[IP] The Canadian privacy questions

Begin forwarded message:

From: Michael Geist <mgeist@xxxxxxxxx>
Date: October 17, 2005 10:04:33 PM EDT
To: dave@xxxxxxxxxx
Subject: The Canadian privacy questions

Dave,

Interesting debate on privacy on the list for the past couple of
days. For a Canadian perspective, below is my Law Bytes column from
today which happens to focus on the current Canadian situation in
light of government plans to mandate new ISP surveillance
capabilities and two recent reports from the Privacy Commissioner of
Canada, who paints a bleak picture of the effectiveness of national
privacy legislation.

Toronto Star version at
http://geistprivacyaction.notlong.com

Freely available hyperlinked version at
<http://www.michaelgeist.ca/index.php?option=content&task=view&id=981>

MG

Michael Geist
October 17, 2005

PRIVACY PROTECTION REQUIRES ACTION NOT RHETORIC

In the face of growing public concern about Ottawa's plans to grant
law enforcement authorities vast new Internet surveillance powers,
Prime Minister Paul Martin last week tried to assure Canadians that
their privacy and civil rights would be respected. Responding to
questions about the so-called lawful access initiative, Martin
remarked that "when the government brings forth this kind of
legislation obviously the question of civil rights is first and
foremost in our minds and they will be protected."

While Canadians undoubtedly want to take Mr. Martin at his word, the
state of Canadian privacy reveals another story. In the days
preceding Mr. Martin's comments, the Privacy Commissioner of Canada
released two annual reports that paint a bleak picture of Canadian
privacy - illustrating that Canadian policies are ill-equipped to
deal with emerging technologies and cross-border trade practices.
When combined with the lawful access initiative, it is clear that a
robust privacy framework requires action rather than rhetoric.

Lawful access is the most troubling development on the short-term
horizon. The term itself unsettles many; it sounds benign while its
purpose is not - the legislation would grant new, intrusive powers of
surveillance to law-enforcement authorities without matching judicial
oversight.

If enacted, it would compel Internet service providers to install new
interception capabilities as they upgrade their networks. The
country's major ISPs, who provide service to the majority of
Canadians, would eventually be capable of intercepting data,
isolating specific subscribers, and removing any encryption or other
changes that they make to data transmissions.

The legislation would also provide law enforcement authorities with a
wide range of new powers. For example, authorities could apply for
new "production orders" with which they could compel disclosure of
tracking data such as cell phone usage and transmission data,
including telecommunications and Internet usage information.

Law enforcement maintains that these new powers are necessary to
ensure that Canada's legal framework rises to the challenges posed by
the Internet and emerging technologies. While additional powers may
be warranted, law enforcement has failed to marshal specific
evidence about how the current rules hamper criminal investigations
or prosecutions.

Moreover, should Canada establish new surveillance powers, the
effective protection of civil rights would depend upon matching
oversight. The most troubling aspect of the lawful access proposals
is that they take the opposite approach by increasing surveillance
but reducing oversight, thereby permitting police to obtain access to
personal information without any judicial involvement in certain
circumstances.

If lawful access presents the most immediate privacy threat, the
Privacy Commissioner's annual reports - one for each of Canada's
federal privacy laws - leave little doubt that this is only the tip
of a dangerous iceberg. The Commissioner's concerns include
inadequate statutory enforcement powers, the challenges created by
new technologies such as radio frequency identification devices
(RFIDs), and a cross-border trade environment that often results in
the transfer of personal information across borders with limited
accountability and oversight.

The Privacy Commissioner's insufficient enforcement powers include
both the Privacy Act, which governs the collection and use of
personal information by the federal government, and the Personal
Information Protection and Electronic Documents Act (PIPEDA), the
national private sector privacy law.

In each case, the Privacy Commissioner is limited to an ombuds role
that seeks to settle disputes through moral persuasion. Unlike many
of her provincial counterparts, the federal commissioner does not
possess order-making power, limiting the office to non-binding
findings that carry little weight in federal courts.

The Commissioner used the annual reports to send a clear signal that
the ombuds approach should be reconsidered, noting that "models in
several other jurisdictions, both in Canada and abroad, give the
overseer the tools to compel respect for the law. Parliament may wish
to review the merits of such powers for the Privacy Commissioner of
Canada."

New technologies also pose a significant challenge to the current
privacy framework. The Commissioner singles out RFIDs, tiny tracking
devices that use radio waves to read a serial number stored on a
microchip, as particularly problematic. While RFIDs have been
innocuously used for inventory management with containerized shipping
in the past, some retailers have recently begun experimenting with
them in consumer products such as razor blades in order to deter theft.

The Commissioner notes that the combination of the grain-of-rice
sized devices with advanced computer systems creates "enormous
economic incentives to introduce RFID technology." Since few
consumers are even aware of this new technology, there is an equally
enormous potential for the invasion of personal privacy.

The transborder flow of information is a longtime concern - experts
identified the issue as early as the 1960s - that has gained
increasing prominence with data outsourcing and the Internet. Last
year, British Columbia Privacy Commissioner David Loukidelis
conducted a much-discussed inquiry into the implications of the
transfer of provincial health information to the United States.

Critics feared that U.S. law enforcement authorities could use the
USA Patriot Act -- the statute enacted immediately after 9/11 -- to
access Canadians' personal health information without disclosure or
effective judicial oversight. The B.C. Commissioner agreed, leading
to new provincial legislation to safeguard cross-border disclosures.

Given the popularity of outsourcing, the B.C. experience may be
replicated at the national level. With limited protections in
PIPEDA, the Privacy Commissioner laments in the annual report that
"there is a loss of control over what a foreign jurisdiction might do
with that information and our Office has no oversight authority."

Given these challenges, it appears that Canada is facing a privacy
crisis that can only be resolved by instituting statutory reform that
creates adequate privacy safeguards. If the Prime Minister of Canada
is serious about prioritizing civil rights, then decisive action must
follow his strong words.

--
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa, Faculty of Law
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319 Fax: 613-562-5124
mgeist@xxxxxxxxx http://www.michaelgeist.ca