By Stéphane Grynwajc (New York, United States)
Those of us who practice in a jurisdiction other than the one in which we were originally trained and admitted to practice face the ongoing challenge of keeping ourselves apprised of legal developments in our home jurisdiction while developing an understanding of the laws that apply in the jurisdiction in which we are based. Those of us who practice in-house further see it as our obligation – if not an ethical obligation at least an operational obligation linked to our responsibilities as counsel supporting our client’s business operations wherever these operations are – to gain and maintain an appreciation for other national laws and the differences in legal culture upon which these laws are based. The divergent development of privacy and data protection law is a primary example of those differences in culture, some of which conflict to some extent. Advising clients – whether internal or external – in that area requires an appreciation, if not an understanding, of the different cultural and legal foundations upon which this area of law has been built.
This article aims at presenting an overview of the fundamentally different foundational and ideological approaches the EU and the US have taken to privacy and data protection, and the compromise between those two approaches that Canada has adopted in devising and evolving its own legal framework in this area.
After exploring some of the similarities between the EU, US and Canadian approaches to privacy (I), we will explain why the underpinning cultural differences in approach to the concept of privacy in the three regions have led to the creation of different legal regimes in this area (II).
I. The similarities between the US, the EU, and the Canadian approaches to privacy
While it may not seem obvious at first – even to the experienced international privacy practitioner – despite some clear differences in approach to the concept of privacy itself and to the scope of regulation in that area – there is a similar construct to the regulatory framework in the three regions. All three privacy frameworks are based on a layered approach.
A) The US Approach
In the US, federal regulation, such as the Fair Credit Reporting Act of 1970 (FCRA)(1) , the Health Insurance Portability and Accountability Act of 1996 (HIPAA)(2) , the Gramm-Leach-Bliley Act of 1999 (GLBA)(3) or the Children’s Online Privacy Protection Act of 1998 (COPPA)(4) in the private sector; and the Privacy Act of 1974(5) or the Freedom of Information Act of 1966 (FOIA)(6) in the public sector, has to be read in conjunction with a whole set of state privacy laws, particularly in the area of data breach notification, or on topics such as identity theft and medical privacy. While some federal privacy statutes such as the FCRA, preempt state law so that states cannot impose additional requirements, others, such as HIPAA, do not. Therefore, the US privacy law practitioner, or any foreign legal practitioner advising companies operating in the US, would need to not only understand the federal privacy legislation as it relates to the sector of operation of their clients, but also every state law in the area depending on where these clients operate or otherwise collect and process data of citizens from those states.
B) The EU Approach
In the EU, legislation adopted at the EU level, such as the EU Data Protection Directive 95/46 of 1995(7) or the EU e-Privacy Directive (2002/58/EC) of 2002(8) , amended in 2009 by the EU Directive 2009/136/EC(9) , also known as the EU Cookie Directive, sits alongside national privacy legislation such as the French «Loi Informatique et Libertés» nr. 78-17 of 1978(10) or the UK Data Protection Act of 1998(11) . EU Directives, contrary to EU Regulations, aren’t automatically applicable as such under the laws of the EU Member States. They only set objectives for the Member States to attain and set time periods for the countries to incorporate the Directives within their national law. Although this allows the Member States some flexibility in the way they implement the Directives, it results in EU Members’ national laws to vary from country to country. The EU privacy law practitioner or a foreign practitioner whose clients operate or intend to operate in the EU will need to not only become familiar with the objectives set forth by the EU Directives, but also with the laws of those countries in which their clients process personal data of individuals or have otherwise established their processing facilities.
C) The Canadian Approach
In Canada, similarly, national legislations such as the Privacy Act of 1983(12) , for the federal government and the Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA)(13) for the private sector, sit alongside the Canadian Charter of Rights and Freedoms (Canadian Charter)(14) at the national level, and the Quebec Charter of Human Rights and Freedoms(15) at the provincial level. Every province and territory in Canada has their own specific public sector privacy legislation, such as FIPPA/MFIPPA(16) in Ontario or An Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information in Quebec(17) while some other provinces such as Alberta, Saskatchewan, Manitoba and Ontario also have their own health specific privacy legislation, such as the Personal Health Information Protection Act (PHIPPA)(18) in Ontario. With respect to the use of personal information in a commercial context, Quebec has also passed An Act Respecting the Protection of Personal Information in the Private Sector (PPIPS)(19) , while BC (PIPA BC)(20) , Alberta (PIPA AB)(21) and Manitoba (PIPITPA)(22) have also passed their own provincial laws in the area. Therefore, as is the case with the US and the EU, a Canadian privacy law practitioner, or any foreign practitioner whose clients are either based in Canada or are doing business in Canada, needs to be familiar with not only federal legislation and the Canadian Charter, but also with provincial and sometimes sector-specific legislation.
Beyond those similarities in regulatory framework, there are quite a number of differences between the three regimes. These differences are primarily philosophical as the US, the EU and Canada have a different interpretation of what should drive the protection of privacy. From there, a different risk analysis was performed, and a regulatory framework developed, which maps against this analysis.
II. The key differences between the US, the EU and the Canadian approaches to privacy
Distinct conceptual bases for privacy in each jurisdiction have led to different types of regulations. On one hand, in the US there exists deeply engrained in the culture of the country, a fundamental distrust for government («Big Brother») when it comes to protecting individuals’ personal information. Some of the abuses found in the application of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act)(23) and, more recently, the Snowden revelations, do not alleviate that overall feeling. On the other hand, there doesn’t seem to exist in the US a great concern with private market participants misusing individuals’ personal data. In Europe and Canada, conversely, there isn’t the same distrust about the government’s handling of our data. Much the opposite, the government’s role is viewed as that of protecting the individuals against companies mishandling their data. Government isn’t the enemy. Some recent data breaches at the government level in the UK in particular may have questioned whether that trust was ill-placed, but for the most part the EU and Canada are more concerned with business objectives and operational efficiency dictating a certain culture of disregard for individuals’ personal information than with the government misusing that information. Now, in the wake of the many recent high profile security breaches in the US, such as the ones at eBay, Citi, Target or Sony, this trust placed in companies and in the principle of industry self-regulation versus federal industry oversight (except for the financial services and healthcare industry sectors which are the subject of comprehensive federal privacy legislation and regulation and oversight by a number of federal agencies) may have prompted a change in public perception, but there is no doubt that there is a philosophical divide in the way the EU and Canada, on the one hand, and the US, on the other hand, see the role of government oversight and of government regulation generally, and privacy regulation in particular.
There is also a difference in conceptual bases. In the US, privacy protection takes essentially the form of protection of one’s liberty, and particularly protection from government interference. For Europeans, privacy is more about protecting one’s dignity or their public image. In Canada, privacy protection is focused on individual autonomy through the personal control of information.
A) The US Approach
Traditionally, Americans prefer that their government leaves them alone. Recent global events, the specter of terrorism since 9/11 and the consequent passage in the US of the USA PATRIOT Act, and the recent Snowden revelations, have convinced US citizens that privacy must be protected, first and foremost, from «Big Brother» government. We already mentioned some of those federal statutes, but let’s also cite the Electronic Communications Privacy Act of 1986 (ECPA)(24) , which was enacted to extend government restrictions on wire taps to include transmissions of electronic data by computers and also added provisions prohibiting access to stored electronic communications, the Privacy Protection Act of 1980(25) , which protects journalists and newsrooms from search by government officials, or the Right to Financial Privacy Act of 1978(26) , which was designed to protect the confidentiality of personal financial records, but only from government.
On the other hand, as it relates to the protection of privacy in the private sector, privacy legislation at the federal level is essentially sector-based, and does not have the comprehensive purpose of EU legislation. Whether it is the FCRA (credit reporting), the Financial Modernization Act of 1999 (GLBA)(27) (financial sector), the Cable Communications Policy Act of 1984(28) (cable companies), the Videotape Privacy Protection Act of 1988(29) (video stores), the Telephone Consumer Protection Act of 1991(30) (telemarketers), the Telecommunications Act of 1996(31) (telephone companies), HIPAA(32) (healthcare providers) or COPPA(33) (children), the US federal legislative framework is one that only targets certain sectors, and in doing so, fails to articulate an overall legal theory with respect to privacy. This, combined with the patchwork of state laws in that area, addresses narrow, specific issues rather than privacy as a concept. And, as we indicated, it provides citizens with greater protection against the collection and use of personal information by government than it does for the private sector.
B) The EU Approach
When the Council of Europe was established in 1949, in the aftermath of World War II and its horrors, and in particular the keeping of lists of Jews in Nazi-occupied territories, it begun at that time to address the issue of personal information, and it became clear that a comprehensive, principle-based approach to privacy was the only one that was able to ensure an adequate protection of people’s dignity. That same approach was the one followed by the OECD when the transatlantic organization adopted on 23 September 1980 its Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data(34) , and later by the 95/46 Privacy Directive(35) , which aimed at covering the processing of all personal data by whatever means, in a comprehensive way that transcends business sectors or fields of use. The Directive is based on a set of principles which include legitimate («fair and lawful») basis for processing; purpose limitation; data quality; proportionality; transparency; data security and confidentiality; data subjects’ rights of access, rectification, deletion and objection; restrictions on onward transfers; additional protection where special categories of data and direct marketing are involved; and a prohibition on automated individual decisions. It is a comprehensive approach that was seen as most able to protect the fundamental rights and freedoms of EU citizens, in particular the right to privacy with respect to the processing of personal data. At the same time, and this is probably its inherent limitation, the legal instrument that was chosen to implement that framework, the Directive, is one that isn’t automatically applicable into EU Member States’ national laws and requires each country of the EU to promulgate a national law, or integrate the Directive’s principles within its existing national law. This has led to the unfortunate situation, much decried by opponents to the «one size fits all» approach, that 28 different national data protection laws not only create regulatory uncertainty but more importantly, fail to convey the overarching objective of a uniform law with respect to the processing of personal data within the EU. This is an issue not only for non EU companies looking to do business in the EU, but also for companies within the EU, which have to deal with different regulations and enforcement authorities at country level. The EU Commission’s attempt at replacing the Directive with a Data Protection Regulation, a legislative instrument, which, once adopted, would be automatically applicable in a uniform way throughout the EU, carries the hope that a consistent data protection regime will soon become a reality for all 28 Member States.
C) The Canadian Approach
The Canadian data privacy framework is a middle ground between the US and EU regimes, sharing US concerns about «Big Brother» government, while also expressing deep concerns about the private sector abuse of personal information(36) . Although Canada hasn’t gone as far as enacting a comprehensive federal legislation governing all uses of personal information, all sectors and fields of use included, there is coexisting legislation addressing individuals’ privacy in the public sector and in the private sector. With respect to the actual regime of protection, despite its geographic proximity to the US, Canada is closer in philosophy and approach to the EU model. PIPEDA, Canada’s comprehensive national private sector privacy legislation, which in 2004 became fully applicable to all industry segments, has been modeled on the Canadian Standards Association (CSA)’s Model Code for the Protection of Personal Information(37) . The ten privacy principles included in the Model Code (Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance) are remarkably similar to the principles outlined in the EU Privacy Directive of 1995. However, Canada, despite the federal v. provincial dichotomy, has somewhat achieved a level of uniformity one does not find to the same extent in the EU. Indeed, where the choice of the Directive as the legislative instrument for implementing the 1995 regime allowed Member States to implement national privacy laws which often conflict with one another, Alberta, British Columbia and Quebec in particular have implemented substantially similar provincial laws that govern the private sector. The theory which provides that if a provincial law is deemed «substantially similar» to PIPEDA, it generally supersedes PIPEDA with respect to the regulation of intra-provincial and provincial government activities, has enabled the enactment of local laws that are harmonized with and have substantially similar provisions to the federal law.
Final Thoughts
Despite the similarities in the construct of the regulatory regime of data protection in the US, the EU and Canada, there are enough differences and complexities in navigating the international privacy landscapes to keep lawyers advising clients doing business between these regions busy. The comprehensive approach the EU has been taking to the issue has not only inspired Canada to follow a path so as to offer «an adequate level of protection» under article 25 of the Privacy Directive for EU data export purposes, but has also driven the US Department of Commerce to enter into the Safe Harbor Agreement with the EU Commission governing the onward transfer of EU data to US companies. Despite the differences, there is the appreciation that we live in a global world where data needs to be able to flow across borders and where incompatible regimes are a hindrance to the development of international commerce. The draft EU Privacy Regulation currently under discussion at the EU Council is precisely aimed at facilitating that very objective for companies doing business within the EU and for non-US companies looking to expand in the EU. Although there is still a strong ideological opposition in the US to any plan to introduce federal legislation and oversight by federal regulators of the area of privacy in the form that was adopted in the EU and, to some extent in Canada, the impact of recent cyber attacks and other massive security breaches making the US headlines may hopefully contribute to bring a new sense of urgency around the importance of looking at privacy more holistically. Until then privacy practitioners will have to continue learning about the intricacies and interoperability of federal v. state law in the US, EU v. national law in Europe, and national v. provincial law in Canada.
1- https://www.gpo.gov/fdsys/pkg/STATUTE-84/pdf/STATUTE-84-Pg1114-2.pdf
2- https://www.gpo.gov/fdsys/pkg/PLAW-104publ191/html/PLAW-104publ191.htm
3- https://www.gpo.gov/fdsys/pkg/PLAW-106publ102/html/PLAW-106publ102.htm
4- https://www.gpo.gov/fdsys/pkg/PLAW-105publ277/html/PLAW-105publ277.htm
5- https://www.gpo.gov/fdsys/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf
6- https://www.gpo.gov/fdsys/pkg/STATUTE-80/pdf/STATUTE-80-Pg250.pdf
7- https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046
8- https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML
9- https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF
10- https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000886460
11- https://www.legislation.gov.uk/ukpga/1998/29/contents
12- https://laws-lois.justice.gc.ca/eng/acts/P-21/
13- https://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html
14- https://laws-lois.justice.gc.ca/eng/const/page-15.html
15- https://www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php?type=2&file=/C_12/C12_A.htm
16- https://www.ontario.ca/laws/statute/90f31; https://www.ontario.ca/laws/statute/90m56
17- https://www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php?type=2&file=/A_2_1/A2_1_A.html
18- https://laws.gnb.ca/en/showfulldoc/cs/P-7.05//20150512
19- https://www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php?type=2&file=/P_39_1/P39_1_A.html
20- https://www.bclaws.ca/Recon/document/ID/freeside/00_03063_01
21- https://www.qp.alberta.ca/1266.cfm?page=P06P5.cfm&leg_type=Acts&isbncln=9780779762507
22- https://web2.gov.mb.ca/bills/40-2/b211e.php
23- https://www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf
24- https://www.gpo.gov/fdsys/pkg/STATUTE-100/pdf/STATUTE-100-Pg1848.pdf
25- https://www.law.cornell.edu/uscode/text/42/chapter-21A
26- https://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg3641.pdf
27- See (3) above
28- https://www.gpo.gov/fdsys/pkg/STATUTE-98/pdf/STATUTE-98-Pg2779.pdf
29- https://www.gpo.gov/fdsys/pkg/STATUTE-102/pdf/STATUTE-102-Pg3195.pdf
30- https://www.law.cornell.edu/uscode/text/47/227
31- https://www.gpo.gov/fdsys/pkg/STATUTE-110/pdf/STATUTE-110-Pg56.pdf
32- See (2) above
33- See (4) above
34- https://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
35- See (7) above
36- See Avner Levin and Mary Jo Nicholson, «Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground» (2005) University of Ottawa Law & Technology Journal at p. 360
37- https://cmcweb.ca/eic/site/cmc-cmc.nsf/eng/fe00076.html
