The Privacy Advisor | Canadian privacy commissioner announces 'proactive' approach to enforcement

The Office of the Privacy Commissioner of Canada has announced the agency plans to initiate a "consumer-focused," "proactive" approach to its enforcement efforts. 

Privacy Commissioner Daniel Therrien made the announcement Wednesday during the IAPP Canada Privacy Symposium here in Toronto, Canada. "While we will continue to investigate complaints," he said during his keynote address to a sold-out event, "we will also look for ways to be more proactive. We will take a key privacy principle to the next level and champion demonstrable accountability and our work will be more citizen-focused."

Therrien outlined the "complaint-driven" framework that informs his office's current mandate, which has been outpaced by "a growing disconnect between those who provide and those who receive products and services." 

"I don't raise this to worry the organizations in the room," he explained, but "compliance-minded organizations" will receive OPC assistance if they so choose. 

Similar to the Obama-era U.S. Federal Trade Commission, Therrien said the OPC "will examine investigative trends, calls to our Information Centre and feedback we receive through our outreach activities to determine whether there are specific issues, chronic problems," or other sectors that might "benefit from a commissioner-initiated investigation." 

So how would the OPC work with organizations? Therrien champions "voluntary privacy audits" or "advisory visits or meetings" to "validate compliance with PIPEDA or recommend ways companies can improve their privacy" programs prior to any incidents.

Though he conceded his agency only has so many resources and a tight budget, he said businesses and federal agencies "must be involved in the solution." One possible solution the OPC will promote, Therrien said, is "demonstrable accountability," an idea that "could result in positive outcomes for privacy." 

Therrien noted that the OPC has historically only "looked under the hood" after a complaint was brought to the agency. When that happened, organizations had to prove they had been accountable by regularly updating their privacy policies and procedures, adequately training their staff, and appointing an employee to oversee these programs.

The new "commissioner-driven" complaint paradigm will allow the agency, "when appropriate, [to] ask organizations to demonstrate accountability." He said a similar process has been effective in Europe when using "mini-audits" for improving accountability. 

"By going into companies and asking questions about their privacy practices," Therrien said, "they can better identify gaps that can be addressed before serious problems occur." 

Though he didn't name any specific companies, Therrien hinted that his office is concerned about organizations leveraging big data tools, artificial intelligence, and biometrics, among others, and whether they are able to demonstrate accountable practices.

He also encouraged companies to develop codes of practice, while announcing the agency will fund a code of practice project for connected cars. 

Another component of the OPC's new paradigm shift will focus on a consumer-driven aspect. Therrien said "citizen empowerment will be the standard by which we measure the success of our activities." Part of that solution involves not only providing consumer education, but also increased organizational compliance. As part of its new outreach efforts, the agency has redesigned its website to be more user-friendly, and, after "many internal discussions," launched a Facebook page.

The refreshed website includes a new "request tool" to allow for direct communication as well as "tip sheets" on internet-of-things devices like wearables. 

Notably, Therrien said the OPC has recognized the importance of protecting the privacy of vulnerable populations, such as minorities, children, and senior citizens. He said the OPC has been reaching out by creating lesson plans for provinces, drafting articles, and providing additional thought leadership. 

And like virtually anyone involved in privacy, the OPC will also "closely monitor" the EU's General Data Protection Regulation. Therrien warned that Canada could face European adequacy issues in light of the new regulation. In the past, the EU's adequacy agreement with Canada was partial and only involved PIPEDA, not the public sector. With the GDPR, the EU will conduct comprehensive adequacy decisions of Canada's privacy regime, including law enforcement access to user data. 

Therrien has been urging the federal government and parliament to consider reviewing any gaps that exist between the Canadian and European privacy regimes to head off any potential adequacy issues.  

Not leaving anyone out, recent efforts by the U.S. president are also on the OPC's radar. Therrien expressed concern about U.S. border searches of Canadian citizens when traveling into the U.S. He said he was particularly concerned about citizens being asked about their religious beliefs and for their mobile device passwords. Therrien also urged the Canadian government to get agreement from their U.S. counterparts to include Canada under the same privacy protections as offered to Europeans in the U.S. Judicial Redress Act.
