Privacy protection in Canada – Keeping pace with advancing global norms

Remarks at the 2012 Access and Privacy Conference, organized by University of Alberta

June 14, 2012
Edmonton, Alberta

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)

I want to begin by saying what a pleasure it is to be making my first visit to Alberta since the appointment of Jill Clayton as Information and Privacy Commissioner.

Jill has spent many years working in the access and privacy fields. Albertans are very fortunate to have Jill; someone so experienced, energetic, reasonable and approachable as Commissioner. So too, as one of Canada’s privacy commissioners, our community is very fortunate to have Jill among us.

As Commissioners, we must proceed in our work cognizant and respectful of each other’s jurisdiction. At the same time though, when circumstances dictate, we mustn’t be constrained by jurisdictional lines from supporting each other or working together. Indeed, we should never lose sight of the fact that while the application of privacy law is bounded by jurisdictions, privacy as a value is universal. Privacy itself transcends borders.

As a result, especially given the interconnected nature of today’s global economy, no law, no action, no decision really exists in isolation. Events happening in one province, one country and an ocean away need to be seen in this light. Whether it’s ensuring a level of protection for residents or citizens on par with that of our neighbours - or securing access to markets for businesses - our norms need to adjust and keep pace with actors around the world. And this is at the heart of what I’m going to discuss today.

Proposed Amendments to the European Union Directive

Increasingly today, business, and as a result personal information, crosses borders, be they between provinces, countries or continents. In Canada, when personal information crosses our international or interprovincial borders, federal privacy law applies. And this is a key reason why my Office has been closely following the proposed updating of Europe’s personal data protection regime.

Europe is where privacy protection law as we know it first took root. The European Commission issued the Data Protection Directive in 1995 and it reflects the basic principles that have guided the drafting of nearly every subsequent law throughout the world. Based generally on the eight principles of the 1980 OECD Guidelines, the directive sought to harmonize the pre-existing laws of member states, so the personal data of EU citizens would be protected, both within and outside the Union.

Today, personal data can be sent from the EU to a third country only if the sending organization can demonstrate it will be appropriately protected on the other end. While this can be done on a contract basis, the easiest way to meet this requirement is dealing with companies based in countries which have enacted privacy legislation judged adequate by the European Commission. For example, the Personal Information Protection and Electronic Documents Act was deemed adequate in 2001. This was the first law outside Europe to receive this recognition.

In January of this year, the European Commission proposed a comprehensive reform of the rules originally adopted in 1995. The draft regulation represents the main component of the proposed new framework. One of its prime goals is strengthening protection of individual rights. Individuals will have better access to their personal data. The application powers of the various data protection authorities will be more uniform and robust, which will also advance individual rights.

In sum, judging from the way things are unfolding, the proposed European framework will remain the global standard of excellence in personal information protection. Companies doing business around the world will have to adjust their personal information protection policies to meet this enhanced standard. They’ll benefit from enhanced access to one of the world’s most important markets and their customers will benefit from enhanced data protection, wherever they may be.

Certainly, my Office draws inspiration from this proposed strengthening as we prepare for the upcoming Parliamentary review of PIPEDA.

The need for an effective Federal Data Breach Law

It’s not only changes in law unfolding across the world which should occupy the attention of other data protection authorities and governments. We also need to take stock of systemic trends impacting data protection in the marketplace and their effect on the public. For one specific example, let’s consider data breaches.

It’s worth noting a report issued by Verizon earlier this year. It studied a total of 855 breaches across 36 countries in 2011, compromising more than 174 million records. It found that hacking was linked to the vast majority of incidents – 81 percent.  As well, malware was used 69 percent of the time.

Now depending on your perspective, the next statistic is either the most deflating or the most inspiring. It’s the fact that Verizon’s experts concluded that some 97 percent of the attacks were not highly sophisticated and therefore avoidable through simple or intermediate controls.

If you look at the glass half empty, you may be drawn to think that too few businesses believe that “privacy is good business,” and therefore haven’t taken sufficient measures to protect personal information. But if you look at it half-full, we can see where mandatory data breach reporting laws could motivate greater attention to data security. In other words, perhaps the force of law and the glare of the spotlight could push more companies to implement those “simple, intermediate controls.”

Let’s take a look right here in Alberta. Not only does the Office of the Information and Privacy Commissioner have order-making power, but it’s also the only jurisdiction in Canada with a comprehensive mandatory data breach requirement covering the private sector. It’s perhaps not a coincidence that our Office’s most recent business survey found that companies in Alberta were the most likely to deliver privacy training to their employees compared to other provinces. The same survey also found Alberta companies were the most likely to make employees change their computer security passwords every month.

In terms of having a mandatory data breach requirement in place, Alberta is atop the crest of a wave that’s gaining momentum. To our south, nearly all US states have breach notification laws. Looking again to the European Union, it’s proposed that organizations be required to notify authorities of a breach “without undue delay and, where feasible, not later than 24 hours after having become aware of it.” Notices meanwhile would be sent to an individual where a breach "is likely to adversely affect the protection of the personal data or privacy of the data subject.” Looking west, Commissioner Denham has pointed to the need to adopt a breach report law for British Columbia.

Meanwhile, at the federal level, legislation has been introduced in the form of Bill C12 which would bring a form of breach notification requirement across Canada. However, these proposed changes stem from recommendations made to Parliamentarians back in 2006. When the government first made these proposals, I’d hoped they would be a good first step. However, a lot has changed over the years – and the data breach reporting proposals of C-12 are simply falling behind the times.

Today, Canadians are living more and more of their lives online. More and more data is being transmitted and stored online. And cybercrime is a growing concern. In recent years, we’ve seen – and we continue to see – very serious, large-scale breaches. And C-12 may no longer be sufficient to create the kind of incentives we need to ensure that organizations take data security more seriously.

In light of this reality, serious consideration should be given to putting more teeth into the current proposals. And this is why I am strongly encouraging the federal government to explore real enforcement options to create stronger incentives for organizations to adequately protect personal information.

As it stands, unlike Alberta, my office lacks order making power. As a result, if the current C12 were to become law, we would likely have to haul an uncooperative company to court to have them notify us let alone their customers in the event of a breach. Given the rate at which information travels today, this could very understandably provide extremely cold comfort to Canadians at best.

C-12 also lacks a time limit for notification. And, as the Verizon report found, given that many data breaches are the result of criminal organizations, consideration should be given to amending the law to include notification to the appropriate law enforcement agency.

It’s also worth noting that many US states have implemented laws - including some with strong sanctions against breaches - while the EU is considering fines of up to one million Euros for companies who violate data protection rules.

All this to say, if trends continue as they are within both the marketplace and the legislatures of our major trading partners, the minimal, outdated steps taken here federally, will pale in comparison and leave the majority of Canadians shortchanged when it comes to protecting their personal information.

Recent Alberta Court of Appeal Decisions

Moving on from the international and national scenes, I want to spend a few minutes talking about a fairly recent Alberta Court of Appeal decision involving Leon’s furniture chain. I’ll provide some background for those of you who may be unfamiliar with the issue. It all stemmed from the company’s policy requiring customers to provide their driver’s licence and plate numbers when picking up furniture.

One customer objected to the practice and complained to Alberta’s Commissioner. An investigation followed. It was ultimately found that the practice violated Alberta’s Alberta’s Personal Information Protection Act or PIPA.

The matter eventually reached the Alberta Court of Appeal, which for the most part disagreed with the OIPC’s findings.

The Court took the view that a licence plate is not personal information because it relates to an object rather than an individual.

From my perspective, it would be concerning if a similar view of personal information were adopted elsewhere. It is indeed a very narrow view compared with interpretations taken by the Federal and Supreme Courts here. It also comes at a time when both the European Union and US Federal Trade Commission are taking broader views of what constitutes personal information.

All told, if a narrower view were to become the norm in Canada, be it in courts or future legislation, it could have the effect of putting Canada out of line with some of our major trading partners and effectively rendering Canadians second class citizens in terms of privacy protection, globally.

I should also mention another decision taken by the Alberta Court of Appeal in April - United Food and Commercial Workers Canada vs the Alberta OIPC – who declared that the application of Alberta’s PIPA to a union recording people crossing a picket line infringed the union’s right to freedom of expression. Last week, the Alberta OIPC announced their intention to appeal this decision. I’m happy to say today that we will support this leave to appeal as we are very concerned about the effects of the decision on the status of Canadian privacy legislation. And we offer our full support to Commissioner Clayton and her team in their efforts to assert and maintain the protection of the privacy and personal information of all Albertans.

Collaborating on Joint Guidances

This kind of collaboration goes back to one of the points I made beginning my remarks today. For Commissioners across the country, it’s essential that we respect each others’ jurisdictions, but at the same time, not be confined by their lines. On top of collaborating to help protect privacy, we can - and indeed have - come together to provide organizations with tools and guidance to help them comply with Canada’s private sector privacy laws and in turn better protect the personal information of Canadians.

In April, our Office joined with those of Alberta and British Columbia in releasing Getting Accountability Right with a Privacy Management Program; a guidance document for private sector organizations providing useful building blocks for organizations to consider when building privacy management programs. In particular, it offers organizations insight on developing programs that respect accountability requirements of Canadian privacy laws.

And it’s my pleasure today to let you know about a new guidance we’re unveiling today. It’s designed to help small- and medium-sized businesses understand their privacy responsibilities when using cloud services for storing, communicating or processing personal information. It’s something that our Office developed jointly with offices from Alberta, British Columbia and seeks to help small and medium-sized businesses reflect on privacy considerations in the cloud.

In general, the smaller a business, the less likely it has the resources to hire a fulltime counsel and Chief Privacy Officer or implement expensive IT-based solutions. At the same time, smaller businesses may find themselves turning to cloud-based service providers in order to access services they may not have the budget to implement or support on their own.

As most of us know, the word cloud is deceiving. On one hand, the services and data an organization puts there can indeed seem to float and follow users wherever they may be. On the other, the data needs to be stored on a fixed server somewhere – or perhaps on many servers in multiple countries. And our guidance makes clear the fact that organizations are responsible for the security of information they store on cloud servers and for ensuring that it’s given the same level of protection that it would when stored on Canadian soil.

On the whole, our guidance doesn’t look to discourage any business from using cloud services. Instead, it encourages all businesses to look before they leap by, for example, ensuring that the information they store won’t be left open to third-party disclosure or put at risk due to lax security. I encourage you all to read our guidance, which can be found on the websites of our Office, along with both the Alberta and BC OIPC.    


In closing now, I want to leave you with a quote from the first federal Privacy Commissioner, the late John Grace, taken from one of our Office’s first annual reports:

“Privacy protectors cannot be staled by custom or allowed to be complacent. The challenges to privacy are new, urgent, various and ingenious, brought about by technology that never sleeps and is rarely denied.”

Though written more than a quarter century ago, those words still ring loud and true today. In fact, the challenge he spoke of has only intensified with the rise of digital giants and the increasingly borderless nature of business and networks.

In such a world, we need to push for privacy protection to keep pace with the rest and best of the world. We need to fully engage in a race to the top to avoid Canadians’ privacy being left isolated on low land while confronted by ever rising tides.

Thank you.

Date modified: