Privacy law is less settled today than it was when the European Union General Data Protection Regulation (GDPR) went into effect two years ago. While the GDPR has sparked new privacy legislation in other geographies, implementation of the GDPR as a truly risk-based regime is still in question. Regulators are having difficulties overseeing legal basis other than consent, and to the staff at the IAF, Schrems II raises questions about the meaning of risk based. Further, in addition to a risk-based approach challenges, it is not clear there is a proficiency for applying a full range of rights and interests in balancing requirements let alone addressing the needs of society. The California Consumer Privacy Act (CCPA) hadn’t even been implemented fully when an initiative was placed on the Fall ballot to amend it. Brazil’s new privacy law goes into effect without an effective oversight process in place.
Privacy is complex, yet the digital age continues to move forward. Can legislatures even create the guardrails for a digital society that is not just innovative but also respectful of the full range of human interests both to an individual and groups of individuals?
Forward looking privacy legislation must create guardrails so that data pertaining to individuals is used in a manner that facilitates the growth of the digital marketplace in a fair and just manner. Such legislation must create a legal framework where computers and communication technologies serve the full range of needs of individuals, singly, as a group, and societally, while respecting the fundamental interests individuals have in legitimate spaces where they are free of surveillance, where they can choose to be part of a community, and where data pertaining to them is processed in a fair and just manner. Those three rights against the full range of interests to multiple stakeholders could comprise a balanced score card for next generation privacy laws.
So, in an environment of questionable success, hope now shifts to Canada, a country where there are three jurisdictions taking steps to revise privacy law. Philosophically, Canada lies between the protection of all fundamental rights and freedom viewpoint taken in Europe and the free expression trumps fair processing position of the United States.
Privacy is a Canadian fundamental right that has been practically implemented by OECD based legislation. Privacy in Canada is more understood by Canadians than defined. Most fundamental rights are fairly straight forward. Not so privacy. In fact, scholars have a hard time capturing the essence of privacy in definitions. So, rather than define the right, it is often simpler to define the interests that the right encompasses. There are three interests:
- The first is the individual’s interest in seclusion. All of us need a space where we are free of observation or intrusion into our private lives. This interest in seclusion rests on privacy within a household and the papers and the records associated with that household. In many ways, our interest in seclusion has been eroded by the observational nature of modern society, where one may create a record of behavior without a legacy paper record.
- The second is the individual’s interest in defining his or herself and not being defined by the digital tracks we leave behind. This is reflected in actions related to the individual’s autonomy, or ability to control the data that pertains to the reputation of the individual.
- The third is the individual’s interest in fair processing. This interest relates to the individual’s interest in fair treatment, absent inappropriate discrimination, with decisions based on accurate data. As data has become fundamental to the way processes and machines work (e.g. internet-of-things), more of the work of privacy agencies and privacy professionals has been dedicated to fair processing.
How technology interfaces with those three interests is very different today than 30 years ago, when Quebec, the first of Canada’s private sector privacy laws was enacted. That law, and others in Canada, predate the risks and benefits to individuals that have come with the Internet, smart phones, connected cars, advanced analysts and an internet of everything. When the enactment of privacy legislation is considered, how privacy intersects with other fundamental rights and interests needs to be considered. This intersection also should include other stakeholders (e.g. groups of individuals and/or society) as well as an express consideration of the benefits to specific rights fair processing might create. Privacy, while fundamental, is not an absolute right. Every individual has other rights and interests that are just as important. Those interests include better health and education, the right to be employed and create a business. They also include the right to information and to make decisions based on data validated facts. Sometimes those interests are best served when aggregated with the interests of other individuals into societal interests. For example, while an individual has an interest in how health records might impact reputation and standing, the individual also has an interest in that data being used in a protected manner for healthcare research. Canadian law, more than most, has recognized that group interest in better healthcare through research. Quality privacy law links one or more of those privacy interests and allows for proportionate balancing among all rights and freedoms.
The three efforts currently underway in Canada to amend or enact privacy legislation are:
- First, the federal government signaled its intent to update the private sector privacy law, Personal Information and Electronic Documents Act (PIPEDA), as part of a new digital agenda for Canada. The digital agenda’s overarching goal is consistent with the score card above. The devil will be in the details on how legislation is drafted that will encourage economic growth through fair digital innovation and societal interests, while staying loyal to Canadians’ attraction to privacy as a fundamental right of individuals.
- Second, the Quebec government has tabled a discussion draft of privacy legislation that would update the current provincial law that is 30 years old. Canada is a federal state that enables private sector privacy at the provincial level where the provincial laws are similar to PIPEDA. Quebec (along with British Columbia and Alberta) is one of those provinces. However, the Quebec proposed law doesn’t match well with the IAF scorecard. It is not flexible and depends much too much on consent as a means of making processing lawful, even as consent has become less and less viable as a governance concept. It also doesn’t build on the accountability framework already established in Canada. Furthermore, the draft legislation prohibits data transfers to jurisdictions without equivalent protection. Adequacy findings are always tricky, maybe more so when the other jurisdiction is a province in the same federal system. Equivalency as adequacy has not been fully effective anywhere. The IAF will post the comments that it will be filing with the Quebec government.
- Third, Ontario, Canada’s largest province by population, doesn’t currently have a private sector privacy law and by extension the private sector is overseen by the Federal Privacy Commissioner. That oversight would change if the Ontario government were to enact a new privacy law that is deemed similar to PIPDEA. The intent to do so was signaled by a discussion paper recently released by the government entitled “Ontario Private Sector Privacy Reform.” The discussion paper includes a link for comments and a survey. The discussion paper includes key themes that would be explored as part of the legislative process. Ontario has an Information Commissioner that is responsible for public sector privacy and provincial institutions such as healthcare. The new privacy statute would provide oversight and grant regulatory authority for the private sector to the Information Commissioner. The discussion paper contains very broad themes that need to be developed into specifics, and there seems to be a process to do so.
The IAF has conducted three projects in Canada, all involving a multi-stakeholder discussion. The IAF, a global organization, has been asked why it puts so much time and effort into Canada? The answer is because the Canadian laboratory works. The Canadian government, regulators and other stakeholders have been debating modernization for the last half decade, and these debates have been dynamic. Whether it has been the Privacy Commissioner’s consultation on consent or the Ministry of Innovation, Science and Economic Development (ISED) support of solutions to People Beneficial Data Processing, and many discussions on its digital agenda, the discussions have been open and frank. The discussions in the three projects the IAF has conducted in Canada have been fruitful, in part because of the willingness of all parties to listen to each other and learn.
So, the IAF, in its research and education mission, will continue to participate in the Canadian debate because the Canadian laboratory works, and the Canadian debate has the most promise of creating replicable models for other jurisdictions.