You likely believe that your organization’s data – operating, financial, human resources – is a key resource and you have policies and processes in place to mitigate any risk.
Whether or not your organization operates in just one province, or just within Canada, you should understand that the principles and guidelines of data management are not grounded in geographic jurisdiction. Data management, and the security and privacy of that data, is a global issue.
Goodbye Safe Harbor
In October 2015, the “Schrems” decision by the European Court of Justice ruled that the “Safe Harbor” structure between the US and the European Union (EU) is invalid.1
The US has no federal privacy law (a source of serious concern to many organizations), and Safe Harbor was the means by which US-based firms could previously get blanket approval regarding the movement of personal data, including HR data, between the US and all EU member countries.
This decision is a direct result of the considerable suspicion of the global community regarding the extent of US government surveillance of personal information (via The Patriot Act, and others). The US’s National Security Agency (NSA) has taken the position that non-US citizens have no rights regarding an expectation of privacy.
Further, US law requires US-based organizations to comply with surveillance orders, so the concept of data privacy becomes almost moot.2
US Swarm Regulation
The lack of countrywide legislation in the US has spawned an industry-based approach to the regulation of data privacy.
Companies face multiple state and federal regulators on an industry-to-industry basis, producing an ever growing swarm of regulation that is simultaneously inconsistent, conflicting, and full of gaps. Major US-based technology companies (Apple, Microsoft, and Google, to name three) have been outspoken about this problem since diverse legislation is both frustrating and costly.3
Hello EU/US Privacy Shield
Schrems fired a shot across the bows of the US intelligence and business communities by opening the door for each European country to apply its own regulations for organizations moving personal data to the US, and possibly forcing organizations to host personal data exclusively within Europe. It also created the foundation for a pan-European General Data Protection Regulation (GDPR) that takes full effect in 2018.
On February 4, 2016, the European Commission and the United States announced a new framework agreement for transatlantic data flows: the EU-US Privacy Shield. It is intended to protect the fundamental right of privacy of European citizens while at the same time providing legal certainty for the thousands of US-based businesses that serve them.
As always, the devil will be in the details and the evolution of the full draft complete with regulations will be of considerable interest through the remainder of 2016.
The good news is that (so far) Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been considered adequate to protect personal privacy, and an agreement similar to Safe Harbor has been unnecessary.
But the Canadian Communications Security Establishment (CSE), the lesser known of Canada’s two spy agencies, which focuses on electronic surveillance, may give rise to concern as well.
The Canadian Anti-terrorism Act gave the CSE expanded use of electronic surveillance, authorizing it to intercept foreign communications that begin or end domestically, as long as one party is outside Canada. CSE shares information with intelligence agencies in the so-called “Five Eyes” group of countries — namely the US, UK, Australia, New Zealand and Canada. The European Union’s success in challenging the NSA could easily mean that attention shifts to the CSE.
Canadian Model Leads the Way
The EU/US Privacy Shield announcement includes an Ombudsman-style redress mechanism similar to Canadian Federal and Provincial Privacy Commissioners.
This may be one of the more interesting aspects of the agreement as it seems to mean that the US could FINALLY, actually create some form of “Privacy Czar” (a.k.a. office of data protection or privacy).
Global Data Management Rules
History has shown us that concepts and laws in one jurisdiction rapidly spread. Recall the 2002 advent of the US’s Sarbanes-Oxley (SOX) Act regarding securities and financial controls. That law almost immediately spawned corresponding Canadian legislation.
Data management legislation will likely closely follow SOX in significantly increasing the legal responsibilities of executive management with regard to the privacy and security of personal data. Organization policies and procedures will follow directly. This strikes a major blow against organizations that try to consolidate data into an effective and efficient single database (look out Big Data!!) and creates enormous uncertainty surrounding global data management.
If your organization’s operations transcend national borders, the challenge will be to construct a data privacy and security strategy, as well as processes that maximize data utility and minimize risk of loss or misuse.
The growth of technology and the impact on data management has spread like an epidemic across the world and the concept of national boundaries has become largely meaningless. Expecting that a national border will change the nature or flow of data is as realistic and probable as expecting it to stop the spread of the flu. In that regard, the EU-US Privacy Shield is a positive step in the global data management challenge since it helps provide some structure to the swarm reality of the US’s current approach.
Data sharing can’t be taken for granted any more. Companies and their cloud providers are more responsible than ever for data sovereignty, and this responsibility is only going to increase when the European General Data Protection Regulation (GDPR) is adopted, leaving organizations with a two-year time limit to comply. The penalties for wrongdoing are well publicized and severe for companies that fail to adapt to the new data privacy landscape.4
Canada-US Data Management Challenges
Data management challenges are not limited to privacy and security. Canadian users of services such as Netflix or Apple’s iTunes will have experienced the frustration of Canadian licensing laws limiting access to content. These laws are as much based on nationality as on geography. For example, a Canadian in the US cannot buy US content if the devices being used for access are linked to Canadian IP addresses or cell-phone carriers. Meanwhile the data flows illegally across the border through a variety of innovative technical end-arounds.
Individual consent seems to be increasing in importance although that process is the most administratively burdensome, in part because it can be revocable, and because adequate tools to manage that process are in very short supply.
That places pressure on a variety of management activities – such as business analytics – which will clearly be affected by the trend to recognize individuals’ notice rights, including third-party protection (naming names), retention periods, the right to be forgotten, purpose and transfers.
Trying to analyze and act on collective data will be very complex. For example, profiling based on sensitive data can only be done with explicit consent.
International agreements to deal with these realities are expected.
About the Author
Ian Turnbull is a Director of The Canadian Privacy Institute, formerly a subsidiary of Laird & Greer Management Group Corp. A former Chair of the Canadian Council of Human Resource Associations (CCHRA) and of the International Association of Human Resource Information Management (IHRIM), his latest book (Carswell 2014) is HR Manager’s Guide to Managing Information Systems. Ian has a BA and MBA from Western University (The University of Western Ontario) and obtained his professional human resource designation, the CHRP, in 1992.
1 The author gratefully acknowledges the early reporting and ideas of Jon Neiditz of Kilpatrick Townsend & Stockton of Atlanta GA, US, and Kevin Duggan, President & CEO of Camouflage Software.
2 Roberts, D. & Ackerman, S. (2013, June 7). Anger swells after NSA phone records court order revelations. Retrieved February 7, 2016, from http://www.theguardian.com/world/2013/jun/06/obama-administration-nsa-verizon-records.
3 Neiditz, J. (2015, November 14). No Harm, Big Foul: Why Yesterday’s LabMD Decision is Stunning and Important. Retrieved February 12, 2016, from http://datalaw.net/no-harm-big-foul-why-yesterdays-labmd-decision-is-stunning-and-important/.
4 Help Net Security. (2014, March 17). EU sets huge fines for firms who violate users’ privacy. Retrieved February 22, 2016, from https://www.helpnetsecurity.com/2014/03/17/eu-sets-huge-fines-for-firms-who-violate-users-privacy/.