Even Justin Trudeau thinks Canada needs to update its data privacy laws for the 21st century, but the recently passed E.U.-U.S. Privacy Shield probably isn’t providing the guiding light he might be hoping for, according to several privacy experts.
Instead, the current agreement highlights the need for an update: While our own federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA) was deemed “adequate” by the European Commission in the early 2000s, it’s scheduled to be revisited in the near future and might not meet the E.U.’s new standards – which many privacy advocates believe don’t go far enough anyway, the University of Ottawa’s chair of Internet and e-commerce law, Michael Geist, says.
“There’s a very real possibility that the E.U. could examine the adequacy finding for Canada and raise the same kinds of concerns that came up in the context of [Privacy Shield predecessor] Safe Harbour, potentially challenging whether Canada’s existing system – given some of the things we now know about surveillance and information sharing – is deserving,” he says.
That said, “there’s still a bit of an open question as to whether [Privacy Shield itself] meets E.U. law or not,” he continues. “There was a lot of political motivation to get a deal done, but I think there remains some ongoing concerns, particularly in the privacy community, which suggests that it still could be subject to challenges.”
Approved on July 12, the agreement, which E.U. member nations must incorporate into their national laws by May 6, 2018, establishes new regulations for data transfers between the U.S. and E.U., notably by imposing limitations on the access of U.S. public authorities to European consumers’ digital information; by requiring regular updates and reviews of companies that handle personal data; and by providing a clear method of conflict resolution for E.U. residents who feel their data has been misused without their consent.
However, it may still be struck down by the European Court of Justice, which ruled last October that Safe Harbour could not prevent U.S. companies from misusing data collected from the E.U. in light of the mass surveillance activities revealed in 2013 by Edward Snowden.
The court, which is presently awaiting guidance from the Article 29 Working Party, a group of European data protection authorities who have promised to deliver a report regarding the new regulations by July 25, may have similar reservations about Privacy Shield, Geist says.
Ontario’s former privacy commissioner has 3 questions for EU regulators
While Ann Cavoukian, who served as Ontario’s Information and Privacy Commissioner from 1997 until 2014 and now works for Ryerson University’s Privacy and Big Data Institute, calls the Privacy Shield “an improvement” over its predecessor, she also feels that in its current form the new regulations leave at least three key questions unanswered:
- Will U.S. companies be held to the E.U.’s privacy standards?
- Will U.S. intelligence agencies have access to the E.U.’s mass surveillance data?
- What redress is available to data breach victims?
One reason Safe Harbour was invalidated in the first place, Cavoukian says, is that U.S. companies weren’t obligated to provide legislative protection equal to European Union privacy laws, and many advocates feel that under Privacy Shield, they still aren’t.
“One can certainly raise the question of whether… equivalent protection has been extended,” she says.
Nor does Privacy Shield say that mass surveillance categorically cannot take place in the United States – that organizations such as the National Security Agency (NSA) or CIA, which employed Snowden, can never have access to E.U. citizens’ personal data.
“I believe that will continue to be a concern,” Cavoukian says.
Privacy Shield’s most egregious omission, however, may be its lack of an impartial observer, Cavoukian says: In its current form, the legislation promises an ombudsperson that reports to the U.S. department of state and acts independently of the country’s intelligence services.
“That’s certainly a good thing, but – BUT – and here’s the ‘but,’ they don’t say that the ombudsperson is going to report to someone outside the government,” she says. “For example, when I was privacy commissioner, I didn’t report to the government of Ontario. I reported to the legislature, which consisted of all three political parties… If I didn’t have that independence, there’s no way I would have been able to issue some of the reports I did, which were very critical of the government.”
By contrast, an ombudsperson reports to the department of state might be independent of U.S. intelligence services, but they are not independent of the government.
“If they wanted true independence they could send the ombudsperson reports to congress, and they didn’t do that,” she says. “So I think that could be a potential cause for concern, because the independence that the E.U. is seeking does not appear to be present in my mind.”
Like many in the privacy advocate community, David Christopher, communications manager of Vancouver-based OpenMedia, echoes Cavoukian’s concerns.
“The one thing that really raises a red flag with me is the way a lot of responsibility for how these rules will be interpreted actually seem to lie with very opaque agencies like the NSA,” he says. “And of course we know from Snowden that these agencies have a way of interpreting rules in a way that seem pretty clear on the outset but gives them a big loophole to suddenly capture all of this data.”
What that could mean for Canada
Despite Privacy Shield’s apparent drawbacks, in many ways even the current regulations are an improvement over Canada’s present data privacy laws, the experts say.
Like Geist, Cavoukian believes that Canada’s privacy laws would no longer be considered adequate under the new measures, noting that Daniel Therrien, Canada’s current privacy commissioner, has repeatedly said that Canada’s federal privacy laws haven’t kept up with technology.
In particular, the new legislation’s General Data Protection Legislation, which does not come into effect until May 25, 2018, represents a significant step forward, she says: unlike Canadian regulations, it incorporates the phrase “data protection by design and by default” into the law.
“That language – ‘data protection by default’ – is huge, because it says you should embed privacy-protective measures as the default setting in your company,” she says. “Don’t wait for someone to ask for privacy, embed it proactively – that’s huge.”
When contacted by ITBusiness.ca, the Office of the Privacy Commissioner of Canada simply sent an e-mail stating PIPEDA’s adequacy under European regulations, and suggested contacting Innovation, Science and Economic Development Canada (ISED) with further questions.
Hans Parmar, a media relations representative with ISED, wrote that the E.U.’s decision to revoke Safe Harbour and replace it with Privacy Shield would have no impact on Canada’s adequacy status.
“Canada’s approach to meeting EU privacy requirements is our national legislation (PIPEDA),” Parmar wrote. “The majority of countries with adequacy status have a legislative approach consistent with Canada’s.”
“Our privacy regime is based on internationally recognized standards, and we continue to strengthen our legislative framework to ensure it evolves to address new challenges and incorporates emerging best practices,” he wrote.
A standard to aspire to?
Despite his colleagues’ misgivings, cybersecurity expert and Cypfer Inc. CEO Daniel Tobok believes the Privacy Shield could mark a new height for Canadian regulators to reach, though he shares Geist and Cavoukian’s misgivings about Canada’s own data protection legislation.
Here in Canada we should be taking a look at this new policy, because it actually takes privacy regulation to the next level,” he says, noting that Europe’s previous regulations – established back in 1995 – left gaping holes for criminal activity which Privacy Shield has closed up.
“At least 50 per cent of the breaches that occur in Canada originate from a European direction,” he says. “And businesses in Europe are suffering with that, because there wasn’t really anything from a regulation point of view that could help them with data leakage. Now there is, and while it’s going to take time like anything else, I think it will be very beneficial for them.”
Tobok calls Canada’s current privacy laws and the fines they carry “a joke,” noting that companies are more afraid of the media embarrassing them after a data breach than paying $1 million to the government.
“Yes we have a privacy officer, but unless you’re in Alberta it’s not mandatory to report,” he says. “Until you have these regulations in place, no institution – like in retail, financial, anyone who has citizens’ private information – will take it seriously.”