<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; OECD</title> <atom:link href="http://www.cippguide.org/tag/oecd/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Thu, 09 Feb 2012 12:00:48 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>Adequacy in the EU Data Protection Directive</title><link>https://www.cippguide.org/2011/09/27/adequacy-in-the-eu-data-protection-directive/</link> <comments>https://www.cippguide.org/2011/09/27/adequacy-in-the-eu-data-protection-directive/#comments</comments> <pubDate>Tue, 27 Sep 2011 12:00:33 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[adequacy]]></category> <category><![CDATA[COE Convention]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[OECD]]></category> <category><![CDATA[Safe Harbor]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2657</guid> <description><![CDATA[This article takes a look at the European Commission’s Directive on Data Protection (95/46/EC), and the establishment of the adequacy requirement, which prevents Member States from transferring data to a third country unless the third country ensures an adequate level of protection. The article also explores certain related concepts, including the Working Party and data/information embargoes. Finally, the article takes a look at the US data protection approach and its ability to meet the EC’s adequacy standard. [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://www.cippguide.org/tag/european-union-data-protection-directive/">EU Data Protection Directive (95/46/EC)</a> regulates the processing of personal data within the European Union. The Directive was developed in response to increased threats to informational privacy, as a way of regulating the collection, storage, usage and dissemination of personal data.</p><p><strong>The Adequacy Standard</strong></p><p>The key purpose of the Directive was to harmonize EU Member States’ laws, so that each Member State could transfer data to other Member States while still safeguarding the fundamental rights and freedoms of its citizens. If data controllers in one Member State transferred data to a third country that failed to protect personal data, the protection afforded by the Member State would be lost once the data left it.</p><p>Article 25 of the Directive prohibits Member States from transferring data to a third country unless the third country ensures an adequate level of protection. Article 26 of the Directive outlines exceptions to this adequacy requirement.</p><p>For example, if the laws of a third country (e.g. Canada) fail to provide adequate protection of personal data, then a data controller located in a Member State would be prohibited from transferring personal data to Canada, unless an exception happened to apply. Without such an exception, a transfer of data could lead to a data or information embargo.</p><p><strong>Data Embargoes</strong></p><p>A data or information embargo would have serious consequences for both the Member State and the third country. The Member State government may be prohibited from sending information to the third country regarding individuals in that country.</p><p>For instance, a Member State might prevent a private bank in the Member State from transferring information about its customers to Canadian financial institutions. 
Or perhaps a Member State might prohibit a European employer from sending information about its employees to its Canadian subsidiaries.</p><p>Article 26 outlines a number of exceptions to any such data embargo. Specifically, even if a sector or activity is found to lack adequate privacy protection, the Directive would still permit the transfer of personal data out of the EU if:</p><ul><li>The party desiring to send the data has entered into a contract approved by the privacy office in the EU member country (thus committing the party to providing certain protections)</li><li>The individual has unambiguously consented to the data transfer</li><li>The transfer is necessary to complete a transaction</li><li>The data are otherwise public</li></ul><p>It’s worth mentioning that the American credit reporting industry’s privacy protections should certainly satisfy the EU Data Protection Directive. The US <a
href="http://www.cippguide.org/tag/FCRA/">Federal Credit Reporting Act</a> (FCRA) includes the types of protections that EU Member States have incorporated into their laws, namely notice to consumers and the opportunity for them to correct any incorrect or inaccurate information in their files.</p><p><strong>Working Party</strong></p><p>Article 29 of the Directive establishes that a Working Party will advise the Commission on data protection matters, as well as contribute to the uniform application of the national data protection measures. Essentially, the Working Party is an independent advisory group, composed of a representative from each Member State’s supervisory authority, a representative of the Community and a representative of the Commission.</p><p>The responsibilities of the Working Party include examination of Member States’ data protection laws, as well as consulting with the Commission on the level of protection available in Member States and third countries.</p><p><strong>Adequacy and US Data Protection</strong></p><p>The United States’ <a
href="http://www.cippguide.org/2010/06/01/comparing-the-co-regulatory-model-comprehensive-laws-and-the-sectoral-approach/">sectoral approach</a> to data protection is derived from the American philosophy that laws should ensure citizens’ access to government, while still protecting them from government. While this enables the US to extensively regulate its public sector, it generally prevents the federal government from limiting interactions between private citizens. As a result, the US commitment to the free flow of information also favors a narrow regulatory approach to data protection.</p><p>Essentially, whether the Directive prohibits certain data transfers to the US largely depends upon what constitutes an adequate level of protection. The Directive requires a standard of adequacy that should be assessed in light of all the circumstances surrounding the transfer, yet fails to elaborate on this standard. Earlier data protection measures require a standard of equivalency, rather than adequacy.</p><p>For instance, the <a
href="http://www.cippguide.org/tag/OECD/">OECD</a> Guidelines, as well as the <a
href="http://conventions.coe.int/">COE Convention</a> do not define or use an adequacy standard for data transfers to third countries. In the same vein, the traditional legislation of most European countries establishes a standard of equivalency, rather than adequacy.</p><p>However, since the October 2008 enactment of the European Commission’s Directive on Data Protection, the Safe Harbor framework has been developed, which bridges the gap between some US privacy laws and the EC’s adequacy requirements.</p><p><strong>Summary</strong></p><p>This article takes a look at the European Commission’s Directive on Data Protection (95/46/EC), and the establishment of the adequacy requirement, which prevents Member States from transferring data to a third country unless the third country ensures an adequate level of protection. The article also explores certain related concepts, including the Working Party and data/information embargoes. Finally, the article takes a look at the US data protection approach and its ability to meet the EC’s adequacy standard.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>EU Data Protection Directive – Adequacy (I.C.c.i.4.a.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/09/27/adequacy-in-the-eu-data-protection-directive/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Consumer Authentication in Canada</title><link>https://www.cippguide.org/2010/07/15/consumer-authentication-in-canada/</link> <comments>https://www.cippguide.org/2010/07/15/consumer-authentication-in-canada/#comments</comments> <pubDate>Thu, 15 Jul 2010 12:00:44 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> 
<category><![CDATA[Authentication]]></category> <category><![CDATA[Canada]]></category> <category><![CDATA[CIPP/C]]></category> <category><![CDATA[Consumer Protection]]></category> <category><![CDATA[electronic authentication]]></category> <category><![CDATA[OECD]]></category> <category><![CDATA[PIAC]]></category> <category><![CDATA[PIPEDA]]></category><guid
isPermaLink="false">http://www.cippguide.com/?p=1909</guid> <description><![CDATA[Electronic authentication is common in this information-driven society, as daily transactions through electronic services and the Internet require remote electronic authentication. Online transactions are increasingly seamless through the connection of multiple devices which offer services to consumers that were previously unattainable. Many authentication systems collect and use the personal information of users in a way that compromises their privacy and security. Authentication systems must be designed to give consumers more control over their personal information, promoting user security and effective privacy [...]]]></description> <content:encoded><![CDATA[<p>Electronic authentication is common in this information-driven society, as daily transactions through electronic services and the Internet require remote electronic authentication. Online transactions are increasingly seamless through the connection of multiple devices which offer services to consumers that were previously unattainable. Many authentication systems collect and use the personal information of users in a way that compromises their privacy and security. Authentication systems must be designed to give consumers more control over their personal information, promoting user security and effective privacy protections.</p><h2>What is authentication?</h2><p>Authentication in this context refers to the verification of user identities in an electronic information system. Authentication can be discussed in terms of three factors, or authenticators:</p><ol><li>Something that is <span
style="text-decoration: underline;">known</span> by the individual (e.g. a password, personal identification number, account number, etc.)</li><li>Something that the individual <span
style="text-decoration: underline;">has</span> (e.g. a bankcard, token, identity card, digital certification, etc.)</li><li>Something that the individual <span
style="text-decoration: underline;">is or does</span> (e.g. a biometric, such as a facial image, retinal scan, voice print; or a person’s signature)</li></ol><p>Single-factor authentication is the traditional security process. In this type of authentication, the user must provide an authenticator from one of the above categories. For instance, before a user has access to an account, he/she must provide a username and a password. Single-factor authentication is more likely to result in compromised privacy or security.</p><p>Two-factor, or multi-factor, authentication requires authenticators from two or more of the above categories. For instance, before accessing a system, a user must provide a physical token, such as an identity card, and a security code. Authentication that is based on more than one authenticator from the same category is known as multi-layer authentication.</p><h2>Electronic Authentication in Canada</h2><p>A 2008 study conducted by the <a
href="http://www.piac.ca/">Public Interest Advocacy Center</a> (PIAC) focused on electronic authentication of consumer financial transactions. It established that Canadian consumers were particularly attentive to electronic authentication methods in their daily transactions, which included banking and financial services, airport check-in and online shopping. While many online banking services required two-factor authentication, the most common online authentication is single-factor authentication with a username and password.</p><p>A 2004 study revealed consumer frustration with the lack of security provided by online banking services and online retailers. A later 2005 study showed that Canadian consumers were more concerned about security and privacy than their American counterparts; 40% of Canadians avoided online shopping due to security issues, compared to 24% of Americans. The <a
href="http://www.cippguide.org/tag/OPC/">Privacy Commissioner of Canada</a> continues to note concerns with the increasing trend of collection, use and retention of personal data.</p><h2>Authentication Principles</h2><p>In May 2004, <a
href="http://www.ic.gc.ca/eic/site/ic1.nsf/eng/home">Industry Canada</a> released the <a
href="http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/vwapj/Authentication.pdf/$file/Authentication.pdf">Principles for Electronic Authentication</a> to provide guidance for the development, implementation and use of authentication services and products in Canada. The Principles complement existing authentication governance by establishing benchmarks for products and services. They also ensure compatibility with international developments in authentication.</p><p>The Principles for Electronic Authentication are outlined below:</p><p><strong>1. Responsibilities of Participants</strong></p><p>Participants in authentication processes should be aware of their functions and responsibilities. Responsibilities should be proportional to the degree of knowledge and control they can reasonably be expected to have. Functions may include: administration, specification, end use, standards development, compliance assessment and infrastructure provision.</p><p><strong>2. Risk Management</strong></p><p>Any risks associated with authentication processes should be identified, assessed and managed in a reasonable, fair and efficient manner. Risks may include financial risks, loss of confidentiality or privacy, damage to reputation or identity theft. Assessment should be done in the context of the six functions listed in the previous principle.</p><p><strong>3. Security</strong></p><p>Participants in authentication processes should be responsible and accountable for security. A security incident that only affects a single participant may have implications for all participants. Participants have a responsibility to mitigate risks through sound security practices, but most of this responsibility lies with infrastructure providers and authentication administrators. Review and assessment are essential in ensuring the ongoing efficacy of security programs.</p><p><strong>4. Privacy</strong></p><p>Organizations involved in the design or operation of authentication processes should comply with data protection regulations set out in privacy legislation. The collection, use and disclosure of personal information in the context of authentication should be minimized. For instance, the authentication of a business should be focused on business attributes, rather than personal attributes of individual employees.</p><p><strong>5. Disclosure Requirements</strong></p><p>Organizations offering authentication services should disclose information, such as policies, practices and procedures, to other participants. This will ensure that all participants are aware of the risks and responsibilities associated with participation. Disclosure should not include any information that would introduce vulnerabilities or increase risk. The extent and nature of the information disclosed may vary, depending on whether the end user happens to be an individual or an organization.</p><p><strong>6. Complaints Handling</strong></p><p>Organizations that implement authentication processes should establish a complaints-handling process in order to enable participants to effectively resolve complaints and respond appropriately to non-compliance issues. Adequate complaints-handling processes should reflect the following characteristics: visibility; accessibility; responsiveness; fairness and objectivity; free of charge; confidentiality and privacy; accountability; continual improvement; and third-party dispute resolution processes for unresolved complaints.</p><h2>Authentication Initiatives Since 2004</h2><p>Since the publication of the Authentication Principles, governments and consumer groups have been involved in several electronic authentication initiatives:</p><ul><li>The Data Protection Working Party adopted a working document on online authentication services. It studies the efficacy of the Microsoft .NET Passport, which reduces the number of accounts a user needs to create and makes more services accessible through a single authentication process.</li><li>In June 2007, the OECD released its Recommendation on Electronic Authentication as well as the OECD Guidance for Electronic Authentication, which lists a number of foundational principles for authentication.</li><li>In September 2007, the Department of Finance began discussions regarding the expansion of the Debit Card Code to cover a broader array of electronic payments.</li></ul><h2>Authentication Principles, Revisited</h2><p>In October 2008, the PIAC released a report calling for a substantial overhaul of Industry Canada’s Authentication Principles. The report cited the Principles’ widespread failure to provide adequate protection when conducting online business transactions. 
While consumers are becoming increasingly careful about security and privacy risks online, the report urges federal and provincial governments to play a greater role in the regulatory process.</p><p>The following is an outline of some of the criticisms and recommendations made by the PIAC regarding the Authentication Principles:</p><ul><li><strong>Criticism</strong>: The Authentication Principles provide insufficient assurance of consumer security. Principle #3 is based on security, but it is too vague to be meaningful, as it does not indicate how an organization might achieve appropriate security.</li></ul><p><strong>Recommendation</strong>: Authentication should move beyond multi-layer single-factor techniques. Two-factor authentication provides only minimal security for highly sensitive transactions. One-time passwords can be provided to the consumer through the financial institution or retailer. This strategy has been implemented internationally, but has yet to be introduced in Canada.</p><ul><li><strong>Criticism</strong>: The Principles do not clarify who is liable for losses. Consumers should not be held liable.</li></ul><p><strong>Recommendation</strong>: Standard form contracts must make clear who bears the liability for losses. Banks and retailers should bear the burden of responsibility for unpreventable losses.</p><ul><li><strong>Criticism</strong>: The Principles fail to adequately protect consumer privacy, especially in light of continually evolving security breaches.</li></ul><p><strong>Recommendation</strong>: Prioritizing consumer privacy would help to minimize the harm that results from security breaches related to authentication. The Principles should tie in corresponding sections of the <a
href="http://www.cippguide.org/2009/12/06/data-protection-laws-around-the-globe/">Personal Information Protection and Electronic Documents Act</a> (PIPEDA) fair information practices. Sensitive personal information should be used as authenticators only in very limited situations. Consumers should be able to choose the pieces of personal information they use as authenticators.</p><ul><li><strong>Criticism</strong>: The Principles must mandate full public disclosure and consumer education.</li></ul><p><strong>Recommendation</strong>: Implementation of authentication processes should be transparent. This includes notifying consumers if the authentication system has changed; making information available before the user creates an account; providing full public disclosure of audits and compliance reviews; providing security breach notification; and providing consumer education.</p><ul><li><strong>Criticism</strong>: Consumers are not guaranteed protection in a voluntary framework. Consumers need a better regulatory framework to address electronic authentication.</li></ul><p><strong>Recommendation</strong>: Regulate authentication through sectoral regulation. Strengthen online authentication through implementing two-factor authentication. Regulate authentication in the retail sector. The Privacy Commissioner of Canada should oversee authentication practices.</p><h3>Summary</h3><p>This article examines the concept of electronic authentication in a consumer context. Single-factor, two-factor and multi-factor authentication are explored. Industry Canada’s Principles for Electronic Authentication are defined and later criticisms and recommendations are raised. 
The article also looks at other authentication initiatives that have developed in Canada since 2004.</p><h3>CIPP/C Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Security Controls: Authentication (V.A.a.i.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/07/15/consumer-authentication-in-canada/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>CSA Model Code</title><link>https://www.cippguide.org/2010/06/29/csa-model-code/</link> <comments>https://www.cippguide.org/2010/06/29/csa-model-code/#comments</comments> <pubDate>Tue, 29 Jun 2010 12:00:41 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Canada]]></category> <category><![CDATA[Canadian Standards Association]]></category> <category><![CDATA[CIPP/C]]></category> <category><![CDATA[CSA]]></category> <category><![CDATA[CSA Model Code]]></category> <category><![CDATA[OECD]]></category> <category><![CDATA[Office of the Privacy Commissioner]]></category> <category><![CDATA[OPC]]></category> <category><![CDATA[PIPEDA]]></category> <category><![CDATA[Privacy Commissioner of Canada]]></category><guid
isPermaLink="false">http://www.cippguide.com/?p=1887</guid> <description><![CDATA[In March 1996, the Canadian Standards Association (CSA) published the Model Code for the Protection of Personal Information. Canada was the first country in the world to establish a voluntary, national standard for personal information protection.The Model Code was largely based on the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, created by the Organization for Economic Cooperation and Development (OECD). While the Code remains a voluntary standard, it enjoys strong support and endorsement by a variety of Canadian companies as the national standard on privacy [...]]]></description> <content:encoded><![CDATA[<p>In March 1996, the <a
href="http://www.csa.ca/">Canadian Standards Association</a> (CSA) published the <a
href="http://www.cippguide.com/2010/05/27/csa-model-code/"><em>Model Code for the Protection of Personal Information</em></a>. Canada was the first country in the world to establish a voluntary, national standard for personal information protection.</p><p>The Model Code was largely based on the <a
href="http://www.cippguide.org/2009/10/04/limiting-data-collection/">Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data</a>, created by the <a
href="http://www.oecd.org/">Organization for Economic Cooperation and Development</a> (OECD). While the Code remains a voluntary standard, it enjoys strong support and endorsement by a variety of Canadian companies as the national standard on privacy protection.</p><p>In April 2000, the <a
href="http://www.cippguide.com/2010/06/10/personal-information-protection-and-electronic-documents-act-pipeda/" target="_blank">Personal Information Protection and Electronic Documents Act</a> (PIPEDA) became law. The CSA Model Code forms an important component of the PIPEDA.</p><h2>What is the CSA?</h2><p>The CSA is an independent, not-for-profit association that aims to serve national and international businesses, industries, governments and consumers. As a leader in standards development, the CSA is involved with product certification; quality and environmental management systems registration; and information products. The CSA is a membership organization governed by a Board of Directors whose members are both elected and appointed.</p><p>Standards are written and developed by volunteer committees made up of representatives from government, industry, consumer groups and users. Committees are facilitated by CSA employees and use a consensus-based approach to decide on the contents of a standard and to determine if the standard will be published.</p><h2>Developing the Code</h2><p>The Code intends to balance the privacy rights of individuals with the legitimate data requirements of industries, businesses and institutions. It was developed by a 45-member committee with representatives from the main groups concerned with personal privacy issues in Canada. Committee representatives included:</p><ul><li>Federal and provincial governments</li><li>Consumer advocates</li><li>Organized labor</li><li>Security and IT experts</li><li>Industries including:<ul><li>Financial services</li><li>Telecommunications</li><li>Cable television</li><li>Direct marketing</li></ul></li></ul><h2>What does the Code say?</h2><p>The Code outlines basic guidelines for the protection of personal data. 
It addresses two main issues:</p><p>I) How organizations collect, use, disclose and protect personal information.</p><p>II) How individuals access and correct personal information collected by the organizations.</p><p>Organizations that choose to follow the Code demonstrate that they are handling the information they collect fairly. The Code offers consumers, employees and other data subjects a means for challenging an organization’s practices.</p><p>The Code is based on ten interrelated principles:</p><p><strong>1. Accountability</strong></p><p>This principle states that an organization is responsible for personal information under its control. The organization should designate an individual or individuals to be accountable for the organization’s compliance with the principles stated in the Code. An organization needs to implement policies and practices that will help it respect the principles.</p><p><strong>2. Identifying Purposes</strong></p><p>An organization should identify the purposes for collecting information at or before the time of collection. This will enable the organization to determine which information needs to be collected in order to meet its needs. This goes hand in hand with the Limiting Collection principle (#4). Depending on the manner in which information is collected, this principle can be fulfilled orally or in writing. For example, an application form may explain the purposes of information collection to an individual.</p><p><strong>3. Consent</strong></p><p>Where it is appropriate, an individual must have knowledge of and give consent to the collection, use or disclosure of personal information. An organization should make a reasonable effort to inform individuals of the purposes for collecting information. 
Consent should be meaningful; the purposes should be explained in such a way that the individual can reasonably understand the use and disclosure of their personal information. Individuals are entitled to withdraw consent at any time.</p><p><strong>4. </strong><strong>Limiting Collection</strong></p><p>Personal information should only be collected as necessary for the purposes that the organization has identified. This includes limiting the amount and type of information. The information should be collected by fair and lawful means.</p><p><strong>5. </strong><strong>Limiting Use, Disclosure and Retention</strong></p><p>An organization should not use personal information for new purposes, unless it has the consent of the individual, or as required by law. Personal data should only be retained as long as is necessary to fulfill the organization’s stated purposes. An organization should develop specific guidelines and procedures governing the destruction of personal information.</p><p><strong>6. </strong><strong>Accuracy</strong></p><p>In order to meet the intended purposes, personal information should be accurate, complete and up-to-date. This principle aims to minimize the possibility that incorrect information is used to make a decision about an individual. This also applies to information disclosed to third parties.</p><p><strong>7. </strong><strong>Safeguards</strong></p><p>An organization should implement appropriate security safeguards to protect the personal information collected. The appropriate safeguard should be determined by the sensitivity, amount, distribution, format and method of storage of the information. Employees in the organization should be aware that confidentiality of personal information should be maintained.</p><p><strong>8. </strong><strong>Openness</strong></p><p>An organization should be open about its personal information policies and practices. 
Individuals should be able to access an organization’s policies and practices relatively easily. The method of disseminating such information depends on the nature of the organization. This may include brochures, mail to customers, online access or toll-free information lines.</p><p><strong>9. Individual Access</strong></p><p>Individuals should be informed of the existence, use and disclosure of their personal information. Individuals should have access to their personal information and be able to question and correct the accuracy and completeness of this information.</p><p><strong>10. Challenging Compliance</strong></p><p>Individuals should be able to challenge an organization’s compliance with the above principles. The person accountable for an organization’s compliance will be responsible for dealing with inquiries, challenges or complaints. An organization should investigate all complaints and, if necessary, adjust its policies and practices appropriately.</p><h2>Implementation</h2><p>The Code is meant to be used by any organization that collects or uses personal information. Such organizations may include:</p><ul><li>Financial institutions</li><li>Service providers</li><li>Retailers</li><li>Direct marketers</li><li>Telecommunications companies</li><li>Product manufacturers</li><li>Schools</li><li>Universities</li><li>Hospitals</li><li>Government agencies</li></ul><p>As organizational compliance with the Code is purely voluntary, organizations may incorporate the ten principles in their policies to varying degrees. The <a
href="http://www.qmi.com/">Quality Management Institute</a> (QMI) has a program that recognizes three levels of compliance:</p><p>Tier 1: Declaration</p><p>An organization declares its compliance with the Code by signing a code of ethics or a statement of its information protection principles.</p><p>Tier 2: Verification</p><p>An organization submits documented policies and procedures to the QMI, which may conduct on-site audits in order to confirm compliance with the Code.</p><p>Tier 3: Registration</p><p>The QMI reviews the organization’s documentation and carries out an audit. This establishes compliance with the CSA Model Code and with ISO 9001 or 9002.</p><h2>Blind Spots</h2><p>Since its introduction, a number of critiques of the Code have arisen. Many of these critiques point to vagueness in interpretation, which has led to confusion, loss of confidence and decreased utility of the Code. Due to differences in the meaning and application of the Code, a number of cases have been taken to the Canadian <a
href="http://www.cippguide.org/2009/12/06/data-protection-laws-around-the-globe/">Privacy Commissioner</a>. This process is slowly eliminating some uncertainties in the Code.</p><p>Some gray areas of the Code include:</p><ul><li>The issue of collecting personal information from or about children is not mentioned.</li><li>Different types of consent are not distinguished (e.g. express, implied and deemed consent).</li><li>The Code does not elaborate upon the issue of notice. What constitutes a reasonable effort to advise an individual of the collection of personal information?</li><li>It is unclear if retention of personal information constitutes a “use” under the Code. If so, retention would require consent from the individual.</li><li>The Code does not require businesses to explain the purposes of personal information collection to their customers. This has led to widespread failure of customer service representatives to reasonably explain the purposes of information collection to the ordinary consumer.</li><li>The principle of openness is only encouraged, rather than required.</li></ul><h3>Summary</h3><p>The CSA Model Code for the Protection of Personal Information presented a foundation for Canadian privacy protection legislation, such as PIPEDA. A number of Canadian businesses and organizations have modeled their own privacy codes, policies and practices on this standard. Individuals have also used the Code to understand their privacy rights and protect their personal information. 
Over time, provisions in need of greater clarity or strengthening have been identified in the CSA Code.</p><h3>CIPP/C Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Canadian Standards Association (II.A.a.)</li><li>Model Code for the Protection of Personal Information: CAN/CSA-Q830-96 (II.A.a.i.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/06/29/csa-model-code/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Limiting Data Collection</title><link>https://www.cippguide.org/2009/10/04/limiting-data-collection/</link> <comments>https://www.cippguide.org/2009/10/04/limiting-data-collection/#comments</comments> <pubDate>Mon, 05 Oct 2009 03:34:44 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Code of Fair Information Practices]]></category> <category><![CDATA[Collection Limitation]]></category> <category><![CDATA[OECD]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1053</guid> <description><![CDATA[While increasing the amount of detail and information seems enticing to the business intelligence office, security and privacy professionals must step in and put on the brakes to limit disclosure [...]]]></description> <content:encoded><![CDATA[<p>Collecting information from customers. Every company does it; it&#8217;s simply a requirement for successful marketing. The more information to mine through, the more likely the marketing department may make a correlation and sell more stuff. This equates to profit &#8211; the reason any red-blooded company is in existence.</p><p>This also opens the company to privacy violations &#8211; depending on the industry, you could face indictment by the FCC, FTC, EU DPAs, etc.</p><p>My phone battery was on the fritz, so I needed to find a replacement. I visited an electronics store currently trying to rebrand itself as &#8220;the Shack&#8221; looking for a new battery. They had an off-brand battery labeled for my phone type. I explained the situation to the cashier &#8211; I had tried this solution before with another battery retailer, and there was a very real possibility it would similarly fail. I paid cash, thinking why go through the hassle of having the same charge card to make the return. Maybe I&#8217;d just have my wife stop by while running errands?</p><p>That night, my hunch was right, and a large X appeared over the phone&#8217;s status icon. I went in the following day, where the same cashier immediately recognized what must have happened. &#8220;No problem, we&#8217;ll give you a refund. We just need a little information.&#8221; This included much more than just my name &#8211; address, phone number, photo ID. All of this because I used a green piece of paper. Maybe the company is trying to combat fraud, but for less than US$50, at what cost? 
I didn&#8217;t ask what protections corporate had in place, and even if they had literature, I was on my way to the airport and in no shape to read it&#8230;</p><p>No matter what the rationale, this is simply too much information in the wake of the numerous network breaches sparked by TJX. Jennifer Stoddart, former privacy commissioner of Canada, said: &#8220;The company collected too much personal information, kept it too long and relied on weak encryption to protect it.&#8221;</p><p>Good companies have opt-in policies and clearly define how the data will be used and who it may be shared with. Great companies don&#8217;t collect information without a specific purpose. The ideas are not new; they fall in line with the US Department of Health, Education and Welfare&#8217;s &#8220;Code of Fair Information Practices&#8221; from the 1970s and the Organization for Economic Cooperation and Development&#8217;s (OECD) principles laid out in 1980 for collection limitation, methods and relevance. These same ideas are echoed throughout the EU&#8217;s Data Protection Directive. Today, the Payment Card Industry&#8217;s Data Security Standard, HIPAA and the Federal Rules of Civil Procedure reemphasize collection limitation&#8217;s importance, placing specific regulations on how data are treated. PCI mandates encryption and physical access restrictions, while FRCP&#8217;s e-discovery rules suggest that retaining volumes of data indefinitely could create massive evidentiary headaches and unexpected costs.</p><p>In all, keep in mind: if you don&#8217;t collect it, you can&#8217;t lose it. 
Do you <em>really</em> need to log my personal information to make a $50 return?</p><h3><strong><em>CIPP Candidate Preparation</em></strong></h3><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Introduction to Privacy: “Guidelines Governing the Protection of Privacy and Trans-border Data Flows of Personal Data” (Foundations: I.D.iv.1), The European Union (“EU”) Data Protection Directive (95/46/EC) (Foundations: I.D.ii.2)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/10/04/limiting-data-collection/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Finland&#039;s Fingerprinting Fiasco? Centralized private records database accessible by police</title><link>https://www.cippguide.org/2009/02/05/finlands-fingerprinting-fiasco-centralized-private-records-database-accessible-by-police/</link> <comments>https://www.cippguide.org/2009/02/05/finlands-fingerprinting-fiasco-centralized-private-records-database-accessible-by-police/#comments</comments> <pubDate>Thu, 05 Feb 2009 19:08:08 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[APEC]]></category> <category><![CDATA[biometrics]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[European Union Data Protection Directive]]></category> <category><![CDATA[fingerprint]]></category> <category><![CDATA[Finland]]></category> <category><![CDATA[Information Privacy]]></category> <category><![CDATA[OECD]]></category> <category><![CDATA[regulations]]></category> <category><![CDATA[Singapore]]></category><guid
isPermaLink="false">http://blog.cippguide.org/?p=191</guid> <description><![CDATA[Finland will collect all their citizens' fingerprints, store them in a central database and include them in passport ID chips.  Singapore's been doing this for several years, and the parallels and privacy implications are deeper than [...]]]></description> <content:encoded><![CDATA[<p>A bill expected to be presented to the Finnish Parliament today will require all citizens, and anyone who applies for a passport or travel documents at Finland&#8217;s borders, to end up in a centralized fingerprint database. This information will be accessible not only to customs and immigration officials, but also to police. The justification for such action lies in the June 28th European Union Member State travel document requirements.</p><p>This seems to fly in the face of the EU&#8217;s Privacy Protection Directive, and a long history of pro-privacy government. Finland was one of the early participants in a group called the Organization for Economic Cooperation and Development (OECD), <a
title="OECD Membership List - including Finland" href="http://www.oecd.org/document/58/0,2340,en_2649_201185_1889402_1_1_1_1,00.html" target="_blank">signing up in 1969</a>.  The <a
title="OECD Privacy Guidelines" href="http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html" target="_blank">OECD&#8217;s eight privacy principles</a> served as a baseline for private data handling within member states and included such items as collecting the minimum amount of information necessary and limitations on use for any data collected.</p><p>Finland&#8217;s not the first country to register this sort of information &#8211; Singapore&#8217;s been doing this for several years. They keep all of their citizens&#8217; data (including fingerprints) in one big database called the Central Identification and Registration Information System (CIRIS). It not only covers Singaporeans, but includes anyone that passes through their customs and immigration checkpoints. Granted, it&#8217;s protected through <a
title="Companies securing Singapore's CIRIS database housing citizens' private data" href="http://www.fleetship.com/fleetnews/CIO100_08_Index.pdf" target="_blank">several security mechanisms</a>, and they&#8217;re a much smaller country land-wise, not affiliated with Europe or its wartime past indiscretions; but the population difference is less than 600K in Singapore&#8217;s favor, and the economic influence of the tiny island can&#8217;t be ignored.</p><p>Why the parallels to Singapore, you may ask? Pedigree. Singapore is part of the Asia-Pacific Economic Cooperation and (mostly) abides by the <a
title="APEC Privacy Framework" href="http://www.apec.org/apec/news___media/fact_sheets/apec_privacy_framework.html" target="_blank">APEC privacy framework</a>. The nine principles of the APEC privacy framework mirror the OECD&#8217;s eight, including both the Collection Limitation and Use Limitation principles. The CIPP covers all of this history and evolution between the various privacy assurance concepts.</p><p>Finland might look over some of Singapore&#8217;s justifications for private data centralization when selling this to its citizens. Are they collecting the fingerprints just to have them on file? Maybe someone somewhere might do something criminal?</p><p>The Google translation of the Finnish government&#8217;s statement is <a
href="http://translate.google.com/translate?hl=en&amp;sl=fi&amp;u=http://www.vn.fi/ajankohtaista/tiedotteet/tiedote/fi.jsp%3Foid%3D252317&amp;sa=X&amp;oi=translate&amp;resnum=1&amp;ct=result&amp;prev=/search%3Fq%3Dhttp://www.vn.fi/ajankohtaista/tiedotteet/tiedote/fi.jsp%253Foid%253D252317%26hl%3Den%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-GB:official%26hs%3DVZm">here.</a></p> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/02/05/finlands-fingerprinting-fiasco-centralized-private-records-database-accessible-by-police/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>