Translating BCRs into a Canadian Context
Remarks at the International Association of Privacy Professionals (IAPP) Global Summit 2013
March 7, 2013
Washington, DC
Address by Chantal Bernier
Assistant Privacy Commissioner of Canada
(Check against delivery)
Introduction
Good morning and thank you for joining us this morning on this panel on Binding Corporate Rules (BCRs) beyond Europe.
Considering that Canada does not have a BCR system, I feel my first step today should be to explain why I was glad to accept Eduardo’s invitation to participate on a panel on BCRs.
The reason is twofold: first, our Office is focused on accountability as the key pre-condition for data protection and BCRs are one, prominent accountability instrument.
Second, our Office and the UK Information Commissioner’s Office are leading an initiative to encourage and promote enforcement cooperation as a means to address the global protection of personal data—which also happens to be precisely what BCRs seek to accomplish.
The issue then is how do various accountability regimes, BCRs in the EU and Fair Information Principles outside of the EU, compare and interact to build an effective regime for global data protection.
The key messages I wish to leave you with today are:
- that our purpose must be demonstrating accountability;
- that there is no better or worse mechanism by which accountability is demonstrated—be it a more regimented system like BCRs or a more flexible system like the Canadian model—but rather the product of legal and commercial policy decision, based, in each country, on a weighing of pros and cons that are dictated by legal traditions and national priorities.
I will address the topic today, by:
- Stepping back to clarify my use of the word “translating”;
- Distilling what I see as the essence of BCRs;
- Translating this essence in terms of the Canadian regime on accountability and on global privacy protection; and
- Finally, comparing the pros and cons of BCRs and the Canadian instruments for accountability.
Translating
A good translator will tell you that the objective is not to translate what is said, but what is meant.
This is what leads me to distill, so to speak, for the purpose of comparison, what is said in the description of BCRs and what is meant by it.
The essence of BCRs
A BCR is described as an internal privacy policy by which a company undertakes to protect cross-border data transfers amongst its own corporate entities, and which is approved by an EU data protection authority.
The Article 29 Working Party has recently approved the use of BCRs for third-party data processors hired by that company.
The purpose of this regime is to hold companies operating in the EU accountable to EU data protection standards in the risky world of cross-border data transfers, including where the company hires a third-party data processor. Through this regime, EU countries in fact extend their reach beyond their borders.
I would like to focus on how these central elements of accountability and cross-border reach are reproduced in the Canadian regime.
The Canadian regime
But first, let’s characterize the underpinnings of the Canadian regime.
Canada is known for its moderate approach, a hybrid between European legal tradition and North American commercial policies.
While we are sometimes derided for that gentle, middle-of-the-road approach, I believe that it deserves some clarification—not as a defense, but as an explanation.
The explanation is this: Canada has a British common law tradition and a French civil law tradition, and its private sector legislation is applied mainly in a North American context.
In the context of data protection in the private sector, we have integrated both legal traditions in our own legislative choices, while taking into account the commercial realities of trade in the North American context.
The result is different from Europe in that we have two privacy regimes, one for the public sector and one for the private sector. We are different from the US in that we have one private sector law for all industry sectors, and we have a Privacy Commissioner specifically focused on privacy rather than as part of consumer protection.
Our objective is to have a robust data protection regime with a flexible, trade-friendly approach. It is reflected in section 3 of our private-sector legislation, which states the purpose of this act as:
“to govern the collection, use and disclosure of personal information in a manner that recognizes the right to privacy of individuals with respect to their personal information and the need of organizations to collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
The result is a regime that may form a bridge between the European and American data protection regimes. It is characterized by the following features:
- We have an ombudsman role—so no enforcement powers, contrary to the FTC or other international counterparts, much to our chagrin—but we make the most of the powers we do have:
- We have the power to name, in the public interest—which is what brought us to publicly denounce what we saw as shortcomings in Facebook’s privacy settings or Google’s privacy protection governance in Google Wi-Fi;
- If the respondent does not accept our recommendations, we have the power to take the matter to court, either with the agreement of the complainant, as we did in Nexopia, a website directed at youth, or on our own where we have initiated the complaint ourselves.
- Unlike the EU regime, which applies to all manner of data controllers, ours only applies to commercial activity.
- Also unlike the EU regime, we do not require organizations or data controllers to register with us, but our legislation makes the Fair Information Principles mandatory.
- There is also no prohibition to transfer data for processing, and we do not use the concept of adequacy of foreign legislation—under the Fair Information Principle of Accountability, however, companies are required to “use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.” I will come back to that.
- Even with limited powers, and without a BCR regime, our Office asserts its jurisdiction abroad, as we have demonstrated in our investigations of foreign companies. There are two main criteria for us to exercise our jurisdiction over foreign companies.
- The first criterion is the presence of collection, use or disclosure of Canadians’ personal information in the course of international commercial activity.
- The second criterion on which we exercise our jurisdiction over foreign-based companies is the presence of a real and substantial connection to Canada. We use a variety of factors to establish this connection, including:
- location in which the activity complained of takes place;
- location to which information and profits flow;
- location of preparatory activities;
- residency and/or location of parties involved, including end users, intermediaries, content providers or host servers;
- location of contract;
- location of any potential related proceedings;
- jurisdiction where promotional efforts are primarily targeted.
Most recently, we exercised our jurisdiction over the US company WhatsApp in a coordinated investigation with the Dutch DPA. I will elaborate on that further as well.
- And finally, while our Office does not have the enforcement powers that the FTC or foreign counterparts have, as I mentioned earlier, other Canadian regulators have overlapping jurisdiction that may apply to data protection—and some of them do have enforcement powers. An example of this is a 2012 decision of the Canadian Radio-television and Telecommunications Commission, the CRTC, which worked with the FTC and the Australian Communications and Media Authority to fine an Indian company for misuse of personal information of Canadians, when the company in question was found to offer them computer virus protection that led to the victims losing control over their computers. In 2011, the CRTC also exercised its jurisdiction beyond our borders to stop a Mexican company from calling Canadians that had specifically registered on a Do-Not-Call list.
So let me move from that broad legislative context to home in on accountability, the first essential element of BCRs, and how it translates in Canada.
The basic concept of accountability in Canadian law requires that:
- an organization is responsible for personal information under its control;
- and for personal information that it has collected and transferred for processing.
The obvious application is the cloud, but it also includes external service providers such as health insurance services for a company’s employees, data processors for disposal, etc.
The flexible, principles-based regime we have chosen corresponds to policy choices towards enabling commerce. More specifically:
- Our regime seeks to favour interoperability in the global context by focusing not on the means to protect data but on the ends. The premise is that the goal does not need any more specific definition than the protection of the right to privacy of individuals with respect to their personal information. This allows for compliance with our legislation by companies that abide by other domestic legislation, as long as it ensures the same end. While we may seem less demanding, we would argue we are more so: by focusing our demands on the end rather than the means, we force companies to come up with the means by themselves.
- That being said, we have not entirely left companies to their own devices. Last year, with the Commissioner of British Columbia and the Commissioner of Alberta—who, with the Commissioner of Quebec, are the only provincial Commissioners in Canada to have jurisdiction over the private sector—we have developed a Guidance document entitled Getting Accountability Right with a Privacy Management Program. The link to BCRs is this: the step-by-step guidance for Canadian companies and companies that do business in Canada to ensure that they can develop and demonstrate proper data protection policies, and that their practices buttress the reliability of their privacy policies and practices in a manner that should also enhance their reliability in the eyes of EU Data Protection authorities and thus assist the BCR approval process.
- This same guidance document, which is based on our legislation’s stated objective to reconcile the right to privacy with the need for organizations to use personal information, is in line with the proposed European Regulation which focuses so explicitly on data protection as a matter of trust, and on trust as a matter of economic competitiveness. Customers will walk away from a company that does not adequately protect personal information.
- Finally, this document clarifies the extension of the duty of accountability by contracted third parties, an issue so topical in the era of the cloud and central to BCRs as well.
Just as BCRs seek to govern the protection of data that is leaving the country, Canadian legislation requires that a transferring company exercise due diligence in several ways:
- The information must be protected through contractual clauses to ensure a “comparable level of data protection”;
- The level of protection must be commensurate to the level of sensitivity of the information; and
- It must take into account the requirements of the foreign regime.
This brings me specifically to the second essential element of BCRs, transborder data flows, and how that is translated in the Canadian regime.
Again, some clarification of the Canadian regime needs to be made:
- Our legal regime does not make a distinction between domestic and international data transfers—in both cases, accountability rests with the transferring organization, which must ensure continuity in the level of data protection.
- Neither does our legal regime make a distinction between internal or third-party data flows—while BCRs only apply to transborder data flows within a company, our legal regime has one requirement that applies to all transborder data flows, either within a company or with a third party; the condition is that the transferring company must ensure that the level of protection remains comparable, and the transferring company remains accountable for that.
- This duty will be fulfilled by:
- Contractual provisions or other means that bear on standards of data protection;
- Regular audits by the transferring company; and
- Inspections as necessary by the transferring company.
The defining point is that “transfers” do not constitute disclosure, but use – the consequence is continuity of the applicable legal regime at the moment of collection, subject to foreign law, after transfer.
So, even without BCRs, Canada clearly has a regime for a continuum of data protection across borders. But we go further than that.
So let me turn to our approach to data protection in the global context.
It is a priority for our Office to contribute to the efforts being made to favour global privacy compliance: as data can no longer be contained within borders, protection must extend beyond borders.
With that view, we have been contributing to the OECD’s renewal of the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, and we have recently broken ground on global enforcement of data protection.
I will mention two main initiatives under this last point:
- First, with our UK counterpart, we are leading a working group of Data Protection Authorities on global enforcement—we envisage cooperation in holding multinationals accountable for privacy protection, in taking joint positions on worldwide corporate initiatives, in joining forces by rallying behind one authority rather than duplicating efforts in analyzing or investigating multinational privacy policies or practices. To operationalize this direction, our Office has concluded four bilateral MOUs with to exchange information necessary to exercise our functions in a coordinated fashion.
- Second, as I mentioned earlier, we have just completed with the Dutch Data Protection Authority the first internationally coordinated investigation. We both became aware of some practices of an American company called WhatsApp, a messaging via Internet service, which caused us concern, namely in relation to safeguards (messages were not encrypted), transparency (the breadth of disclosure of location was not clear enough), and collection (the company would collect information about non-users to distinguish them from users).
- WhatsApp was very cooperative and has already implemented corrections to address some of our concerns. We believe that collaboration with the Dutch enriched our investigation in several ways:
- WhatsApp was probably even more inclined to cooperate seeing two DPAs investigating rather than just one.
- We concluded the investigation much more quickly than usual owing to a few reasons, including: (i) the aforementioned responsiveness of WhatsApp given the joint intervention of our agencies; and (ii) the division of certain investigative responsibilities between our Office and the Dutch. The Dutch assumed much of the technological analysis, while our Office, in addition to assessing the technological findings with the Dutch, assumed the primary communication and negotiation role with WhatsApp.
- We used our resources much more effectively by pooling them. We believe more such activities will follow.
Pros and Cons
Let me conclude now with a comparison of accountability for cross-border transfers under the rules-based BCRs and the principles-based Canadian regime, under what could be called lost—or gained—in translation:
- BCRs, we admit, provide greater control over data holders on the modalities for data protection; our regime, however, provides greater flexibility to foster compliance on the basis of principles rather than rules;
- BCRs also provide greater prevention: having an EU DPA approve the modalities ahead of the transfers ensures that all the applicable rules are in place. The Canadian regime, on the other hand, favours trust; we certainly do not believe in a self-regulatory regime, but we believe that the competitive advantage of privacy protection combined with clear, mandatory Fair Information Principles enshrined in our legislation, puts the responsibility for data protection where it belongs: on the companies.
- BCRs bring forward rules with the advantage of clarity and specificity of conditions. By choosing principles over rules, our regime seeks to provide the room for a company to comply according to its size, nature or other material circumstances, without compromising the fundamental purpose of privacy protection.
- Finally, BCRs are grounded in EU rules and therefore force foreign companies operating in the EU to comply with both their domestic regime and the EU’s regime. Canada’s regime favours interoperability since it accommodates different rules as long as they meet the Fair Information Principles.
There are also advantages that are offered equally in both approaches: 1) harmonizing privacy practices within a corporate group, 2) ensuring continuity of protection and risk mitigation in transfers to third countries, 3) creating a public record for external communication of a company policy, 4) creating an internal record for employees, guidance and, 5) integrating data protection to the company’s business, whatever it may be.
I do not judge one regime to be above the other, but I would like to conclude by leaving you with this question: In a globalised world where there is diversity of rules but uniformity of purpose, how must each regime adapt to continue to be effective?
I look forward to your comments.