2 JOURNAL OF CONTINGENCIES AND CRISIS MANAGEMENT

The State of in the Canadian State: Fallout from 9/11

Colin Bennettn and Martin Frenchnn

Introduction different senses. First, the is generally regarded as a benefit of state citizen- The literature on privacy and is rich ship. This right is conferred on us by virtue of our and varied. Scholars, journalists, practitioners, national identities, be they Dutch, American, and others from many nations have analysed the British, Canadian, or any other. The privacy and causes and consequences of the excessive collec- data protection laws, which provide us with tion and processing of personal information, and certain guarantees about our personal informa- debated the merits of a range of legal, self- tion, reflect some essential principles of liberal regulatory and technological solutions (Bennett democracy that are either enshrined in constitu- and Grant, 1999). With few exceptions, most of tions (such as in the US Fourth Amendment) or this literature would share the following four deeply embedded in the cultural and historical assumptions: 1) privacy is an individual right; 2) experiences of different societies. privacy is something that we once had but is now Second, contemporary discourse and policy eroding; 3) the privacy problem arises from prescriptions are generally dictated by a para- structural and organisational forces that together digm which suggests that our personal informa- reduce the ability of individuals to control the tion still tends to be held within organisations circulation of their information; and, 4) the that are easily identifiable and that operate organisations that are responsible for privacy within the boundaries of modern territorial invasion can be observed, resisted and regulated states. It is not simply that the forces of because they are subject to the laws of discrete globalisation have necessitated harmonised in- and bounded liberal democratic states. These ternational solutions to the privacy problem; the assumptions constitute the ‘privacy paradigm’ growing policy interdependence has caused a (Bennett and Raab, 2003). proliferation in the number of transnational In contemporary circumstances, each of these actors, and a progressive frequency and regularity assumptions can be questioned. Privacy protec- of networking opportunities. It might be as- tion can be regarded as a social value as much as sumed that this transnational policy-making has it is an individual one (Regan, 1995). To argue caused a concomitant reduction in state sover- that privacy is vanishing, eroding, dying and so eignty. The question is not, any more, whether on (e.g. Whitaker, 1999; Rosen, 2000), assumes data protection policy should be made at the that antecedent agricultural and industrial socie- international or the national governmental levels; ties offered higher ‘‘levels’’ of privacy than data protection policy is, and must be, made at conditions in current post-industrial societies, both levels. Rather, the question is how national an assumption which is highly problematic. The and international regimes interact to respond to sources of privacy invasions are also complex. an inherently transnational policy problem The picture of an embattled individual trying to caused by a global economy. Privacy is a global stem the tide of surveillance flowing from a range problem, and it is being addressed through a of impersonal and invulnerable structural forces repertoire of policy instruments that also know makes good rhetoric for the privacy cause, but it few attachments to traditional conceptions of distorts reality and oversimplifies social and legal and territorial sovereignties (Bennett and political analysis. Privacy problems arise from a Raab, 2003). complex interplay of structure and agency. They This article charts the Canadian policy re- occur when technologies work and when they sponses to the acts of terrorism on 11 September fail, when humans have worthy motives and 2001. In brief, we argue that before 11 Septem- Department of Political Science, when they do not. ber, Canadian privacy protection policy had University of Victoria, Victoria, diverged in some significant ways with that of B.C., V8W 3P5, Canada *E-mail: However, the subject matter of this article [email protected] most closely relates to the last assumption. The the United States. Policy developments were very **E-mail: [email protected] privacy paradigm tends to be state-centric in two much driven by international pressures, but from

Volume 11 Number 1 March 2003 r Blackwell Publishing Ltd 2003, 9600 Garsington Road, Oxford OX4 2DQ, UK and 350 Main Street, Malden, MA 02148, USA THE STATE OF PRIVACY IN THE CANADIAN STATE 3

Europe, rather than from the United States. We data protection laws exists for the regulation of discuss three sets of responses by the Canadian processing in Canadian public government to 11 September, in the areas of law agencies, than in their American counterparts. enforcement, international travel, and Internet These laws are overseen by a network of privacy surveillance. Within these policy fields, the and information commissioners that operate at narrowing rights of suspects, the collecting and both federal and provincial levels (Bennett and processing of passenger information, and the Bayley, 1999). Table 1 provides a current over- monitoring of Internet ‘‘traffic data’’, all indicate view of the status of public sector privacy the diminished importance of privacy post-9/11. legislation in Canada. On these issues, Canadian policy has been forced It is with respect to data protection controls in to converge with that of the United States, thus the private sector, however, that the cross- undermining prior attempts to distinguish Ca- national differences are most notable. On 1 nada as a more privacy-friendly society than the January 2001 the Protection of Personal Informa- US, in which citizens enjoyed a more complete tion and Electronic Documents Act (PIPEDA) set of rights to informational self-determination. came into force in Canada. With this legislation, the Canadian government brought Canada more closely into line with most other countries An Overview of Canadian and (except the US and Japan) within the advanced American Privacy Protection Policy industrial world PIPEDA comes into force in stages. On 1 January 2001 the following business Historically, approaches to the issue of privacy sectors were obliged to comply: banking, tele- protection have differed substantially between communications, broadcasting, airlines, and the United States and Canada. Through statutory transportation companies, as well as any com- and constitutional measures, the control over the pany that sells personal information across collection, processing and disclosure of personal provincial or national borders, including many information tends to be a lot stronger in Canada involved in e-commerce. After 3 years, the law than in the United States. A more complete set of will apply to all commercial activities undertaken

Table 1: Status of public sector privacy legislation in Canada Jurisdiction Name of act Date Oversight agency proclaimed Federal 1982 Privacy Commissioner of Canada Freedom of Information and Protection of 1995 Office of the Act and Privacy Commissioner Freedom of Information and Protection of 1993 Office of the Information Privacy Act and Privacy Commissioner Manitoba Freedom of Information and Protection of 1997 Office of the Manitoba Privacy Act Ombudsman Protection of Personal Information Act 2000 Office of the Ombudsman Newfoundland Privacy Act 1996 Director of Legal Services, Department of Justice Freedom of Information and Protection of 1994 FOI and Protection of Privacy Act Privacy Review Officer Freedom of Information and Protection of 1988 Information and Privacy Privacy Act Commissioner/Ontario Prince Edward Island Freedom of Information and Protection of 2001 Assistant Clerk of the Privacy Act Committee Legislative Assembly An act respecting access to documents held by 1982 La Commission d’acce`s a` public bodies and the protection of personal l’information du Quebec information Saskatchewan Freedom of Information and Protection of 1992 Information, Privacy and Privacy Act Conflict of Interest Commissioner North West Territories/ Access to Information and Protection of 1996 Information and Privacy Nunavut Privacy Act Commissioner Yukon Territory Access to Information and Protection of Privacy Act 1996 Office of the Ombudsman

r Blackwell Publishing Ltd. 2003 Volume 11 Number 1 March 2003 4 JOURNAL OF CONTINGENCIES AND CRISIS MANAGEMENT

Table 2: Status of General Privacy Protection Law for the Private Sector Jurisdiction Act or other official action Date Federal Protection of Personal Information and 2001 Electronic Documents Act Alberta Internal review of issue British Columbia Legislative Committee Report 2001 Government Discussion Paper 2002 Manitoba Discussion Document Published 1999 New Brunswick Discussion Document Published 1998 Newfoundland No known official action Nova Scotia No known official action Ontario Discussion document published. 2001 Bill in preparation Prince Edward Island No known action Quebec Bill C-68 (An Act respecting the Protection 1993 of Personal Information in the Private Sector) Saskatchewan No known action North West Territories/Nunavut No known action Yukon No known action

by the private sector, including companies under processing from European suppliers and clients; provincial or territorial jurisdiction, unless the the ‘‘Safe-Harbour’’ agreement encourages busi- provinces pass ‘‘substantially similar’’ legislation nesses involved in international personal data in the meantime. If they do not, PIPEDA will transmissions to commit themselves to some apply by default to the retail sector, the basic privacy principles. Breaching these princi- manufacturing sector, most insurance compa- ples would constitute an ‘unfair and deceptive’ nies, video-rental outlets, and indeed to most trade practice and would contravene Federal businesses that have face-to-face relations with Trade Commission (FTC) rules. In total, however, consumers. Thus the provincial governments are privacy protection in the private sector is still now deciding whether they want to pass their fragmented and incomplete (Gellman, 1993). own statutes, or to do nothing and surrender an Crude economic analysis would perhaps have important constitutional power to the federal predicted that Canada would not wish to diverge government; a decision that would possibly have in any significant way from American privacy implications for federal/provincial relations be- protection policy for fear that businesses might yond that of privacy (Perrin et al. 2001; Berzins, relocate south of the border to take advantage of 2002). Table 2 presents the current status of the less restrictive regulatory climate. This brief initiatives with regard to private sector privacy sketch serves to demonstrate that Canada chose protection. to take a very different path from its major In the United States, the protection of personal trading-partner to the south. There are some information within private corporations is reliant significant domestic reasons why Canada chose a on the implementation of a more complicated more interventionist policy than did the United patchwork of federal and state laws that only States. apply to quite specific categories of personal information: consumer credit information, video- rental records, insurance records, and so on. Explaining the Divergence More recently, Congress has moved to provide protections for personal privacy within the Typically, differences between Canadian and financial sector (the Gramm-Bleach-Bliley Act) American public policy are explained in terms and to protect children’s privacy (the Children’s of cultural factors. Canadians are supposed to be Online Privacy Protection Act). A highly con- more accepting of state intervention and more troversial set of regulations to protect health suspicious of the unregulated marketplace. This information has also been issued by the Depart- supposed cultural difference does not help to ment of Health and Human Services. Some explain why different data protection policies are businesses have moved to self-regulate in order being pursued. to protect privacy, motivated in part by the need Some comparative poll results suggest that to continue to receive personal information for Canadian and US attitudes about privacy and

Volume 11 Number 1 March 2003 r Blackwell Publishing Ltd. 2003 THE STATE OF PRIVACY IN THE CANADIAN STATE 5

how to protect it are strikingly similar. Seventy- a patchwork (as in the United States). But the eight percent of Americans believe that ‘con- impact of this incoherence on Canadian business sumers have lost all control over how personal has been more serious than has the lack of information about them is circulated and used by coherence in the U.S. been for American busi- companies’; seventy percent of Canadians be- ness. lieve the same. In response to the question: The first difference relates to the early enact- ‘Which type of invasions of privacy worry you ment of a private sector privacy protection law in most today – activities of government agencies or the province of Quebec. For businesses that businesses?’ fifty-two percent of Americans, and operate in different provinces and jurisdictions, fifty-one percent of Canadians say government; the transaction costs of having to deal with forty percent of Americans and thirty-seven different privacy laws and regulations can create percent of Canadians say businesses. In 1994, uncertainty and confusion. Hence, this is a fifty-one percent of Americans reported that they particularly acute problem for provincially regu- felt ‘very concerned’ about threats to personal lated industries, such as insurance and retail. privacy; thirty-seven percent of Canadians felt Such enterprises are obliged to grant rights to that way. The differences in policy response can Quebec consumers that citizens in other parts of be explained neither by greater fears for privacy the country do not enjoy. Some businesses have among the Canadian public than the American, thus harmonised their rules and declared that nor by greater trust of business in the U.S. than their practices in the rest of Canada conform to in Canada (Harris and Westin, 1994:17). the Quebec standard. It is for these reasons that The differences in policy also cannot be the rhetoric about ‘‘marketplace rules-of-the explained in terms of the differential extra- road’’ and ‘‘level-playing fields’’ on the informa- territorial impact of the European Union’s Data tion highway tended to overshadow the tradi- Protection Directive, which stipulates that perso- tional discourse about human rights and civil nal data on Europeans should not flow from the liberties. It is also the reason why the lead EU to countries that cannot guarantee an department was Industry Canada, rather than ‘adequate level of protection’ (EU, 1995). There Justice Canada (Bennett, 1996). is certainly some fear that larger American A second factor relates to the network of trade multinationals can afford to take care of their associations in Canada, which tend to be more interests within the European policy arena more inclusive than their counterparts in the United effectively than their smaller counterparts and States. The impact of ‘‘free-riders’’ in some subsidiaries in Canada. But Canada does rela- industrial sectors is therefore more keenly felt. tively little trade with the EU. The United States The Canadian Marketing Association (CMA), for is significantly more important to the Canadian example, claims that its members are responsible economy, than is the EU. Proportionately, the EU for around eighty percent of the direct-marketing is relatively more important to the US economy activity within Canada. These companies are than it is to the Canadian. The enforcement of expected to abide by the CMA’s privacy code (if Articles 25 and 26 of the EU Directive is far more they wish to remain members). The reputation likely to disrupt the trade in goods and services and indeed economic interests of the majority are from Europe to the United States, than from then harmed by the actions of the minority Europe to Canada. (which may collect and trade in personal data The difference is also not explained by the without regard for consent rules or the mail and presence of a stronger and more vocal ‘‘privacy telephone preference services). The CMA became lobby’’ in Canada. If anything, the privacy the first association in Canada to call for national advocates in the United States have been more legislation to protect privacy in October 1995. influential (especially on issues relating to online The final factor is the existence of a small privacy protection) than have the disparate band network of privacy and information commis- of consumer advocates, civil libertarians, aca- sioners, not present in the United States. Most demic experts and private consultants in Canada, provinces now have such officials, who on who share few common perspectives and inter- occasion can speak forcefully and concertedly ests. The policy process in Canada has not been for stronger privacy protections. Commissioners attended by public debate, or by an enormous have been especially worried that the protection clamouring for reform by outside interests. This is offered by legislation like the federal Privacy Act fairly typical of the policy process for data is circumvented when ‘‘private’’ organisations protection in other countries. There has been a perform ‘‘public’’ functions, and require the use constant, but low-key, stream of media attention, of ‘‘public’’ data to fulfil those obligations. but nothing that would captivate the attention of Together, these factors pushed Canada in the federal politicians and force them to act. direction of the vast majority of advanced We would argue that the main differences are industrial states that have sought comprehensive explained more by domestic political and eco- and statutory solutions to the problem, and away nomic factors. Canadian data protection policy is from the policy of its largest trading partner,

r Blackwell Publishing Ltd. 2003 Volume 11 Number 1 March 2003 6 JOURNAL OF CONTINGENCIES AND CRISIS MANAGEMENT

which continues to rely on an incremental, flowing from the eclipse of privacy interests by fragmented and self-regulatory approach. other, more powerful, organisational interests. One role of the Office of the Privacy Commis- sioner, therefore, is to mitigate the compromises Canadian Privacy Protection Policy made in policy between privacy and other after 11 September interests, and sometimes the Commissioner has been able to justify his critiques of policy through The events of 11 September had the immediate an ultimate appeal to the fundamental nature of effect of shifting the focal point of privacy privacy. However, following 11 September, the protection policy from the traditional problem importance of the fundamental meaning of of domestic harmonisation for economic reasons, privacy, like other fundamental rights, was to the new problem of international harmonisa- immediately diminished. In terms of privacy tion for security reasons. Most notably, initiatives protection, the after-effect of 11 September was to create a ‘‘common security zone’’ within to make the strategic meaning of privacy North America have significant implications for instrumentally more dominant in the discourse. Canadian privacy protection policy. Even though Three sets of responses by the Canadian none of the perpetrators of the 11 September government to 11 September reflect the with- attacks entered the United States via the Cana- drawal of fundamental privacy from the post-9/ dian border, there is nevertheless a perception 11 privacy protection agenda. Although 2001 that Canada provides a safe-haven from which began with the implementation of strong privacy terrorist activity against the United States can be protection legislation (PIPEDA), it ended with planned. For example, U.S. officials have criti- widespread emergency amendments that pose a cised Canadian immigration and refugee laws as significant threat to the privacy rights of Cana- too lax, citing the case of Ahmed Ressam, a failed dians. The most troubling effect of 9/11, however, refugee applicant from Algeria, who was arrested has been the normalisation, in 2002, of an in December 1999 while trying to cross the emergency mentality in numerous policy areas. border into Washington State with explosives in The domination of a strategic approach to privacy the trunk of his car. Ressam was later convicted and the concomitant normalisation of the emer- on charges of plotting to bomb Los Angeles gency mentality are nowhere more evident than International Airport during millennium celebra- in the policy fields of law enforcement, interna- tions. In the name of creating a ‘‘common tional travel, and Internet surveillance. security zone’’ around Canada and the US, a number of Canadian laws and policies are currently under review. With specific regard to privacy protection, however, several legislative Law Enforcement – Powers of Arrest initiatives are worthy of analysis. and Detention To begin this analysis, it would be useful to draw a distinction, however murky, between two By far the most comprehensive response to 11 kinds of privacy: fundamental privacy and strategic September was the Anti-Terrorism Act, (here- privacy. This analytical distinction illuminates the after Bill C-36), an omnibus and varied set of disjuncture in the privacy protection discourse measures designed to enhance the federal between privacy as an essential value, and government’s ability to prevent and detect privacy as a value to be balanced with other terrorist activity. Bill C-36 modifies more than values. In general, and on a sociological level, the twenty pieces of legislation, including the Federal concept of privacy is often used in some Privacy Act and PIPEDA. In its preamble, the Bill fundamental sense. Hence, where privacy de- states that: notes certain fundamental values, its protection is ‘the challenge of eradicating terrorism, with its generally posed as an a priori good. When, for sophisticated and trans-border nature, requires example, the Canadian Privacy Commissioner, enhanced international co-operation and a George Radwanski, refers to privacy as ‘a strengthening of Canada’s capacity to suppress, fundamental human right’ or as ‘an innate investigate and incapacitate terrorist activity’ human need’, he is using the term privacy in (Canada, 2001a) this fundamental sense (Radwanski, 2002a). At the level of public policy, the concept of Bill C-36 creates a brand new category of privacy is rarely framed in a fundamental sense. criminal offence based on new definitions of Rather, the pragmatic mindset of policy makers ‘‘terrorist activity’’, ‘‘terrorist group’’, as well as tends to produce a strategic understanding of ‘‘facilitation’’ and ‘‘participation’’ in terrorist privacy. Where privacy denotes certain strategic activity. The draft legislation initially had a very values, privacy interests are specifically balanced broad definition of terrorism. This definition was against other interests. Hence, the need for narrowed by the time Bill C-36 was passed. institutional privacy protection might be seen as However, the definition remains sufficiently

Volume 11 Number 1 March 2003 r Blackwell Publishing Ltd. 2003 THE STATE OF PRIVACY IN THE CANADIAN STATE 7

broad to give cause for concern. Where the state scrutiny of his oversight. The Commissioner can demonstrate that a threat of terrorism exists - argued: not a difficult task considering the breadth of the ‘‘terrorist activity’’ definition - extensive and ‘The way the law is written, the minister could powerful surveillance and enforcement tools issue a certificate that says, disclosure of informa- tion by CSIS, the Canadian Security Establish- can be brought to bear on suspects. For instance, ment or a department of government, or indeed section 83.18(2)(c) of the act makes indictable the all departments of government, could be taken participation in a terrorist group, regardless of off the table. At that point, not only would there whether or not ‘the accused knows the specific be no possible disclosure and no oversight of nature of any terrorist activity that may be that, but according to this, all the other provisions facilitated or carried out by a terrorist group’ of the Privacy Act would not apply. So there (Canada, 2001a). This section suggests that, would be no limitations on how the information depending on the state’s discretion in the could be used, combined, shared or disclosed. In naming of a terrorist group, one could come effect, these provisions could be used to nullify under the broad powers of surveillance enumer- the Privacy Act by ministerial fiat.’ (Radwanski, 2001a) ated in Bill C-36 by virtue of their association with a suspect organisation. After several weeks of private negotiation and Most controversially, the bill provides police public wrangling, the Minister of Justice intro- forces and government with new and consider- duced a number of amendments to C-36 that able powers, often of a discretionary nature. Bill effectively met the Commissioner’s concerns. C-36 introduces fundamental changes to com- In response, Mr. Radwanski wrote an open monly held rules of justice, notably in matters letter to the Minister praising her action ‘as a such as arrest, detention and wiretapping. The great victory for the privacy rights of all bill also permits preventive detention up to 24 Canadians. You have reaffirmed on behalf of hours without any charge for a criminal offence. the Government of Canada that privacy is a The legislation also makes the authorisation of fundamental human right that, even in times of communications surveillance much easier to gravest crisis, must always benefit from the obtain (Canada, 2001a). The considerable powers maximum protection possible’ (Radwanski, thus provided to law enforcement and security 2001b). This effusive praise prompted one of agencies permit them to interrogate, monitor, the opposition leaders to accuse Radwanski of detain and open files on any individual without ‘climbing down’ under pressure, an accusation any other basis than mere suspicion of participa- that prompted another open letter from the tion in a ‘terrorist activity’, as it is defined in the Privacy Commissioner (Radwanski, 2001c). bill. Arguably, the legislation raises enormous There is no doubt that the narrowing of these potential for racial discrimination. Since 11 provisions constituted a certain victory for the September, anti-racist organisations have Privacy Commissioner’s position. However, in vocally criticised Bill C-36 for targeting visible the wider context of the legislation, the questions minorities. concerning access to personal information under Each of these provisions raises important the Privacy Act and PIPEDA, do seem relatively privacy questions. Many of the reforms involve narrow. Consequently, we conclude that, in the record keeping and disclosure obligations that law enforcement policy field, fundamental priv- have a direct impact on privacy (Austin, 2001). acy has been trimmed out of policy discourse in The Federal Privacy Commissioner, however, two ways. First, in the immediate climate of decided that these wider battles over Canadian emergency following 11 September, the Privacy civil liberties could not be successfully fought. Commissioner was only able to effectively The bill, he concluded, was a ‘‘well-balanced, address the infringement of information privacy well thought-out effort to enhance security to and not privacy more generally. Second, where give law enforcement authorities the measures the Commissioner scrutinised legislation, he also they need to be able to effectively seek to combat was compelled to discuss privacy in a strategic terrorism, while at the same time respecting way. In this regard, the policy discourse focused privacy rights that are maximum possible’’ on privacy as an interest to be balanced with (Radwanski, 2001a). He therefore decided to security. While the Commissioner had never focus his attention on a provision that was claimed that privacy was an absolute right, clearly within his remit – the rights of individuals neither had he ever so frequently juxtaposed his to obtain information about themselves under concerns with security issues. both the Privacy Act and PIPEDA. Following the first reading of Bill C-36, the Privacy Commissioner pointed out that certain International Travel proposed amendments to the Privacy Act not only removed limitations on the state’s On 22 November, not quite two months after use of citizen information, it also removed the the 11 September attacks, the government

r Blackwell Publishing Ltd. 2003 Volume 11 Number 1 March 2003 8 JOURNAL OF CONTINGENCIES AND CRISIS MANAGEMENT

introduced the Public Safety Act, initially known airlines to foreign authorities. This has the as Bill C-42, which, among other things, somewhat peculiar result that the US and other amended the Aeronautics Act with regard to governments could obtain such information, but the disclosure of passenger travel data to law the Canadian Government itself could not. enforcement agencies. A week later, the govern- Nevertheless, Radwanski accepted the amend- ment introduced An Act to Amend the Aero- ment, whilst still articulating concerns over the nautics Act (hereafter Bill C-44), which was unnecessary scope of the bill. created by removing a small section from Bill While Bill C-44 remains intact, Bill C-42, C-42. This law facilitates the sharing of passenger which had a number of problems, was with- lists on flights coming into, and leaving, Canada. drawn in April 2002. The new Public Safety Bill C-44 was hived off for quick passage when Act, now known as Bill C-55, has been sub- it became clear that the broader Bill C-42 – the stantially corrected. However, one section of second and accompanying legislation to C-36 – C-55 remains a source of concern for the would not pass in time to meet a 18 January Privacy Commissioner. Section 4.82 of the Act deadline set by the United States; President would: George W. Bush signed a law in November, 2001 requiring foreign airlines to provide passenger lists and other basic information to U.S. autho- ‘give the RCMP and CSIS unrestricted access to rities. Bill C-44 stipulates: the personal information of all Canadian air travelers, on flights within Canada as well as on ‘an operator of an aircraft departing from Canada international routes [y] In Canada, police forces or of a Canadian aircraft departing from any place cannot normally compel businesses to provide outside Canada may, in accordance with the personal information about citizens unless they regulations, provide to a competent authority in a obtain a warrant. Section 4.82 would entitle the foreign state any information that is in its control national police force and the national security relating to persons on board or expected to be on service to demand personal information about all board the aircraft and that is required by the laws Canadian air travelers without any judicial of the foreign state’ (Canada, 2001b) authorisation.’ (Radwanski, 2002b)

This provision overrides Section 5 of the Personal Information Protection and Electronic Docu- This section has sparked a considerable and ments Act. heated public debate between the Privacy Com- Reflecting on the domestic impact of the missioner, the Solicitor General, and the Minister Canadian-American legislative amalgamation in of Transport. In an exchange with the Solicitor this field, Radwanski remarked: General, the Privacy Commissioner began to distance himself from the practice of justifying all ‘Authorising aircraft operators to disregard the extreme legislative measures with reference to Personal Information Protection and Electronic the terrorist attacks of 11 September (Radwanski, Documents Act and provide the authorities of 2002c). foreign countries with ‘‘any’’ personal informa- And yet, in spite of the Commissioner’s recent tion about Canadian travellers required by the exhortations, the government continues to pro- laws of such countries is an extremely serious duce progressively more invasive policy. The matter. It is particularly troubling when the laws Canada Customs and Revenue Agency (hereafter of those countries, as in the case of the U.S., CCRA) is currently taking steps to compile provide no safeguards or restrictions as to how Advance Passenger Information and Passenger such information may subsequently be used or to what third parties, including other countries, it Name Records in an integrated database. The may be disclosed. It is possible to envisage Advance Passenger Information system contains circumstances in which this could put Canadians a traveller’s name, date of birth, gender, travel at very real risk’ (Radwanski, 2001d) document information, and nationality. The Passenger Name Record system is considerably He was also concerned that the government of more detailed. It lists a traveller’s destination, Canada ‘should not end up with a backdoor method of ticket purchase, seat selection, num- access to information that it might not otherwise ber of pieces of checked luggage, and the date have to Canadians’. He therefore recommended the ticket was booked. The CCRA intends to an amendment that would restrict these agree- keep this information for unspecified customs ments to share information collected for the purposes. The Privacy Commissioner has noted purposes of protecting national security, and that the database could be used for virtually any restricting its further use or disclosure for any purpose the government deems appropriate. other purpose (Radwanski, 2001d). In response, These could include: data matches with other the government tabled an amendment that departments, income tax audits, as well as would prohibit the Canadian government from criminal investigation ‘fishing expeditions’ obtaining information supplied by Canadian (Radwanski, 2002d).

Volume 11 Number 1 March 2003 r Blackwell Publishing Ltd. 2003 THE STATE OF PRIVACY IN THE CANADIAN STATE 9

Internet Surveillance on data-preservation orders. Here, data preser- vation is distinguished from data retention. Data The effects of 11 September seem to be preservation involves serving a judicial order to reverberating as deeply through the cyber world preserve specific information whereas data re- as they are through the real world. As part of the tention is a general requirement to retain a range anti-terrorism package, the Canadian Govern- of data concerning all subscribers. Neither ment also signed the Council of Europe’s practice is likely to be appealing to privacy advo- Convention on Cyber-Crime. The Convention cates, who perceive this distinction as spurious. was broadly accepted by around 30 advanced These, then, are the principal policy initiatives industrial states as necessary following the 11 introduced to date that have a direct bearing on September strike (CoE, 2001). This agreement the collection, processing and disclosure of has a number of implications for the way personal information under Canadian law. As personal information is treated. For instance, in the United States, a range of technological the Convention could require organisations to measures are also being seriously contemplated, provide the government with their encryption including enhanced video-surveillance at airports keys, raising issues of privacy and self-incrimina- with facial recognition capability, retinal and/or tion. Other provisions require laws that allow the hand geometry scanning, more sophisticated state to collect and record the data traffic of profiling of airline passengers, more complex service providers. These provisions would reg- programs of data matching, and so on. There has ularise law enforcement’s use of software like the also been a debate about identity cards. The Carnivore diagnostic tool. The Convention also federal government has announced that immi- stipulates that data be retained for criminal grants to Canada will get a new plastic photo ID investigation. The data warehousing that would card instead of articles that are easily forged. The stem from this stipulation raises concerns about Minister said that the new immigration card, the creation of huge amounts of searchable called the Maple Leaf, will have fraud-proof information about people. With the implementa- technology including laser imprinting and a tion of the Convention, there is concern about magnetic strip to store encoded ‘‘tombstone data’’. the balance shifting further away from privacy in favour of security (Austin, 2001). The Department of Justice, Industry Canada, Conclusions and the Solicitor General co-released a consulta- tion document on ‘‘lawful access’’ on 25 August This summary of some of the policy develop- 2002. In the context of Internet surveillance, or ments since 11 September permits a number of more broadly telecommunications surveillance, tentative conclusions about the ‘‘state of privacy’’ lawful access allows law enforcement agencies to in Canada. And the picture is very ambivalent. intercept communications. The consultation Polls still demonstrate that Canadians are very document opens by noting that surveillance tools concerned about how their privacy is being have been instrumental in securing convictions eroded by a range of social and technological for criminal activity. On the agenda are several threats. On the other hand, a recent Gallup poll amendments to different pieces of legislation. indicated that seventy-two percent of Canadians These amendments would update Canada’s wir- think it is more important for police to intercept etap laws, giving enforcement agencies the communication between suspected terrorists capacity to lawfully snoop on wireless technology. than it is for the government to protect the Most of the amendments up for debate would privacy of the public (Ottawa Citizen, 2001). The require service providers (SPs) to supply infra- cases outlined above permit, nevertheless, three structure that would ensure the state’s capability broad conclusions about the post-9/11 state of to intercept information. There is currently no privacy in Canada. such mechanism in Canadian law. At the outset, Firstly, until 11 September, the Canadian it is unclear as to what organisations will qualify federal political system had been making some as SPs. The working definition states that a SP is important strides towards a more comprehensive ‘a person who owns or operates a transmission set of safeguards for personal data protection. facility that is used by that person or another Public opinion polls were largely supportive of person to provide telecommunications services to wider privacy laws, for both public and private the public in Canada’ (Canada, 2002). Given that sectors, and some clear differences were emer- there are so many different kinds of service ging between Canadian and US policy. To a large providers with different levels of infrastructure extent these trends are still continuing. The (including universities), the lawful access policy provinces are seriously engaged in attempting will likely have quite differential effects. In terms to pass ‘‘substantially similar’’ privacy protection of data protection standards, it is difficult to laws in their jurisdictions. The implementation of understand how principles will be equally PIPEDA has begun, albeit slowly and haltingly, applied. Particularly interesting is the discussion and the Privacy Commissioner is releasing a

r Blackwell Publishing Ltd. 2003 Volume 11 Number 1 March 2003 10 JOURNAL OF CONTINGENCIES AND CRISIS MANAGEMENT

number of quite strong investigative reports on Canadian has been likewise shaped private sector practices. It is tempting to con- by the force of international agreements (espe- clude, therefore, that privacy protection policy cially those struck in Europe). The governance of has become limited to those more mundane privacy in the global economy takes place aspects of privacy protection. The development of through multiple modes of regulation and co- techniques for protecting privacy in the everyday ordination. Simply because privacy standards are world of credit-card purchases and direct-mar- being traded-up and enforced in some arenas, keting practices may appear to be a diversion for does not mean that surveillance practices are privacy advocates and regulators to busy them- being correspondingly reduced. There are suffi- selves with while the ‘‘real business’’ of heigh- cient institutional arenas for the issue to advance tening surveillance for internal security proceeds sufficiently well in some, and at the same time to apace (Bennett and Raab, 2003). But these private regress elsewhere. This article has shown that in sector realms cannot be insulated from the Canada, at least at the moment, those advances world of security and surveillance. The shaping are seen in relation to private sector, rather than of specific business processes is also being affected public sector practices. But it is thoroughly by the pressure of these other policy consider- misleading to try to observe a single ‘‘balance’’ ations. between privacy and surveillance on a global, or Secondly, and with regard to law enforcement even a national, scale (Bennett and Raab, 2003). issues, privacy protection has been defined more and more narrowly within the Canadian State. To the extent that it involves the collection, proces- References sing and disclosure of personal information, the issue can be advanced by the Privacy Commis- Austin, L. (2001), ‘Is Privacy a Casualty of the War on sioner of Canada. However, this formulation Terrorism?’ in Daniels, R., Macklem, P. and Roach, elides deeper surveillance issues. The greater K. (Eds), The Security of Freedom: Essays on Canada’s issues concerning enhanced surveillance powers Anti-Terrorism Bill, University of Toronto Press, Toronto, pp. 251–267. for law enforcement when a broadly defined Bennett, C. (1996), ‘Rules of the Road and Level crime of ‘‘terrorism’’ is suspected were never Playing-Fields: The Politics of Data Protection in seriously addressed by the Privacy Commis- Canada’s Private Sector,’ International Review of sioner. These legislative and policy actions Administrative Sciences, volume 62, pp. 479–491. indicate that the Privacy Commissioner’s ability Bennett, C. and Bayley, R. (1999), ‘The New Public to prevent state infringement on privacy rights is Administration of Information: Canadian Ap- diminishing. Where the public sector has deter- proaches to Access and Privacy,’ in Wesmacott, mined to use personal information to combat the M. and Mellon, H. (Eds), Public Administration and threat of terrorism, the advocacy of the Privacy Policy: Governing in Challenging Times, Prentice Hall Commissioner has seemingly little impact. As the Allyn and Bacon, Scarborough. Bennett, C. and Grant, R. (Eds), (1999), Visions of emergency mentality has become normalised Privacy: Policy Choices for the Digital Age, University and instruments of the state have been more of Toronto Press, Toronto. consistently directed towards security, privacy, Bennett, C. and Raab, C. (2003), The Governance of conceived in a strategic sense, is trumped. A Privacy: Policy Instruments in Global Perspective, weak and fragmented coalition of civil liberties Ashgate, Aldershot. and public interest groups protested, but also had Berzins, C. (2002), ‘Protecting Personal Information in little effect on either the content or the timing of Canada’s Private Sector: The Price of Consensus these measures. Building,’ Queens Law Journal,volume27,pp.609–645. Finally, although the historical record has yet Canada (2001a), Anti-Terrorism Act - An Act to Amend to be thoroughly researched, it is probable that the Criminal Code, the Official Secrets Act, the Canada Evidence Act, the Proceeds of Crime (Money Launder- significant pressures to converge with dominant ing) Act and Other Acts, and to Enact Measures American practices are the main explanation for Respecting the Registration of Charities, in Order to all of the various policy changes. At a time, Combat Terrorism, Department of Justice, Minister therefore, when Canadian privacy protection of Supply and Services, Ottawa, on-line at: http:// policy was beginning to diverge from, and be www.parl.gc.ca/37/1/parlbus/chambus/house/bills/ more progressive than, that in the US, 11 government/C-36/C-36_4/C-36TOCE.html. September has convinced many American policy Canada (2001b), An Act to Amend the Aeronautics Act, makers that American security is only as strong Department of Justice, Minister of Supply and as that of the longest undefended border in the Services, Ottawa, on-line at: http://www.parl.gc.- world. And those arguments have obviously had ca/37/1/parlbus/chambus/house/bills/government/ C-44/C-44_4/90175bE.html. a powerful influence on the Canadian federal Canada (2002), ‘Lawful Access – Consultation Document’, government. Department of Justice, Industry Canada, and the But this is not a story of indigenously created Solicitor General of Canada, Minister of Supply Canadian privacy protection policy being and Services, Ottawa, on-line at: http://canada. challenged and undermined by US influence. justice.gc.ca/en/cons/la_al/a.html#2.

Volume 11 Number 1 March 2003 r Blackwell Publishing Ltd. 2003 THE STATE OF PRIVACY IN THE CANADIAN STATE 11

Council of Europe (CoE) (2001), Legal Co-operation: 21 November 2001, on-line at: http://www.priv- Cyercrime, Council of Europe, Strasbourg, on-line com.gc.ca/media/nr-c/02_05_b_011121_e.asp. at: http://www.coe.int/T/E/Legal_affairs/Legal_co-op- Radwanski, G. (2001c), Letter from the Privacy Commis- eration/Combating_economic_crime/Cybercrime/. sioner of Canada to the Rt. Hon. Joe Clark, leader of the European Union (EU) (1995), Directive 95/46/EC of the PC/DR Coalition, 22 November 2001, on-line at: European Parliament and of the Council on the http://www.privcom.gc.ca/media/nr-c/ Protection of Individuals with Regard to the Processing 02_05_b_011122_e.asp. of Personal Data and on the Free Movement of Such Radwanski, G. (2001d), Letter from the Privacy Commis- Data, Brussels, OJ No. L281, (The EU Data sioner, George Radwanski to the Minister of Protection Directive) (24 October 1995). Transport, 30 November 2001, on-line at: http:// Gellman, R.M. (1993), ‘Fragmented, Incomplete and www.privcom.gc.ca/media/nr-c/02_05_b_011130_e.asp. Discontinuous: The Failure of Federal Privacy Radwanski, G. (2002a), Legal Education Conference – Regulatory Proposals and Institutions,’ Software Privacy: Your Rights and Obligations Speech Law Journal, volume 6, pp. 199–231. delivered at the Community Legal Information Harris, L. and Westin, A. (1994), The Equifax-Canada Association of PEI’, 17 October 2002, on-line at: report on Consumers and Privacy in the Information http://www.privcom.gc.ca/speech/02_05_a_021017_e.asp. Age, Equifax Canada, Ville d’Anjou. Radwanski, G. (2002b), Statement by the Privacy Ottawa Citizen (2001), ‘Security trumps privacy: poll Commissioner of Canada on Bill C-55, 1 May 2002, 72% willing to sacrifice privacy to help police catch on-line at:http://www.privcom.gc.ca/media/nr-c/ terrorists’, 22 November 2001, Ottawa. 02_05_b_020501_e.asp. Perrin, S., Black, H., Flaherty, D. and Rankin, T. (2001), Radwanski, G. (2002c), Letter from the Privacy Commis- The Personal Information Protection and Electronic sioner of Canada to the Solicitor General of Canada on Documents Act: An Annotated Guide, Irwin Law Inc., the subject of Bill C-55, 17 May 2002, on-line at: http:// Toronto. www.privcom.gc.ca/media/nr-c/02_05_b_020517_ Regan, P. (1995), Legislating Privacy: Technology, Social e.asp. Values and Public Policy, University of North Radwanski, G. (2002d), Letter to the Hon. Elinor, Caplan, Carolina Press, Chapel Hill. Minister of National Revenue, 26 September 2002, Radwanski, G. (2001a), Testimony Before the House of on-line at: http://www.privcom.gc.ca/media/nr-c/ Commons Standing Committee on Justice and 02_05_b_020926_3_e.asp. Human Rights, 23 October 2001, on-line at: Rosen, J. (2000), The UnWanted Gaze: The Destruction of http://www.privcom.gc.ca/speech/ Privacy in America, Vintage Books, New York. 02_05_a_011024_e.asp. Whitaker, R. (1999), The End of Privacy: How Total Radwanski, G. (2001b), Letter from the Privacy Surveillance is Becoming a Reality,NewPress, Commissioner of Canada to the Minister of Justice, New York.

r Blackwell Publishing Ltd. 2003 Volume 11 Number 1 March 2003