ARCHIVED - Letter to the Honourable Elinor Caplan, Minister of Revenue
September 26, 2002
The Honourable Elinor Caplan
Minister of National Revenue
555 Mackenzie Avenue
Dear Minister Caplan:
I am deeply troubled by the intention of the Canada Customs and Revenue Agency (CCRA) to establish, beginning next month, a massive "Big Brother" database on the foreign travel activities of all law-abiding Canadians.
The CCRA intends to do this by retaining for six years the Advance Passenger Information/Passenger Name Record (API/PNR) information on every air traveller entering Canada.
The CCRA was given the right to obtain this information from airlines under amendments to the Customs Act that were passed last year. At the time, however, the CCRA explicitly undertook that it would use this information only to identify arriving passengers who merited secondary screening, and would not retain the information at all in the case of the vast majority of travellers.
Advance Passenger Information comprises the name, date of birth, gender, travel document type/number/date of issue, citizenship and/or nationality, and Passenger Name Record Number of every traveller entering Canada.
The Passenger Name Record is far more detailed, including such information as all the destinations to which the traveller flew, form of payment for the ticket, seat selection, number of pieces of baggage checked, date the booking was made, etc.
In addition to the original purpose of identifying individuals for secondary screening on arrival, the CCRA now intends to keep all this information in a massive database to use not only for other, unspecified Customs purposes, but also to share with other departments and institutions in all the ways permitted by section 107 of the Customs Act.
Section 107 permits sharing of Customs information for a range of specific purposes as well as for some very broadly stated purposes. The information can be provided, for instance, to any person legally entitled to the information by reason of an Act of Parliament, to any prescribed persons for any prescribed purposes, and to any person for any purpose where the Minister deems the disclosure to be in the public interest.
In other words, this database of detailed personal information about Canadians and their travel activities will be available for virtually any purpose the government deems appropriate - for income tax purposes, for data matches with other departments, for criminal investigation "fishing expeditions."
Senior officials of the CCRA have assured me that information in the API/PNR database will be shared with officials other than customs officers only in strictest accordance with the provisions of section 107 of the Customs Act. I appreciate this assurance and do not doubt it. Yet the difficulty remains that the provisions themselves are so broad that this powerful and intrusive database, once established, will be available for an almost limitless array of possible future uses.
This is an unprecedented intrusion on the privacy rights of Canadians. It is, to the best of my knowledge, the first time the federal government has set out to build a database on all Canadians using personal information obtained from third parties without their individual consent, for purposes not of providing any service to individuals but rather of having the information available to potentially use against them.
The extraordinary nature of this initiative is underscored by the fact the Commissioner of the CCRA informed me, in a letter dated September 4, 2002, that all this API/PNR information "will be stored in an enforcement database."
A review of the data banks in Info Source indicates that existing enforcement databases contain information only on suspected violators of Customs laws. In striking contrast, the API/PNR database will contain for the most part information on millions of Canadians who are under no particular suspicion of having committed Customs violations.
This new enforcement database will therefore constitute an unprecedented move to treat every Canadian as a suspect. Every single Canadian travelling outside Canada, even on vacation, will automatically have his or her personal information placed in the database. But since the CCRA has never claimed to regard most Canadians as major violators of Customs law, it follows that we will all be in this enforcement data base for reasons of being suspected of something else - indeed, anything else. The overwhelming majority of this information is unlikely to ever be used for Customs purposes, and its only real potential use is under the sharing provisions of section 107 of the Customs Act, which have no relation to Customs purposes.
Very frankly, the government of Canada has no business systematically recording and tracking where all law-abiding Canadians travel, with whom we travel, or how often we travel. And the government of Canada has no business compiling databases of personal information about Canadians solely for the purpose of having this information available to use against us if and when it becomes expedient to do so. Such behavior violates the key principles of respect for privacy rights and fair information practices, and has no place in a free society.
Ever since the CCRA informed my Office in June about the intended creation of this database, I have been trying to persuade you and your senior officials to reconsider and at least modify this course of action. Having been entirely unsuccessful to date, I believe that in view of the imminent launch of this initiative I now have no alternative but to make my concerns public through this letter and appeal to you once again to reconsider.
It is my duty as Privacy Commissioner of Canada to inform you that in my view and that of my Office, the creation and intended uses of this database lack appropriate Parliamentary authority and are in apparent contravention of the Privacy Act.
Let me address each of these concerns in turn.
Lack of Parliamentary authority:
When the pertinent amendments to the Customs Act were before Parliament, the CCRA explicitly undertook that API/PNR information would not be retained at all, except in those comparatively few instances where it had been used for the administrative purpose of selecting individuals for secondary screening at the port of entry.
Indeed, Customs officers were not even to come into actual possession of all API/PNR information. Rather, they were to have access to airline reservations systems via dedicated computer workstations. Automated queries were to be run on the PNR data for each flight, seeking for instance those passengers who had booked at the last minute, paid in cash and checked no baggage. If this produced, say, five names out of the 350 passengers on the flight, the Customs agent could review the individual records of those five passengers.
In explaining this process, a January 16, 2001, CCRA document entitled Advanced Passenger Information/Passenger Name Record Project that was provided to my Office states:
"At no time will any of the records on the system be electronically saved by the reviewing officer. The only record that will be created from the data is the printout of the record(s) that the reviewing officer has deemed to be of a nature to require follow-up consideration."
Even more specifically, in a January 30, 2001 letter to me that accompanied this CCRA document, Mr. Denis Lefebvre, Assistant Commissioner, Customs Branch, of the CCRA, stated:
"As far as retention of the information is concerned, the attached document explains in more detail the situations in which we would retain the personal information collected as part of this initiative. In short, however, I would reiterate that data not viewed or used by a reviewing officer would be destroyed within 24 hours."
On the basis of these explicit and unequivocal undertakings that there would be no general retention of API/PNR data, I expressed no privacy objection to this proposed amendment to the Customs Act and did not need to avail myself of the opportunity to appear before the House of Commons and Senate committees that studied this legislation.
Had there not been such undertakings, I would have expressed the same concerns that I am required to express now, and Parliament would have had the opportunity to consider the merits of such an intrusive initiative.
As it is, Parliament approved a far more limited and vastly less privacy-invasive measure than the one that the CCRA is now preparing to launch. It is therefore my view that the creation of this massive database lacks the appropriate Parliamentary authority.
This view is reinforced by the fact that in section 4.82 of Bill C-55, which deals with access to exactly the same sort of API/PNR information by the RCMP and CSIS, there are specific provisions dealing with retention.
Under that Bill, information collected by CSIS and the RCMP from airlines must be destroyed within seven days, unless it is "reasonably required for the purposes of transportation security or the investigation of threats to the security of Canada." As well, CSIS and the RCMP must review the retained information at least once a year and must order the information to be destroyed if there is no justification for its retention.
By including these provisions in Bill C-55, the government has acknowledged that retention of API/PNR data requires explicit Parliamentary approval, with the setting out of specific terms and conditions to govern any such retention. Since the intended creation of this CCRA database lacks any such Parliamentary approval, let alone any legislated limitations or safeguards, I respectfully suggest that it is unlawful.
Contravention of the Privacy Act
Section 4 of the Privacy Act states:
"No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution."
In the API/PNR scheme as originally described prior to passage of the legislation, the information pertaining to the overwhelming majority of travellers would have been "collected" by the CCRA in only the most minimal, technical sense. It would have been available for automated querying, but the information would not have been seen, let alone acquired, by any Customs official.
The intended six-year database on all travellers entering Canada is, on the contrary, a massive and indeed unprecedented collection. It is far from clear that this type of collection, as distinct from the one originally described, does in fact relate directly to an operating program or activity of the CCRA.
Info Source describes the mandate of the Customs Branch of the CCRA as follows:
"The CCRA works in partnership with law enforcement agencies and federal departments to protect Canadians and society as a whole by preventing illegal and dangerous goods and inadmissible people from entering Canada and monitoring the movement of controlled and regulated goods.
"This branch is responsible for border services including the full range of facilitation, inspection, detention, collection and enforcement activities at all ports of entry."
With regard to the use of API/PNR information, this mandate to prevent illegal and dangerous goods and inadmissible people from entering Canada is presumably still to be discharged in the same way as described in the January 16, 2001, CCRA document - that is, by automated querying of the information, which constitutes only a minimal collection. It is very difficult to imagine that Customs officers would actually access and read the PNR information on hundreds of passengers arriving on each flight.
The CCRA's acquisition and retention of all API/PNR information regarding every arriving traveller must therefore be related to something quite different, namely the gathering of longer-term intelligence.
Indeed, in a July 17, 2002, letter to me in which you seek to respond to the concerns I brought to your attention, you state:
"The mandate of Customs is not limited to the operational task of admitting people and goods into Canada. It includes investigative and intelligence programs that provide customs officers with the information required to target people and goods that may be inadmissible or pose a threat to Canadians. The analysis of travel patterns allows Customs to identify indicators for detection of suspect persons and contraband. Simply put, API/PNR information is part of our existing mandate of risk management."
Unfortunately, I am unable to find anything in the Customs Act, either in its previous form or as amended in 2001, that would constitute a legislative mandate to establish intelligence databases on all law-abiding Canadians.
Were there such a mandate, of course, its potential for grotesque intrusions would be quite limitless. Travel patterns, after all, are not the only "indicator" that could be used to identify who might pose the greatest risk of being a Customs violator - occupation, income level, personal interests, known friends and associates, and a great many other elements of personal information, might well constitute even better indicators. Yet the creation by the state of intelligence databases on all citizens - whether about travel patterns or any other "indicators" - simply to identify the few who seem likeliest to be lawbreakers, has absolutely no place in a free and democratic society like Canada.
In the absence of a clear legislative mandate for intelligence-gathering about all law-abiding citizens, I am therefore unable to be satisfied that the intended collection of API/PNR information, in the form that it is now to take, "relates directly to an operating program or activity" of the CCRA as required by section 4 of the Privacy Act.
Section 6 of the Privacy Act states:
"(1) Personal information that has been used by a government institution for an administrative purpose shall be retained by the institution for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information."
In my view, the corollary is that the Privacy Act intends that information that has not been used for an administrative purpose shall not be retained.
In its January 16, 2001 document describing the API/PNR initiative, the CCRA clearly took the view that use of the information for an administrative purpose would occur only in those comparatively few instances where querying the database resulted in the data about a given individual actually being viewed by a customs officer. That is why the CCRA undertook that all other API/PNR data would be destroyed within 24 hours.
I believe that this view remains the correct one. Consequently, I am unable to see how the intended retention of all API/PNR data can be consistent with section 6 of the Privacy Act.
Finally, section 7 of the Privacy Act states:
"Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except
a) for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; or
b) for a purpose for which the information may be disclosed to the institution under subsection 8(2)."
In testimony before the House of Commons Standing Committee on Finance, your predecessor as Minister of National Revenue, Hon. Martin Cauchon, stated the purpose of giving the CCRA access to API/PNR information to be as follows:
"We are going to have an advance passenger information system, with which we will work with the airline company. The airline company will send the information to the customs officer in advance, prior to their arrival, and he or she will have time to go through the list and check with the data bank. Of course, when people arrive here, we'll pay attention just to those who are of some concern. The others will go through basically without any questioning."
Once the API/PNR information has been used to select individuals for secondary screening, and all the others have been permitted to enter Canada with their goods, this stated purpose will have been fulfilled.
It is difficult to see how retaining the API/PNR information pertaining to the overwhelming majority of law-abiding Canadians who have not been found to present any Customs risk, and turning it into an intelligence database, can be considered to be a use that is the same as, or consistent with, the stated purpose of this initiative.
This is particularly the case since the overwhelming majority of Canadians whose API/PNR information will be stored in the database are likely to continue to be of little or no Customs interest. In fact, the only potential usefulness of all but a tiny fraction of this information would be for sharing with officials other than customs officers under the provisions of section 107 of the Customs Act - certainly not the same use or a consistent use.
Accordingly, I am not persuaded that the intended creation of this database can be consistent with section 7 of the Privacy Act.
I also wish to mention that I have received legal advice that the creation of this database may well be unconstitutional as a violation of Section 8 of the Canadian Charter of Rights and Freedoms.
You have suggested that the CCRA's intended course of action is consistent with the Supreme Court's recent decision in Smith v. Canada, where customs information was shared with Human Resources Development Canada for purposes of identifying unemployment insurance cheats. However, the API/PNR information is far more extensive and more personal, tending to reveal intimate details of the lifestyle and personal choices of the individual; the information will be available under section 107 for a far wider range of government scrutiny for a wide variety of purposes; and other circumstances are significantly different from those of the Smith case.
I note that in your July 17 letter to me, you asserted that the creation of this database will be consistent with the four-pronged test - necessity, effectiveness, proportionality, and absence of a less privacy-invasive alternative - that I have suggested must be applied to any proposed intrusion on privacy in the name of security.
I appreciate your implied acknowledgment of the importance of these tests. However, I regret that I am unable at this time to understand how the intended creation of this "Big Brother" database meets any of them.
With regard to necessity, it is clear that at the time the Customs Act amendments were before Parliament, the CCRA did not consider the retention of all API/PNR information to be at all necessary.
Your letter did not adduce any new evidence or considerations to support necessity, beyond invoking the mandate of CCRA and stating, as I previously quoted, that "the analysis of travel patterns allows Customs to identify indicators for detection of suspect persons and contraband." But what may be helpful is not thereby automatically rendered necessary; otherwise, all law enforcement authorities would be able to claim limitless powers.
With regard to effectiveness, since no clear need for this massive database has been demonstrated, there is no basis on which I could concur that its creation is likely to be effective in meeting this (unspecified) need. However, I note that you made the following statement under the rubric of effectiveness:
"Analysis of passenger information will be extremely important in cases where there is reason to believe, on the basis of intelligence information or through information obtained at the border during routine customs examination, that an individual may be operating as part of a conspiracy related, for example, to the importation of a weapon of mass destruction. In these circumstances, customs officials would be able to use 6 years of historical API/PNR information to identify persons who may be involved in the discovered illegal activity, in order that such persons can be intercepted if they later attempt to enter Canada."
While the spectre of weapons of mass destruction is undoubtedly a frightening one, I must confess that I am unable to understand the point you are making with regard to the likely effectiveness of the intended API/PNR database in protecting us from such a fate.
It is not readily apparent that someone seeking to import a weapon of mass destruction would be likely to do this piecemeal in successive trips, or that he or she would exhibit travel patterns that could be readily identified as consistent with the transport of weapons of mass destruction.
I consider it noteworthy that the RCMP and CSIS, which have primary responsibility for national security, did not consider it necessary to seek prolonged retention of all API/PNR information in the provisions of Bill C-55. It is likewise noteworthy that U.S. authorities have been able to amass very extensive information about the perpetrators of September 11, and their associates, without access to years of API/PNR data.
With regard to proportionality, you stated in your letter only that "the sort of catastrophe that can be brought about by weapons of mass destruction is without a doubt justification for keeping this information." That can only be the case, however, if a massive database on the travel activities of all law-abiding Canadians is demonstrably necessary and likely to be effective in protecting us from such a catastrophe. That demonstration has yet to be made.
On the contrary, I must suggest that it is highly disproportional for the government to begin amassing intelligence files on the personal information and private lives of all Canadians, in the hope that some day, somehow, this might help to identify a terrorist or two. If the purpose is forensic - to have information available after a terrorist act is committed - that is even worse. In a free society, the state cannot build dossiers on the private lives of all its citizens just in case one of them commits a crime. And it is all the more disproportional if this information is also to be available to the state, under section 107 of the Customs Act, for purposes that have nothing to do with anti-terrorism.
Seeking to protect ourselves by needlessly sacrificing the core values and fundamental rights that define our society and determine the quality of our lives, would be the very definition of disproportionality.
It is therefore my duty to recommend, in the strongest possible terms, that you urgently reconsider the plans for the intended creation of this massive, unprecedented and profoundly intrusive database.
I believe that the privacy rights of Canadians can best be respected, without any significant loss of security or effectiveness, by honoring the previous commitment not to retain any API/PNR information except that which emerges from queries and is specifically viewed or used by a reviewing officer.
If, however, you and the government are adamant that the retention of all API/PNR data is necessary to combat terrorism, then as the absolute minimum I recommend - and appeal to you - that the use of this information be strictly limited to anti-terrorism and Customs purposes, and totally exempted from all other sharing provisions of section 107. It should be treated as exceptional security information, not as routine "customs information" within the meaning of section 107 of the Customs Act.
There can be no possible justification for invoking the tragedy of September 11 as the rationale for the creation of an extraordinary, unprecedented, privacy-invasive and gravely troubling database of personal information in direct violation of past undertakings, and then making that database available for a broad range of other potential uses that have nothing to do with anti-terrorism.
Privacy Commissioner of Canada