Nurturing Civil Society

Emerging International Information Collection and Sharing Regimes: The Consequences for Canadian Charities

The International Journal
of Not-for-Profit Law

Volume 7, Issue 1, November 2004

By Terrance S. Carter, B.A., L.L.B., and Sean S. Carter*

Introduction

Information sharing and centralized databases of personal information are fundamental mechanisms of anti-terrorism initiatives worldwide. Such sharing and collection of information has exponentially increased in recent years, not only between domestic government agencies, but also between security agencies of different states. A manifestation of these data collection and sharing initiatives in Canada of interest to charities are the Advance Passenger Information/Passenger Name Record (“API”/”PNR”) programs, which have been gradually implemented since the fall of 2002. The API/PNR programs involve the Canadian Border Services Agency (“CBSA”) maintaining a database of airline passenger information that will be collected and subjected to ongoing analysis.[1] As part of the federal government’s anti-terrorism initiative, these programs were introduced under a purported concern for public safety and security, but they may have much broader implications. Charities with representatives who travel internationally need to be aware of the potential risks that the charity and the individual may consequently be subject to as a result of these programs.

Commentary

The API program, implemented by the CBSA in October 2002, is a database of basic information about passengers collected during the check-in process for air travel. The PNR program, which began its staged implementation during the summer of 2003, involves information concerning the individual traveler’s reservation and itinerary as recorded by the carrier’s reservation system, a travel agent or reservation system. The PNR collects the passenger’s full name, date of birth, gender, citizenship or nationality, and “any other information relating to the person in a reservation system.”[2] The PNR program is in its final stage of implementation, which involves the automated sharing of information with authorities in the United States, and began in the spring of 2004.

Information collected under the API/PNR programs is subject to ongoing intelligence analysis for not only present but “future threats” pertaining to anti-terrorism and to “security, public health and criminal activity.” This information will be kept for six years. Additionally, the information, which is stored in a central database, may be shared with other agencies or departments for non-customs purposes under certain circumstances. The CBSA has further indicated that these programs, which are currently limited to air travel, will ultimately be expanded to all modes of transportation. All Canadian API/PNR information on potentially “high-risk” persons will be shared with U.S. customs and immigration authorities, in accordance with a “Memorandum of Understanding” between Canada and the United States.[3]

Information sharing and collection initiatives, such as the API/PNR programs, stem from a collection of non-legislated bilateral security agreements with the United States, international conventions, and domestic legislation and regulations. This includes the “32 Point Smart Border Agreement,” which calls for increased coordination and information sharing between Canadian and U.S. police and intelligence services, and the aforementioned “Memorandum of Understanding.” Data collection initiatives like the API/PNR programs were given statutory and regulatory force in fulfilment of the bilateral security agreements.

One of the central pieces of legislation implementing the bilateral security agreements is the controversial Public Safety Act, 2002, S.C. 2004, c. 15, which received Royal Assent on May 7, 2004 (the “Public Safety Act”). The Public Safety Act contains provisions for the collection and sharing of personal information through the API/PNR programs between airlines, Canadian Security Intelligence Services, the Royal Canadian Mounted Police, and various government agencies, as well as with foreign governments, for purposes that extend beyond air safety and national security. The API/PNR programs have come under criticism from many fronts. The Privacy Commissioner of Canada, Jennifer Stoddart, and organizations such as the Canadian Bar Association (“CBA”) have openly raised concerns about this type of data collection system in Canada. In its submission on the Public Safety Act, the CBA said the Act “fails to find any appropriate balance between security and privacy and human rights.”[4] In a March 2004 submission to the Senate Standing Committee on Transport and Communications regarding the Public Safety Act, the Privacy Commissioner stated that “the legislation goes beyond fighting terrorism and enhancing transportation safety” and that would set a “very dangerous precedent.”[5]

Two further pieces of legislation were used to implement the initiatives of the bilateral security agreements: the Senate’s An Act to amend the Customs Act and to make related amendments to other Acts, S.C. 2001, c. 25 (“Bill S-23”), and the House of Common’s An Act to amend the Aeronautics Act, S.C. 2001, c. 38 (“Bill C-44”). Under Bill S-23, Canada Customs has access to all information in airline or travel agent reservation systems pertaining to travelers arriving in Canada, and can widely share the information. Bill C-44 authorizes Canadian air carriers to provide passenger information to authorities in foreign states. Canada’s commitment to these initiatives was clearly reiterated in Canada’s first “National Security Policy,” which was released in April 2004.[6] A new National Risk Assessment Centre (the “Centre”) was opened in Ottawa in January 2004 in order to implement the program. The Centre will receive all passenger information, analyze it, and share it with U.S. counterparts, with virtually no restrictions on what happens to information once it passes out of Canadian hands.[7] Concerns about the implications of the new regime of information sharing and collection, and what happens to information once it leaves Canada, were highlighted by the Maher Arar case and his deportation to Syria by the United States. The outcome and recommendations of the public inquiry into his deportation and the events surrounding it may play an important role in reforming the current information collection and sharing system.

Implications for Canadian Charities

The API/PNR programs should be of particular concern to directors, officers, employees, and volunteers of charities who travel internationally, especially to regions that may be considered ‘conflict zones’. An individual’s travel patterns may subject that person and the organization that he or she represents to an investigation as a potential ‘security threat’ under the API/PNR programs. This type of information may be considered in an investigation for the deregistration process of charities under the Charities Registration (Security Information) Act, as amended by the Anti-terrorism Act, S.C. 2001, c. 41, s. 6 (in force December 24, 2001).[8] Charities, their directors, officers, employees, and volunteers need to also be aware that not only may the information collected under the API/PNR programs be subject to ongoing scrutiny and investigation by various Canadian and U.S. authorities, but the information may also be shared with, or obtained by, other foreign security agencies.

Conclusion

It is difficult to speculate on what the long-term ramifications of this unprecedented information collection and sharing regime will be, largely because many of the details of its implementation and specifics of its operation are kept from public scrutiny in the interests of ‘national security.’ However, charities need to be particularly aware of these programs and the potential risks that both the organization and involved individuals may be subject to as a result.

The API/PNR programs are part of an emerging regime of comprehensive information awareness that have been introduced and justified as anti-terrorism initiatives, but have a much broader range of application and use. These types of information collection and sharing programs are not specific to Canada or even to North America; rather, they are an ever-emerging reality internationally. In May 2004, the United States and the European Union, after protracted discussions over many months, and despite ongoing opposition by the European Parliament and human rights groups, entered into a formal agreement to share information on all airline passengers crossing the Atlantic.[9] Such programs are substantial, widespread, and likely a permanent part of the foreseeable future. It is, therefore, essential to understand, as much as possible, the scope of information that is being collected, what is being done with it, and who has access to it, in order to protect individuals and organizations that the individuals represent. More information about the API/PNR programs is available from CBSA in the form of a fact sheet[10] and press releases.[11] Additional commentary on the API/PNR programs and fact sheets advising Canadians on protecting their personal information when it crosses borders is available from the Privacy Commissioner’s website.[12]

Notes

* Terrance S. Carter of Carter & Associates in Orangeville, Ontario, practices primarily in the area of charity and not-for-profit law, and is counsel to and affiliated with Fasken Martineau DuMoulin LLP. He is a member of Canada Revenue Agency’s Charity Advisory Committee, and has been recognized as one of the leading experts in the area of charity and not-for-profit law in Canada by Lexpert. He is also a frequent writer and speaker in the area of charity and not-for-profit law across Canada and internationally, as well as editor of www.charitylaw.ca, www.churchlaw.ca, and www.antiterrorism.ca. Sean S. Carter is in his final year at the University of Toronto, completing a joint specialist degree in Political Science and Philosophy, as well as a writing assistant with Carters.

[1] The CBSA integrates several key functions previously spread among three organizations: the Customs program from the Canada Customs and Revenue Agency, the Intelligence, Interdiction and Enforcement program from Citizenship and Immigration Canada, and the Import Inspection at Ports of Entry program from the Canadian Food Inspection Agency.

[2] “The CCRA: Protecting Canadians”, Press Release, (September 27, 2002), available at https://www.ccra-adrc.gc.ca/newsroom/releases/2002/sep/api-e.html (accessed June 12, 2003).

[3] “Smart Border Action Plan: Progress Report” available at https://www.cbsa-asfc.gc.ca/general/blue_print/compliance/report-e.html (accessed August 9, 2004).

[4] “Submission on Bill C-17 Public Safety Act 2002” available at https://www.cba.org/cba/pdf/c-17-eng.pdf (accessed August 11, 2004).

[5] “Senate Standing Committee on Transport and Communications Bill C-7, the Public Safety Act,2002”available at https://www.privcom.gc.ca/speech/2004/sp-d_040318_e.asp (accessed August 11, 2004).

[6] “Securing An Open Society: Canada’s National Security Policy” available at https://www.pco-bcp.gc.ca/docs/Publications/NatSecurnat/natsecurnat_e.pdf (accessed August 9, 2004).

[7] “Anti-terrorism and the Security Agenda: Impact on Rights, Freedoms and Democracy” available at https://www.antiterrorismlaw.ca/Public%20Forum%20-%20ICLMG.pdf (accessed August 12, 2004).

[8] For more information about the deregistration process and the evidence that may initiate or be used during the process, please see Charities and Compliance with Anti-Terrorism Legislation in Canada: The Shadow of the Law available at www.antiterrorismlaw.ca

[9] “EU in passenger data deal with US” BBC Online News, May 17, 2004, available at https://news.bbc.co.uk/1/hi/world/europe/3721625.stm (accessed: August 19, 2004).

[10] “Advance Passenger Name Record” Factsheet, July 2003, available at https://www.ccra-adrc.gc.ca/newsroom/factsheets/2003/july/july_api_pnr-e.html (accessed: November 11, 2003).

[11] “The CCRA: Protecting Canadians”, Press Release, (September 27, 2002), available at https://www.ccra-adrc.gc.ca/newsroom/releases/2002/sep/api-e.html (accessed: November 11, 2003) and “Advance Passenger Information/Passenger Name Record” available at https://www.cbsa-asfc.gc.ca/newsroom/factsheets/2004/0124passenger-e.html (accessed August 19, 2004).

[12] “Privacy Commissioner of Canada criticizes CCRA’s plans for “Big Brother” database”, available at https://www.privcom.gc.ca/media/nr-c/02_05_b_020926_2_e.asp (accessed: August 20, 2004), and “What Canadians Can Do to Protect Their Personal Information Transferred Across Borders” available at: https://www.privcom.gc.ca/fs-fi/02_05_d_23_e.asp (accessed: August 20, 2004).