the tpp agreement and privacy

In This Issue:

The TPP Agreement and Privacy Jawaid Panjwani .............................. 9

Is Canada Safe from the Safe Harbor Decision? Anca M. Sattler, Lauren Crosby, and Wendy J. Wagner.................... 11

Online Trust Alliance Issues Revised Draft “Trust Framework” for the Internet of Things Keith Rose ........................................... 14

Volume 13 • Number 2 January 2016

The TPP Agreement and Privacy

The Trans-Pacific Partnership Agreement (the “TPP Agreement”) is a re-gional trade and investment agreement negotiated by 12 Pacific Rim coun-tries representing 40 per cent of the global economy. Canada, the United States, Mexico, Japan, Malaysia, Vietnam, and Australia are signatories. The TPP Agreement, which has 30 Chapters, ushers in a comprehensive program of tariff reduction for goods and services and establishes binding rules in a wide-range of subject areas, including financial services, cross-border trade in services, investment, competition policy, intellectual prop-erty, telecommunications, and electronic commerce. The TPP Agreement also touches on a number of privacy-related issues, including the cross-border flow of information, spam, and encryption technology.

Cross-Border Flow of Information

The free flow of information across borders is important for international commerce and the trade in services, particularly information technology services. However, a number of countries regulate the export of data to other jurisdictions and/or require that service providers use local data servers, equipment, and infrastructure as a condition of doing business. This has raised concerns that restrictions on cross-border information flows and data localization requirements may be misused as disguised trade barriers to favour domestic service providers.

Jawaid Panjwani Associate

Dentons Canada LLP

CANADIAN PRIVACY LAW REVIEW • Volume 13 • Number 2

10

Under the TPP Agreement, each Party must allow the cross-border transfer of information by electronic means, including personal information, in the course of business activities. In addition, no Party can require a service provider to use or lo-cate computing facilities in its territory as a condition for conducting business in the territory. Exceptions are permitted in order to achieve a legitimate public policy objective, pro-vided that the measure adopted is proportional to the objec-tive and the measure is not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.

Unsolicited Commercial Electronic Messages

Unsolicited commercial electronic messages (CEMs)—also known as spam—can be exploited to deliver malware, spy-ware, and other related network threats, which can undermine network security and privacy. The TPP Agreement requires each Party to adopt or maintain measures to minimize unso-licited CEMs, but provides each Party with flexibility on how to address the problem. A Party may either require organiza-tions that send CEMs to obtain prior consent from recipients or provide recipients with the ability to prevent ongoing re-ception of those messages (unsubscribe mechanism).

Canada’s current anti-spam legislation (“CASL”) meets (and far exceeds) the obligations under the Agreement. CASL generally requires both opt-in consent and an unsubscribe mechanism for CEMs, and sets out a myriad of disclosure and form requirements. It also implemented a strict enforce-ment regime.

Encryption

Encryption protects the security, confidentiality, and privacy of data by converting data (plaintext) into unreadable data (ciphertext) through the use of a cryptographic algorithm. The use of encryption technology is a major policy issue with technology companies adopting strong encryption for devices (full-disk encryption) and communications on the internet (end-to-end encryption) to ensure data security and protect user privacy. National security agencies and law enforcement allege, though, that the use of encryption undermines their ability to investigate criminals and terrorists, and are subse-quently pressuring technology companies (and lawmakers) to allow for access to decrypted data (“backdoors”).

Canadian Privacy Law Review

The Canadian Privacy Law Review is published monthly by LexisNexis Canada Inc., 111 Gordon Baker Road, Suite 900, Toronto, Ontario M2H 3R1, and is available by subscription only.

Web site: www.lexisnexis.ca Design and compilation © LexisNexis Canada Inc. 2016. Unless otherwise stated, copyright in individual articles rests with the contributors.

ISBN 0-433-44417-7 ISSN 1708-5446 ISBN 0-433-44418-5 (print & PDF) ISBN 0-433-44650-1 (PDF) ISSN 1708-5454 (PDF)

Subscription rates: $300.00 (print or PDF) $455.00 (print & PDF)

Editor-in-Chief:

Professor Michael A. Geist Canada Research Chair in Internet and

E-Commerce Law University of Ottawa, Faculty of Law

E-mail: [email protected]

LexisNexis Editor:

Boris Roginsky LexisNexis Canada Inc. Tel.: (905) 479-2665 Fax: (905) 479-2826 E-mail: [email protected]

Advisory Board:

● Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Toronto

● David Flaherty, Privacy Consultant, Victoria ● Elizabeth Judge, University of Ottawa ● Christopher Kuner, Hunton & Williams,

Brussels ● Suzanne Morin, Ottawa ● Bill Munson, Information Technology

Association of Canada, Toronto ● Stephanie Perrin, Service Canada, Integrity

Risk Management and Operations, Gatineau ● Patricia Wilson, Osler, Hoskin & Harcourt LLP,

Ottawa Note: This Review solicits manuscripts for consideration by the Editor-in-Chief, who reserves the right to reject any manuscript or to publish it in revised form. The articles included in the Canadian

Privacy Law Review reflect the views of the individual authors and do not necessarily reflect the views of the advisory board members. This Review is not intended to provide legal or other professional advice and readers should not act on the information contained in this Review without seeking specific independent advice on the particular matters with which they are concerned.


11

The TPP Agreement wades into this debate to en-sure that encryption policies are not obstacles to trade, particularly with respect to Information and Communication Technology (ICT) products. Under the Agreement, a Party is not permitted to require a manufacturer or supplier of a commercial product that uses encryption to transfer a decryption key to the Party or integrate a particular encryption in the product as a condition for conducting business in the territory.

However, there are a number of important excep-tions to this rule. First, the section does not apply to products used by a government entity. Second, the section does not preclude law enforcement authori-ties from requesting unencrypted communications pursuant to lawful authority (i.e., court order). Third, the section does not apply to investigations by financial market regulators. Finally, the section is subject to the Security Exception in Chapter 29 of the TPP Agreement that permits a Party to apply any measure that it considers necessary to maintain or restore international peace and security, includ-ing the protection of its own essential security interests.

The TPP Agreement demonstrates that with the growth in digital trade and electronic commerce, international trade and investment agreements will increasingly address privacy-related issues.

© Dentons Canada LLP

Is Canada Safe from the Safe Harbor Decision?

Europe’s highest court, the European Union Court of Justice (CJEU), released a decision on October 6, 2015,1 declaring invalid the EU Commission’s Safe Harbor program, which allowed for legal data trans-fers between the EU and the United States. With this decision, the CJEU takes a restrictive stance towards privacy rights, emphasizing that the EU regime requires compliance with a high standard of privacy protection. The declaration of invalidity significantly impacts companies that transfer EU citizens’ data to the United States. Although Canada was not a party to the Safe Harbor program, and data transfers from the EU to Canada are gen-erally permissible, the CJEU decision may have a ripple effect in Canada.

The Safe Harbor Program and Its Principles

In 1995, the EU passed the Data Protection Directive (European Directive), which establishes a uniform set of privacy laws that apply across Europe and also establishes guidelines to protect

Anca M. SattlerAssociate

Gowling Lafleur Henderson LLP

Lauren Crosby Articling Student


Wendy J. WagnerPartner



12

data as it moves between countries and outside of the EU jurisdiction. Specifically, the European Directive required that any country wishing to re-ceive EU citizens’ data must offer privacy protec-tion equivalent to the European Directive. According to the European Directive, the European Commission (EC) could suspend all personal data transfers to countries whose privacy regimes were deemed inadequate.

The United States did not have a national privacy regime that was considered sufficient to meet this EU requirement. However, in an effort to address concerns about data transfers between the EU and the United States, the U.S. Department of Commerce and the EC negotiated the Safe Harbor program,2 which allowed U.S. organizations to voluntarily im-plement a number of privacy principles agreed upon by the U.S. and EU, thus permitting lawful data transfers from the EU Member States to the U.S. while protecting personal data.

The Safe Harbor program required U.S. participat-ing organizations subject to the jurisdiction of the U.S. Federal Trade Commission and receiving per-sonal data about EU citizens to certify with the U.S. Department of Commerce that they adhered to the Safe Harbor protective policies. The stringent obli-gations of the Safe Harbor program included the following requirements:3

to submit a self-certification each year, attesting continuing compliance with the program;

to provide notice to users about the kind infor-mation being collected and the purpose for which it may be used;

to allow individuals to access the information to correct, amend, or delete that information where it is inaccurate and choose whether their infor-mation may be disclosed to third parties;

to ensure that adequate security protections are in place to protect against loss, misuse, and unau-thorized access to the information; and

to share that information with only those third parties that also uphold the Safe Harbor princi-ples or are themselves subject to EU law.

The Safe Harbor Was Recently Invalidated by the CJEU

The case of Schrems v. Data Protection Commis-sioner4 prompted the CJEU to review the EC’s Safe Harbor decision. The complainant, Maximillian Schrems, an Austrian citizen, brought a claim be-fore the Irish Data Protection Commissioner in rela-tion to Facebook’s Irish subsidiary transferring his personal information to Facebook servers in the U.S. Following the 2013 revelations about the prac-tices of the U.S. National Security Agency (NSA), Schrems claimed that the transfer of data to the U.S. Facebook servers was subject to surveillance by the NSA, and argued that the Safe Harbor pro-gram did not provide adequate protection against such surveillance. The Irish Commissioner refused to investigate Schrems’ claim, citing Facebook’s participation in the Safe Harbor program. Schrems challenged the Irish Commissioner’s decision, and the question was referred to the CJEU in June 2014.

The CJEU ruled5 that it alone had the jurisdiction to invalidate an act undertaken by the EU, while stressing that the national supervisory authorities still have independent powers to review the ade-quacy of protection of personal data under the Charter of Fundamental Rights of the European Union6 and the European Data Protection Directive.7 These national supervisory authorities have the power to examine findings on adequacy of privacy measures, with respect to complaints brought before them, in spite of the existence of the Commission Decision that a third country ensures adequate protection.

The CJEU was critical of the EC’s Safe Harbor de-cision, commenting that the EC was tasked with determining whether the U.S. domestic law and its international commitments offer a level of pro-tection of fundamental rights equivalent to that


13

guaranteed under EU law. Instead, according to the CJEU, the EC merely examined the Safe Harbor scheme, applicable only to self-certified individual organizations compliant in enacting the Safe Harbor principles, leaving out U.S. public authorities.

In addition, the CJEU noted that adherence to the program was limited by national security, public interest, and law enforcement requirements prevail-ing over the Safe Harbor scheme when these con-flict. Allowing the public authorities to have access “on a generalised basis” to the content of electronic communications left data potentially vulnerable, “compromising the essence of the fundamental right to respect for private life.” The far-reaching access powers of U.S. public authorities beyond the protective scope of Safe Harbor (i.e., mass surveil-lance by the NSA) were found by the CJEU to be incompatible with the principles under the EU Data Protection Directive or the EU Charter of Funda-mental Human Rights. Furthermore, the Court found that under the Safe Harbor program, EU citi-zens have no recourse to challenge the use or inter-ception of their data by the U.S. government, which “compromises the essence of the fundamental right to judicial protection.”

In light of the CJEU’s finding that the EC Decision on the Safe Harbor program was invalid, the Irish Commissioner must now re-examine whether the transfer of personal data from Facebook Ireland Ltd. to Facebook Inc. in accordance with Safe Harbor offers European users an adequate level of data protection. If Facebook Ireland Ltd. is found to have inadequate protective measures in place (through the use of Safe Harbor or otherwise), it may lead to the suspension of Facebook Ireland Ltd.’s transfers of personal data to its American counterpart.

In his letter to the Irish authorities,8 Schrems calls for the suspension of all data transfers from Facebook Ireland Ltd. to Facebook Inc., and an au-dit of Facebook Inc. and its sub-processors.

Schrems has since lodged additional complaints9 before the Belgian Privacy Commissioner and the German Data Protection Authorities in an effort to stop Facebook’s data transfers to the U.S.

In a statement10 following the October CJEU ruling, the EC announced it would consider a new Safe Harbor program with the U.S. to be completed by the end of January 2016. Failing such an agreement, the EU data protection authorities are to “take all necessary and appropriate actions” to ensure priva-cy of EU citizens’ data is protected. The statement sets out some alternatives that U.S. companies may be permitted to use now that Safe Harbour has been invalidated, such as standard contractual clauses and binding corporate rules. However, Schrems in-sists11 that a new Safe Harbor system between the U.S. and EU is irrelevant to his complaints, and calls on the EU data protection authorities to exam-ine his complaints regardless of such developments in the meantime.

What Does This Mean for Canada?

Canada’s enactment of its federal privacy law, the Personal Information Protection and Electronic Documents Act [PIPEDA],12 was motivated in part by the EU Data Directive. In 2002, the EU Commission determined13 that PIPEDA provides an adequate level of protection for the purpose of data transfers from the EU to Canada. Therefore, the Schrems decision should have no immediate impact on data transfer from the EU to Canada in circumstances where the transfer is made to an or-ganization that is subject to and compliant with PIPEDA.

However, it should be noted that in 2013, the Euro-pean Parliament’s Committee on Civil Liberties, Justice and Home Affairs called14 for a review of Canada’s privacy regime due to Canada being a member of the “Five Eyes Alliance”. It remains to be seen whether Canada’s PIPEDA will be chal-lenged before the European Court or national su-pervisory authorities of any EU member state on


14

the basis that it no longer provides adequate protec-tion for EU citizens’ data.

Given that the CJEU decision affects transfers of personal data from the EU to the U.S., it may have an impact on Canadian organizations that transfer, store, or host EU citizens’ data to or within the ter-ritory of the United States. Canadian organizations that engage in such practice will need to consider the use of alternative means that may offer an ade-quate level of protection to EU citizens’ data, such as the standard contractual clauses and binding cor-porate rules referenced above.

© Gowling Lafleur Henderson LLP ____________________ 1 See <http://curia.europa.eu/juris/document/

document.jsf;jsessionid= 9ea7d2dc30ddfa644cd0ad38451aaa55db2374e51290. e34KaxiLc3qMb40Rch0SaxuRchj0?text=&docid= 169195&pageIndex=0&doclang=EN&mode=req&dir= &occ=first&part=1&cid=555286>

2 See <http://eur-lex.europa.eu/LexUriServ/ LexUriServ.do?uri=CELEX:32000D0520:EN:HTML>.

3 See <http://export.gov/safeharbor/eg_main_018238.asp>. 4 See <http://curia.europa.eu/juris/document/

document.jsf?docid=169195&doclang=EN>. 5 See <http://curia.europa.eu/juris/document/document.

jsf;jsessionid=9ea7d2dc30ddfa644cd0ad38451aaa55db2374e51290.e34KaxiLc3qMb40Rch0SaxuRchj0?text=&docid=169195&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=555286>.

6 See <http://www.europarl.europa.eu/charter/pdf/ text_en.pdf>.

7 See <http://www.refworld.org/docid/3ddcc1c74.html>. 8 See <http://www.europe-v-facebook.org/comp_fb_ie.pdf>. 9 See <http://www.europe-v-facebook.org/prism2_en.pdf>. 10 See <http://www.cnil.fr/fileadmin/documents/

Communica-tions/20151016_wp29_statement_on_schrems_ judgement.pdf>.

11 See <http://www.europe-v-facebook.org/comp_fb_ie.pdf>. 12 S.C. 2000, c. 5. 13 See <http://eur-lex.europa.eu/legal-content/en/

ALL/?uri=CELEX:32002D0002>. 14 See <http://www.statewatch.org/news/2014/jan/

ep-draft-nsa-surveillance-report.pdf>.

Online Trust Alliance Issues Revised Draft “Trust Framework” for the Internet of Things

By some estimates, there were more than two wire-less networked devices for every person on the planet in 2014. The multiplier is expected to reach five by the year 2020. In the recent 2015 holiday period alone, 50 million new connected devices were predicted to be sold.

This explosive proliferation of networked technolo-gy offers remarkable opportunities but also inspires concern that the connected future may result in ubiquitous, inescapable surveillance of every aspect of our lives. Legislators and regulators around the world are grappling with the implications of this technology for the ability to protect personal priva-cy interests and the practical problems of applying legal regimes originally developed in a very differ-ent era.

Against this backdrop, the Online Trust Alliance (OTA), a U.S.-based organization with the goal (among other things) of advancing best practices to “enhance online safety, data security, privacy and brand protection”, has been working to develop a “Trust Framework” for the Internet of Things.

This framework is intended to set out guiding prin-ciples for connected home and wearable devices. It is conceptually based on the “Fair Information Practice Principles” (FIPPs) that underlie privacy law in many jurisdictions, including Canada.1

An initial discussion draft was issued in August 2015. This was followed by a consultation period.

Keith Rose Associate McCarthy Tétrault LLP


15

The OTA issued a “last call” draft in October and followed up with a revised “pre-release” draft on December 3, 2015.

Although the current draft is described as “pre-release”, the OTA’s consultation and development process for the framework appears to be over. The organization seems to be turning its attention to im-plementation and adoption. It plans to develop a voluntary code of conduct and certification pro-gram, based on the framework.2

The current framework covers two categories of products: “1) home automation and connected home products, and 2) wearable technologies, lim-ited to health & fitness categories”. It consists of 30 numbered specifications (some of which seem to themselves consist of more than one obligation), which are classified as either “required” or “rec-ommended” for each of the two scope categories. The draft has been structured to allow a given spec-ification to be required for connected home devices, but only recommended for wearable devices, or vice versa; but currently the classifications are iden-tical for both scope categories.3

Some of the requirements are technical in nature, such as using transport encryption and enabling email authentication protocols. Others deal with business practices, such as support periods and end-of-life practices. Still, others intersect more directly with privacy and other legislation.

For example, item #16 requires organizations to

[e]nsure privacy, security and support policies are easily discoverable, clear and readily available for review prior to purchase, activation, download or enrollment.

This is broadly consistent with Canadian privacy law. For example, PIPEDA principle 4.8.1 provides as follows:

Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

But there are some important differences. While item #22 of the Trust Framework suggests that it is sufficient to “clearly and objectively” explain the consequences of declining to consent to a privacy policy, Canadian law goes farther. An organization may not make supply of a product or service condi-tional on such consent unless that consent is “re-quired to fulfil the explicitly specified, and legitimate purposes”.4

Similarly, item #23 of the Trust Framework re-quires that organizations do as follows:

Only share consumers’ personal data with third parties with consumers’ affirmative consent, unless required and limited for the use of product features or service operation. Require third party service providers are held to the same polices including holding such data in confidence and notification requirements of any data loss/breach incident and/or unauthorized access.

Canadian law similarly requires controls on third parties and service providers when personal infor-mation is shared. But Canadian law has distinct tests for (1) when consent is required, and (2) when opt-out vs. opt-in consent models may be applied.

Generally, the Trust Framework is at least concep-tually aligned with the applicable Canadian legal principles, since both derive from the same underly-ing FIPPs. But vendors and manufacturers cannot assume that compliance with the Trust Framework will result in compliance with Canadian laws. The Trust Framework provides practical guidance, not legal advice.5

However, there is one specific point of potential conflict that vendors should take note of (albeit not one arising from privacy law, per se). Item #5 re-quires organizations to

Remediate post product release design vulnerabilities and threats in a publically responsible manner either through remote updates and/or through actionable consumer notifications, or other effective mechanism(s).

Manufacturers and vendors must note that remote activation and “push” updates could easily run afoul of the prohibition on installation of software


16

without consent in Canada’s anti-spam law (com-monly known as “CASL”). Manufacturers and ven-dors should be very careful to ensure they understand these consent requirements, because failure to comply can result in exposure to adminis-trative monetary penalties of up to $10 million per violation.

© McCarthy Tétrault LLP

1 For example, a version of the FIPPs comprises Schedule 1

to the Personal Information Protection and Electronic Documents Act [PIPEDA], S.C. 2000, c. 5.

2 See, e.g., the “What’s Next?” slide in the OTA’s Congres-sional Staff Briefing dated November 19, 2015.

3 A “not applicable” class is also contemplated, but not used, in the current draft. Presumably, this would allow the framework to be extended to other product categories in a modular fashion.

4 See, e.g., PIPEDA, supra note 1, principle 4.3.3. 5 The lead-in text to the current draft now expressly notes that

“compliance with the framework and specification does not mean compliance with the law and/or regulations”.

INVITATION TO OUR READERS

Do you have an article that you think would be appropriate

for Canadian Privacy Law Review and that you would like to submit?

Do you have any suggestions for topics you would like to see featured

in future issues of Canadian Privacy Law Review?

If so, please feel free to contact Michael A. Geist

@[email protected]

OR

[email protected]