Roundtable on Information Sharing between Private Enterprises and Law Enforcement and National Security Agencies
The University of Toronto’s Centre for Innovation Law and Policy (CILP) in conjunction with the Ontario Bar Association Constitutional, Civil Liberties and Human Rights Section hosted a roundtable discussion on the topic of customer information sharing between private enterprises and public bodies on March 27, 2008. The roundtable launched the CILP’s report, “Personal Information Protection in the Face of Crime and Terror: Information Sharing by Private Enterprises for National Security and Law Enforcement Purposes”. The report and the roundtable were made possible by a Contributions Program grant from the Office of the Privacy Commissioner of Canada. The report, researched and written by four law students supervised by CILP Executive Director Andrea Slane, explores the information sharing context and practices of four industries: telecommunications, retail, banking, and airlines. The concerns and recommendations discussed are set out below, followed by the agenda for the evening.
Additional Concerns and Recommendations Arising from the Roundtable Discussion
Scope of reasonable expectation of privacy: One concern raised by participants is the degree to which the scope of the reasonable expectation of privacy may be shrinking with the advent of new technologies. This observation is related to the findings in the report regarding the status of customer name and address information held by private enterprises, especially telecommunications service providers. It would be helpful to have more guidance from the Privacy Commissioner regarding the specific circumstances where the disclosure of customer name and address on request by law enforcement is appropriate. Dissatisfaction was expressed with the argument that there is no reasonable expectation of privacy in customer name and address information in all situations.
Scope of PIPEDA section 7(3) law enforcement disclosure consent exception: As discussed in greater detail in our report, there is general concern regarding the scope of the exception to the consent requirement for law enforcement and national security purposes set out in section 7(3) of PIPEDA. The additional concerns raised at the roundtable included a) clarification that PIPEDA is not an originating statute authorizing law enforcement to access customer information that they would not be otherwise entitled to; b) that PIPEDA would never authorize streaming data disclosure, but instead would require that consent exceptions be considered on a case-by-case basis; and c) that the discretion to disclose set out in section 7(3) is not unlimited, but is rather guided by the law as a whole – that is, that there is less discretion to disclose sensitive information unless there are exigent circumstances. With regard to the last concern, section 7(3) should be read in conjunction with section 5(3) of PIPEDA, which sets out that “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.” The Privacy Commissioner is encouraged to issue a guideline to this effect, which would subject the exercise of discretion to a “reasonableness” standard.
Adequacy of a consent-based regime to govern disclosure to law enforcement/national security services: A further concern was raised that PIPEDA’s consent-based regime is not appropriate to govern disclosure by private enterprises to law enforcement/national security services. The concern is that there is typically no meaningful choice involved when customers are confronted with the prospect of either consenting to such disclosure or forgoing doing business with a particular retailer or service provider.
Purpose of judicial authorization: Concerns were expressed about the lack of accountability that can result where law enforcement/national security services are interested in obtaining information, but not in using that information in court. Such information may be key to obtaining other information which will be used as evidence, but the non-evidentiary information is more likely to be the subject of informal requests from law enforcement, over which there is virtually no oversight. This form of information gathering by law enforcement is not typically subjected to Charter scrutiny. Therefore, front-end protections and limits were recommended, rather than reliance on review of such practices after the fact.
Transparency and mandatory information streaming regimes: Concerns were also expressed about the lack of transparency regarding mandatory information streaming regimes currently in place, such as the “no-fly” list, and a related lack of safeguards for dealing with mistaken conclusions drawn from such lists. The CCLA recommends that upon request an individual should be able to determine that they are on the list, the reasons for being put on the list, and the evidence upon which inclusion on the list was based, except in rare instances where there is an active and ongoing investigation. The process of independent adjudication of appeals to be removed from the list should further be enhanced.
AGENDA:
5:00 – 5:30 – presentation of an overview of the report
Aba Stevens - on the telecommunications industry
Tamir Israel - on the retail industry
Ali Mian - on the banking industry
Michelle Yau - on the airlines industry
Andrea Slane - review of recommendations
5:30 – 6:30 – presentations by invited speakers
Micheal Vonn (British Columbia Civil Liberties Association) spoke about the ongoing Lawful Access reform process and her organization’s privacy-based objections to the changes to the lawful access/wiretap regime sought by law enforcement;
Stephen McCammon (Information and Privacy Commissioner’s Office, Ontario) spoke about the IPC’s intervention in the appeal of the Cash Converters v. City of Oshawa case, which dealt with a municipal by-law requiring second-hand goods dealers to collect a significant amount of identifying information about every seller and to stream that information to a law enforcement database;
Morris Manning, Q.C. (prominent criminal lawyer) spoke about the difficulties involved in finding a proper balance between the privacy interests of the public and law enforcement/national security interests in the context of investigating money laundering;
Graeme Norton (Canadian Civil Liberties Association) spoke about the CCLA’s recommendations for reducing the privacy-threatening footprint of the Passenger Protect Program and other security-minded initiatives in the airlines industry.
6:30 – 7:00 – open discussion