Public consultation on the Privacy Act – Submission – Anonymous #13

This submission is available in English only.

February 11, 2021

Hon. David Lametti, P.C., Q.C., M.P.
Minister of Justice and Attorney General of Canada
House of Commons
Ottawa, Ontario K1A 0A6

Re: Modernizing Canada’s Privacy Act

Submission of [Information was severed]

[Information was severed] (“we,” “us,” or “[Information was severed]”) appreciates the opportunity to make submissions to the Government of Canada (the “GoC”) regarding its Online Public Consultation on Modernizing Canada’s Privacy Act (the “Consultation”). [Footnote 1] We welcome the efforts of the GoC to modernize the Privacy Act and we look forward to working with diverse stakeholders to advance privacy safeguards for Canadians’ personal information.

[Information was severed] is a global cloud computing company that offers enterprise software tools to businesses, governments, and other organizations. We help our customers connect with their customers — or employees or citizens — in a whole new way via cloud, social, and mobile technologies. Our customers use our services to work with some of their most sensitive data, which is why trust has been our number one value since our founding.

We share the GoC’s vision that the Privacy Act’s modernization ought to be guided by the three pillars of Respect, Accountability, and Adaptability, all of which complement [Information was severed]’s corporate philosophy. While some companies view privacy as a burden, we see it as a strategic enabler of innovation and, ultimately, a competitive advantage. Trust among consumers, businesses, and governments is at the foundation of prosperity and innovation in a digital economy, and has its roots in respect for individuals and their privacy rights. Trust is fostered when governments and businesses remain accountable for their handling of personal information and actively protect individuals’ privacy. In turn, individuals expect governments and their service providers to provide products and services that are smart, personalized, and adaptable so they may innovate and meet the challenges of today’s global information landscape.

In the comments below, we draw upon insights we have developed over our two decades of securely, responsibly, and transparently processing personal information to provide our views regarding the Consultation Discussion Paper (the “Discussion Paper”). [Footnote 2]

I. The Privacy Principles Provide an Adaptable Framework for Personal Information Protection

As a provider to government institutions around the globe, [Information was severed] understands that governments must remain accountable for the personal information under their control and we work tirelessly to ensure that the personal information we process on behalf of our government and business clients alike is protected to the highest degree. [Information was severed] believes that the incorporation into a modernized Privacy Act of the ten well-established international privacy principles found at page seven of the Discussion Paper will assist in ensuring that Canadians’ personal information is adequately protected. A principles-based and technology-neutral approach is key to ensuring that the Privacy Act remains adaptable to new challenges. Furthermore, the incorporation of the ten privacy principles would facilitate interoperability with both Canadian and foreign privacy legislation, preventing gaps in accountability and demonstrating alignment with established global standards.

II. The Provisions of the CPPA Should Serve as a Model for the Privacy Act

To facilitate interoperability, we believe that future amendments to the Privacy Act regarding the Safeguards and Accountability principles as they relate to service providers should be consistent with the provisions of the proposed Consumer Privacy Protection Act (“CPPA”). [Footnote 3] In our view, the CPPA provides a flexible and adaptable approach to transfers to service providers, in part due to its neutrality regarding international transfers.

The CPPA requires an organization that transfers personal information to a service provider for processing to ensure by contract or otherwise that the service provider delivers substantially the same protection of the personal information as that which the organization is required to deliver under the CPPA. [Footnote 4] Service providers must protect that personal information through physical, organizational, and technical safeguards proportionate to the sensitivity of the information, taking into account quantity, distribution, format, and method of storage. [Footnote 5] Such safeguards must protect against, among other things, loss, theft, and unauthorized access, disclosure, copying, use, and modification. [Footnote 6] If a service provider determines that a breach of its security safeguards involves personal information, it must notify the organization that controls the information “as soon as feasible.” [Footnote 7]

III. Data Localization Requirements are Not Adaptable, Do Not Effectively Prevent Foreign Access, and are Less Protective than Other Safeguards

We would discourage the Safeguards and Accountability principles from being interpreted within a modernized Privacy Act as requiring that personal information under the control of a government institution and transferred to a service provider for processing remain within Canada’s geographic borders (a concept often referred to as “data localization”). Rather, we agree with the Discussion Paper that a flexible, risk-based approach is desirable. Furthermore, we believe that a modernized Privacy Act effort could serve as a template for provinces to harmonize their patchwork data localization requirements in a way that addresses transborder data flows more flexibly and effectively.

Data localization requirements attempt to provide an over-simplified answer to a complex issue. An oft-cited rationale for these requirements is that they help to prevent foreign governments and courts from accessing the personal information of another nation’s citizens. However, as recognized by Canada’s own Assistant Deputy Minister, Cyber and IT Security, this is simply not the case. [Footnote 8] [Footnote 9] [Footnote 10]

Data localization requirements run counter to the pillar of adaptability, which dictates that a modernized Privacy Act should not inhibit the processing of personal information across borders when it would benefit Canadians and adequate safeguards are in place. Rather than imposing such requirements upon government bodies, the accountability and security of service providers should be ensured via safeguards similar to those contained within the CPPA, which does not contemplate data localization, emphasizing instead contractual obligations and technological protections.

For example, the GoC may implement policies mandating that all contracts for the processing of personal information outside Canada require service providers to reasonably assist transferring organizations who wish to resist foreign government or court orders to produce Canadian personal information. They may further specify technical requirements such as encryption, authentication, and data minimization standards.

Federal institutions can diligently oversee service provider contract performance, remediate any discovered breaches, and put in place measures to detect and defend against actual or potential disclosure of personal information to a foreign court or other foreign authority. [Footnote 11] Such monitoring can be achieved through regular, thorough compliance audits conducted by a third-party auditor.

Furthermore, federal institutions can ensure through contract that data protection obligations apply to sub-processors, as well. For instance, [Information was severed] enters into written agreements containing privacy, data protection, and data security obligations that flow down to our sub-processors the commitments we make to our customers and to individuals to whom the personal information we process relates. Our sub-processor privacy exhibit includes (i) an obligation for the vendor to use and disclose personal information only in accordance with our instructions; (ii) a commitment to assist us in helping customers to respond to the exercise of rights by individuals whose personal information is processed; (iii) provisions related to confidentiality obligations of vendor personnel; (iv) obligations regarding the vendor’s use of further sub-processors; (v) commitments regarding security controls and security breach notification; (vi) provisions governing the transborder transfer of personal information; and (vii) details on the return and deletion of data. Compliance with such obligations as well as the organizational and technical measures implemented by [Information was severed] and its sub-processors is subject to regular audits and certification by multiple third parties.

IV. A Modernized Privacy Act Must Distinguish Between Transfers for Processing and Disclosures

The Discussion Paper does not distinguish between disclosures of personal information outside of Canada and transfers of personal information outside of Canada for processing. [Information was severed] believes that distinguishing between transfers and disclosures is an important feature of Canada’s privacy law regime and helps to ensure that the protections afforded to Canadians’ personal information are meaningful, rather than pro forma.

2009 Guidance from the Office of the Privacy Commissioner of Canada correctly noted that under the Personal Information Protection and Electronic Documents Act (PIPEDA), a “‘transfer’ is a use by the organization… When an organization transfers personal information for processing, it can only be used for the purposes for which the information was originally collected.” [Footnote 12] PIPEDA requires an organization to “use contractual or other means to provide a comparable level of protection while [personal] information is being processed by a third party.” It is therefore clearly contemplated in existing Canadian privacy legislation that a transfer for processing, even a transborder transfer, presents a materially lower level of risk to the privacy of Canadian individuals than does a disclosure. The former is understood to be a use case that is subject to the same legal, administrative, and technical safeguards that would be in place if it were performed by an organization’s personnel at an organization’s own locations, yet happens to be performed by a sub-processor’s personnel in other geographic locations.

V. A Modernized Privacy Act Must Distinguish Between Controllers and Processors

[Information was severed] believes that the principle of accountability should be vigorously enforced under Canadian privacy law. The positions for which we have advocated above are fundamental to and widely shared among data protection frameworks in the EU and around the world. Although privacy is a concept that varies from culture to culture, and any future amendments to or expansions of the Privacy Act should be grounded in Canadian values, we strongly urge the GoC to prioritize global interoperability in any new legislation. The interoperability of Canada’s privacy laws with those of other countries and trading blocs is not only critical to continued innovation and economic investment in Canada, but also to ensuring that Canadians’ personal information enjoys easily understandable and consistent protections regardless of where it is processed.

Further to this point, we suggest that a key distinction made in a number of the data protection frameworks of the world’s leading economies should also be introduced within a modernized Privacy Act. The Privacy Act should acknowledge and clearly distinguish between data controllers, which may include private businesses or government institutions who determine the purposes and means of processing personal information for their own purposes, and data processors, which process personal information on behalf of data controllers.

Due to the nature of our business and the services we provide, [Information was severed] acts in the role of a processor with respect to the data uploaded to our cloud software by customers. We treat the confidentiality, integrity, and availability of our customers’ data with the utmost care, because we know that our customers, in turn, have made privacy commitments to the individuals from whom the data was collected. As a result, we impose strict internal controls on when (either with customer permission or as required by law) we may access or process customer data.

Processors should be expected to assist controllers in fulfilling the latter’s obligations towards individuals, including with respect to transfers. However, other than in extraordinary circumstances, expecting processors to directly fulfill obligations towards individuals (rather than to the controllers who collected those individuals’ data) would require processors to make decisions regarding data into which they have limited visibility and over which they have no legal authority, breaching the contractual commitments they have made to, and the trust of, their controller customers and mis-aligning controller/processor incentives.

VI. Conclusion

We are encouraged by the GoC’s efforts and look forward to further engagement. [Information was severed] remains committed to the success of our public and private sector customers, and we view our active participation in this important discussion as advancing that success. We would be pleased to serve as a resource to the GoC as it works towards modernizing the Privacy Act.

Respectfully submitted,

[Information was severed]