Canada, the U.S., and five other Pacific rim countries will try to create international rules to bridge different regulatory approaches to data protection and privacy.
The countries have created the Global Cross-Border Privacy Rules (CBPR) Forum, which they hope more nations will join. The goal is to create international cross-border privacy rules (CBPR) and privacy recognition for processors (PRP) systems.
Ultimately there would be an international certification system based on the CBPR created by the Asia-Pacific Economic Co-operation (APEC) group.
In a statement Thursday, U.S. Commerce Secretary Gina Raimondo said an international CBPR would create data privacy certifications that help companies show compliance with internationally recognized data privacy standards. “With this unique approach founded on creating practical compliance tools and based on co-operation, we can make the digital economy work for consumers and businesses of all sizes alike,” she said.
The other countries in the forum are Japan, Taiwan, South Korea and Singapore.
However, former Ontario privacy commissioner Ann Cavoukian said the announcement is “weird.”
“It makes no sense there’s all these [privacy] instruments being developed,” said Cavoukian, who is now the executive director of the Global Privacy and Security by Design Centre in Toronto.
“The U.S. and the European Union are finalizing the Trans-Atlantic Data Privacy Framework to facilitate data transfers between the U.S. and the EU. Why are they now creating this Global Cross-Border Privacy Rules Forum that will apply to only seven countries? … If you want to promote interoperability and bridge different regulatory approaches to protecting data, why wouldn’t they just expand on this Trans-Atlantic Data Privacy Framework they’ve been working on? The U.S. could say once it’s finalized — which is supposed to be any day now — then we’ll look to extend it to other countries.”
But Constantine Karbaliotis, of the Ottawa privacy law firm nNovation, said the Global Cross-Border Privacy Rules Forum has a key goal that other privacy agreements don’t have: the ability for firms to be certified that they follow their nations’ privacy frameworks. The APEC agreement — around which the global regime would be built — calls for “accountability agents” to assess the adequacy of firms’ data protection processes. A firm in Japan, for example, that needs to transfer data to a firm in South Korea could ensure its partner is certified. Data processors would be certified under a PRP regime.
To make this work, he added, persons or firms in Canada would have to become accountability agents. So far none are.
He also said Canadian companies that meet the obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) “are probably most of the way to achieving Cross-Border Privacy rules.”
In a statement, the federal Office of the Privacy Commissioner said it is monitoring developments regarding the new forum, particularly the privacy rules which its new international scheme will certify against. “We are open to such international certification schemes in principle, as they promote interoperability. That said, it is imperative that they be underpinned by high data protection standards to ensure the significance and complexity of trans-border data flows and their associated privacy risks are appropriately addressed.”
Yara El Helou, senior communications advisor at the department of Innovation, Science and Economic Development (ISED), said the Global CBPR Forum will promote interoperability and help bridge different regulatory approaches to data protection and privacy.
“Canada continues to work with its international partners to ensure that individuals’ privacy is protected by providing them with meaningful control over their personal information without creating undue restrictions for business,” she said.
In addition, the Government of Canada intends to bring forward new legislation that will consider stakeholders’ comments on the former Bill C-11 and help advance Canada’s Digital Charter, strengthening privacy protections for consumers and providing a clear set of rules to enhance trust and promote responsible innovation by organizations that collect, use or share personal information in Canada.
According to an FAQ issued by the Global CBPR forum, its objectives are to:
- establish an international certification system based on the APEC Cross Border Privacy Rules and Privacy Recognition for Processors Systems. It would be administered separately from the APEC system;
- support the free flow of data and effective data protection and privacy through promotion of the global CBPR and PRP Systems;
- provide a forum for information exchange and co-operation on matters related to the global CBPR and PRP Systems;
- periodically review data protection and privacy standards of members to ensure Global CBPR and PRP program requirements align with best practices; and
- promote interoperability with other data protection and privacy frameworks.
“The GCBP rules is a positive development,” said Canadian privacy lawyer Barry Sookman of the McCarthy Tetrault law firm. Unlike in many other sectors where there are minimum standards in multi-lateral treaties such as those covering intellectual property, common inter-operable standards for privacy and transborder data flows do not exist. Some treaties have started to address this such as the CPTPP [Comprehensive and Progressive Agreement for Trans-Pacific Partnership], he said, but much more is needed.
There are significant differences in international privacy laws, he pointed out. For example, the European Union has the General Data Protection Regulation (GDPR) while the U.S. only has state privacy laws. This, Sookman said, creates barriers to trade and transfers of personal information.
“Unfortunately,” he added, “much more is needed than another forum for discussion. What is needed is a bold treaty that major jurisdictions such as the U.S. and the EU can agree to. Canada, which sits between these two major trading partners, is caught in a difficult situation.”
Assuming there were common standards agreed to and assuming there were changes in laws internationally that adopted those standards, it would facilitate global data transfers between organizations. “However,” he added, “those are two really big ifs.”
(This story has been updated from the original to include comments from ISED)