In the midst of the debate over Canada’s lawful access proposals – Bill C-30 or the misleadingly-named Protecting Children against Internet Predators Act – some have compared the removal of requirements for warrants and court oversight, as well as lack of transparency, to the USA Patriot Act. I think those observations are valid, but what doesn’t appear to have been recognized or discussed is the possible impact on Canada’s adequacy status, especially given the proposed new EU Data Privacy Regulation. Bill C-30 would arguably put our adequacy status on the table for revocation.
The proposed EU regulation provides in Article 38 for the ability to review adequacy, and suggests more vigorous tests for adequacy; it also permits the EU Commission to consider sub-divisions (states or provinces) in considering the extent to which a country is considered adequate. I would regard the willingness of the EU Commission to challenge the Hungarian data protection authority on the basis of its independence as a strong signal that they will in fact regard the efficacy of privacy regulations, independence and enforcement authority in determining adequacy.
So: if the EU were to re-consider PIPEDA as it currently stands, under the new regulation, AND with ‘lawful access’ as contemplated by the Conservative government presently, would we get a finding of adequacy? I suggest not:
- It is the lack of judicial oversight, accountability and transparency that makes the Patriot Act in EU (and Canadian) eyes intolerable. The impact of this cannot be overstated. Even if the proposed framework for consumer privacy recently unveiled by the White House is adopted, while certainly very welcome, there would still be the underlying weakness that the Patriot Act would trump privacy protections, and doubtless stand in the way of EU acceptance of a US private sector privacy law, much less recognition of its adequacy. If this is the case for the US, then moving Canada to a regime that mimics this lack of oversight and transparency would undermine current recognition of PIPEDA.
- Sometime over the next year to two years, the EU Privacy Regulation will be adopted, hopefully with some of the problematic areas worked out; there is no reason at this point, however, to think that the provisions relating to adequacy will change. It puts all countries that have achieved adequacy on notice that they will have to ensure their laws keep pace with the development of the Privacy Regulation.
- With an adequacy review likely and inevitable, it follows that Bill C-30’s Patriot-like features could undermine our status as adequate. This will have a negative impact on Canadian business, and put us in effectively the same position as the US in terms of the difficulties in dealing with cross-border transfers of personal data.
- It is not only Bill C-30 that should be making us consider our adequacy status. Canada should be keeping PIPEDA up to date, and enacting Bill C-12 updating PIPEDA would help ensure we meet heightened EU expectations through stronger enforcement as well as breach notification. This bill has languished, despite the support of all parties, and as Michael Geist has pointed out, is now somewhat out of date; nevertheless, strengthening privacy protections has to be part of a serious and reasoned approach to lawful access (see Professor Geist’s comments in this regard), and now, critically, to retaining our adequacy status.
In both my professional work and in discussions with privacy professionals, I have always touted Canada as the ideal ‘data hub’ bridging the EU and Canada. Locating a data centre in Canada means (for Americans) near-shore support with a culture and language largely similar to their own and in the same time-zones; for Europeans, our privacy laws and culture have been recognized as similar to their own, and so locating EU data in Canada has been more ‘comfortable’ as a concept. I have always wondered why we have not been more aggressive in selling Canada in this fashion.
I would say that Canadian values for privacy and respect for the individual, and regard for due process supervised by our courts, would be enough of an argument against C-30 as it is drafted. Certainly we should be paying attention to the concerns of both our Federal Privacy Commissioner and the Ontario Privacy Commissioner. However, it may speak to the Conservative government more forcefully to consider the economic impact on Canada before introducing lawful access provisions without due regard to our adequacy status with the EU.