Canada’s Response to the
EU Privacy Regulation
Constantine Karbaliotis,
CIPP/C/US/E/IT, CIPM
Americas Privacy Leader, Mercer
SESSION DESCRIPTION
Canada has not been troubled to the extent the US has in relation to
the proposed EU Privacy Regulation; but should we be complacent?
Does Canada, both public and private sectors, need to think about:
1. The impact on our status as ‘adequate’ – is this at risk? Do we
need to amend our privacy legislation to meet the heightened
expectations of the EU? Are our ‘subdivisions’ at risk?
2. The proposed regulation’s impact on the US – the regulation is
challenging the US’ willingness and ability to meet the new
standards. Is this a problem for us? An opportunity?
DISCLAIMER
This represents the views of the presenter,
and not of any of his:
– Employer
– Privacy organizations to which he may belong
– Anyone else, perhaps
But these are questions that may be useful
to consider – and have answers to
ORIGIN OF THIS
“What is Canada’s response to the
draft EU Privacy Regulation?”
– Privacy officer in the US
• Thoughts:
– Should we have one?
– Why don’t we have one?
A DISCUSSION IN TWO PARTS
•  First, what should we be thinking
about as a country - federally and
provincially - to address the changes
presented by the EU draft Privacy
Regulation
•  Second, what position should be
taken in regards to the US and EU
frictions over the proposed changes
IS OUR ADEQUACY,
ADEQUATE?
WHY DO WE NOT HAVE A
POSITION?
•  Adequacy?
– We are adequate under EU law; we don’t have
to do anything
– Our laws will meet the new EU draft
Regulation’s requirements
•  Complacency?
– Can we assume that our current adequacy is
enough?
– Perhaps we don't want to examine this closely
– The EU hasn’t updated its page on Canada &
PIPEDA since 2003
DISCUSSION PAPER:
The Case for Reforming PIPEDA (released May 23,
2013), Office of the Privacy Commissioner of Canada
•  “One of the reasons PIPEDA was enacted
was to create a vehicle that would facilitate
the flow of personal information from EU
member states to Canada…The adequacy
concept is retained under the Regulation.”
•  “It is an open question as to what effect
the proposed Regulation, if passed in its
present form, might have on Canada’s
adequacy status, given the current state of
PIPEDA.”
COULD ADEQUACY BE REVOKED?
•  EU has shown willingness to take action on and
challenge adequacy of member states
– Hungary
•  Draft regulation explicitly addresses determination
of adequacy and extends ability to recognize sub-
divisions - as well as to determine that a country
or sub-division is not adequate, and to monitor on
an ongoing basis
– Draft EU Privacy Regulation, Article 41 paras. 1-6
WHY WOULD OUR ADEQUACY BE
AT RISK?
• Adequacy in current draft is based upon
sufficiency of sanctioning power by an
independent data protection authority (EU Draft
Reg. Art 41(2)(b))
– Have our laws kept pace:
– Breach notification
– Penalties and order-making
– Onward transfers from Canada
– The right to be forgotten
– All of which must be regarded in light of the Draft EU
Regulation's stringent provisions
WHY WOULD OUR ADEQUACY BE
AT RISK (2)?
• Adequacy in current draft is based upon
sufficiency of sanctioning power
• Lack of coverage of laws to all aspects of personal
information
– Employee privacy is not protected under PIPEDA unless
under federal jurisdiction, or in a province lucky enough to
have a provincial privacy law
– Latest drafts have removed "sectoral" recognition because:
"...it would increase legal uncertainty and undermine the
Union's goal of a harmonised and coherent international data
protection framework".
– If we cannot have sectoral recognition, how can there be
sectoral exemption?
ADEQUACY REAL OR PERCEIVED?
•  To what extent is high regard of
Canadian privacy due to personalities of
Canadian privacy commissioners?
•  Is the strength of Canadian privacy
really our commissioners’ outreach
more so than from the strength of our
legislative framework?
•  Would changes alter EU views of our
adequacy?
CANADA’S POSITION
•  Canada is not likely to be ‘first’ on the list for
possible review
•  Of the league of the ‘adequate’, other
countries may be first to be reviewed:
– Questions of resources, existence of independent
authority may attract more attention
•  Are we keeping up with the league of the
adequate?
– Australia is bringing in mandatory breach notification
– Were we lucky to be considered adequate in the first
place, given how hard it was for Australia?
SUB-DIVISIONS
•  Could Canada remain considered adequate
– but a province not be adequate?
Draft EU Privacy Regulation, Article 41 para. 5
–  WADA issue in Quebec – assertions of inadequacy?
–  Perhaps also - not deemed ‘substantially
similar’ under PIPEDA?
•  Could a province be recognized as
adequate – and not the rest of Canada?
•  Alberta alone has coverage, enforcement,
breach – last one standing?
THE CANADIAN RESPONSE TO
THE US RESPONSE
WHAT ABOUT OUR FRIENDS IN THE US?
• We are interested in the US response for a number
of reasons:
• We work for companies which have operations in
the US, or are subsidiaries of US companies
– The US is our largest trading partner
• The Draft EU Regulation is a "destabilization of the
equilibrium" created by a combination of Safe
Harbor, model clauses
Schwartz, The E.U.-US Privacy Collision
• So what should we do about the US friction with
the EU over the draft Regulation?
OPPORTUNITY OR RISK?
• What are the down-sides to a failure to reach
accommodation?
– Onward transfers from Canada - limited or requiring more
explicit protection (model clause?)
– Limitations on companies doing business in the US
because of shared systems with US operations
• What are the opportunities?
– Canadian data centres could use our “regulatory
advantage” – if we maintain adequacy – to attract
business and become the data hub for organizations
needing to manage both EU and US data
– "Near-shore" support for US with similar language and
time zones
RESPONSE #1
Our self-interest lies in facilitating data
flows internationally, and assisting our
largest trading partner in reaching an
accommodation with the EU
– “Can’t we all get along?”
– Perhaps naive to think we can play peacemaker
given the positions of each side
RESPONSE #2
Our self-interest lies in utilizing our
regulatory advantage, and becoming a
data hub for personal information
transfers from both the EU and the US
– Too mercenary?
– Competition might prompt a greater
desire to close the gap
RESPONSE #3: the principled
response
Our self-interest lies in:
• retaining our status of adequacy with the EU to
facilitate the free flow of information consistent with
the view of privacy as a fundamental human right
• encouraging a rapprochement in privacy between
our largest trading partners, the US and the EU, to
support international trade and development, and,
• maximizing the value of the Canadian approach to
privacy by becoming a data hub for personal
information transfers from both the EU and the US
CONCLUSION
•  Without pretending to be right on any of
these points, it seems that it is a
worthwhile effort to develop some position
on the EU draft Privacy Regulation
•  There is no sword currently hanging over
our heads - but developing a position - and
making changes if required - will not
happen overnight
CONCLUSION (2)
•  Amendment of PIPEDA in line with May 2013
Discussion Paper
•  Primarily for ourselves, but also because of our
desire to continue to do business with the EU and
perhaps to take advantage of our natural
advantages
•  Development of economic strategy in line with
the ‘principled response’
•  Coordination with provinces to ensure:
1. “Substantially similar” legislation
2. Coverage of employee data
3. Consistent breach notification requirements
4. Codify federal-provincial cooperation on
investigations, other
SOURCES
•  Jan Philipp Albrecht, "Draft Report 2012/0011
(COD)"
•  Paul Schwartz, "The E.U.-US Privacy Collision:
A Turn to Institutions and Procedures"
– http://www.harvardlawreview.org/symposium/papers2012/schwartz.pdf

Canadian Response to the Draft EU Regulation - May 2013
