Information & Ethics Committee on June 13th, 2017

Unfortunately, the working language we use most often in our organization is English.

Allow me to speak to you in English.

It is my pleasure. Chair, and distinguished members of this committee. I really appreciate this kind invitation for me to speak to you today. Let me say that I'm very honoured.

I'm not the EU legislator. I am not formally in charge of any adequacy finding. I represent an independent institution, like the Privacy Commissioner of Canada. We share in all the EU duties and powers of national data protection authorities. Being Brussels-based, however, we also are influential as the special and first adviser of the Council of the European Union and the European Parliament. We're better positioned to be of help.

My third introductory remark relates to our excellent working relations with the Privacy Commissioner of Canada. In general terms, we've always had a very close and fruitful strategic partnership with Canada. We also had the occasion, just to give you an example, to submit our pleadings to the European Court of Justice concerning the Canadian PNR. We had a chance to interact with some of our colleagues in Canada so as to be fully in touch with your legal framework.

I'm very pleased to be at your disposal and to answer any questions you may have about the process and the content of revising PIPEDA. I've been intimately involved in the reform of the European data protection rules. We are here to advise legislators. We adopted many opinions. We have been in touch with the rapporteurs and shadow rapporteurs. It was a process that took almost a decade from consultation, to proposal, to very long negotiations. Now we are focusing on implementation.

My institution will be one of the members of the newly established European Data Protection Board, the new EU body that will replace the existing advisory board, the Article 29 Working Party of the European Commission. In addition, the EDPS, the European data protection supervisor, will also serve the board as secretariat. So 20 people from my staff will be delegated full-time to this initiative.

We are investing all our energies to be ready on day one, May 25 of next year. The GDPR, general data protection regulations, adopted last year and published last year on May 4 in the official journal, comes into force next year in May. Today nothing prevents a data controller from starting with real implementation, although full implementation, with enforcement, can only start at midnight on May 24 next year, when we come to convene all colleagues for the first meeting of the European Data Protection Board.

We are also putting our energies into complementary and necessary reforms. We need, notably on electronic communication privacy, the so-called e-privacy regulation, which is likely to replace the existing e-privacy directive. We have more or less the same approach as for the GDPR versus the 1995 directive. In addition, we are also expecting new rules applicable to the big galaxy of the European Union institutions and bodies subject to my supervision.

We're doing the work of a generation, and the challenge is to make sure people get to enjoy the new rights on the online world. The GDPR is going to be in place for, I predict, at least 15 years, which is more than a decade.

We can see that we have legislated not only for millennials, but perhaps also for the mid post-millennials who have only ever known a connected world. Therefore, the challenge is to consider the reinforced rise in the GDPR and the new rise such as those concerning privacy by design and privacy by default that can be called big data rights.

We really want to be more conversant with new technologies, to be future oriented, and to be, let's say, neutral from a technological viewpoint. You will not see any specific legislation on social networks or other specific applications, though the new rules on profilings, the right to be forgotten, and the rate of data portability are designed to be horizontal.

I see a line of continuity between current legislation and the future one in making existing and new rights and freedoms meaningful for ordinary people and more effective in practice. We will have to depart from former requirements and focus more on substantial safeguards. Therefore, there is a convergence across the world on how these rules are to be drafted and applied, and I see Canada as part of this convergence. I see a growing consensus.

We're now in a position today to focus on transfer of personal data, which is a key factor in this debate. You may be interested to know what is new in the GDPR as compared to the directive and, of course, I can only quote Daniel Therrien, the federal commissioner, to say that the GDPR contains some provisions that did not appear in the current directive and also do not appear in PIPEDA: portability, erasure, privacy by design, and privacy by default. Therefore, we have to analyze together the differences in the two statutes.

I am pleased answer any questions about the major differences between the directive and the GDPR about the process for determining PIPEDA's adequacy status under the GDPR, although neither the current directive nor the GDPR provide for any specific process, but we know what the approach could be.

I guess you will be interested to verify the criteria for determining the adequacy status, what it means after the Schrems case, digital rights versus Ireland, judgment for the European Court of Justice, what it means, and an adequate level of protection of personal data essentially equivalent to the one in the EU. Would you expect consultations with Canadian authorities, for instance, in the evaluation of the new approach in Canada, if any? What about the timelines, and more specifically, what are the long-term implications of the Schrems decision that were confirmed by the Court of Justice in coming decisions? One of them relates to the Canadian PNR.

If this is the right approach, we may focus then on specificities concerning either the retention of data or the protection of children. Many companies are interested to verify, for instance, which consent is to be re-collected once the GPR enters into force. I think we have enough food for a fruitful discussion.

I don't want to abuse your time, and I think it's much better to now go into specificities in answer to your questions or focus on more detailed issues.

It's not only sunny but extremely hot.

This is the million-euro question. Let me say first that there is no regulated process that expresses [Inaudible--Editor] in the GDPR. We should build on the basis of the criteria. First of all, existing adequacy decisions will remain in force up until the moment they are updated or repealed. There is a line of continuity.

Second, we have a lot of clarification in the GDPR as compared to existing direct.... For instance, the commission will now be able to adopt those adequacy decisions also for the law enforcement sector. It's much more clear that the new GDPR will allow for an adequacy determination to be made with respect to a particular territory of a third country, or even to a specific sector or industry—so partial adequacy findings.

Although the GDPR provides for a rebus sic stantibus approach, a periodic review of every adequacy finding, including existing decisions by the European Commission at least every four years, we're not in a hurry to put Canada on top of our decisions. You should now verify on the basis of the new, extensive list of criteria now listed in the GDPR for the assessment of that adequacy, what is needed.

My first recommendation before entering into details is to realize that chapter 5 of the GDPR is much less relevant compared to today. Today we apply the European Union legislation on data protection, mainly the two directives, to companies established in one of the European Union countries. Therefore you have to discuss to what extent a controller is established here.

As of May 25 of next year, the principle will be different. It will no longer be a mix of territoriality and establishment, but a system where we pay attention to the place where the services are delivered. The entire set of provisions in the GDPR will be fully applicable, including but not only, those on transfers to controllers offering goods and services into the EU remotely, or profiling people at a distance.

It means that if, for a company, there is a perspective to have a continuous processing of personal data, not only in a one-way direction to Canada, attention is to be paid to the full set of provisions, not only to chapter 5. Assuming that we are only considering a minor dimension, which is the one of transfer, we have to pay attention to a second important approach. The GDPR was drafted and prepared for final adoption before the Schrems case, which relates to October 6, 2015, when it was too late to change the wording.

Adequacy now is a little different. We started in the seventies with the requirements of essential equivalence. If we look to the convention 108, adopted in 1981, the system in another country should be equivalent. The directive adopted in the EU in 1995, so 14 years later, has been focusing on something lighter, what is simply adequate. Then we have criteria to verify when a country or a system or a territory is offering an adequate level of protection.

Now, because of the new legal status of the Charter of Fundamental Rights and because of the Lisbon treaty, which is de facto the European Constitution, the European Court of Justice has said that these criteria are to be read jointly, with the condition expressed by the same court in the Schrems case.

They read what is adequate as now being essentially the equivalent.

Yes. It's a very similar approach, and indeed, the adequacy will also relate to the law enforcement sector. This sector can be evaluated in two different areas. One is the processing of personal data by private controllers. The other is the accessing of data by police forces and by members of the judiciary. The directive is to be implemented by members states differently than the regulation, by May 6 of next year. We are now looking for a coherent approach to prevent the member states from departing from the right approach and introducing some, let's say, strange details.

The police directive is in force. However, because it's a directive and not a regulation, member states have until May 6 next year—so 19 days before the full entry into force of the GDPR—to transpose it into the national system. This is because it has more implications for domestic processing of personal data by police forces.

This is one of the areas where we have novelties in the EU.

First off, there are three important rulings from the European Court of Justice concerning independence of supervisory authorities. They relate to Germany, Hungary, and Austria. In these three cases, the countries have been found in breach of the existing directive and there are important recommendations to the legislators to bring forth independence, autonomy of supervisory authorities.

Secondly, the Court of Justice has said that the exercise of all existing powers in directive 95/46/EC is essential in terms of raising the independence, particularly the advisory role, the existence of a robust supervisory role. Therefore, now the regulation and the directive provide for a full list of reinforced powers, an entirely new scheme in terms of budgetary lines, requirements in terms of appointment, and relationship with government and relevant parliaments, depending on the legal system in each country.

Each DPA should be equipped with substantive powers in terms of warnings, with a view to admonish relevant comptrollers. Another novelty relates to the application of administrative fines. It is now mandatory for all member states to keep independent supervisory authorities with the duty and power to apply those fines where appropriate. The novelties are not only in terms of enforcement, but also with a view to consider all seven functions of a DPA listed by a famous Canadian professor, Colin Bennett, together with Charles Raab. They drafted the book listing seven missions of DPAs, including those concerning awareness, with a view to creating also a culture in terms of data protection.

In terms of more co-operation and more transparency, DPAs should be more selective in exercising their functions. One of the key pillars of the new regulation is accountability, which means that each private and public comptroller is requested to go beyond mere compliance, to have an internal policy to demonstrate that they comply in practice, to have an answer to every pressing need, including the allocation of resources and responsibilities. We would like to treat all comptrollers more responsibly, as adults, we might say. Therefore, DPAs should be more effective when appropriate, but also more selective, and more transparently define their priorities. They should publish a program and they should be more predictable, more accessible, and more protective.

So it's a less prescriptive approach, with more engagement, more interaction with new technology. It's also from the perspective of making new rules on accreditation, certification, seals, and privacy by design and privacy by default more effective in practice.

This is a question where I risk displeasing you. Let me speak as a member of the judiciary, as I am, to say that the GDPR contains very little news on the right to be forgotten. You will not find any specific reference.

If you interview the rapporteur of the Costeja González case, he will furiously react to say that there is no wording in the judgment mentioning the right to be forgotten. He will say that it is actually a right to be delisted. He will say that there is no novelty in the ruling by the Court of Justice, and that the only novelty relates to the faculty of the data subjects involved to directly address the search engine instead of contacting other controllers.

In terms of perspectives, we attach real importance to the coming case before the Court of Justice. Once again, it's a preliminary ruling. It comes from the French council of state. Right after the Costeja González case, together with other national DPAs, we coordinated our enforcement actions, so we clarified which principles are to be defined.

Google, Bing, and other search engines have agreed on the principle. If we look at the statistics published by all of them, you will see that after the initial peak we are now in a reasonable trend. The large majority of requests by data subjects are properly considered, and where they are forwarded to the competent authorities—it could be a court or a DPA—the conclusion by those two is not different from the search engines'.

There is a convergent approach in identifying good reasons in terms of public interest not to delist the relevant information.

The area of disagreement relates to the territorial scope of application of the ruling. While DPAs consider that this should be global, and the French authority has adopted the decision to challenge it before the Court of Justice to say that we should also consider the dot.com domains, Google is of a different opinion, and this is why we are waiting for a conclusion.

The GDPR does not contain any reference to areas where the right to be forgotten is currently regulated by the civil penal code, common rules in all member states. Here I see that regardless of the GDPR, let's say it's business as usual.

The GDPR provisions on transfer of data apply to all controls in the public and the private area without any distinction. We have different criteria now for the assessment. They basically allow for it to say that it should be a global evaluation and not purely a legal one.

The criteria are the following. First of all, there is the rule of law, so we have to look to relevant legislation in force, both general and sectorial, including—this is an important specific novelty—that concerning public security, defence, national security, and criminal law. This is why we now have the case on the Canadian PNR but also professional rules, security measures, which are complied with in a third country or by an international organization. We would like to see to what extent certain rights are effective and enforceable, so we look to effective administrative and judicial redress for data subjects.

A second element relates to the existence and effective actioning of at least one independent supervisory authority. How they advise and assist with regard to the data depends on the extent to which they may co-operate with supervisory authorities in other countries, but also on the international commitments they may have as an international organization.

The commission adopted a communications package on January 11 this year to focus, as a priority for the next two years and up, the mandate of the current commission. They have declared that we'll look first to start with a new dialogue where necessary. Then we'll look at the extent of the European Union's even potential commercial relationship with that country, including the existence of a free trade agreement or ongoing negotiations. Then we will look at the extent of personal data flows from the European Union.

There is the pioneering role. This is an essential role for South America, for instance, that the first country plays in the field of privacy data protection, so it is something that could serve as a model for other countries.

Finally, there is the overall political relationship with the third country in question.

We focus on data protection but not only. There is no procedure to apply for adequacy as I said, but I can describe in detail which best practices are observed in practice.

With regard to the EU position, not just the one of my institution, you may look at the latest state of the union speech by President Juncker, which says we need coherence and consistency. Europe, regarding the GDPR with the directives I mentioned, would like to have one coherent single harmonized legal framework so that any trade agreement, including the one you mentioned, does not depart from the system but is fully in line.

The commission doesn't want to have substantive provisions relevant to a data protection viewpoint or to interpret existing or future trade agreements with a view to having lex specialis from a data protection viewpoint, although we are all aware that you may have some specific need to address certain specificities, whether a principle in terms of territoriality, or something concerning cloud computing servers, or something related to trade secrets.

In terms of general obligations for data controllers and data subjects that arise, the idea is to have everything in the GDPR and only in the GDPR.