Personal information protection - Additional text proposal

Joint statement on electronic commerce
Communication from Canada

The following communication, dated 16 October 2020, is being circulated at the request of the delegation of Canada.

1. Context

• 1.1. Canada’s concept paper (INF/ECOM/39 dated 4 September 2019), Preventing the use of Personal Information from being used for the Discrimination or Persecution of Natural Persons, put forth an idea for Members’ consideration that governments commit to not using personal informationobtained from private organizations for the purposes of discriminating against or persecuting natural persons. As part of this concept paper, Canada provided sample text for a potential trade commitment to inform discussions with Members.
• 1.2. Taking into account Members views expressed through numerous bilateral discussions over the past year, Canada proposes the following additional three paragraphs, to be read under its existing proposed article on Personal Information Protection. Canada reserves the right to revise or propose additional elements and/or provisions to this proposal and it is made without prejudice to changes in Canada's position, including on scope, modalities, and legal architecture.

2. Details of new paragraphs

• 2.1. The first new paragraph X.1., is similar to the sample text provided through our concept paper, but refers to targeted discrimination on manifestly wrongful grounds. This is wording which has been used in the past under Investment chapters of our free trade agreements, including our Comprehensive and Economic Trade Agreement (CETA) with the European Union. This paragraph also includes a non-exhaustive list of the wrongful grounds of discrimination, which as explained last year when presenting our concept paper, is adapted from the International Covenant on Civil and Political Rights, but which includes additional wrongful grounds, such as medical status, or disability. One key difference between this paragraph and the sample text provided in last year’s concept paper is that we intend for the General Exceptions to apply to such an obligation, a decision which was based upon extensive domestic consultations, as well as bilateral discussions held with other Members.
• 2.2. Paragraph X.2. is proposed as a soft obligation (shall endeavour) for governments to protect the personal information disclosed to them by enterprises. Canada considers this to be complimentary to paragraph X.1., in that government authorities should at a minimum, be seeking to protect this type of information against, for example, loss or theft, and unauthorized access, as this speaks to the confidence a company has, and subsequently its users have, that their personal information will be protected when disclosed to governments. The reason however we are proposing this be read as a soft obligation is that Canada recognizes that unauthorized access can occur, for example through security hacking, despite best efforts by governments.
• 2.3. Paragraph X.3. is another obligation which compliments paragraph X.1. well, in that it prevents governments from using this personal information that is disclosed to them by enterprises, in a manner which can reasonably be expected to cause an individual “significant harm” (a term defined below). Of note, Canada also proposed the footnote attached to paragraph X.3., which excludes instances of public disclosure of such personal information for the purposes of legitimate law enforcement activities. For example, if a government authority discloses the name of an individual as a suspect through the course of a law enforcement investigation, it can be reasonably expected this person could suffer significant harm as defined (example, damage to reputation), but we do not intend to prevent this type of scenario from occurring as we recognize there to be valid grounds for disclosing such personal information publicly. We consider this footnote to provide additional flexibility beyond the General Exceptions, provided such public disclosure is not performed in a manner that contravenes paragraph X.1. With this linkage, we are seeking to prevent a scenario whereby a government authority could indirectly discriminate against an individual by citing the footnote to paragraph X.3. upon releasing that individual’s name publicly.
• 2.4. All of these additional proposed paragraphs are intended to support the consumer and business confidence and trust component of our work, a theme Canada has noted in the past as being an important piece to supporting the digital economy under this initiative. In the past, Members have also spoken about how to ensure the free flow of data across borders, while accounting for things such as privacy. Canada sees these additional paragraphs as enabling just that, obligations upon our respective governments that we, in effect, not misuse personal information that is disclosed to our authorities by an enterprise. By taking on such obligations, enterprises may have more confidence that governments will protect the personal information of their users when subject to requests for such information. Meanwhile, the users themselves, whose personal information is being shared, may have more confidence that their personal information will not be used against them when disclosed to government authorities.
• 2.5. Canada recognizes that the scope of its text proposal would also require amendment, per below, so that information held or processed by or on behalf of a Party, is captured by paragraphs X.1., X.2., and X.3., of Canada’s text proposal. 
• 2.6. Finally, as noted in our concept paper last year, these types of obligations do not prevent government authorities from requiring companies to disclose personal information of private organizations’ users or customers for lawful purposes.
• 2.7. Canada looks forward to the next opportunity to engage with Members on this text proposal, whether in formal meetings or bilaterally, and welcomes any suggestions or questions.

Text proposal

Existing definitions relevant to this article

• Enterprise means an entity constituted or organized under applicable law, whether or not for profit, and whether privately or governmentally owned or controlled, including a corporation, trust, partnership, sole proprietorship, joint venture, or other association;
• Personal information means any information, including data, about an identified or identifiable natural person;

Additional definition proposal

• Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Annex 1: (4) Scope (Page 84 – Stocktake text)

Addition of text in bold:

4. This Agreement does not apply to, except for paragraphs X.1., X.2., and X.3. of Article C.2.(1) (Personal Information Protection), information held or processed by or on behalf of a Party, or measures related to that information, including measures related to its collection; or

C.2. Privacy: (1) Personal information protection (Page 45 – Stocktake text)

Additional Text Proposal:

X.1. No Member shall use the personal information of natural persons obtained from enterprises operating within their jurisdiction in a manner which constitutes targeted discrimination on manifestly wrongful grounds such as race, colour, sex, sexual orientation, gender, language, religion, political or other opinion, national or social origin, property, medical, birth, or other status, genetic identity, age, ethnicity, or disability.

X.2. Each Member shall endeavour to ensure that any personal information disclosed to a government authority by an enterprise is protected against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.

X.3. Each Member shall ensure that any personal information disclosed to a government authority by an enterprise is not accessed, disclosed, used or modified by a government authority in a manner that can reasonably be expected to cause significant harm to a natural person. [FN]

FN: For greater certainty, the public disclosure of personal information that can reasonably be expected to cause significant harm does not constitute a violation of this obligation provided that it is not inconsistent with paragraph X.1. of this Article and that it is done for the purposes of legitimate law enforcement activities, judicial proceedings, compliance with regulatory requirements, or national security.