Accountability has increasingly become the nucleus of effective data protection in a world where the observation of people is critical to how machines and systems work and drives advanced analytics. Canada was the first country to explicitly capture accountability as part of its privacy law, and therefore actions in Canada have impact beyond Canada. Now accountability is a European General Data Protection Regulation basic building block and is part of the law in a growing number of jurisdictions. Accountability requires organisations to be both responsible and answerable. Technical privacy violations are relatively easy to enforce against, while accountability requires a different oversight approach. If privacy notices are not transparent or consents are not respected, there is tangible evidence of a violation. However, accountability requires an oversight agent, be it a third party or a regulator, to look at the full range of program elements and determine whether together they lead to responsible data use. Therefore, accountability failures typically are more difficult to identify and require more descriptive enforcement to make organisations answerable. Accountability is enforceable, but it requires new skills that are beginning to emerge at data protection agencies.
Recent investigations by the Office of the Privacy Commissioner (“OPC”) led the Commissioner to question whether accountability, as the basis for transborder transfers, can be effectively enforced. These cases led the OPC to revisit its 2009 guidance on transborder transfers and publish a consultation on whether those transfers should be governed by consent rather than accountability. Independent of that consultation, the Canadian Ministry of Innovation, Science and Economic Development announced that it will conduct its own consultation leading to recommendations to Parliament to update the Canadian private sector privacy law. The OPC has since suspended its consultation.
Prior to the suspension of the OPC consultation, the IAF drafted comments. The issue of accountability enforceability has been raised this year in other venues as well . Therefore, the IAF has determined that its comments pursuant to the suspended OPC consultation would have relevance to the readership of this blog. Those comments are below.
Dear Sirs and Madams,
This letter is in response to the consultation on transborder data flows (the “Consultation”) issued by the Office of the Privacy Commissioner of Canada (the “OPC”).
The Information Accountability Foundation (“IAF”) is a global, non-profit research organization whose mission is to develop and provide sound policy solutions related to the processing of data pertaining to individuals. The IAF has conducted projects in Canada and has worked on transborder personal data transfer issues in North and South America, Asia, Australia and Europe. The IAF is responding to the Consultation based on the IAF’s expertise in transborder personal data transfers, not based on an expertise in Canadian law. The IAF’s comments reflect the views of IAF staff and do not necessarily reflect the views of its board of trustees or its funders.
Under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), any collection, use and disclosure of personal information requires consent, unless an exception to the consent requirement applies. However, when personal information is shared with a third party for processing, it is IAF’s understanding PIPEDA treats the sharing as a “transfer” and not a “disclosure”. In its 2009 Guidelines on Processing Personal Data Across Borders (the “2009 Guidelines”), the OPC stated that a transfer of personal information for processing, including a cross-border transfer, is a “use” of personal information and not a “disclosure”. The OPC’s view was that, as long as the personal information was being processed for the purpose for which it was originally collected, additional consent for the transfer to the processor was not required.
In the Consultation, the OPC states that in the absence of an applicable exception, the OPC’s view now is that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another. It is the IAF’s view that the OPC’s updated policy position is not well founded for three reasons: (1) Given the nature of data flows, accountability chains not consent are the most effective form of governance; (2) the 2009 Guidelines have been influential internationally; (3) the issue of the OPC’s enforcement powers should be separated from the issue of whether accountability as a basis for data flows can be effectively enforced.
Accountability chains are more effective as a governance mechanism, given the nature of data flows, than consent
The interactive nature of the digital age is dependent on data flowing to where ever they most efficiently and effectively make things work. Data flows will change as the ecosystem changes. The number of individual participants in the ecosystem may grow as those ecosystems change. For example, the data flows necessary to keep smart cards smart and personalized medicine personal may change, but the underpinning of all effective governance is responsible and accountable data stewardship. This means that even the most informed consent will be dated by the fully fluid operations necessary for things to work.
The only way to achieve sound governance of data transfers is through a concrete framework of accountability chains. Organizations are responsible for passing on and being accountable for the conditions and obligations associated with personal data as they pass to other participants. Organizations are responsible for assessing the risks associated with the chains and mitigating those risks. The IAF has been exploring the accountability chain concept since the IAF was founded in 2013. The 2009 Guidance has been the guiding light for both the theory and practice associated with trustworthy data flows.
Organizations necessary to make smart cars avoid other smart cars and personalized medicine be personal are not only large, but they also are ever changing. A detailed description of where data will flow will change even before the transmission of that transparency disclosure takes place. A detailed consent form based on yesterday’s transparency report would be meaningless in terms of controlling the flow of information to others. Policies whose purpose is to disrupt appropriate data flows, be they data localization or consent, are pushing against the nature of the ways things work. For that reason, the IAF has been in favor of accountability-based governance for movement of data from one party to another, including to third parties for processing.
Also, the question of whether individuals truly have the power to enforce sound governance based on the consents they make needs to be addressed There are certainly instances in which individuals have that power, but it is not clear that controlling the flow of personal data, particularly to third parties necessary for the processing to take place, is an effective governance mechanism.
The OPC guidance on accountability as it relates to third parties does not differentiate between third parties in Canada and those in other locations. So, it seems that guidance that labels a sharing with a third party as a disclosure would have impact beyond transfers that are transborder. In fact, it is likely that the guidance would have to cover data sharing with all third parties, including those necessary to make the modern digital ecosystem work.
As to practicality, the addition of information about the transfer of personal information outside Canada to the flood of information required by the consent guidance, much of it out-of-date, would exacerbate an already overloaded barrage of decisions forced on individuals. This addition would obscure the data necessary for the decisions that are truly important for individuals to make, thus making consent an even less effective governance mechanism for data flows than it already is.
The interactive nature of the digital age demonstrates the risk of confusing consent and transparency. Consent is only really meaningful in situations where the individual has the ability to withhold or withdraw consent. For example, an individual knows through transparency that an organization transfers personal data outside Canada and decides not to do business with that organization or decides to withhold/withdraw consent to the transfer of the data. As discussed below, failing to consent to the transfer of personal data does not solve the governance issue the OPC seeks to solve. The limitations on the individual’s ability to enforce consent also point out the individual’s total inability to enforce accountability. That responsibility lies with the organization, thus emphasizing again the importance of accountability chains.
The 2009 Guidance has been influential internationally
The 2009 Guidance on transborder data flows based on organizations remaining accountable has been lauded internationally as the most reasonable approach to transfers. If something goes wrong, there is an answerable party, not some distant entity. European Binding Corporate Rules and APEC Cross Border Privacy Rules are legal adaptions to provide what appears to be already contained in Canadian privacy law and guidance.
The IAF has looked at transborder data flows in many different countries. The IAF has worked with policymakers and businesses in many jurisdictions on how to protect individuals and on how individuals get the benefits of a digital age. The 2009 Guidance has been the soundest of the policies reviewed by the IAF. Others will speak to the analysis conducted to inform the 2009 Guidance, but the IAF can speak to the general effectiveness of the 2009 Guidance.
The issue of OPC enforcement powers should be separate from the issue of whether accountability as a basis for data flows can be effectively enforced
The Consultation has been informed by two recent enforcement cases involving data breaches in Canada. The first relates to a service Equifax Canada provided through Equifax U.S. where the OPC found that Equifax Canada failed to police Equifax U.S., leading to an accountability failure. The second involved Facebook and its failure to fully police app providers, leading to the Cambridge Analytica violation. The OPC has raised the questions of whether accountability has been an effective mechanism to prevent the violations and whether the OPC’s authority to enforce the breach of the law has been effective. As discussed above, the OPC also has raised the question of whether another principle, informed consent, would have been more effective in preventing the incidents from taking place or providing the OPC with greater enforcement authority. How would consent have addressed the problem the OPC is trying to solve? If individuals had consented to the transfer of personal data, those data breaches still would have happened. Individual consent will not prevent data breaches from occurring.
The IAF is not in a position to speak to the level of authority that the OPC currently has to take actions against PIPEDA violators. The OPC has the same authority to enforce both consent and accountability. Whether the level of investigative and enforcement powers is sufficient is a matter that may eventually be debated by the Canadian Parliament. The Department of Innovation, Science and Economic Development in Canada in its May 22, 2019 Proposals to modernize PIPEDA proposes incentivizing compliance with PIPEDA by expanding the OPC existing powers, including its fining power. However, the OPC’s power to enforce is not related to the principle at issue, governance of data transfers.
As discussed above, accountability has been an effective basis for data flows. The fact that two companies were found to have violated the accountability principle does not mean that the accountability principle is ineffective. Laws in every sector are violated, and enforcement is used to create incentives for compliance. Sound policy should not be changed because of enforcement challenges.
The IAF respectfully suggests the OPC separate the issue of accountability as the basis for personal data movement from the question of whether OPC enforcement powers under Canadian law are adequate.