Canada’s Response to thes... · 2013-05-28 · –Competition might prompt a greater desire to close the gap . RESPONSE #3: the principled response Our self-interest lies in: •retaining


Canada’s Response to the EU Privacy Regulation

Constantine Karbaliotis, CIPP/C/US/E/IT, CIPM

Americas Privacy Leader, Mercer

SESSION DESCRIPTION

Canada has not been troubled to the extent the US has in relation to the proposed EU Privacy Regulation; but should we be complacent?

Does Canada, both public and private sectors, need to think about:

1. The impact on our status as ‘adequate’ – is this at risk? Do we need to amend our privacy legislation to meet the heightened expectations of the EU? Are our ‘subdivisions’ at risk?

2. The proposed regulation’s impact on the US – the regulation is challenging the US’ willingness and ability to meet the new standards. Is this a problem for us? An opportunity?

DISCLAIMER

This represents the views of the presenter, and not of any of his:

–Employer

–Privacy organizations to which he may belong

–Anyone else, perhaps

But these are questions that may be useful to consider – and have answers to

ORIGIN OF THIS

“What is Canada’s response to the draft EU Privacy Regulation?”

–Privacy officer in the US

•Thoughts:

–Should we have one?

–Why don’t we have one?

A DISCUSSION IN TWO PARTS

• First, what should we be thinking about as a country - federally and provincially - to address the changes presented by the EU draft Privacy Regulation

• Second, what position should be taken in regards to the US and EU frictions over the proposed changes

IS OUR ADEQUACY, ADEQUATE?

WHY DO WE NOT HAVE A POSITION?

• Adequacy?

– We are adequate under EU law; we don’t have to do anything

– Our laws will meet the new EU draft Regulation’s requirements

• Complacency?

– Can we assume that our current adequacy is enough?

– Perhaps we don't want to examine this closely

– The EU hasn’t updated its page on Canada & PIPEDA since 2003

DISCUSSION PAPER: The Case for Reforming PIPEDA (released May 23, 2013), Office of the Privacy Commissioner of Canada

• “One of the reasons PIPEDA was enacted was to create a vehicle that would facilitate the flow of personal information from EU member states to Canada…The adequacy concept is retained under the Regulation.”

• “It is an open question as to what effect the proposed Regulation, if passed in its present form, might have on Canada’s adequacy status, given the current state of PIPEDA.”

COULD ADEQUACY BE REVOKED?

• EU has shown willingness to take action on and challenge adequacy of member states

– Hungary

• Draft regulation explicitly addresses determination of adequacy and extends ability to recognize sub-divisions - as well as to determine that a country or sub-division is not adequate, and to monitor on an ongoing basis

– Draft EU Privacy Regulation, Article 41 paras. 1-6

WHY WOULD OUR ADEQUACY BE AT RISK?

•Adequacy in current draft is based upon sufficiency of sanctioning power by an independent data protection authority (EU Draft Reg. Art 41(2)(b))

–Have our laws kept pace:

–Breach notification

–Penalties and order-making

–Onward transfers from Canada

–The right to be forgotten

–All of which must be regarded in light of the Draft EU Regulation's stringent provisions

WHY WOULD OUR ADEQUACY BE AT RISK (2)?

•Adequacy in current draft is based upon sufficiency of sanctioning power

•Lack of coverage of laws to all aspects of personal information

–Employee privacy is not protected under PIPEDA unless under federal jurisdiction, or in a province lucky enough to have a provincial privacy law

–Latest drafts have removed "sectoral" recognition because:

"...it would increase legal uncertainty and undermine the Union's goal of a harmonised and coherent international data protection framework".

–If we cannot have sectoral recognition, how can there be sectoral exemption?

ADEQUACY REAL OR PERCEIVED?

• To what extent is high regard of Canadian privacy due to personalities of Canadian privacy commissioners?

• Is the strength of Canadian privacy really our commissioners’ outreach more so than from the strength of our legislative framework?

• Would changes alter EU views of our adequacy?

CANADA’S POSITION

• Canada is not likely to be ‘first’ on the list for possible review

• Of the league of the ‘adequate’, other countries may be first to be reviewed:

–Questions of resources, existence of independent authority may attract more attention

• Are we keeping up with the league of the adequate?

–Australia is bringing in mandatory breach notification

–Were we lucky to be considered adequate in the first place, given how hard it was for Australia?

SUB-DIVISIONS

• Could Canada remain considered adequate – but a province not be adequate?

Draft EU Privacy Regulation, Article 41 para. 5

– WADA issue in Quebec – assertions of inadequacy?

– Perhaps also - not deemed ‘substantially similar’ under PIPEDA?

• Could a province be recognized as adequate – and not the rest of Canada?

• Alberta alone has coverage, enforcement, breach – last one standing?

THE CANADIAN RESPONSE TO THE US RESPONSE

WHAT ABOUT OUR FRIENDS IN THE US?

• We are interested in the US response for a number of reasons:

• We work for companies which have operations in the US, or are subsidiaries of a US company

–The US is our largest trading partner

• The Draft EU Regulation is a "destabilization of the equilibrium" created by a combination of Safe Harbor, model clauses

Schwartz, The E.U.-US Privacy Collision

• So what should we do about the US friction with the EU over the draft Regulation?

OPPORTUNITY OR RISK?

•What are the down-sides to a failure to reach accommodation?

–Onward transfers from Canada - limited or requiring more explicit protection (model clause?)

–Limitations on companies doing business in the US because of shared systems with US operations

•What are the opportunities?

–Canadian data centres could use our “regulatory advantage” – if we maintain adequacy – to attract business and become the data hub for organizations needing to manage both EU and US data

– "Near-shore" support for US with similar language and time zones

RESPONSE #1

Our self-interest lies in facilitating data flows internationally, and assisting our largest trading partner in reaching an accommodation with the EU

– “Can’t we all get along?”

–Perhaps naive to think we can play peace-maker given the positions of each side

RESPONSE #2

Our self-interest lies in utilizing our regulatory advantage, and becoming a data hub for personal information transfers from both the EU and the US

–Too mercenary?

–Competition might prompt a greater desire to close the gap

RESPONSE #3: the principled response

Our self-interest lies in:

• retaining our status of adequacy with the EU to facilitate the free flow of information consistent with the view of privacy as a fundamental human right

• encouraging a rapprochement in privacy between our largest trading partners, the US and the EU, to support international trade and development, and,

• maximizing the value of the Canadian approach to privacy by becoming a data hub for personal information transfers from both the EU and the US

CONCLUSION

• Without pretending to be right on any of these points, it seems that it is a worthwhile effort to develop some position on the EU draft Privacy Regulation

• There is no sword currently hanging over our heads - but developing a position - and making changes if required - will not happen overnight

CONCLUSION (2)

• Amendment of PIPEDA in line with May 2013 Discussion Paper

• Primarily for ourselves, but also because of our desire to continue to do business with the EU and perhaps to take advantage of our natural advantages

• Development of economic strategy in line with the ‘principled response’

• Coordination with provinces to ensure:

1. “Substantially similar” legislation

2. Coverage of employee data

3. Consistent breach notification requirements

4. Codify federal-provincial cooperation on investigations, other

SOURCES

• Jan Philipp Albrecht, "Draft Report 2012/0011 (COD)"

• Paul Schwartz, "The E.U.-US Privacy Collision: A Turn to Institutions and Procedures"

–http://www.harvardlawreview.org/symposium/papers2012/schwartz.pdf