Canada’s Role and Influence in the Global Privacy Arena

Remarks at the AccessPrivacyHB Conference

June 3, 2011
Toronto, Ontario

Address by Chantal Bernier
Assistant Privacy Commissioner of Canada

(Check against delivery)


Introduction

I will address the topic in three parts:

  1. What is the influence of the OPC in the world of privacy
  2. Why does the OPC have such an influence
  3. How will the OPC maintain its influence

What is the influence of the OPC in the world of privacy

Among national data protection authorities, the Office of the Privacy Commissioner of Canada is viewed as a leader. This is apparent in the scope and the extent of our involvement on the world stage, be it under the auspices of international organizations or through informal channels.

It was quite striking particularly in Israel at the latest international conference of data protection authorities: our Commissioner was front and centre. She was on the opening panel of the OECD meeting, she was the moderator of the closing session of the international commissioners, and in the closed meetings of data protection authorities, she was sought after to lead joint work by the DPAs.

I will get to my analysis of the reasons why—besides her inherent qualities. But first, let me describe some of our international activities.

Let’s start with the OECD, where Commissioner Stoddart has the honour of leading a volunteer group that helped develop the 2007 recommendation on cross-border co-operation, and that is currently providing advice on the review of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

At APEC, she has played a leading role in the Privacy Sub-Group, and used her influence with her counterparts from Europe and APEC member countries to build bridges between various regulating authorities.

At the Organisation internationale de la francophonie, we play a key role within a sub-group of the Organisation, the Association francophone des autorités de protection des données personnelles, which also holds an annual conference, bringing together 26 other DPAs from Europe and Africa.

And this is key: it is a unique forum to reach third-world states which are only beginning to develop data protection regimes, realizing that it is a condition of their participation in international trade.

Because French is one of our official languages, and because we have such a robust privacy protection regime, we play a key role in that organisation, offering a model for going forward.

We are also involved in the Ibero-American Forum of Data Protection Authorities. After being engaged in an informal dialogue with our Mexican counterparts for several years, we were quite pleased to see the enactment of Mexico’s new federal data protection law last year.

When the launch of this new act was celebrated at the 8th Ibero-American Forum hosted by the Mexican DPA in September 2010, I had the honour of delivering the keynote address on behalf of the OPC.

The links between Canada and the Spanish-speaking world extend beyond Mexico. For instance, I had the honour of contributing to the Memorandum of Montevideo on the protection of children online, which was drafted by a team of experts from various Latin-American countries.

Again, I was pleased to accept an invitation to deliver a keynote address at the launch of the Memorandum a few months later in Mexico.

We have also been working with the ISO, we have recently hosted a Berlin Group meeting and we have a permanent representative on the Commission for the Control of INTERPOL’s Files.

I suppose you all know that we hosted the International Conference of Data Protection and Privacy Commissioners in 2007.

In addition, the OPC’s guidance on modern privacy law is sought by delegations from various countries—most recently from South Africa, China, Singapore and Japan.

And we use our international influence to concrete ends.

Besides the discussions we have behind the scenes where we influence the course of particular positions, we also use our influence to concrete ends: for example, last year we rallied our counterparts from nine other countries to co-sign a letter to Google regarding Buzz, the social networking service that was added to some Gmail users’ accounts without prior warning and suffered a glitch that exposed their personal information.

The OPC’s continued efforts on the global stage speak to the fact that in today’s world, where everything is linked to the overall information network, privacy becomes an international issue.

Some of our more publicised investigations clearly illustrated that fact: when we convinced Facebook to change its personal-information management practices, this made an enormous difference for all users, throughout the world.

The success of that particular venture confirmed to us that we should continue to seek better privacy protection in the online world, regardless of its borderless nature—perhaps even because of it.

As it happens, we are establishing ourselves as something of a centre of excellence when it comes to investigating privacy issues in the online world. We have established an in-house “tech lab”, run by a team of technology experts who are well versed in privacy and security. Our team has already hosted some colleagues from the Netherlands and the UK who were seeking a better understanding of how we established in-house expertise, and how we use it in the context of investigations.

Why does the OPC have such an influence

Our influence rests partly on the strength of our work—our groundbreaking investigation of Facebook being the turning point—and on fundamental characteristics that make Canada a natural bridge between continents.

I will highlight 5 characteristics that I believe are key to the OPC’s international influence and develop each one further:

  1. What The Economist called our “hybrid privacy regime;”
  2. Our bilingualism;
  3. Our bijuralism;
  4. Our multiculturalism;
  5. The independence of our national data protection authority.

Hybrid privacy regime

For those of you who read The Economist, I hope you shared our tremendous sense of pride when we were specifically mentioned in an article entitled “The clash of data civilisations”.

The article focussed on the differing legal regimes between Europe and America, and the impact of these differences in regulating privacy on the Internet. The article puts in contrast, on one hand, the European legal regime grounded in human rights law, with all the strength and rigour that it brings to privacy laws and regulations, and, on the other hand, the American legal regime which is grounded in the much more flexible and fragmented consumer protection regime.

The Canadian legal regime is described as a hybrid in that it does have one comprehensive legal regime that is both grounded in the fundamental right to privacy and in the more flexible framework of consumer protection. In fact, the article answers exactly the question we address today by stating that Canada’s

“hybrid privacy regime may explain why its data protection commissioner, Jennifer Stoddart has been so influential on the international stage.”

It has made us a bridge between the two continents.

Based on the success of this hybrid model, Mexico adopted a comparable one. This is, again, a sign of our influence and an indication that it will continue as we remain a model for the evolution of privacy law around the world.

Bijuralism

The second characteristic that makes us a bridge between continents is our bijuralism. I refer to the fact that Canada’s legal system stems from both common law and civil law.

This bijuralism allows us to bridge the gap between various jurisdictions, given that civil law is in use in Continental Europe, South America and a good part of Africa, and that common law is in use in the UK, the US, and parts of Africa and Asia.

This allows us to speak a common legal language with most of the world. In a 2006 speech, our Commissioner underlined the importance of Canadian bijuralism in these words: “Canadian bijuralism is more than just a topic of debate among jurists. It is also a reflection of the position of a nation that is open to several normative realities.” It is that openness that allows us to transpose domestic norms into international frameworks—in forums of civil law countries, of common law countries, or in forums that bring together both. The advantage is that we know where they all come from.

For example, when the Francophonie seeks to adapt the concept of accountability, which has been introduced in the international framework by common-law countries, we understand exactly how it does not quite fit a civil-law model, and we can offer a reconciliation of the civil law and common law concepts into an international norm. We can do so because we know both, and because, inside Canada, we have to do that reconciliation, or that transposition, all the time. Again, it gives us a unique sway in the development of international norms and positions.

Bilingualism

In addition to two legal systems, our mother countries of England and France also left behind two official languages. Because English and French are official languages, both the English and the French versions of our legislation have equal value, and the senior officials of the OPC must be bilingual.

As seasoned professionals, you know only too well the importance of relationships, of dialogue, of coffee-break talk where alliances are forged, ideas are shared freely, and friendships that materialize in concrete cooperation are developed.

Being able to speak to counterparts from most of continental Europe as well as from common-law states in their own language makes all the difference. In the Google Buzz joint initiative, which was firmly led by Jennifer Stoddart, one of our most prominent European counterparts told me that the nine countries joined in not only because of the merit of the case but because of their personal trust in our Commissioner.

Multiculturalism

I just described bilingualism as giving us a partnership advantage. Multiculturalism gives us the advantage of being much more nimble in international forums and therefore makes us natural brokers. Let me explain.

Because Canada has chosen the mosaic rather than the melting pot, we have preserved within our own borders the international dynamic of our respective countries of origin.

Contrary to certain countries where exists what some political scientists call an “imperative culture,” meaning the adherence to one set of customs, Canada has one set of meta-values, enshrined in the Canadian Charter of Rights and Freedoms, but that accommodates a diversity of specific values.

Canadians are used to dealing with what we call “hyphenated nationality,” meaning the preservation of the integrity of the culture of origin while integrating in Canadian culture. We speak of “Italo-Canadians;” we come up with shows like “Little Mosque on the Prairie;” the state funds Aboriginal and foreign-language courses to preserve the various languages of origin of Canadians.

The result is that we come to international forums with a nimbleness, an ease, that too many countries lack. We are used to working with a diversity of perspectives that do not only stem from personal opinion but from a whole system of values. It means we understand the relativity of views, rather than think in absolutes—and therefore are capable of moving to new frameworks, different from the ones we are used to. And that is the inherent outcome of international cooperation.

Multiculturalism is much more than just a rich cultural heritage; it is at the core of our ability to be influencers, mediators, and bridge-builders.

Independence

The fifth and final driver of Canada’s influence in the world of privacy is the fact that we have a national data protection authority that is accountable to the whole of Parliament, independent from the political direction of the government of the day.

Our right to privacy is guaranteed by federal law, and the enforcement of our federal privacy law is centralized in one single entity, the Office of the Privacy Commissioner of Canada.

And furthermore, the OPC is not accountable to the government of the day through a cabinet minister. As an Agent of Parliament, the OPC is accountable to the institution of Parliament, the ultimate guardian of our fundamental values.

Official Languages Commissioner Graham Fraser recently described Agents of Parliament as “the guardians of values that transcend the political objectives and partisan debates of the day.” This is a role that we take on with great reverence.

And that is what allows us the freedom to blaze a trail in the advancement of privacy law as its context evolves rapidly and forcefully.

How will the OPC maintain its influence

So on the basis of these five main strengths, how will we maintain our influence on the global privacy stage?

  1. In relation to our independence, we will maximize the use of our existing powers by exercising them in a manner that is better suited to the present conjuncture—that means, more forcefully, as privacy is threatened more acutely;
  2. In relation to the tight partnerships we have been able to forge, we will make good use of the new powers that were recently granted to us through the anti-spam legislation;
  3. And to meet the standards of foreign data protection authorities, we will seek new powers through the mandatory PIPEDA review process.

Let me expand on each point, starting with a more assertive exercise of our existing powers.

New use of existing powers

As you know, we have always applied an approach of compliance through partnership. The establishment of the Toronto Office and the excellent work that Robin Gould-Soil has done is the most concrete illustration of that approach. We definitely remain committed to it.

We have, however, met increasingly frustrating compliance challenges. We are concerned about practices that suggest some level of disregard for privacy in the private sector. And we are also concerned about the magnitude and pace of recent breaches, highlighting the new vulnerability of personal information. On the basis of these two observations, we have decided to exercise some of our existing powers more forcefully.

The first I will mention is our ability to name respondents in the public interest. As the Commissioner has stated many times in the last few months, the honeymoon is over. Businesses have now had 10 years to develop the mechanisms necessary to comply with PIPEDA; we have issued 10 years of findings that spell out our interpretation of the Act, and our interpretation has largely prevailed. Hence, we feel our expectations for compliance can justifiably increase.

Moreover, the advent of information technology increases the impact of violations of privacy to such an extent that the threshold of public interest is easily met.

So to reflect our increased expectations and the reality of increased vulnerability of personal information, you will see that a rigorous interpretation of section 20(2) of PIPEDA will necessarily lead to more businesses being named.

For example, in our annual report on PIPEDA for 2010, to be tabled in a few weeks, you will see that four large organizations are being named. As you know, I am not at liberty to name them today since the report must go to Parliament first, but I can say this: I am confident that you will see the public interest in naming either one, because in each case, the organisation’s practices jeopardize sensitive information of a large number of people.

There is significant public interest in the creation of a marketplace where organizations are accountable for their privacy practices and where individuals understand the privacy implications of their choices.

That being said, I need to reiterate our commitment to a “rigorous” interpretation of s. 20(2)—it follows that a company that has a good record of protecting privacy, that shows to have taken all necessary measures to comply, but experiences a lapse of limited consequences, would not be named.

In the same spirit of openness and transparency, we will also, from now on, post not only summaries of our findings but the entire findings, with proper anonymization where there is no public interest to name. We are introducing that change on the basis of the recommendations from a privacy professional who impressed upon us that our case summaries simply did not reveal enough of our reasoning to properly inform the privacy community of our interpretation of the law.

Still, I must insist that where there is no decision to name, the posted letter of findings will be carefully anonymized to remove any possible identifier of the complainant or the respondent.

A third new development in the exercise of our existing powers is to adopt the practice of asking organizations to file independent, third-party audits attesting to the fact that they have indeed lived up to their commitments and have complied with our recommendations—not unlike the request recently made to Google by the FTC.

One example, in fact, is our final decision in Google Wi-Fi, which was issued last week and will be announced next week. Let me give you a preview:

  • Our final report confirms our preliminary findings: Google simply did not have the necessary controls in place to exercise due diligence in relation to protecting personal information;
  • Our investigation showed that a Google engineer developed a code to locate Wi‑Fi access points that was included in the Street View program—without ever checking whether it could actually pick up payload data;
  • Apparently the engineer considered that the possible privacy implications were superficial, the file never went to a Product Counsel and no one checked;
  • The issue was clearly a governance issue, a lack of proper controls that is disconcerting, frankly, when you consider the size and means of Google, the amount of personal information it collects and the nature of the program being rolled out.

To me, this speaks of an improper balance between innovation and privacy protection, if not flippancy in protecting privacy while innovating in the use of technology.

That concern is what fuels our increased assertiveness. We have asked that Google produce, within a year, an “independent, third-party audit” to confirm that all our recommendations have been implemented. Failing that, we reserve the right to exercise the full extent of our powers.

Until now, we have been taking organizations at their word when they promise to undertake certain corrective measures to bring them into compliance with the law. Asking these organizations to actively demonstrate that they are following through on their commitments and complying with privacy legislation—on their own time and their own dime—is consistent with the international focus on the concept of demonstrating accountability.

Good use of new powers

Let me now move to the use of our new powers, building on our strengths as natural brokers and bridge-builders between continents.

We have recently obtained new discretionary powers and information-sharing powers. These were conferred to us under the terms of Canada’s new anti-spam legislation, but they can—and will—be applied to all our work under PIPEDA.

Most relevant to a discussion on Canada’s role and influence on the global stage, the Commissioner has been granted the power to share information with international counterparts in the course of investigations.

The Commissioner has also been granted new discretionary powers, which she intends to use in order to concentrate our investigative resources on systemic issues of broad public importance, some of which are largely invisible to Canadians while nonetheless having a significant global reach.

I’m speaking, for example, of how personal information is increasingly treated as a commodity, for sale to the highest bidder, as well as the role data analytics plays in this context.

I am also referring to the fact that breaches or violations of the Act transcend borders—take Epsilon, Sony or the allegations against Apple. Naturally, we will work closely with our counterparts, as appropriate, and we have developed a Memorandum of Understanding to cooperate in investigations that involve more than one country.

Seeking additional powers

For the future, we are looking forward to new amendments to PIPEDA. Again, realizing that businesses have had 10 years to develop the proper privacy safeguards to meet the requirements of the Act, and to reflect the fact that the privacy landscape is changing in terms of the impact and nature of privacy violations, we need to modernize the tools provided by the Act to ensure compliance.

We are reflecting on the amendments that we feel would further strengthen PIPEDA in light of the lessons we have learned from 10 years of enforcement, but also in light of what we see on the horizon—including issues with a global reach.

Among the measures we feel would strengthen privacy protection in Canada are mandatory breach notification and monetary penalties.

As you know, notifying our Office of personal data breaches is strongly encouraged, but not mandatory. We hear that organizations who have reported data breaches to us feel their experience with our office was positive.

However, some of the most spectacular breaches, such as those we have seen this spring, are not always reported promptly to the OPC, if at all.

These types of breaches, which put at risk the personal and financial information of a staggering number of consumers, are the first ones that should be reported to our Office. The fact that they aren’t systematically being reported tells me that mandatory breach notification should be a priority.

Last month, the Commissioner called for mandatory breach notification and for what she called “significant, attention-getting fines,” explaining that the potential for large monetary penalties would serve as an incentive for compliance. Basically, it appears we need to hit the bottom line to ensure privacy protection.

A number of our international counterparts now have the authority to issue these types of penalties, and have been imposing fines in certain cases.

Because of the global nature of the new corporate giants, because data is being stored on servers across the world—or at least on servers that are potentially accessible from anywhere in the world—the need to ensure harmonization between national data protection authorities is pressing. Canada’s international influence can only be maintained if our power is at level.

Going back to maintaining our status as a leader of privacy protection in the world, we need to ensure we have a legislative framework that corresponds to the strengths that made us a leader in the first place: we need a privacy framework so robust as to uphold privacy as a fundamental right in a world where privacy is increasingly threatened, and we need a framework that keeps our powers at par with those of our counterparts.

Closing

In closing, I would like to actually refer to a concept that Marty Abrams put forward last year at this event, a concept that’s stuck with me as defining the new paradigm of privacy protection.

Marty was speaking then of moving from the technical concept of personal information to the practical concept of “impactful information.” I was struck by the wisdom of his words because I believe it more properly reflects the privacy challenges we have before us now: whether it’s a case of unlawful collection, unlawful disclosure or accidental breach, the game changer is impact. Unprecedented and growing.

For the OPC to keep up, we need to increase our impact, proportionately.

I am very much looking forward to your comments.