Transport Committee on Nov. 18th, 2010

Thank you very much, Mr. Chairman. I'm very happy to come before you today on this important question of use of personal information in airline security.

I'm accompanied by two people who have very relevant expertise. To my right is Carman Baggaley, a senior policy advisor who has worked for a long time in this area. To my left is Maître Daniel Caron, who is our legal counsel on this issue. I also have two other people accompanying me who have relative expertise in this area.

Honourable members, Bill C-42 is a very deceptively simple bill. It's certainly a short one. It only contains two sections and it does only one thing. It amends the Aeronautics Act to allow the operator of an aircraft that is scheduled to fly over a foreign state to provide certain personal information about the passengers on the flight to the foreign state when required to do so by the laws of the state.

Aviation security has always been important, but for reasons that we all understand it has become a priority in Canada and for countries around the world.

Since the terrorist attacks of 2001 and subsequent aviation-related incidents, we have witnessed the introduction in Canada of numerous aviation security measures, including the Public Safety Act, the implementation of the advanced passenger information passenger name record--recognized under the initials API/PNR program--and the passenger protect program, commonly called the Canadian no-fly list.

All of these measures give rise to privacy concerns. They have resulted in the creation of massive government databases, the use of secretive no-fly lists, the increased scrutiny of travellers and airport workers, and greater information-sharing with foreign governments.

However, the bill before you, Bill C-42, differs from the measures listed above in that it will not result in the introduction of any new domestic aviation security programs, nor will it involve the collection of additional personal information by Canadian government agencies. Rather, it will allow American or other authorities to collect personal information about travellers on flights to and from Canada that fly through American airspace. This in turn will allow American authorities to prevent individuals from flying to or from Canada.

Bill C-42 raises important sovereignty issues. We are not questioning the American government's authority to implement its secure flight program. International law is clear that a state's sovereignty extends to its airspace. However, the Canadian government has a duty to protect the privacy and civil rights of its citizens. Thus it's important that we understand how the secure flight program may affect Canadian travellers.

Before commenting specifically on Secure Flight, I would like to remind the committee that we have just had an exhaustive study of aviation security in Canada. The Major Inquiry into the Bombing of Air India Flight 182 devoted a whole volume to the subject.

The inquiry made two general recommendations that I think are germane to the subject: when selecting equipment and procedures for passenger screening, consideration should be given to individual rights, including privacy rights and the rights guaranteed under the Canadian Charter of Rights and Freedoms. Given the importance of the "no search, no fly" rule and the potential impact of security measures on individual rights, Transport Canada and the Office of the Privacy Commissioner of Canada should collaborate to devise tools and criteria to evaluate proposed security measures.

The Major Report also identified gaps or vulnerabilities in aviation security and it recommended that efforts to enhance security should focus on three areas: air cargo; airport security, particularly access to the airside and restricted areas of airports; and fixed base operations and general aviation—recreational and business aircraft that often operate in close proximity to major airports.

From our perspective it's noteworthy that the Major Inquiry did not recommend greater focus on passenger screening or collecting even more information about travellers. In fact, the report states that Canada's no-fly program has not proven to be effective.

With that context, I would like to highlight some of the significant aspects of Secure Flight, the American no-fly program. Air carriers, including Canadian carriers flying through American airspace, will be required to provide the Department of Homeland Security not only with basic identifying information—name, date of birth and gender—but also, "if available", additional information such as passport information and itinerary information. Since this information will always be available for international flights from Canada flying over the U.S. airspace, that full information will always be provided.

Although the Department of Homeland Security's Privacy Impact Assessment is somewhat unclear on this, our understanding is that information collected can be disclosed and used for purposes other than aviation security, such as law enforcement and immigration purposes.

DHS will retain this information for as long as seven days after the journey has been completed even for individuals who are not on the no-fly list. That period will be seven years for potential matches and 99 years for confirmed matches.

One important difference between the U.S. secure flight program and the Canadian program is that under the U.S. program the responsibility for checking passengers against the no-fly list rests with the Department of Homeland Security, not with the airlines as in Canada.

According to DHS, this will result in greater accuracy and therefore fewer false positives--for example, a similar name, but the wrong person. However, this means that DHS will collect personal information from Canadian travellers. The Canadian government attempted to have all Canadian overflights exempted from the secure flight program. It was unsuccessful, although overflights between two Canadian cities, like Montreal and Halifax, which may pass through American airspace, were exempted.

If Bill C-42 is passed, we believe the Canadian government has an important role to play in working with the American government and Canadian airlines to minimize the impact of the secure flight program.

These are our suggestions:

Ensure that the minimal amount of personal information is disclosed to American authorities. The secure flight program requires only three pieces of information. In particular, Transport Canada should work with the airlines to avoid excessive disclosures of personal information. On this point we note that the Aeronautics Act currently allows the Governor in Council to make regulations respecting the type or class of information that may be provided to the foreign state.

The government should also question the retention periods of seven days for no-match and seven years for potential matches. The U.S. is committed to collecting only personal information necessary for airline security.

The government should also negotiate robust and accessible redress mechanisms with the Department of Homeland Security for Canadians who are prevented from flying as a result of the secure flight program.

It should also make Canadians aware of the U.S. secure flight program and our passenger protect program to minimize the confusion that may result from the operation of the two programs.

These are my initial remarks.

Thank you for giving me the opportunity to make these observations on this legislation. I would be happy to attempt to answer any of your questions.

Yes. I understand that this can be specified under the Aeronautics Act. My understanding is that they would have to specify whether they want Canadian planes to continue to fly over airspace in harmony with what DHS is asking for.

They do. I'm simply recommending that the government take a position going forward that DHS attempt to shorten its retention periods of Canadians' information.

That is my understanding. Would you like to hear the details of how this applies?

Allow me to ask our legal counsel.

Effectively, the U.S. Privacy Act does not apply to visitors or aliens, so it would not apply to Canadians. However, with respect to the secure flight program, the Department of Homeland Security has stated that it will mesh together the personal information of foreigners and Americans. This would seem to allow the U.S. Privacy Act to apply to non-Americans.

However, the Department of Homeland Security has also issued a final rule exempting a number of provisions of the Privacy Act in the light of the secure flight program. This rule applies to U.S. citizens as well as to Canadian citizens on an overflight. So the short answer, for all intents and purposes, is that the U.S. Privacy Act would not apply.

Yes, certainly they are.

Well, I'm recommending that you follow up on my own recommendations about how the government can mitigate this. Obviously, the recommendation of whether or not you adopt this bill goes to other considerations, such as economics, travel patterns of Canadians, and so on. But we must put this also into the context of a world in which increasingly a lot of personal information will be given out in order to board an airplane, either to the airlines or, in the case now, to DHS.

I think this is a pattern that is going to become more acute as time goes on, with the European Union looking at these kinds of measures, and with Canada itself having its own requirements for people who fly into this country, in terms of personal information, and so on. So the decision whether to push back or not I think rests with this committee, and on a variety of issues, as I understand.

From a privacy point of view, if the bill were to pass, there's still a very dynamic stance that the Canadian government could take in relation to this.