Canadian Privacy Policy: Customizing E.U. Standards
Remarks by Jennifer Stoddart, Privacy Commissioner of Canada
Privacy Symposium: Summer 2007
August 23, 2007
Personal Information Regulation in Canada
–Fair information/OECD principles became law: Personal Information Protection and Electronic Documents Act (PIPEDA)
–Civil and common law
Characteristics
–Adequate for E.U.
–Applies to all handling of personal information by federally regulated commercial entities in Canada affecting Canadians
–Applies outside of Canada if personal information is outsourced for processing or other uses (Abika case)
Characteristics
Unlike E.U. in:
–No registration of databases
–No prior approval for export of personal information
–No restrictions on whistle-blowing legislation
Characteristics
Enforcement through multi-functional approach
Federally:
–Ombudsman (Agent of Parliament)
–Investigate complaints
–Mediation
–Audits
–Education
–Outreach
–Federal Court litigation (damages)
Substantially similar provinces:
–Tribunals (no damages)
Substantially Similar Principle
–Quebec (1994)
–Alberta (2004)
–B.C. (2004)
–Ontario (Health, 2004)
Substantially Similar Provinces
PIPEDA applies when:
–Organization handling personal information is federally regulated, e.g., banks, airlines
–Sending personal information from Canada elsewhere or across provincial borders
–Federally regulated employee information
Criteria
Appropriate consent for collection/use/disclosure:
–Opt-in (express) – sensitive information
–Opt-out (implied) – reasonableness test
When You Export Personal Information…
Exporting personal information outside Canada
–PATRIOT Act concerns
–Finding #313 (CIBC VISA)
–Finding #365 (SWIFT)
When You Use Personal Information…
Direct marketing practices:
–Finding #308 (Inserts)
–Finding #297 ( s)
–Finding #271 (Solicitations)
When Your Entity Markets in Canada…
–Can be situated outside Canada
–Abika case
–TJX case and federal/provincial enforcement
Security
–PIPEDA includes security principle in section 7
–Data Breach Guidelines
–Recommend mandatory notification in law
International Co-operation in Enforcement
–OPC with FTC and others
–OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2007
PIPEDA Enforcement:
–% of complaints settled
–26 letters of recommendation (e.g., financial institutions, insurance companies, law firms, real estate firms)
–2 audits, e.g., Equifax
–No OPC-initiated actions in Federal Court
Conclusion
–Flexible compliance approach
–Same standards as E.U.
–Extra-territorial reach
–International enforcement framework
29th International Data Protection and Privacy Commissioners Conference
THANK YOU! Questions?