Interview with Murray Long
July 2004
Terry McQuay, Nymity's President, interviews Murray Long
of PrivacyScan on
Canada's new Public Safety Act, 2002 and its impact on PIPEDA
and organizations subject to PIPEDA. Bill C-7, the Public
Safety Act, 2000, was passed on May 4 after its third reading
debate in the Senate.
Nymity: Murray, please provide the history on the Public Safety
Act and the reasons for the creation of this Act.
Long: The Act is one of the follow-up measures
to the Anti-Terrorism Act. It went through several iterations
and took a long time to get through Parliament, due to proroguing
and other issues. The Act is an omnibus bill that modifies
a number of other federal laws, especially to permit the government
to make interim orders where there is a perceived immediate
danger to the environment or to human life, health or safety.
Nymity: The Public Safety Act amends 21 different statutes.
Which of these amendments will impact private sector organizations?
Long: The Act is potentially quite pervasive.
For example, private companies in marine transportation or
the energy sector could be significantly affected if an interim
order is issued sealing a port or addressing the security
of energy supply. The Act also provides for the ability to
strengthen export restrictions on sensitive technologies,
which could affect businesses that currently export technologies
to some countries. One of the sectors that will be most affected
will be the airline industry, as the Act paves the way for
even tougher airport security and passenger screening measures.
Nymity: How does the Public Safety Act impact privacy rights
of Canadians?
Long: As mentioned above, a major area where
privacy rights will be impacted is in airline travel, where
amendments to the Aeronautics Act will require airlines and
operators of reservations systems to turn over something like
34 individual items of passenger information to government
officials, foreign governments, the RCMP and CSIS, including
how a ticket was paid for, who bought it, gaps in an itinerary
that would suggest ground travel, and many more items.
The other major impact – and one which is much more
open-ended – is the impact on PIPEDA.
Nymity: What were the amendments to PIPEDA?
Long: There are three amendments, all in
section 7 of the Act, which lays out the exceptions to consent.
The first is that organizations can now collect personal information
without an individual’s knowledge or consent where the
collection is for the purpose of making a subsequent disclosure
as required by law. Previously, organizations could disclose
personal information without consent where required by law,
but there was no such exception for collection. Consent had
to be obtained, except where the legal purposes had to do
with an investigation.
The second change is that PIPEDA now permits an organization
to collect new information about an individual where either
CSIS or the RCMP, the two agencies responsible for national
security, make a request for the collection and the data relates
to a national security interest.
The third change is that an organization can now also collect
new personal information, on its own recognizance, in the
same circumstances – i.e. wherever the organization
suspects the information might be relevant to national security
interests, and the organization intends to subsequently disclose
it either to a security agency or to an industry investigative
body.
Nymity: Any changes to provincial privacy Acts?
Long: Not directly. National security is
a federal responsibility and, in this domain, organizations
that are otherwise subject to provincial laws would still
be subject to PIPEDA. However, I have yet to see any legal
interpretations addressing this point.
Nymity: What has the Privacy Commissioner publicly stated
about these amendments?
Long: Before the bill became law, Ms. Stoddart
publicly expressed her concerns that the amendments to PIPEDA
dangerously “blur the line” between the private
sector and the State by enlisting the private sector to collect
information on behalf of security agencies.
Nymity: What are the issues with these amendments?
Long: I see three issues. Firstly, the amendment
concerning collection without consent for statutory purposes,
while making it more efficient for businesses to collect some
personal data, greatly erodes transparency. To present a very
practical example, if a person is buying a new car at a dealership
and previously had bought a car from a different dealership,
this change to PIPEDA would legally permit the second dealership
to call the first dealership and ask them to send over any
personal data that the motor vehicle registry requires, without
the customer even knowing about it. I hope this doesn’t
happen. If it does, to any extent, it will have the effect
of greatly reducing the citizen’s knowledge of exactly
what data the government does routinely collect and for what
purposes.
The other amendments are much more alarming. I do not think
it should be the business of commercial organizations to start
collecting new personal information about customers or employees
because they are suspicious that there may be a national security
interest. The key point here is that PIPEDA already permits
an organization to turn over any information it comes across
“in the course of its activities” that might be
useful to investigate any contravention of a law – including
the Anti-terrorism Act. With this new amendment, we’ve
moved into the realm of permitting a business to actively
collect new personal information that could lie outside the
bounds of normal business activities – in essence, it
permits businesses to spy on customers and employees.
Equally worrying is that CSIS or the RCMP could ask a business
to collect new data that these agencies themselves could not
directly collect. For example, where the RCMP would need a
court order to enter a business premises and search a customer’s
files or an employee’s desk or locker, they could ask
the business to do it for them, without any judicial authorization.
It is quite possible that this amendment will be used to conduct
searches at the request of security agencies that could potentially
violate Charter rights.
Nymity: What industries are impacted?
Long: This cuts across the entire marketplace
and potentially could affect customer or employee privacy
rights in all types of industries. The RCMP may have security
concerns about a hotel employee, a delivery van driver, even
someone working in a flower shop. But, I suspect the industries
most likely to be impacted are those with the capacity to
collect personal financial information, travel information,
and lifestyle information (remember the 9-11 terrorists who
worked out at the gym but only did upper body exercises).
Nymity: Does this amendment permit organizations to freely
collect information on their own accord, based on their own
suspicions, where the collection is for the subsequent disclosure
to a security and intelligence agency?
Long: This is exactly what one of the amendments
does. The disturbing aspect of this is that commercial organizations
should not be in the business of spying on behalf of the government
– and certainly not of their own accord and without
any guidance. No wonder former Supreme Court Justice Louise
Arbour and members of Canada’s Muslim community have
expressed their public alarm about how the national security
agenda is eroding human rights.
Nymity: Will government routinely collect personal information
from corporate Canada?
Long: There is only one instance where the
Public Safety Act is going to expand the routine collection
of personal information, and that is in the airline industry.
In other sectors, however, there is the potential for the
kind of covert collection of data that I have just talked
about.
Nymity: Are there any obligations on organizations to collect
new information on their customers and employees?
Long: The PIPEDA amendments do not oblige
organizations to collect any new information. Rather, they
permit them to do it voluntarily, on their own initiative
or if asked by a security agency.
Nymity: Can or should organizations inform their customers
of these collections?
Long: Doing so would defeat the purpose of
this type of information collection. But it is important to
note that, with these new amendments, businesses have entered
a new territory where the legal rules of behaviour are unclear.
For example, PIPEDA does provide very clear direction on how
to respond to an access request where personal information
has been disclosed to CSIS or the RCMP for a security investigation.
However, there is no comparable guidance on the circumstance
where the organization is collecting the information on its
own initiative and the individual seeks access to it. Also
what happens if the organization decides to abandon an investigation
because the individual stops dealing with the company, the
employee has quit, or the organization unilaterally decides
that the individual at question is not a security threat?
There is no guidance on these circumstances.
Nymity: Is there any impact on employers collecting or disclosing
employee's personal information?
Long: The right to collect data required
for mandated government purposes without knowledge or consent
has the potential to greatly upset the privacy balance. In
the past, the Office of the Privacy Commissioner has considered
some federally regulated employee complaints concerning new
security checks required by the federal government following
9-11. Even where it is recognized that consent is never freely
given in such circumstances, there has been at least the acknowledgement
by the Commissioner that consent was necessary. Now that requirement
for consent is gone. A business can now legally conduct a
government-mandated security check without employee knowledge
and consent.
Nymity: Will these changes to PIPEDA have any impact on
the outsourcing agreements or on firms that outsource to Canadian
companies?
Long: I think it is too early to tell. I
hope it has no impact and that businesses choose not to collect
information without consent for legal purposes. The information
required for legal purposes (outside of airline passenger
data), in my view, is likely to be quite constrained and,
in most cases, not linked to the kind of data collection and
processing normally outsourced to third parties.
The worst case scenario would be companies using already assembled
lists of SIN numbers or tombstone data required for a legal
purpose. There is always a risk that such data is erroneous
- a fact which strongly supports the continued collection
of such data with knowledge and consent in order to provide
individuals with an opportunity to verify the data.
Nymity: In closing, what recommendations do you have for corporations
in light of these changes? Should policies and practices be
amended?
Long: I encourage organizations to do three
things. First, when it comes to collecting new personal information
for the purposes of a legally required disclosure, businesses
should continue to explain the purpose and obtain consent
– unless a government regulation or the specific circumstances
dictate otherwise. Individuals should always, wherever possible,
know what information government is collecting about them
and how it will be used. This is a necessary condition to
the functioning of open and transparent government.
Secondly, businesses should never collect new personal information
relevant to national security on their own accord. If a business
thinks there is a legitimate security issue, the appropriate
authorities should be immediately informed and then they can
assess the threat and take the appropriate actions.
Finally, if a national security agency approaches a business
asking the business to collect new data about a customer or
employee, a court order should be the standard. This fully
protects the business from any future repercussions and helps
preserve Charter rights by imposing judicial oversight. Any
deviations in this approach should only ever be in situations
of immediate and apparent danger.