by Stephan Grynwajc, EU, U.S., and Canadian Privacy and Data Protection Attorney
As an international privacy professional advising companies on complying with privacy laws, and on protecting personal information in multiple jurisdictions, I experience first-hand differing international regulatory approaches to personal information processing and protection that countries across the globe take in order to regulate the processing of their residents’ personal information. To competently advise on matters of international privacy requires an understanding of the different cultural and legal foundations upon which this area of law has been built.
This article aims at presenting an overview of the fundamentally different foundational and ideological approaches the EU and the U.S. have taken to regulating the area of privacy, and the “compromise system” developed by Canada in devising and evolving its own legal framework.
I. The similarities between U.S., EU, and Canadian privacy laws
Despite some clear differences in approach to the concept of privacy and the scope of its regulation, the three regions all employ a layered approach in their privacy frameworks.
A) U.S. privacy laws
In the U.S., federal regulation, such as the Fair Credit Reporting Act of 1970 (FCRA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999 (GLBA), the Children’s Online Privacy Protection Act of 1998 (COPPA), the Privacy Act of 1974 and the Freedom of Information Act of 1966 (FOIA) operates in parallel to a patchwork of sometimes conflicting state privacy laws, particularly in the areas of data breach notification, identity theft and medical privacy.
While some federal privacy statutes, such as the FCRA, preempt state law (meaning states cannot impose additional requirements), others, such as HIPAA, do not. Adding complexity, some laws attempt to do both – the recently adopted California Consumer Privacy Act of 2018 (CCPA), as amended, excludes from its scope personal information governed by the FCRA, the GLBA, or HIPAA, but requires that HIPAA-Covered Entities or related Business Associates must still comply with CCPA with respect to personal data (or even health data) that does not satisfy the definition of Personal Health Information (PHI) under HIPAA.
In such a complex legal environment, any practitioner advising on U.S. privacy law would need to master not only federal regulations but also the relevant state-level laws operating in states where their clients operate their business or otherwise collect and process the data of residents of those states.
B) EU privacy laws
Legislation adopted at the EU level, such as the General Data Protection Regulation (EU) 2016/679 of 2016, or the EU e-Privacy Directive (2002/58/EC) of 2002, amended in 2009 by the EU Directive 2009/136/EC (also known as the EU Cookie Directive) sits alongside national privacy legislation including the French “Loi Informatique et Libertés” n° 78-17 of 1978, as amended by Law n°2018-493 of 2018, or the recently adopted UK Data Protection Act of 2018. EU Directives are not automatically applicable under the laws of the EU Member States. They only set objectives for the Member States to attain and time periods for countries to incorporate the European text into national law. While this preserves some flexibility in implementation for Member States, it also results in country-to-country regulatory variation. On the other hand, EU Regulations are binding legislative acts and must be applied in their entirety across the EU, with the significant exception that the GDPR permits EU Member States to authorize national-level exceptions (so-called “national derogations”) in more than 50 areas (for more information read my separate article on this topic).
In the EU, any practitioner advising on privacy laws would require fluency not only with EU Directives and Regulations (soon to include a ePrivacy Regulation under final discussion at the EU level), but also with the laws of those countries in which their clients process personal data of individuals or have otherwise established their processing facilities.
C) Canadian privacy laws
In Canada, similarly, federal privacy laws such as the Privacy Act of 1983, governing the processing of personal information by the federal government and the Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA) (with a number of key amendments being recently introduced through the draft Consumer Privacy Protection Act (CPPA)) governing the processing of personal information in the private sector, sit alongside the Canadian Charter of Rights and Freedoms and the Quebec-only Quebec Charter of Human Rights and Freedoms. In addition, every province and territory in Canada has its own specific public sector privacy laws (such as FIPPA/MFIPPA in Ontario or An Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information in Quebec).
Provinces such as Alberta, Saskatchewan, Manitoba and Ontario also have their own health-specific privacy laws, such as the Personal Health Information Protection Act (PHIPPA) in Ontario. With respect to the use of personal information in a commercial context, Quebec has also passed An Act Respecting the Protection of Personal Information in the Private Sector (PPIPS) (a number of key amendments to which have been introduced by Bill 64), while British Columbia (PIPA BC), Alberta (PIPA AB) and Manitoba (PIPITPA) have also passed their own provincial laws in the area.
Just as in the U.S. and the EU, a Canadian privacy law practitioner, or any foreign practitioner whose clients are either based in Canada or are doing business in Canada, needs to be familiar not only with federal privacy laws and the Canadian Charter, but also with provincial and sometimes sector-specific legislation.
Despite these similarities, major differences separate these three legal regimes. These differences are primarily philosophical as the U.S., the EU and Canada have a different interpretation of what should drive the passing of privacy laws and the protection of privacy, with that initial difference creating varying risk analysis methods and culminating in distinctive regulatory frameworks.
- The key differences between the U.S., the EU and the Canadian approaches to privacy
Distinct concepts of privacy in each jurisdiction have led to different types of regulations. On one hand, in the U.S. there exists a deeply engrained, fundamental distrust for government (“Big Brother“) when it comes to protecting individuals’ personal information creating an instinctive mistrust of federal government action. This view has only been amplified by the recent abuses found in the application of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) and, more recently, the Snowden revelations. On the other hand, recent legislative moves in the U.S. at the state level in the wake of the adoption of the CCPA (and the upcoming Consumer Privacy Rights Act of 2020 amending the CCPA that will come in to force January 1st, 2023) show a willingness to impose new restrictions. These rules are matched by action at the federal level, with the recent draft of the Data Accountability and Transparency Act of 2020, signaling a clear move towards giving individuals more control over the processing of their data by private market players.
European and Canadian cultures show less distrust in government handling of personal data. Instead, the government’s role is viewed as a protector of individual rights against private businesses mishandling their data. While recent breaches at the government level in the UK may have undermined public faith, for the most part the EU and Canada are more concerned with business interest driving a culture of disregard for individuals’ personal information than with the government misuse. At the same time, recent high profile corporate security breaches in the U.S. (affecting firms such as eBay, Citigroup, Target, Sony, Marriott, or Zoom) have eroded some of the public trust in corporate industry self-regulation and have prompted calls for federal industry oversight. However the EU and Canada on one side, and the U.S., on the other side, see the role of government oversight differently, both generally, and towards privacy regulation in particular.
There is also a difference in philosophical approach to what should be the purpose and scope of privacy laws. In the U.S., privacy protection takes the form of protecting an individual liberty, particularly from government interference. For Europeans, data protection includes protecting one’s dignity or their public image. In Canada, data protection is focused on individual autonomy through the personal control of information.
1 – The U.S. Approach
Traditionally, Americans have preferred that their government leave them alone. Recent global events, the specter of terrorism since 9/11, the consequent passage of the USA PATRIOT Act and the recent Snowden revelations, have convinced U.S. citizens that privacy must be protected, first and foremost, from “Big Brother” government. Privacy laws and regulations have been passed to limit government activity and extend privacy provisions into digital data, including the Electronic Communications Privacy Act of 1986 (ECPA) (enacted to extend government restrictions on wire taps to include transmissions of electronic data by computers and also added provisions prohibiting access to stored electronic communications), the Privacy Protection Act of 1980 (protecting journalists and newsrooms from search by government officials), and the Right to Financial Privacy Act of 1978, (designed to protect the confidentiality of personal financial records, but only from government intrusion).
Insofar as regulation protects privacy rights in the private sector, it lacks the comprehensive purpose of EU privacy laws, taking a sector-by-sector approach instead. Whether it is the FCRA (credit reporting), the Financial Modernization Act of 1999 (GLBA) (financial sector), the Cable Communications Policy Act of 1984 (cable companies), the Videotape Privacy Protection Act of 1988 (video stores), the Telephone Consumer Protection Act of 1991 (telemarketers), the Telecommunications Act of 1996 (telephone companies), HIPAA (healthcare providers) or COPPA (children), the U.S. federal legislative framework is sector-specific and thus fails to articulate an overall legal theory with respect to privacy. This, combined with the patchwork of state laws in that area, addresses narrow, specific issues rather than privacy as a concept. The result is a greater protection against the collection and use of personal information by government and a much lower set of requirements for the private sector.
2 – The EU Approach
The Council of Europe, established in 1949, developed a comprehensive, principle-based approach to privacy in addressing the painful aftermath of World War II, the horrors of which included the weaponization of data (such as the keeping of lists of Jews in Nazi-occupied territories). Post-War European generations felt it was clear that only such an approach could ensure adequate protection of people’s dignity. That same approach was incorporated into the OECD on 23 September 1980 when the Transatlantic organization adopted its Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, and more recently by the GDPR, which aimed at covering in a comprehensive, universal way (and transcending business sectors or fields of use) the processing of all personal data by whatever means. The Regulation is based on a set of principles which require a legitimate (“fair and lawful”) basis for processing; purpose limitation; data quality; proportionality; transparency; data security and confidentiality; data subjects’ rights of access, rectification, deletion and objection; restrictions on onward transfers; additional protection where special categories of data and direct marketing are involved; and a prohibition on automated individual decisions. This comprehensive approach is believed to best protect the fundamental rights and freedoms of EU citizens.
While the GDPR does constitute the law of the land in 80% of processing scenarios, its interplay with the Member States’ “national derogations” in more than 50 areas of privacy continues to require, albeit to a considerably lesser extent than under the 1995 EU Data Protection Directive, a reading of the GDPR that examines EU national privacy laws alongside opinions, recommendations and various guidance issued by the 27 Member States’ regulators as well as by the European Data Protection Board (successor to the Article 29 Working Party under the Directive). It also continues to require a reading of the ePrivacy Directive (until its replacement by a Regulation) and other EU Directives in effect in the privacy area alongside national laws implementing, with sometimes substantial variations country to country, the EU text into national law.
3 – The Canadian Approach
The Canadian privacy legal framework is a middle ground between the U.S. and EU regimes, echoing U.S. concerns about “Big Brother” government, while still being skeptical of private sector use of personal information. Although Canada hasn’t gone as far as enacting comprehensive, unified federal legislation governing all uses of personal information to cover all sectors and fields of use, privacy laws exist, addressing individuals’ privacy both in the public sector and in the private sector.
With respect to the actual regime of protection, despite its geographic proximity to the U.S., Canada is closer in philosophy and approach to the EU model. PIPEDA, Canada’s comprehensive national private sector privacy legislation, which in 2004 became fully applicable to all industry segments, is modeled on the Canadian Standards Association (CSA)’s Model Code for the Protection of Personal Information, comprising ten privacy principles included in the Model Code (Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance) remarkably similar to the principles outlined in the EU GDPR.
Furthermore, despite its decentralized federal structure, Canada has achieved a greater level of uniformity than found in the EU, where unity is undermined by the number of national derogations to the GDPR available to all 27 Member States and differences in the interpretation among EU countries in the adoption of EU Directives. In Canada, the legal principle which provides that if a provincial law is deemed “substantially similar” to PIPEDA, it generally supersedes PIPEDA with respect to the regulation of intra-provincial and provincial government activities, has enabled the enactment of local laws, in Alberta, in British Columbia, in Quebec, that are harmonized with and have substantially similar provisions to the federal law.
Final Thoughts
Despite the similarities in the construct of the regulatory regime of data protection in the U.S., the EU and Canada, there are enough differences and complexities in navigating the international privacy landscapes to keep privacy practitioners and their clients on their toes. The comprehensive approach of the EU has not only inspired Canada to offer “an adequate level of protection” under article 25 of the Privacy Directive for EU data export purposes, but has also driven the U.S. Department of Commerce to successively enter into (despite their recent invalidation by the European Court of Justice) the 2000 Safe Harbor Agreement and the 2016 EU-U.S. Privacy Shield Framework with the EU Commission to govern the onward transfer of EU data to the U.S.
Despite the differences, there is an appreciation that we live in a global world where data needs to flow across borders and where incompatible regimes represent a hindrance to the development of international commerce. The passing of the GDPR was aimed precisely at facilitating doing business within the EU, both for domestic businesses and for non-EU companies looking to expand in the EU. Although in the U.S. there is historically ideological opposition to any plan to introduce federal privacy laws and oversight such as that adopted in the EU and, to some extent, in Canada, things are changing. The GDPR has had a major influence on the adoption of the CCPA in California and of comparable legislation in a number of other States, and the impact of recent cyberattacks and other massive corporate security breaches have certainly brought about a new sense of urgency around the importance of looking at privacy more holistically.
Until a single solution is universally acclaimed, privacy practitioners and their clients will have to continue navigating the intricacies and interactions of federal v. state law in the U.S., EU v. national law in Europe, and federal v. provincial law in Canada.