Privacy Practice Fundamentals: Understanding Compliance Regimes and Requirements

This is the presentation from the class I taught at the University of Toronto Faculty of Information Sciences graduate school - a major challenge to capture the concepts in less than 3 hours!

  • can you please email me a copy of this presentation? dainabyrne@gmail.com
  • Thank Ruth for the opportunity to speak with you today
  • we have a very ambitious agenda – won’t do all the slides in detail but want them to have reference materials. When you heard the topic for today’s class – groans re: boring-me too. So my objective today is to enable you to see how relevant this is to your daily lives, as well as to those organizations with which you interact
  • If you read the papers at all you’ll know that privacy has been in the news a lot lately – who would have thought there was a connection between smart meters, models, patient records and Facebook? But there is and the common link as the stories describe is privacy issues
  • Facebook has been one of the biggest privacy issues in the news lately-demonstrating the leadership coming from Canada in privacy matters
  • Before we discuss the question of the week and your responses, I have some questions of you regarding your use of Facebook: How many of you are on Facebook? How many of your children are on Facebook? Before the Commissioner’s report came out, did you, or anyone you know, ever read their Privacy Policy? Manage your privacy settings? Ask them a question about their policy? Now to your responses to the question: Were you aware of the report before I included it in the question? Do you care about your privacy on Facebook? On other social media sites? On the internet generally? Or do you think that given the nature of social media and its objective of communication, people should be responsible for their own information? Importance of Facebook report – first time public report on the application of privacy law to social media; law lags behind technology; Canada’s leadership – comments of Australian Commissioner and Facebook’s response that it will follow the recommendations for its entire global user base, not just Canada. If you thought that the Commissioner’s report resolved any concerns about your control over your info when you set your privacy settings – think again!
  • Before we begin our discussion of regulatory regimes would like to review the core concepts that Ruth addressed last week
  • Regardless of whether we think the yeas or the nays were the winners, the reality is that most countries around the world regulate privacy in some way, shape or form, or are in the process of developing it. Also second generation privacy laws.
  • And now to the regulatory regimes
  • While we take our trip around the world think about the different objectives and perspectives that different countries have on privacy rights
  • It may appear a bit strange to begin with the EEA – the European Economic Area – but there’s a reason for this. The EEA represents the union of the European Union and the European Free Trade Association. The genesis for privacy legislation around the world comes from the OECD and the various privacy laws in many European countries and states. The objective was the protection of human rights. I’ve always thought that it’s a bit ironic as the legislation applied to the private sector but it was the public sector, state governments, that were responsible for the abuses based on information, but in any event… There is a difference in terminology over there as they use the term “data protection” as opposed to privacy
  • As time went on more and more European countries and states developed their own legislation. This led to a desire for harmonization of legislation among the countries, and the Directive was the result. A couple of critical points about the Directive that have a direct impact on other privacy laws: “adequate” protection, and the definition of personal data.
  • As per the Directive, the countries “transposed” or implemented the Directive by passing their own legislation – the regimes are called “data protection”. It is so important in the EU that countries applying for admission often pass very strict legislation, using it as a “demonstration” of their commitment to the values of the EU. An example of the very politicized nature of privacy legislation.
  • I’d like to move on closer to home to Canada. This slide is one that I call “The Big Map”. This may be a bit of a geography lesson as well – the 10 Canadian provinces and the 2 territories. I have set out both the public sector privacy laws – those applying to government bodies – and the private sector laws; you’ll also see that in certain provinces there is health information specific privacy legislation, or in the case of B.C. legislation dealing specifically with electronic health information. Note that the map only contains privacy specific legislation – we’ll deal with other laws, professional codes etc. later on (also, in the health context, professional Codes of Ethics and College by-laws). We sometimes call it a ‘patchwork’ but it is not nearly as complicated as the US approach, and we’ll see why when we discuss their privacy environment. You’ll see that all provinces have public sector access and privacy legislation that applies to government “institutions” – ministries and agencies. One aspect of that is access – for open government. That is how, for example, the Ontario PC caucus was able to get all of the information you’ve seen on TV and in the news on the eHealth Agency over the summer. This public sector legislation also sets out the rules for how governments must deal with the personal information they maintain on their citizens. So for example when you go to the doctor in Ontario and the doctor submits an OHIP claim, the fact that you were treated for x on a certain date by doctor y is information in the hands of the Ontario Ministry of Health as the insurer paying OHIP. The challenge with much of the public sector laws is that they are very old and don’t address the current realities of government use of legislation, let alone new technologies (the law is always behind anyway, as we saw in the case of Facebook). E.g. The Federal Privacy Act was enacted in ??? And the Commissioner has been lobbying for years for change.
I don’t want to spend time on the public sector legislation – in the limited time we have, want to focus on the private sector laws because they are generally more relevant to everyone’s daily lives and work.
  • Why does the map look the way it does? The reason lies in the way the Canadian constitution affords certain powers to the federal government and others to the provinces.
  • Let’s begin our examination of Canadian laws with PIPEDA, the Federal private sector privacy law. It was the Canadian government’s response to the potential non-tariff trade barriers that could result from the EU laws restricting transfers of personal data out of the country. The US response was Safe Harbor – we’ll look at the EU laws and Safe Harbor later. Because of the different areas of powers and jurisdiction between the federal government and the provinces that I set out previously, PIPEDA is limited in application to personal information collected, used and disclosed in the course of commercial activities. In addition, it applies when personal information crosses inter-provincial or international borders, e.g. to the US. The final ‘division of powers’ restriction is that it applies to the employee personal information of only federally regulated industries or organizations – banks, telcos, airlines, railways. Regulation of employment is a provincial matter, so there are privacy rules applying to employee information only in those provinces that have enacted ‘substantially similar’ legislation – a designation made by the federal government. If you look at how PIPEDA came into force in 3 stages, you see that the feds gave the provinces a 3-year opportunity to enact their own legislation, but few got it done.
  • The scope of application is limited to “personal information” and as you see there are certain exclusions for what type of information falls into that category. One is that of work product information , a term that came from a 2001 finding of the federal Privacy Commissioner that IMS physician prescribing information is not “personal information” and is thus not subject to PIPEDA. The commissioner is the oversight body for PIPEDA. As we saw in the Facebook report, the federal commissioner can only make recommendations – they are not binding on the company. We will see if Facebook follows the recommendations and, if not, whether the commissioner will take the matter to court as that is the only option available to her. Another point of comparison between the Canadian approach and that of the U.S. with more “teeth” – Commissioner relies on persuasion and corporate concerns of adverse publicity.
  • There are 3 provinces – Quebec, Alberta and B.C. – that have general privacy legislation. It’s a bit of a misnomer in the case of Alberta which, as we’ll see, also has health information specific legislation, but in B.C. and Quebec the provincial laws cover all personal information, including personal health information. The fact that all 3 provinces’ laws have a ‘substantially similar’ designation means that they, and not PIPEDA, apply to personal information collected, used and disclosed in the course of commercial activities within those provinces. In other provinces without substantially similar provincial laws, PIPEDA has ‘dropped in’ and applies. There are also provincial privacy commissioners in each province that provide oversight.
  • So Alberta and BC were the only 2 provinces that took advantage of the Fed’s 3-year window under PIPEDA and got their act together to enact legislation before the Jan. 1, 2004 deadline (Quebec’s was in place before). Ontario is an example of a province without a substantially similar general law, so there PIPEDA has ‘dropped in’ and applies.
  • In addition, there are the 4 provinces indicated that have specific health information privacy legislation, covering health information generally in the public and private sectors. Newfoundland’s and New Brunswick’s are not yet in force. Only Ontario’s is substantially similar, meaning that technically it is that law that applies when personal health information is collected, used and disclosed in that province in the course of commercial activities. However, the practical reality is that even without the designation the other provinces have assumed their health information legislation applies instead of PIPEDA.
  • These are only a very few of the other privacy frameworks in existence in Canada. Some, like the ISO, are international. Some are voluntary; others are mandatory, such as those of the CMA and the Marketing Association where, in order to be a member in good standing of the association, you must follow the Code. The point is that when you are working on any project involving personal information, the data protection framework is not necessarily limited to privacy legislation – other rules may apply as well.
  • So what does all of this mean to you in the real world? From the practical perspective the point is that the analysis of what rules you need to follow requires asking yourself a number of questions about the personal information, its use etc. and the organization before you can even decide on the framework that applies. In certain cases an organization may be subject to both provincial and federal legislation. These are the series of questions that form the basis of what may be called the decision tree to determine what privacy law applies in a particular scenario involving personal information in Canada.
  • The US approach to privacy legislation is very different from that in Canada – approach is sector-specific – though to some extent Canada’s is as well when it comes to legislation regulating personal health information. Talk about HITECH and the stimulus bill – for health technology. Tell the story of the Bork confirmation hearings.
  • This barely scratches the surface of the state laws in effect – numerous states have legislation protecting personal health information as well. Compliance with U.S. law represents even more of a challenge than the Canadian law for a number of reasons. One is simply a numbers game – 50 states plus DC, Puerto Rico, Guam and the VI vs. 10 provinces and 2 territories. So assuming you’re a business that operates nationally, more legislation will apply. Like Canada, where the legislation addresses the same subject matter, e.g. data breach, there are numerous critical differences amongst the state laws, e.g. the data covered, timing of reporting, method of reporting, consequences of data breach. Also, there is no “federal pre-emption”, which means that if a federal law deals with a certain matter, as well as a state law, the organization has to comply with both.
  • You’ll recall that I mentioned that the Federal Privacy Commissioner can only make recommendations, so if Facebook doesn’t comply she will have to launch a court action. Even where Commissioners have order-making power in Canada (the provinces), they still have to go to court if the organization doesn’t comply, publicity etc. But where the Canadian privacy regime is vastly different from that in the U.S. is in the consequences of non-compliance. Data chain – tell the story of the security auditor being sued.
  • I’d like to do a quick high level comparison. Like in many things in this world, Canadian privacy laws fall somewhere in the middle of the road between the US and European approaches. Caveat re: “publicly available information”.
  • Not only does PIPEDA differ from the EU approach but also from the US as well. It takes an ‘omnibus’ approach as it covers all types of personal information and is not confined to e.g. health, financial, video rental records etc. as in the US.
  • While there are other privacy regulatory regimes in existence around the world – e.g. APEC – and legislation in many other countries including Hong Kong and Russia – let’s take a glimpse at how the different regimes interact in The Wired World
  • I’d like to touch briefly on an issue that continues to be in the news and the subject of a lot of misconceptions in the public and the media. Have any of you heard about the controversy surrounding the US Patriot Act and the issue of storage of Canadian data in the US? What have you heard? What is the concern?
  • Now that we’ve had our privacy around the world in 80 minutes, let’s consider the practical impact of such regimes.
  • Obviously the first thing that probably comes to mind is compliance
  • But there are said to be other “business drivers” that incent organizations to follow the privacy rules. The Ontario Privacy Commissioner Ann Cavoukian often says in her presentations that “privacy is good for business”. The reverse would appear to be that an organization that abuses its customers’ personal information will suffer from a business perspective. But even those organizations in the B2B space are not immune from privacy issues.
  • Most organizations will look at privacy compliance from a risk management perspective.
  • Let’s take a look at Canadian futures re legislation
  • Industry Canada has been consulting with the privacy commissioners of the other provinces on their PIPEDA data breach proposal – the objective is to try as much as possible to ensure that any amendments to the provincial legislation are the same as or as close as possible to those in PIPEDA to avoid the situation like you have in the US with some 40 different state notification laws, with differences and no federal law with preemption. While it may seem a bit out of place I mention Bill C-51 as it is certainly relevant to pharma and healthcare products industries in Canada – proposal to monitor the safety and effectiveness throughout the product’s lifecycle under a progressive licensing regime. Will be interesting how the government addresses the privacy issues that will inevitably arise from PIPEDA and other provincial privacy legislation in the context of some of the industry reporting requirements.
  • And as we know privacy is nothing without security!
  • Thank you for your interest-any follow up

Presentation Transcript

  • PRIVACY PRACTICE FUNDAMENTALS WEEK #2: UNDERSTANDING COMPLIANCE REGIMES AND REQUIREMENTS – Legislation, Regulations and Governance
    • Anita Fineberg, LL.B., CIPP/C, Barrister & Solicitor, President, Anita Fineberg & Associates Inc.
    • University of Toronto, Faculty of Information, Faculty of Applied Sciences and Engineering
    • September 16, 2009
  • Agenda
    • Privacy in the News (9:15-9:45)
    • Review of Core Concepts (9:45-10:00)
    • Privacy Regulatory Regimes
      • The EEA (10:00-10:15)
      • Break (10:15-10:30)
      • Canada (10:30-11:00)
      • The United States (11:00-11:15)
    • The Wired World (11:15-11:30)
    • Practical Impact (11:30-11:45)
      • Compliance
      • Consumer Trust
      • Competitive Advantage
      • Risk Considerations
    • Canadian Futures (11:45-11:55)
    • Conclusion (11:55-12:00)
  • Privacy in the News
    • The model, the blogger and the Web giant. Once-anonymous writer angered after Google complies with court order to out her
    • 300K Patient Files on Stolen Laptops. Alberta's privacy commissioner has launched an investigation into the theft of two laptops from a University of Alberta lab, reports CBC News
    • Cavoukian: Smart Grid Privacy a "Sleeper" Issue. The recent Toronto Hydro security breach that exposed the information of 179,000 customers has Ontario's Information and Privacy Commissioner warning that a Smart Grid could present privacy risks, Reuters reports
    • Facebook makes friends with privacy czar. Social-networking giant agrees to changes that will allow users to have more control over their personal data
  • Privacy in the News - Facebook
  • Privacy in the News: Facebook
    • Discussion: Question of the Week
    • “The Federal Privacy Commissioner has recently issued a report in response to the complaint of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) about the privacy practices of Facebook. The report is available at: http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.pdf. What impact, if any, has the report had on your use of Facebook? Other social networking sites? The Internet in general?”
    • So you think your private settings are private?
      • Leduc v. Roman, 2009 CanLII 6838 (ON S.C.) — 2009-02-20
      • Wice v. Dominion of Canada General Insurance Company, 2009 CanLII 36310 (ON S.C.) — 2009-07-06
  • Review of Core Concepts
  • Review of Core Concepts
    • Privacy
    • Security
    • Confidentiality
  • Review of Core Concepts
    • Privacy: the right of individuals to determine when, how, and to what extent they share information about themselves with others
    • Confidentiality: the obligations of one person to preserve the secrecy of another’s personal information
    • Security: the procedures and systems used to control access and maintain the integrity of the information
  • Privacy Regulatory Regimes
  • Privacy regulatory regimes
    • State control?
    • Human rights? Self-determination?
    • Consumer protection?
  • Privacy Regulatory Regimes: EEA - Legislative
    • Organization for Economic Co-operation and Development (OECD)
      • Emergence of various state and federal data protection laws in the 1970s
      • Awareness of WWII abuses related to use of centralized databases of citizens’ information
      • Desire for strong human rights protection that covered all forms of personal information
    • OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Information
    • Root document for many privacy laws and codes of practice around the world
  • Privacy Regulatory Regimes: EEA - Legislative
    • EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data:
      • Obliges all member states to implement tough data protection laws that (theoretically) would be harmonized throughout the European Union (EU)
      • Blocked data transfers to states without “adequate protection” for their personal data
      • “Personal data” very broadly defined to include virtually any and every type of information that can identify an individual
      • Contained specific more restrictive rules applicable to “sensitive data”
  • Privacy Regulatory Regimes: EEA - Legislative
    • Resulted in data protection legislation being implemented in all 27 member states of the EU as well as Norway, Liechtenstein and Iceland
    • Together called the European Economic Area (EEA)
  • Privacy Regulatory Regimes: Legislative – Canada
    • Federal
      • Public: Privacy Act
      • Private: Personal Information Protection and Electronic Documents Act
    • Alberta
      • Public: Freedom of Information and Protection of Privacy Act
      • Public/Private: Health Information Act
      • Private: Personal Information Protection Act
    • British Columbia
      • Public: Freedom of Information and Protection of Privacy Act
      • Private: Personal Information Protection Act
      • Electronic Health Information: e-Health (Personal Health Information Access and Protection of Privacy) Act
    • Yukon/NWT/Nunavut
      • Private: Personal Information Protection and Electronic Documents Act
    • Manitoba
      • Public: Freedom of Information and Protection of Privacy Act
      • Public/Private: Personal Health Information Act
      • Private: Personal Information Protection and Electronic Documents Act
    • Saskatchewan
      • Public: Freedom of Information and Protection of Privacy Act
      • Public/Private: Health Information Protection Act
      • Private: Personal Information Protection and Electronic Documents Act
    • Ontario
      • Public: FIPPA
      • Public/Private: Personal Health Information Protection Act, 2004
      • Private: Personal Information Protection and Electronic Documents Act
    • P.E.I.
      • Public: Freedom of Information and Protection of Privacy Act
      • Private: Personal Information Protection and Electronic Documents Act
    • Quebec
      • Public: An Act respecting Access to Documents held by Public Bodies and the Protection of Personal Information
      • Private: An Act respecting the protection of personal information in the private sector
    • New Brunswick
      • Public: Protection of Personal Information Act / Right to Information Act
      • Private: Personal Information Protection and Electronic Documents Act
      • Public/Private: Personal Health Information Privacy and Access Act (not yet in force)
    • Nova Scotia
      • Public: Freedom of Information and Protection of Privacy Act
      • Private: Personal Information Protection and Electronic Documents Act
    • Newfoundland
      • Public: Freedom of Information and Protection of Privacy Act (not yet in force)
      • Private: Personal Information Protection and Electronic Documents Act
      • Public/Private: Personal Health Information Act (not yet in force)
  • Privacy Regulatory Regimes: Canada - Legislative
    • Privacy regulation in Canada is complex because of constitutional division of powers
    • Federal government -> trade & commerce
    • Provincial government -> property and civil rights
    • Resulting in private sector being regulated by:
      • Federal: Personal Information Protection and Electronic Documents Act (PIPEDA)
      • Provincial – General Application:
        • Quebec: An act respecting the protection of personal information in the private sector
        • Alberta: Personal Information Protection Act
        • B.C.: Personal Information Protection Act
      • Provincial – Health Information:
        • Ontario: Personal Health Information Protection Act
        • Alberta: Health Information Act
        • Manitoba: Personal Health Information Act
        • Saskatchewan: Health Information Protection Act
      • Provincial – Electronic Health Information:
        • B.C.: e-Health (Personal Health Information Access and Protection of Privacy) Act
  • Privacy Regulatory Regimes: Canada - Legislative - Federal
    • PIPEDA
    • Came into effect in three stages:
      • January 1, 2001: applied to collection, use and disclosure of personal information by federal works, undertakings and businesses that disclose personal information outside a province for consideration
      • January 1, 2002: applied to personal health information
      • January 1, 2004: applied to all personal information collected, used and disclosed within a province unless the province has enacted “substantially similar” legislation
    • Principles derived from the CSA code which is attached as a Schedule to the Act
    • Application
      • Focus is on the nature of the transaction – i.e. personal information collected, used or disclosed in the course of a commercial activity
      • Applies to the personal information of employees of only federal works, undertakings and businesses
      • Applies to international and inter-provincial disclosures of personal information
  • Privacy Regulatory Regimes: Canada - Legislative - Federal
    • PIPEDA
    • Application is limited to “personal information”
      • “Personal information” = information about an identifiable individual
        • does not include the name, title or business address or telephone number of an employee of an organization
        • “identifiability” is not defined = organizational assessment
        • “work product information” exclusion from Commissioner’s findings
        • exclusion from consent requirements for “publicly available information”
        • no separate categories for “sensitive” information or distinction between that of employees or clients/customers
    • Oversight
      • Provided by the Federal Privacy Commissioner
      • Ombudsman model
        • no ability to make binding orders
        • recommendations only
        • no ability to impose fines or other sanctions
  • Privacy Regulatory Regimes: Canada – Legislative – Provincial (general application)
    • Quebec: An Act Respecting the Protection of Personal Information in the Private Sector (the “Quebec Act”)
      • It was, and continues to be, first of its kind in North America
      • Modeled after European privacy laws
      • Has been in force since 1994
      • Applies to all personal information in the private sector, including personal health information, as well as personal information about the activities of health professionals
    • Alberta: Personal Information Protection Act (Alberta PIPA)
      • Came into force on January 1, 2004
      • Applies to personal information (not personal health information) in the private sector
      • Special rules for employee personal information and contact information
  • Privacy Regulatory Regimes: Canada - Legislative – Provincial (general application)
    • B.C.: Personal Information Protection Act (B.C. PIPA)
      • Came into force on January 1, 2004
      • Applies to all personal information in the private sector, including personal health information, with an exclusion for work product information
      • Special rules for employee personal information and contact information
    • All have been declared “substantially similar” to PIPEDA -> apply to personal information collected, used and disclosed in the course of commercial activities within each province
    • Oversight provided by provincial Privacy Commissioners with order-making power
  • Privacy Regulatory Regimes: Canada - Legislative - Provincial (“personal health information”)
    • Alberta: Health Information Act
    • Ontario: Personal Health Information Protection Act, 2004
    • Manitoba: The Personal Health Information Act
    • Saskatchewan: Health Information Protection Act
    • Generally…
    • Alberta, Manitoba, Saskatchewan and Ontario are the only provinces that currently have personal health information legislation in effect
    • Promote a consistent approach to personal health information collected, used and disclosed by persons other than health professionals – in different contexts and different settings
    • Only Ontario legislation has been deemed to be ‘substantially similar’ to PIPEDA
    • Oversight provided by provincial Privacy Commissioners with order-making powers except in Manitoba where an ombudsman model exists
  • Privacy Regulatory Regimes: Canada – Other Privacy Frameworks
    • Professional Regulation
      • Regulated Health Professions Act
      • Real Estate and Business Brokers Act
    • Professional Codes
      • Canadian Medical Association - Code of Ethics
      • Canadian Marketing Association – Code of Ethics and Standards of Practice
    • Guidelines
      • COACH – Guidelines for the Protection of Health Information
    • Standards
      • ISO
    • Contracts
      • Provisions for the protection of personal information
      • Outsourcing projects
  • Privacy Regulatory Regimes: Canada – Decision Tree
    • In what province is the information being collected?
    • What is the nature of the information?
    • What type of activity is the information being used for?
    • Where is the geographic location of the recipient of the information?
      • If it is out of the province or the country, PIPEDA always applies if:
        • it is in the course of a commercial activity, and
        • it is not employee personal information of a non-federal work, undertaking or business
  • Privacy Regulatory Regimes: United States - Legislative
    • No overarching general privacy legislation
    • Approach is sector-specific regulation:
      • Examples of Federal Legislation
      • Health : Health Information Portability and Accountability Act (HIPAA), amended by Health Information Technology for Economic and Clinical Health Act (HITECH)
      • Financial: Fair Credit Reporting Act (FCRA); Gramm-Leach-Bliley Act (GLB)
      • Children : Children’s Online Privacy Protection Act (COPPA)
      • Spam : Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
      • Videos : Video Privacy Protection Act
  • Privacy Regulatory Regimes: United States - Legislative
    • Examples of State Legislation:
    • Data breach reporting notification
      • 45 states, District of Columbia, Puerto Rico and the Virgin Islands
    • Social security numbers
      • 30 states have legislation limiting how SSNs may be collected, used and disclosed
      • Six states (Connecticut, Massachusetts, Michigan, New Mexico, New York and Texas) have enacted laws or regulations that require organizations that collect or use SSNs to implement policies to protect those SSNs and, in some instances, to make their SSN protection policies available to the public or to their employees
    • Data Security
      • Massachusetts : Data Security regulation (in the process of being amended; compliance date delayed)
  • Privacy Regulatory Regimes: United States - Legislative
    • Key Practical Differences = Consequences of Non-Compliance
      • High profile litigation brought by the Federal Trade Commission
      • Actions by the States Attorneys General
      • Fines in the millions of dollars
      • Ongoing audit and compliance orders for many years
      • Private rights of action, e.g. individuals can sue a company for breach of their privacy rights
      • Class action lawsuits
      • Actions against other organizations in the “data chain”
  • Privacy Regulatory Regimes: PIPEDA: EU and U.S. comparisons
    • Similar to the EU laws in that it is consent-based
    • More flexibility in application because:
      • Some information is excluded from the definition of “personal information” and therefore from the scope of the Act
        • “business contact information”, “publicly available information”, “work product information”
      • No separate definition of “sensitive personal information” that always requires express consent
        • takes a contextual approach
      • Allows for “implied consent” in more circumstances
        • e.g. personal health information disclosed within the “circle of care” for diagnostic, treatment and care purposes
      • No broad-based definition of “processing”
        • clear that one does not require consent in order to anonymize, de-identify or encrypt personal information
  • Privacy Regulatory Regimes: PIPEDA: EU and U.S. comparisons (cont’d)
    • Less administratively burdensome than EU laws because:
      • No requirement to register databases
      • No requirement to provide notice to and/or obtain approval for data transfers from data protection authorities
      • No limitations or standard contractual clauses for data transfers outside of Canada
    • Differs from U.S. approach in that:
      • Omnibus, as opposed to sectoral approach to regulation
      • Financial penalties are not a factor: the Act provides no fining power for non-compliance
      • Oversight takes a more “carrot” than “stick” approach
    • Unlike HIPAA because
      • Concept of “identifiability” is not defined by data elements
      • Security requirements are not prescriptive
  • The Wired World
    • Privacy legislation was developed at a time when electronic data processing was in its infancy
    • The capability to compile databases was just beginning
    • Data exchanges were direct, one-to-one and within a finite geographic area
    • The global economy with ubiquitous data flows was not contemplated
    • EU legislation with its “adequacy” requirement threatened to become a non-tariff trade barrier
    • Different countries responded in different ways
  • The Wired World
    • Certain countries developed privacy legislation, applied for and obtained “adequacy” status:
      • Canada (PIPEDA), Argentina, Switzerland, Guernsey, Isle of Man
    • Others refused to have domestic legislation dictated by Europe
      • U.S. – Department of Commerce voluntary Safe Harbor program
    • Adequacy status has also been granted for transfers of personal information under specific international programs:
      • Transfer of air passenger name record (PNR) data to U.S. Customs and Border Protection
  • The Wired World
    • Canada – U.S. Issue :
    • Storage of and access to Canadian personal information in the U.S.:
      • The issue has arisen because of potential U.S. government access pursuant to the USA PATRIOT Act
    • Myth:
      • It is illegal for Canadian organizations to store personal information in the U.S.
    • The Facts:
      • PIPEDA does not prohibit international disclosures of personal information: Findings #313 and #333
      • Only two provinces (B.C. and Nova Scotia) have legislation requiring that personal information of Canadians be stored in Canada: the B.C. Freedom of Information and Protection of Privacy Act (FIPPA) and the Nova Scotia Personal Information International Disclosure Protection Act
      • Both apply only to personal information held by or on behalf of public bodies (not the private sector) and include a number of exemptions and exceptions
      • As a matter of government policy (to manage public expectations) or business practice (for competitive advantage) an organization may choose to require that such data is retained in Canada
  • The Wired World
    • Canada – U.S. Issue (cont’d)
    • BUT
    • There are environmental sensitivities (public and political) concerning such disclosures
    • Contractual provisions must provide the same measure of protection as if the personal information had remained in Canada
    • Individuals must be informed that their information may be stored or accessed outside Canada
    • Potential conflicts re: advising individuals when and by whom their personal information has been accessed (e.g. where foreign law prohibits disclosure of a government access request)
  • Practical Impact
    • Compliance
      • Democratic societies have adopted rules that every entity within their scope is expected to follow
    • HOWEVER
      • Privacy and security compliance can be very expensive, consuming human and financial resources
      • It is difficult to engage the C-suite in the issues, particularly when economic issues are of more immediate concern
      • Consequences of non-compliance in Canada tend to be minimal
      • All of this leads to a very reactive approach
  • Practical Impact
    • B2C: Consumer Trust
      • “Privacy is good for business”
    • BUT
      • TJX did not lose customers or suffer a decrease in its stock value as a result of its large and widely reported breach
    • B2B
      • Not immune: TJX was sued by numerous financial institutions that processed its card transactions and bore the costs of the breach
      • Outsourcing/offshoring contracts: accountability remains with the organization that collected the information
  • Practical Impact
    • Risk considerations
      • Perfect compliance is virtually impossible
      • What is the organization’s risk tolerance?
        • Nature of the entity
        • Type of personal information
        • Nature of the risks
        • Cost of proactive risk management vs. reactive risk remediation
  • Canadian Futures
    • PIPEDA amendments
      • Likely that an amending Bill will go to Cabinet within the next month or so
      • Will definitely include mandatory breach notification requirements
      • Changes to the consent-based approach to organizations’ collection, use and disclosure of employee personal information
    • Alberta PIPA amendments
      • Likely to implement Review Committee’s recommendations for mandatory data breach notification and informing individuals of transborder data flows
    • B.C. PIPA amendments
      • Likely to implement Review Committee’s recommendations for mandatory breach notification and explicit accountability for cross-border data flows
    • Ontario PHIPA Review
      • Awaiting legislative response to Review Committee’s recommendations
  • Conclusion
    • Global privacy regulatory regimes differ based on their philosophical underpinnings
    • All include fair information principles, but the “devil is in the details”
    • The Canadian regime is complicated by the division of powers between the federal and provincial governments
    • Practical application involves utilizing a decision tree to assess which laws apply
    • Current compliance regimes are ill-suited to ubiquitous, technology-facilitated, consumer-driven domestic and global data flows
  • Contact Information
    • Anita Fineberg, LL.B., CIPP/C
    • Barrister & Solicitor
    • President
    • Anita Fineberg & Associates Inc.
    • [email_address]
    • Bus: 416.762.4583
    • Cell: 416.565.5007
    • Fax: 877.475.7096