International Trade Today is a service of Warren Communications News.
Forum with FTC

Canadian Privacy Cop Seeks More Enforcement Power, Fights Harm Requirement, Sees International Coalitions

Canada’s privacy commissioner said Wednesday she expects to seek increased enforcement authority next year. “I am probably going to ask for greater powers, in terms of having new tools,” Commissioner Jennifer Stoddart said on an American Bar Association teleconference. She provided few specifics. She did say that “some of us” privacy authorities only “talk a good talk” on enforcement.

Legal requirements of proof of concrete harm have “generally led to very few sanctions” against privacy violators through private lawsuits or regulatory action, Stoddart said. Online profiling may eventually hurt users, but there’s no proof of harm now, she said. Stoddart called for “moving from the harm principle to the dignity principle” as the basis for liability.

“Self-regulation in all areas has its limits,” Stoddart said. Canadian law allows some action concerning behavioral advertising, but “we may need to have some kind of legislation” to ensure that consumers know when and why they’re tracked online and can opt out, she said. “Maybe we could have a workable do-not-track system” modeled on do-not-call, Stoddart said. Billy Hawkes, Ireland’s data commissioner, said there are questions whether “commendable efforts to come up with self-regulatory solutions” for behavioral advertising “go far enough” to deal with the qualms. “A lot more thought would be required of industry before we conclude that they have done enough in this area,” he said.

Behavioral advertising may not be “causing immediate harm, but it is causing concerns,” and that’s why the FTC continues to work on principles for business to follow, said Hugh Stevenson, deputy director of the agency’s Office of International Affairs. More broadly, privacy “enforcers started out with certain limited tools,” and that requires “more thought and more work” about enforcement mechanics and cooperation to deal with international data flows and make players accountable for it, he said.

The International Conference of Data Protection and Privacy Commissioners last month in Jerusalem laid the groundwork for future coalitions of national governments like the one that took on Google, Stoddart said. It’s “inevitable and the only way to act with global companies,” she said. There’s “quite a group” around the world eager to align in action with the EU and the U.S., including Israel, Mexico and Paraguay, Stoddart said. Forty-five countries have similar privacy standards, she said, indicating frustration with companies that reach settlements with one government only to “start up from square one” with another on the same issue as though nothing had happened.

Hawkes predicted that “a general data-breach notification system” will take hold across the EU. National privacy authorities are moving in that direction under European Commission guidance, he said. That means companies “won’t face too much divergence” in requirements across borders, Hawkes said.

Stevenson noted the “complexity of having a multiplicity of laws,” along the lines of differing state data-breach rules. Notification laws also pose the challenge of striking the “right note” in informing breach victims without causing “notice fatigue,” he said. Stevenson said one of the main benefits of laws on the subject has been a significant increase in “privacy awareness.”

Government bodies in Canada have been “much more reluctant to come forward and talk about” breaches of their data than have businesses, dozens of which have agreed to make voluntary disclosures, Stoddart said. Public offices tend to wait for audits and investigations to expose their data leaks, she said. Stevenson didn’t bite at an invitation to discuss whether that’s true in the U.S., too. In Ireland, which has national guidelines covering breaches of government data, “the public sector has been reasonably good at breach notification,” Hawkes said.

Officials said the key to cloud computing is keeping organizations responsible for the handling of information they entrust to others. In many cases, this basically means applying current rules that hold those who control data accountable for the data processors they use, the speakers said. “I don’t think we should be mesmerized by the cloud,” Hawkes said. Data controllers’ “responsibility does not change when you outsource to the cloud” rather than older kinds of contractors, except that “it becomes heavier,” he said.

“Global standards are the obvious way to go” in privacy regulation for use of cloud computing, Hawkes said. “Significant efforts” are being made to adopt them, he said. Stevenson agreed about maintaining data controllers’ accountability, but he warned not to “be overly mesmerized by the prospect of global privacy standards.” They’re “appealing” but “quite challenging,” as reflected in differences among member countries’ national laws carrying out European rules, he said. International standards are “not a near-term fix, likely,” Stevenson said. Meanwhile, authorities’ emphasis should move from enforcing “procedural requirements” to requiring companies to provide “reasonable protections,” he said.