Privacy Protection in a World of Transborder Data Flows


Working Party on Information Security and Privacy
Organisation for Economic Co-operation and Development (OECD)

October 3, 2005
Paris, France

Paper submitted by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)


The Problem

The protection of privacy, like other public policy issues, is being transformed by globalization. The continued growth of multinational corporations; the proliferation of common technologies (the Internet, wireless communications, location technology, etc.); the recent emergence of international terrorism; and even the rise of transnational crimes such as money laundering and Internet scams are forcing privacy and data protection commissioners to confront a similar set of complex and seemingly intractable issues which arise from the continual flow of personal information around the globe.

To cite a few examples:

  • Governments throughout the world are looking at new ways to identify their citizens and visitors to fight terrorism, to combat fraud and to deliver services.  This has prompted governments to consider identity cards, enhanced passports and other travel documents and the use of biometrics in health cards, drivers’ licences and other entitlement documents.  These documents will leave data trails that may create risks in countries without adequate data protection.
  • Corporations and governments, in a drive to reduce costs and become more efficient, are outsourcing activities, including the processing of personal information of their customers and citizens. The phenomenon is not new, but the scale, speed and number of players having access to the data are unprecedented and show little sign of abating. This has led to legitimate concerns about the security and misuse of information being transferred to countries without data protection legislation.
  • New technologies and applications as diverse as search engines, radio frequency identification chips (RFIDs), voice over Internet protocol, web logging and wireless communications generate huge amounts of personal transactional information and create data trails that can survive long after the transaction or conversation has taken place. New requirements for data retention, with which we are all familiar, could ensure that much of this data will persist for years, split among various jurisdictions across the world.
  • The fight against terrorism and the related concerns about public safety have prompted governments to put individuals under unprecedented scrutiny.  Governments are demanding significant amounts of personal information about people entering their countries, developing assessment tools to detect suspicious patterns of travel and behaviour, creating watch lists, and sharing this information with other countries. This raises significant concerns about the ability of individuals to exercise their information rights in the countries they visit.

These trends are creating new and complex challenges for data protection commissioners and other organizations charged with overseeing privacy and data protection laws. Transborder data flows are increasing exponentially, whether for processing purposes, to facilitate e-commerce, for law enforcement and national security purposes or simply the result of people going about their daily lives.

Recent Canadian experience with transborder data flows

In Canada we have experienced several of these challenges. We have received complaints about businesses based in other countries that sell personal information about residents of Canada, including psychological profiles and searches of criminal records. Investigating businesses that have little or no physical presence in Canada is very difficult.

Concerns have arisen in Canada about the ability of American law enforcement agencies to obtain access to the personal information of Canadians being processed by American businesses under the authority of section 215 of the USA PATRIOT Act. My provincial colleague from British Columbia conducted a lengthy and exhaustive inquiry into this issue. He concluded that the FBI would be able to obtain a court order compelling a person subject to the court's jurisdiction to obtain records located outside the United States, but under the control of that person, and deliver them to American authorities in the United States.

Canada now requires air carriers arriving in Canada to provide the Canadian Border Services Agency (CBSA) with personal information about the passengers and crew members. Following negotiations with the European Commission, the Canadian government agreed to make changes to the program regarding the use and retention of the data. CBSA has also agreed to administratively extend to individuals who are not present in Canada certain rights under our Privacy Act. As a result of these commitments, the Article 29 Working Party issued an Opinion concluding that Canada provides an adequate level of protection with respect to the processing of the information transferred to CBSA.

I could have cited more examples, but these are sufficient to demonstrate the challenges that we face when dealing with privacy issues that involve transborder data flows and international law enforcement and anti-terrorism initiatives.

The common challenge

When personal information moves across borders individuals may lose some of their privacy rights such as the ability to request access and challenge the accuracy of the information. One of our concerns about information that flows to government agencies in the United States is that the US Privacy Act does not apply to foreign nationals, thereby depriving Canadians and the citizens of other countries of certain privacy protections—including access and redress rights—under American law. If data is held in Canada, my office can view the records even if they are held by law enforcement and national security, but that is no longer the case once the data crosses the border.

Data protection offices and other agencies are struggling with complaints and investigations that are triggered by the activities of organizations outside our borders. All too often, we are forced to tell the victims or the complainants that there is little that we can do to help them, for example, in response to complaints about spam.

Data protection commissioners are at a significant disadvantage in attempting to address these problems on their own. Once information leaves a country we may lose any hope of protecting the information or helping complainants. I am sure that many data commissioners and those in agencies with similar responsibilities have experienced similar frustrations.

This convergence of issues suggests that it is mutually advantageous for jurisdictions attempting to regulate data flows to share information and expertise in enforcing laws across borders. We need to work together to provide individuals with redress mechanisms and to pursue organizations that violate our privacy and data protection laws in the same way that national law enforcement agencies work together to fight crime or national security agencies cooperate to fight terrorism.

As a federation we have worked successfully with our provincial counterparts to protect the privacy rights of Canadians. We hold twice yearly Federal-Provincial-Territorial meetings. As circumstances dictate, Canadian commissioners coordinate their representation at international fora. For example, last January, the federal and the British Columbia Commissioners participated in a meeting on privacy law convened by the government of Mexico. We have developed Memoranda of Understanding with some provinces to better ensure a harmonized application of federal and provincial privacy laws and we have held joint training sessions. Earlier this year, the OPC published a study that analyzed jurisprudence in Québec, the first Canadian jurisdiction to have enacted a private sector data protection law. The result of this research has been published and has been shared with the Canadian legal community. We expect that this cooperative approach will continue to evolve and diversify as the privacy protection regime in Canada matures.

International precedents

We are beginning to see some promising developments in terms of cooperative efforts to promote privacy protection and compliance with fair information principles. The 21 members of the Asia-Pacific Economic Cooperation (APEC) group have approved a “Privacy Framework” and are now in the process of implementing the Framework.

As well as participating in the APEC process, Australia and New Zealand have established the PANZA (Privacy Agencies of New Zealand and Australia) group to pursue common interests.

In October 2004, Canada was one of the 27 countries that developed the London Action Plan that will promote international enforcement cooperation and address spam-related problems, such as online fraud, phishing, and the dissemination of viruses. The United Kingdom’s Information Commissioner has signed a Memorandum of Understanding with other relevant UK bodies and authorities in the United States and Australia to coordinate their anti-spam efforts. The International Telecommunications Union is also actively involved in combating spam and we will hear about the work of the OECD’s Spam Task Force tomorrow.

I have just come from the 27th Data Protection Commissioners Conference which was hosted by Switzerland this year and it was very gratifying to see the greatest number yet of delegates from around the world who had come together to discuss common problems.

The Article 29 Working Party is perhaps the most successful example of international cooperation and mutual assistance. As a country outside Europe, we have benefited significantly from the concerns expressed by the Working Party to our own government in a number of key areas. These concerns contributed to a stronger Canadian private sector data protection law and a more limited advanced passenger information/passenger name record (API/PNR) program. This model may be a useful one to look at as we address the complex problem of transborder data flows.

There are many promising developments, but we need to go further in developing mutual assistance arrangements and other mechanisms to share information and foster cooperation. While it is important to understand differences in national legislation, we should not let these differences overwhelm us. Rather than focus on differences in our laws or our powers we should focus on the common problems that we need to address.

The OECD Guidelines

One way to move forward is by looking back to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Two of the major challenges in dealing with the transborder flow of information relate to openness and accountability.

The OECD Openness principle states that “Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.” The Accountability principle requires that the data controller be accountable for complying with fair information principles set out in the Guidelines.

These principles may seem out of date in a world in which corporations can transfer personal information across borders with the click of a button, consumers calling a help line do not know if their calls are being answered by someone across town or in a distant continent and information service providers are creating vast databases of personal information.  Nevertheless, these principles raise fundamental questions: Who is accountable? Who is controlling the data? If the answer is “nobody”, that is not good enough.

The OECD Guidelines have perhaps been overshadowed by the introduction of national legislation and the emergence of data protection challenges that no one could envisage when the Guidelines were released 25 years ago. However, the principles that are set out in the Guidelines can still serve as a useful starting point in addressing the challenges of the 21st century.

We need to work together to ensure that organizations are open about their practices and policies. Individuals need to be able to find out how their information is being used, where it is being processed and how they can request access.

Suggested initiatives

The challenge of working together cooperatively may seem daunting; the alternative—dealing with these issues on our own—is even more daunting. We should build on the initiatives that already exist, such as the various efforts to combat spam, and identify other common problems that could be addressed through mutual cooperation and enforcement. I would like to conclude by suggesting a few areas where we might want to start our discussions:

  • Rights for non-citizens and non-residents: we need to develop a framework to ensure that citizens and residents of other countries can exercise their rights with respect to personal information held by organizations or government agencies in other countries.
  • Sharing of information: we should pursue multilateral or bilateral arrangements to share information about common problems that involve transborder data flows, including the results of investigations and possibly even evidence that could be used to pursue enforcement actions.
  • Audit or joint reviews: in the case of organizations that disclose or transfer personal information across borders we could investigate the possibility of joint audits or reviews to track information flows to determine what happens to the information and to assess whether it is being used and protected appropriately.
  • Security: we could collaborate together to develop guidance for organizations setting out what we expect in terms of industry standards for security practices.
  • Enforcement: we need to explore ways to recognize and enforce judgments and other enforcement actions issued in another jurisdiction.

I offer these ideas as suggestions to further discussion. I look forward to any suggestion you may have.
