Under information sharing legislation, the Canadian Customs and Revenue Agency (CCRA) can share certain information with other law enforcement agencies. Since the terrorist attacks in the United States on September 11, 2001, CCRA has proposed keeping information about travellers and then possibly sharing that information with other agencies.
            The proposal is controversial. What power does CCRA have to collect personal information about travellers? Who would provide that information to CCRA? What would CCRA do with that information and who would have access to it? And, most importantly, even if all those questions were answered, who would monitor CCRA to make sure they were complying with their stated objectives and guidelines?
 
Passenger Name Record (PNR) and Advance Passenger Information (API) Database
 
            The Canadian Customs and Revenue Agency (CCRA) proposed collecting information under two programs: the Passenger Name Record (PNR) and the Advance Passenger Information (API) program. The legislation authorizing CCRA to establish such programs was passed into law in 2002.
 
            Many privacy advocates are concerned about these new programs. Under the PNR and API, CCRA would receive information about travelers entering Canada from the all commercial and charter airlines. This information would be kept for up to six years and other law enforcement agencies would have access to the information through information sharing legislation. The transportation carriers are to turn over all information, including name, address, destination, travelling companions, and even dietary restrictions or health concerns.
 
            The former Privacy Commissioner George Radwanski opposed this initiative and voiced his objections in several letters written to National Revenue Minister Elinor Caplan. In April 2003, the Privacy Commissioner’s website published a letter from Minister Caplan stating that CCRA was going to introduce privacy guidelines to be used in association with the PNR and API programs. To date, there have been no legislative amendments, regulations or officially published guidelines issued from CCRA regarding this topic.
 
            According to the Privacy Commissioner’s website (http://www.privcom.gc.ca/media/nr-c/2003/02_05_b_030408_e.asp), CCRA will continue to receive the complete information from the airlines because they cannot edit the information. However, CCRA will immediately purge all health and dietary restrictions.
 
            For the first 72 hours, any custom and immigration officer, in accordance with his or her mandate, will use the information. There do not appear to be any additional restrictions on the use of the information in the first 72-hour period.
           
            Between 72 hours and two years, the information will be used only for “custom purposes,” with the name and other identification information removed. The identification information can be reattached if “the name is reasonably regarded as necessary for an investigation for custom purposes.” The information will still be shared “on the same basis with regulatory agencies for purposes related to the administration by Customs of their acts ore regulations at the border. It will also be shared with law enforcement authorities in the pursuit of offences at the border.” The information can also be shared with governments of other countries in order to prevent a “real or apprehended threat to the security or defence of Canada.”
 
During this time period, if other agencies, including the tax mandate of CCRA, must obtain a warrant to gain access to the information. However, where the information relates to a “customs offence, the CCRA will disclose it to law enforcement authorities of its own initiative.” To date, there is no additional information that would provide definitions or clarification for any of these terms and phrases used by the Minister and Mr. Radwanski on the Privacy Commissioner’s website.
 
            Between three and six years, the information can only be used by CCRA in connection with the national security of Canada, not all customs purposes. The information will continue to be depersonalized, however the Commissioner of CCRA can authorize the reattaching of identification information if the Commissioner has reason to believe that the information is “necessary to deal with a high-risk person.” During the period, information can only be shared with agencies and departments that have a “national security or defence mandate, where there are reasonable grounds to believe that the information relates to a real or apprehended threat.” Again, no additional information is currently available to define these terms.
 
            Mr. Radwanski hailed these comments from Minister Caplan’s letter as a huge step forward for privacy rights in Canada. He stated that his correspondence with the Minister had prompted these changes.
 
CCRA’s Proposed Changes not Clear
 
            Civil libertarians, such as the Canadian Civil Liberties Association, raised concerns when the legislation was first passed. In October 2002, CCLA wrote to Minister of National Revenue Elinor Caplan to voice some of its concerns. According to the letter, the initial “legislation was rushed through the House of Commons in the wake of” the terrorist attacks in the United States on September 11, 2001, “with virtually no scrutiny or debate from Parliament or the public.” From the beginning, CCLA was concerned about the substance of the law and stated: “Instead of focusing narrowly on certain types of personal information that might arguably be needed to serve some overriding security interests, these provisions operate more like a vacuum cleaner. They inhale a wide range of personal information into the bosom of the government where it sits ready to be exhaled for a wide range of governmental purposes.” The letter concluded by stating that “no department of the government of Canada should be entitled to commandeer such information simply on the basis that some of it might prove helpful in some way, on some occasion.”
 
The April 2003 announcements have done little to address most of these concerns. Despite the Federal Privacy Commissioner’s assurances, privacy activists have argued that Minister Caplan’s letter does not contain sufficient tangible safeguards.
 
            The Minister’s letter, as published on the Privacy Commissioner’s website, does not indicate how these changes will be enforced. Is there legislation that will be passed? Are the changes to be codified in regulations? Or is this merely an advisory opinion with no force of law? These are questions that need to be answered.
 
            In addition, there are many concerns that remain despite the Minister’s letter. For example, when the health and dietary information is purged from the files, what happens to that information? Can it be retrieved later? Also, the identification information supposedly will be removed, but it appears rather simple to reattach identification information later on. This leaves open the question of how separate will the information really be? Where will identification information be kept, and how secure will it be?
 
            The letter indicates that law enforcement agencies will only have access to the information if it falls within their mandates, but the mandates can be quite broad. The parameters of the mandates need to be clarified.
 
            Finally, a key concern is left unanswered. Privacy advocates often call for independent oversight of agencies with broad powers. It is unclear who will supervise CCRA in connection with API/PNR. Who will make sure identification information is in fact kept separate? Who will make sure that information is only turned over to the appropriate agencies in connection with proper mandates? Some privacy advocates have suggested that the Federal Privacy Commissioner’s mandate be expanded to encompass oversight of API/PNR. However, Minister Caplan’s letter does not address this issue.

Privacy Project Home

API-PNR | Cyber Snooping | National ID Cards
Spouse In The House | Strip Searches | Video Surveillance