth during my time today.
Economics of Personal Information
For the Economics of Personal Information, our goal is enhancing privacy protection and trust, so that individuals may confidently participate in the digital economy.
Our key challenge: as the value of personal information grows, so does the incentive for organizations to collect it.
But just how this is happening is not always clear to individuals and, without knowledge; one cannot provide meaningful consent to the collection, use and disclosure of their personal information.
The consent based model of personal information protection was conceived at a time when transactions had clearly defined moments at which information was exchanged. Whether an individual was interacting with a bank or making an insurance claim, transactions were visible and often predictable. Individuals generally knew what organizations they were dealing with, what information was being collected, and what the information would be used for.
Today, with Big Data, cloud computing, online behavioural advertising, and the Internet of Things, the environment is much different. Traditional point to point transfers of data are being replaced with data flows through distributed systems, making it difficult for individuals to know the identity of organizations processing their data and for what purposes.
Though special care was taken to make the principles behind Canada’s private sector privacy laws technology neutral, the complexity of today’s information ecosystem is nonetheless posing challenges to obtaining and providing meaningful consent.
As we have seen with our Office’s research on predictive analytics and in our ongoing work on the Internet of Things, new technologies and business models have resulted in a fast paced, dynamic environment where unprecedented amounts of personal information are collected by and shared among a myriad of unseen players who use it for a host of purposes, both existing and those not yet conceived of.
And so, in the short term—that is next spring—we will produce a discussion paper outlining the various challenges associated with the current consent model. We will explore potential solutions, such as industry codes and other forms of self-regulation; greater accountability, which some suggest would place responsibility more on those who are able to assess risk; and enhanced regulation, including the definition of no-go zones where personal information should always be protected.
In the medium term, we will identify what improvements could be made to enhance the current model, we will apply the solutions that are within our jurisdiction and, where appropriate, we will recommend legislative changes.
Reputation and Privacy
On Reputation and Privacy, our goal is creating an environment where people can use the Internet to explore their interests without fear that their digital trace will lead to unfair treatment.
Since the beginning of social media, much has been written about online reputation and how it can affect people’s lives. The impact of the online world has led to a shift in the way reputations are formed, and society is grappling with the effects on social relationships and professional opportunities. We need a more robust discussion about the kinds of recourse available to people who object to the personal information that is posted about them online.
What others post about us—intentionally or by mistake; maliciously or as a matter of public record—can be very difficult to erase.
And when we look at mechanisms for deleting or correcting information, it is clear that the various parties involved—including organizations, legislators, technologists, educators and individuals—play a role in influencing how online reputations are shaped.
As a result, we want to help increase digital literacy, paying special attention to vulnerable groups, such as youth and seniors.
We will issue a discussion paper, consult and then establish a position on the right to be forgotten or other recourse mechanisms in the Canadian context. In addition, we will also contribute to possible technological solutions, such as privacy by obscurity, anonymization and automatic deletion mechanisms.
Body as Information
Under the Body as Information, our goal is promoting respect for the privacy and integrity of the human body as the vessel of our most intimate personal information.
With the advent of wearable computers, tracking technology and Internet-connected smart devices, the lines that once separated three distinct zones of privacy—informational privacy, bodily privacy and territorial privacy—are becoming increasingly blurred.
This has rendered personal information more intimately sensitive than ever and greatly magnified the potential for privacy incursions.
Today, a global industry has arisen capitalizing on information about the body—from the digitally measuring people’s weight, height, and heart rate, to blood analysis and genetic testing. The innovations being developed go beyond fitness trackers to include biomedical advances that promise real benefits for both patients and the health care system as a whole.
However, information technologies used to extract information both about and from our bodies carry the most intimate and sensitive personal information. We also see an increasing reliance on biometric data as a means to identify and authenticate individuals for a host of purposes, by law enforcement, and within workplaces and schools.
The issue of strong safeguards, who controls the information, how it is shared and used, and the sensitivity of context, is of utmost importance.
And so, going forward, we will: provide guidance to businesses and technology developers on how to build privacy protections into products and services; and educate users on the privacy risks associated with wearable devices and direct-to-consumer genetic testing, and offer them advice on how to protect themselves.
Finally, Government Surveillance. Here, our goal is contributing to the adoption and implementation of laws and other measures that protect both national security and privacy.
Given my past experience at Justice Canada, I can attest to the fact that our world has changed. I am very much attuned to the reality of the national security threat. But while Canadians want to feel secure, they do not want measures to achieve this goal to come at any and all costs to their privacy. They want a balanced approach.
With respect to Bill C-51, you may remember that our Office made a submission to Parliament last spring outlining our concerns about the legislation, which came into force in August under the title: Security of Canada Information Sharing Act (or SCISA).
Of course, since then, a new government has been elected. It has committed to bringing forth changes to the law and consulting on them. And we welcome an opportunity to share our views.
What I can tell you now is that our concerns have not changed. We believe the law’s information sharing provisions are excessive and lack balance. We support more appropriate thresholds for sharing so that personal information is provided when it is not merely “relevant,” but “necessary” to a recipient institution’s mandate or “proportionate” to the national security need to be met.
We also have concerns about the fact that 14 of the 17 agencies receiving information for national security purposes are not subject to dedicated independent review or oversight.
With respect to oversight, we have recommended that the activities of federal law enforcement and security institutions be subject to independent and effective review.
Security and intelligence oversight was among the topics discussed during the 37th International Conference of Data Protection and Privacy Commissioners in Amsterdam two weeks ago. Commissioners acknowledged the strain on public trust caused by revelations about state surveillance coupled with a lack of transparency and fragmented oversight.
We agreed to promote necessity, proportionality and lawfulness in intelligence and security activities, along with greater transparency. The recommendations made by my Office in relation to Bill C-51 are consistent with this commitment.
As others have pointed out, Canada is the one Five Eyes country that does not have parliamentary oversight. In its electoral platform, the new government has promised to “create an all-party committee to monitor and oversee the operations of every government department and agency with national security responsibilities.” This is a welcome development.
Canada today also lacks the ability to have an expert examination of information sharing across intelligence and law enforcement organizations. While the CSE, CSIS and the RCMP often collaborate on matters of mutual interest and have dedicated oversight bodies to review their work, those bodies face impediments to conducting joint reviews. I will continue to advocate for greater information sharing authorities among oversight bodies, so that we can follow the trail of information as it moves from one national security agency to another.
Information sharing thresholds
While our spring submission recommended improvements to oversight, it also made clear that no level of review can make up for inadequate standards.
Effective oversight is important. But, establishing adequate standards in the form of appropriate information sharing thresholds can prevent problems from happening in the first place. Thresholds limit the scope of an institution’s use of powers and the possible harm that could arise from misuse.
As our submission made clear, it should not be left for national security agencies to determine the limits of their powers. Furthermore, the law should prescribe clear and reasonable standards for the sharing, collection, use and retention of personal information.
In considering ways to amend C-51’s thresholds, we have looked at examples both within and outside our borders. Indeed, Canada is not alone in modifying its laws in order to increase information sharing among authorities to better protect public safety.
A number of European countries have proposed or passed laws that address information sharing for national security purposes. While thresholds vary, there are examples that make the case for more than simple relevance. A bill introduced in Switzerland, for instance, would provide a legislative basis for the operation of the country’s intelligence agencies. This would create an obligation for sharing information that would permit the detection of a concrete threat to national security when such information is needed—not merely relevant—for an intelligence agency’s duties.
The concept of proportionality is also central to EU constitutional law and especially its privacy and human rights law.
There are even provisions in Canada that specifically limit information sharing to instances where it is necessary and proportionate to do so. For example, the Immigration and Refugee Protection Act regulations state that information about individuals in certain contexts, such as visa, asylum and refugee status, can be shared with foreign governments only when “necessary, relevant and proportionate” to achieving a stated purpose. We will recommend that a similar threshold should also apply to information sharing under SCISA.
Review of Application of SCISA
As I noted, we welcome both the new government’s commitment to consult on changes, along with an opportunity to share our views. But, at the same time, we are also preparing to use our powers should the law only be amended to add parliamentary oversight.
In such case, we will use our existing powers to review how information sharing is occurring between federal institutions for the purposes of national security.
We will direct significant resources towards compliance activities to ensure that information sharing made possible under SCISA duly respects the Privacy Act; and we will advise Parliament and Canadians of our findings in order to inform both public debate and potential future amendments to the law.
Bill C-51 was not the only surveillance-related legislation to come into effect recently that caused us concern. Bill C-13, the Protecting Canadians from Online Crime Act, became law last December.
Our submission to Parliament raised concerns about the Bill’s immunity provision, which protects from legal liability those who voluntarily disclose personal information in response to warrantless government requests for access to personal information.
Further, we raised concern about the lack of a reporting mechanism that would allow Canadians to hold government to account for the use of Bill C-13’s new powers as well as warrantless requests.
Since then, we have worked with both telecommunication service providers and Industry Canada to provide helpful information for Canadians.
Specifically, we provided input into Industry Canada’s transparency guidelines issued in June. The guidelines establish standards for transparency and accountability reports from companies that share personal information with law enforcement.
At the same time, we published a comparative analysis of transparency reports that have already been published voluntarily by some telecommunications companies. We concluded that while the reporting schemes had gaps, these reports can help Canadians make informed choices and better understand how and when government agencies access personal information held by private sector organizations.
Going forward, we hope companies follow the guidelines and that we begin to see more consistent transparency reporting. If not, we may call for legislative changes.
Overall, this reporting marks a good first step toward improving transparency.
And just a few weeks ago, we made our plan global. During the International Conference in Amsterdam, we proposed a resolution on this subject that was supported by my international counterparts. It urges private organizations to publish transparency reports on the number of requests made, nature of responses and legal basis of government institutions for access to personal information of their customers and employees.
It also calls on governments to maintain accurate records and to report publicly on the nature, purpose and number of lawful access requests they make and to remove hurdles to transparency reporting.
In the Canadian context, to match the momentum started within the private sector, we also want to see federal institutions issue transparency reports about the requests they make to companies.
Today’s structure for public reporting on electronic surveillance was enacted in the 1970’s. It applies to wiretapping and covert video surveillance and has only been expanded narrowly in recent years due to developments in case law.
A modernized approach, built for today’s communications and surveillance capabilities, would give citizens and Parliament greater insight into how federal institutions are using their lawful access powers.
As we noted in June, private sector reporting provides only a part of the picture. Further transparency from the public sector would help shed light on how the benefits to society brought by these powers lines up with their privacy risks.
In closing, I hope I have given you a better idea of where my Office stands on matters of surveillance, thresholds for information sharing, transparency and lawful access, and I hope you also have a clearer picture of our key privacy priorities moving forward.
In particular, I remain very concerned about Bill C-51 and the information sharing it permits between federal departments–particularly when you look at that in the context of other laws that have come into force, such as Bill C-13, along with the recent revelations about national security monitoring activities.
All of this leads to the possibility of intrusive monitoring and profiling of Canadians, and I think that we should all be greatly concerned about that.
What gives me reason for optimism, however, is that, while Canadians value security in the face of threats confronting the world today, they also care very deeply about their privacy and want to protect it. They want to do business with companies that respect their privacy and are upfront about their personal information-handling practices. They want to ensure laws and procedures are in place to keep government institutions in check. They want greater transparency so institutions can earn their trust.
What gives me further optimism is that we live in a country governed by the rule of law—a democratic country that promotes and respects human rights.
As a result, I remain confident that we can protect ourselves from the threats we face, while also protecting our privacy rights.
- Date modified: