In case you missed it, the Organization for Economic Cooperation and Development (“OECD”) released the revised Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the “OECD Privacy Guidelines”) last month. There is work to be done for the Governments of Canada, British Columbia and Nova Scotia.
Last month’s revision was the first major update to the 1980 OECD Privacy Guidelines, which have been influential in the development of private sector data protection legislation worldwide. Canadians should be justifiably proud that the Canadian Privacy Commissioner, Jennifer Stoddart, was the chair of the expert group that was convened to develop the 2013 amendments.
So far, the Government of Canada has not commented on this important work. Time will tell whether the Government intends to respond with legislation to amend the ageing Personal Information Protection and Electronic Documents Act to implement some of the recommendations from the 2013 OECD Privacy Guidelines. Potential amendments should include:
Enhancing the accountability requirements to require privacy management programs that must be available on demand to the Office of the Privacy Commissioner of Canada (“OPC”).
Notification to the OPC and, in some cases, law enforcement of a breach affecting personal data.
Notice to individuals who may be adversely affected by a breach involving personal data.
Enhanced powers for the OPC to ensure that there are adequate sanctions and remedies in case of failures to comply with laws protecting privacy.
But it isn’t just the Government of Canada that has work to do. The Governments of British Columbia and Nova Scotia should consider the renewed emphasis on free transborder data flows among OECD members. In particular, Part IV states:
17. A Member country should refrain from restricting transborder flows of personal data between itself and another country where (a) the other country substantially observes these Guidelines or (b) sufficient safeguards exist, including effective enforcement mechanisms and appropriate measures put in place by the data controller, to ensure a continuing level of protection consistent with these Guidelines.
18. Any restrictions to transborder flows of personal data should be proportionate to the risks presented, taking into account the sensitivity of the data, and the purpose and context of the processing.
Currently, the public sector data protection legislation of British Columbia and Nova Scotia precludes (in most circumstances) the transmission of personal information controlled by public sector entities outside of Canada. Because this proscription applies to entities such as universities, colleges and hospitals, it can apply even when the public sector agency is essentially operating a commercial activity as a means to generate revenue for its core programs. Serious consideration should be given to whether this “Canadian gating” requirement comports with the 2013 OECD Privacy Guidelines.