Home / Privacy Resources / Article Search / PrivaTalk - November 2001

PrivaTalk - November 2001

PrivaTalk

November 2001
Volume 1
Issue 10

The Impact of Canada’s New Anti-Terrorism Legislation on Privacy

The muted public reaction to the introduction of Bill C-36, the federal government's massive 171-page anti-terrorism bill, came as little surprise. While the Privacy Commissioner has rightly raised alarm bells about the privacy implications of the proposed law, in the wake of the devastating September 11th attacks, it has become clear that many Canadians are willing to accept less privacy in return for greater security.

The proposed legislation will certainly accomplish that, as it contains significant new powers to identify, prosecute, convict and punish terrorist activity. The definition of a “terrorist activity” is extremely broad. Although it excludes lawful protests and strikes, violent protests or illegal blockades that disrupt essential services are included. Many critics have argued that the loosely worded definition could be used by police to crack down on anti-globalization protestors or native activists, for example.

The RCMP Commissioner was content with the sweeping bill and told the House of Commons Justice Committee that the anti-terror bill will give police the tools they need to fight an elusive threat and ensure that Canadians are the safest citizens in the world. Meanwhile, the privacy and information commissioners say parts of the proposed bill are seriously flawed.

The Federal Privacy Commissioner was particularly concerned about a provision in the bill enabling the Attorney General of Canada to issue a certificate that would prohibit the release of personal information under the public sector Privacy Act or the private sector Personal Information Protection and Electronic Documents Act, for reasons of security, international relations or defence considerations. The bill goes on to amend the two privacy Acts to say that the legislation does not apply to information, the release of which is prohibited by a certificate issued in accordance with the anti-terrorism legislation. Thus, the Privacy Commissioner can no longer review such information or recommend that some of the information about the individual be released to him or her. Essentially, the Minister can arbitrarily declare some information off limits, giving government officials or organizations the ability to shield information deemed sensitive.

The bill creates more than 20 new offences, covering everything from facilitating financing and carrying out terrorist activities, to damaging property associated with religious worship, to communicating “special operational information” without authorization. Two controversial Criminal Code amendments would force certain individuals, who have not been charged with a crime, to answer questions at an “investigative hearing”, and would create a new “preventative arrest” power enabling police to hold suspected terrorists without charge for up to 72 hours. The bill would extend the period of validity of wiretap authorizations from the current 60 days to up to one year, when police are investigating a terrorist offence. The requirement to notify the target after surveillance could be delayed up to three years. When investigating terrorist activity, police would no longer have to prove that electronic surveillance was a last resort.

Many government officials worry that the legislation, with the dramatic new powers it would assign to police and security services, goes too far. Even if the limitations it imposes on civil liberties seem reasonable, under the circumstances, they run the risk of being abused.

Just about everyone agrees the bill's provisions are so novel, so far-reaching and so hurriedly drafted that it would be prudent to attach some sort of "sunset" clause, at least to the more controversial sections, stipulating that these would expire at some fixed date unless renewed by act of Parliament. However, Justice Minister Ann McLellan prefers parliamentary review whereby the bill lives until expressly repealed instead of the bill dying unless expressly renewed.

The Prime Minister has said that the government is open to improving the bill. No one knows for sure whether the increased domestic surveillance will advance the cause of preventing terrorism relative to the erosions of privacy involved. Given this, a sunset clause is highly appropriate – the federal government should be forced to review the legislation when more information is available and when cooler heads prevail.

Privacy Commissioner Releases Decision about Doctors’ Prescribing Patterns

Another decision by the Federal Privacy Commissioner under Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (the “PIPED Act”), was released in early October. The Commissioner ruled that physicians’ prescribing habits do not constitute personal information under the PIPED Act. The decision comes following a complaint filed alleging that IMS Health Canada (“IMS”) sells information about prescribing patterns without consent. IMS gathers the names, identification numbers and phone numbers of prescribers and details about the drugs they prescribe from Canadian pharmacies. The information is anonymized as far as the patient is concerned. IMS produces reports from this information that it sells to its pharmaceutical company clients, such as lists of all the doctors within certain sales territories of the client, ranked by their relative level of prescribing activity. Another example is reports tracking the monthly prescribing activities of a group of physicians who have attended a Continuing Medical Education event sponsored by a pharmaceutical company, that are used to see if the event was effective in resulting in new presecriptions for a targeted drug.

Personal information is defined in s. 2 of the Act as “…information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” The Commissioner explained that while the definition of personal information is broad, it is not so broad as to encompass all information associated with an individual. A prescription discloses little or nothing about the physician as an individual because it is about the patient. The Commissioner acknowledged that the prescription is about the professional process that led to the issuance of the prescription, however he concluded that this is not personal information about the physician. He applied similar reasoning for the prescription patterns discerned from numerous prescriptions.

Many physicians would argue that prescribing patterns say something about the physician as an individual, such as how conservative they are or how experimental they are with new drugs on the market. The Privacy Commissioner himself stated in his decision that “there may be circumstances where information relating to an entity such as a sole proprietorship is so closely linked to an individual person, that the information can be said to be about that individual”. So when is such information so closely linked to an individual person? There seems to be an underlying message that is not explicitly stated in the Commissioner’s decision but that we need to shed light upon to answer this question.

Privacy needs to be balanced with other human rights and social interests. Making prescribing patterns personal information that cannot be used or disclosed without the consent of the physician would fly in the face of promoting accountability of the health care system. The Commissioner’s decision gives pharmaceutical companies the free reign to market to health care practitioners, but it also means that the prescribing patterns of physicians can be freely revealed to the pubic, regulatory bodies and the government for review. This larger public goal of access to prescription patterns makes it necessary to think of the information as less closely linked to the individual personally.

The IMS decision will probably not go to the courts, however, we may see a federal court decision on PIPED Act sooner than expected. A Vancouver lawyer is challenging Telus’ right to charge extra fees for unlisted telephone numbers as a violation of the PIPED Act. Upon dismissal of his complaint by the Federal Privacy Commissioner, the lawyer filed a Federal Court application to force the company to stop charging fees to keep names, telephone numbers and addresses out of the public domain. There is some indication that at the time the legislation was introduced, Industry Canada gave the telephone companies assurances that fees charged for unlisting phone numbers, essentially withdrawals of consent, would not be seen as a violation of the Act. Only time will tell if the Federal Court sees it differently.

Kelowna Decision hasn’t stopped Plans to Introduce Video Survillance

Toronto’s Chief of Police is pushing to have security cameras installed on street corners, such as the corner of Yonge and Dundas streets, and the Toronto Police Services Board voted in favour of examining whether to install cameras in this and other downtown areas. Unfortunately, the city’s mayor, who asked, “What is there to be afraid of unless you’re a criminal?”, does not understand the privacy issues. Individuals in public places have not implicitly consented to and don’t expect to be surveyed, unlike in private places such as a bank or a convenience store that merit special protection to deter criminals. One’s privacy rights do not depend on whether or not one has something to hide. However, privacy rights need to be balanced against security and safety issues.

Many Canadian cities already have or are considering having cameras mounted in public places for safety reasons. The Federal Privacy Commissioner’s recent decision under the public sector laws sheds some light on the issue. The Commissioner, George Radwanski, ruled that video-surveillance activities by the RCMP in Kelowna violate the Privacy Act. This would only be an issue under the private sector legislation if the surveillance was engaged in by a private sector organization as a “commercial activity” (see the article entitled “First Ruling under the New Canadian Privacy Law – Security Cameras in Yellowknife” in the August 2001 issue of PrivaTalk). In the Yellowknife case, the Commissioner found that live video stream that is not being recorded is still a collection of “personal information” (defined as any information about an identifiable individual), and thus subject to the private sector legislation. However, under the public sector Privacy Act governing the RCMP, personal information is defined as any "information about an identifiable individual that is recorded in any form".

The RCMP installed a single video camera in downtown Kelowna focused on a high crime area near a park and a bus depot. At the time of the complaint, the camera recorded video on a continuous basis, 24 hours a day, seven days a week. The Privacy Commissioner reasoned that according to the Privacy Act, there must be a demonstrable need for each piece of personal information recorded, in order to carry out a program or activity. Continuous recordings meant the RCMP was “collecting information on thousands of innocent citizens engaging in activities irrelevant to the RCMP”, and was therefore unjustified. The RCMP changed its practices in Kelowna such that the area under surveillance is now only videotaped if something suspicious is noticed or an officer in the field requests a recording because a violation of the law is detected. However, although the Commissioner ruled that the camera now complies with the Act, he called on Kelowna and the RCMP to stop using the camera, saying he was not satisfied that the video camera surveillance was “sufficiently respectful of the spirit of the law, nor of the privacy rights of Canadians”.

This part of Radwanski’s decision is somewhat problematic. No doubt a camera on every street corner or any other form of random surveillance is unacceptable, but an isolated camera in a troublesome area, even if privacy-invasive, is in line with public expectations, given that privacy must be balanced with safety and security. In a Kelowna poll, 80% of respondents supported the surveillance. Thus, the RCMP does not plan to remove the camera unless asked to by the RCMP Commissioner’s office in Ottawa, which is now reviewing Radwanski’s ruling with federal justice department lawyers. The issue may eventually go to the courts for a legally binding ruling if the RCMP continues to use the cameras over the objections of the Federal Privacy Commissioner.

Asking the RCMP to remove one strategically placed camera in an area clearly marked as being under surveillance may be extreme. However, the Commissioner found that at least five other locations had been selected for the installation of surveillance cameras. The more cameras there are in the plan, the more real the concern is that privacy and security are not being properly balanced. The RCMP is holding off on further installations until a clear ruling is received.

Although the Commissioner felt that there is no persuasive evidence that video surveillance of public places is an effective deterrent of crime, most police forces feel differently. Its clear that the on-going debate over whether video surveillance is appropriate is shifting as security comes forward as an issue that deserves as much protection, if not more in today’s times, as privacy.

FTC to Drop Call for New Federal Internet Privacy Laws in the U.S.

Reversing the prior FTC position adopted under the Clinton administration, FTC Chairman, Timothy Muris, has announced that it is no longer seeking new stronger laws to enhance on-line consumer privacy, but will step up enforcement of existing privacy laws, such as the Gramm-Leach-Bliley financial services legislation and legislation designed to shield young children from on-line marketers. Muris promises a 50% increase in resources dedicated to enforcement and promises to fight harder to stop deceptive spam, identity theft, abuse of credit reports, and violations of privacy policies. He also promises to create a national “do not call” list of people who do not want to be contacted by on-line marketers, and wants to build on earlier initiatives to educate consumers on the ways in which they can safeguard their privacy. Although privacy advocates such as the Electronic Privacy and Information Center, were encouraged by Muris' commitment to strong enforcement of existing laws, there has been strong opposition to the view that new laws are not needed. Meanwhile, many industry trade groups praised the new FTC direction, since it once again supports self-regulation.

The problem is that without legislation in the United States forcing companies to post privacy policies and stand by the promises they make in those policies, self-regulation will fail, because the FTC can only prosecute companies that violate their stated privacy pledges. It becomes easier for a company to not have a privacy policy at all – those who are silent about their privacy practices are not subject to enforcement.

Also, given the patchwork of state privacy laws that exist, not putting baseline federal U.S. privacy standards in place may only hurt consumer confidence.

There is the counterargument that broad-based privacy laws may not be effective. The Gramm-Leach-Bliley financial services legislation for example gave customers the right to opt out of having their financial information shared with third party companies. While the opt out notices that banks mailed to customers this summer cost the industry millions of dollars, most were so complicated to read that consumers simply threw them away.

The key is to have federal privacy laws that are flexible and that balance consumer privacy with the business need to collect and share information. The problem in the United States is that efforts have been made to introduce privacy legislation at the federal level that is too heavy handed and thus can never gain the support of the business community. If the U.S. gives up on all efforts to introduce federal privacy laws for consumers on-line, the true potential of e-commerce cannot be realized.

Polls Find that Many Canadian are Willing to Give up Basic Rights

A Globe and Mail/CTV/Ipsos-Reid poll suggests that most Canadians are willing to surrender some crucial individual rights in exchange for strengthened police powers in the fight against terrorism. Contrary to many continental European countries, Canada has long resisted a universal identity card – especially one containing such personal information as its owner's fingerprints. However the study showed that four out of five Canadians are willing to provide their fingerprints for a new permanent security card that would be carried at all times and shown to police on request.

Even though Canada is known for limiting police powers, 59 per cent of respondents to the poll said they would give police the extraordinary power to “randomly stop and search” either themselves or their vehicle, instead of doing so only upon a reasonable suspicion that the individual may have committed an offence.

A small majority, 53% of respondents, said that law enforcement officials should have the power to detain individuals who may be suspected of being involved in terrorist activities indefinitely.

Overall, 58 per cent of Canadians said that terrorism threats outweigh the protection of their individual rights and freedoms and the due process of law.

Canadians, however, rejected measures that would seem to directly affect their privacy. A clear majority of respondents said they do not want the police to tap their phones at will or to snoop through their mail and their credit-card bills without permission.

The poll, which is based on a random sample of 1,000 respondents, has a margin of error of 3.1 per cent, 19 times out of 20. It comes at a time when the federal government is putting the finishing touches on an anti-terrorism bill that will suppress many individual freedoms. It highlights that Canadians cherish their privacy, but that they are also willing to offer better resources and tools to the police. There is obviously some truth to Justice Minister Anne McLellan’s recent statement that the balance between individual rights and collective security shifted after the attacks. However, the results of the poll are inconsistent in some respects and seem to indicate that the public does not understand the importance of civil liberties until they need them or think of their own. In light of the terrorist attacks, it is easy to be short-sighted and place excessive weight on security at the expense of other rights and interests. It is important for Canada to ensure that civil liberties are only suppressed to the extent necessary to achieve desired security results, and that those results are effective.

Airports Consider New Technologies to Help Tighten Security

Devices exist today, and are being deployed at airport checkpoints, that can electronically "strip-search" clothed passengers, sniff people for trace amounts of explosives, analyze the chemical composition of items stashed in luggage, and scan thumbprints and faces to verify a person's identity.

New security tools are costly. Individual pieces of equipment range in price from U.S. $130,000 to $10 million. By comparison, the metal detectors and X-ray machines that have been at airports for decades cost about $5,600 and $45,000, respectively.

There are also obvious civil liberty concerns. Do travelers really want their personal information – even their bodies – on display to security staffs? The American Civil Liberties Union (ACLU) advocates a go-slow approach, saying that invasive technology must be proven effective before it is used, and that even then its use should be limited. The key is to pick the less privacy invasive alternative whenever possible. There is no guarantee that spending millions on state-of-the-art technology would prevent future hijackings or terrorist attacks, particularly as terrorists find ways to work around the system.

Researchers are approaching airport security on two fronts: detecting explosives or other weapons and identifying suspicious travellers. This article will provide a brief overview of three basic tools: advanced scanners, smart cards and facial recognition software.

Several new devices that scan people and containers for weapons are being discussed for use in airports and other public buildings. The neutron scanner shoots neutrons through containers to measure the chemical composition of items. It can scan everything from cargo containers to suitcases. The technology is so sophisticated that it can tell the difference between a bottle of wine and a bottle of liquid explosives. However, the scanner is the size of three tractor-trailers and costs $10 million.

The body search scanner is a more controversial technology. It uses special "backscatter" X-rays to see through clothing to spot weapons such as plastic guns or knives that would not be picked up by metal detectors. Such a scanner cost $130,000 to $150,000. The images seen through the machine resemble nude mannequins. Concerns have been raised in the past about whether the technology is too revealing.

The Explosives Detection Portal being developed at Sandia National Laboratories for the U.S. Federal Aviation Administration, collects air samples and analyzes them for trace amounts of explosives. A passenger stands inside a device that resembles a large metal detector equipped with a bunch of air nozzles. The nozzles emit puffs of air that pick particles off clothing, and then the samples are analyzed by the machine. The process takes about 12 seconds. A prototype has been built, but the portal is still in the testing stage.

Smart cards have been around for awhile but have become increasingly sophisticated. They're the size of credit cards and can store information such as flight schedules, a person's background information, photographs and thumbprints.

Some security experts are calling for airlines to test smart cards by using them as boarding passes for frequent fliers. An airline could issue a card that contains background information about a passenger and is keyed to the passenger's thumbprint.

When someone buys a ticket, the flight information would be downloaded to the smart card. At the airport, the card would be inserted in a reader at security checkpoints and at airline gates. Frequent fliers could avoid most of the intensive security checks that slow down travelers, and the security staff would then have more time to scrutinize people who travel less frequently.

Facial-recognition software is also being promoted as a tool to keep terrorists off airplanes. Airports could install cameras in terminals that check the faces of passengers against the faces of terrorists stored in a computer database. The problem is that in an airport setting, there would be many false alarms because the software sometimes would identify innocent people as terrorists. However, facial-recognition software could cull passengers down to a short list for security staff to check.

We need to keep in mind that as devices grow more sophisticated, so do efforts to circumvent them. In fact, it is extremely important to ensure security staff are not lulled into a false sense of security, thinking new gadgets have given them the upper hand and can prevent terrorism.