The Sum of Its Parts : Addressing Contemporary Privacy Challenges on the World Wide Web

Remarks at the Fourth Annual Sedona Conference International Programme on Cross-Border Discovery & Data Privacy

June 20, 2012
Toronto, Ontario

Address by Daniel Caron
Legal Counsel, Office of the Privacy Commissioner of Canada

(Check against delivery)


Hello to you all and welcome to what is surely to be a very engaging two days of candid discussion on a variety of issues. Bonjour à tous et à toutes, et j'aimerai d'emblée vous souhaiter la bienvenue non seulement à ce que je prévois être deux jours de mûr réflexion et discussion, mais aussi au Canada et à cette magnifique ville de Toronto.

One of the main things the Sedona Conference hopes to achieve through our upcoming discussions is to prepare a Canada/U.S. version of the European version of its International Principles of Discovery, Disclosure and Data Protection. I think it's a timely endeavor, not only because a Canadian version would follow nicely a European version, but because the imperative of protecting privacy in an increasingly interconnected world continues to raise more and more relevant issues related to jurisdiction.

The reality of our interconnected environment underscores the waning importance of borders and the waxing importance of increased cooperation and coordination. In particular, there is a growing recognition for greater “interoperability” between privacy regimes, and coordination of efforts between international data protection authorities. Interoperability is really all about how different regimes can deal with issues in a similar manner, without necessarily being identical. In other words, it is about creating predictable and workable rules for businesses out of varying national standards. Indeed, the Principles of the Sedona Working Group 6 themselves embody this very notion to some extent.

The growing discussion about “Interoperability” took the forefront at the 33rd International Conference of Data Protection and Privacy Commissioners, which took place in Mexico City in early November 2011. The conference's theme was “Privacy, the Global Age”, and was in many respects a follow-up to the Conference held in Madrid two years before, where a number of international data protection authorities adopted a resolution on international cooperation. Many at the Mexico City conference agreed on the importance of interoperability going forward, and the Conference passed a Resolution on Privacy Enforcement Co-ordination at the International Level.

From my perspective, I find it fascinating how the novel technological advances of the past ten years or so have led to a more collective and cooperative approach to dealing with privacy. Indeed, this growing interconnectedness reminds me of an extraordinary natural phenomenon that occurred in Australia earlier this year.

Earlier this year, we all heard the news coverage of how three Australian states were ravaged by floods that reached historical levels. One city in New South Wales, Wagga Wagga, saw the waters of its Murrumbidgee River rise to levels apparently not seen since 1844. Although the rising water led to great anxiousness among the locals, the rising water also had a very peculiar consequence. Literally thousands upon thousands of a type of ground-dwelling wolf spider seeking shelter from the rising waters cast fields upon fields of white webs over the flood-hit area. I was always fascinated at how so many small creatures could build such an impressive and elaborate structure, and so quickly; the sight is pretty impressive and I urge you all (unless you are an arachnophobe, of course), to search for some pictures of this giant web on the Internet.

Experts described the spiders' behavior as “ballooning”. In an attempt to escape rising waters, the spiders climb blades of grass and let out hundreds of meters of silk in the hope a gust of wind will catch the web and transport them to safety. The resulting web is essentially the collective result of their attempts to rise above the turbulent waters below.

Although I'm not much of a fan of spiders, I find intriguing not only the size of the expansive web created by all these individual ballooning spiders together, but also the fact that it was created by smaller, individual spiders, was a natural response to the surrounding environment, and was weaved with astonishing rapidity.

To me, the “Wagga Wagga web” is an apt metaphor for the new deeply interconnected environment in which we find ourselves today, and in which data protection authorities operate to deal with the growing tide of privacy issues. This connected environment is geographically expansive, has been built up with relative rapidity, and brings otherwise isolated entities together.

Like the current environment in which data protection authorities operate, the Wagga Wagga web is very much a giant white blanket made up of smaller components, each bringing their own unique nuances to the larger web. In the same vein, there do remain regional and national differences in how to address specific legal issues in an increasingly interconnected world, including the protection of privacy. By way of example, Canada's federal personal information protection statute, the Personal Information Protection and Electronic Documents Act, which has thankfully been more commonly known by its acronym, PIPEDA, is largely based on the same OECD principles on which much of the privacy legislation in the western world is based. However, there are some specific differences between PIPEDA, on the one hand, and the EU Data Protection Directive, for example, on the other. In fact, I'm sure many of these differences will be highlighted today and tomorrow.

So what does Canada's part of the Wagga Wagga web look like? In terms of data protection legislation, Canada's federal PIPEDA imposes obligations on organizations that collect, use or disclose personal information in the course of commercial activities. Ultimately, PIPEDA aims to strike a balance between a business' need to use personal information to offer services and products, and an individual's right to control how his or her personal information is used by that business.

PIPEDA is a unique statute; it is the only federal statute in Canada to wholly incorporate a voluntary Model Code regarding the protection of personal information, and makes parts of that Model Code mandatory. It incorporates 10 privacy principles, and as a principle-based technologically-neutral statute, PIPEDA has continued to be relevant in dealing with the privacy implications of newer technologies not contemplated when it was enacted.

Although PIPEDA is a relatively young statute - it was enacted in 2001 and fully came into force in 2004 – Parliament ensured that it be given the opportunity to review the legislation every five years. However, PIPEDA's first five-year review has yet to be fully completed by Parliament. A bill now at first reading before the House of Commons, Bill C-12, includes a number of changes to PIPEDA flowing from this first five-year review, such as mandatory breach notification and clarifying the consent provisions of the Act.

In terms of cross-border disclosures of personal information for the purpose of discovery in the United States, PIPEDA is certainly a key consideration for organizations. I will be speaking to more specific aspects of the legislation throughout our two days together. It will be interesting to discuss the legal and practical differences between the Canadian and the European contexts as the Sedona Conference works towards creating a Canada/U.S. set of principles on cross-border discovery and privacy.

A current unique feature of PIPEDA that I would also like to mention is that it yields to provincial legislation that has been deemed “substantially similar”. Under PIPEDA, the Governor in Council can exempt an organization, a class of organizations, an activity or a class of activities from the application of PIPEDA where a province has passed legislation deemed to be substantially similar to PIPEDA. Presently, the personal information protection statutes of British Columbia, Alberta and Quebec have been deemed substantially similar, as well as the personal health information protection statutes of the provinces of Ontario and New Brunswick.

The existence of substantially similar legislation does not thereby mean that privacy commissioners across Canada operate in silos. In fact, the whole notion of interoperability being discussed at the international level is equally relevant in the Canadian context. The Office of the Privacy Commissioner of Canada, and provincial and territorial commissioners, work together to ensure, as much as possible under their respective laws, some measure of consistency in the application of their personal information protection statutes. Our Office and various provincial counterparts have in the past issued joint guidance on issues, including just recently guidance on cloud computing for small and medium sized enterprises, and on the principle of accountability. Collaborative efforts between our Office and our international counterparts have also been made easier through recent amendments to PIPEDA, which gives our Office the power to enter into agreements and arrangements with our international counterparts to share investigative information in certain cases.

The importance of working with our counterparts cannot be understated. Since the beginning of her mandate, our Commissioner Jennifer Stoddart has tirelessly underscored the importance of working with her counterparts, both nationally and internationally. In the spirit of international dialogue and cooperation, our Office regularly participates in OECD and APEC meetings on privacy, has concluded various arrangements and agreements with other data protection authorities allowing us to share information, and has worked with other authorities on specific enforcement matters.

While the Wagga Wagga web eventually disappeared as the flood waters receded, I am of the view that our international environment will not share this fate and can only become increasingly interconnected. Greater interoperability, stronger cooperation, and much needed guidance on how to deal with potential jurisdictional conflicts will all help businesses, data protection authorities and courts in dealing with contemporary challenges, and with new ones on the horizon.

Date modified: