It was announced in June 2012 that the United States would be allowed to share personal information about Canadians with other countries, under a wide-ranging and highly controversial border deal. The most worrisome provision of the perimeter security agreement places Canadians’ personal information at risk, since it allows US authorities to share sensitive data without permission.
Behind ‘Beyond the Border’
The perimeter security agreement, known as the Beyond the Border Plan, was first announced in December 2011. The plan focused on cross-border information sharing and involved several initiatives that could result in unprecedented cross-border information sharing.
On June 28, 2012, both countries announced that they were making good on key commitments under the Beyond the Border action plan, through their release of a joint Statement of Privacy Principles. These principles were said to “reflect the commitment of the United States and Canada to protecting privacy, and underscore the importance of information sharing to the security of both nations.”
Statement of Privacy Principles
The Statement of Privacy Principles fleshes out the provision, receipt and use of personal information that has been exchanged between the two nations. The Statement functions as a guide for all information sharing arrangements and initiatives described in the Beyond the Border Plan.
The Statement is made up of the following key ideas that further develop the Beyond the Border Action Plan:
- Recognizing greater information sharing between the two countries is vital to protecting the security of citizens.
- Recognizing that Canada and the US are committed to protecting privacy in all Beyond the Border arrangements and initiatives.
- Noting that implementation of these Principles may be tailored to the specific context of particular Beyond the Border arrangements and initiatives, but always in a manner consistent with the Principles.
- Recognizing that exceptions from principles may be required for law enforcement and national security purposes. These will be limited in number, made known to both Canada and the US and the public, and consistent with domestic law.
- Recognizing that personal information is to be provided, received and used only in accordance with domestic and international law applicable to the US and Canada.
According to Chantal Bernier, assistant privacy commissioner of Canada, “A newly published agreement on how information will be handled under the Canada-US security pact means personal details about Canadians could be sent to a country with a poor human rights record.”
Bernier went on to say that the principle on information sharing falls short of the standard recommended by the federal commission of inquiry charged with examining the Maher Arar torture case. She said, “We were hoping for greater control for Canada on the personal information it holds.”
While the Beyond the Border principles contain some fundamental building blocks of good privacy practices, these principles are ultimately non-binding. However, they include:
- The right to see and verify the personal information governments hold
- The right to seek correction or redress
- Safeguards to ensure that data doesn’t fall into the wrong hands
“Considering that privacy is a fundamental human right, one would expect that a statement of privacy principles would be binding,” Bernier pointed out. “So the fact that it’s not begs the question of the purpose of the statement.
One worrisome part of the Plan is that it proposes joint, integrated assessments about security threats and improved intelligence sharing between the two nations. There will also be significantly more comprehensive advance screening of travellers from third countries heading to North America, as well as a harmonized approach to screening cargo arriving from offshore locations.
The most controversial element of the perimeter security agreement is the proposed plan to exchange entry information collected from all persons at the border, thus serving as a record of exit from the other country. According to the principles of the agreement, either Canada or the US is permitted to transfer information received from the other to a third country.
This means that the US could send information received from Canada to an overseas capital. It’s important to note, however, that this is only possible if American law permits the exchange. This hypothetical transfer must also be carried out in accordance with the relevant international agreements and arrangements.
Such sharing of information is concerning to privacy rights advocates. Emily Gilbert, director of the University of Toronto’s Canadian studies program, asks, “When somebody is a person of interest in the United States, but is a Canadian, What does that mean? And then what does it mean if that information is then being sent to the European Union or somewhere else?”
Although the Beyond the Border privacy guidelines represent a good first step, it will still be necessary to clarify how the distinct constitutional and legal frameworks of the two countries can be maintained in this context of cross-border information sharing.
In June 2012, both US and Canadian officials released a 12-point Statement of Privacy Principles which will guide the Beyond the Border Action Plan, a proposal made December 2011 regarding perimeter security and cross-border information sharing. The Statement of Privacy Principles includes areas such as information sharing, data quality, information security, effective oversight and redress options for privacy infringements. The article also introduces further privacy concerns resulting from the Beyond the Border Plan.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Canada (CIPP/C) exam, a privacy professional should be comfortable with topics related to this post, including:
- Office of the federal privacy commissioner (I.A.c.i.1.a.)
- Privacy implications of service delivery models (III.B.f.)