Interview with Theo Ling
August 2003
Learn more about Baker and McKenzie
Terry McQuay, Nymity's President, recently spoke with Theo Ling, a partner with Baker & McKenzie, Toronto, regarding PIPEDA and its relevance to international privacy legislation. Theo leads the firm's Canadian Information Technology / Communications Practice and is a member of the firm's Global Business Trade & Technology Group Steering Committee. His practice focuses on advising local and multinational technology-based clients on issues relating to computer and technology law, including telecommunications, Internet and privacy law matters.
Nymity: Theo, will an organization complying with PIPEDA meet compliance standards around the world?
Ling: They will certainly meet many of the standards, but by no means all. Some jurisdictions, most prominently European jurisdictions, require either higher or different standards of privacy and data protection than those contained under PIPEDA. For instance, in France an employer cannot monitor employees' private email communications. In many countries all databases containing personal information must be registered with a local data protection authority.

When discussing privacy, it has to be stressed that compliance is no longer an option. Many regulators, both in North America and overseas, have recently taken an aggressive approach to enforcement.
Nymity: Will compliance with PIPEDA mean compliance with US privacy legislation?
Ling: Again, the answer is "No". The U.S. has taken a very different approach to privacy, characterized by sectoral and state regulation rather than enacting a more comprehensive privacy law, such as PIPEDA. Privacy standards in the U.S. are in many respects less onerous than those found under PIPEDA. The U.S. regime, however, is much more complex, with regulation being developed by all three levels of government (federal, state and, in some cases, municipal) as well as by various industry associations.
Nymity: You have indicated that there is a significant increase in enforcement activities by data protection authorities around the world. Please explain.
Ling: Right after the introduction of privacy regulation, data protection and privacy authorities concentrated their efforts on education. We have seen in the last year or two a definite shift from education to enforcement, in particular in some EU member states as well as in Canada and the U.S. For instance, penalties for privacy violations have been up to half a million U.S. dollars in Spain; data protection authorities in Finland recently arrested and imprisoned executives of the country's largest telecommunications operator for violation of privacy; and in the U.S. an investigation of Microsoft's privacy practices relating to its .NET Passport authentication service has resulted in very substantial compliance costs to that company.
Nymity: As an organization subject to PIPEDA, can I freely receive personal information from an EU member state?
Ling: If you are an organization that falls under PIPEDA's jurisdiction (until January 1, 2004, it is mostly federally regulated entities, such as banks, telecommunications, interprovincial transportation, etc.), personal information can be sent to you from the EU-based entity relatively freely. Canada is one of very few jurisdictions that have received a so-called "adequacy" finding from the EU, meaning that our federal law is considered by the EU to provide sufficient privacy protection.
Nymity: When should a company develop a global business strategy for privacy compliance?
Ling: The answer is relatively simple. If a company has operations in multiple jurisdictions, it will sooner or later have to address privacy issues. In our experience, a global, well-thought-through, strategic approach to privacy compliance will prove to be more effective, less costly and, perhaps most importantly, less risky than addressing privacy in an ad hoc fashion.
Nymity: What is the process for developing a global privacy compliance program?
Ling: It differs depending on the organization. Some companies may only have HR-related privacy issues (e.g., some manufacturing businesses that cater to corporate clients only). On the other hand, companies that deal directly with individual customers will need to focus on issues specific to their business. In our view, the key to a successful privacy program is a clear understanding of both legal and other types of regulatory obligations as well as the internal personal information handling practices. Having said that, all privacy compliance programs will have a number of common elements. They include some type of internal practices audit; the appointment of a privacy officer and a privacy working group; the analysis of legal and other types of obligations (such as industry codes); identifying areas of concern; developing a privacy statement/policy for the organization; drafting of procedures and relevant contractual clauses; training of key employees; and implementation of the privacy program.
Nymity: Should a company comply with PIPEDA first, or start with a global privacy compliance program?
Ling: It depends on when the company decides to take action leading to full compliance. As mentioned before, in our experience, a larger global company may wish to address privacy compliance in a global manner, making it largely consistent throughout its operations and simpler for employees to follow.
Nymity: What are the risks of non-compliance? How seriously should an organization view global privacy legislation?
Ling: As I have already mentioned, the risks have become increasingly high, not only in terms of enforcement but also with respect to how negative publicity may affect company reputation. We have all heard about Air Canada or Microsoft privacy issues. On the other hand, organizations that have implemented strong privacy programs often use them as a way to distinguish themselves from competitors and promote themselves as transparent and trustworthy organizations.