Canada and the United States as a group plan to circumvent global privacy rules
Canada, the United States and five other Pacific Rim countries will attempt to create international rules to bridge different regulatory approaches to data protection and privacy.
The countries have created the Global Forum on Cross-Border Privacy Rules (CBPR), which they hope more countries will join. The aim is to create international cross-border privacy rules (CBPR) and privacy recognition for processors (PRP) systems.
Ultimately, there would be an international certification system based on CBPR created by the Asia-Pacific Economic Cooperation (APEC) group.
In a statement Thursday, U.S. Commerce Secretary Gina Raimondo said an international CBPR would create data privacy certifications that would help companies comply with internationally recognized data privacy standards. “With this unique approach of building practical, co-operative compliance tools, we can make the digital economy work for consumers and businesses of all sizes,” she said.
The other countries in the forum are Japan, Taiwan, South Korea and Singapore.
However, former Ontario privacy commissioner Ann Cavoukian said the announcement was “weird”.
“It makes no sense that there are all these [privacy] instruments under development,” said Cavoukian, who is now executive director of the Global Privacy and Security by Design Center in Toronto.
“The United States and the European Union are finalizing the Transatlantic Data Privacy Framework to facilitate data transfers between the United States and the EU. Why are they now creating this global forum on cross-border privacy rules that will only apply to seven countries? … If you want to promote interoperability and connect different regulatory approaches to protecting data, why don’t they just develop this transatlantic data privacy framework they’re working on? The United States could say that once it is finalized – which is supposed to be any day now – we will look to expand it to other countries.”
But Constantine Karbaliotis, of Ottawa law firm nNovation, said the Global Forum on Cross-Border Privacy Rules has a key purpose that other confidentiality agreements don’t: the ability for companies to be certified as respecting their country’s privacy frameworks. The APEC agreement – around which the global regime would be built – calls for “accountability agents” to assess the adequacy of companies’ data protection processes. A company in Japan, for example, that needs to transfer data to a company in South Korea could ensure that its partner is certified. Data processors would be certified under a PRP scheme.
For this to work, he added, people or companies in Canada would have to become accountability agents. So far, none are.
He also said Canadian companies that meet obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) “are likely the furthest along in reaching cross-border privacy rules.”
In a statement, the Federal Privacy Commissioner’s Office said it was monitoring developments regarding the new forum, in particular the privacy rules that its new international system will certify. “We are in principle open to such international certification systems, as they promote interoperability. That said, it is imperative that they are underpinned by high data protection standards to ensure that the scale and complexity of cross-border data flows and their associated privacy risks are properly addressed.”
Global Affairs Canada was invited to comment on behalf of the federal government. No statement has been received as of press time.
According to an FAQ posted by the Global CBPR forum, its goals are to:
- establish an international certification system based on the APEC Cross-Border Privacy Rules and Privacy Recognition for Processors systems. It would be administered separately from the APEC system;
- support the free flow of data and effective data and privacy protection by promoting the global CBPR and PRP systems;
- provide a forum for information exchange and cooperation on matters related to the global CBPR and PRP systems;
- periodically review member data protection and privacy standards to ensure that CBPR and PRP global program requirements are aligned with best practices; and
- promote interoperability with other data protection and privacy frameworks.
There are significant differences in international privacy laws, he pointed out. For example, the European Union has the General Data Protection Regulation (GDPR) while the United States only has national privacy laws. This, Sookman said, creates barriers to trade and personal information transfers.
“Unfortunately,” he added, “much more is needed than just another forum for discussion. What is needed is a bold treaty that major jurisdictions such as the US and the EU Canada, which lies between these two major trading partners, is caught in a difficult situation.
Assuming there are agreed common standards and assuming there are changes in international laws that have adopted these standards, this would facilitate global transfers of data between organizations. “However,” he added, “those are two really big ifs.”