Protecting Personal Information the Canadian Way

Remarks at the IAPP Privacy Summit 2009

Washington, D.C.
March 12, 2009

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

The Canadian approach to privacy is often said to be the middle ground between how privacy is done in Europe and here in the U.S.A.

Hopefully, this means that my relatively small country has some interesting ideas to offer on the major privacy challenges of the 21st Century, most of which are global in scope.

Being an effective guardian of privacy rights in Canada requires looking beyond our borders.

My Office focuses a great deal of energy on the need to address privacy issues on a cooperative global basis. To this end, we've been working closely with the OECD, APEC and a number of other international organizations.

At home, we're working to address the privacy challenges raised by international data flows by helping to ensure that businesses manage these data transfers in a way which respects Canadian law. We've just published new guidance on trans-border data flows which I think you will find interesting.

Canada is a hybrid legal culture. It draws heavily on British and French traditions in most legal areas. But it also owes a heavy debt to the influence and contemporary political developments in both the European Union and the United States.

Our quarter-century-old public sector law, the Privacy Act, applies to federal departments and agencies.

We also have private-sector legislation, which has been in full force for five years: the Personal Information Protection and Electronic Documents Act (PIPEDA).

Three provinces, Quebec, Alberta and British Columbia, have adopted their own private sector privacy laws which have been recognized as substantially similar to PIPEDA. A fourth province, Ontario, has legislation covering personal health information which has been deemed substantially similar.

The ground rules set out under PIPEDA focus on 10 principles of fair information practices which follow the OECD's principles.

This afternoon, I'd like to explain our middle-of-the-road approach to privacy in the private sector with my own Commissioner's Top 10 list of how Canada differs from the European and American models.

Let's start with the differences between Canada and the EU…

1. Canada… calls it privacy, not data protection.

Canada calls what I do protecting privacy rather than data protection. On this point, we got it wrong!

My Office is in the data protection business. We ensure that personal data is adequately protected while in the hands of federal government departments and many private-sector organizations.

The Privacy Commissioner is first of all an ombudsman who tries to resolve disputes through negotiation, mediation and conciliation. However, in the private sector, we can, and do, take cases to Federal Court every year when we fail to achieve our data protection goals in another way. The vast majority of cases are settled to our satisfaction and we rarely need to go to court.

2. Canada, in a business context, puts less emphasis on privacy as a human right.

In some cases, privacy clearly raises human rights issues, where this affects our liberty or freedom of thought, for example. But always viewing privacy as a fundamental human right may be counter-productive.

I am not convinced that it is useful to view privacy as a human right in a commercial context, where people may willingly give up personal information in order to obtain some benefit, say loyalty program rewards. (How many of us collected frequent flyer points on the way here?)

An emphasis on privacy as a human right is also not going to get us very far in terms of raising protections globally.

In much of the world, privacy is not viewed as a human rights issue, nor is it at the top of the human rights agenda.

A human rights emphasis may increase resistance to adopting privacy protections because it suggests privacy must always be viewed through this lens.

3. Canada… does not use terms such as data controller or data processing.

The province of Quebec adopted its own private sector legislation at the same time as the EU Directive was being finalized. Our most European province avoided these terms after concluding they are incompatible with North American business practices.

Thus we avoid the agonizing debates which go on in Europe about who is and is not a data controller.

In our federal law, we simply say the legislation applies to organizations engaged in commercial activities across the country, except in provinces that have their own private sector privacy laws.

A few provinces have enacted their own laws. Even in these provinces, PIPEDA can continue to apply to the federally regulated private sector (banks, transportation and telecommunications companies, for example) as well as to personal information in inter-provincial and international transactions.

4. Canada… has no requirement to register when collecting, using or disclosing personal information.

The architects of our private sector legislation adopted general principles (reliance on fair information practices, a right of access and correction, and supervision by a Privacy Commissioner with strong investigative powers) but not the more formal requirements such as registration of controllers and notification of processing.

Again, in Quebec, I am told the registration concept was initially raised for discussion, but the very negative reaction from both the business community and the bureaucrats who would have to administer the law put paid to that idea.

This suggests that it is possible to focus on common fundamental principles while recognizing that other parts of the total package may not reflect your own legal and cultural contexts or be suitable for your environment.

5. Canada… doesn't prohibit transfers of personal information for processing.

PIPEDA does not hinder our global economy. In fact, the legislation itself states that it is intended to support and promote electronic commerce by protecting personal information.

The global marketplace will be enhanced if consumers are confident that their personal information will be protected even after it travels beyond Canada's borders.

We are not saying it's a free-for-all. The law requires that personal information is protected, regardless of whether, or where, it is transferred. The onus is on you: if you're in Canada and transferring personal information, you need to ensure it is protected and treated up to Canadian standards.

Our Office recently developed guidelines on transborder data flows. We hope this information will help organizations develop a better understanding of PIPEDA's impact on these flows.

The guidelines are posted on my Office's website. Copies are also available at our booth in the exhibitors' area and here in the room.

6. Canada… doesn't judge whether other countries' laws are adequate.

In contrast to the EU's state-to-state approach, where the adequacy of another jurisdiction's data protection regime is assessed, Canada has opted for an organization-to-organization approach.

Under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement.

The organization needs to use contractual or other means to provide a level of protection comparable to PIPEDA while the information is being processed by a third party.

Comparable level of protection means that the third party processor must provide protection that can be compared with the level of protection the personal information would receive if it had not been transferred.

It does not mean that the protections must be identical across the board. It means they should be generally equivalent.

An organization will obviously consider factors such as cost savings, customer service and the availability of specialized expertise when considering whether to outsource out-of-country. It is also important to consider the political, economic and social landscape of the country in which the third-party processor operates. These are issues often raised by advocacy groups. The question for you is: Do any of those factors raise risks for the security of the personal information being transferred?

If an organization does decide to outsource processing, it must take all reasonable steps to protect the personal information from unauthorized uses and disclosures while it is in the hands of the third-party processor. It must be satisfied that the information is properly safeguarded at all times.

Finally, organizations need to be open with their customers when it comes to outsourcing to foreign jurisdictions. Tell people, in plain language, that their information may be processed in a foreign country and that it may be accessible to that jurisdiction's law enforcement and national security authorities.

My Office has investigated several cases related to trans-border data flows.

For example, we looked at the disclosure of Canadians' financial records by SWIFT (the Society for Worldwide Interbank Financial Telecommunication) in response to administrative subpoenas from the US Department of the Treasury.

We found that PIPEDA allows an organization such as SWIFT to abide by the laws of other countries in which it operates. However, we did note that there are more privacy-friendly ways for U.S. authorities to obtain information on financial transactions with a Canadian component.

I urged Canadian officials to try to persuade their U.S. counterparts to use Canadian anti-money laundering and anti-terrorism financing mechanisms instead of the subpoena route.

Let's shift now to compare Canadian and American approaches…

7. Canada… has a privacy commissioner.

Canada's Privacy Act, which has been in place since 1983, was largely inspired by the US Privacy Act. However, unlike in the U.S. system, Canada's legislation created the job of a Privacy Commissioner, an ombudsman who reports directly to Parliament and oversees the application of the Act.

8. Canada… does have omnibus private sector legislation.

We are fortunate that PIPEDA has a provision that encourages provinces to pass their own private sector legislation. Those provinces which have enacted their own legislation have adopted very similar approaches. We have therefore avoided the U.S. problem of competing federal and state laws.

We also work closely with our provincial counterparts in an effort to ensure we are taking common approaches in resolving complaints. Sometimes we conduct joint investigations, as we did in the TJX breach, for example.

9. Canada… does not have a data protection enforcement body that can impose financial penalties.

I do not have the power to impose fines on organizations. Unlike the U.S. Federal Trade Commission, I am not empowered to reach financial settlements.

However, if a company refuses to follow our recommendations, we go to Federal Court to seek an order forcing them to comply and provide for damages where appropriate. Not surprisingly, we've found that the possibility of court action is an extremely persuasive tool: virtually everyone complies with our recommendations.

I think we demonstrated in a case such as the massive breach at TJX that, through our investigations, we can effect changes which will mean personal information is better protected.

TJX complied with all of our recommendations on improving security, monitoring and other personal information management issues.

After we reported on our findings in September 2007, the U.S. Federal Trade Commission initiated a complaint against TJX that raised many of the same issues we had addressed in our findings. The FTC and TJX subsequently settled.

We recently worked with the FTC on a separate matter involving Accusearch, a U.S. company operating a website which advertised and sold confidential consumer telephone records to third parties without the consumers' knowledge or consent. This was against Canadian law.

The FTC invited us to participate in appellate proceedings initiated by Accusearch before the US Tenth Circuit Court of Appeals. Accusearch had appealed the decision of a federal judge which barred the operation of its website, Abika.com.

In the context of these appellate proceedings, we prepared and filed an amicus curiae brief outlining our Office's own experience with Accusearch and how Canadians were affected by Accusearch's actions.

Questions about smarter and more practical approaches to enforcement are being asked in different regional fora around the globe, notably APEC, APPA, and the OECD. My Office participates in these discussions to attempt to contribute to our common understanding of privacy principles and appropriate accountability standards in order to better protect individuals.

10. Canada… has a private sector law deemed adequate.

As you know, the EU doesn't currently view the United States as having an adequate level of protection, although the EU has approved the Safe Harbor framework.

Canada has managed to create a privacy regime which the European Union has recognized as providing adequate data protection.

We've captured some of the strengths of the EU Directive, but without what some have called the bureaucratic elements of the Directive.

In my opinion, we are not alone in striking this balance. Australia and New Zealand also have similar models, although, for reasons I do not fully understand, they have not been deemed adequate by the EU.

Future of Privacy in the U.S.

When President Obama travelled to Ottawa a few weeks ago, he received a heros welcome from ordinary Canadians.

In one poll I saw, an astonishing 86 per cent of Canadians believe Obama's presidency "brings hope for the future." As Privacy Commissioner, I am very hopeful that the new administration will look favourably on increasing the protections for personal information in the United States.

Admittedly, I say this with some self-interest: Canadians would obviously stand to benefit enormously from stronger privacy protection for consumers on this side of the border given our close political, cultural and economic ties with the U.S.

Perhaps the Canadian approach, because it's so flexible, would be an interesting model for the new administration to look at.

There are positive signs: on his first day in office, President Obama signaled his commitment to government transparency and accountability with an order to federal agencies to administer the Freedom of Information Act "with a clear presumption: in the face of doubt, openness prevails."

Future of Global Privacy Initiatives

Clearly, these are challenging times for privacy around the world. As we all know, technological advances and national security initiatives are creating an abundance of new risks for our privacy.

Despite all of these threats, we have, so far, not seen the emergence of global privacy standards.

If I may speak frankly, we have lost too much time over the last decade debating, in a not very positive way, whose approach is the best.

We're in the midst of a serious global economic crisis which may well have an impact on corporate privacy and security spending. Cybercrime has exploded.

We need to move faster.

Very few countries have adopted the whole European data protection package. In my opinion, this is due in large part to the challenge of disassociating the principles from the administrative structure.

We are beginning to see that there are limits to the extent to which the Directive can be exported as a model via the adequacy process.

The Directive may not be an appropriate model for emerging and smaller economies. We need to be open to other approaches without always asking how they compare to the Directive.

Achieving the goal of stronger global privacy protection cannot be done on a country by country basis. The only way to succeed is by working collectively on privacy and security issues.

We should be striving to achieve a basic level of protection around the globe. However, that does not mean we need to have a single global standard or one approach to protecting privacy.

All of us know that international discussions about how to best address an issue can sometimes be challenging. Countries take different approaches to privacy. We need to drop any "my law is better than your law" attitudes.

It's the outcome that matters far more than the approach, and determining how best to achieve good outcomes requires global dialogue.

I think we can take some comfort in the fact that we are seeing the emergence of a very useful global dialogue about how to protect personal information.

Consider:

  • The OECD is taking a big picture view of how privacy can be protected.
  • My Irish counterpart, the OECD and others are participating in the Galway project, which is considering the question of what it means for an organization to be accountable for the personal information it collects.
  • APEC is doing interesting work as it looks at the challenge of how to protect personal information in a region which is home to diverse cultures and economies of vastly different sizes and stages of development.
  • The Spanish commissioner has launched an initiative to look at global standards.
  • Meanwhile, the UK Commissioner commissioned a study that looks at the EU Directive.

There is a lot going on around the world. Many people have recognized that some fresh thinking is needed.

Canada as a Bridge

I've talked at length about Canada's middle ground approach to privacy. Hopefully it will offer some food for thought for the global discussions.

Canada has close cultural and economic ties with many different regions of the world. We belong to both the OECD and APEC. And we are also a proudly multicultural society.

This is to say that Canada is used to dealing with issues from very divergent perspectives.

This is a valuable skill when it comes to trying to address privacy challenges. As we know, perceptions of privacy and the best ways to protect it can vary dramatically.

Privacy is just one of those issues where an open perspective helps from the outset.