A Regulator's Perspective on Trans-Border Data Flow Issues (PowerPoint PPT Presentation)

1
A Regulator's Perspective on Trans-Border Data Flow Issues
  • David Loukidelis
  • Information and Privacy Commissioner for British
    Columbia
  • American Bar Association CLE
  • Vancouver, BC
  • April 18-19, 2009

2
Introduction
  • Regulator's overview of privacy and trans-border
    data flows (TBDF)
  • Discussion of outsourcing and issues it raises
    under Canadian privacy laws
  • First, overview of the role of the OIPC

3
OIPC's Role
  • Regulation of public and private sector privacy
    compliance
  • Order-making power to back up complaint
    investigation powers
  • Emphasis on dispute resolution: first-instance
    settlement between the parties, with back-up
    mediation by OIPC
  • Complementary jurisdiction with federal privacy
    commissioner
  • Collaboration in investigations and other
    activities with federal and provincial colleagues

4
Privacy and Trans-Border Data Flows
  • TBDF are of course indispensable for modern
    commerce
  • Nothing inherently wrong with TBDF from a privacy
    perspective
  • Must avoid barriers to TBDF while achieving
    appropriate privacy protections
  • Canadian law thus doesn't prohibit or restrict
    TBDF
  • Privacy protections can take a variety of
    forms (there is no silver bullet) and may have
    complementary components

5
TBDF and Privacy Protections
  • Possible tools include traditional regulation and
    enforcement, binding corporate rules (BCR) /
    cross-border privacy rules systems (CBPR)
  • Latter approaches can involve mixed
    public-private accountability mechanisms (e.g.,
    trustmarks, accountability agents backstopped by
    regulators)
  • APEC work on CBPR has some promise (also noting
    EU BCR developments)

6
Accountability and TBDF
  • Focus here is on outsourcing and TBDF
  • Traditional regulatory involvement in TBDF flows
    from the accountability principle in Canadian
    privacy laws
  • Organization outsourcing processing of personal
    information remains accountable for its
    collection, use, disclosure and security
  • Example: BC's Personal Information Protection
    Act, s. 18(2) allows disclosure for data
    processing or other services

7
Accountability and TBDF
  • Disclosure-use distinction can be tricky, and
    others disagree, but in BC an inter-organizational
    disclosure / transfer, from A to B for B to
    perform services for A, is a disclosure
  • Under PIPEDA, and thus international transfers,
    concept of transfer, contrasted to
    disclosure, applies

8
Accountability and TBDF
  • Service providers who are within jurisdiction are
    accountable for breaches they cause
  • Example: privacy breaches caused by service
    providers' lax security
  • Outsourcing organization also has accountability
  • Under PIPEDA, concept of comparable level of
    protection
  • No such explicit standard in BC and other laws,
    but such a standard makes sense in outsourcing
    cases

9
Accountability and TBDF
  • Whatever the standard, regulators would deal with
    both organizations, neither of which can contract
    out of statutory obligations
  • What will a privacy regulator expect an
    outsourcing organization to do?

10
Outsourcing and Privacy Protections
  • Due diligence in selecting service providers
    (including as to privacy laws where they operate)
  • Careful contractual arrangements to mitigate, not
    just allocate, risk
  • Audit and review rights: useful tools or
    lip-service?

11
Public Sector Outsourcing
  • Nova Scotia and BC have special rules for public
    sector outsourcing involving personal information
  • BC law effectively prohibits export of citizens'
    data, with some exceptions (e.g., system upgrades
    or repair, with ministerial consent)
  • Concerns about USA Patriot Act underlie these
    2004 measures

12
BC's Public Sector Outsourcing Rules
  • All BC public bodies must ensure personal
    information stays in Canada and is accessed only
    in Canada
  • Cannot disclose in response to foreign requests
    or demands
  • This extends to service providers to public
    bodies
  • Exceptions exist (e.g., with the individual's
    consent: Order F07-10 and Gallup's online
    teaching skills assessment)

13
BC Outsourcing Rules
  • Other exceptions in s. 33.1(a) through (p) allow
    external disclosure
  • Examples: other Canadian legislative authority;
    Canadian court order; installation, repair,
    upgrade, etc. of electronic systems or equipment
  • Disclosure also allowed by law enforcement
    agencies to foreign counterparts under an
    arrangement, written agreement or treaty

14
BC Outsourcing Rules
  • Minister can grant case-by-case exemptions also
  • Service providers must disclose to the public body's
    head both foreign disclosure demands and actual
    disclosures
  • Whistleblower protections are extended to
    employee whistleblowers
  • Both apply to disclosures in Canada that are
    contrary to FIPPA (e.g., privacy breaches)

15
Conclusion
  • Ongoing questions about BC's outsourcing rules
  • Challenges of cloud computing in context of
    follow-the-sun service expectations and solutions
  • Challenges of B2C personal information transfers
    and cross-border privacy measures (EU BCR, APEC
    CBPR)
  • Again, hybrid measures may be best, combined with
    cross-border regulatory mutual assistance
    arrangements

16
Contact
  • Office of the Information and Privacy
    Commissioner for British Columbia
  • info_at_oipc.bc.ca
  • www.oipc.bc.ca
  • 250 387 5629