A Canadian Perspective on Data Protection

Data Protection and Security: A Transnational Discussion

May 5, 2006
Washington, DC

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)


Introduction

Many of you in this audience have no adult experience with that technologically naïve, but privacy protective world in which the first Canadian and American privacy legislation was born.  Yours has been a very different experience. 

You grew up in a society characterized by increasingly sophisticated – some say almost ubiquitous – surveillance technologies.  You live in an environment of truly global business.  As Joseph Alhadeff, the CPO of Oracle, says, the information economy has enabled business to distribute functions “across geographies” – including payment processing, customer service, and data centres.  Networks, he says, are the new spice routes.

And in recent years, that sophisticated technology of surveillance has been married with fears – some justified, but some excessive – over national security that have led to calls for even greater surveillance capabilities. 

What was once seen as extreme in terms of intrusiveness has now become the norm.  And the legislative tools for protecting privacy, some of which were developed over two decades ago in that halcyon era for privacy, are no match for increasingly intrusive technologies and information-hungry governments and commercial interests.

Lawyers working in any field which overlaps with issues of personal information protection must take a global vantage point. Their clients do business on many continents and across jurisdictions. Yet the citizens and consumers and shareholders back home demand that national standards be nonetheless observed.

And unlike in the more leisurely days of the last century, businesses and consumers alike are not reassured by the eventual promise of court action somewhere in the world. They want reassurance about enforceable standards – whether it be preventing data spills or ensuring whistleblower provisions or, in the case of the Europeans, the assurance of comparable-level data protection legislation.

I am taking this opportunity to talk to you today about Canadians’ and Canadian laws’ approach to personal information protection. It is a tailored blend of European and American data protection principles which has grown over 25 years through Supreme Court of Canada interpretations and the realities of ever-changing business imperatives.

Privacy Concerns Relating to the United States as a paradigm for issues in transborder data flows

The privacy climate has changed over the past two decades.  It has changed profoundly in the last five years.

What happens in the United States can have substantial consequences for Canada.  All Canadians are aware.  We are a geographically large country, but with a population that is a small fraction of that of the United States.  We are therefore not as economically powerful, and we are strongly affected by the actions and attitudes of the US. 

Thirty-seven years ago, at the National Press Club here in Washington, former Canadian Prime Minister Pierre Trudeau remarked that living next door to the United States was in some ways like sleeping with an elephant.  No matter how friendly or even-tempered the beast is, he said, one is affected by every twitch and grunt. 

The preoccupation of the United States about national security in particular has had consequences for Canada.  As allies, we have of course long shared information among our police and intelligence agencies.  That sharing is on the increase, and means that ever-greater amounts of personal information about Canadians will end up in the hands of US government agencies. 

In the past, Canadians by and large accepted information sharing as part of the political environment on this continent.  But they are now more fearful about what will be done with personal information flowing to the United States. 

This issue came to a head almost two years ago when British Columbia’s Information and Privacy Commissioner began to look at the implications of the USA PATRIOT Act for personal information about Canadians.   My Office participated in that examination, as did many other organizations.

The USA PATRIOT Act, first enacted in 2001, has given additional powers to the FBI to get access to information held by corporations, including information about Canadians that may be processed in the US by corporations here.  That is fair game – after all, the operations of companies in this country should be subject to the laws of this country. 

However, the USA PATRIOT Act has kindled an awareness among Canadians of the lack of protection of their personal information when it crosses borders. 

First, they are worried about what is portrayed as the relative ease with which the FBI can get access to information about them that is held in the United States.  The obvious and perhaps too simplistic answer for this, although complicated by the Canada-US Free Trade Agreement, is for Canadian companies and governments to restrict flows of personal information about Canadians across the border.

This is not only an issue between Canada and the United States.  The loss of control over personal information when it crosses borders is common to data flowing from Canada to any country.

Canadians are also very much concerned about another aspect of the USA PATRIOT Act, the extraterritorial reach of the Act into Canada.

Canada’s federal government institutions also outsource much of their data processing, so there are concerns about the reach of the USA PATRIOT Act into government databases that have been outsourced to companies in Canada or the United States for processing. 

Of course, Canada regularly shares personal information with the United States under agreements between the two countries.  However, this occurs or is supposed to occur under formal undertakings, not the relatively opaque access by one country to the databases of the businesses of another. 

Just last month, Canada’s Treasury Board Secretariat published a strategy to address concerns about the USA PATRIOT Act and transborder data flows.  My Office was consulted on the development of this policy. The strategy is designed to ensure that the privacy rights of Canadians are protected when federal government institutions consider outsourcing activities involving personal information.  In practice, this will mean that private sector contractors to Canadian government agencies will need to show Canadian federal institutions that they can be trusted to protect the personal information that is outsourced to them. Risk analysis must identify and suggest how to mitigate the various privacy threats.

Encryption, privacy impact assessments, firewalls and strong contractual language will go far in all but the most sensitive cases. This tailored approach, rather than an outright ban on outsourcing of personal information, seems to me to provide a practical and workable way of dealing with privacy protection issues.

The Canadian Approach to Privacy

The environment for privacy is becoming increasingly harsh in many countries, and privacy legislation designed for more benign conditions needs updating, sometimes substantially.  That said, there is much to commend the basic legislative approach to privacy in countries such as Canada.

Canada has had federal public sector data protection legislation that encompasses a set of fair information practices since 1983.  In this sense, it is behind the United States, which has had its Privacy Act since 1974.  However, the Canadian federal legislation, called the Privacy Act like its American counterpart, has one major difference from the American law. 

The Canadian Privacy Act gives authority to a Privacy Commissioner, an ombudsman, to oversee the application of the Act.  As Privacy Commissioner, I am appointed for a fixed term and I report directly to Canada’s Parliament.  I can apply to Federal Court for an order. I also have a voice on privacy issues – through advocacy before Parliament, through research, and through public education.  Individuals who believe that their protections under the Privacy Act have been violated can complain to my Office.  We will investigate their complaint and, if necessary, in very limited circumstances of denial of access, take their case to Federal Court.

Canada has moved on the private sector data protection front as well in order to comply with the European Directive.

In 1994, in preparation for the coming into force of the European Directive, Quebec adopted private sector legislation. But it created a new enforcement approach. The law set out the principles, and organizations were expected to follow them. There was no obligation to register data files or identify a data controller.

Canada followed this light regulatory approach with the Personal Information Protection and Electronic Documents Act – PIPEDA – in 2001.

As with the federal Privacy Act, the Privacy Commissioner of Canada has responsibility for overseeing the application of PIPEDA.  My Office investigates complaints, takes cases to Federal Court, conducts audits, issues reports, liaises with industry and consumer groups, and reports directly to Parliament about the private sector privacy issues of the day.  The Act now extends to almost all commercial activity in Canada, whether federally or provincially regulated, except in those few provinces, like Quebec, Alberta and British Columbia, and Ontario for their health services, that have enacted substantially similar provisions to cover activities within those provinces. 

Last year we investigated a complaint that the Canadian Imperial Bank of Commerce’s credit processing of customer data in the U.S. was contrary to PIPEDA. We decided it was not, because CIBC had complied with the all-important accountability principle. It had bound the other, U.S.-based party to comply with Canadian standards and offer Canadian-level protection for the personal information in its custody. PIPEDA does not, as a matter of law, specifically require a notice that personal information may or will be outsourced. But we encourage organizations to give this notice to potential customers in cases where the processing is being done in another country, so that customers may assess the risks for themselves. Full information about the safeguards in outsourcing may give some organizations a competitive advantage in a jittery market.

I am not here to suggest that the Canadian approach to data protection, private or public sector, is without its flaws. 

As in the United States, Canada lives with a tangle of jurisdictions that make it challenging to secure uniform privacy protection.  But the Canadian approach captures many of the benefits of data protection legislation in many European countries, while not becoming overly burdensome.  There is no requirement in Canadian legislation to register databases, for example.  No yearly fees to remit. No reports to file.

And we operate federally using an ombuds approach.  We have powers of audit and powers of investigation.  We have the tool of publicity and court action when it is necessary to encourage recalcitrant companies and government institutions to respect the fair information practices set out in our legislation.

My provincial colleagues have direct enforcement and adjudicatory powers, but even they settle most of their complaints amicably.

I know that there has been discussion in the United States about moving towards federal private sector data protection legislation.  I recall the statement of support for such legislation by FTC Commissioner Pamela Jones Harbour in March, and I am also aware of the position taken by companies such as Microsoft, Intel and Hewlett Packard in favour of such legislation. 

I can only encourage American legislators, companies and consumer groups to look to the Canadian private sector legislation.  The United States can and does move quickly on particular privacy issues when it gets the wind in its sails on specific issues. 

Take a look at the number of states that now have enacted reporting requirements for companies that have suffered breaches of their personal information holdings.  Congress has enacted federal privacy provisions in legislation specific to certain sectors – financial institutions, health care providers, cable operators and telecommunications carriers. 

There are specific laws to address matters such as spam and children’s online privacy.  It may well get the same wind in its sails for comprehensive private sector legislation.

The Canadian private sector data protection model, despite a need for some fine tuning, generally fits well into the global privacy environment. On one hand, the whistleblower protection demands of the Sarbanes-Oxley Act have yet to meet any privacy-based objections in Canada, as far as I know.

On the other hand, the EU Commission has concluded that PIPEDA provides an adequate level of data protection, making Canada one of a handful of countries outside the EU to have received this approval – an approval that greatly facilitates the flow of personal information from within the EU to Canada. 

Personal data can flow from EU member states and three EEA member countries (Norway, Liechtenstein and Iceland) to Canada without any further safeguard being necessary.

Conclusion

PIPEDA is slated for a review by Canada’s Parliament this year.  We have identified several areas where the law needs to be fine-tuned to reflect the realities of the modern business environment and the concerns of Canadians about the handling of their personal information by the private sector.  We are interested in the American experience of notification of privacy breaches. How should we incorporate it into our own law?

Maybe I am stepping outside the traditionally modest Canadian persona in doing so, but let me suggest to you that the Canadian model for the protection of personal information in the private sector merits serious attention by our international and American friends. 

Canadian private sector data protection law is flexible and realistic, two attributes that would make a similar legislative framework here sit well with the dynamic character of North American business.