Thank you, Mr. Chair.
Thank you for the opportunity to appear before you again.
I am a professor of political science at the University of Victoria, and I'm generally known for my comparative work on privacy governance in both the public and the private sectors.
I understand that you would like to know a bit more about the European regulation and its impact on Canada, so that's what I want to principally talk about, and perhaps suggest how it should or should not influence our deliberations here about PIPEDA. Then I will suggest three areas where there are some glaring divergencies between what we do in Canada and what the Europeans are proposing.
When the general data protection regulation comes into force across the entire EU in 2018, it will be the most comprehensive set of data protection requirements in the world, and it will, in large measure, set the standards for the protection of personal data in global electronic commerce and cloud computing. For countries like Canada, it contains important extraterritorial implications that we need to consider very carefully.
Under the former directive, as you know, Canada was awarded an “adequacy status”, meaning that businesses could legally process personal data on European citizens without further contractual mechanisms. The EU did not consider Canada, as a jurisdiction, adequate, just those organizations that were subject to PIPEDA. Nevertheless, the adequacy status provided some significant practical benefits to Canadian companies. More importantly, it sent a symbolic message that Canada was a safe jurisdiction within which personal data could be processed. That issue, of course, assumes a more critical importance in the context of CETA, which will presumably increase trade and therefore the volume of consumer and employee data that flows across the Atlantic to Canada.
To this date, only 11 jurisdictions have been awarded this adequacy status under the European directive, and Canada is by far the biggest economy within that number. For the United States, adequacy is granted only to those companies that have self-certified under the new EU-U.S. privacy shield arrangement. Under the general data protection regulation, the adequacy mechanism will continue and the countries that have been awarded that status will continue to enjoy its benefits for the time being. The EU Commission envisages a mechanism of periodic review at least every four years, so presumably we can expect an evaluation of the Canadian assessment by 2021, but there is no guarantee that the benefits of that status will continue. Furthermore, there are lots of other countries that are likely to want to get in line. The difference between 2001 and now is that now there are something like 100 countries around the world that have data protection legislation sort of on the European model.
In October 2015, there was a decision by the European Court of Justice in the so-called Schrems case, which was about Facebook, that invalidated the former EU-U.S. safe harbor agreement and that has changed the politics of adequacy assessment in a number of ways. There are three points to note.
First, an existing adequacy determination does not absolve a European privacy protection authority from investigating a complaint against a company residing in another jurisdiction. Adequacy is not, and probably never was, a get-out-of-jail-free card. Canadian companies are as vulnerable as others to challenge in the EU.
Second—and more recently since the Snowden revelations—the entire question of access to business data by security and intelligence services is now prominent in any adequacy determination. In 2013, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs called for a review of Canada's privacy regime in light of our participation in the Five Eyes alliance, so this whole question is now part of the assessment process. Those concerns also need to be considered in light of the assurances by the American government in the EU-U.S. privacy shield that access to personal data by U.S. law enforcement and national security agencies will be subject to clear limitations, safeguards, and oversight mechanisms, although that will be reviewed and it is the subject of ongoing litigation in Europe at the moment.
Thirdly, the European court raised the bar for adequacy assessments to have what is called an “essential equivalence”. We do not have any clear signals yet on what that means. It's rather like revising for an exam without knowing what the grading standards are. What aspects of privacy protection are going to be considered essential? There are some new things in the general data protection regulation that did not appear in the directive and are not really prominent in PIPEDA either. Are they going to be part of the test that includes? My colleagues have talked about the right to be forgotten. There's a right to data portability in the regulation, which I could talk about. There is the right to object to decisions made on automated processing. There is privacy by design and privacy by default. Which are essential principles, and which are methods of enforcement and implementation?
At the moment, the adequacy requirements in the regulation are quite vague. They have to be applied consistently, and I would suspect that the EU is not going to insist on legal reforms in other countries that either are unrealistic politically or that will obviously pose constitutional problems for some jurisdictions, especially the United States. In light of that, I think we should be reluctant to revise PIPEDA just because the Europeans want us to. In any case, there is unhelpful rhetoric about this regulation being kind of the gold standard for privacy protection around the world. It is a mix of different provisions, some of which have been imported from countries like Canada. We should modernize PIPEDA because it needs modernization, not because it will satisfy a vague and shifting set of standards imposed from Brussels. We should take note of what the Europeans have done and draw lessons. I suspect that serious efforts to update and amend PIPEDA will not go unnoticed on the other side of the Atlantic. On the other hand, I would suspect that leaving the law as it stands will send the wrong message.
With that in mind, in conclusion, I'd just like to draw your attention to three broad areas, in which, I think, there are the most glaring divergencies between what we do in PIPEDA and what the European regulation says.
Firstly—and I'm going to skip over this, because my colleagues have talked about it—are the enforcement powers of the Privacy Commissioner. Under the general data protection regulation, data protection agents are empowered to levy some really significant administrative fines against companies—up to 20 million euros or 4% of annual turnover. I would not suggest that we go that far. Fines do capture the intention like no other sanction does, but in general, having reflected on this, I think at the very least, the Privacy Commissioner should be given powers equivalent to those available to the B.C. Information and Privacy Commissioner under our private sector legislation.
Secondly, we need to ensure that the Privacy Commissioner has all the tools in the privacy toolbox. At the moment, PIPEDA is written in a very reactive way. The statute is written as if the entirety of this work is devoted to complaints investigation and resolution. As David Fraser said, there are provisions in PIPEDA that have not really been actively used over the years. I believe that the most effective functions are more proactive and they involve a variety of other instruments. As personal consent becomes far more difficult to obtain in this era of big data analytics, I think organizations are going to have to rely on these other tools. The general data protection regulation and many other contemporary privacy protection laws recognize the importance of these other policy instruments in effective enforcement implementation and say that organizations must stand ready to demonstrate their compliance by using such mechanisms—things like codes of practice, privacy seals, privacy standards, privacy impact assessments, and so on. The regulation tries to incentivize good privacy practices, and I believe that PIPEDA should try to do the same thing.
So I would like to see a more explicit recognition in section 24 of PIPEDA that the commissioner may encourage these kinds of tools and, in some cases, require the adoption of those accountability mechanisms by Canadian companies and their trade associations. In particular, there is privacy by design and privacy by default.
The general data protection regulation says that organizations, should, as far as possible, ensure that, by default, the only personal data processed are those necessary for each specific purpose of the processing. It goes on; it's complex. What it tries to do, therefore, is to ensure that privacy protection will become an integral part of the technological development and organizational structure of any new product and service, and to the extent that organizations do not do that, they are then subject to heightened sanctions if there are investigations.