Volume 7, No. 3 - April/Avril 2007
Message from the Chair
By Mark S. Hayes

The PIPEDA Review Will Lead to Changes in the Act, but What Will They Look Like?
By Murray Long
A review of the major themes considered by the House of Commons Standing Committee on Access to Information, Privacy and Ethics in their mandated review of the Personal Information Protection and Electronic Documents Act.

Binding Corporate Rules
By Eduardo Ustaran
Justification and practicalities for global binding corporate rules.

Examining the Role of the Privacy Commissioner of Canada in Judicial Proceedings
By Kris Klein and Megan Brady
How the Privacy Commissioner's duty as an ombudsman plays out before the Federal Court and the issue of judicial deference.

Trans-jurisdictional Outsourcing Involving Personal Information: Canadian Approaches
By Bonnie Freedman
A survey of personal health information outsourcing approaches analyzing trends and changes in legislation and guidelines.

Push and Pull: Negotiating the Transfer of Passenger Name Record Information
By Allison Knight
The impending expiry of the interim EU-US passenger name record agreement raises questions about what privacy protections may replace it.

Notifications under PHIPA
By Elaine Ashfield
Steps to take in ensuring that proper notices are given to individuals whose personal information has been subject to a privacy breach.

Video Surveillance Use by Municipalities in Ontario
By Louise Vrebosch and Michael Migus
A review of the use and efficiency of video surveillance by Ontario municipalities.

Identity (ID) Theft: How to advise your clients when they ask what to do?
By Corinne D. Leon
A guide on minimizing the risk of identity theft in the electronic information age.

Case Comment on Rousseau v. Wyndowe: Access to Personal Health Information under the Common Law, PIPEDA and PHIPA
By Michael Migus
A consideration of a patient's right of access to independent medical records under PHIPA.
Ontario Bar Association | Association du Barreau de l'Ontario
The Ontario branch of the Canadian Bar Association | La division ontarienne de l'Association du Barreau canadien
Eye on Privacy: The OBA Privacy Law Review is published by the Privacy Law Section of the Ontario Bar Association. The Editors welcome submissions on privacy law matters of interest to our members.
The articles that appear in this publication represent the opinions of the authors. They do not represent or embody any official position of, or statement by, the OBA except where this may be specifically indicated; nor do they attempt to set forth definitive practice standards or to provide legal advice. Precedents and other material contained herein are intended to be used thoughtfully, as nothing in the work relieves readers of their responsibility to consider it in the light of their own professional skill and judgment.
Message from the Chair
Mark S. Hayes*
Anyone reviewing the recent issues of Eye on Privacy cannot help but be struck by the ever-increasing complexity of privacy law issues in Canada and the rapid acceleration of the importance of privacy issues in the business environment. From the almost daily media attention to privacy security breaches to the impact of compliance on transactions, contracts and corporate organization, privacy has gone from a curiosity championed by a small number of knowledgeable advocates to a mainstream part of the business environment.
As can be seen from some of the articles in this month’s issue, much of the complexity in the privacy field arises from the nature of the Canadian federation. Even though many provinces did not take up the federal government’s invitation to enact “substantially similar” privacy legislation, the web of federal and provincial laws relating to privacy in the public and private sectors is so complex that, as Bonnie Freedman demonstrates in her useful survey of offshore outsourcing issues, it is very difficult to properly advise clients faced with a specific problem. As the case law in this area continues to develop, we will certainly see more issues of process arise, as Kris Klein and Megan Brady discuss in their article on the role of the federal Commissioner in PIPEDA Federal Court applications. The recent PIPEDA hearings have shown the importance of privacy breach notifications and the differing opinions on their usefulness; Elaine Ashfield brings us an interesting analysis of this issue in the context of Ontario’s PHIPA and Corinne Leon from Visa Canada provides a very useful guide to advising clients who believe that they have been the victim of identity theft.
We are fast approaching the time for Executive elections at the OBA, and I encourage all of the members of the Privacy Law Section to consider getting involved in the Executive for the 2007-2008 year. There are many exciting and interesting projects in the works, and we are always looking for new faces.
* Mark S. Hayes, Blake, Cassels & Graydon LLP, (416) 863-2279, mark.hayes@blakes.com.
The PIPEDA Review Will Lead to Changes in the Act, but What Will They Look Like?
Murray Long*
I am keenly aware, in writing an article for Eye on Privacy, that this is an audience that truly cares about the details of Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), and is keenly interested in the current review of the Act and the likely outcomes.
At this juncture, writing on February 5 (the day prior to my own appearance as a witness), it seems fairly clear that the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the Ethics Committee) will be recommending a number of changes to PIPEDA and that these changes will include at least one significant new obligation for business, as well as a number of housekeeping changes.
It is important to keep in mind that no member of this committee (except for Liberal MP Marlene Jennings, who sat in from time to time but has now dropped out of sight on this study), had background expertise in the rationale for PIPEDA, how the Act was drafted, how it works in practice and what are its shortcomings. Committee members are, for the most part, brand new to this legislation and this field, with many being at the same time newly minted Members of Parliament. This, in itself, raises the question of who will actually guide decision-making within the Committee and how comfortable the members will feel as they begin work on their report.
Nevertheless, Chair Tom Wappel and the other Committee members know they must generate something of substance from their deliberations, including recommendations to amend PIPEDA to incorporate necessary, practical and useful improvements. The following article is an attempt to sort out which issues will be uppermost in the minds of Committee members as they deliberate on what to report back to the House of Commons.
Commissioner Powers
While privacy advocates have decried the lack of order-making powers for the Privacy Commissioner and have recommended various solutions to this perceived problem, the Commissioner herself advised the Committee that now is not the time to change the enforcement model.
Her office finally having emerged from the turmoil of the Radwanski era, Commissioner Stoddart stated that a better use of existing enforcement tools – most notably the threat to take an organization to the Federal Court when it refuses to abide by recommendations – is sufficient. She also argued that more time is required for serious study of the advantages and disadvantages of various enforcement models before a new one is recommended, thus leaving the door open for a new model to be reconsidered at the next five year review.
The Committee is in a weak position to second guess the Commissioner’s reasoning, and with industry groups largely supporting this view, the Committee may have little choice but to recommend that no change be made at present to enforcement powers.
Naming of Names
This is a companion issue to enforcement powers that gets raised again and again. The Committee has, in my view, largely accepted a well articulated rationale proposed by MP Marlene Jennings that naming of organizations would never occur where mediation was underway or successful, leaving open only the prospect of naming organizations where no mediation occurs, organizations are recalcitrant to adopt the Commissioner’s recommendations, or where there is a public interest in naming the company. In other words, naming names will likely occur in situations where the Commissioner could already exercise her discretion to identify organizations. This would maintain the status quo and, for advocates of mandatory naming, will continue their level of frustration on this issue. However, among Committee members, you can expect any serious proposals that all organizations be named routinely in complaint findings to fall on deaf ears.
Breach Disclosure Requirement
All industry groups who have appeared before the Committee, with the exception of the Marketing Research and Intelligence Association (MRIA), have opposed mandatory breach disclosure obligations. In his testimony, BC Information and Privacy Commissioner David Loukidelis also said he would adopt a “wait and see” attitude on mandatory disclosure requirements as the practical implications of U.S. state-level breach notification laws become more apparent.1
The federal Commissioner and privacy advocates, including the Public Interest Advocacy Centre (PIAC) and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) have expressed support for adding a breach notification requirement to PIPEDA, and several Committee members have embraced the need for some form of notification. In fact, the tone of discussion on this issue has migrated towards a virtual demand that the business community accept a legislated responsibility of some type to notify the public and the Commissioner in the event of a breach. The recent appearance of Canadian Life and Health Insurance Association (CLHIA) and Canadian Chamber of Commerce representatives before the Committee led to a virtual showdown, with Chairman Tom Wappel attempting to pin witnesses to a position of accepting at least a duty to notify the Commissioner in the event of a breach.
There are problems with breach disclosure requirements that will need to be ironed out – for example: what constitutes a breach; whether the California model, which is restricted to hard data items associated with identity theft, is the right approach; and whether there is a role for some discretionary analysis by businesses about the types of data breaches that should trigger public notification.
In addition to the foregoing, there are enforcement issues. With greater recognition by the Committee that breach disclosure is a matter of public interest, there may be a corresponding recognition that some penalties should be invoked where companies fail to notify the public about breaches, especially serious ones.
Whatever the detail problems, it seems increasingly likely that the Committee will recommend some form of mandatory breach notification in the Act, and that Parliament is likely to respond.
Transborder Flows of Data
Virtually all business groups appearing before the Committee have stated their views that there is no need to alter the current provisions of the law that permit organizations to outsource data processing operations, subject to contractual measures and other safeguards. Groups have seemed concerned that the Commissioner or privacy advocates will propose new controls or obligations on businesses and they are anxious to stave off any such action. In her discussion guide of PIPEDA Reform, the Commissioner had raised the concept of additional controls, including audit rights by the contracting organization, requirements that enforcement of contracts take place in suitable jurisdictions and binding arbitration on contracts in accordance with international rules of arbitration.2
This issue has not gained much traction, however, despite some Committee members voicing their concerns about personal information being processed in the United States. This may be due to a recognition that transborder data flow is a fact of life in a global economy and that personal information about Canadians will be subject to access under U.S. laws, just as personal information about Americans will be subject to access under Canadian laws when data processing goes the other way.
Two other factors may come into play here. The first, likely understood by most Committee members, is the desire not to offend NAFTA rules, interfere with free trade or spark loud cries of protest by recommending measures that unduly restrict commercial data flows. The second, hardly understood by anybody, is whether the USA PATRIOT Act a) has ever been used to obtain information about Canadians; b) actually represents a substantially different standard than those under which Canadian national security agencies can already secretly obtain information under domestic anti-terrorism laws; or c) meets the threshold of U.S. Constitutional standards.3
Such interpretative matters are beyond the mandate of the Committee. Moreover, the Committee is likely to agree with industry views that outsourcing of data processing to other countries is entirely permissible, as long as organizations take steps, as recommended by the Commissioner, to inform customers when their personal information is being processed outside of Canada and to adequately protect the data according to its sensitivity. Thus, the standards currently set by the Commissioner in her advice to the marketplace are likely to be seen as sufficient.4
Expanding the scope of employee contact information
In its first meeting, the Committee heard from Industry Canada officials that there have been calls to remove privacy protection for employee e-mail and fax numbers, as these could be considered business contact numbers much like a telephone number. Exempting employee fax numbers from the definition of personal information seems a simple and practical change and one the Committee will likely recommend.
Employee e-mail addresses are a somewhat different matter. The fact that employee e-mail addresses are not specifically listed as exempted information has led Assistant Commissioner Black to conclude this information is personal information, a determination that factored large in at least two findings concerning spam e-mail sent to individuals at business e-mail addresses.5 This determination, in fact, has become one legal tool in the war against unsolicited spam.
Fortunately, the Alberta Personal Information Protection Act (“Alberta PIPA”) has a useful model which the Committee can propose and which resolves any concerns. The Alberta PIPA permits use of “business contact information” without consent for the purposes of contacting an individual in that individual’s capacity as an employee or an official of an organization and for no other purpose.
Employment Consent
The employment consent issue has not received much serious discussion so far, although I plan to address this topic further in my own evidence. Federally Regulated Employers - Transportation and Communication, an organization of major employers and employer associations in the transportation and communications sectors, did raise concerns about the challenges placed on employers due to the employee consent requirements in PIPEDA. It has recommended that Parliament adopt the Alberta and BC approach (where no consent is required within the context of managing the employment relationship).
Assistant Commissioner Black, in addressing the consent issue within the workplace, has recently provided more detailed legal analysis of how she has determined that a condition of implied consent exists in the employment relationship that enables an employer to collect, use or disclose employment information for reasonable business purposes without the need for an express consent.6 In the Commissioner’s view, there is no need to remove the consent obligations from PIPEDA – at least a complete removal – as the interpretative approach used by the OPC is sufficient to resolve any problems with consent.
As the Commissioner will have a second opportunity to meet with the Committee before it completes its deliberations, this is one area where the last at bat may win the game.
Business Transfers and other expanded collection, use and disclosure without consent
Parliament benefits from the ability to play leapfrog with the newer provincial private-sector privacy laws and to incorporate some of the improvements made in the provinces. One example would be an exception to permit organizations to collect personal information without consent in the process of a business transfer or acquisition. It is well recognized that some access to customer or employee data is necessary to do due diligence on a prospective target company’s assets, liabilities, etc. The provincial laws provide clear and fair rules under which such review can occur.
The Committee may also recommend other housekeeping changes to the Act to permit disclosures of employee or customer information, for example, to permit the contacting of next of kin or a friend of an injured, ill or deceased individual.
Attempted collection of information without consent
This issue has been raised by the Commissioner and others who have appeared before the Committee and the Committee seems to have recognized that this is an important loophole in the Act. It will likely recommend a new provision that any attempt to collect personal information in contravention of the Act would be a breach of the Act. If so, this would bring PIPEDA into congruity with the Alberta Act which makes it an offence to wilfully attempt to gain or to gain access to personal information in contravention of the Act.
Work Product
Work product is that category of information that is created by an individual in the furtherance of duties or obligations. In a 2001 finding, former Commissioner George Radwanski derived the definition in considering whether doctor prescriber information (the type and number of drug prescriptions authorized by doctors) constituted personal information about the doctor or another class of information known as a work product.7
The current Commissioner believes there is no real need to incorporate a definition of “work product” into the Act, as the law can be interpreted on a case-by-case basis to address non-personal, work-generated information. The Canadian Medical Association (CMA) made a request that any definition of work product not extend to physician-generated information in order not to undermine the confidence patients have in their doctors’ ability to safeguard their health data. The CMA could not come up with any specific examples of how the flow of physician prescription data to commercial entities harmed the doctor-patient trust relationship.
More recently, however, representatives of the Insurance Bureau of Canada told the Committee that it was essential for the Act to include a definition of work product information, similar to the BC law to provide legal certainty about the right to continue to collect this type of information about workers without any legal uncertainties.
We can expect the Committee to either propose that a definition of work product information be added to the Act or to make a statement that the status quo should be preserved.
Solicitor-Client Privilege
This may be one of the more interesting issues for Eye on Privacy readers, and has become an issue of great concern to some industry groups – particularly the property and casualty insurance industry, which strongly supports amendment to the Act to clarify that the Commissioner does not have the power in investigations to obtain information subject to solicitor-client privilege.
In her prior testimony before the Committee, Commissioner Stoddart had expressed her dismay with the Federal Court of Appeal decision in the Blood Tribe8 case in which the Appeal Court determined that the Federal Court Judge had erred in applying a liberal interpretation to Commissioner powers and should have adopted a standard in which the Court, not the Commissioner, considers any information subject to a claim of solicitor-client privilege. The Commissioner has sought leave for this issue to now be heard by the Supreme Court. Her concerns are that, following the Appeal Court decision in Blood Tribe, organizations may expand the ambit of solicitor-client privilege (for example, to include information gathered pre-litigation) in ways that harm legitimate individuals’ access rights.
The Appeal Court decision, in practice, also creates a conundrum as the Commissioner cannot apply to the Federal Court for a hearing on any matter until an investigation is completed and a report issued, while the inability to examine information for which a claim of solicitor-client privilege has been asserted might mean that the investigation cannot be completed.
The Committee, however, seems disposed to a view that solicitor-client privilege is a fundamental underpinning of the legal system and should not be whittled away via legislative provisions. As a result, the Commissioner may have a hard time convincing the Committee that it must amend PIPEDA to clarify her right to examine any information in an investigation, including documents for which a claim of solicitor-client privilege is asserted.
What happens after the report is submitted?
The Committee’s report is only the first stage of what could be a lengthy process in amending PIPEDA. All recommendations will have to be considered by the Justice Department and Industry Canada, with perhaps further consultation with stakeholders before a proposed amending bill is tabled in Parliament. Any amending bill would likely be referred back to the Ethics Committee, before being put to a vote in the House of Commons and the Senate. The Senate Social Affairs, Science and Technology Committee might also be inclined to hold its own review. If you throw an election into the mix, we may not see Parliament pass amending legislation before 2009, with amendments coming into force possibly in 2010.
* Murray Long is an Ottawa-based privacy consultant and an acknowledged Canadian authority on PIPEDA. He is the editor/publisher of PrivacyScan, a privacy law resource for businesses. He can be reached at murraylong@privacyscan.ca.
1 Commissioner Loukidelis is already interpreting section 34 of the BC Personal Information Protection Act as incorporating a de facto obligation to notify individuals in the event of an unauthorized disclosure of personal information.
2 See PIPEDA Review Discussion Document: Protecting Privacy in an Intrusive World, July 2006.
3 Eye on Privacy Editor Jason Young has expressed the view that the USA PATRIOT Act contains powers of “summary and secret compulsion” that have no equivalent in Canadian laws and that these powers are more likely to be abused. In an article on cross-border outsourcing (Privacy Commissioner gives Green Light to Cross-Border Outsourcing of Personal Information; Raises Questions – Canadian Privacy Law Review, Volume 3, Number 2, November 2005), Mr. Young stresses that the use of National Security Letters (NSLs) by the FBI has multiplied 100 times over pre-PATRIOT Act levels. NSLs do not require judicial review and can be issued quickly by designated FBI agents to facilitate investigations, using a standard for authorization that has now slipped from a cautionary requirement that agents use “least intrusive means” to obtain information to a more expansive standard of using any lawful techniques to further anti-terrorism investigations. In a 2004 decision, a U.S. District Court Judge ruled that the NSL provision for telephone and Internet records was unconstitutional, because the gag order that accompanies it is so draconian as to effectively bar recipients of such requests from challenging them in court without first violating the order. Doe v. Ashcroft, No. 04-CIV-2614 (S.D.N.Y. Sept 29, 2004). See the discussion of this in Terrorism and the Constitution, 3rd Edition, David Cole and James X. Dempsey, The New Press, 2006, p. 216.
4 These standards were first articulated in Transferring Personal Information about Canadians Across Borders — Implications of the USA PATRIOT Act, the federal Commissioner’s response to the BC Commissioner’s inquiry into the implications of the USA PATRIOT ACT, August 2004. The CIBC finding summary (#313) further solidified the Office’s views on transborder data processing to the U.S.
5 See PIPEDA finding #297, Unsolicited e-mail for marketing purposes (two separate complaints on the same subject, dated Dec. 1, 2004 and March 31, 2005).
6 See PIPEDA finding #351, Use of personal information collected by Global Positioning System considered, Nov. 9, 2006.
7 See PIPEDA finding #15, Privacy Commissioner releases his finding on the prescribing patterns of doctors, Oct. 2, 2001.
8 Blood Tribe Department of Health v. Privacy Commissioner of Canada, 2006 FCA 334, October 18, 2006.
Binding Corporate Rules
Justification and Practicalities
Eduardo Ustaran*
The information that organisations hold about customers, employees and other individuals is a very valuable asset. Exploiting this information correctly is crucial for their operations, but its use on a global basis is strictly regulated by EU data protection law, which does not allow the transfer of personal information to countries outside Europe that do not have an adequate level of data protection.
Countries where a legislation-free approach to personal privacy is preferred, such as the USA, are not regarded by the European Union as providing an adequate level of protection for individuals’ data privacy rights. Therefore, in order to process personal information lawfully on a global basis, organisations must find a way to legitimise transfers of this information from the EU to other countries.
Article 26(2) of the Directive provides that EU member states may authorise a transfer, or a set of transfers, of personal data to third countries which do not ensure an adequate level of protection where the organisation wishing to transfer the data adduces adequate safeguards with respect to the protection of the privacy rights of individuals. Article 26(4) goes on to say that such safeguards may result from certain standard contractual clauses approved by the European Commission. Accordingly, the use of standard contractual mechanisms is one of the most widely used mechanisms to legitimate global data flows.
The Binding Corporate Rules route
Where data transfers are made to third party vendors dotted around the world, it may be possible to ensure that those vendors are bound by the standard contractual clauses approved by the European Commission for these cases under Article 26(4) of the Directive. However, using ad-hoc contractual arrangements is not a suitable way of legitimizing international transfers for data-reliant organizations operating on a worldwide basis. In the context of many global organizations, using personal data is all about sharing information without having to pay attention to borders and national regulatory differences. Therefore, a flexible, tailor-made solution that does away with the inconvenience of having to enter into innumerable contracts among subsidiaries is likely to be the only lawful option.
On 3 June 2003, the Article 29 Working Party published its Working Document (WP74) on Binding Corporate Rules (“BCR”) for international data transfers.1 According to this Working Document, as long as such corporate rules are binding (both in law and in practice) and incorporate the essential content principles identified in the Working Document (WP12) of 24 July 1998, there is no reason why national regulators should not authorize multinational transfers within a group of companies following Article 26(2) of the Directive.
In 2005, the Article 29 Working Party adopted a co-ordinated approval mechanism (WP107)2 that allows companies seeking the approval of their BCR to fast-track their submissions through all of the relevant EU data protection authorities. This mechanism entails choosing an “entry point” data protection authority which will be the official point of contact with the candidate until the BCR are ready for approval in that country, and then will assist the relevant organisation to gain approval throughout the European Union.
Whilst for some organisations it may be obvious which data protection authority should have jurisdiction, where it is not clear which authority should become the entry point, organisations must consider the following factors to determine the most appropriate data protection authority:
- The location of the corporate group’s European headquarters or office with data protection responsibilities.
- The location of the company which is best placed to lead the BCR application and, eventually, enforce compliance.
- The place where any key operational decisions in terms of the purposes and means of the data processing are made.
- The EU country from which most international transfers originate.
Evidencing the binding nature of the BCR
In order to standardise the application process across the European Union as much as possible, the Article 29 Working Party has also published its Working Document WP1083 which contains a checklist of requirements. This checklist requests applicants to submit a concise background paper summarising how certain elements of the Article 29 Working Party’s Working Document (WP74) of 3 June 2003 are satisfied. One of the most important aspects that needs to be evidenced in the background paper is the binding nature of the organisation’s BCR.
The binding nature must be evidenced from several points of view, as follows:
- Binding between the component parts of the organisation (e.g. by means of an internal code of conduct backed by a multi-party agreement, or via a unilateral declaration given by the parent company).
- Binding on employees (e.g. by adding the BCR to the staff handbook which all employees are required to abide by).
- Binding on subcontractors (e.g. by incorporating the BCR as an annex to the services agreement in place).
- Binding externally for the benefit of individuals (e.g. by publicising a complaints handling process that allows individuals to enforce compliance).
Documentation required for BCR approval
The precise nature and amount of information that is required for the purposes of the submission to be made to the relevant data protection authority can be ascertained from paragraphs 4.1.1. to 4.1.3. of the checklist in WP108, as set out below.
A. Bundle 1 – Factual details
Paragraph 4.1.1 of WP108 refers to a note containing:
- contact details of the responsible person within your organisation to whom queries may be addressed; and
- all the relevant information to justify the choice of data protection authority including the basic structure of your group and the nature and structure of the processing activities in the EU/EEA with particular attention to the place/s where decisions are made, the location of affiliates in the EU, the means and purposes of the processing, the places from which the transfers to third countries are being made and the third countries to which those data are transferred (this is needed so that the ‘entry point data protection authority’ can circulate it to the data protection authorities concerned).
The purpose of the note referred to in paragraph 4.1.1 of WP108 is to justify the choice of the authority that will act as the lead authority during the approval process. This lead authority will guide the organisation seeking BCR approval through the process and act as an introducer to the other data protection authorities from which BCR approval will be required. In order to avoid a “forum shopping” situation, where BCR candidates select as their lead authority an authority perceived as more lenient or less likely to scrutinise their operations, the Article 29 Working Party established certain objective criteria that apply to the selection of the relevant lead authority.
Accordingly, in practice, the first bundle of information should include factual details comprising the following:
- A chart or diagram showing the organisation’s corporate structure (including all European affiliates and any entity that receives personal information collected in the European Union).
- Addresses of all group companies established in the EU.
- A description of the data processing activities that take place in the EU, including the flows of personal data.
- A description of the purposes for which personal information is used within the group of companies.
- A description of the type of personal information that is transferred to any other country outside the EU and the mechanisms employed for the transfer.
- Confirmation of the group companies that receive personal information from the EU.
B. Bundle 2 – Background paper
Paragraph 4.1.2 of WP108 refers to:
A background paper summarising how the required elements of WP74 have been satisfied (this will help the data protection authorities to identify the relevant sections of the documents you are providing).
All EU data protection authorities regard this background paper as the most important element during the submission process, since the information provided via this paper is the clearest indicator of how the BCR system will work in practice and whether it is likely to achieve its goals.
In practice, the second bundle of information should include the following:
- A succinct description of the BCR system
This is meant to be a very brief summary (i.e. not more than two pages) of how the BCR system works within the organisation and should describe in simple terms the structure of the system and how it fits in within the organisation’s corporate governance.
- Evidence of the binding nature of the BCR
- Information on the following procedural requirements:
  - Internal awareness mechanism – How the system guarantees awareness and implementation of the compliance procedures in place both inside and outside the European Union. This should also include information on any data protection training procedures adopted by the organization.
  - Internal audit process – How the organization operates a programme of either self-audits of the BCR system and/or external supervision by accredited auditors, including any mechanisms to report the outcome of such audits to the organization’s top management.
  - Complaint handling mechanism – How individuals' complaints are dealt with by a clearly identified complaint handling department (including service levels and response times-type information where appropriate).
  - Cooperation with data protection authorities – How the organization intends to make itself available to the data protection authorities. Whilst a detailed cooperation programme will not be required, all of the authorities from which approval is sought will expect a degree of availability by the relevant individuals with responsibility for the operation of the BCR system.
  - Responsibility of EU-based headquarters – A description of the privacy management resources at the EU-based entity that will be taking primary responsibility for the BCR system in order to facilitate supervision by the authorities and the practical exercise of individuals’ rights.
  - Redress for individuals – To what extent the organization accepts that individuals will be entitled to take action against the group, as well as to choose the jurisdiction.
  - System transparency – How the organization allows individuals to have readily accessible information about the BCR obligations undertaken as part of the system.
C. Bundle 3 – BCR documents
Paragraph 4.1.3 of WP108 states:
All relevant documents that comprise the ‘binding corporate rules’ to be adopted by your organisation (e.g. any policies, codes, notices, procedures and contracts that may be relevant to the application). As well as a general statement of principles, the data protection authorities need to see how personal data is actually handled within your group.
In our experience, data protection authorities need not be provided with copies of every single document dealing with privacy matters, but they expect to see examples of documents at all levels, such as:
- Top level privacy policies
- Privacy statements
- Internal compliance guidelines, checklists or similar notes
- Customer-facing policies
- Data quality policies (dealing with issues such as data retention)
- Access request response procedures
- Information security policies
- Data processing agreements
- Intra-group agreements providing binding force to the BCR (if any)
For further information, please contact:
* Eduardo Ustaran, Partner, Field Fisher Waterhouse LLP, 35 Vine Street London EC3N 2AA, +44 (0)20 7861 4842, eduardo.ustaran@ffw.com, http://www.ffw.com
1 See http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp74_en.pdf.
2 See http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp107_en.pdf.
3 See http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp108_en.pdf.
Examining the Role of the Privacy Commissioner of Canada in Judicial Proceedings
Kris Klein and Megan Brady*
As more and more privacy-related cases make their way to Court through the mechanism provided for in the Personal Information Protection and Electronic Documents Act (PIPEDA), the issue of the Privacy Commissioner of Canada’s role in these judicial proceedings warrants further consideration.
The Privacy Commissioner is an ombudsman. When she receives a complaint, the Privacy Commissioner investigates it and seeks to resolve it confidentially, through negotiation and mediation. At the conclusion of her process, the Privacy Commissioner will issue a non-binding report containing any recommendations she considers necessary to enhance the personal information management practices of a respondent organization.
Unlike a typical ombudsman, who must resort to the political arena for enforcement of his or her recommendations, PIPEDA empowers the Privacy Commissioner or a complainant to apply to the Federal Court for a binding, judicial resolution of a privacy matter addressed in the Commissioner’s report. Melding the Privacy Commissioner’s ombudsman process with the Federal Court’s judicial process raises interesting questions about the role the Privacy Commissioner should play before the Federal Court.
Traditional rules governing the judicial supervision of administrative actors are unable to adequately delineate the Privacy Commissioner’s role in judicial proceedings under PIPEDA. This is in part because hearings under PIPEDA proceed on a de novo basis. Before the Federal Court, the alleged privacy violation is determined ‘afresh’ and ‘anew’, ostensibly as if the Privacy Commissioner’s process had never occurred. In proceedings before the Federal Court, it is the complainant’s allegations and the respondent organization’s conduct that are in issue and not the reasonableness or correctness of the Privacy Commissioner’s report. In this context, there is no role for the “pragmatic and functional approach” to play in ascribing an appropriate degree of judicial intervention.
The fact that PIPEDA expressly contemplates the Privacy Commissioner becoming a party to any proceeding introduces additional complexity. The de novo nature of a hearing brought pursuant to PIPEDA is inconsistent with the role administrative decision makers traditionally play on judicial review of their own decisions – namely, explaining the record and making representations as to jurisdiction (See Northern Utilities v. City of Edmonton, [1979] 1 S.C.R. 684 at 708 - 710). Because it is not a review of the Privacy Commissioner’s findings, a de novo proceeding eliminates, in large measure, the relevance of the record before the Privacy Commissioner and therefore, any explanatory role she might otherwise play.
However, under PIPEDA, the Privacy Commissioner is empowered to initiate a hearing of her own accord (with the consent of a complainant); the Privacy Commissioner may appear on behalf of a complainant; and the Privacy Commissioner may apply for leave to become an added party. Unlike typical administrative decision-makers who are precluded from addressing the merits of a decision under review, PIPEDA appears to contemplate the Privacy Commissioner assuming the role of privacy advocate and acting as a full participant in an adversarial judicial process.
In one of the first PIPEDA cases to reach the courts, the Federal Court sought to understand the Privacy Commissioner’s role by applying factors that dictate the appropriate standard of review in other contexts. In Englander v. Telus Communications Inc., 2003 FCT 705 at para. 33, the Federal Court noted that “as a statutorily created administrator with specialized expertise, the [Privacy Commissioner of Canada] is entitled to some deference with respect to decisions clearly within his jurisdiction”. Similarly, in Eastmond v. Canadian Pacific Railway, 2004 FC 852 at paras. 122-123, Lemieux J. determined that the Privacy Commissioner was deserving of deference “in the area of his expertise which would include appropriate recognition of the factors he took into account in balancing the privacy interests”.
Notwithstanding the Privacy Commissioner’s obvious expertise in privacy issues, the Federal Court of Appeal has largely rejected the concept of deference as a relevant consideration. In Englander v. Telus Communications Inc., 2004 FCA 387 at para. 48, Décary J.A. noted that a hearing under PIPEDA is a “proceeding de novo akin to an action”. He found that “the report of the Commissioner, if put in evidence, may be challenged or contradicted like any other document”. Décary J.A. was concerned that showing any deference to the Privacy Commissioner’s findings “would give a head start to the Commissioner when acting as a party and thus could compromise the fairness of the hearing” (para. 48).
Technically speaking, the Federal Court of Appeal appears to be right. It makes little sense to speak of deference to the Privacy Commissioner’s findings in a hearing de novo. The Privacy Commissioner’s findings are, technically, irrelevant. Though the report itself is a necessary precondition to a hearing, the substance of the Privacy Commissioner’s report need not be introduced in evidence by any of the parties. Moreover, the evidence before the courts may differ considerably from that before the Privacy Commissioner. In a de novo hearing, no rules exist which would preclude a party from adducing fresh or additional evidence. And any formal recognition of deference to the Privacy Commissioner’s findings could undermine the fairness of a hearing de novo, which contemplates each side having a fresh and full opportunity to argue the merits of their case from the beginning.
But many of the reasons why administrative tribunals are accorded deference on judicial review support the granting of some deference to the Privacy Commissioner’s findings. The Privacy Commissioner’s significant and special expertise in privacy law is such that her findings, were they subject to review, would warrant deference. In the course of investigating and reporting on complaints brought under PIPEDA, the Privacy Commissioner must consider and balance a multiplicity of policy issues and competing interests. In crafting her recommendations, the Commissioner is engaged in a remedial exercise that falls far outside the traditional role and expertise of the Federal Court. Although the Federal Court is empowered to order an organization to correct its personal information management practices, ascertaining the specific corrections required falls within the relative expertise of the Privacy Commissioner.
Since the Federal Court of Appeal’s decision in Englander, the federal courts have opted to “adopt” and “add to” the Privacy Commissioner’s findings without formally deferring in an administrative law sense (See Wansink et al. v. Telus Communications Inc., Docket A-639-05, January 29, 2007 at paras. 11-12). In Morgan v. Alta Flights (Charters) Inc., 2005 FC 421 at paras. 16-17, Noel J. determined that deference was voluntary: “[t]he Court may rely on the decision of the Privacy Commissioner or certain parts of it where applicable in arriving at a determination, but it is not bound to do so”. Noel J. attempted to reconcile this approach with the de novo nature of the proceedings by noting that “the question of whether or not a breach under PIPEDA occurs...is a question of interpretation under the Act, and so should be reviewable on a standard of correctness”.
From the melding of ombudsman and judicial processes in the privacy law context, one thing is clear: Parliament intended to ensure that remedies were available for privacy infractions by the private sector. Far less clear is the role the Privacy Commissioner and her process can and ought to play in securing the judicial remedies available for breaches of privacy rights. The Privacy Commissioner is a gatekeeper to the judicial process; she can contribute considerable legal and policy expertise to a resolution of privacy complaints; and, insofar as she is permitted to act on a complainant’s behalf, plays an important role in ensuring access to justice in the de novo determination of the complainant’s case. The federal courts’ efforts to develop a principled approach to reconciling these unique roles within a poorly understood process are deserving of close scrutiny.
* Kris Klein and Megan Brady are litigation counsel with the Office of the Privacy Commissioner of Canada. The opinions expressed in this article are the views of the authors and they are not necessarily reflective of the views of the Office of the Privacy Commissioner of Canada.
Trans-jurisdictional Outsourcing Involving Personal Information: Canadian Approaches
Bonnie Freedman*
I. Outsourcing
The Information and Privacy Commissioner of Alberta concluded in his February 2006 report, “Public-sector Outsourcing and Risks to Privacy”1 that government bodies are no longer able to provide an appropriate degree of security to information they manage internally and accordingly must outsource services involving personal information. In 2003, the Government of British Columbia approved outsourcing by public bodies to private sector service providers as a means of addressing antiquated information technology systems. Despite opposition culminating in legal proceedings, British Columbia subsequently outsourced some functions of its public health and drug benefits plan.2
Outsourcing has been defined in a number of ways, but at its most essential involves retaining an outside supplier to provide services which a company or public body might otherwise have its employees perform. To the extent that outsourcing involves suppliers in a jurisdiction outside of that in which a company or public body operates (a “foreign jurisdiction”), it has become a matter of public interest, thanks in part to George Bush. The Bush administration’s lack of respect for interests that it views as interfering with the war on terrorism, the enactment of the USA PATRIOT Act3 in October 2001 and its renewal by the USA PATRIOT Act Improvement and Reauthorization Act of 2005 in March 2006, have done much to raise awareness in Canada of the potential risks of outsourcing personal information services to the United States. Media reports of threatened or actual data security breaches and misuse of personal information by the employees of service providers in foreign jurisdictions other than the U.S. have reinforced the concerns and highlighted the fact that the issues are global.4
The following surveys approaches adopted in Canada to the outsourcing to third party service providers in foreign jurisdictions of services and programs involving personal information. The approaches involve legislative measures and guidelines.
The survey is not comprehensive and is only intended to provide an introduction to the issues and some of the options adopted by governments. Legislation governing the collection, use and disclosure of personal health information is not reviewed. Sections III and IV below provide a summary of or reproduce provisions in legislation and guidelines that apply to the outsourcing of services involving personal information to third party service providers in foreign jurisdictions. Section 0 provides a preliminary analysis of the approaches to such outsourcing.
II. Audits of Public Sector Outsourcing Practices
The challenge by the Service Employees’ Union (“BCSGEU”) to the decision of British Columbia’s Ministry of Health Services to outsource the administration and several information management functions of the province’s Medical Services Plan and BC PharmaCare, brought the risks of outsourcing to the attention of the public and made them a matter for government action. A report by the Information and Privacy Commissioner for British Columbia on the implications of the USA PATRIOT Act for British Columbia public sector outsourcing5 called for public bodies to conduct audits of their outsourcing agreements to determine the level of security they were affording to personal information, implement a program of routine and thorough compliance audits, diligently monitor the performance by service providers of their contractual obligations and enforce available remedies where such obligations are breached.
The Alberta government took heed of the BC report and in February 2006, the Office of the Information and Privacy Commissioner of Alberta released the results of a survey it had conducted of provincial government ministries and a representative sample of public bodies.6 The survey canvassed the extent of outsourcing by public bodies governed by the Freedom of Information and Protection of Privacy Act,7 the types of services that are outsourced by these bodies and the contractual safeguards used to protect personal information to which third party service providers may have access.
The federal government also heard the call and in October 2004, asked the 160 institutions subject to the Privacy Act8 to audit their outsourcing activities that involve personal information. The object of the review was to “determine if information that is being stored by private companies or is accessible under the terms of a contract was susceptible to disclosure, specifically under the USA PATRIOT Act.”9 The review also looked at the nature of the contractual safeguards being used by the institutions in connection with outsourced services and programs.
In addition to audits, the attention garnered by outsourcing has led to legislative amendments.
III. Legislation and Legislative Amendments
A. Public Sector Access and Personal Information Protection Laws
A.1 British Columbia - Freedom of Information and Protection of Privacy Act (“BC/FOIPPA”)10
The British Columbia legislature sought, but ultimately did not wait for, a report from its Information and Privacy Commissioner before amending the BC/FOIPPA, which applies to personal information in the custody and control of public bodies.
Amendments to BC/FOIPPA that came into force in October, 2004 severely restricted the storage of and access to personal information in the custody or control of a public body from outside Canada. There have been subsequent amendments to BC/FOIPPA, perhaps in response to difficulties incurred by users of equipment, including medical equipment that is only serviced from outside Canada.
The principal provisions affecting third party service providers supplying services involving personal information to public bodies are found in Part 3 of BC/FOIPPA in sections 30.1 through 33.2. One of the unique features of the amendments is brought into effect by section 31.1(b), which expands the application of the sections of BC/FOIPPA relating to the protection of personal information to service providers, their employees and associates including subcontractors. Accordingly, in British Columbia, the relationship between a service provider and a public body client may be determined by BC/FOIPPA as well as by contract. Section 31.1 provides:
31.1 The requirements and restrictions established by this Part also apply to:
(a) the employees, officers and directors of a public body, and
(b) in the case of an employee that is a service provider, all employees and associates of the service provider.
Section 30.1 of BC/FOIPPA requires a public body to ensure that personal information in its custody or under its control is only stored and accessed in Canada, unless the individual to whom the information relates consents to another arrangement or the storage or access are for the purpose of a disclosure permitted under the Act, including for the purposes of the public body collecting a debt or making a payment. Section 30.1 provides:
30.1 A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:
(a) if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;
(b) if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;
(c) if it was disclosed under section 33.1 (1) (i.1) [for the purposes of a payment to be made to or by the government of British Columbia or a public body, authorizing, administering, processing, verifying or canceling such a payment, or resolving an issue regarding such a payment].
Section 30.2 of BC/FOIPPA requires notification of the responsible minister of any demand from a foreign authority for the disclosure of personal information, which notification could violate provisions introduced by the USA PATRIOT Act prohibiting disclosure of such demands except in limited circumstances. Section 30.2 provides:
30.2 (2) If a public body, an employee of a public body or an employee or associate of a service provider
(a) receives a foreign demand for disclosure,
(b) receives a request to disclose, produce or provide access to personal information to which this Act applies, if the public body, employee or other person receiving the request
(i) knows that the request is for the purpose of responding to a foreign demand for disclosure, or
(ii) has reason to suspect that it is for such a purpose, or
(c) has reason to suspect that unauthorized disclosure of personal information has occurred in response to a foreign demand for disclosure,
the head of the public body, the employee or other person must immediately notify the minister responsible for this Act.
(3) The notice under subsection (2) must include, as known or suspected,
(a) the nature of the foreign demand for disclosure,
(b) who made the foreign demand for disclosure,
(c) when the foreign demand for disclosure was received, and
(d) what information was sought by or disclosed in response to the foreign demand for disclosure.
Section 33.1 governs the disclosure of personal information in the custody or under the control of a public body inside or outside of Canada. Until recently, this provision only permitted disclosure in limited circumstances, for example where required to comply with another law of British Columbia or Canada, or to permit government officials to carry out their duties. Amendments to the section that came into force in 2006 permit the disclosure of personal information to a service provider outside Canada where the service provider would normally receive the information in Canada, but is temporarily travelling outside Canada.11 Other amendments permit disclosure to a service provider where the disclosure is necessary for:
(a) installing, implementing, maintaining, repairing, trouble shooting or upgrading an electronic system or equipment that includes an electronic system, or
(b) data recovery that is being undertaken following failure of an electronic system that is used in Canada by the public body or by a service provider for the purposes of providing services to a public body, and
in the case of disclosure outside Canada,
(c) is limited to temporary access and storage for the minimum time necessary for that purpose, and
(d) in relation to data recovery under subparagraph (b) above, is limited to access and storage only after the system failure has occurred.12
Public bodies may also disclose personal information inside Canada in response to a subpoena, warrant or order issued or made by a court or other person or body in Canada with the authority to compel the production of information.13 This provision is significant in that it prohibits public bodies and their service providers from disclosing personal information in response to a subpoena or other legal instrument issued by a foreign authority and applies even where the service provider is subject to the law of the foreign jurisdiction in which the subpoena or instrument was issued.
A.2 Alberta - Freedom of Information and Protection of Privacy Act (“AB/FOIPPA”)14
Following on British Columbia’s lead, Alberta’s amendments to the AB/FOIPPA in 2006 limit the powers of foreign courts, governments and governmental authorities to order the province’s public bodies to produce personal information. Section 3(d) provides that the AB/FOIPPA does not apply so as to interfere with an order compelling a witness to testify or the production of documents made by a court or tribunal in Canada. Section 40(1)(g) narrows the scope of disclosure permitted in response to a legal instrument, to circumstances where the disclosure is:
...for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body having jurisdiction in Alberta to compel the production of information or with a rule of court binding in Alberta that relates to the production of information.15
A.3 Nova Scotia - The Personal Information International Disclosure Protection Act (“PIIDPA”)16
PIIDPA received Royal Assent on July 14, 2006 but has yet to be proclaimed in force. PIIDPA borrows liberally from the initial amendments made to BC/FOIPPA, but incorporates provisions intended to address some of the operational difficulties that were reported to have arisen because of the requirement in the British Columbia legislation to store and access personal information in Canada.
PIIDPA applies to public bodies, including their directors, officers and employees and to employees and associates of a service provider. A service provider is defined as “...a person who is retained under a contract to perform services for a public body and in the course of performing those services, uses, discloses, manages, stores or accesses personal information in the custody or under the control of a public body”.17
Section 5(2) of PIIDPA contains an exemption from the requirement that a public body ensure that personal information in its custody or under its control is stored and accessed in Canada that applies where the head of a public body considers the storage of or access to personal information from outside Canada “... to meet the necessary requirements of the public body’s operation.” Under section 5(4), where the head of a public body permits personal information to be stored or accessed from outside of Canada, he or she is required to report the decision and reasons for making the decision to the responsible minister. Service providers are required to limit their collection and use of personal information that is stored, accessed or disclosed outside of Canada to the information and uses that are necessary to fulfill their contractual obligations and to make reasonable security arrangements to protect the information.
Under section 6(1) of PIIDPA, public bodies and their service providers are required to report foreign demands for disclosure to the responsible minister.
A.4 Quebec - Amendments to An Act respecting Access to documents held by public bodies and the Protection of personal information (“ARA”)18
Quebec has amended the sections on “security measures” in its public sector access and protection of personal information legislation. Section 63.1 of ARA now requires public bodies to:
...take the security measures necessary to ensure the protection of the personal information collected, used, released, kept or destroyed and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.
Section 63.2, which is not yet in force, will require public bodies to “...protect personal information by implementing the measures enacted for that purpose by regulation of the Government.” This provision will permit, but not require, Quebec to prescribe by regulation security measures for personal information kept by a public body in the exercise of its duties.
B. Amendments to Private Sector Laws
To date, provinces have required the private sector to protect personal information to which it gives third party service providers access, but have been reluctant to impose more direct forms of restriction on its outsourcing activities. It is not clear whether Quebec has become the exception. Quebec has amended its private sector privacy legislation and the amendments may restrict outsourcing or may merely be an express statement that organizations must use appropriate safeguards where personal information may be subject to the laws and authorities of a foreign jurisdiction. To assess the Quebec amendment, it may be useful to examine the requirements relating to outsourcing in the Personal Information Protection and Electronic Documents Act (“PIPEDA”).19
Principle 4.1.3 of Schedule 1 to PIPEDA provides that:
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
Principle 4.8 provides that:
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
The office of the Privacy Commissioner of Canada (the “OPC”) has applied Principle 4.1.3 and Principle 4.8 to a complaint about the outsourcing of services involving personal information to a foreign third party service provider. The complaint was made about the outsourcing of credit card transaction processing by the Canadian Imperial Bank of Commerce (“CIBC”) to an American service provider.20 The Assistant Commissioner made a number of noteworthy findings about the application of PIPEDA to outsourcing activities, but for the purposes of this review, the significant findings are that PIPEDA does not prohibit the use of foreign-based third-party service providers, but requires organizations to ensure that foreign-based third-party service providers afford personal information a comparable level of protection to that required in Canada (Principle 4.1.3.). Applying Principle 4.8, the Assistant Commissioner reiterated the position of the OPC that companies resident in Canada that outsource personal information processing or like services to the United States should notify the individuals to whom the information relates that it may be available to the U.S. government or its agencies under a lawful order.
According to the finding in the CIBC case, the requirement established in Principle 4.8 for organizations to be transparent about their personal information handling practices extends to giving individuals notice in circumstances where their personal information may be transferred to a foreign jurisdiction, notwithstanding that consent is not required where personal information is transferred for the purposes of data processing.21 The finding in the CIBC case is harder to interpret in regard to the requirements established in Principle 4.1.3. While the Assistant Commissioner initially describes the obligation on organizations in the language of Principle 4.1.3 (an organization must ensure that personal information is afforded “a comparable level of protection while the information is being processed by a third party”), she later frames it as an obligation to “…protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means” (emphasis added).22
B.1 Quebec - An Act respecting the protection of personal information in the private sector (“PIPPS”)23
As suggested above, the obligations created under amendments to Quebec’s private-sector privacy legislation that apply where services involving personal information are outsourced are not entirely clear. Section 17 of PIPPS applies to a person carrying on business in Quebec who “communicates personal information outside Quebec or entrusts a person outside Quebec with the task of holding, using or communicating such information on his behalf”. Section 17 provides:
Refusal
If the person carrying on an enterprise considers that the information ... will not receive the protection ...[required under the Act], the person must refuse to communicate the information or refuse to entrust a person or a body outside Quebec with the task of holding, using or communicating it on behalf of the person carrying on the enterprise.
Section 17 may require an environmental scan, taking into account factors such as the laws governing data protection in the foreign jurisdiction in which a service-provider operates (or lack thereof), the degree to which the rule of law is respected and the stability of the political situation and economy. If this is the extent of the obligation, it is questionable whether companies will have the resources to conduct the required research. Even where companies do have the resources, the requirement may have such a significant impact on the economics of outsourcing as to make it less interesting. Without assistance from government, for example information along the lines of the travel alerts posted by the Government of Canada where it believes Canadians may be at risk travelling in a country or region, it is not reasonable to expect companies to conduct a full environmental scan of jurisdictions in which they are considering retaining a third party service provider.
Another possible interpretation of section 17 is that it is not intended to introduce a prohibition on outsourcing where there are concerns over data security, but rather to require companies to address the nature and magnitude of the risks by including appropriate provisions in their contracts with third party service providers.24
Finally, it is open to debate whether section 17 permits an organization to outsource services involving personal information in circumstances where the information will not receive the degree of protection required under the Act, if the organization obtains the consent of the individual to whom the information relates to the arrangement.
IV. Guidelines
A.1 Taking Privacy into Account Prior to Making Contracting Decisions (“Taking Privacy into Account”)25
The Treasury Board of Canada Secretariat (the “Treasury Board”) has produced two guidance documents for use by federal government institutions that are subject to the Privacy Act26 when they outsource services or programs involving personal information. The first document, “Taking Privacy into Account” establishes a 3-step program to assess the risks to personal information and the nature of the safeguards that may be used where services or programs are to be outsourced. It also provides sample provisions for inclusion in Requests for Proposal (“RFPs”) and contracts for outsourced services involving personal information.
Taking Privacy into Account recommends that federal institutions ensure that there is a business case for outsourcing, by assessing factors such as the quality and speed of delivery of the outsourced service and the specialized expertise and other resources required to provide the service, before commencing the risk assessment.
Step 1 involves identifying any privacy risks associated with the proposed arrangement by determining whether the proposed arrangement is in compliance with the Privacy Act and Treasury Board privacy policies, conducting an “Invasion of Privacy Test” and conducting a Privacy Impact Assessment (“PIA”). The Privacy Invasion Test was developed for the Treasury Board and involves assessing 3 risk factors: the sensitivity of the exposed information; the expectations of the individuals to whom the information relates regarding privacy; and the nature and scope of the potential injury if a breach of data security were to occur. The Treasury Board has guidelines to assist institutions with performing PIAs.
Step 2 involves assessing the privacy risks related to the jurisdiction in which the proposed service provider is resident. Step 2 is potentially quite onerous in that institutions are to:
...give consideration to whether contracts or operations under contracts can be negatively affected by the foreign jurisdiction’s economy, political reality, laws and/or legal system.
Step 2 also involves determining whether any international trade agreements apply to the proposed arrangement. The requirement to consider international trade agreements may be unique to the federal public sector and validates the Privacy Commissioner of Canada’s comments that personal information is more likely to be obtained by American authorities under grand jury subpoenas, search warrants, information sharing agreements and bilateral mutual legal assistance treaties signed by Canada and the U.S. than under the amendments enacted by the USA PATRIOT Act.27 The second guidance document, “Privacy Matters”, makes the point more succinctly when, in reference to the amendments to BC/FOIPPA, it suggests that similar provisions could not be included in the Privacy Act, because,
Such action could encourage other foreign governments to do the same, choking off the economic benefits to Canada from work outsourced to Canadian suppliers.
In addition, the federal government must respect international trade agreements that are not binding on provincial governments.28
Step 3 of Taking Privacy Into Account involves assessing whether the protection of personal information in a given outsourcing arrangement requires the imposition on service providers of certain obligations and restrictions.
Institutions are to consider including the first set of obligations in the RFP for the services they are seeking to outsource. The obligations are of general application and include requiring the service provider to:
- where international trade agreements do not apply, conduct the work and retain the data in Canada or Government of Canada facilities;
- segregate the information from other information;
- submit an information management and security plan;
- have specified qualifications or certifications (relating, for example, to its knowledge of privacy law and implementation of privacy policies and procedures);
- maintain a list of personnel authorized to access personal information or facilities in which personal information is housed;
- maintain audit trails and report on access to, disclosure and destruction of personal information.
Institutions are to consider including the second set of obligations in the agreement they enter into with the service provider. The obligations require that:
- the institution maintain control over the personal information involved in the transaction by defining the role and responsibility of the service provider for the personal information, confirming the institution’s ownership of the personal information and demanding that the service provider return or destroy the personal information on demand;
- the most stringent of the privacy laws applicable to each of the parties be applied;
- access to personal information be limited to authorized persons for the purposes of the contract;
- the service provider obtain prior approval for the disclosure of sensitive personal information and the use of subcontractors;
- approved subcontractors agree to comply with the privacy, confidentiality and security provisions in the contract and the institution approve the contract between the service provider and the subcontractor;
- the institution have the right to inspect the premises and operations of the service provider; and
- the service provider promptly notify the institution of any data security breach and indemnify the institution for any damages arising out of such a breach.
Where the risk to privacy is very high and the contract involves database development and data processing, Taking Privacy into Account recommends that proponents responding to an RFP also be required to certify that they have:
... the unfettered lawful right to comply with ... [terms in the RFP or proposed agreement with the company relating to the protection of personal information] and to ensure that personal information which is managed, accessed, collected, used, disclosed, retained, received, created or disposed of in order to fulfill the requirements for the Contract shall be treated in accordance with the Privacy Act, R.S.C. 1985, c.P-21 and the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5.
Taking Privacy into Account also contains a set of criteria for determining whether foreign law will apply to personal information as a result of an outsourcing arrangement. The risk designations run from “No Risk”, where the information is maintained and processed at a Government of Canada site or is maintained and processed off-site by a Canadian company that operates uniquely in Canada, to “High Risk”, where personal information is maintained, processed, stored and disposed of by a foreign-based company in a foreign jurisdiction.
A.2 Privacy Matters, The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows (“Privacy Matters”)29
The second federal guidance document, Privacy Matters, makes reference to and incorporates some of the information and recommendations in Taking Privacy into Account, but focuses on the strategy of the federal Government in regard to public sector outsourcing of services involving personal information to foreign-based third party service providers. Privacy Matters incorporates some of the suggestions made by the Information and Privacy Commissioner for British Columbia in his report on the USA PATRIOT Act,30 including having institutions audit their outsourcing contracts involving personal information. In this respect, Privacy Matters is the federal version of the survey conducted in Alberta.
Privacy Matters makes many of the same recommendations as are made in Taking Privacy into Account. It is more detailed in some respects, recommending, for example, that the personnel of service providers be required to sign non-disclosure agreements and that encryption technology be used. Privacy Matters also makes reference to technological solutions to protect information and includes, as part of the Government’s mid-term (6 months to a year) strategy, the need to determine “best practices in building privacy into design through technological and architectural solutions”.31 The incorporation of privacy considerations into technology and data architectures is too often overlooked: by thinking about privacy at the design stage, systems architects may be able to eliminate some data security risks, for example by eliminating points of access to personal information or the storage of live data in a system.
V. Preliminary Conclusions and Steps Forward
As this brief survey indicates, different jurisdictions have taken different approaches to the outsourcing of services that involve personal health information.
The federal strategy in response to the USA PATRIOT Act is to ensure the best practices are used more uniformly throughout government.32 The approach is designed to identify and make institutions more aware of the risks surrounding transborder flows of personal and other sensitive information and to assist institutions in mitigating those risks, for example by insisting on stronger contractual protections.
The federal guidelines on outsourcing demonstrate the value of creating a framework within which to evaluate the threats and risks to personal information that is transferred to or made accessible from a foreign jurisdiction. The degree to which the guidelines will influence the decision to outsource, the choice of service provider and the shape of the agreement reached with the service provider may be largely shaped by economics: a dominant theme in Privacy Matters is that privacy considerations have to be “balanced” with others, such as “significant cost and service efficiencies, and economic benefits from contracting out as well as the need to respect Canada’s obligations under its trade agreements and the requirements to protect national security”. According to Privacy Matters, one in every four jobs in Canada is related to international trade.33 The Office of the Chief Information and Privacy Officer for Ontario has circulated draft guidelines on outsourcing services involving personal information for consultation, but as of the date of writing, has not released an official version of the guidelines.
British Columbia was the pioneer and, perhaps because of the attention the BCSGEU case received, adopted a highly restrictive approach to the outsourcing of services involving personal information by public bodies to foreign-based service providers. If there was any thought that legislative restrictions on accessing and storing personal information would encourage the establishment of home-grown data processing businesses, the restrictions do not appear to have had that effect. The capital costs of starting up or expanding businesses that supply the types of services being outsourced may be too formidable. As noted by Jean Walters and John Tuck, lawyers with the Legal Services Branch of the British Columbia Ministry of Attorney General, in a paper on outsourcing and the USA PATRIOT Act:
Many of the companies seeking contracts from governments are companies with connections to other countries, including the US. Often it is such large and sophisticated corporations that have the expertise and infrastructure required to provide the services required in complex outsourcing initiatives given the breadth and complexity of the services that need to be provided.34
Ultimately British Columbia was forced to relax the restrictions in BC/FOIPPA on storing and accessing personal information from outside Canada, although even under the most recent amendments, public bodies are only entitled to disclose personal information outside of Canada for limited purposes, including where such disclosure is necessary for data recovery after a system has failed.
Alberta rejected the British Columbia approach, concluding that:
The easy answer, suggested in some quarters, of protecting privacy by assuring no company affiliated in any way with an American company, or doing business in the USA, is allowed to do outsource work for Canadian governments, fails to recognize the existing transnational nature of the IT services industry.35
The amendments made by Alberta to AB/FOIPPA require third party service providers to disregard any demand for disclosure made by or under a foreign authority. Rather than restrict the activities of public bodies, Alberta has essentially told service providers that if they want to do business with the public sector in Alberta, they have to agree to comply with the laws of Alberta and the laws of Canada applicable in Alberta, regardless of any penalties they may incur for non-compliance with foreign laws to which they are subject.
While adopting essentially the same approach as British Columbia, Nova Scotia was careful to build exceptions into its stand-alone legislation, which permit public bodies to store and access personal information outside Canada where such access and storage is required for a public body’s operations. The requirement for a public body to report situations where personal information in its custody and under its control is to be stored or accessed from outside Canada ensures accountability for such decisions.
Quebec focuses on safeguards, by placing the onus on the public body or company outsourcing functions involving personal information to ensure that the information will be afforded an appropriate degree of protection. If under Quebec law, determining the appropriate level of protection involves a full environmental scan prior to engaging a foreign-based service provider, outsourcing may become less attractive, particularly to small businesses. Small businesses may also not have the bargaining power to secure an agreement with a foreign-based service provider that contains adequate safeguards for personal information. Where performing the services internally is not an option, an organization may decide to use a foreign-based service provider, even where it deems the risks to personal information to be significant. The deal made by British Columbia in connection with the outsourcing of functions of the Medical Services Plan and BC PharmaCare involved the establishment of corporate structures designed to ensure that personal information does not become subject to foreign laws in addition to technical and contractual safeguards, but such arrangements have little chance of acceptance in less remunerative, shorter term transactions.36
As recognized by the Information and Privacy Commissioner of British Columbia in his report on the implications of the USA PATRIOT Act, technological advances and trade liberalization have resulted in an increased flow of information across geographic borders.37 It is interesting that technology, which has been a principal driver of outsourcing and a principal source of risk to the security of personal and other sensitive information, is only slowly being recognized as a significant part of the solution. Perhaps because policy makers and lawyers rather than technology experts have been tasked with creating means to mitigate privacy risks, the focus has been on legislative restrictions and contractual safeguards. It is encouraging that Privacy Matters refers to the need to explore “technology and data architecture solutions to protect information flows”.38 Privacy needs to be considered from the initial stages of system design and not as an afterthought. A culture needs to be established in which systems architects embrace the challenge of building systems that incorporate privacy protection as enthusiastically as they embrace building systems with ever-greater functionality.39 Privacy Matters points out that the Government of Canada was the first national government to introduce a mandatory PIA policy, but the effectiveness of tools such as PIAs needs to be routinely examined: adherence to best practices, including performing PIAs, should not in and of itself provide comfort that personal information protection has been adequately addressed.
The approach and means of protecting personal information will undoubtedly change over time. Perhaps the anticipation of change was part of Nova Scotia’s rationale in passing its law on international disclosure of personal information in stand-alone legislation rather than as an amendment to its Freedom of Information and Protection of Privacy Act.40
* Bonnie Freedman, Goodman and Carr LLP. The opinions expressed in this article are those of the author and do not necessarily reflect the views of Goodman and Carr, LLP.
1 “Public-sector Outsourcing and Risks to Privacy”, Office of the Information and Privacy Commissioner, Alberta, February 2006, http://www.oipc.ab.ca/ims/client/upload/Outsource_Feb_2006_corr.pdf
2 Tuck, John and Walters, Jean M. “Outsourcing and the USA Patriot Act”, Health Information Privacy and Security Conference, Insight Information, January 29-30, 2007, pp. 4-5. See also British Columbia Government and Services Employees’ Union v. Minister of Health Services et. Al., 2005 BCSC 446, Victoria Registry, March 23, 2005. An appeal has been heard but the decision is under reserve.
3 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT Act) Act, Pub. L. No. 107-56, 115 Stat. 272 (2001)
4 In one case, a medical records transcriptionist in Pakistan threatened to post the medical records of patients of a San Francisco hospital if she was not paid wages she claimed were owing to her. Her employer was a subcontractor retained by the service provider to the hospital. In another case, employees of a service provider in India demanded money in exchange for not making public confidential information entrusted to their employer. For reports on these cases by the San Francisco Chronicle, see: http://www.sfgate.com/cgi-bin/article.cgi?file+/c/a/2003/10/22/MNGCO2FN8G1.DTL and http://sfgate.com/cgi-bin/article.cgi?file+/c/a/2004/04/02/MNG175VIEB1.DTL.
5 “Privacy and the USA Patriot Act, Implications for British Columbia Public Sector Outsourcing”, October 2004, Information & Privacy Commissioner for British Columbia, http://www.oipcbc.org/sector_public/archives/usa_patriot_act/pdfs/report/privacy-final.pdf
6 See above note 1
7 R.S.A. 2000, c. F-25
8 R.S.C. 1985, c. P-21
9 “Privacy Matters”, The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows, www.tbs-sct.gc.ca, p. 16
10 RSBC 1996, c. 165
11 Ibid., s. 33.1(1)(e.1)(ii)(B)
12 Ibid., s. 33.1(1)(p)
13 Ibid., s. 33.2(b)
14 See above note 87
15 Ibid., s. 40(1)(g).
16 Chapter 3 of the Acts of 2006
17 Ibid, s. 1(g)
18 R.S.Q., c. A-2.1
19 S.C. 2000, c.5
20 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #313 http://www.privcom.gc.ca/cf-dc/2005/313_20051019_e.asp
21 PIPEDA, Schedule 1, Principle 4.1.3
22 See above note 21
23 R.S.Q., c. P-39.1
24 This interpretation among others was reviewed by Anita Fineberg, Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health, in a presentation on January 29, 2007 at Insight Information’s conference on Health Information Privacy and Security.
25 Treasury Board, http://www.tbx-sct.gc.ca/gos-sog/atip-aiprp/in-ai/in-ai2005/2005-19_e.asp
26 See above note 8
27 “Transferring Personal Information about Canadians Across Borders – Implications of the USA PATRIOT Act”, Submission of the Office of the Privacy Commissioner of Canada to the Office of the Information and Privacy Commissioner for British Columbia, August 18, 2004, Office of the Privacy Commissioner of Canada, http://www.privcom.gc.ca/media/nr-c/2004/sub_usapa_040818_e.asp
28 See above note 9, p.12
29 Ibid
30 See above note 5
31 See above note 9, p.31
32 Ibid, p.15
33 Ibid, pp.10 and 12
34 See above note 2, p.14
35 See above note 1, p.12
36 See above note 2, pp.26-28
37 See above note 5, p. 13
38 See above note 9, p.4
39 Ibid, p.3
40 S.N.S., 1993, c.5
Push and Pull: Negotiating the Transfer of Passenger Name Record Information
Allison Knight*
INTRODUCTION
In the days following 9/11, the United States passed legislation requiring air carriers operating flights to, from or through the United States to provide Passenger Name Record (PNR) information to US Customs and Border Patrol.1 A Passenger Name Record consists of information provided by a passenger to an airline when booking an airline ticket. PNR information can range from a person’s name, address, and travel itinerary, to ticket payment information, frequent flyer information, passport details and any special circumstances or requests such as disability accommodations or meal preferences.2
According to US law, PNR data must be made available in order to identify “individuals who may pose a threat to aviation safety or national security”; PNR data may also be shared with other US agencies for the purpose of “national security.”3 Refusal of an airline to provide requested PNR data could result in the withdrawal of its landing authorization in the US.4 Upon passage of this legislation, the US began negotiating agreements with foreign jurisdictions for transfer of PNR data to US authorities. Negotiations with the European Union have proven to be the most complex and problematic, mainly due to differences in the ways in which the respective jurisdictions collect and process personal data.
US-EU AGREEMENT
Initial talks between the US and the European Commission (EC) were intended to reconcile the security interests of the United States with the data privacy safeguards required by the European Data Protection Directive 95/46/EC.5 The European Directive prohibits transfer of personal data to a third country that does not ensure an “adequate” level of data protection. As the US does not have an adequate legislative data protection scheme in place to protect the privacy rights of EU citizens,6 transfer of PNR data in accordance with the European Directive requires contractual safeguards to be included in an agreement. Specifically, the European Directive requires that personal information be collected “for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.”7 Further, the European Directive limits the retention period for records containing personal information and provides access and correction rights for data subjects.
While the first US-EU agreement,8 negotiated in 2004, did not explicitly address any of these requirements, it did refer to Undertakings given by the Department of Homeland Security (DHS) concerning the processing of personal information. According to the Undertakings, PNR data would be used strictly for the purposes of preventing and combating terrorism, related crimes, and other serious crimes.9 Although the US had originally planned to store PNR data for fifty years, the Undertakings agreed to limit retention of unaccessed data to three-and-one-half years, and retention of accessed data to eight years. In regard to access and correction, the Undertakings offered non-US citizens the opportunity to file an access request under the Freedom of Information Act10 as well as the opportunity to make “requests for rectification.”
The European Council issued a decision that the data protections contained in the US-EU 2004 agreement and its additional US Undertakings ensured an “adequate” level of data protection.11 The agreement purported to be legally binding in all Member States and provided a unified standard across the EU for the provision of PNR data to the US.12
CANADA/EU AGREEMENT
Similar to the US, Canada also passed legislation requiring the provision of, or access to, the PNR information of all persons en route to Canada at the time of their departure. The Passenger Information (Customs) Regulations,13 made under section 107.1 of the Customs Act,14 came into effect on October 4, 2002. Under the Regulations, PNR information must be made available to the Canada Customs and Revenue Agency15 for the purpose of maintaining a safe border, and interdicting “potentially high-risk passengers” who are inadmissible to Canada.
Both the US and the Canadian governments required the transfer of PNR data from European airlines on a unilateral basis, as the European Union does not have similar legislation. However, because Canada has a similar data protection scheme to that of the European Union, it did not face many of the challenges posed in the US-EU PNR negotiations. Canada’s privacy legislation16 has been declared “adequate” to EU data protection laws, thereby allowing cross-border flow of data without the requirement of additional contractual safeguards.17
Three other factors added legitimacy to the Canadian negotiations. First, Canada has an independent privacy office18 that provides oversight, administration and enforcement of its privacy laws. Second, Canada requested fewer PNR fields from the European airlines than the 34 fields required by the US agreement.19 Third, Canada agreed to a “push” system of PNR information transfer, as opposed to the “pull” system proposed by the US. Under a “push” system, airlines provide the data to the Canadian government on request. The “pull” system allows the US government to access the airlines’ information, thereby giving control of the data transfers to US authorities.20
However, because Canadian privacy law only extends to individuals present in Canada, the EU required Canada to provide an undertaking that the same protections would be extended to EU passengers who were not present in Canada. Upon completion of this requirement, Canada and the EU finalized and signed a PNR agreement.
INVALIDATION OF THE US AGREEMENT
The US-EU and Canada-EU agreement negotiations took place with European Commission representatives as a result of a consultative process, rather than the assent procedure required by the European Parliament. Parliament, not satisfied that the European Commission’s negotiations had adequately protected EU citizens’ data privacy rights, sought to have the US-EU 2004 agreement annulled. It argued that because the European Commission acted without authority (ultra vires), the agreement fell outside of the scope of Community law. Pending a decision of the European Court of Justice, the European Parliament also rejected the Canada-EU agreement on PNR data, even though Members considered the content of the agreement with Canada to be an “acceptable balance” between ensuring security and protecting personal data.21
In May 2006, the European Court of Justice declared the terms of the US-EU agreement invalid.22 The Court did not rule whether the US-EU agreement and related Decisions infringed fundamental rights with regard to data protection; rather, it annulled the agreement on jurisdictional grounds, stating that “neither the Commission decision finding that the data are adequately protected by the United States nor the Council decision approving the conclusion of an agreement on their transfer to that country are founded on an appropriate legal basis.” According to the Decision, the transfer of PNR data outside the EU is a matter of law enforcement rather than a commercial transaction; therefore, the agreement should have been negotiated under the third, or “Police and Judicial Co-operation in Criminal Matters” pillar of European law, which concerns “co-operation in the fight against crime.” Although in theory the Canada-EU agreement could suffer from the same jurisdictional fault, Parliament is unlikely to bring a case against the agreement as it contains strong privacy protections for EU citizens’ personal data.
CONSEQUENCES OF INVALIDATION
The invalidation of the EU-US 2004 Agreement was in some respects a “pyrrhic victory” for data protection rights.23 The European Court of Justice’s decision that PNR negotiations rightly belong under the “third pillar” of European law removes PNR data from the scope of the European Data Protection Directive and, because no EU-wide third pillar data protection agreement currently exists, places it under the mandate of individual Member States. The EU is in the process of developing a framework to provide data protection across third pillar activities of the EU - the proposed framework would offer a level of protection equivalent to that provided by the European Data Protection Directive - but it does not seem that Member States will reach a consensus any time soon.24 Third pillar data protection framework negotiations have been ongoing since April 2001. Most recently, the German Presidency submitted a letter to the Framework’s Article 36 Committee outlining further concerns with the draft document.25
US INTERIM AGREEMENT
In annulling the Agreement and Decisions, the Court preserved their effects only until September 30, 2006. Because of the ensuing legal vacuum, the US and the European Commission quickly negotiated an interim agreement, which expires in July of 2007. The provisions of the interim agreement are strikingly similar to the 2004 US-EU Agreement, and in fact provide even fewer protections for individuals’ personal information.
For example, the interim agreement states that the Department of Homeland Security is “deemed to ensure an adequate level of protection for PNR data.” The standard of adequacy to which this clause refers is unclear: the European Data Protection Directive is no longer applicable to this agreement; the European Court of Justice invalidated the European Commission’s decision on the “adequacy” of the 2004 agreement’s safeguards; no uniform standard of data protection has yet been adopted under the third pillar; and the European Parliament has had no input into the negotiations, nor approval, of the interim agreement.
To add another layer of confusion and questionable legality to this complex issue, Stewart Baker, Assistant Secretary for Policy at the US Department of Homeland Security (DHS), submitted a letter (the “Baker letter”) to the Council of Europe which purports to “set forth [DHS’] understandings with regard to the interpretation of… the Passenger Name Record (PNR) Undertakings issued on May 11, 2004.”26 In the letter, the Department of Homeland Security vastly expanded both its scope and its treatment of individuals’ personal data. For example, the letter interprets the Undertakings “so as not to impede the sharing of PNR data by DHS with other authorities of the US government responsible for preventing or combating of terrorism and related crimes”. The letter reneges on the US’s prior commitment to a data retention period of three-and-one-half years, at least in future agreements, and expands the list of PNR data to include all contact information associated with a frequent flyer number, in addition to reiterating DHS’ requirement for all thirty-four PNR data fields. In its concluding paragraph, the letter refers to the usefulness of PNR data in the context of infectious disease control, a situation for which access to PNR data was not previously envisioned.27 While the Council of Europe acknowledged receipt of the letter, it did not comment on its content.
GOING FORWARD: 2007 NEGOTIATIONS
In the absence of a European “third pillar” data protection framework to govern security, the next US-EU agreement runs the risk of containing even fewer privacy protections than the current interim agreement. However, there are three factors that may change the course of the next round of negotiations: (1) the recent disclosure of the Department of Homeland Security’s Automated Targeting System; (2) the US’s secret subpoenas of SWIFT data in violation of the EU Data Protection Directive; and (3) the increasing assertion of human rights of European citizens by the European Parliament.
Automated Targeting System
In November of 2006, the Department of Homeland Security published a notice of its Automated Targeting System (ATS), a risk profiling program that was originally created to screen shipping cargo, but had since been used to screen individuals travelling to and from the US.28 ATS processes “available information”, including PNR data, to develop a risk assessment for each traveller. The ATS terrorist risk profiles are secret, unreviewable, and maintained by the government for 40 years. As the agency notice makes clear, the ATS profiles may be integrated with other government databases and may be used for a wide variety of purposes.29
Following the announcement of the Automated Targeting System, European Commission Vice-President Franco Frattini sent a letter to the US Government requesting formal confirmation that the way European Union PNR data are handled in the ATS is the one described in the Undertakings. As stated by Frattini,
“The information published by the DHS reveals significant differences between the way in which PNR data are handled within the Automated Targeting System (ATS) on the one hand and the stricter regime for European PNR data according to the Undertakings given by the DHS.”
It is difficult to see how the Automated Targeting System could possibly comply with the terms of the US-EU interim agreement, as the Department of Homeland Security sought to exempt the program from its own domestic legislation, the Privacy Act.31
SWIFT Financial Data
The Society for Worldwide Interbank Financial Telecommunications (SWIFT), a Brussels-based banking consortium, complied with US Treasury Department subpoenas for five years by supplying US authorities with financial data. The European Union's Article 29 Data Protection Working Party concluded that SWIFT violated data protection laws by transferring records of millions of private financial transactions to American intelligence agencies in what it called a "hidden, systematic, massive and long-term transfer of personal data."32 According to the unanimously adopted draft statement, SWIFT failed to provide an appropriate level of protection to meet the requirements for international transfers of personal data; further, the transfer agreement demonstrated a lack of transparency and adequate and effective control mechanisms, and violated the principles of proportionality and necessity contained in the European Data Protection Directive.
European Parliament
The uncertain legitimacy of US instruments of negotiation such as the “Baker letter” and the interim agreement, the imminent deadline for a new agreement, and the two scenarios described above have fostered a certain amount of mistrust towards both the Department of Homeland Security and the European Commission in their respective PNR dealings. The European Parliament has been highly critical of what it sees as a lack of democratic legitimacy in the negotiations, most recently noting in its January 31, 2007 joint debates that, “the solutions envisaged so far by the Council and the Commission as well as by private companies do not adequately protect the personal data of EU citizens.”33 Allegations by the Minister for European Affairs late last year that the European Commission and European Council were aware of the Automated Targeting System as early as 200534 have further strengthened the European Parliament’s resolve to attend and participate in upcoming high-level negotiation meetings between the US and the EU.
The European Parliament’s February 7, 2007 Joint Resolution adopted at the conclusion of the joint debates demonstrates the degree to which the SWIFT and the Automated Targeting System data transfers have impacted the PNR debate. As stated in the opening sentence of the Resolution, “[a]greements on PNR, SWIFT and the existence of the US Automated Targeting System (ATS), have led to a situation of legal uncertainty with regard to the necessary data protection guarantees for data sharing and transfer between the EU and the US for the purposes of ensuring public security and, in particular, preventing and fighting terrorism.” The disclosures of these two data transfer programs have had the effect of focussing the debate on a few key privacy principles related to transparency and accountability, namely the need for independent oversight, and access and correction mechanisms. These two features, oversight by an independent agency, and the availability of redress procedures, form the critical distinction between the US-EU and Canada-EU agreements.
The momentum that is currently building in the European Parliament may be enough to ensure that the next US-EU PNR agreement, in July 2007, contains satisfactory data protections based on Europeans’ fundamental right to the protection of their personal data,35 regardless of whether an EU third pillar data protection framework is yet in place. Formal negotiations for a new US-EU PNR agreement will begin in Washington, DC this March.
* Allison Knight is Staff Counsel at the Electronic Privacy Information Center in Washington, DC, and a member of the Ontario Bar. She can be reached at knight@epic.org.
1 Division of the Department of Homeland Security.
2 For further discussion of Passenger Name Records, see Privacy and Human Rights 2005 (EPIC/Privacy International, 2006) at 80-88.
3 US Aviation and Transportation Security Act 2001, Pub. L. No. 107-71, § 101(a) and 115, 115 Stat. 597.
4 Air Commerce Regulations, 19 C.F.R. § 122.14 (d) (1999).
5 EC, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [1995] OJ. L. 281.
6 The Privacy Act of 1974, 5 U.S.C. § 552a, which stipulates data privacy requirements for US federal government agencies, only extends its protections to US citizens and permanent residents.
7 Ibid. at Section I, Article 6, ss.1(b).
8 EC, Agreement between the European Community and the United States of America on the Processing and Transfer of PNR Data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, [2004] CE/USA/en 1.
9 US, Department of Homeland Security Bureau of Customs and Border Protection (CBP), Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (CBP) (2004) at s.3.
10 5 U.S.C. § 552.
11 EC, Council Decision on the Conclusion of an Agreement Between the European Community and the United States of America on the Processing and Transfer of PNR Data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, [2004] 2004/496/EC.
12 EC, Airline passenger data transfers from the EU to the United States (Passenger Name Record) Frequently Asked Questions, [2003] MEMO/03/5. Available at: <http://ec.europa.eu/comm/external_relations/us/intro/pnrmem03_53.htm>.
13 S.O.R./2003-219.
14 R.S. 1985, (2nd Supp.), c.1.
15 Now to the Canada Border Services Agency.
16 Privacy Act, R.S. 1985, c. P-21; Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5.
17 EC, Commission Decision No. 2002/2/EC pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act, [2001] O.J. L 2/13.
18 The Office of the Privacy Commissioner of Canada. Available online: <http://www.privcom.gc.ca>.
19 Canadian authorities requested a maximum of 25 PNR fields.
20 EC, Agreement Between the European Community and the Government of Canada on the Processing of API/PNR Data, [2006] O.J. L.82/15.
21 European Parliament, Press Release, “MEPs reject the EU-Canada agreement on transfer of personal data” (7 July 2005). Available online: <http://www.statewatch.org/news/2005/jul/ep-canada-pnr.pdf>.
22 Parliament v. Council, C-317/04 and C-318/04, [2006] O.J. C. 178 at 1.
23 Statewatch, PNR Observatory, available online: <http://www.statewatch.org/news/2006/jun/pnrobservatory.htm>.
24 Council of Europe, Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, Memo/05/349 (2005).
25 Council of Europe, Presidency, Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, (2007) Interinstitutional File 2005/0202 (CNS).
26 72 Fed. Reg. 348 (2007).
27 The Centers for Disease Control and Prevention (CDC) issued a proposed rule in 2005 that would require airline and shipping industries to gather passenger information, maintain it electronically for at least 60 days, and release it to the CDC within 12 hours of a request. The comment period for the proposed rule closed in March 2006; however, a final rule has not been published. See online <http://www.cdc.gov/ncidod/dq/nprm/>. See also the Electronic Privacy Information Center’s comments on the proposed rule at <http://www.epic.org/privacy/medical/cdc_com013006.pdf>.
28 Notice of Privacy Act system of records, 71 Fed. Reg. 64543 (2006).
29 Electronic Privacy Information Center, “EPIC Spotlight on Surveillance: Customs and Border Protection’s Automated System Targets U.S. Citizens” (October 2006). Available online: <http://www.epic.org/privacy/surveillance/spotlight/1006/default.html>.
30 European Union, Press Release No.108/06, “Statement by European Commission Vice-President Franco Frattini, Responsible for Justice, Freedom and Security, in the European Parliament on ‘Data Protection and Transfer of PNR Data’” (December 13, 2006). Available online: <http://www.eurunion.org/News/press/2006/20060108.htm>.
31 Supra note 25.
32 Article 29 Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT). Available online: <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp128_en.pdf>.
33 EC, Motion for a Resolution to Wind Up the Debate on Statements by the Council and Commission Pursuant to Rule 103(2) of the Rule of Procedure (2007).
34 Address to the European Parliament by Minister for European Affairs Paula Lehtomaki on Data Protection (December 2006). Available online: <http://www.statewatch.org/news/2006/dec/ats-eu-coun-statement-12-dec-06.pdf>.
35 Charter of Fundamental Rights of the European Union, [2000] 2000/C 364/01 at art.8.
Notifications under PHIPA
1. Privacy Breach Notification 2. Transfer of Records to Successor
Elaine Ashfield*
1. Privacy Breach Notification
Overview of Breach Notification Laws
Organizations that collect, use and disclose personal health information within Ontario must comply with the Personal Health Information Protection Act, 2004 (PHIPA). Currently, PHIPA stands alone as the only privacy statute in Canada that requires individuals be notified if personal information has been subject to a privacy breach. Following a number of high profile privacy breaches, the most recent being that affecting customers of TJX Cos., there is increased public awareness and pressure on other governments to impose laws requiring organizations to notify individuals of privacy breaches. Whether such changes are coming to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) is uncertain although the federal parliamentary review committee has heard many submissions from privacy proponents, including the federal Privacy Commissioner