Changing Global Privacy Concepts

Remarks at the Privacy Law Salon

February 2, 2012
Miami, Florida

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

We all know that the world of privacy has evolved dramatically over the past couple of years. I’d like to focus my remarks today on two dimensions of this change that are particularly relevant to American businesses.

The first is the fact that an increasing number of countries are adopting data privacy laws. Legislation is now the norm.

Meanwhile, we are seeing an expansion in the types of data protected by those laws.

Concepts around what constitutes personal information are shifting in the face of new technological applications such as online behavioural advertising, geo-location and facial recognition.

These two shifts – a geographic expansion in privacy protection, and also an enlargement in the types of data protected by those laws – are resulting in challenges for US corporations, which are based in a jurisdiction without an over-arching privacy regime.

My message to you is that these are not insurmountable challenges – and it is important to face up to them now.

International data protection authorities are becoming better at cooperating on issues. We can expect this change to translate into more effective enforcement when privacy concerns arise.

Expansion of Privacy Laws

I’ll come back to enforcement issues shortly, but first I’d like to explore what’s been happening over the last few years. While acknowledging the many aspects of privacy regulation, explored most recently by Mulligan and Bamberger in their article on the influence of the Chief Privacy Officers within large corporations [Footnote 1], my remarks today will focus on traditional top-down data protection rules.

In every corner of the globe, we have seen a proliferation of countries adopting privacy legislation. [Footnote 2]

If we look south, we see that Mexico, Uruguay and Peru have all adopted comprehensive laws quite recently. In Africa, we’ve seen Morocco and Angola recently pass legislation.

As we see economic power shifting, so too is data protection.

Consider what’s happening in the BRIC economies. Data protection laws came into force in India and Russia in 2011. China has just released provisions that will require “Internet information service providers” to obtain consent before collecting or disclosing personal information. Brazil is drafting legislation in which privacy will be recognized as a fundamental human right.

In most of the countries I’ve just mentioned, the new laws are modelled on or influenced by the EU Directive. [Footnote 3]

Next year marks 40 years since Sweden became the first country to adopt a comprehensive data privacy law. The tally of laws around the world now stands at approximately 80 – and many of those are quite new. An analysis by Privacy Laws and Business found that the growth of global data privacy laws is accelerating. [Footnote 4]

And while countries that didn’t previously have data protection laws have introduced them, others are strengthening their laws.

Israel’s data protection office, for example, has recently taken on a much higher profile and the law there is being enforced more forcefully.

Meanwhile, Europe recently announced proposals to enhance its legal framework for data protection. The proposals call for a more harmonized, consistent approach across Europe as well as stronger enforcement powers, including stiffer penalties for organizations that flout the rules.

The proposals suggest the EU wants to re-assert its leadership role in promoting the protection of personal information. The proposed Regulation also strengthens individual rights, for example, by adding a “Right to be Forgotten.”

Europe has taken a different approach to privacy than the United States, and I know the practical application of the EU Directive has been a source of some frustration in this country.

However, I think we can agree that the Directive has had a very positive impact in raising the level of data protection around the world.

Evolving Concepts of Personal Information

As the number of laws around the world continues to grow, we also see some interesting debates about both the impact of privacy protection and concepts of what constitutes personal information worthy of legislative protection.

When I attend conferences in the US, I often hear discussions about the relationship between privacy and innovation – specifically the concern that privacy protection may hinder innovation. That’s not something I hear when I’m outside the North American context.

While the concept of “privacy” means different things to different people, governments around the world have recognized the imperative of protecting privacy according to objective standards and criteria, which includes the notion of personal information.

This concept of personal information is at the root of Canada’s federal private-sector legislation and many other statutes found across the world.

When I became Privacy Commissioner of Canada eight years ago, what we meant by personal information was usually quite straightforward.

But evolving technologies are forcing us to think hard about the concept of personal information.

Is an IP address personal information? What about a MAC address?

Consider facial recognition. Are we not talking about personal information when someone’s face is detected? Is recognized?

And, in the context of online behavioural marketing, at what point does data being collected for targeted advertising purposes become personal information?

There are no easy answers.

We’re increasingly concerned with derived information – information that is drawn from countless bits of data from our online wanderings, the use of our smart phones and so on. All of that data may be used to derive who you are, what you are doing and where you are doing it.

Does the concept of personal information remain relevant in a world where seemingly innocuous pieces of information can so easily be matched to people?

Some have argued that the concept of personal information, or personally identifiable information – PII, as you refer to it in the US – is ultimately doomed. [Footnote 5]

Others argue that, although current approaches to PII are flawed, the concept of PII should not be abandoned. Instead, it needs to be updated. Paul Schwartz and Daniel Solove, for example, identify a need for tailored legal safeguards determined by the premise of the risk to individuals. [Footnote 6]

But these are essentially debates within American privacy circles, responding to the realities of new business models. I am not aware that this debate has the same resonance outside of the US.

On the contrary, attention is focussed elsewhere. The EU’s casting of an old civil law concept akin to a pardon in the information handling context is an imaginative, individual-centred, active answer to the personal information deluge.

Those of you with a particular interest in this area may also want to look at the work of a prominent Canadian health researcher, Dr. Khaled El Emam [Footnote 7].

Dr. El Emam has examined issues around anonymization and re-identification of data. He asserts that we shouldn’t abandon anonymization as a practical means to protect privacy, especially in instances where the data is being used to further a social good – health research, for example. But his work points out the increasing challenges of relying on anonymization.

I would also flag the work of legal thinker Teresa Scassa [Footnote 8] of the University of Ottawa, who has explored the relationships between geographic information and the concept of personal information. She argues that adding a geographic or locational dimension to data could often trigger the application of data protection laws.

Online Behavioural Advertising Guidance

I’d like to share with you an example of how my Office is currently dealing with the sometimes challenging issue of defining personal information.

We recently issued guidelines on online behavioural advertising.

Canada’s private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, defines personal information as “information about an identifiable individual.”

My Office has taken the position that the information involved in the online tracking and targeting of people’s browsing activities for the purposes of serving behaviourally targeted advertising will generally constitute personal information as defined under PIPEDA.

In the context of online behavioural advertising, the purpose behind collecting information is the creation of profiles of individuals that, in turn, permit the serving of targeted ads. There are powerful means available for gathering and analyzing disparate bits of data. The resulting advertising is potentially of a highly personalized nature.

Our guidelines call on all players involved in online behavioural advertising to be upfront with Canadians about what they’re doing and to make it easy for people to say No to being tracked.

There has been a great deal of discussion about opt-in versus opt-out consent in the context of online behavioural advertising.

Our view is that opt-out consent can be used for behavioural advertising if certain conditions are met. For example, an opt-out approach might be acceptable where information about what’s happening is clear and obvious and where people can very easily opt out.

That’s a somewhat different approach than in Europe, where the Article 29 Working Party advocates an opt-in or express consent approach.

However, our position advocates for a real opportunity for users to express their wishes and for enough information to allow them to make an informed decision. This is the common thread that runs through our guidelines, the US Federal Trade Commission’s views on Do Not Track as well as Europe’s position on cookies.

Situation in the US

I’ve talked about two global trends that are transforming the privacy landscape. But where does this changing environment leave the US and US corporations, who are often established in many countries around the world?

Earlier, I listed some of the many countries which have adopted privacy legislation. There’s obviously one major player notable in its absence.

The US has become something of an anomaly. You don’t have comprehensive private-sector data protection legislation – in spite of a number of attempts in Congress to change that.

You also – as noted by scholars Paul Schwartz and Daniel Solove – generally take a reductionist, or minimalist view of what constitutes personal information. That also puts the US somewhat at odds with the rest of the world – and we see that played out in the contexts of online behavioural advertising, the use of facial recognition and geo-location technologies.

The US has a large number of sector-specific laws, which have been quite effective. The US has also led the way with breach notification legislation. As well, I would be remiss if I didn’t mention the US Federal Trade Commission and its outstanding work on privacy which is having a positive impact for people, not only in the US, but around the globe.

The US also benefits from a more informal force for privacy – a sophisticated advocacy community. We saw a demonstration of its effectiveness just last month, with the decision to put on hold both the Stop Online Piracy Act (SOPA) and the Protect IP Act in the face of widespread criticism.

Many outside the US eagerly anticipate the release of the Department of Commerce white paper on privacy and how its proposals address some of the challenges I’ve mentioned.

Internationally, several data protection authorities have been alarmed by the failure of some American-based corporations to respect basic privacy principles – and national privacy laws as they unfold their products.

Those concerns have prompted us to take some important steps to strengthen coordination of our enforcement efforts.

For US businesses, it’s clear that that’s going to mean increased scrutiny.

Increased International Coordination

To be frank, it has taken too long, but the international data protection community is getting its act together.

Coordination of efforts and cooperation is happening on a number of levels.

For a start, regulators are sharing more general information and exploring issues together.

Last fall, for example, my Office hosted a meeting with a number of my international colleagues to discuss the growing privacy implications of facial recognition. The US Federal Trade Commission (FTC) held a facial recognition workshop which my staff and I attended in December.

Regulators have also created new frameworks to encourage cooperation.

Most of you will be aware of the Global Privacy Enforcement Network, which exists in large part thanks to the efforts of the FTC. GPEN – with more than 20 members – is an informal network of privacy enforcement authorities that is intended to promote enforcement cooperation.

Last fall, international data protection and privacy commissioners passed an important resolution on privacy enforcement coordination at the international level. We resolved to undertake specific efforts to enable more effective coordination of cross-border investigation and enforcement in appropriate cases.

My Office and our colleagues in the UK are co-chairing a working group that will come up with a practical framework to translate the words in the resolution into action. In May, I’ll be hosting a meeting in Montreal on privacy enforcement cooperation to follow up on the resolution.

Meanwhile, my Office has been putting to good use recent legislative amendments allowing us to share investigative information with other regulators.

We have signed information-sharing agreements with both the Irish and Dutch data protection offices. As a result, we were able to share insights of our 2009 Facebook investigation with our Irish colleagues during their audit of the social networking site.

As well, we continue to participate in a multilateral information sharing agreement with several other Asia Pacific Economic Cooperation economies.

Cooperation in Canada

Whenever a multitude of jurisdictions are involved in regulating an issue, as is the case in the United States, the European Union, and back home in Canada, there will be some unique challenges. But there will also be important opportunities to work together.

Canada, like the United States, is a federation with the power to make laws divided between the provinces and the federal government. Whatever the constitutional responsibilities are or may be, cooperation among jurisdictions is essential.

My Office continues to work with our provincial counterparts to ensure a uniform approach to the protection of personal information. We publish joint guidance, for example with British Columbia, Alberta and Quebec, which are provinces with substantially similar privacy legislation. We also coordinate investigations and discuss issues of mutual interest on a regular basis.

Conclusion

Increasingly, people around the globe face common privacy concerns. Whether we live in Canada, the US, Russia, India or Peru, we are all accessing the same websites and using the same types of smart phones and other technologies.

We can expect increasing regulation of the uses of personal information from many new jurisdictions where the concepts of commercial freedom and free speech do not occupy the same place in their respective legal cultures.

The good news for businesses that operate internationally is that the privacy laws elsewhere are based on common principles – principles that are also generally accepted in the US. There are nuances and degrees of regulation, of course, but the fundamentals are the same. This is why the work being done on updating the application of the OECD principles is so important. Just to bring you up to date, at this point three issues have been singled out for further reflection: the role of the individual, trans-border data flow, and enforcement of data-protection laws.

The rest of the world will continue to note with interest how the US responds to the shifting privacy environment.

That said, we have moved away from a situation where the rest of the world was looking in to see what the US was doing.

Privacy laws are in place elsewhere – and global corporations that want to operate in global markets will increasingly need to look out to see what the rest of the world is doing.
