Michael Geist:
This is LawBytes, a podcast with Michael Geist
Michael McEvoy:
Canada is far far behind I think many jurisdictions. Europe certainly the United States doesn’t have comprehensive privacy legislation by any means but through the Federal Trade Commission there is some element of regulation of privacy and obviously we’ve seen that with the latest investigation of Facebook. Canada has a lot of catching up to do in this regard both at a federal and provincial level.
Michael Geist:
There’s a lot happening in the Canadian privacy world. Daniel Therrien, the Privacy Commissioner of Canada, is in the courts battling Google over a right to de-index. He’s calling for order making power after Facebook declined to abide by his recommendations. And he’s embarked on a dramatic reinterpretation of the law premised on incorporating new consent requirements into cross-border data transfers. Underlying it all is a Privacy Commissioner of Canada who is seemingly frustrated with the law he’s been given to enforce. After years of calling for change he’s taking matters into his own hands with what feels like statutory amendments without actual amendments. Here to provide an update on the recent developments and their implications is David Fraser, one of Canada’s leading privacy experts, a partner at the law firm McInnes Cooper, and an active blogger at privacylawyer.ca.
Michael Geist:
David thanks so much for joining me on the podcast.
David Fraser:
My pleasure. Thank you.
Michael Geist:
So there is as I guess is always the case a lot happening in the Canadian privacy world but it’s really feels like underlying it quite a bit of it is a Privacy Commissioner of Canada who’s pretty frustrated with the law that he’s been given to enforce. And after years of calling for reform with limited success there’s the sense that he’s taking matters into his own hands almost by reinterpreting some of the law without actual statutory amendments. There’s there’s a number of examples but the one that is certainly quite a lot of people’s attention within the privacy world has to do with cross-border data transfers. So why don’t we start there. Perhaps you could can explain what a cross-border border data transfer is and why these issues really matter.
David Fraser:
Yeah. Certainly they happen quite often. That’s just the reality of the way that the world works right now particularly where it’s so mediated by technology. Probably the the one that people are most familiar with is you’re a Canadian. And you’re using a U.S. service provider. It could be Facebook it could be Google or it could be Amazon or whoever. And the data associated with whatever that activity is is going to be going to the U.S. to be processed or it ends up stored in a U.S. data center. And there’s also many examples where Canadian companies take advantage of cloud technology or efficiencies of scale where data is stored elsewhere. And then there’s also the much more traditional notion of let’s say you’re Air Canada and you’re flying a passenger to Paris you’re obviously going to have to move that passenger’s information to Paris if they want to check in at the airport to come back. So this sort of thing has happened for a very long time and happens quite regularly. And so it’s not an unusual occurrence and it’s just but it’s certainly it’s increasing particularly as so much of the data processing and data storage capacity in the world is outside of Canada.
Michael Geist:
Ok so we’re talking it sounds like even just from that brief description this is touching on everybody’s lives today from the kind of communication services they use to their banking to travel to just such a wide range of activity sometimes for the purposes as you suggest to store the data or to process it sometimes because the transactions are activities themselves are cross-border in nature. So I suppose the starting point from a legal perspective is how has Canadian privacy law traditionally treated these issues.
OPC:
What exactly does accountability mean for my business. Accountability means that you need to make sure someone in your organization is responsible for protecting the personal information you collect and that you give that person the tools and support to do it right.
David Fraser:
Since PIPEDA first came into effect in 2001 it hasn’t made any explicit distinction between activities that are taking place in Canada and activities are taking place elsewhere. And I guess one can assume that that was probably an explicit choice because at the time that PIPEDA was being drafted they already had the example of the European Data Protection Directive which preceded the GDPR which did regulate cross-border data transfers that did require if he were a data controller in the European Union and we wanted to transfer data outsid
