Archived—The Trilateral Committee on Transborder Data Flows 2010 Update

Archived Information

Archived information is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.


If the following document is not accessible to you, please contact us to obtain other appropriate formats.


PDF Version, 66 KB, 6 pages


Overview

The Trilateral Committee on Transborder Data Flows (Committee) was established in 2008 to further the goals of the Security and Prosperity Partnership of North America (SPP). The SPP was launched by the leaders of Canada, Mexico and the United States to provide a means for dialogue, priority setting, and action on issues affecting the security, prosperity and quality of life of Americans, Canadians, and Mexicans. The Committee's work is led by Industry Canada, the Ministry of Economy in Mexico, and the Department of Commerce and Federal Trade Commission in the United States and supports the goals of the North American Leaders Summit agenda.1

The Committee held its inaugural meeting in Washington, DC in September 2008 and held subsequent meetings and stakeholders' fora in Mexico and Canada in 2009. The stakeholders' meetings included members of each country's government, business community, civil society and academia. The fora were designed to facilitate dialogue among stakeholders to identify and address impediments to electronic information flows across borders that affect not only day-to-day operations within businesses, but also the marketplace and the overall North American economy. In addition to these stakeholders' meetings, the Committee surveyed the business community in each country regarding the costs of impediments to transborder data flows. Industry Canada also commissioned a macro-economic study on the impact of transborder data flow restrictions on the Canadian economy.

2010 Update

In January 2010, the Committee finalized its report on the findings of its consultation sessions and research process. The report describes trends, benefits of, and impediments to transborder data flows throughout North America. It also presents a series of recommendations to address the issues raised by stakeholders. These recommendations focus on the need to: 1) clarify and bolster industry awareness of the data privacy frameworks in each country, both at the national and sub-national levels, and 2) consult regularly on impediments to data flows in North America and possible solutions for addressing these challenges.

Over the course of 2010, the Committee's goals and recommendations have been furthered by significant examinations of or changes to the privacy policy frameworks in the three participating countries. Both Canada and the United States are examining their domestic commercial privacy frameworks to determine how they might be improved and better support trade and innovation. Mexico passed comprehensive commercial data protection legislation in 2010 to achieve these same goals. These efforts have been coupled with increased outreach to the business community regarding privacy frameworks in each country. This joint update provides an overview of this work and how it has furthered the Committee's goal of reducing barriers to transborder data flows that affect economic growth.

Canada

In 2010, Canada introduced two significant pieces of legislation to further enhance the Canadian framework on e-commerce.

1) Canada's Anti-spam Legislation was passed on December 15th, 2010.

This law addresses the legislative recommendations of the Task Force on Spam, which brought together industry, consumers and academic experts to design a comprehensive package of measures to combat threats to the digital economy. The new act is part of the regulatory framework to protect electronic commerce in Canada and will be enforced by three organizations:

  • The Canadian Radio-television and Telecommunications Commission will be able to investigate and take action by imposing administrative monetary penalties if needed, against the unauthorized sending of commercial electronic messages, the altering of transmission data, and installing a computer program with computer systems and networks without consent.
  • The Competition Bureau will address misleading and deceptive practices and representations online, including false or misleading headers and website content.
  • The Office of the Privacy Commissioner will be able to take measures against the collection of personal information via access to a computer and the unauthorized compiling or supplying of lists of electronic addresses.

More detailed information of the new legislation is available at http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00567.html

2) Bill C-29 – Safeguarding Canadians' Personal Information Act

Amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) were tabled in Parliament on May 25, 2010 for the approval process. These amendments were proposed in response to the first statutory review of the Act by Parliament which took place in 2006/2007. The amendments aim to better protect and empower consumers, clarify and streamline rules for business and enable effective investigations by law enforcement and security agencies. Major proposed amendments include: 

  • Introducing new requirements for organizations to report material breaches of information security safeguards and to notify affected individuals and organizations
  • Enhancements to the consent provisions of the Act to further protect the personal information of minors
  • Increased flexibility for organizations to share necessary information to conduct investigations

More detailed information of the proposed amendments is available at http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00571.html

Mexico

1) Federal Personal Data Protection Law

The Federal Law on Protection of Personal Data held by Private Parties was published in the Official Gazette of the Federation on July 5th 2010. This Law is mandatory and for general observance in all Mexico. It has as its purpose the protection of personal data held by private parties, to regulate its lawful, controlled, and informed processing, in order to guarantee privacy and the right to informational self-determination of all persons.

With the publication of this law, Mexico has a legal basis to promote commercial data flows, nationally and internationally, highlighting the following benefits:

  • economies of scope
  • increased trade in ICTs and services
  • access to knowledge
  • increase in productivity
  • opportunity for international growth
  • access to new products and services

2) Workshop: "Competitiveness through the protection of personal data"

On November 8th 2010, the Ministry of Economy through the Digital Economy Office, held an event entitled "Competitiveness through the protection of personal data," to promote the importance of personal data protection to economic activity and discuss how to implement best practices within the business community. The event featured four topics, which were discussed by experts in these matters:

  • "Privacy notice models": The discussion focused on the elements that the privacy notices must contain at a minimum (Article 16 of the Law), according to the commercial purposes of the personal data collection.
  • "Mechanisms of self-regulation": Experts discussed the best business practices regarding self-regulation for personal data protection (Article 44 of the Law), in order to promote mechanisms such as trustmarks and codes of ethics.
  • "Treatment of personal data and its security": With regard to Articles 12 and 19 of the Law, experts discussed the business practices used to manage data in accordance with the purposes indicated in the privacy notice and the security measures that ensure proper protection of personal data.
  • "The importance of international flows of personal data": With reference to Article 36 of the Law, experts discussed the importance of international flows of personal data to companies; as well as the importance of international cooperation on the topic.

Considering that the Federal Law on Protection of Personal Data held by Private Parties applies to all economic activities, companies from different sectors participated in this workshop, including: financial, academic, automotive, consulting, health, logistics, international, food, insurance, BPO, government, legal, and aeronautics representatives.

3) Publication of the regulations of the Law

According to the second transitory article, the Federal Executive Branch will issue the regulations implementing this Law within one year from its entry into effect. (July 2011)

The draft regulations are being developed with the participation of other Ministries identified as regulators and the Federal Institute for Access to Information and Protection of Personal Data, as well as by the Ministry of Economy, which has been considering the concerns expressed by the private sector.

4) Launch of Ministry of Economy portal on personal data

http://www.edigital.economia.gob.mx/datos%20personales.htm
At the beginning of 2010, the Personal Data Protection Website was made available to share information on the background, economic importance, and publication of the Law.

In addition, the Ministry of Economy is working to reach out to the business community in order to share information on the application of the Law and solicit questions to answer on the Website.

United States

Below is a description of privacy-related efforts undertaken by the Department of Commerce and Federal Trade Commission over the past year that support the goals of the Trilateral Committee.

Department of Commerce

1) Creation of Department of Commerce Internet Policy Task Force

On April 21, 2010, the Department of Commerce announced the creation of an Internet Policy Task Force to identify leading public policy and operational challenges in the Internet environment. Over the past year, the Task Force has worked to identify and offer recommendations to address these challenges in a way that supports the U.S. private sector's ability to foster economic and job growth through the Internet. The Task Force has focused its work on privacy, cybersecurity, copyright protection, and global free flow of information. While the Task Force's privacy initiative has been its first order of business, both the privacy work and its work on free flow of information have furthered the goals of the Trilateral Committee.

2) Notice of Inquiry on Privacy and Innovation

On April 23, 2010, the Internet Policy Task Force published a notice of inquiry in the Federal Register seeking public comment from all Internet stakeholders on the impact of current privacy laws in the United States and around the world on the pace of innovation in the information economy, including their effect on the free flow of information across borders. In response to its inquiry, the Task Force received 72 formal comments from stakeholders in the business community, academia, and civil society.

3) Public Symposium on Privacy and Innovation

On May 7, the Department held a public symposium in Washington, D.C. to facilitate additional public discussion on domestic and global privacy policy. Panel topics included: a) Global Internet Commerce and Free Flow of Information, b) Privacy, Innovation and Global Trade, c) Privacy Frameworks and Innovative Uses of Personal Information, d) Innovations in Transparency and Choice, and e) Privacy on the Ground.

4) Department of Commerce Green Paper

On December 16, 2010, the Department of Commerce issued a green paper detailing initial policy recommendations aimed at enhancing consumer privacy online, while ensuring the Internet remains a platform that spurs innovation, job creation, and economic growth. The green paper's recommendations further the Trilateral Committee's goals to clarify and bolster industry awareness of data privacy frameworks and to encourage greater collaboration to address issues affecting transborder data flows between countries. Key recommendations include:

  • Establish Fair Information Practice Principles as baseline protection for online consumers
  • Encourage the development of enforceable privacy codes of conduct in specific sectors; Create a privacy policy office in the Department of Commerce
  • Encourage global privacy policy interoperability; Enhanced international collaboration
  • Consider how to harmonize disparate state security breach notification rules

The green paper is available at http://www.ntia.doc.gov/internetpolicytaskforce. Comments on these recommendations were due by January 28, 2011, and are also available on the Internet Policy Task Force website (noted above).

Federal Trade Commission

During 2010, the Federal Trade Commission (FTC) remained very active in consumer privacy issues. It continued its law enforcement efforts, educated consumers and businesses, and continued its role as a thought leader on policy issues relating to privacy.

1) Enforcement Activities

In the past year, the FTC's enforcement activities included actions against Rite Aid Corporation, a large national pharmacy retailer, for failing to protect prescription and employment information, and against the social media service Twitter, for deceiving customers by failing to honor their choices to designate certain "tweets" as private.2

2) Consumer and Business Education

The FTC continued to educate both businesses and consumers on privacy and data security. For example, the FTC widely distributed a brochure, Net Cetera: Chatting with Kids About Being Online, specifically designed for children, parents, and teachers to help kids stay safe online.3 The FTC also launched a new online "business center" that gives business owners, attorneys, and marketing professionals the tools they need to understand and comply with consumer protection laws, rules, and guides the FTC enforces.4 Guidance on how to comply with privacy-related laws and rules are featured on this web portal.

3) Privacy Public Consultation

In the policy realm, the FTC spent the past year engaging in a public consultation project to consider how the U.S. domestic commercial data privacy framework could be improved. This consultation included three public roundtables that brought together a broad array of stakeholders to examine the privacy challenges posed by emerging technology and business practices.

4) Privacy Staff Report

Based on the discussions at these events, as well as the written submissions the FTC received in connection with the consultation, on December 1, 2010, the FTC issued a preliminary staff report that proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services.5

The report makes a number of recommendations, including the following: (a) companies should adopt a "privacy by design" approach by building privacy protections into their everyday business practices; (b) consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions; and (c) information practices should be more transparent to consumers and consumers should be allowed reasonable access to the data companies maintain about them, particularly for non-consumer facing entities such as data brokers.

The proposed report also suggests implementation of a "Do Not Track" mechanism – likely a persistent setting on consumers' browsers – so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities. The report seeks public comment on the proposals made and the FTC staff expects to issue another report in 2011 based on comments received.


1 The North American Leaders Summit is an annual summit which brings together the heads of government from Canada, Mexico and the United States to discuss issues of mutual concern, including the global economy, energy and climate change, security and safety, and health pandemics. (Back to reference 1)

2 Rite Aid Corp., No. 072-3121, 2010 WL 3053863 (F.T.C. Nov. 12, 2010) (consent order); and In re Twitter, Inc., No. 092-3093, 2010 WL 2638509 (F.T.C. June 24, 2010) (proposed consent order). (Back to reference 2)

3 See Press Release, FTC, OnGuardOnline.gov Off to a Fast Start with Online Child Safety Campaign (Mar. 31, 2010), http://www.ftc.gov/opa/2010/03/netcetera.shtm. (Back to reference 3)

4 See Press Release, FTC, New Business Center Can Help Boost Compliance with FTC Law (Nov. 5, 2010<), http://www.ftc.gov/opa/2010/11/businesscenter.shtm. (Back to reference 4)

5 See Press Release, FTC, FTC Staff Issues Privacy Report Offers Framework for Consumers, Businesses, and Policymakers (Dec. 1, 2010), http://www.ftc.gov/opa/2010/12/privacyreport.shtm. (Back to reference 5)