Moving Towards a Global Regulation of Privacy: Proposals and Strategies

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the 31st International Conference of Data Protection and Privacy Commissioners

November 6, 2009
Madrid, Spain

Address by Jennifer Stoddart

(Check against delivery)


The reason we are discussing the global regulation of privacy today is not because we have a shortage of data protection legislation.  Indeed, countries around the world have adopted laws over the last 35 years.  The OECD Guidelines and the Council of Europe’s Convention 108 will soon “celebrate” their 30th birthdays.

We also have regulations; we have guidelines; we have fair information principles and we have binding corporate rules. 

Although all of these laws, guidelines and rules have much in common they also differ in the details – and that’s why we’re here today. 

We have differing views on even the most basic issue: What constitutes personal information?  We also have different rules about consent, and we have different approaches to openness and transparency. 

Although I am not convinced that the differences between our laws are as great as many people assume, it is probably unrealistic to expect that any one of these laws , on its own, could form the basis for a uniform global approach to protecting personal information.

The differences in our approaches would matter much less if personal data was still captured on paper and stored in filing cabinets or even if digital data was still measured in gigabytes.  And we wouldn’t have to worry about global standards or harmonizing our laws if this data would have the courtesy of staying within national boundaries.

However, we live in a world in which data is measured in terabytes and petabytes and global data flows have become multipoint and multidirectional. 

This “exaflood” of data is only going to increase as more individuals take advantage of information and communication technologies. 

Today there are roughly one and a half billion Internet users.  A billion new people are expected to go online in the next ten years with many of the new users coming from countries such as China, India and Brazil. 

The Internet Corporation for Assigned Names and Numbers (ICANN) is now proposing to allow Web users to create website domain names in non-Latin characters, a recognition of the growing importance of non-Western markets. 

When Internet Protocol version 6 is rolled out we will be able to assign IP addresses to everyday objects, potentially creating the “Internet of Things”. 

Everyday objects will be able to communicate with one another and also disclose information about their owners across borders.

So if we are rapidly moving to a world in which data flows are global and communication and information technologies are ubiquitous, does this means that we need a global privacy standard? 

The advantages are obvious: individuals would know that the same rules applied whether they were making an online purchase from a business based in Ireland, the United States or the Philippines.

They could feel confident that their personal information is protected regardless of whether it is being stored on a server in Bangalore, Palo Alto or Toronto. 

Businesses would only have to worry about one set of rules greatly simplifying the cost and complexity of complying with a myriad of laws.

So where do we start? One of the challenges we face is well illustrated by the program description for this session, which refers to intimacy, privacy, vié privée, riservatezza, informational privacy, autodeterminación informativa and the fundamental right to personal data protection.  As we know all too well, these terms do not always mean the same thing.

Before we can develop a global standard we would have to agree on what it is we want to protect.  Many of us are called Privacy Commissioners, but perhaps we should acknowledge that we are actually tasked with protecting personal information or data.

Then there is the difficult issue of whether we are protecting a human right, an administrative right or are we actually in the business of consumer protection.

We are in the business of enforcing laws; we do not make the laws.  We can advise our governments but any decisions about harmonizing our laws or adopting a legal binding international instrument would have to be made by our governments.

I don’t wish to be unduly pessimistic; however, we should be aware of the challenges of trying to develop a binding global standard or even adopting harmonized laws.

These challenges are not insurmountable. 

After all, even if those of us on this panel do not always describe our work in the same way, I am certain we would all agree that what we do is fundamentally important.

Our host, Commissioner Rallo, has made a promising start with the Joint Proposal for an International Standard.  I am pleased that my Office had the opportunity to participate in this important project. 

I was impressed with the broad range of interests represented at the two meetings and I was encouraged by the openness of the participants in the project to new approaches.  Reaching agreement on broad principles was a valuable first step. 

I would also like to commend Commissioner Rallo for putting together this panel – a reflection of the increasing global reach of the Conference.

It’s also noteworthy that the Conference has just accepted Israel, Monaco and Uruguay as accredited members.

I also hope that we will soon be welcoming the U.S. Federal Trade Commission as an accredited member of the Conference. 

The American approach to protecting personal information is different; at times, it is even difficult for our Office to understand all the nuances.  However, I am increasingly impressed with the way in which the U.S. model of sector specific legislation, regulation, and self-regulation serves to protect personal information. 

My Office – indeed all Canadians – have benefited from the FTC’s willingness to co-operate on enforcement issues.

Like my colleagues on this panel, I have a very keen interest in trying to encourage other countries to adopt effective measures to protect personal information. 

In our interconnected world we need to take a cooperative approach to protecting personal information.  If we want to find global solutions the Conference needs to reach out and be open about accepting authorities from all parts of the world even if they have an approach to data protection that differs from our own.

It seems to me that if we are to make progress towards a global solution on data protection, we will need to accept our differences and find a way to work around them. Success will only come if all of us are willing to compromise.

Date modified: