A Regulator’s Perspective on Trans-Border Data Flow Issues David Loukidelis Information and Privacy Commissioner for British Columbia American Bar Association CLE Vancouver, BC April 18-19, 2009
Introduction • Regulator’s overview of privacy and trans-border data flows (TBDF) • Discussion of outsourcing and issues it raises under Canadian privacy laws • First, overview of the role of the OIPC
OIPC’s Role • Regulation of public and private sector privacy compliance • Order-making power to back-up complaint investigation powers • Emphasis on dispute resolution—first-instance settlement between the parties, with back-up mediation by OIPC • Complementary jurisdiction with federal privacy commissioner • Collaboration in investigations and other activities with federal and provincial colleagues
Privacy and Trans-Border Data Flows • TBDF are of course indispensable for modern commerce • Nothing inherently wrong with TBDF from a privacy perspective • Must avoid barriers to TBDF while achieving appropriate privacy protections • Canadian law thus doesn’t prohibit or restrict TBDF • Privacy protections can take a variety of forms—there is no silver bullet—and may have complementary components
TBDF and Privacy Protections • Possible tools include traditional regulation and enforcement, binding corporate rules (BCR) and cross-border privacy rules systems (CBPR) • The latter approaches can involve mixed public-private accountability mechanisms (e.g., trustmarks and accountability agents backstopped by regulators) • APEC work on CBPR has some promise (also noting EU BCR developments)
Accountability and TBDF • Focus here is on outsourcing and TBDF • Traditional regulatory involvement in TBDF flows from the accountability principle in Canadian privacy laws • Organization outsourcing processing of personal information remains accountable for its collection, use, disclosure and security • Example: BC’s Personal Information Protection Act, s. 18(2) allows disclosure for data processing or other services
Accountability and TBDF • Disclosure-use distinction can be tricky, and others disagree, but in BC an inter-organizational disclosure / transfer, from A to B for B to perform services for A, is a disclosure • Under PIPEDA, and thus international transfers, concept of ‘transfer’, contrasted to ‘disclosure’, applies
Accountability and TBDF • Service providers who are within jurisdiction are accountable for breaches they cause • Example: privacy breaches caused by service provider’s lax security • Outsourcing organization also has accountability • Under PIPEDA, concept of ‘comparable level of protection’ • No such explicit standard in BC and other laws, but such a standard makes sense in outsourcing cases
Accountability and TBDF • Whatever the standard, regulators would deal with both organizations, neither of which can contract out of statutory obligations • What will a privacy regulator expect an outsourcing organization to do?
Outsourcing and Privacy Protections • Due diligence in selecting service providers (including as to privacy laws where they operate) • Careful contractual arrangements to mitigate, not just allocate, risk • Audit and review rights—useful tools or lip-service?
Public Sector Outsourcing • Nova Scotia and BC have special rules for public sector outsourcing involving personal information • BC law effectively prohibits export of citizens’ data, with some exceptions (e.g., system upgrades or repair, with ministerial consent) • Concerns about the USA Patriot Act underlie these 2004 measures
BC’s Public Sector Outsourcing Rules • All BC public bodies must ensure personal information stays in Canada and is accessed only in Canada • Cannot disclose in response to foreign requests or demands • This extends to service providers to public bodies • Exceptions exist (e.g., with individual’s consent: Order F07-10 and Gallup’s online teaching skills assessment)
BC Outsourcing Rules • Other exceptions in s. 33.1(a) through (p) allow external disclosure • Examples: other Canadian legislative authority; Canadian court order; installation, repair, upgrade, etc. of electronic systems or equipment • Disclosure also allowed by law enforcement agencies to foreign counterparts under an arrangement, written agreement or treaty
BC Outsourcing Rules • Minister can also grant case-by-case exemptions • Service providers must disclose to the public body’s ‘head’ both foreign disclosure demands and actual disclosures • Whistleblower protections are extended to employee whistleblowers • Both apply to disclosures in Canada that are contrary to FIPPA (e.g., privacy breaches)
Conclusion • Ongoing questions about BC’s outsourcing rules • Challenges of cloud computing in context of follow-the-sun service expectations and solutions • Challenges of B2C personal information transfers and cross-border privacy measures (EU BCR, APEC CBPR) • Again, hybrid measures may be best, combined with cross-border regulatory mutual assistance arrangements
Contact Office of the Information and Privacy Commissioner for British Columbia info@oipc.bc.ca www.oipc.bc.ca 250 387 5629