Presented at the IAPP Canadian Symposium in May 2013 - What should the Canadian response be to the draft GDPR? Does this raise any questions or concerns for Canada's adequacy finding?
Canadian Response to the Draft EU Regulation - May 2013
2. Canada’s Response to the
EU Privacy Regulation
Constantine Karbaliotis,
CIPP/C/US/E/IT, CIPM
Americas Privacy Leader, Mercer
3. SESSION DESCRIPTION
Canada has not been troubled to the extent the US has in relation to
the proposed EU Privacy Regulation; but should we be complacent?
Does Canada, both public and private sectors, need to think about:
1. The impact on our status as ‘adequate’ – is this at risk? Do we
need to amend our privacy legislation to meet the heightened
expectations of the EU? Are our ‘subdivisions’ at risk?
2. The proposed regulation’s impact on the US – the regulation is
challenging the US’ willingness and ability to meet the new
standards. Is this a problem for us? An opportunity?
4. DISCLAIMER
This represents the views of the presenter,
and not of any of his:
– Employer
– Privacy organizations to which he may belong
– Anyone else, perhaps
But these are questions that may be useful
to consider – and have answers to
5. ORIGIN OF THIS
“What is Canada’s response to the
draft EU Privacy Regulation?”
– Privacy officer in the US
• Thoughts:
– Should we have one?
– Why don’t we have one?
6. A DISCUSSION IN TWO PARTS
• First, what should we be thinking
about as a country - federally and
provincially - to address the changes
presented by the EU draft Privacy
Regulation
• Second, what position should be
taken in regards to the US and EU
frictions over the proposed changes
8. WHY DO WE NOT HAVE A
POSITION?
• Adequacy?
– We are adequate under EU law; we don’t have
to do anything
– Our laws will meet the new EU draft
Regulation’s requirements
• Complacency?
– Can we assume that our current adequacy is
enough?
– Perhaps we don't want to examine this closely
– The EU hasn’t updated its page on Canada &
PIPEDA since 2003
9. DISCUSSION PAPER:
The Case for Reforming PIPEDA (released May 23,
2013), Office of the Privacy Commissioner of Canada
• “One of the reasons PIPEDA was enacted
was to create a vehicle that would facilitate
the flow of personal information from EU
member states to Canada…The adequacy
concept is retained under the Regulation.”
• “It is an open question as to what effect
the proposed Regulation, if passed in its
present form, might have on Canada’s
adequacy status, given the current state of
PIPEDA.”
10. COULD ADEQUACY BE REVOKED?
• EU has shown willingness to take action on and
challenge adequacy of member states
– Hungary
• Draft regulation explicitly addresses determination
of adequacy and extends ability to recognize sub-
divisions - as well as to determine that a country
or sub-division is not adequate, and to monitor on
an ongoing basis
– Draft EU Privacy Regulation, Article 41 paras. 1-6
11. WHY WOULD OUR ADEQUACY BE
AT RISK?
• Adequacy in current draft is based upon
sufficiency of sanctioning power by an
independent data protection authority (EU Draft
Reg. Art 41(2)(b))
– Have our laws kept pace:
– Breach notification
– Penalties and order-making
– Onward transfers from Canada
– The right to be forgotten
– All of which must be regarded in light of the Draft EU
Regulation's stringent provisions
12. WHY WOULD OUR ADEQUACY BE
AT RISK (2)?
• Adequacy in current draft is based upon
sufficiency of sanctioning power
• Lack of coverage of laws to all aspects of personal
information
– Employee privacy is not protected under PIPEDA unless
under federal jurisdiction, or in a province lucky enough to
have a provincial privacy law
– Latest drafts have removed "sectoral" recognition because:
"...it would increase legal uncertainty and undermine the
Union's goal of a harmonised and coherent international data
protection framework".
– If we cannot have sectoral recognition, how can there be
sectoral exemption?
13. ADEQUACY REAL OR PERCEIVED?
• To what extent is high regard of
Canadian privacy due to personalities of
Canadian privacy commissioners?
• Is the strength of Canadian privacy
really our commissioners’ outreach
more so than from the strength of our
legislative framework?
• Would changes alter EU views of our
adequacy?
14. CANADA’S POSITION
• Canada is not likely to be ‘first’ on the list for
possible review
• Of the league of the ‘adequate’, other
countries may be first to be reviewed:
– Questions of resources, existence of independent
authority may attract more attention
• Are we keeping up with the league of the
adequate?
– Australia is bringing in mandatory breach notification
– Were we lucky to be considered adequate in the first
place, given how hard it was for Australia?
15. SUB-DIVISIONS
• Could Canada remain considered adequate
– but a province not be adequate?
Draft EU Privacy Regulation, Article 41 para. 5
– WADA issue in Quebec – assertions of inadequacy?
– Perhaps also - not deemed ‘substantially
similar’ under PIPEDA?
• Could a province be recognized as
adequate – and not the rest of Canada?
• Alberta alone has coverage, enforcement,
breach – last one standing?
17. WHAT ABOUT OUR FRIENDS IN THE US?
• We are interested in the US response for a number
of reasons:
• We work for companies which have operations in
the US, or are subsidiaries of US companies
– The US is our largest trading partner
• The Draft EU Regulation is a "destabilization of the
equilibrium" created by a combination of Safe
Harbor, model clauses
Schwartz, The E.U.-US Privacy Collision
• So what should we do about the US friction with
the EU over the draft Regulation?
18. OPPORTUNITY OR RISK?
• What are the down-sides to a failure to reach
accommodation?
– Onward transfers from Canada - limited or requiring more
explicit protection (model clause?)
– Limitations on companies doing business in the US
because of shared systems with US operations
• What are the opportunities?
– Canadian data centres could use our “regulatory
advantage” – if we maintain adequacy – to attract
business and become the data hub for organizations
needing to manage both EU and US data
– "Near-shore" support for US with similar language and
time zones
19. RESPONSE #1
Our self-interest lies in facilitating data
flows internationally, and assisting our
largest trading partner in reaching an
accommodation with the EU
– “Can’t we all get along?”
– Perhaps naive to think we can play peacemaker
given the positions of each side
20. RESPONSE #2
Our self-interest lies in utilizing our
regulatory advantage, and becoming a
data hub for personal information
transfers from both the EU and the US
– Too mercenary?
– Competition might prompt a greater
desire to close the gap
21. RESPONSE #3: the principled
response
Our self-interest lies in:
• retaining our status of adequacy with the EU to
facilitate the free flow of information consistent with
the view of privacy as a fundamental human right
• encouraging a rapprochement in privacy between
our largest trading partners, the US and the EU, to
support international trade and development, and,
• maximizing the value of the Canadian approach to
privacy by becoming a data hub for personal
information transfers from both the EU and the US
22. CONCLUSION
• Without pretending to be right on any of
these points, it seems that it is a
worthwhile effort to develop some position
on the EU draft Privacy Regulation
• There is no sword currently hanging over
our heads - but developing a position - and
making changes if required - will not
happen overnight
23. CONCLUSION (2)
• Amendment of PIPEDA in line with May 2013
Discussion Paper
• Primarily for ourselves, but also because of our
desire to continue to do business with the EU and
perhaps to take advantage of our natural
advantages
• Development of economic strategy in line with
the ‘principled response’
• Coordination with provinces to ensure:
1. “Substantially similar” legislation
2. Coverage of employee data
3. Consistent breach notification requirements
4. Codify federal-provincial cooperation on
investigations, other
24. SOURCES
• Jan Philipp Albrecht, "Draft Report 2012/0011
(COD)"
• Paul Schwartz, "The E.U.-US Privacy Collision:
A Turn to Institutions and Procedures"
– http://www.harvardlawreview.org/symposium/papers2012/schwartz.pdf