Statistics Canada – A failure of contextual integrity

It isn’t about whether Statistics Canada has a legal right to compel data about Canadians from financial institutions and credit reporting agencies. It isn’t about whether Statistics Canada has a good cybersecurity track record. It isn’t about whether the data will be appropriately anonymized. It is about Statistics Canada violating the contextual integrity of Canadians’ financial data. And that is a bigger problem for Statistics Canada in the long run.

In case you missed it, on October 26, 2018, Global News broke the story that Statistics Canada was requesting banking information of 500,000 Canadians without their knowledge. Global News then learned that Statistics Canada had “scooped up 15 years’ worth of credit rating information from Trans Union” in 2017 and 2018. Prime Minister Trudeau has attempted to defend the massive data sweep.

Even though Statistics Canada says that it was in communication with the Office of the Privacy Commissioner of Canada about the data collection, the OPC has now launched an investigation. Meanwhile, the Chief Statistician of Statistics Canada, Anil Arora, has downplayed concerns, saying “[w]e know there is going to be a segment of the population that no matter how much or what you ask or anything you ask will have concerns”. However, rather than examine whether those concerns stem from a violation of important norms, Mr. Arora concluded that it is only about use limitation, saying “we give them assurance that at the end of the day, their individual record will not be seen by anybody” — other than Statistics Canada, of course.

What we seem to be seeing is a textbook example of a failure of contextual integrity. Fourteen years ago, in “Privacy as Contextual Integrity”, Prof. Helen Nissenbaum proposed a theory of privacy as contextual integrity. In simple terms, she theorized that information exchanges are governed by norms — political, social and cultural expectations — about the appropriateness of information and about the flow or distribution of that information. A privacy violation is one in which contextual expectations (norms) of appropriateness or norms of flow have been breached — that is, contextual integrity for that information has been violated:

“a normative account of privacy in terms of contextual integrity asserts that a privacy violation has occurred when either contextual norms of appropriateness or norms of flow have been breached.”

Prof. Nissenbaum’s theory appears to be playing out in real time in Canada. It seems as though Statistics Canada failed to appreciate that compelling information from Canadian financial institutions without the knowledge of the affected individuals violates fundamental norms that Canadians have about their relationships with their financial institutions and their expectations about how governmental agencies will obtain information about them.

The obligation of banks to maintain the confidences of their clients runs deep in Canadian law. It is a black letter common law principle. But it is not just a legal obligation. Confidentiality permeates the cultural expectations that Canadians have about their relationships with their banking institutions. Law and social norms flow in the same direction on this point.

Canadians understand and expect that information about loans and credit cards will be shared with credit reporting agencies. It would not be shocking to Canadians to learn that transactions might be reported to FINTRAC as part of anti-money laundering efforts. Borrowing from Prof. Nissenbaum’s theory, sharing information among credit grantors through a credit reporting agency does not violate norms of appropriateness of the information or information flow. Same with sharing of information regarding suspicious transactions.

However, it seems from the current backlash that Canadians do not expect that the minute details of everyday banking transactions would be shared with third parties outside of the network of those transactions. The merchant may need to know. The bank certainly. But current political, social and cultural norms were violated by Statistics Canada deciding that the expedient way to collect data about Canadians was to conscript the financial institutions used by those Canadians.

As Statistics Canada has acknowledged, the cash-based economy has given way to credit, debit and other alternative payments systems – and Canadian banks are ultimately involved in those systems. A rich trove of data lies just beyond the reach of the statisticians. However, it might not be too extreme to say that the success of those systems rests on a fundamental norm: trust in the confidential flow of information about those transactions. Otherwise, one might imagine Canadians would turn to cash transactions for purchases of sensitive goods and services.

Another norm that appears to have been crossed by Statistics Canada is that Canadians expect to be told when information about them is being collected and used by the government. This should not be surprising. Indeed, this is, apparently, something the Office of the Privacy Commissioner of Canada already warned Statistics Canada about. The Office of the Privacy Commissioner noted in its annual report that it warned Statistics Canada about a lack of transparency.

“We have recommended the agency consider whether it could achieve the same objectives by collecting customer information that has been de-identified before it is disclosed to the agency. We also suggested it limit collection of administrative data to what is needed for the specified purposes, and that it evaluate the necessity and effectiveness of this work on an ongoing basis. To ensure transparency, we recommended StatCan let the Canadian public know how and why it is increasing its collection of data from administrative and other non-traditional sources.”

In a nutshell, what Statistics Canada seems to have tripped up on is that its activity violates social and cultural norms by conscripting financial institutions to collect data about their customers without the knowledge of those customers in a context in which those customers believe (not without reason) that they have a relationship of confidence.

In that context, the claims of anonymization and security won’t help Statistics Canada. Those issues are table-stakes. It is the appropriateness of the information and the information flow that is at stake. And, it is expectations about these issues that Statistics Canada needed to address. They could not be addressed in the shadows.

It is not just transparency for transparency’s sake. As Prof. Nissenbaum noted, social and cultural norms change over time. Statistics Canada is not a passive participant in those social and cultural norms and can change them through consultation and dialogue about what it is doing and how it is doing it. Admittedly, consultation and dialogue are time-consuming and uncertain.

For the rest of us watching, the larger point here is that Privacy Impact Assessments must address these contextual issues. The good news is that the “front-page of the newspaper test” is still a relevant consideration for any new initiative.


