Canada: British Columbia Privacy Commissioner Says No Drivers License Facial Recognition Searches for Law Enforcement Without Court Order
First some background:
From Wikipedia:
The 2011 Vancouver Stanley Cup riot was a public disturbance that broke out in the downtown core of Vancouver, British Columbia, Canada on Wednesday, June 15, 2011. The riots happened immediately after the conclusion of the Boston Bruins' win over the Vancouver Canucks in game seven of the Stanley Cup Finals, which won the Stanley Cup for Boston. At least 140 people were reported as injured during the incident, one critically; at least four people were stabbed, nine police officers were injured, and 101 people were arrested that night, with 16 further arrests following the event.
Dramatic Photos Here
Enter the Insurance Corporation of British Columbia (
ICBC), which administers the province's drivers license aparatus:
Insurance corporation offers to help ID rioters (CBC - June 18, 2011)
The Insurance Corporation of B.C. is offering Vancouver police the use of its facial recognition software to aid in the investigation into Wednesday night's riot.
Troubled by the ICBC's offer, the British Columbia privacy commissioner launched an investigation.
The Office of the Information and Privacy Commissioner (OIPC) is independent from government and monitors and enforces British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Information Protection Act (PIPA).
That's the background and the primary actors.
The BC privacy commissioner has now issued a press release of her findings:
ICBC cannot use facial recognition to identify Stanley Cup rioters without a court order, says B.C.’s Privacy Commissioner (OIPC Press Release - pdf)
The Insurance Corp. of British Columbia cannot use facial recognition to identify Stanley Cup rioters without a court order, B.C.'s privacy commissioner said in a report released Friday.
A passage of critical importance states:
Next, the commissioner reviewed ICBC’s offer to Vancouver Police, and found that using the database in this manner is not authorized under FIPPA.
“A public body can only use personal information for the original purpose it was collected, except in very limited circumstances. ICBC’s offer to use its database to check police-submitted images is clearly a different purpose,” said Denham.
The commissioner’s findings do not alter the power of police to request personal information from public bodies to assist in a specific investigation, or through the use of a subpoena, warrant or court order, as per section 33 of the act.
The part of the FIPPA law the privacy commissioner cites in support of her finding that the ICBC can't cooperate with the police without a court order actually says:
Section 33 - A public body may disclose personal information in its custody or under its control only as permitted under section 33.1,
33.2 or 33.3.
Section 33.2 A public body may disclose personal information referred to in section 33 inside Canada as follows:
Section 32.2(i) to a public body or a law enforcement agency in Canada to assist in a specific investigation
Section 32.2(i)(i) undertaken with a view to a law enforcement proceeding, or
Section 32.2(i)(ii) from which a law enforcement proceeding is likely to result;
To summarize, the law states that: A public body may disclose personal information inside Canada to a law enforcement agency in Canada to assist in a specific investigation undertaken with a view to a law enforcement proceeding, or from which a law enforcement proceeding is likely to result.
So, a public body can only use personal information for the original purpose it was collected, except in very limited circumstances; those circumstances are described in section 33 of the act which clearly permits the sharing of information with police (and, really, any other government official for nearly any reason; see for yourself), yet here is precisely where the OIPC "finds" that the ICBC is prevented from cooperating without a court order when the term "court order" is never used in either of the two acts that give the OIPC its power.
As stated earlier, the OIPC is independent from government and monitors and enforces British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Information Protection Act (PIPA).
The PIPA (
Sections 52 & 53) gives the OIPC the power to issue orders which are binding unless they are appealed within thirty days.
But the OIPC's
news release never asserts that the OIPC is ordering anything. The OIPC writes:
In a public report released today, Information and Privacy Commissioner Elizabeth Denham found that any use of ICBC’s facial recognition technology to identify criminal suspects requires a warrant or court order. [Emphasis mine].
Either of the bolded portions could have used the order/ordered terminology if that was what was intended by the British Columbia privacy commissioner, but they didn't.
So what exactly is going on here?
Is the OIPC ignoring its stated powers because issuing an order would lead to an appeal that the OIPC would, in the plain reading of the Act, be certain to lose?
Is the OIPC trying to take the position that if the police ask, the ICBC can co-operate, but that the ICBC can't preemptively offer help?
The OIPC's Summary of Recommendations in the document is rather telling.
1. ICBC should clearly notify customers that facial recognition technology is in use for the purposes of detecting and preventing driver’s licence fraud...
2. ICBC should immediately cease using their facial recognition database to identify persons in images provided by police, unless authorized by a subpoena, warrant or court order.
3. ICBC should establish accountability and leadership on privacy within the corporation, to ensure that privacy is taken into account in decision-making at the executive level.
4. ICBC should implement a privacy impact assessment policy, to set out when and how a privacy impact assessment is completed and reviewed. Technology projects should be reviewed at the conceptual, design AND implementation phases.
5. ICBC should develop a schedule for periodic review of its privacy policies. [Point 1 truncated, bold emphasis mine.]
If the OIPC believes that the ICBC is or was in violation of either the PIPA or FIPPA laws, doesn't it have a duty
to order the ICBC to comply with the two acts and be prepared to go to court over its stance?
Perhaps another portion of the FIPPA law has more bearing in this case.
Part 2 - Division 4 states:
Information must be disclosed if in the public interest [emph. in orig.]
25 (1) Whether or not a request for access is made, the head of a public body must, without delay, disclose to the public, to an affected group of people or to an applicant, information
(a) about a risk of significant harm to the environment or to the health or safety of the public or a group of people, or
(b) the disclosure of which is, for any other reason, clearly in the public interest. [emph. mine]
The ICBC would be expected to make the argument that informing the police of its capabilities to assist them in quelling riots is not prohibited by the FIPPA law, but rather it is
required by it.
