Global Security of Personal and Confidential Information

28 February 2005

Ensuring that personal data is protected and privacy safeguarded cannot be left to the good intentions of those entrusted with the collection, storage or use of this information. In a virtual world, where technology has made data collection easy and the global transfer of data commonplace, principles of secure handling must govern how such information is collected and managed.

It is indeed a small world.

Privacy protection in data collection and warehousing, and in the use of such data, is a global concern. Different jurisdictions have responded differently. Below are the essential differences in how the European Union (EU), Canada and the United States of America (US) address privacy protection.

  • The EU Privacy Directive covers all member states and, therefore, is supranational in application, unlike privacy laws in either Canada or the US, which are applicable only to those respective countries. The EU Privacy Directive covers 25 countries to date.

  • The EU and Canada enshrine privacy concepts in legislation. In the US, these concepts are managed by self-certification and self-regulation on a national basis. There is no national law of general application that regulates privacy except for laws regulating financial and health information.

  • The framework that has been established by the United States Department of Commerce to allow for the application of common privacy principles in accordance with EU requirements is called "Safe Harbor". It is entirely voluntary.

  • In the EU, each member state is required to provide for an administrative body to hear complaints, conduct investigations, and to engage in legal proceedings where the Directive has been violated. In addition, persons in EU member states have rights to judicial remedies and damages awards where their privacy rights have been breached. In Canada, non-compliance with privacy principles may result in an investigation or audit by the federal Privacy Commissioner and possibly an application to the Federal Court if the matter is not resolved.

  • In the US, Safe Harbor participants must provide a dispute resolution mechanism as part of their Safe Harbor obligations. Additionally, enforcement of Safe Harbor commitments could occur under the Federal Trade Commission Act provisions that prohibit unfair and deceptive acts, or under other statutes that prohibit that type of activity.

In Canada, the regulation of privacy approximates the EU approach. The essential elements of each jurisdiction's approach are discussed in more detail below.

Note – readers are cautioned that this summary is provided for informational purposes only, and is not intended to be an exhaustive or up-to-date study of privacy laws, rules or policies in Canada, the US or the EU. Readers are encouraged to visit the websites of the Privacy Commissioner of Canada, www.privcom.gc.ca, the European Commission www.europa.eu.int, and the US Department of Commerce, www.export.gov/safeharbor, for more complete information.

Implementing Privacy Protection – Three Approaches

Three major jurisdictions involved in framing and enforcing laws and standards that protect the privacy of personal information transmitted and stored both within and between their respective national borders are Canada, the European Union (EU) and the United States of America (US). All adhere to a set of similar privacy principles, although each has a different approach to implementing privacy protection. The following summarizes those differences.

CANADA
Canada, like the EU, has comprehensive privacy legislation in the form of the federal Personal Information Protection and Electronic Documents Act ("PIPEDA"), as well as substantially similar legislation in some provinces such as Quebec, Alberta, British Columbia, and Ontario (health sector information only). Schedule 1 of PIPEDA contains ten privacy principles, which are comparable in scope and intent to those described in both Chapter II of the EU Data Protection Directive and the US International Safe Harbor Privacy Principles. The legislation, implemented in three stages between January 2001 and January 2004, was officially recognized by the European Commission on 20 December 2001 as meeting EU requirements for the protection and trans-border transmission of personal data between EU member states and Canada.

PIPEDA establishes a complaint mechanism for individuals to make complaints where they believe that an organization has not complied with PIPEDA. Under Section 11 of PIPEDA, an individual has the right to file with the federal Privacy Commissioner a written complaint against an organization. The Privacy Commissioner is required to investigate all complaints, and may also initiate complaints on his or her own initiative. The Privacy Commissioner will generally issue a report on the complaint but is not obligated to report on all investigations. [1]

Under Section 18 of PIPEDA, audits to ensure compliance can be carried out by the federal Privacy Commissioner’s Office if the Privacy Commissioner has "reasonable grounds" to believe that an organization is contravening PIPEDA or is not following one of its recommendations. Audits are therefore a purely discretionary device but give very wide-ranging powers of enforcement to the Privacy Commissioner, including searching premises (other than a dwelling house) and compelling individuals to give evidence and produce any information "that the Commissioner considers necessary" for an audit. Beyond privacy commissioners, either federal or provincial, no other level of administrative authority is specified in Canadian legislation, although the means exist for complaints in respect of certain matters to be referred to the Federal Court of Canada for a hearing.

EU
The Data Protection Directive 95/46/EC of the European Parliament was enacted in 1995 to protect individuals with respect to the processing and "free movement" of personal data. It applies to all economic or organizational sectors and, under Chapter 1, Article 1 paragraph 1, is binding on all EU member states. The legislation therefore effects a supranational oversight with respect to its member states. Article 4 paragraph 1, for example, compels each member state to adopt its own privacy laws or "national provisions" in compliance with the Directive’s principles. Contrast this with the situation in Canada and the US, where provinces and states, respectively, cannot be compelled to pass their own privacy legislation in strict conformity to federal regulations. (However, in Canada, organizations (which by definition include individuals) may be required to follow PIPEDA in the event that provincial privacy legislation is absent or the transfer of personal information crosses provincial borders.)

The Directive’s scope includes specific details about the administrative aspects of implementing compliance. Within the Directive, for example, three levels of authority were created: the supervisory authority, the controller, and the processor.

A supervisory authority is similar in nature to Canada’s federal Privacy Commissioner’s office. The supervisory authority is a public authority in a member state responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to the Directive.

A controller can be a person or organization, public authority or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller would be analogous to an organization in the PIPEDA regime collecting, using or disclosing personal information. Where a controller is established in more than one member state, the controller must ensure that each operation conforms to the applicable national privacy law.

A "processor" is fairly self-explanatory – it is an individual or organization that processes data on behalf of a controller. A typical example would be a third-party payroll service.

Under Section IX, Article 18, of the Directive, all member states must ensure that controllers inform the "supervisory authority" of "any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes" before implementing these processes. Member states are further required to create and maintain a register of controllers and their processing operations, although provisions exist for simplified filing and exemptions. In accordance with EU laws, the register "is intended to provide information to the public" and "is open to consultation either by the public in general or by any person demonstrating a legitimate interest." In the UK, for example, controllers are registered on "The Data Protection Register", which lists, among other things, the types of information collected, the typical uses, and the disclosures for each registered controller. Neither Canada nor the US possesses a public register of processing operations.

As noted above, a supervisory authority exists within each member state of the EU, and each supervisory authority acts in a manner similar to that of the office of the Canadian Privacy Commissioner. Unlike the Canadian Privacy Commissioner's office, however, supervisory authorities are kept informed by controllers of the controllers' data processing activities. Exercise of their powers is confined to the member state for which they are the supervisory authority, although the Directive does call for co-operation between supervisory authorities, and suggests that one supervisory authority may call upon another to exercise its powers in its jurisdiction (perhaps where a data controller spans several member states and is operating in contravention of the Directive in all of them).

EU supervisory authorities are obligated to hear claims in respect of the treatment of personal information. According to Chapter VI, Article 28, Paragraph 4 of the Directive, each authority "shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data." The Directive goes on to provide that any person who suffers damage as a result of an unlawful processing operation, or of any act incompatible with the national provisions adopted pursuant to the Directive, is entitled to receive compensation from the controller for the damage suffered. Contrast this remedy with PIPEDA, which provides only that the Federal Court, in addition to other remedies, may grant damages to a complainant for humiliation.

USA
In the USA, the approach to protecting personal information differs from that of Canada and the EU in that there is no national, comprehensive privacy legislation that applies to all sectors. The legislation that does exist applies to specific sectors such as financial and medical data. The gap between the sector-specific US approach and the EU's Directive, which prohibits the transfer of personal information to countries that fail to provide adequate privacy protection, threatened to disrupt over $120 billion in two-way trade dependent upon access to personal data.

Consequently, it was necessary to bridge this gap while at the same time providing a streamlined means for US organizations to comply with the EU Directive, in order to maintain the trans-border flow of data and ensure a high degree of privacy protection. The Department of Commerce, in consultation with the European Commission, developed a "safe harbor" framework between the two jurisdictions. The framework was approved by the European Commission in 2000 and put into effect in November of that year. Safe Harbor became an important mechanism specifically for US companies to avoid interruptions in their business dealings with EU member states. The US International Safe Harbor Privacy Principles are a set of privacy standards rather than laws. They are imposed through self-regulation and annual self-certification filed with the US Department of Commerce. An organization’s decision to participate is entirely voluntary. Joining requires self-certification, a fairly rapid process of completing a form and submitting it to the US Department of Commerce. Once the form has been checked for completeness, the organization’s name is added to a Safe Harbor list that can be viewed on the Safe Harbor website. No authentication of the submission’s accuracy is, however, made by the Department of Commerce.

In general, enforcement of Safe Harbor relies primarily on private sector enforcement under US laws, rather than on government authorities. Under the Safe Harbor Privacy Principles, organizations must provide: "readily available and independent" recourse mechanisms to handle individual complaints; follow-up procedures to verify an organization's attestations and assertions about its privacy practices and their implementation; and obligations to remedy failures to comply with the Safe Harbor Privacy Principles, together with the consequences of failing to comply. Where an organization relies on self-regulation to take advantage of the Safe Harbor regime, its failure to self-regulate must also be actionable under Section 5 of the Federal Trade Commission Act, or under another law or regulation that prohibits unfair and deceptive acts. There is, however, no US equivalent to either the Canadian Privacy Commissioner or an EU supervisory authority with wide-ranging legal powers to investigate infringements and compel organizations to provide information.

[1] In situations where there are other more appropriate means of dealing with the complaint (e.g., a grievance procedure or another federal/provincial law should be used to address the issue), the complaint is essentially stale-dated, or the complaint is frivolous or vexatious, the Commissioner is not obligated to produce a report.