Protecting privacy: Canadian perspectives

Remarks at the 20^th annual convention of the Association sur l’accès et la protection de l’information (AAPI)

April 25, 2012
Quebec City, Quebec

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)

Thank you for your kind invitation. It’s always a pleasure to come back to Quebec City and see my friends and colleagues from the Association sur l’accès et la protection de l’information. (...)

In Quebec City, I also find friends and former colleagues from the Commission d’accès à l’information, which is celebrating its thirtieth anniversary this year. (...)

As professionals in the field of data protection and access, you know that the right to privacy is central to all the burning issues of the day. Privacy issues cross the boundaries of economic sectors, spheres of activity and jurisdictions.

I would like to take advantage of the time that you have given me this morning to talk to you about some of the work that the Office of the Privacy Commissioner of Canada has been doing nationally and internationally. First, I will look at the draft European Data Protection Regulation and what this proposal means for Canada. Second, I will say a few words about the hot issues in public safety that we are monitoring closely.

Draft European Regulation

As promised, I will start this overview with a few words on the personal information protection regime in Europe and the impact that its updating could have on this side of the Atlantic.

We all know that nowadays, commerce barely slows down at the border, whether between two provinces or between two states. The duty to protect the personal information of all consumers when it travels beyond the borders of Canada or of a province that has its own legislation on the private sector rests upon the federal Office of the Privacy Commissioner.

That is why we have been following with interest the proposed update of Europe’s personal data protection regime, launched by the European Commissioner for Justice, Viviane Reding.

First let me situate you in the current context. The European Commission issued the Data Protection Directive in 1995. Like Quebec’s Act respecting the Protection of personal information in the private sector, which came into force the preceding year (January 1, 1994), the European directive reflects the basic principles that have guided the drafting of subsequent laws elsewhere in the world. Based on the eight principles of the OECD Guidelines (adopted in 1980), the European directive is intended to harmonize the standards of member states so that the personal data of citizens of the European Union is protected, including outside the Union.

As regards international trade, the personal data of EU citizens can be sent to a third country only if that country’s legislative framework has been deemed adequate.

The adequacy of the Personal Information Protection and Electronic Documents Act was recognized by the European Commission in 2001. This federal Canadian act was the first clearly non-European law to receive this recognition, and the first outside Europe.

In January, the European Commission proposed a comprehensive reform of the rules adopted by the European Union in 1995. The draft Regulation unveiled in January represents the cornerstone of the proposed new framework.

The proposed Regulation would differ from the current Directive above all in its legal status: whereas the Directive had to be incorporated into the laws of member countries, the Regulation would be binding in itself.

This fundamental difference is intended to meet a prime objective of the reform of the European framework, which is to harmonize personal data protection among the EU member countries. This is because the experience of the past 15 years has highlighted the importance of having data protection regimes that are similar, compatible and practical.

The second goal of the reform of the European framework is to strengthen the protection of individual rights. This objective is reflected in such provisions as the right to be forgotten and data transferability. Individuals will have better access to their personal data. The application powers of the various data protection authorities will be more uniform and robust, and this too will advance individual rights.

The third goal of the reform of the European personal data protection framework is to reduce the administrative burden of companies doing business in EU countries. It goes without saying that uniformity among the laws of the EU member states would make life easier for those who do business in these states. Other components of the proposed framework, such as an easing of the requirements to declare data processing to national authorities, also work in this direction.

The draft Regulation would also have consequences for authorities outside EU member states. First of all, the draft Regulation explicitly mentions the possibility of recognizing the adequacy of infranational laws of federated states, whereas the Directive does not.

In this regard, a few years ago, the former chair of the Commission d’accès à l’information, Mr. Jacques Saint-Laurent, and I had the opportunity to discuss the division of powers between Canada and Quebec at length with the Article 29 Working Party, when it was examining the protection afforded to personal information contained in the ADAMS data base of the World Anti-Doping Agency in Montreal in 2009. Although the Working Party has issued an opinion on this subject, the European Commission has yet to make a pronouncement as to whether Quebec law is adequate in this regard. We hope that the explicit mention of infranational regimes in the draft Regulation reflects a willingness to further clarify such situations.

Another consequence that the proposed regime would have for data protection authorities outside Europe is that the standardization of national regimes, and especially the appointment of a single EU Data Protection Authority to speak with non-European businesses, will greatly facilitate cooperation in concerted investigations.

In other regards, the proposed European framework would remain the standard of excellence in personal information protection. Multinationals that do business around the world will have to make their personal information protection policies conform to this enhanced standard, and this will have the effect of improving the lot of all their customers, wherever they may be.

The Office of the Privacy Commissioner of Canada draws inspiration from this proposed strengthening of the European regime in its own efforts to enhance the Canadian normative framework.

Public safety

I would now like to move on to the second part of my talk and discuss issues of the day in public safety.

Measures to improve safety have gradually been strengthened since September 11, 2001. This is a paradox, since these measures intended to protect us too often do so while encroaching on our civil liberties, which are at the heart of the integrity that we are trying to maintain.

The Office of the Privacy Commissioner of Canada examines bills and programs related to public safety and that have an impact on privacy by using an analytical framework anchored in an empirical approach to determine whether the measures really are necessary, and in a legal framework to assess their legality.

I would like to speak briefly about two of these initiatives this morning, namely, the Canada-US perimeter security agreement and Bill C-30 on lawful access.

Beyond the Border

In February 2011, Prime Minister Harper and President Obama signed Beyond the Border, a joint declaration aimed at boosting trade and enhancing safety.

In June 2011, our Office submitted recommendations to the Government of Canada on protecting personal information within the framework of such a partnership, which will necessarily involve a greater exchange of sensitive personal information between the two countries.

In December 2011, Canada and the United States released an action plan spelling out how the perimeter security declaration would be implemented. A central point of this action plan is the commitment by the two partners to issue a joint statement of personal information protection principles by May 31, 2012. We will examine it carefully, as well as all the measures flowing from the action plan.

To this effect, earlier this month, Mr. Chartier and I, together with our counterparts from the other provinces and territories, signed a resolution calling on the government to make sure that none of the programs created to implement the action plan will compromise the standards and values underlying our privacy laws.

This joint resolution includes the following recommendations:

• That any action plan initiative involving the collection of personal information include appropriate redress and remedy mechanisms;
• That Parliament, the provincial and territorial privacy commissioners and representatives of civil society take part in designing these initiatives;
• That information about Canadians be kept on Canadian soil whenever possible;
• That new surveillance technologies—such as unmanned aerial vehicles—be subject to appropriate controls and a proper regulatory framework.

A privacy impact assessment must be performed for all federal government programs that involve personal data processing, and this assessment must then be submitted to us for review. Consequently, all federal programs resulting from the action plan’s implementation will be subject to such a review. We will examine each of the privacy impact assessments that we receive in the Beyond the Border context using the empirical analysis model that I described earlier, meaning a model based on a legitimacy criterion and the principles of fairness in information handling.

Lawful access bill

Another hot issue that we are following closely in Ottawa is Bill C-30, designed to broaden police investigative powers on electronic networks. This is both a hot issue and a longstanding one, since the government’s initial consultations on lawful access date back to the twentieth century.

The current bill, C-30, has generated much comment since it was tabled in Parliament in February. We have had a chance to review it and compare it with the previous legislative iteration of the proposed measures, which included three separate bills (C‑50, C‑51 and C‑52).

We were happy to note certain improvements over the previous bills, improvements that respond in part to the recommendations that we made to the previous Parliament.

However, several aspects of Bill C-30 still cause us concern. I wish to emphasize that these are not new concerns: we expressed them to legislators numerous times when commenting on the previous bills on legal access.

We acknowledge that the advent of new information technologies leads to new public safety challenges.

However, encroachment on fundamental rights and civil liberties profoundly changes the relationship between citizens and the state—the state that represents them and is supposed to protect them.

That is why it is essential that the state’s power not encroach on civil liberties, except where such encroachment is appropriate and justified, and only in clearly defined circumstances and with very strict oversight. We are encouraged by the recent decision of the Supreme Court in R. v. Tse. This decision states that a section of the Criminal Code that permits access to private communications without prior authorization in an emergency is unconstitutional.

When Bill C-30 is submitted for study in committee, I will be happy to once again share these observations with Parliament.

Conclusion

This concludes my overview of the issues of the day from Ottawa’s vantage point. You will have noticed from the examples I have given that a favourable resolution of these issues often depends on collaboration with my provincial counterparts. I would therefore like to once again thank Mr. Chartier and the members of the Commission d’accès à l’information for the collegiality that they demonstrate in their exchanges with us.

I hope to see you all at noon, when the Association sur l’accès et la protection de l’information launches the educational kit that it has prepared with the support of the OPC's Contributions Program. I have had an opportunity to see the results of this project, and it truly is a very high-calibre achievement.

I wish you all two excellent days at your convention.