International Privacy Standards: Development, Recent Events and Limitations
Remarks at the 43rd Annual Study Session of the International Institute of Human Rights
July 9, 2012
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
It is a great honour for me to be here, surrounded by history, to inaugurate the 43rd Study Session of the International Institute of Human Rights.
I attended the Institute’s study session more than 10 years ago and I will always remember it. I am certain this session will also stay with you for years to come.
This morning, I will be speaking to you about international privacy standards, their introduction at the end of the 20th century, their evolution since then, and their current and future situations.
I will begin with a few words about privacy rights, which are intended to advance personal data protection measures.
Privacy Rights within the Context of Human Rights
Humans have an innate need and desire for privacy. Over the years, we have established a set of social conventions that govern our relationships with one another.
All societies in all periods of history have abided by a social code that governs – completely or in part – what happens in private spaces. However, these codes and the boundaries of the space they govern are not universal.
As a legal concept, the right to privacy has gained importance relatively recently. It is a recognized human right that gives us the space we need to exercise our freedoms of thought, expression and association – it is therefore a right that is essential to democracy.
This right was recognized by the United Nations General Assembly in 1948 when it adopted the Universal Declaration of Human Rights. Article 12 of this founding document states the following:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Current legislation speaks more to the protection of personal information and data. Though the concept of “privacy” may vary from person to person, governments around the world are increasingly recognizing the need for objective standards and criteria to protect privacy. The concept of “personal data” and the codification of the fair processing of this data responds to this need.
Beyond the cultural nuances expressed from one society to the next with regard to the concept of privacy, the difference is particularly palpable in the balance each society establishes between the right to privacy and other rights and freedoms.
The most compelling example is the difference in the relative weight assigned to privacy and the freedom of expression by the United States and by continental Europe.
Americans have a tendency to value freedom above all, while Europeans and Canadians assign relatively more value to honour and personal dignity.
This difference is highlighted for example on the websites that tell the story of a German actor who was murdered in 1990.
Two men were convicted of the murder. After serving their sentences, they appeared before various German courts in 2008 and 2009 to have their names removed from the Wikipedia pages that told the story of the murder.
The case went all the way to Germany’s federal court of justice (Bundesgerichtshof), which found that websites did not have to go as far as removing the names from their archives, which dated back to when the two men were incarcerated.
The German Wikipedia editors agreed with the decisions of the German courts and removed the names of the two men from the German-language page about the actor.
The Americans see things differently. For them, such a request is akin to censorship and an attempt to re-write history. The English-language Wikipedia page about the actor still contains the names of the two men convicted of the murder.
As for Wikipedia itself, it does not recognize the authority of the German court, and has stated that it does not operate on German soil – but that’s another story.
The Emergence of International Standards
So now we have seen how the right to privacy is expressed in foundational documents and how it is viewed on each side of the Atlantic.
Earlier, I spoke about the 1948 Universal Declaration of Human Rights. With regard to privacy, the Universal Declaration is an international standard that aims to protect citizens from potential abuses by the State. The same can be said of the European Convention on Human Rights, adopted in 1950, and the Charter of Fundamental Rights of the European Union, which was formally adopted in 2000.
The international personal data protection standards that appeared from the early 1980s to the early 2000s are primarily aimed at protecting consumers from potential abuses by corporations.
These standards were adopted in response to the rapid advancement of technology and are aimed at protecting fundamental rights without interfering with trade and social development.
The first standards of this kind to be introduced were the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted by the Organisation for Economic Co-operation and Development in 1980.
These Guidelines are founded on eight principles: collection limitation, data quality, use limitation, security safeguards, individual participation, accountability, free flow, and legitimate restrictions.
Of course, the OECD’s mandate is not to protect human rights, but to promote policies that support a free-market economy.
The OECD’s interest in international standards for the fair processing of personal data speaks to the importance of these standards in today’s economy and the importance placed on the right to privacy in democratic societies.
The OECD Guidelines have inspired a number of national laws as well as the Data Protection Directive issued by the European Commission in 1995.
The European Directive was modelled after the OECD’s Guidelines, but was also inspired by the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (also known as Convention 108), proposed by the Council of Europe in 1981.
Article 1 of the Convention recognizes the importance of strengthening the legal protection of the individual “with regard to automatic processing of personal data relating to him” as a reaction to the increasing use of automated files, in keeping with the OECD Guidelines.
Convention 108 includes current principles of fairness for the processing of information (comparable to those included in the OECD Guidelines) and was ratified by 44 of the 47 member states of the Council of Europe.
European Directive 95/46
At the European Union-27 (EU-27) level, the European Commission issued the Data Protection Directive, or Directive 95/46, in 1995.
The European Directive is intended to harmonize the standards of the European Union’s member states so that the personal data of citizens of the EU-27 are protected, including when such data is hosted outside the EU.
The Directive is not legally binding in itself, but is intended to be transposed by member states of the European Union into their own national laws.
With respect to international trade, the personal data of EU citizens can be sent to a third country only if that country’s legislative framework is deemed adequate.
In many respects, the European Directive represents the pinnacle; the ideal to be achieved in personal information protection.
APEC guiding principles
Other regional standards also exist outside Europe.
The Asia-Pacific Economic Cooperation (APEC) was established in 1989 and has 21 member economies on every Pacific coast, from Brunei Darussalam to Chile and from the People’s Republic of China to Canada.
In 2004, APEC adopted a Privacy Framework for the protection of personal information, which is founded on nine guiding principles aimed at strengthening privacy protection and maintaining information flows. It is intended to be consistent with the OECD Guidelines, while also taking into account the reality and diversity of the Asia-Pacific economies.
Changes since the introduction of the standards
In the late 1980s, only a handful of states, mainly in Europe, had privacy laws in place. Even ten years on, only about 35 national laws existed around the world.
Today, some 80 countries on every continent have laws to protect personal information: having legislative measures in place has now become the norm.
A number of national laws have been influenced by the OECD’s Guidelines, such as Canada’s federal private-sector privacy law: The Personal Information Protection and Electronic Documents Act.
However, an increasing number of states are looking to the European Directive, which is particularly true in Latin America. The European Directive has played a lead role in strengthening the protection of personal data on a global level.
The explosion in the potential and use of the Internet by individuals and businesses has been a game changer. The focus, which shifted from potential abuses by states to potential abuses by private corporations, is once again in transition.
The main reason for this is the concept of “personal information,” which is becoming increasingly broad and complex.
For example, the definition of “personal information” in Canada’s private-sector law refers to any information concerning an identifiable individual. Eight years ago, when I became Privacy Commissioner of Canada, things were quite straightforward: home address, date of birth, etc. But today, a new reality must pass through the filter of this definition. Does personal information include an IP address (specific to a network connection), a MAC address (specific to a physical device), or the unique identifier (UDID) for a smartphone? And, in the context of online behavioural marketing, at what point does data being collected for targeted advertising purposes become personal information?
We are increasingly concerned with derived information – information that is drawn from countless bits of data from our online wanderings and the use of our smart phones, tablets and other devices permanently connected to telecommunications networks. All of that data may be used to derive who we are, what we are doing and where we are doing it.
Does the concept of personal information remain relevant in a world where seemingly innocuous pieces of information can so easily be matched to people?
As the number of countries adopting laws to protect personal information rises, the types of information covered by these laws are also increasing in reaction to our new technological reality.
The Current Situation
The first wave of international privacy standards appeared in reaction to potential abuses by governments. In a world still feeling the aftershocks of the September 11, 2001, attacks, the standards established to manage the use of personal data within the context of the citizen-state relationship continue to be valid.
The second wave of international standards appeared in reaction to potential abuses by corporations able to process increasing quantities of personal data by virtue of the rapid pace of technological advancement. As we know, this transactional reality remains at the heart of the relationship between consumers and commercial enterprises, so the standards governing this relationship are still valid.
However, because the potential for abuse is increasing at the same rate as the processing power of computers, these standards, along with their enforcement, need to be strengthened.
Earlier, I talked about a global trend toward the adoption of personal information protection laws among countries that do not yet have laws of this kind in place. For countries that do already have them, the trend is toward strengthening existing laws.
I believe the next wave of standards to be added to existing standards, which remain relevant today, must address the potential abuses that individuals could commit against one another.
In Canada this year, the high-profile case of Jones v. Tsige focused considerable attention on this issue in the province of Ontario.
On January 18, 2012, the Ontario Court of Appeal issued a unanimous decision that recognized a new common law cause of action, intrusion upon seclusion, citing an identifiable trend in case law, as well as the constitutional protection of privacy recognized by the Supreme Court of Canada.
In this case, the respondent, who was a bank employee, was found responsible for accessing the personal banking information of the complainant, who was her spouse’s ex-wife.
The defendant did not use or share the information with anyone else, and the complainant did not incur any financial losses.
Nevertheless, the Court recognized that the complainant had suffered harm and should be compensated.
The effects of this historic decision remain to be seen. Needless to say, we are following it closely.
Jones v. Tsige brought to light a gap in Canada’s legal framework, at least when it comes to individual accountability, as well as a certain ambiguity in the awarding of damages. Another case, which is currently before the Supreme Court of Canada, has shed light on the seriousness of potential online abuse and the ambiguity surrounding possible solutions to online harassment and defamation.
The case in question is A.B. v. Bragg, in which a 15-year-old girl sought to take action against an individual who had created a phoney and allegedly defamatory profile in her name on a social networking site. In short, it is a case of online harassment.
The plaintiff convinced the Supreme Court of Nova Scotia to disclose the identity of the alleged harasser, but was denied the ability to act under a pseudonym before the court and to have the benefit of a partial publication ban on the content of the phoney profile. The case is currently being appealed before the Supreme Court of Canada.
The Office of the Privacy Commissioner of Canada obtained intervener status in the case to advocate for the importance of balancing the right to privacy with the open court principle. In its submission to the Court, the Office of the Privacy Commissioner of Canada contends that it is in the public’s interest to attach great importance to the right to privacy, stating: “Informational privacy is critical to a number of collective social values and goals, including those that underlie freedom of expression.”
In the last part of my presentation, I will provide an overview of the current initiatives to modernize normative frameworks.
Renewal of the European Union framework
In January 2012, the European Commission proposed a comprehensive reform of the rules adopted by the European Union in 1995 to harmonize the rules from state to state, reduce the burden imposed on companies and strengthen the protection of individual rights.
The proposed Regulation differs from the current Directive above all in its legal status: whereas the Directive had to be incorporated into the laws of member countries, the Regulation would be binding.
The draft Regulation also introduces new standards that are not included in the Directive.
Some of the new standards reflect contemporary thinking on the protection of personal data, on which there is consensus in the international community of personal data protection authorities.
These standards would contribute to giving the Regulation the gold-standard status currently enjoyed by the Directive.
For example, mandatory data breach notification is a requirement already enshrined in a number of pieces of legislation, including one provincial law in Canada.
Other provisions proposed in the draft Regulation are the subject of intense debate, particularly the provision on the right to be forgotten. The proposed regulation contains a clause giving members of the public the right to be digitally forgotten. However, the right to be digitally forgotten continues to cause uproar among the Internet giants, as well as some defenders of the right to free expression and legal experts who specialize in digital law. It also creates confusion among enforcement authorities, who wonder how the right to be digitally forgotten can be translated into practical reality.
Users wonder whether they will be able to force others to remove content about them from their personal pages; social network operators wonder whether they will have to judge the journalistic, literary or artistic value of photographs posted by users; and search engine providers wonder whether they will become the censors of the European states.
Revision of Convention 108
The modernization of Convention 108 was initiated on January 28, 2011, International Data Protection Day.
The objective of the modernization is twofold:
- to deal with the challenges resulting from the use of new information communication technologies; and
- to strengthen the Convention’s follow-up mechanism.
To date, consensus has been reached on certain issues: the general character of the Convention and its technologically neutral provisions must be maintained; its compatibility with the legal framework of the European Union must be ensured; and the Convention’s potential as a universal standard must be reaffirmed.
(Moreover, countries that are not members of the Council of Europe can also sign the Convention – following the example of Uruguay, which recently requested authorization to do so.)
Review of the OECD’s Guidelines
I had the honour of leading a volunteer group charged with providing advice to the OECD on the review of its Guidelines. The group included delegates of the European Commission and the Council of Europe.
We agreed early on that the eight foundational principles should not be amended. Rather, we believe that potential amendments should be made at another level.
For example, we could submit the following additions to the guiding principles to the OECD for approval:
- further clarify the principle of accountability;
- address the issue of mandatory breach notification;
- establish a link with the information security guidelines;
- emphasize the importance of creating independent authorities responsible for enforcing personal data protection laws;
- encourage the establishment of international agreements that foster extraterritorial data protection; and
- encourage member states to implement national data protection strategies.
The volunteer group will continue its work over the summer and will submit its recommendations to the Working Party on Information Security and Privacy (WPISP), which will forward the final recommendations to the OECD Council.
Proposals currently being studied in the United States
You may have noticed that I have not yet spoken much about the United States, despite the fact that the overwhelming majority of Internet giants are headquartered there.
The United States does not have private-sector data protection legislation – in spite of a number of attempts in Congress to change that.
However, the U.S. has a large number of sector-specific laws, which have been quite effective. The U.S. has also led the way with data breach notification legislation.
Furthermore, it would be a great injustice not to highlight the exemplary work of the Federal Trade Commission in consumer privacy protection. The positive effects of this work have been felt not only on our side of the Atlantic, but around the world.
Many were eagerly anticipating the release of the Obama government’s white paper on February 23, 2012, which proposed a more formal personal data protection framework. The framework contains four elements:
- a “Consumer Privacy Bill of Rights,” founded on a set of Fair Information Principles;
- codes of conduct, which would be developed by industry, consumer groups, universities and public authorities;
- effective Federal Trade Commission enforcement, including of codes of conduct voluntarily adopted by industry; and
- a commitment to improving interoperability with international counterparts, in other words, measures aimed at reconciling the differences between the American model and other models and facilitating co-operative enforcement of national laws.
Though it received less attention than the European Regulation, the Obama government’s white paper is no less important. And of course, it is important for us in Canada because of our close ties with our neighbours to the south. But the white paper is also of interest to the international community of privacy commissioners because the Internet giants who hold our collective attention invariably conduct their business from the United States, if not from the same zip code near San Francisco.
Conclusion: Effective protection of privacy rights in the 21st century
In conclusion, wherever they are, citizens of every country around the world share the same concerns and face risks in the protection of their privacy rights. It doesn’t matter where we live, we access the same Internet from the same platforms using the same devices.
Protecting privacy rights in the 21st century is a global challenge that requires a global response. It is a challenge that requires robust standards that will stand up to reality, that are flexible and that meet clear enforcement criteria.
You will have noticed that the same point is made in the various international standard modernization initiatives. Whether it is the Council of Europe, the European Commission or the OECD, all agree that the existing standards should remain intact – but that they should be enhanced with new standards that take into account new ways of using communication and information technologies.
The challenge of protecting privacy rights in the 21st century also requires concerted enforcement of these robust, enhanced standards.
The international community of authorities responsible for enforcing data protection legislation is currently engaged in this process, and the coordination of efforts and cooperation is materializing on several fronts.
To start, national authorities are exchanging more and more general information and have an ongoing dialogue on common issues. We also have an increasing number of structures that promote collaboration at regional and global levels, and among countries with cultural or linguistic ties.
At the regional and cultural level are the various European groups and the Asia-Pacific Economic Cooperation.
Under the International Organization of La Francophonie, there is also the Association francophone des autorités de protection des données personnelles.
With regard to Spanish-speaking countries, there is the Ibero-American Data Protection Network, which also includes Portugal, Brazil and some Caribbean countries.
At the global scale, we have the Global Privacy Enforcement Network (GPEN), an unofficial network of nearly 30 authorities. Its mission is to implement the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy adopted by the OECD council in 2007.
At the 33rd International Conference of Privacy and Data Protection Commissioners, held in Mexico last fall, we adopted a resolution on the coordination of the enforcement of privacy protection provisions at the international level.
The resolution provided for the creation of an ad hoc working group, which met in Montreal in May. I am proud of the success of that meeting, where we agreed on 10 measures that will be implemented in the coming months thereby translating the Mexico Resolution into concrete terms.
Collaboration in investigations and specific controls is also being initiated. For example, the Office of the Privacy Commissioner of Canada is currently conducting a collaborative investigation with a European counterpart into a company headquartered in the United States.
Each authority is conducting its own investigation, but we are pooling our resources and knowledge, and are communicating jointly with the respondent.
This collaboration was made possible through a memorandum of understanding that connects our two organizations. In order to collaborate internationally on the enforcement of laws and a true standard, we must have formal means of exchanging information on investigations we plan to conduct, and memorandums of understanding that connect more than two states at a time.
In light of our new technological reality, privacy rights around the world can only truly be protected through the concerted enforcement of concrete standards.
Thank you for your attention. I would now like to continue this discussion by answering any questions you may have.