Article 29 Working Party to Quebec: “Sorry, darlings, you’re inadequate…”

This is a tough message to get from the EU; the Article 29 Working Party has identified some areas for improvement in order to find adequacy for Quebec’s Privacy Act (opinion linked here). Particularly harsh, I imagine, getting this by way of a voice mail message since Quebec was celebrating Saint-Jean-Baptiste Day on Tuesday; if they got any forewarning of the result, it was left via voice mail. Harsh.

I have hope that this will prompt changes that the Quebec Commission d’Acces a L’Information (CAI) have been asking for to their legislation; perhaps thoughts like servers leaving Montreal in a caravan down the 401 to Toronto, or even that the ROC (rest of Canada) is considered by the EU – the EU! – as adequate while Quebec is not, may prompt some speedy action…

Seriously, this is a shot across the bow for the provinces, for Canada, and for the world. I had done a presentation last year at the IAPP Canadian Symposium, on the topic of whether our adequacy finding was at stake. The EU had been pressing forward with its draft Regulation, and I speculated over whether we would need to update PIPEDA to maintain our status, and whether in fact provincial ‘substantially similar’ findings would not save the provinces from being reviewed for adequacy, since the draft Regulation contemplated reviews of adequacy of national subdivisions. This issue over Quebec, however, goes back as far as the WADA controversy in which the Working Party issued an opinion over the adequacy of Quebec’s law in relation to drug testing of athletes.

Well, the Working Party didn’t wait for the draft Regulation; they’ve started, and while it is an advisory opinion, it sets out a list of four areas for improvement that can only be interpreted as setting a standard for adequacy:

  • clarifying the territorial application of the Quebec Privacy Act;
  • strengthening transparency by requiring identification of the data controller;
  • clarifying sensitive information; and most significantly,
  • putting in place data agreements for onward transfers.

The last one has relevance for all of Canada – this is an issue raised with the Federal Commissioner’s Office, over the fact that transfers can take place from the EU to Canada freely, but there are no controls over onward transfers – say to the US. I think that this decision sets out expectations not only for Quebec, but for all of Canada, and is possibly also a message to the ‘league of the adequate’ nations as to what they will have to start doing to keep pace with changes in the EU.


Could ‘lawful access’ jeopardize Canada’s adequacy status with EU?

In the midst of the debate over Canada’s lawful access proposals – Bill C-30 or the misleadingly-named Protecting Children against Internet Predators Act – some have compared the removal of requirements for warrants and court oversight, as well as the lack of transparency, to the USA Patriot Act. I think those observations are valid, but what doesn’t appear to have been recognized or discussed is the possible impact on Canada’s adequacy status, especially given the proposed new EU Data Privacy Regulation. Bill C-30 would arguably put our adequacy status on the table for revocation.

The proposed EU regulation provides for the ability in Article 38 to review adequacy, and suggests more vigorous tests for adequacy; as well, it permits the EU Commission to consider sub-divisions (states or provinces) in considering the extent to which a country is considered adequate. I would regard the willingness of the EU Commission to challenge the Hungarian data protection authority on the basis of its independence as a strong signal that they will in fact regard the efficacy of privacy regulations, independence and enforcement authority in determining adequacy.

So: if the EU were to re-consider PIPEDA as it currently stands, under the new regulation, AND with ‘lawful access’ as contemplated by the Conservative government presently, would we get a finding of adequacy? I suggest not:

  • It is the lack of judicial oversight, accountability and transparency that makes the Patriot Act in EU (and Canadian) eyes intolerable. The impact of this cannot be overstated. Even if the proposed framework for consumer privacy recently unveiled by the White House is adopted, while certainly very welcome, there would still be the underlying weakness that the Patriot Act would trump privacy protections, and doubtless stand in the way of EU acceptance of a US private sector privacy law, much less recognition of its adequacy. If this is the case for the US, then moving Canada to a regime that mimics this lack of oversight and transparency would undermine current recognition of PIPEDA.
  • Sometime over the next year to two years, the EU Privacy Regulation will be adopted, hopefully with some of the problematic areas worked out; there is no reason at this point to think, however, that the provisions relating to adequacy will change. It puts all countries who have achieved adequacy on notice that they will have to ensure their laws keep pace with the development of the Privacy Regulation.
  • With an adequacy review likely and inevitable, it follows that Bill C-30’s Patriot-like features could undermine our status as adequate. This will have a negative impact on Canadian business, and put us in effectively the same position as the US in terms of the difficulties in dealing with cross-border transfers of personal data.
  • It is not only Bill C-30 that should be making us consider our adequacy status. Canada should be keeping PIPEDA up to date, and enacting Bill C-12 updating PIPEDA would help ensure we meet heightened EU expectations through stronger enforcement as well as breach notification. This bill has languished, despite the support of all parties, and as Michael Geist has pointed out, is now somewhat out of date; nevertheless, strengthening privacy protections has to be part of a serious and reasoned approach to lawful access (see Professor Geist’s comments in this regard), and now, critically, to retaining our adequacy status.

In both my professional work and in discussions with privacy professionals, I have always touted Canada as the ideal ‘data hub’ bridging the EU and Canada. Locating a data centre in Canada means (for Americans) near-shore support with a culture and language largely similar to their own and in the same time-zones; for Europeans, our privacy laws and culture have been recognized as similar to their own, and so locating EU data in Canada has been more ‘comfortable’ as a concept. I have always wondered why we have not been more aggressive in selling Canada in this fashion.

I would say that Canadian values for privacy and respect for the individual, and regard for due process supervised by our courts, would be enough of an argument against C-30 as it is drafted. Certainly we should be paying attention to the concerns of both our Federal Privacy Commissioner and those of the Ontario Privacy Commissioner. However, it may speak to the Conservative government more forcefully to consider the economic impact on Canada before introducing lawful access provisions without due regard to our adequacy status with the EU.

Privacy Law Salon: My Learnings

I attended the Privacy Law Salon this week in Miami; it was a very worthwhile event with senior privacy officers and privacy lawyers in attendance. Canada’s very own Jennifer Stoddart, Privacy Commissioner, delivered a keynote on Thursday that was both frank and heartfelt, to our American colleagues, about the direction of privacy internationally. My congratulations to the organizing committee for a great event.

Chatham House rules apply to the Salon, so my comments are not about anything anyone has said specifically at the Salon; these are just thoughts that occurred to me while I was listening to this great group of privacy professionals talking.

First, I was struck by the lack of confidence by our American friends that there would be a way to address, or deal with, the new proposed EU Privacy Directive. They seemed to despair of reaching a middle ground with the EU, and feel that it is a choice of either simply living with the new EU directive, or turning aside (for instance, focusing on other markets), or finally a quid pro quo response of more diligently enforcing US privacy laws against EU organizations. Second, when I pointed out that the US has strong privacy laws in various sectors, and enforcement that puts the rest of the world to shame, the response was that the Europeans should know these things, and therefore must simply not care that there was in fact a privacy regime in the US even in the absence of a broad private sector law. Third, this contest of approaches between the US and the EU is characterized as a dichotomy between privacy and innovation, that enforcing privacy rights would undermine innovations springing from (largely) US-based companies.

My reaction and thoughts were along these lines:

Having spent a number of years being the ‘conciliator’ between US and EU colleagues (in different organizations), I was most distressed by this sense of despair. I have always found that by explaining what laws existed, and the diligent enforcement by the FTC and state attorneys general, as well as through private rights of action, the Europeans would ultimately agree that the perspective that Americans don’t care about privacy is quite wrong. I think that a concerted effort needs to be made by the US (both at the governmental and business levels) to map to the proposed EU directive the laws that do exist, and how the US has chosen to address the same issues that the Europeans are proposing to address through this new regulation. There are some issues on which there is, no question, some divergence of opinion – but I still see tremendous importance in engaging with the EU to discuss how problems relating to cookies and the right to be forgotten can be seen as issues that the US is also struggling with (do not track, and retention of PI, in my humble view), and is trying to address through different means.

The second response I would make to this pessimism is that it springs from a fundamental failure of communication which could be addressed by a four-prong approach. Mapping US to EU laws will help in educating the EU to understand the significant efforts that the US is making, but also in translating differences in legal concepts and approaches between the two. The US thinks of data protection as distinct from privacy, something that I think is not the case outside the US. Another step that would help in bridging this gap is actually asking Europeans (through focus groups, perhaps) how best to communicate the US approach to privacy. Furthermore, it is critical to explain the technology – do not make the assumption that all these innovative technologies, or how they are used, are fully understood by the policy makers in the EU. Finally, America’s allies – Canada, as well as many European countries – can be bridges to help create understanding and common ground.

The third and perhaps most important thing to do is to decide what privacy should look like in the US, independent of what the EU is doing. The lack of a broad private sector law affects the perspective that the US doesn’t “care” about privacy – something I think would change even if all it did was codify and consolidate the many laws (one of our participants said there were over 200) that cover privacy. One lawyer said this notion of reform or codification was unlikely given the current politics and election year in the US – but what about a restatement of privacy laws? An informal codification of existing laws requires no legislative changes, but would present a formidable argument that there is already a significant correspondence to the EU privacy regulation. Even if it incorporated voluntary frameworks and best practices in FIPS, this would be a tool for organizations (used in conjunction with the next point, GAPP) to erode the notion that ‘America doesn’t care about privacy’.

Fourthly, GAPP privacy controls (in conjunction with ISO security standards) represent some significant thinking about actually implementing privacy, which is an area where I do believe many US organizations are ahead of their European counterparts. This is how companies can demonstrate (in an auditable fashion) effective privacy management, which leads into the next point…

There are a lot of good things in the EU proposal. I am very excited about the efforts to clean up the bureaucratic issues with compliance, and the revamping of Binding Corporate Rules (BCR) as a way to meet organizations’ compliance requirements in the EU. A concerted focus by the US on using BCR as a tool for US organizations to meet EU expectations would, I think, be well received, and make compliance (even with the new expectations in the EU privacy regulation) easier.

I am also responsible to an American-based organization, despite being a Canadian, to promote its best interests. I feel that isolationism is more harmful than helpful; only full engagement, given the global nature of business today, can best promote the interests of business. The notion that there is a choice between innovation and privacy is a false dichotomy and at best a red herring: privacy by design, a concept being promoted by the EU regulation, is fully capable of meeting the goals of innovation while still being respectful of personal rights to privacy.

No one is saying that finding the middle ground will be easy: nothing worthwhile is.