1. This note constitutes the official record of the Committee's visit to Canada and the United States of America as part of the inquiry into surveillance and data collection.

CANADA

Department of Justice Canada and the Public Prosecution Service of Canada

2. The participants from the Department of Justice were Mr Stanley Cohen (Senior General Counsel, Human Rights Law Section); and Ms Sarah Geh and Mr Shawn Scromeda (Counsels, Human Rights Law Section). Mr George Dolhai (Acting Deputy Director of Public Prosecutions, Criminal Litigation and Organized Crime Branch) participated from the Public Prosecution Service of Canada.

3. The Canadian Charter of Rights and Freedoms—a bill of rights entrenched in the Canadian Constitution passed in 1982—supplemented the earlier Bill of Rights which had on occasion been described as 'toothless'. The Charter played an important role in protecting personal privacy (particularly in terms of surveillance) but the jurisprudence was still immature. There had been an 'ebb and flow' in the decisions of the courts and it is possible that, in future, they may not be as favourable towards privacy as previously. One key provision of the Charter was section 8. Although this section did not provide an explicit right to privacy—it is worded as a protection against "unreasonable search or seizure"—the jurisprudence of the courts had gone some way towards establishing such a right under this provision, as well as under the Charter's fundamental justice provision, section 7.

4. One of the responsibilities of the Department of Justice (DoJ) was to monitor developments in this field and to examine different government departments' proposals for data sharing provisions etc. DoJ lawyers provided advisory services to all government departments. These lawyers worked in the legal services of individual departments and at Justice Headquarters, and provided advice on government initiatives that may affect privacy interests. In addition, the Minister of Justice had a statutory responsibility to certify that legislation was compatible with the Charter of Rights.

5. The privacy commissioners (one at the federal level and one in each province and territory) played an important role in monitoring information sharing across government. In general, the commissioners were concerned about the growth of information sharing and the aggregation of ever greater amounts of data. There was also significant concern expressed by privacy commissioners about information sharing across national borders; for example, US companies processing Canadian data were subject to US law so it was not possible for the Canadian government or other bodies to guarantee the security of those data.

6. The interception of communications by state authorities was regarded as a very intrusive power which normally required judicial authorisation. The written application for judicial authorisation is put together with a great deal of care. It is made available in any subsequent court proceedings. It was for the courts to decide whether any parts of the intercept material itself should be redacted before being disclosed in the course of a prosecution. The Minister of Public Safety reports annually on the number of interceptions made.

7. Currently in Canada DNA samples were not collected upon arrest and indeed were taken only pursuant to a judicial warrant or from people convicted of certain crimes. The use of these powers was scrutinised by an advisory committee. Potential changes to DNA provisions were often a matter for public debate.

Mr Michael MacNeil, Director, Public Interest Advocacy Centre

8. The Public Interest Advocacy Centre (PIAC) was made up of various consumer groups, operated by holding consultations and making representations to the government and parliament on a variety of different subjects, including the privacy implications of legislative proposals.

9. Whilst the Charter did not articulate a specific right to privacy, section 8 (on search and seizure) was relatively well-developed in protecting privacy. Section 7 (on life, liberty and security of person) was less well-developed in this respect. In general, there was a tendency to use the Charter as a kind of 'touchstone' and the courts had said that it should inform the development of the common law. The Charter was useful because it set out a series of general privacy principles that could guide the legislative process. By contrast, specific statute such as the Privacy Act (which governed the public sector) was liable to become out-of-date and require regular amendment. Codes of conduct were probably less useful than legislation for protecting privacy because of inconsistencies in their application.

10. Turning to intercepts, the system of judicial oversight was thought to provide a greater measure of protection although this was hard to prove in practice. It was true to say that this system tended to encourage authorities seeking a warrant to make significant efforts to justify their proposed actions. The intercept material had to be disclosed once the suspect had been charged, subject to any redactions agreed to by the judge. Specially appointed representatives were able to view the redacted parts.

Roundtable Discussion at the University of Ottawa

11. The Committee held a roundtable discussion with the following people: Professor Ian Kerr (University of Ottawa); Professor Jane Bailey (University of Ottawa); Professor Valerie Steeves (University of Ottawa); Ms Stephanie Perrin (Service Canada); Ms Pippa Lawson (Canadian Internet Policy and Public Interest Clinic); Ms Heather Black (former Assistant Privacy Commissioner of Canada); and Mr Murray Long (Privacy Consultant, Murray Long and Associates).

12. In constructing the legislative framework in this area, it was important to have an overarching statement of principles setting out the importance of privacy to democratic society and providing the judiciary with appropriate language and concepts. An excellent example was Australia's privacy charter. In order to achieve this, the Canadian Charter needed to be clearer on what constitutes a 'reasonable expectation of privacy' and whether this should be understood in terms of a desirable norm rather than in terms of what people have actually come to expect, which is subject to decline. This presented problems, however, because such a concept was bound to be subjective and was likely to change (probably diminish) as technologies developed and became standard. The growing use of technologies such as radio frequency identification (RFID) and social networking sites were particularly significant in this regard. It was therefore necessary to think in advance about the acceptable uses of such technologies, including through the medium of a rigorous public policy debate, whilst also bearing in mind that certain data may yield more and different information in the future.

13. In Canada there were privacy commissioners at both federal and provincial level. The federal commissioner was an Officer of Parliament who reported to parliament annually, which provided a good opportunity to highlight the most pressing issues. However, there were very few effective sanctions available to the commissioners and there was widespread non-compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) which governed privacy in the private sector. Enforcement action did take place through the courts but this was very expensive. It was suggested that it should be made easier for private sector companies to be held to account and that the privacy commissioners should be given order-making powers. In addition, the privacy commissioners in the provinces needed greater resources if they were to engage proactively in investigations.

14. It was also necessary to tighten up the current Privacy Act (parliament was in the process of looking at it) which was weaker than PIPEDA. Unfortunately there was only sporadic interest in surveillance and data issues in parliament, although this partly reflected the fact that there was much less surveillance in Canada than in other countries such as the UK. The Committee on Access to Information, Privacy and Ethics did play an important role but tended to focus on headline-grabbing issues like ID theft, which was not a core data protection issue.

15. It was felt that public awareness of surveillance and data protection issues was episodic, partly because Canadian citizens tended to trust the government and its assertions that bringing in tighter privacy protections meant that government could not operate so effectively. There had been an outcry in 2000 when it emerged that the state held dossiers on every citizen (the Longitudinal Labour Force File), but the data sets had subsequently been decompiled and there were now more effective safeguards in place. Such episodes raised public awareness. Also, research showed that people do care about their privacy but express it differently in different contexts.

16. As for the private sector, people were generally content to provide their personal information in order to obtain store loyalty cards and so forth—indeed, this was often a highly rational process—but most of them did not necessarily consider the cumulative effect of handing over such data to a range of organisations. They did however show concern when organisations were perceived to be using data in an underhand or non-transparent manner. There was also a growing awareness that data could sometimes be used in ways which could result in discrimination against certain types of people.

17. There was further concern amongst those present about the leaching of information from the private sector to the public sector, particularly in the absence of statutory authorisation. For example, internet service providers (ISPs) shared information on child pornography with the police but these arrangements had never been validated by a transparent public policy decision and there seemed to be no 'reasonable expectation of privacy' with regard to ISPs. In this connection, there was also concern about the use of warrants to gain access to ISP records, and about the reversal of the presumption of innocence.

18. Similarly there was consternation about the flow of information (particularly health information) from the public sector to the private sector when public functions were outsourced. This was particularly worrying where foreign companies were involved. Indeed, British Columbia had amended the law so that companies holding health information have to be Canadian-controlled and all data processing must take place in Canada, in order to ensure that data are not exported abroad and then misused.

19. Turning to the issue of DNA, it was felt that the Canadian government would not be able to introduce the kind of extensive DNA database that existed in the UK because it would fall foul of the Charter and the wider privacy culture, and because of the likely cost to the taxpayer. However, the very limited database in Canada was growing through 'mission creep'.

Office of the Privacy Commissioner of Canada

20. The Office of the Privacy Commissioner of Canada was represented by Ms Jennifer Stoddart (Privacy Commissioner of Canada) and colleagues.

21. The Privacy Commissioner of Canada, an Officer of Parliament, reported directly to a parliamentary select committee rather than a minister and her budget was determined by an all-party review panel chaired by the Speaker of the House of Commons (so far, the panel had agreed to all budget requests from the Privacy Commissioner's Office). These arrangements reflected the importance of the post-holder being autonomous from the Government. Keeping abreast of technological changes was difficult but they did their best by employing two full-time technology experts to advise (it was also possible to commission external advice) and by having representation on other bodies within and outside Canada where questions of, for example, wireless technologies and CCTV were being considered.

22. Canada also had a federal Information Commissioner, who was entirely separate from the Privacy Commissioner except in budgetary terms. The two of them rarely had disagreements. It was not really important whether there were two separate commissioners (as in Canada) or one Information Commissioner fulfilling both functions (as in the UK); it was the powers and resources available to the commissioner(s) that mattered.

23. The Privacy Commissioner had been calling for reform of the Privacy Act, which was weaker and more out-of-date than PIPEDA, although this might be difficult to achieve while the government lacked a majority. PIPEDA had benefited from the history of its development, which involved making Canadian privacy protection 'adequate' in accordance with the EU Data Protection Directive. Under PIPEDA, private sector privacy disputes were increasingly being taken to the federal courts, and it would be desirable for a revised Privacy Act to make it easier to do the same in respect of the public sector. Government officials resisted strengthening the Privacy Act.

24. Reform of the Privacy Act should also cover Privacy Impact Assessments (PIAs). PIAs were currently 'encouraged' through funding mechanisms under the Treasury Board Directive, and the Privacy Commissioner was empowered to suggest changes to them which were usually accepted. However, it would be preferable for PIAs to be made a mandatory requirement and for them to be made more widely available to the public in order to inform dialogue. PIAs gave the Commissioner a window into how major government programmes worked and into proposals such as the enhanced drivers' licence scheme. It had taken a while before PIA requirements had been comprehended by agencies, and the Commissioner had developed systems for auditing and vetting agencies' PIA practices.

25. It would also be desirable for the Treasury Board definition of 'data matching' to be broadened so as to increase the inadequate scrutiny of government activity in this important area. For example, the courts had ruled that it had been permissible under the Privacy Act as currently drafted for the public not to be told that information obtained from landing cards was being matched with the employment insurance database to ensure that unemployed people were staying in Canada and looking for jobs.

26. Canadians tended to be instinctively opposed to the collection and use of DNA along the lines of a UK-style system. The Commissioner would be particularly concerned by practices of familial analysis and the sharing of DNA profiles with countries where the data would be inadequately protected. However, there had been a gradual increase in the use of DNA in Canada and the Royal Canadian Mounted Police had pointed to the UK as a model in this regard. The defence industry was also finding new uses for DNA. Developments in forensic science acted as a driver to DNA use.

Information Commissioner of Canada

27. The current Information Commissioner, Mr Robert Marleau, had previously been the Clerk of the House of Commons and subsequently the Interim Privacy Commissioner (IPC). Like the Privacy Commissioner, the Information Commissioner was an Officer of Parliament which reinforced his independence from government and his influence with parliament.

28. There had been an inquiry in 2005, conducted by a former Justice of the Supreme Court, Gérard La Forest, into the question of whether the roles of Privacy Commissioner and Information Commissioner should be merged (as in the UK). Both Mr Marleau and Jennifer Stoddart, the Privacy Commissioner, had opposed such a merger. The inquiry had also come out against a merger because, while there was not much interest outside Ottawa in access to information, there was a strong interest in privacy (especially in light of 9/11) so a full-time Privacy Commissioner was needed. There was also a tension between the principles of privacy and access to information—albeit a generally positive tension—so it was preferable to have two separate commissioners representing people's rights in each area. Both commissioners should share a mandate to educate the public.

29. Where privacy and public access were both involved in an issue, Mr Marleau thought that one should err on the side of privacy. In fact, there had only been one court case in 25 years in which the two conflicted, and public access had lost out. Since 2005, there had been a parliamentary committee on Access to Information, Privacy and Ethics. It was a useful committee, providing greater scrutiny of freedom of information and privacy protection issues. The committee was able to subject bills to pre-legislative scrutiny, although it had not yet done so. The Information Commissioner could give to the committee 'performance report cards' on government departments.

30. As IPC, Mr Marleau had faced two key issues: CCTV and ID cards. His predecessor, George Radwanski, had campaigned strongly against CCTV and brought a major case in British Columbia. However, the case was becoming very expensive and would probably have been lost on grounds of jurisdiction, so Mr Marleau decided to drop the action. He reached agreement with the police that guidelines on CCTV use should be formulated, and these were published in 2006. This informal, non-statutory approach was preferable to passing detailed legislation which might result in drawn-out court cases. Similarly, the large number of CCTV cameras in the UK would not necessarily be a problem provided that there were clear guidelines and policy statements, as well as maximum transparency.

31. Mr Marleau had taken a very firm stand against ID cards when he was IPC because there had been insufficient justification for introducing them. The issue had arisen again recently with enhanced drivers' licences which would, using radio-frequency identification (RFID) technology, speed up border crossings into the USA. Not only might this scheme be a first step towards a national identity card, there was also concern about sharing personal information with the USA (which could potentially turn that information into a commercial product) and about possible data mining.

Mr Larry Kearley, Vice-President, Canadian Access and Privacy Association (CAPA)

32. The Canadian Access and Privacy Association (CAPA) was a national non-profit organisation which aimed to promote knowledge and understanding of access and privacy laws and experiences in Canada. It dealt with both the three levels of government (federal, provincial, local) and the private sector.

33. The Canadian Charter and the European Convention on Human Rights had much in common. They were both quite vague, unlike the American Bill of Rights, but this allowed a measure of flexibility which enabled them to accommodate changes in society and so forth. However, it was noteworthy that neither document was specifically aimed at surveillance or data issues.

34. There were however significant differences between the UK and Canada in terms of levels of surveillance and data collection. For example, the UK was well-known as a CCTV society, whereas Canadians were very suspicious of surveillance cameras—perhaps because of the lower crime rates and risks of terrorism compared with the UK and the USA, although Canadians were concerned about crime and child pornography. In addition, it was significant that the UK had only one privacy/information commissioner for 60 million people, whereas the Canadians had numerous privacy and information commissioners for just 30 million people.

35. A potential danger facing all countries was the increase in cross-border information flows. There were particular dangers from outsourcing personal data to countries such as India, where privacy protections tended to be weaker. Moreover, many of these high-risk countries suffered from terrible poverty so the chances of identity theft were much higher than elsewhere.

36. The effective protection of privacy required a mixture of laws, codes of practice and privacy-enhancing technologies (PETs). Members of the public could use encryption and anonymity devices, but only a minority would be able to benefit from these unless they were built into software. Chief Privacy Officers could be useful but in the private sector they saw their primary role as protecting their companies rather than limiting the invasion of customers' privacy. Privacy Impact Assessments were also a good idea, but so far were used mainly in the private sector, and for risk assessment.

Madam Justice Rosalie Abella, Supreme Court of Canada

37. The Canadian Charter of Rights and Freedoms had had a very significant impact on the country's jurisprudence. The Charter contained both 'freedom from …' rights—similar to those contained in the US Bill of Rights—and equality rights, which had gained currency after the Second World War.

38. There had been a Bill of Rights (enacted in 1960) before the Charter, but judges had not generally been comfortable with the idea of enforcing rights and pronouncing on state-citizen relations. Once the Charter was enacted in 1982, the Supreme Court increasingly took up the concept of rights and in the 1990s encountered significant hostility from the media and the public over its attempts to uphold the rights of the accused and of gay people. In the current decade, the Court had perhaps retrenched from some of the more radical decisions of the 1990s. Crucially, it was possible for parliament, in extremis, to overrule the court's interpretation of the Charter.

39. Most significant privacy rulings of the Supreme Court had been concerned with criminal issues, although there had been a very important ruling establishing a woman's right to choose to have an abortion. A recent ruling on informational privacy in R. v Tessling [2004] had concerned airborne Forward Looking Infra-Red cameras (FLIRs) heat-sensor devices that could help to search for marijuana cultivation in buildings and whether the police needed a warrant to operate them. The lower courts had ruled that a warrant was needed, but the Supreme Court overturned that decision. An important issue was what constituted a 'reasonable expectation of privacy'. This should always be a contextual assessment because in certain circumstances—such as when you cross a national border—you inevitably have a reduced expectation of privacy. Indeed, the courts had upheld the idea that people have a reduced expectation of privacy in certain places. However, even with a contextual assessment the 'reasonable expectation' formula was ambiguous because of the different expectations of different kinds of people: for examples, whites, ethnic minorities or gay people.

40. The British courts had been robust in upholding citizens' rights, for example in the rulings on the detention of foreign terrorism suspects and control orders. It also appeared that privacy rights in the UK were increasing—the Naomi Campbell case being a prime example—but they were still not well-defined. However, it would not necessarily be advisable for a tort of privacy to be developed in the British courts.

Mr Ken Anderson, Assistant Commissioner (Privacy), Office of the Information and Privacy Commissioner of Ontario

41. In Ontario there was just one commissioner responsible for both information and privacy (Dr Ann Cavoukian), but she had two assistant commissioners—one dealing with information and the other with privacy. With 93 employees in total, the Office was very well staffed.

42. Whilst the Assistant Commissioner (Information) focused predominantly on tribunals, Mr Anderson spent 90 per cent of his time on advocacy and research. A key role of the Commissioner's Office was to influence politicians and police chiefs on privacy and access issues, for example through policy briefings, meetings and communications with the media. The Office also worked with interest groups and the Human Rights Commission. It aimed to gain leverage by working with players in various fields to make systematic changes; for example, the Office had worked with Facebook (a popular social networking website) to enhance privacy and online safety. At the international level, the Office had discussed with the USA's Department of Homeland Security matters such as the information held on passengers taking cross-border flights.

43. Privacy Impact Assessments (PIAs) could be useful but they varied widely in quality. It was not sufficient simply to produce a template PIA and leave it at that, because constant thought and improvement were required. In Ontario, PIAs were used extensively in the healthcare field—especially by large organisations—but should also be extended to other sectors. It was sometimes desirable to use PIAs to do a "snapshot" of existing policies; for example, this might be a good way of assessing the use of CCTV in the UK.

44. CCTV was not as popular in Canada as it was in the UK, although around 70 per cent of Canadians supported its use on public transport (a figure which tended to rise to 80 per cent or more if there had been a recent criminal incident). All privacy commissioners in Canada produced guidelines on the use of CCTV. The Office worked with the police to limit the collection of images. The latest suggestion for enhancing people's privacy was to encrypt images of people caught on CCTV (particularly where the camera's primary purpose was something other than crime prevention) in order to anonymise them. Images could subsequently be unencrypted where necessary, for example if a crime was committed.

45. In Canada, the rules governing the collection and retention of DNA samples were set out in the Criminal Code, which had the force of statute. The police were able to take DNA samples in certain specified circumstances, although generally they had to apply to the courts for a warrant. DNA samples could also be taken from volunteers, but there were no provisions in the Criminal Code governing retention in such circumstances. Canada had no equivalent of the UK's National DNA Database Ethics Committee.

UNITED STATES OF AMERICA

Mr Tom Oscherwitz, Vice President of Government Affairs and Chief Privacy Officer, IDAnalytics

46. IDAnalytics was a company that collected personal data in order to deliver accurate predictions of the likelihood of identity risk associated with applications for credit. Having collected the available data, the company processed them (through a series of complex computer programmes) to produce a 'score' which was given to clients; the data themselves were not shared with clients so there was minimal risk of data being misused.

47. The kind of assessments provided by IDAnalytics were needed because business nowadays operated in a more impersonal and less 'one-to-one' way than in the past. It was desirable for trusted parties to hold large amounts of data which could be used to provide a conclusion or summary to bank and other organisations, because this kept the data secure and removed the need for large amounts of information to be disseminated. In addition, holding data could help to protect people's privacy by preventing fraud and identity theft, which in itself was a social good. Data mining could also be beneficial, but it was important to avoid mission creep. It was difficult to determine where privacy protection ended and identity verification began.

48. The proliferation of chief privacy officers was a relatively new phenomenon. The role involved ensuring compliance with relevant laws and regulations and adherence to the company's or organisation's privacy policy. Chief privacy officers also served to provide an interface with members of the public over, for example, access to information requests.

Centre for Democracy and Technology

49. The participants from the Centre for Democracy and Technology (CDT) were: Mr Greg Nojeim (Senior Counsel and Director of CDT's Project on Freedom, Security and Technology); Mr Ari Schwartz (Vice President and Chief Operating Officer); and Professor Peter Swire (Policy Fellow).

50. In addition to the US Bill of Rights, the US Constitution provided an architecture of checks and balances that enabled any excesses by government departments to be discovered. There was nonetheless a need for the executive to exercise self-restraint when it came to the invasion of privacy, for example through the use of due diligence checklists which had the potential to cool the initial enthusiasm about a particular idea by highlighting possible problems and downsides. Privacy Impact Assessments (PIAs) were useful in this regard, because they were made public and therefore increased transparency and forced departments to answer concerns. However, if departments were determined to press ahead with particular schemes, it was unlikely that PIAs could make much difference.

51. The Clinton presidency, taking its lead from Canada and the private sector, had viewed PIAs as a best practice tool. Since 2002 they had been required in certain circumstances but they tended to be very variable in quality, and some amounted to little more than 'box-ticking' exercises. For example, the PIA of the new passport system had been only one page in length. However, as part of the reauthorisation of the E-Government Act, further consideration was being given to how PIAs ought to be conducted. The Office of Management and Budget (OMB) in the executive branch was drafting a 'best practice' manual on PIAs.

52. There were no privacy commissioners in the USA and, while it would be desirable to introduce them, it was in reality necessary to work with the existing bodies such as the Federal Trade Commission (FTC). The CDT sometimes took winnable cases to the FTC on issues such as spyware.[234] There was also a Privacy and Civil Liberties Oversight Board which was tasked with advising the President in the context of the fight against terrorism, although it had initially been seen as too close to the White House. The Board had now been re-modelled and was likely to be more independent, with its members having to be approved by the Senate, but it currently had neither members nor funding. It would probably not start operating until the next President took office.

53. The current administration, with its overwhelming focus on national security, was thought to have neglected the issue of personal privacy. In particular there had been widespread abuse of so-called National Security Letters (NSLs) which enabled the FBI, without obtaining a court order, to require a particular entity or organisation to hand over various records and data pertaining to individuals. It was particularly notable that NSLs could be used to obtain personal data from overseas that were held by American companies. Moreover, the FBI was entitled to forbid an organisation subject to an NSL from telling anyone about the demand. Congress had put in place an audit system which had picked up some of the abuses as well as ascertaining that NSLs had been used hundreds of thousands of times. The government had subsequently issued better-practice guidelines but it was not certain how far they were being followed.

54. There was a more general concern that the protections provided by the 4th Amendment (protection from unreasonable search and seizure) were getting progressively weaker. First, the government had undermined the principle that warrants were required for searches and seizures, often by classifying investigations as foreign intelligence gathering rather than regular law enforcement, thus bypassing traditional 4th Amendment protections. Second, the Supreme Court had become chary of the 4th Amendment and had made it less useful. Access to communications data was not covered by the Amendment because the 'search and seizure' pertained to internet service providers rather than individuals or their homes.

55. Another key concern was the REAL ID Act, which provided for homogenised federal driving licences. There was considerable opposition to this scheme from the states and the public because it federalised something that had been under state control. Moreover, it was easier for the federal government than state governments to share people's personal data, and federal law trumped any privacy requirements in state constitutions.

American Civil Liberties Union

56. The participants from the American Civil Liberties Union (ACLU) were: Mr Wes Macleod-Ball (Chief Legislative and Policy Counsel); Ms Michelle Richardson (Legislative Counsel); and Mr Jay Stanley (Public Education Director, Technology & Liberty Program).

57. Attitudes to privacy did not break down on political lines: just as many libertarian Republicans as Democrats were concerned about the erosion of privacy, so there was a great opportunity to make progress. Whilst national security remained a high priority amongst Americans, a growing number of them were becoming increasingly concerned about privacy issues although they did not always understand what happened to their data in terms of profiling and sharing. The ongoing challenge was to show people how they could be affected by certain initiatives—especially the PATRIOT Act and programs similar in means and ends to the now defunct Total Information Awareness (TIA) Program (such as the one that the NSA seems to be pursuing)—in practical, concrete ways. The ACLU strongly encouraged members of the public to put any concerns to their congressmen, which was often more effective than direct lobbying or litigation. The media also played a hugely important role.

58. It was essential that controversial legislation such as the PATRIOT Act should contain sunset clauses, because Congress was generally loath to revisit legislation unless they had to do so. It was perfectly possible for law enforcement agencies to adjust to changes in their powers.

59. The excessive collection of personal data by the government was thought to be a breach of privacy in itself, regardless of whether those data were subsequently used for malign purposes. There was particular concern about the REAL ID Act which was seen as a mechanism for introducing a de facto national identity card. Not only were the ACLU concerned about a potential shift towards a 'checkpoint society' where citizens have to show their papers or identification on a regular basis, they were also worried about the database behind the cards because the aggregation of data could be very problematic given the potential insecurity of the database. There was further concern about the private sector's realisation that collecting their customers' data could be commercially advantageous, particularly since the government could potentially seize or buy those data.

60. The collection and retention of DNA samples was another pressing issue in the USA. Almost all states required convicted felons to be on a DNA database, but a battle was now being fought over whether arrestees should also be added as in the UK. However, unlike in the UK, most states pursuing this path were also specifying that an arrestee's sample should be removed if he or she was not charged or convicted of an offence.

Roundtable Discussion at the Electronic Privacy Information Center

61. The Committee held a roundtable discussion at the Electronic Privacy Information Center.

62. The events of 9/11 had resulted in the prioritisation of national security, often at the expense of privacy and civil liberties. This went well beyond the USA PATRIOT Act which, although very important in itself, had assumed a symbolic importance and had been kept in the public eye by the need to renew the sunsetted provisions. But just as civil liberties were coming increasingly under threat in the name of national security, the Supreme Court had arguably moved away from protecting such liberties. This meant that advocacy groups had become more important than ever. Technology helped them to organise public campaigns quickly and effectively and they continued to be active on Capitol Hill and in the media.

63. The National Commission on Terrorist Attacks ('the 9/11 Commission') had emphasised that new security measures needed to be counter-balanced by oversight. Chief Privacy Officers were an important part of this oversight process and had made an effort to 'reach out', but they had to oversee a huge policy area—particularly Hugo Teufel in the Department of Homeland Security (DHS)—and were not genuinely independent (those in the DHS and the Department of Justice were political appointees). Moreover, PIAs were not as effective as they could be: the statutory requirements were minimal; they were only effective when the organisation in question was committed to them; they were sometimes conducted after the scheme in question had already been implemented; and the sheer volume of them often diluted the impact of even the most important ones.

64. There were big cultural differences between the USA and the UK in terms of public attitudes towards CCTV. After 9/11, there had been proposals to create a UK-style CCTV system in the USA but these had been met by serious concerns from both sides of the political spectrum. The biggest driver behind CCTV in Washington DC was crime rather than terrorism, and CCTV images were generally only viewed in the course of investigating a specific crime. There were more cameras in New York City, where Mayor Michael Bloomberg had proposed a security system similar to the 'ring of steel' around the City of London. It was notable that the Department of Homeland Security (like the Home Office in the UK) encouraged the installation of CCTV by offering funding to local councils.

65. There was a very real threat of 'ubiquitous surveillance' in the future, for example if CCTV cameras were linked into Google's 'Street View' product. Further threats were presented by potential technological developments which would, among other things, make CCTV cameras much harder to spot. The current legislation (e.g. the Video Voyeurism Protection Act 2004) and the common law provided inadequate protection against these threats. In light of this, and the fact that no challenges to CCTV had so far been made under the US Constitution, it was necessary to promulgate a set of principles governing the use of CCTV. The concept of a 'reasonable expectation of privacy' could be useful, but it could also lead to an inexorable spread of CCTV in high crime areas (because of lower resistance to CCTV amongst the local community) and the automation of policing.

66. It was possible that Congress would only be prompted to take action by a high-profile Supreme Court case, perhaps involving a celebrity. This reflected the fact that it was often necessary to have some 'trigger' event before the exertion of central control became acceptable to the public or palatable to politicians. It was also necessary for the civil rights community to engage with CCTV and related issues, moving on from the issues of the 20th century and confronting the new challenges presented by technology. Such an engagement with the issues would increase the pressure for action.

67. Public opinion in the USA was generally against identity cards. The REAL ID Act (see paragraph 55 above) had never been properly debated in Congress and there was now a considerable public backlash against it. Around 20 states had passed legislation opposing the Act and there was an ongoing stand-off between the states and the Department of Homeland Security. There was also a dispute about who should pay for the scheme. The main problem in many people's eyes was the database behind the identity documents. It would be preferable (and possible) to design a system whereby only the individual could 'unlock' information about themselves. This would avoid the dangers of having an enormous database and remove the temptations of 'function creep'. However, even revealing a name would enable law enforcement officials to conduct further searches, so it might be desirable to have a system whereby individuals could establish their entitlement to something but without revealing their identities.

68. The courts had upheld the DNA database on the basis that convicted felons have a lower expectation of privacy than others. However, law enforcement agencies were constantly pushing the boundaries; for example, the FBI had proposals on familial searches and partial matches (which could well fall foul of the courts) and there was a suggestion that some police forces had taken to following suspects in an attempt to obtain an item which might yield a DNA sample and thus link the suspect to the scene of a crime.

Office of Representative Jerry Nadler

69. In the absence of Representative Jerry Nadler, the Chairman of the House Judiciary Subcommittee on the Constitution, Civil Rights and Civil Liberties, the Committee met with his Chief of Staff, Mr David Lachmann, and his Legislative Counsel, Ms Carole Angel.

70. There had been many abuses of National Security Letters (NSLs) since the USA PATRIOT Act had been passed. A bill put forward by Representative Nadler would restore many of the pre-PATRIOT controls on the issuance of NSLs, but the administration was resisting the bill because it felt that the issue could be dealt with by means of administrative changes. The bill did not have the Republican support it needed to pass the House, partly because the law enforcement agencies had said that they felt that the proposed changes to the current regime would stop them doing their jobs properly. Nonetheless, there was considerable momentum behind the aims of the bill.

71. Chief Privacy Officers (CPOs) could be a valuable asset—indeed, the first CPO at the Department of Homeland Security, Nuala O'Connor Kelly, had been highly respected—but generally they lacked the degree of independence that CPOs across the world tended to have. It would therefore be desirable to bring in a new generation of more independent CPOs.

72. The REAL ID Act was a big issue at state and local level and there was in general a visceral public opposition to ID cards in the USA. Indeed, the federal government was offering grants to encourage reluctant states to implement the Act. There were also constitutional concerns regarding requirements placed on immigrants and visitors, and issues of due process. A recent US Supreme Court case on voters' ID had raised issues about impediments to voting and whether a requirement for ID was an impediment if the ID did not have to be paid for by the voter.

Federal Trade Commission

73. The Committee met with Commissioner Jon Leibowitz and colleagues.

74. The Safe Harbor arrangement provided a way for US companies to comply with the EU Data Protection Directive. So far, the Federal Trade Commission (FTC) had not dealt with any problems or complaints under the arrangements and, whilst they were by no means perfect, this was taken to be an indication of adequacy. Data flows across national boundaries were now very common and it would be desirable for different countries to agree common standards; however, this would be very difficult in practice.

75. The FTC could intervene if a US company holding data on UK citizens unlawfully shared or lost that data. However, if those data were demanded by a US law enforcement agency (for example through a National Security Letter) then the FTC was not empowered to do anything. Indeed, whilst the FTC liaised with government on a departmental or agency basis, it did not have any jurisdiction over other governmental organisations.

Department of Homeland Security

76. The participants from the Department of Homeland Security (DHS) were: Mr Hugo Teufel III, Chief Privacy Officer and Chief Freedom of Information Act Officer; Mr John Kropf, Deputy Chief Privacy Officer; and other members of staff.

77. Privacy Impact Assessments (PIAs) were required in certain circumstances under section 208 of the E-Government Act 2002, although the DHS also carried out some PIAs not required by statute (e.g. the PIA on full body imaging). The DHS PIAs were based on the eight 'fair information principles' which in some ways resembled the principles in the UK Data Protection Act. PIAs were useful because they forced the DHS to think very carefully about privacy and how to build in privacy safeguards. The system also had 'teeth' because, unlike in Canada, PIAs were linked to funding. It was important that PIAs should be made public so as to inform people—and perhaps give them confidence—about the government's activities.

78. A handful of government departments, including the DHS, had been required to employ Chief Privacy Officers (CPOs) since the 9/11 Commission reported. The different CPOs worked very closely together. CPOs were desirable because it was better to counsel and advise departments from the inside, rather than have an independent privacy officer (such as Richard Thomas) criticising from the outside. However, it was true to say that CPOs varied in their approaches depending on how seriously they were taken and how independent they were. It might be advisable for the United Kingdom to use departmental CPOs.

79. It was important to note that key decisions to invade individual privacy were taken by legislators, not by government agencies and their employees—it was up to Congress to scrutinise proposals and approve or disapprove them. The DHS talked informally to Congress and testified as part of the oversight process, but the CPO served the President and the Secretary of the Department of Homeland Security so would not express views to Congress that disagreed with the President's policies. However, he did see it as his responsibility to speak candidly within the DHS itself.

Mr Ken Mortensen, Acting Chief Privacy and Civil Liberties Officer, Department of Justice

80. It was important to have an officer focused on privacy issues—indeed, the job of the CPO was to protect the public from the Department of Justice (DoJ). Unlike the CPO in the DHS, the CPO in the DoJ oversaw civil liberties issues but not freedom of information. He was also more integrated into the rest of the department so tended to be present during the policy development phase, whereas the DHS CPO had an independent office.

81. The Office of Legal Counsel (OLC) within the DoJ consisted of lawyers tasked with determining the meaning of existing laws and setting out the ways in which the executive could or could not act. The courts paid heed to OLC opinions. Most government agencies also had a general counsel who was able to ask the OLC to clarify any points of legal uncertainty.

82. Until recently in the United States, it had only been possible to take DNA samples from convicted criminals, but law enforcement agencies were now permitted to take samples from arrestees for purposes of identification. The samples were to be kept for 100 years, as with fingerprints, and there was a possibility of a certain amount of 'function creep'. Fingerprints and basic biographical information could be shared across law enforcement agencies but there were severe restrictions on sharing with other bodies. There was a mechanism for data matching across states for criminal justice-related purposes as well as for some non-criminal justice purposes where access was possible (for example criminal record checks for employment).