Information & Ethics Committee on March 21st, 2017

I wish.

On the point about the provincial laws, I think there was an assumption initially that if PIPA in B.C. and Alberta, and the law in Quebec were considered substantially similar to PIPEDA, they would, by default, be considered adequate under the European Union standards. The European Union, however, has rejected an independent application by Quebec to have its law considered adequate, so that assumption is not absolutely correct. That's something that's going to have to be figured out in the context of the upcoming review of Canadian adequacy under the EU's GDPR.

At the moment, the adequacy standards of the European Union are stipulated, but they're quite vague. They have to do with respect for the rule of your law. They have to do with the essential principles of data protection. They have to do with the existence of redress mechanisms. They're trying to walk a very fine line between protecting the rights of European citizens when their data is processed overseas and interfering with the internal politics and constitutional requirements of other countries. That's where the tension has existed with the United States.

On the EU-U.S. privacy shield issue, I think that the continuation of that arrangement is up in the air at the moment, for a number of reasons. First, the standard to which that was negotiated was the old European directive and not the new one. Second, there's litigation in Europe at the moment, specifically in Ireland, about the mechanisms by which Facebook is transferring data to the United States. On either side of the Atlantic, there could be a pulling of the plug on that agreement.

On whether or not we should take account of that, I couldn't really advise, because we don't know what the future holds.

Thanks for the question. Let me unpack it a little bit. You've talked, in a sense, both about data transfer and data localization, and they're different things.

The issue of data localization is with regard to a country requiring businesses to store or retain personal information locally, ensuring that that information enjoys the protections that their national laws provide. In fact, it is also what our national government has done as part of a process that was started by the Conservatives, and continued by the Liberals in terms of a cloud-computing strategy, recognizing that there might be some information held by government that we would not want stored on servers elsewhere.

What I think we are likely to see in NAFTA and what we saw in the TPP, largely at the behest of the United States since they represent some of the companies that tend to store large amounts of data and tend to store it in the United States, are attempts to preclude countries from adopting mandates to require that data be stored locally. We're certainly seeing some commercial impetus for doing so.

That's why those big companies have set up those servers in Canada. They're responding, in a sense, to market demand for better protection, but I would argue that Canada should certainly be free to say that for certain kinds of information, we want to ensure that it is retained in Canada so that Canadians know that it is adequately protected and subject to Canadian rules. I am expressing concern that as part of the trade negotiations, we may find attempts to override that.

That, I should note quickly, is different from restrictions on transferring data across borders. We've also seen the United States focus on stopping restrictions doing that, but as Professor Bennett just explained, the European Union has tried to do exactly that. They have tried to create restrictions on the ability to transfer data across certain borders.

As somebody who practises privacy law on a daily basis and advises businesses, I think one thing that's notable—certainly it's been my experience and I've heard it anecdotally from others—is that the large banks, the large telcos, and the large Internet companies have squads of lawyers on staff. They have compliance people. They have international compliance people. In fact, their level of compliance is pretty high, although their risk threshold might be slightly different from that of a small or medium-sized business.

The level of awareness of the mechanics of how to actually comply with Canadian privacy law—how to get people's consent, how to manage all that, and how to protect information—is actually quite low in the very large portion of our economy. Here I refer to the SMEs across the board.

One thing I think is worth discussing—and I don't have a ready solution for it—is that although the Privacy Commissioner has done a lot of work with big banks, telcos, and Internet companies, how do you educate and reach those SMEs and incentivize them to protect Canadians' personal information better? I don't have an out-of-the-box solution for that.

I'll give it a try. I don't doubt Michael and Colin may have responses, and David, too.

I'll quickly say that it is readily apparent that these issues have entered into the realm of trade negotiations. We saw it unquestionably within the Trans-Pacific Partnership, within the TPP. The Secretary of Commerce in the United States, Wilbur Ross, has talked about the need to address the digital economy as part of renegotiating NAFTA.

If you look at the e-commerce chapter in the TPP, you see there's a blueprint for the kinds of issues that we are likely to see come up within NAFTA. They include things like data localization and data transfer. I should note that they also included in the TPP a provision on countries being required to have a privacy law, but it was a very watered down version in light of the fact that the United States, while it has strong enforcement, doesn't have broad-based privacy rules.

I don't think there's any question that we're going to continue to face those pressures. In some instances that might be a good thing. David talked about what it would look like if the Privacy Commissioner were given order-making power. He suggested it would look like the Human Rights Commission. I would argue that it would look like just about everybody's privacy framework. It would look like the other privacy commissioners across the provinces. It would look more like what we see in the EU. It would even look like the Federal Trade Commission in the United States, where we do see order-making power and the ability to enforce the common approach in many other places. The outlier in this case, actually, is the federal Privacy Commissioner, who hasn't had those powers.

I agree with that.

I'd just add one other dimension. It's something that I mentioned very briefly. In the politics of adequacy assessment, it is a political judgment, not just a legal judgment. I have a couple of points on this. One is that the Europeans really do want this system to work; they're not going to want the process of adequacy assessment to collapse. Therefore I think there would be a cost if, as I say, a country like Canada, a trade partner, were to lose its adequacy status.

Secondly, I would just reiterate that the whole issue about access by intelligence services and national security services, etc., to business-related data is also part of the equation. If you look at the EU-U.S. privacy shield, you see there's as much in that about that issue as there is about commercial transfers.

I think the general principles do serve us quite well. But what we've experienced, especially as new technologies have emerged in recent years, is specific privacy legislation or regulation trying to address new concerns, whether identity theft, or spam, or some of the national security issues that have arisen. We're now likely to see some of these other new issues come up. We've even seen data localization at a provincial level pop up in a number of instances as well.

I think part of it is a matter of being live to the issue. If we look at the experience with the TPP, we see that the Australians were aware of exactly what I have been talking about. They obtained a side letter from the United States specifically addressing the potential for them to be be subject to EU demands on the one hand and U.S.-led demands in regard to the TPP on the other hand. Canadian negotiators, with all respect, seemed to be asleep at the switch and didn't raise the same kind of issue and didn't obtain the same sort of thing. Had the TPP, which now seems like it's dead, come to fruition, Australia would have protected itself in terms of data transfer issues and privacy protection; Canada would not have.

What I would say makes sense for Canada is to open up the trade negotiations. If there was were a fundamental problem with the way the Conservative government, with all respect, negotiated CETA and the TPP, it was that it was done with an enormous amount of secrecy and then presented on a take-it or leave-it basis.

The TPP is dead. ACTA , which it negotiated, is dead, and CETA had to largely be renegotiated by the Liberals on key issues because of that secrecy. If we want to ensure that does not happen again when we talk about the NAFTA renegotiation, open these things up. The solution isn't to ensure that every negotiator knows the nuances of every single issue; the solution is to bring in many experts into the process through the negotiating process so that these issues get flagged as we're negotiating—not after the fact when it's too late to do anything about it.

I think all of them face the same issues and the same scrutiny, and I think many of them have addressed them in varying ways in order to incorporate that. Many of them build within their organizations particular firewalls to prevent the investigations from being tainted by the advocacy activities of the organization.

What I'm suggesting is that if you were to build a significant or real firewall, it would end up looking like the Canada Human Rights Commission or other sorts of models.