Current data protection laws in Canada, like those in the US, are vertical – that is, specific to sectors such as healthcare or business. The ten privacy principles enshrined in the Personal Information Protection and Electronic Documents Act (PIPEDA) and other legislation are the only unifying element across sectors and jurisdictions in North America. By contrast, the European Union and many of its constituent states have committed to implementing a horizontal model, with a single data protection regulation cutting across sectors and jurisdictions. This allows for a more mature and integrated approach to the protection of personal information. With more data sharing across organizational boundaries, sector-specific laws are becoming increasingly difficult to apply, and many initiatives now require extensive consultation to establish relevant privacy obligations. Data sharing across jurisdictions raises further complications; in Canada, some provinces have similar privacy laws, but others have very divergent legislation. The European Commission’s 2012 decision in favour of comprehensive data protection reform has irreversibly committed the EU to a new approach designed for a big data environment. The EU’s pending General Data Protection Regulation offers much that Canada should consider emulating.
Six legal concepts that Canada should consider adopting from the EU:
- Comprehensive law approach: One set of rules allowing for streamlined provision and enforcement of data protection.
- Personal content privacy: Personality rights – individuals’ right to control the commercial use of their name, image, and other aspects of their identity – are an evolving field in Canadian jurisprudence. The provinces of British Columbia, Manitoba, Newfoundland and Labrador, and Saskatchewan have enacted privacy legislation dealing with personality rights, and Canadian common law also recognizes a limited right to personality. Such rights can also be found in the Civil Code of Quebec. Recent audio and video recording technologies raise new issues around the use and publication of individuals’ personal content. Legislation needs to be strengthened and expanded to keep privacy protection in step with these technological advances.
- Collective action: Citizens in Canada and the US can only launch complaints through the provincial or state privacy commissioner. This makes it much more difficult to launch class action suits and otherwise advocate for privacy as a citizen collective. The new EU legislation allows individual citizens to exercise their right to protect their personal data, including the right to be removed from databases and the right to transfer their data elsewhere. Citizens can appeal individually or through any agency, organization or association that works to protect their rights and interests. While North American laws do not offer any specific recourse, the pending EU Regulation guarantees the right to compensation for damages in the case of a privacy breach involving a single or multiple data custodians.
- Data breach notification: In line with a greater focus on privacy risk management and enforcement, the new EU Regulation requires that companies (inside or outside Europe) that hold information pertaining to EU citizens notify citizens in the case of data breaches. The pending Regulation requires that companies notify regulators of breaches within 24 hours, and affected individuals within 72 hours, particularly if the breach increases the risk of identity theft, humiliation, or damage to reputation. North American laws only mandate notifying local regulators of breaches at the company’s earliest convenience, which in practice means within two or three months, and notifying individuals within a similar time frame if there is a risk of harm to individuals as a result of the breach.
- Mutual responsibility for the privacy of shared data: In this model both the primary service provider who first collected personal data and third parties with whom that data is shared are held legally responsible for enforcing privacy provisions. North American laws require organizations to have adequate data sharing policies and agreements, but cannot enforce third party compliance with these policies and agreements. A shared responsibility model reflects greater privacy maturity by ensuring effective implementation through monitoring and governance of all data holders.
- National regulation of multinational corporate activity: The EU approach to data sharing across jurisdictions is based on territories, which means that foreign companies must comply with the laws of the countries in which their customers reside. The pending legislation will give national regulators the power to assess the legal compliance of multinational companies’ codes of conduct. Codes of conduct must contain satisfactory privacy principles and effective implementation tools, and demonstrate that they are binding. By contrast, Canadian citizens have little recourse to protect their personal information held by American multinational companies, which include most cloud computing service providers, since under the US Patriot Act all information collected by American companies is subject to US government surveillance.
Under the new EU legislation, fines for large data breaches will be a proportion (currently 2%) of the company’s gross revenue. Most North American laws define a set amount for fines, averaging a few hundred thousand dollars, which is insignificant for large companies. For companies to take privacy seriously, fines for violations must be set as a proportion of revenue.
- Binding validation of compliance: While current Canadian law requires privacy impact assessments for all initiatives handling personal information, the content of these assessments is defined only in terms of compliance with general principles. The pending EU legislation, on the other hand, defines very specific criteria for privacy impact assessments. Similarly, while North American laws require only that organizations create privacy risk mitigation plans, the EU Regulation makes corporate rules and policies binding, and through auditing and monitoring holds organizations accountable for their publicly and internally published policies.