Strengthening Global Privacy Law Enforcement: Building Bridges
Remarks at the Privacy Laws and Business 26th Annual International Conference Bridging Privacy Cultures
July 2, 2013
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
I have been asked to speak with you this morning about an issue that is central to our conference theme of Bridging Privacy Cultures: Strengthening enforcement cooperation among data protection authorities around the globe.
I could go on at length about the importance of working together in a landscape where privacy transcends borders; where we increasingly face multinational organizations launching products and services globally; and where resources to enforce privacy laws are limited.
Recent revelations about the extent of mass surveillance on the one hand and commercial use of Big Data on the other underscore how important it is for data protection authorities to become more efficient.
I do believe we have reached a point where there is almost universal recognition that enforcement cooperation is essential to protecting privacy rights around the globe.
This is illustrated by the fact that so many dedicated and insightful people have gathered here in Cambridge to gain a better understanding of the various approaches to data protection.
We know that we must cooperate in order to be successful.
Now comes the really hard part: Figuring out how to make that work in practice.
As many of you know, I am now in the final stretch after a decade as Privacy Commissioner of Canada. Bolstering international cooperation has been an important priority right from the start of my mandate.
My remarks today draw from my experiences over those 10 years. I would like to speak with you about some of the challenges I think we face as we try to strengthen enforcement cooperation and also share a few thoughts about the way forward.
Some of the most significant challenges are the following:
- First, our different approaches to privacy – our seemingly different privacy cultures;
- Second is what I’d describe as the “nuts and bolts” of cooperation – how organizations with different laws actually cooperate;
- A third challenge is enforcement powers – for cooperation to be meaningful, you need to have meaningful sanctions;
- The final challenge I would like to discuss today relates to the many countries – some of them major economic powerhouses – that either have brand new privacy laws, or no privacy laws at all.
Of course, as anyone who works in this field knows, those are only some of the potential obstacles we face.
All of this may sound a bit discouraging, but I promise to also leave you with plenty of reasons to feel hopeful.
We have already made progress – we are building bridges – and I believe we can make significant headway in the years to come.
Challenge 1: Different Approaches to Privacy
Perhaps the most obvious challenge for enforcement cooperation between data protection authorities is the fact that the formal philosophical underpinnings of legislative approaches to privacy differ significantly in various parts of the world.
While that challenge is there – and I’ll talk more about it in a moment – I do want to pause to emphasize that it is important not to overstate the differences.
Although privacy has so many meanings around the world, what is common is that they all relate to shared aspects of the human experience. We all need privacy.
Privacy laws around the world are based on widely accepted basic principles such as limiting collection and only using personal information for purposes for which it was collected.
There is plenty of common ground that will help pave the way for greater cooperation – even if our different approaches do result in a few bumps on the road. I was encouraged by Professor Colin Bennett’s presentation on the shared values of different national populations.
But divergent historical approaches mean that the architecture of privacy laws also differs.
For example, we see differences in how important concepts are defined: What is personal information? What constitutes meaningful consent?
We also see variations in the obligations imposed on organizations, and also in the scope of laws.
EU Reform Debate
At times, contrasting doctrines can result in friction – as we have seen in the trans-Atlantic back-and-forth over proposals to update the European Union privacy framework. The EU, as I have said before, leads the way in defining the standards of data protection, and in articulating central issues for individuals, such as the right to be forgotten.
Hence it may not be surprising that the draft General Data Protection Regulation apparently ranks among the most lobbied legislation ever introduced in the European Parliament.
While I find it can be disheartening to watch the sometimes bitter debate unfold, I remain cautiously optimistic that positive developments for privacy cooperation will ultimately emerge.
It seems to me that sometimes we in the world outside the U.S. underestimate the protections for personal information in the United States. That said, there are some gaps – a situation that a New York Times headline referred to as “an American quilt of privacy laws, incomplete.”
If the U.S. adopted comprehensive legislation – for example, along the lines of the proposals in the Obama administration’s privacy white paper – it might go a long way to easing some of the current tensions by changing widespread perceptions, and by helping those of us outside the U.S. understand what the bottom line may be. However, we must deal with the reality of the American political system and understand that this may never be.
A Question of Adequacy
One of the issues I will be following with particular interest is how the EU addresses the issue of adequacy as part of its ongoing review.
Those decisions could have important consequences for countries such as Canada, Israel and New Zealand, where laws have been deemed adequate, and Australia, whose privacy law has not yet been deemed adequate.
A committee of the European Parliament has proposed that existing adequacy decisions should be reviewed two years after the adoption of the Regulation.
I believe that, before such a review happens, there should be a set of criteria made public, after consultation with adequate countries. Such adequacy criteria should be based on the application of the national law in question and results of that law’s application, rather than on the evaluation of the formal legislative wording.
A law that looks different than European law, but has teeth and is regularly and forcefully applied, may do a better job of protecting the privacy of its citizens than a law that looks good on paper, but lacks meaningful enforcement.
The challenge of reaching agreement in the face of different privacy approaches was also evident during discussions to update the OECD Guidelines on the Protection of Privacy and Transborder Flows of Data.
Several weeks ago, I attended a difficult OECD meeting to discuss possible revisions to the Guidelines. As some of you may know, there were numerous points of contention, including the “independence” of authorities; references to “adequacy”; language regarding restrictions on transborder data flows; mechanisms to promote interoperability.
Fortunately, despite our differences, we were able to find common ground. I was very happy that we resolved our disagreements, as the OECD guidelines remain the only floor-level data protection principles adopted by a range of economies which are nevertheless free to go farther in data regulation.
The recommendations will soon be going to the OECD Council for approval.
Challenge 2: The Mechanics of Cooperation
Let’s turn now to a related challenge: Dealing with some of the more nuts and bolts issues we come up against when data protection authorities look at working together.
We need mechanisms that will allow us to work efficiently, rapidly – and get results at the end of the day.
The sluggishness of reaction in the data protection community has not made us more effective, either together or individually.
When it comes to the mechanics of cooperation, some of the major issues to be addressed relate to information sharing.
Some jurisdictions still cannot share information under their legislation. This is a problem which needs to be addressed.
In Canada, our private sector legislation was only recently amended to allow us to share information with other data protection authorities.
As a result, we have been able to sign bilateral information-sharing arrangements with four European authorities, creating the opportunity to collaborate with our Dutch colleagues on the WhatsApp investigation – and, I hope, many other future joint investigations. Billy Hawkes, Ireland’s Data Protection Commissioner, mentioned our current investigation of the recent Facebook leak.
Coordination is another issue. If a privacy issue affects multiple jurisdictions, we need to figure out how to coordinate the response across the globe. Do you appoint a lead data protection authority? If so, how involved should other jurisdictions be in an investigation as it proceeds? And, more and more often, we are dealing with the communications challenge of explaining to your country’s citizens that another nation will take the lead on a major privacy issue.
These are not minor obstacles.
The good news is that there is a tremendous amount of work being done to try to address them. In fact, there are far too many initiatives underway to mention them all here, but I will point to a couple of examples.
In 2011, international data protection and privacy commissioners passed an important resolution on encouraging and facilitating privacy enforcement coordination at the international level.
My Office and our colleagues in the UK are co-chairing a working group that will come up with a practical framework to translate the words in the resolution into action. We’ve made great progress on this front.
At the International Commissioners’ Conference that will be held in Warsaw in September, we will be in a position to discuss improved mechanisms for information sharing, as well as the steps we’ve taken to address common privacy threats.
We have already developed a set of principles to guide enforcement cooperation and we’ve had discussions about how to address cooperation barriers, with productive meetings in Montreal and Washington and regular teleconferences to discuss common threats.
An action flowing from these efforts is the recent joint letter to Google raising questions with respect to Google Glass.
Another step forward is the fact that the European Commission’s Directorate General Justice has provided funding to the PHAEDRA consortium to identify barriers on international cooperation and make recommendations for improving cooperation and coordination.
The consortium working on this two-year initiative is made up of academics, the Polish data protection authority and a research and consulting group.
Putting Cooperation into Practice
We are beginning to see examples where cooperation is already working in practice. Countries with different laws are finding ways to work together.
The Canadian-Dutch coordinated investigation of WhatsApp is one example.
The recent international Internet Privacy Sweep coordinated by my Office also illustrates how differences in the details of various privacy laws can be overcome.
A very diverse group of 19 privacy enforcement authorities from around the globe participated in the first annual international Internet Privacy Sweep – an initiative of the Global Privacy Enforcement Network.
While we have different laws, we were able to agree on a common theme to address – privacy practice and transparency – by keeping it at a high level and allowing for flexibility in approaches.
I would like to more briefly touch on two further areas that can present challenges.
Challenge 3: Adequate Enforcement Powers
One of these is the need for adequate enforcement powers. As I said earlier, for cooperation to be meaningful, data protection authorities need to be able to bite, not just bark.
Enforcement powers are critical.
At the moment, various authorities have very different powers and that could be an impediment to cooperation.
For example, some authorities cannot conduct audits and inspections of private sector companies on their own initiative. Some have the power to fine; some do not; and some can fine only under very limited circumstances.
Clearly it would be a challenge for an office without significant enforcement powers to conduct an investigation on behalf of other offices that are able to impose significant sanctions.
Unfortunately, Canada is one of the laggards in this regard.
Right now, the only real power I have is to name an organization. And, while we have seen some success with that, it is simply not enough of an incentive to ensure that organizations are investing in – and effectively addressing – privacy issues.
Some of my European counterparts, like the U.S. Federal Trade Commission, are also able to impose attention-getting sanctions.
The proposal to harmonize enforcement powers across Europe would be an important step going forward, setting an example for other jurisdictions.
Challenge 4: Bringing Countries with New Laws or No Laws into the Privacy Tent
In the interest of time, I will touch only briefly on the final challenge I would like to highlight today: Bringing countries with new laws or no laws into the privacy tent.
In every corner of the globe, we have seen a proliferation of countries adopting privacy legislation.
Comprehensive data protection laws have recently been adopted in countries as diverse as Singapore, Colombia and Angola.
We need to bring them into the global privacy dialogue.
To this end, our Assistant Commissioner, Chantal Bernier, recently attended a meeting of the Latin American Congress for Data Protection, where she spoke on best practices for innovative enforcement.
Meanwhile, as transborder data flows grow, it will become ever-more important that countries that lack comprehensive privacy laws, but play an increasingly important role in the global economy, have effective laws in place.
There is some very positive work already underway to develop connections with countries that have not historically been at the table when privacy issues are discussed internationally.
I would point to, for example, the Association francophone des autorités de protection des données personnelles, APEC, and the Ibero-American Data Protection Network. Those are all good first steps, but further efforts are needed. It is incumbent on larger authorities, such as my own Office, to continue to work to bring others into the tent.
In conclusion, it remains clear that, after years of discussion, many questions still don’t have answers.
Global cooperation is difficult.
And it is made all the more difficult by broader national and regional interests that colour all international talks.
Discussions about personal information handling practices and regulation are often proxies for more difficult debates about economic priorities, attitudes with respect to the role of government, and national security strategies.
Over the last decade, I have spent countless hours discussing these issues, and I confess that there have been moments when I have felt discouraged that the common purpose of strengthening personal information protections does not outweigh the stumbling blocks in our path. Often, I have felt there is not enough of a sense of urgency.
But I have also had the great privilege to be part of inspiring conversations that have left me with an optimistic outlook on the future.
There are many, many talented, bright people in the data protection community who are deeply committed to making progress and making cooperation work.
The critical element to making cooperation work is already in place: good will.
The will is there, and we are moving forward in a positive direction and building those urgently needed bridges. As Baudelaire told us: “Joy always comes after pain.”