It seems to me – although I have no evidence of this – that the European view on privacy differs somewhat from the view in Canada, which in turn differs from the view in the U.S. I have the impression that people in Europe, especially in the U.K., are quite comfortable with the idea of CCTV cameras everywhere, and they may, for no apparent reason, be more trusting of governments. Canadians are often shocked at the extent to which the British, in particular, are okay with being observed by the authorities as they walk about town.
So I’ve been reading the hot-off-the-press Directive 2016/680 of the European Parliament with interest. The new directive is entitled a Directive "… on the protection of natural persons with regard to the processing of data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA."
That’s almost as long as Canada’s Anti-Spam Law (CASL) title, which is "An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act."
The most interesting parts of the new EU directive, at least to me, are the lengthy recitals, a few of which state:
- Data protection is a “fundamental right” of people. (When the Europeans say “data protection” they mean something different from “privacy” in the North American sense. The European concern is about the processing of data about people to learn things about them that are non-obvious. In North America, it seems that we have a vaguer notion about “privacy” that primarily revolves around the right to be left alone and not to be invaded, rather than around the right to ensure that there are no dossiers created about us. The term “fundamental right” is found in the E.U. Charter of Fundamental Rights and Freedoms.)
- Data protection is related to freedom, security and justice.
- Technology threatens the right to protection of personal data.
- But the free flow of personal data among authorities (whether European or otherwise) that are responsible for the criminal justice system should be encouraged, even while otherwise protecting personal data and enforcing that protection.
- Commercial entities that collect personal data for certain purposes that do not pertain to criminal justice should be permitted to re-purpose those data at the behest of actors in the criminal justice system, but subject to certain written requirements and constraints. (In other words, criminal justice players should be able to go to a bank and get information in the course of an investigation.)
- Spy agencies and national security agencies are not bound by this Directive. (That means that it’s okay for them to gather personal data, subject to their own mandates and constating regulations.)
- Anonymous information is not covered by this Directive.
- Public authorities (e.g., taxing authorities) that collect personal information are not to have their databases of personal information interlinked with those of the criminal justice system. Instead, requests for information should follow existing requirements of being in writing, authorized, and ad hoc.
- Genetics data are considered personal data and discrimination based on genetic features should in principle be prohibited. Health data is similarly protected.
- Collaboration between the E.U. and Interpol should be strengthened by promoting the exchange of personal information, but that exchange must be balanced against personal rights regarding the “automatic processing of personal data”.
- Processing of personal data must be lawful, fair and transparent, and only for the purposes laid down by law. However, this does not prevent the criminal justice system from carrying out covert investigations or video surveillance for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including keeping the public safe from threats, but always in accordance with the law. This is declared to be a necessary and proportionate measure in a democratic society, with due regard for the legitimate interests of the data subjects involved. The right of “fair data processing” is different from the right to a fair trial.
- People should be made aware of risks, rules, safeguards and rights in relation to the processing of their personal data and of how to exercise their rights in relation to the processing of their personal data.
- The purposes for which the personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data.
- The personal data processed should be adequate and relevant for the purposes. The collection of personal data must not be excessive and data must not be kept longer than necessary for the purposes.
- Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
- Personal data collected must be accurate. Incorrect personal data should not be knowingly shared.
- Criminal justice authorities may collect data that extends beyond the amount required for the direct purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, if they need to do so in order to understand the criminal activities or make links between criminal offences.
- Data collected about persons for the purposes of the administration of criminal justice should distinguish between who is a subject, who is accused, who is convicted, who is a victim, who is a witness, etc.
- Consent is not needed for the collection of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
- Data pertaining to race should not be used to support a theory that there are separate human races.
- People should be free from “automatic processing” that “profiles” them and they should have the right to challenge any profiling. “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. (Think about police “carding” in Canada when you think about this provision.)
- People should have the right to know who has collected personal data about them and the purposes of the collection, and the right to lodge a complaint and have the data expunged. If the data controller refuses, then the reasons for the refusal have to be disclosed.
There’s a lot more in the background statements that is extremely interesting, but the point is that they shed significant light on the differences in attitude between Canada and Europe when it comes to surveillance and personal information collection for the purposes of the administration of criminal justice. It is my view that the Europeans have given the matter a lot more thought than Canadians have. You need look no further than Bill C-51 (An Act to enact the Security of Canada Information Sharing Act and the Secure Air Travel Act, to amend the Criminal Code, the Canadian Security Intelligence Service Act and the Immigration and Refugee Protection Act and to make related and consequential amendments to other Acts) to understand that this is so.