It is my pleasure, Chair, and distinguished members of this committee. I really appreciate this kind invitation for me to speak to you today. Let me say that I'm very honoured.
I'm not the EU legislator. I am not formally in charge of any adequacy finding. I represent an independent institution, like the Privacy Commissioner of Canada. We share in all the EU duties and powers of national data protection authorities. Being Brussels-based, however, we also are influential as the special and first adviser of the Council of the European Union and the European Parliament. We're better positioned to be of help.
My third introductory remark relates to our excellent working relations with the Privacy Commissioner of Canada. In general terms, we've always had a very close and fruitful strategic partnership with Canada. We also had the occasion, just to give you an example, to submit our pleadings to the European Court of Justice concerning the Canadian PNR. We had a chance to interact with some of our colleagues in Canada so as to be fully in touch with your legal framework.
I'm very pleased to be at your disposal and to answer any questions you may have about the process and the content of revising PIPEDA. I've been intimately involved in the reform of the European data protection rules. We are here to advise legislators. We adopted many opinions. We have been in touch with the rapporteurs and shadow rapporteurs. It was a process that took almost a decade from consultation, to proposal, to very long negotiations. Now we are focusing on implementation.
My institution will be one of the members of the newly established European Data Protection Board, the new EU body that will replace the existing advisory board, the Article 29 Working Party of the European Commission. In addition, the EDPS, the European Data Protection Supervisor, will also serve the board as secretariat. So 20 people from my staff will be delegated full-time to this initiative.
We are investing all our energies to be ready on day one, May 25 of next year. The GDPR, the General Data Protection Regulation, adopted last year and published last year on May 4 in the official journal, comes into force next year in May. Today nothing prevents a data controller from starting with real implementation, although full implementation, with enforcement, can only start at midnight on May 24 next year, when we come to convene all colleagues for the first meeting of the European Data Protection Board.
We are also putting our energies into complementary and necessary reforms. We need, notably on electronic communication privacy, the so-called e-privacy regulation, which is likely to replace the existing e-privacy directive. We have more or less the same approach as for the GDPR versus the 1995 directive. In addition, we are also expecting new rules applicable to the big galaxy of the European Union institutions and bodies subject to my supervision.
We're doing the work of a generation, and the challenge is to make sure people get to enjoy the new rights on the online world. The GDPR is going to be in place for, I predict, at least 15 years, which is more than a decade.
We can see that we have legislated not only for millennials, but perhaps also for the mid post-millennials who have only ever known a connected world. Therefore, the challenge is to consider the reinforced rights in the GDPR and the new rights such as those concerning privacy by design and privacy by default that can be called big data rights.
We really want to be more conversant with new technologies, to be future oriented, and to be, let's say, neutral from a technological viewpoint. You will not see any specific legislation on social networks or other specific applications, though the new rules on profiling, the right to be forgotten, and the right to data portability are designed to be horizontal.
I see a line of continuity between current legislation and the future one in making existing and new rights and freedoms meaningful for ordinary people and more effective in practice. We will have to depart from former requirements and focus more on substantial safeguards. Therefore, there is a convergence across the world on how these rules are to be drafted and applied, and I see Canada as part of this convergence. I see a growing consensus.
We're now in a position today to focus on transfer of personal data, which is a key factor in this debate. You may be interested to know what is new in the GDPR as compared to the directive and, of course, I can only quote Daniel Therrien, the federal commissioner, to say that the GDPR contains some provisions that did not appear in the current directive and also do not appear in PIPEDA: portability, erasure, privacy by design, and privacy by default. Therefore, we have to analyze together the differences in the two statutes.
I am pleased to answer any questions about the major differences between the directive and the GDPR, and about the process for determining PIPEDA's adequacy status under the GDPR, although neither the current directive nor the GDPR provides for any specific process, but we know what the approach could be.
I guess you will be interested to verify the criteria for determining the adequacy status, what it means after the Schrems case and the Digital Rights Ireland judgment of the European Court of Justice, what it means, and an adequate level of protection of personal data essentially equivalent to the one in the EU. Would you expect consultations with Canadian authorities, for instance, in the evaluation of the new approach in Canada, if any? What about the timelines, and more specifically, what are the long-term implications of the Schrems decision that were confirmed by the Court of Justice in coming decisions? One of them relates to the Canadian PNR.
If this is the right approach, we may focus then on specificities concerning either the retention of data or the protection of children. Many companies are interested to verify, for instance, which consent is to be re-collected once the GDPR enters into force. I think we have enough food for a fruitful discussion.
I don't want to abuse your time, and I think it's much better to now go into specificities in answer to your questions or focus on more detailed issues.
This is the million-euro question. Let me say first that there is no regulated process that expresses [Inaudible--Editor] in the GDPR. We should build on the basis of the criteria. First of all, existing adequacy decisions will remain in force up until the moment they are updated or repealed. There is a line of continuity.
Second, we have a lot of clarification in the GDPR as compared to existing direct.... For instance, the commission will now be able to adopt those adequacy decisions also for the law enforcement sector. It's much more clear that the new GDPR will allow for an adequacy determination to be made with respect to a particular territory of a third country, or even to a specific sector or industry—so partial adequacy findings.
Although the GDPR provides for a rebus sic stantibus approach, a periodic review of every adequacy finding, including existing decisions by the European Commission at least every four years, we're not in a hurry to put Canada on top of our decisions. You should now verify on the basis of the new, extensive list of criteria now listed in the GDPR for the assessment of that adequacy, what is needed.
My first recommendation before entering into details is to realize that chapter 5 of the GDPR is much less relevant compared to today. Today we apply the European Union legislation on data protection, mainly the two directives, to companies established in one of the European Union countries. Therefore you have to discuss to what extent a controller is established here.
As of May 25 of next year, the principle will be different. It will no longer be a mix of territoriality and establishment, but a system where we pay attention to the place where the services are delivered. The entire set of provisions in the GDPR will be fully applicable, including, but not only, those on transfers to controllers offering goods and services into the EU remotely, or profiling people at a distance.
It means that if, for a company, there is a perspective to have a continuous processing of personal data, not only in a one-way direction to Canada, attention is to be paid to the full set of provisions, not only to chapter 5. Assuming that we are only considering a minor dimension, which is the one of transfer, we have to pay attention to a second important approach. The GDPR was drafted and prepared for final adoption before the Schrems case, which relates to October 6, 2015, when it was too late to change the wording.
Adequacy now is a little different. We started in the seventies with the requirements of essential equivalence. If we look to Convention 108, adopted in 1981, the system in another country should be equivalent. The directive adopted in the EU in 1995, so 14 years later, has been focusing on something lighter, what is simply adequate. Then we have criteria to verify when a country or a system or a territory is offering an adequate level of protection.
Now, because of the new legal status of the Charter of Fundamental Rights and because of the Lisbon treaty, which is de facto the European Constitution, the European Court of Justice has said that these criteria are to be read jointly, with the condition expressed by the same court in the Schrems case.
They read what is adequate as now being essentially the equivalent.
Thanks for the leeway, Mr. Chair.
Mr. Buttarelli, I appreciate your joining us today. Thank you for coordinating around our schedule somewhat. As we know here in Canada, different time zones are often challenging.
I want to talk to you a little bit about our privacy commissioner. There have been ongoing discussions for a number of years now in terms of order-making powers that he has and hasn't wanted in the past.
I'm looking at your mandate, and from what I can understand, as a European data protection supervisor you have the power to advise institutions, handle complaints, and conduct inquiries.
Can you provide a bit more detail on your powers and whether they include order-making powers?
This is one of the areas where we have novelties in the EU.
First off, there are three important rulings from the European Court of Justice concerning independence of supervisory authorities. They relate to Germany, Hungary, and Austria. In these three cases, the countries have been found in breach of the existing directive and there are important recommendations to the legislators to bring forth independence, autonomy of supervisory authorities.
Secondly, the Court of Justice has said that the exercise of all existing powers in directive 95/46/EC is essential in terms of raising the independence, particularly the advisory role, the existence of a robust supervisory role. Therefore, now the regulation and the directive provide for a full list of reinforced powers, an entirely new scheme in terms of budgetary lines, requirements in terms of appointment, and relationship with government and relevant parliaments, depending on the legal system in each country.
Each DPA should be equipped with substantive powers in terms of warnings, with a view to admonish relevant controllers. Another novelty relates to the application of administrative fines. It is now mandatory for all member states to keep independent supervisory authorities with the duty and power to apply those fines where appropriate. The novelties are not only in terms of enforcement, but also with a view to consider all seven functions of a DPA listed by a famous Canadian professor, Colin Bennett, together with Charles Raab. They drafted the book listing seven missions of DPAs, including those concerning awareness, with a view to creating also a culture in terms of data protection.
In terms of more co-operation and more transparency, DPAs should be more selective in exercising their functions. One of the key pillars of the new regulation is accountability, which means that each private and public controller is requested to go beyond mere compliance, to have an internal policy to demonstrate that they comply in practice, to have an answer to every pressing need, including the allocation of resources and responsibilities. We would like to treat all controllers more responsibly, as adults, we might say. Therefore, DPAs should be more effective when appropriate, but also more selective, and more transparently define their priorities. They should publish a program and they should be more predictable, more accessible, and more protective.
So it's a less prescriptive approach, with more engagement, more interaction with new technology. It's also from the perspective of making new rules on accreditation, certification, seals, and privacy by design and privacy by default more effective in practice.
This is a question where I risk displeasing you. Let me speak as a member of the judiciary, as I am, to say that the GDPR contains very little news on the right to be forgotten. You will not find any specific reference.
If you interview the rapporteur of the Costeja González case, he will furiously react to say that there is no wording in the judgment mentioning the right to be forgotten. He will say that it is actually a right to be delisted. He will say that there is no novelty in the ruling by the Court of Justice, and that the only novelty relates to the faculty of the data subjects involved to directly address the search engine instead of contacting other controllers.
In terms of perspectives, we attach real importance to the coming case before the Court of Justice. Once again, it's a preliminary ruling. It comes from the French council of state. Right after the Costeja González case, together with other national DPAs, we coordinated our enforcement actions, so we clarified which principles are to be defined.
Google, Bing, and other search engines have agreed on the principle. If we look at the statistics published by all of them, you will see that after the initial peak we are now in a reasonable trend. The large majority of requests by data subjects are properly considered, and where they are forwarded to the competent authorities—it could be a court or a DPA—the conclusion by those two is not different from the search engines'.
There is a convergent approach in identifying good reasons in terms of public interest not to delist the relevant information.
The area of disagreement relates to the territorial scope of application of the ruling. While DPAs consider that this should be global, and the French authority has adopted the decision to challenge it before the Court of Justice to say that we should also consider the .com domains, Google is of a different opinion, and this is why we are waiting for a conclusion.
The GDPR does not contain any reference to areas where the right to be forgotten is currently regulated by the civil penal code, common rules in all member states. Here I see that regardless of the GDPR, let's say it's business as usual.
The GDPR provisions on transfer of data apply to all controllers in the public and the private area without any distinction. We have different criteria now for the assessment. They basically allow for it to say that it should be a global evaluation and not purely a legal one.
The criteria are the following. First of all, there is the rule of law, so we have to look to relevant legislation in force, both general and sectorial, including—this is an important specific novelty—that concerning public security, defence, national security, and criminal law. This is why we now have the case on the Canadian PNR but also professional rules, security measures, which are complied with in a third country or by an international organization. We would like to see to what extent certain rights are effective and enforceable, so we look to effective administrative and judicial redress for data subjects.
A second element relates to the existence and effective actioning of at least one independent supervisory authority. How they advise and assist with regard to the data depends on the extent to which they may co-operate with supervisory authorities in other countries, but also on the international commitments they may have as an international organization.
The commission adopted a communications package on January 11 this year to focus, as a priority for the next two years and up, the mandate of the current commission. They have declared that we'll look first to start with a new dialogue where necessary. Then we'll look at the extent of the European Union's even potential commercial relationship with that country, including the existence of a free trade agreement or ongoing negotiations. Then we will look at the extent of personal data flows from the European Union.
There is the pioneering role. This is an essential role for South America, for instance, that the first country plays in the field of privacy data protection, so it is something that could serve as a model for other countries.
Finally, there is the overall political relationship with the third country in question.
We focus on data protection but not only. There is no procedure to apply for adequacy as I said, but I can describe in detail which best practices are observed in practice.
Yes, it is an area of major concern, but I would like to take this opportunity to draw your attention to a recent position by the Article 29 Working Party, according to which our opinion for the assessment by the commissioner will be based on more than those principles.
We would like to draw attention first to the basic rules for the data protection purpose limitation principle, data quality and proportionality, transparency—to reach a standard on how data subjects are effectively informed, security—the security of a database's data and systems, the exercise of rights of access in opposition—not only portability, and something that is particularly highlighted in the GDPR, which is onward transfer. There are a few other additional points on sensitive data, direct marketing, and automated individual decisions, but I would like to recommend that you not focus too much on the novelties in the GDPR, such as design, default, and portability.
Of course, they will contribute to the review of the current assessment by the EU, but we have time. The European Commission has been requested to submit in three years from now—by spring of 2020—a record of the first round of implementation of the GDPR and of the approach to be taken with regard to existing adequacy findings.
If I go back to the one adopted for Canada, I have to go back to an opinion adopted by the Article 29 Working Party in 1998, to the Working Party 12 document. Default, design, and portability were not considered in that document, but we started at that time to consider the conditions on surveillance, which are now much more relevant.
We would encourage that there be a global approach and that you not have a sort of point-to-point replication of every single rule, so the adequacy test is an important message I would like to share with you. It relates to the substance of all privacy rights, globally speaking, in terms of implementation, enforceability, supervision—
I would welcome a similar approach on those areas, of course, but I'm saying that the evaluation by the EU side builds on a different approach, where they are part of the global analysis, but we look to many other things that are—in a few cases—more essential.
Being the one taking a decision by considering the EU approach, I would say that, for instance, the restrictions, exceptions, and derogations for law enforcement are more important than design and default. One member of my team will be part of the joint review of the privacy shield. Of course, we will consider privacy by default, privacy by design, and data portability as well, but law enforcement is at the top of our concerns. Globally speaking, it counts more.
This is what I want to say, then I can simply welcome that you harmonize as much as possible with this approach.
If I had a couple of minutes with you or one of your colleagues, I would like to share with you the latest update on what other countries are doing around the world, what's going on in 35 countries in addition to the 109 already equipped with a new generation of data protection rules.
Here we don't have too much novelty. The GDPR does not mention artificial intelligence, but there is a provision which is in continuity with the current directive. It provides for this article 22, which provides for a line of continuity. The data subject will continue to have a right not to be subject to a decision based solely on automatic processes, including but not totally providing...when the decision is likely to produce legal effects concerning him or her, or with a view to significantly affecting him or her. There are some exceptions in the case of the necessity relating to a contract between the data subject and the data controller, explicit consent by the data subjects. What is needed is that in case of a derogation, some suitable measures be listed by the legislator to safeguard the data subjects and their rights.
We see a line of continuity in having a human evaluation as part of the process. We recognize the ability of the controller to build largely on an automated individual decision-making process. However, the question is on what is at the end, how the decision is placed, and to which extent there is a human contribution. This is a specific right. The wording is “shall”, and therefore now the question is to what extent we may build on safeguards.
Let me say that with regard to artificial intelligence, we have posted on our website an important background document for the last conference of all data protection and privacy and information commissioners from all around the world—a meeting in Marrakech—with a view to going beyond the GDPR being part of the artificial intelligence debate by the data protection people, and a list of questions for a more synchronized approach by DPAs. In case you fail to identify the web page, we can provide you with the relevant link.
They are. Let me speak about my background.
I spent 12 years in a national data collection authority as a secretary general in my country of origin. I can say that awareness and data protection in privacy culture is more than essential. You may be the best one in terms of legal analysis, but if you fail in making people aware of their rights, if you fail in being engaged with the controllers in the process, you are not on the right track.
One of the novelties of the GDPR relates to the adoption of guidelines. We've replaced 25 out of 47 legal provisions, so the GDPR is speaking about new legislation, implementing delegated acts by the European Commission with flexible guidance from controllers. They are to be adopted on the basis of an inclusive process, in active consultation with data controllers. The decision-making process by the European Data Protection Board will be very different from the one currently followed by the Article 29 Working Party.
Recently, I also started an exercise to make more accessible data protection. It is extremely complicated. It's not simple from a legal viewpoint. It's horizontal. It relates to many sectors. You should make this principle digestible in practice. There should be not only warnings, but also, on the basis of your experience, proactive exercises to explain how they may be applied in practice.
By May of next year, together with the commission, we will take part in a European Union campaign to make people aware of the new data subject's rights, but also to speak more directly to data controllers and processors to make data protection digital. I would like to focus more on making this principle effective in practice, much less “Pater Noster, Ave, and Gloria,” and more substantive principles in practice.
I'm not an expert on PIPEDA, but I understand that it applies only to private sector organizations. Initially, the act applies only to organizations that are regulated at the federal level, but also to the disclosure of personal information by certain organizations. Finally, I understand that the act also applies to all businesses in the territories as they are deemed to be federal work.
One question relates to this. What if a province passes privacy legislation, even if it is substantially similar? Second, what about government organizations? Would you like to work in a perspective to simply follow the line and remain in the specific context of the private sector organizations, or is there any interest to make the adequacy finding larger by considering other areas as well?
I think we will pay attention to onward transfers more than in the past, to the specific statutes for sensitive data, and pay a lot of attention to the e-privacy regulation to be applied soon. It enters into force by May 25 next year as well.
Some regulation is likely to specify and complement existing provisions in the general regulations in the online world, so you will have substantive provisions, for instance, on cookies, on the protection of confidentiality, and on search engines, particularly with regard to consent.
I had a chance to discuss with your federal commissioner consent in the GDPR as compared to consent in the current directive. One of the major concerns for controllers is whether to collect once again a new consent by the data subject. The answer is that it depends on whether you respect the essence of the future provisions. Did you really collect freely given, specific, and informed indication of the data subject's wishes? Did you provide for an explicit consent to process sensitive data? Could you say that for data other than sensitive data consent is unambiguous? Therefore, you have to discuss which consent is unambiguous in the online world.
This is extremely important, because in case you cannot work on reliable consent anymore, you have to verify which other legal ground is to be...collected, with particular regard to the balance of interest and to legitimate interest.
There are two opinions by the current Article 29 Working Party, plus another one on purpose limitation. I think they may be considered in terms of priority now, with a view to see to what extent certain protections or safeguards for the data subject are effective in practice.
Perhaps it would also be relevant to share my views with you on profiling and mass information—
I would like to ask you some questions about the powers. Here, as you are well aware—through your discussions with Mr. Therrien, among others—academia and the general public agree with giving more powers to the Privacy Commissioner, whereas businesses talk more about collaboration.
We know that, over there, you have those powers, even the power to impose fines. We saw that, in Italy, your native country, WhatsApp was fined $4.5 million.
Tell us how those powers are a deterrent in a situation of this kind. Or do you think that we should keep collaborating with companies instead of imposing penalties?
The two approaches are not opposite. Accountability is the right approach we request, and it doesn't mean that you should simply respect the law. We are asking now more, and let me speak for a second as a member of the judiciary, as I am.
Being in front of a court case where we may discuss to what extent the controller has been proactive, I would consider in a better way the case where he made mistakes but has been very operational. The question is not to have an emphasis on every kind of even minor mistake. I would like to see the big picture, but I would welcome the approach they recommended to you. We need a dissuasive approach.
Let me say that we are now bombarded from everywhere in the world, and if I am in Silicon Valley or in Africa or in South America, the first question is the same everywhere. What about fines?
We know that they are very serious.
I would now advise the legislators to clarify the interlink between administrative fines and penal law. This is another area. We have to clarify the so-called non bis in idem principle, so are we going to apply fines in all countries with regard to the same controller? In adopting the criteria to decide if a fine is to be applied, we have to consider the remedies considered by the subject, that is, whether he has been fair and dynamic in approaching a security breach, informing people after a violation, reducing the kinds of damages. All in all, data protection costs a lot, and every effort is to be considered when taking a decision.
So this is why I talk and I would defend this approach, a system where fines are to be applied where necessary, but not necessarily in every case. I'm not a lover of the Spanish approach. We call it tot capita, tot sententiae. If there is even a minor breach, there is no appeal, and unavoidably, the sanction is to be applied.
Let's look to the picture because otherwise we risk having fines considered as a budget line, and this leads also to an amount of fines because we need to graduate, we need to consider the position of small and medium enterprises, and we need to carefully consider the criteria in terms of the seriousness of the breach, the implications of a larger-scale approach. We cannot treat every breach in a single way. So we need a very dynamic approach where we use the carrot and the stick.
If you'll give me 20 seconds to open article 83, I think this is one of the lucky provisions where we have no excuse because we have all the opportunities to consider. I'm quoting now the relevant paragraphs:
    (a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
    (b) the intentional or negligent character of the infringement;
    (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
    (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
    (e) any relevant previous infringements by the controller or processor;
Another important point relates to the degree of co-operation with the supervisory authority to mitigate the possible nefarious effect. How many data subjects have been involved? What about the categories of personal data or data subjects involved? How has a data controller been proactive in approaching the supervisory authority to confess the breach? How do they notify them of the infringement? Are they following codes of conduct? Do they consider other circumstances, for instance financial benefits they got from the infringement?
All these criteria can be applied to four categories of breaches. We cannot treat every breach in a single way. In addition to the criteria I've just mentioned, we should also consider the seriousness of different violations so we are reasonable, we are credible. Otherwise, people would not understand.
We need to avoid a system whereby the fines are simply a budget line item for a big corporation. We need to increase the amount of fines where and when dispensable, but in the end we need to consider the amount of money and the energy that the controller, in the process, has spent on the case.