For many years now, organizations around the globe have had to use contractual terms with the entities they interact with, where those terms involve and protect the personal information that gets exchanged between the parties.
In the EU, they have standardized the process with standard contractual clauses. We don't have that in Canada, so we are left to our own drafting skills to come up with what is generally being referred to in the industry as a "data protection agreement."
In the early days, the agreements were one to two pages in length. But now, it is common for them to run in excess of 30 pages. Negotiating, editing and marking these beasts up can be a time-consuming and, unfortunately, sometimes expensive endeavor.
That is why I would like to see our regulators come up with more concrete guidance as to what needs to be in these agreements. Maybe even a Canadian version of SCCs that have been endorsed by the regulator community in the EU.
I'm working a fair amount on agreements lately — mine are shorter — incorporating concepts and obligations coming up from Quebec's new private-sector privacy law, Law 25. We are also trying to anticipate what these agreements will need to look like if Canada's federal privacy reform, Bill C-27, is passed federally and we get an entirely new private-sector law.
Speaking of Law 25 out of Quebec, you now have less than two months before the majority of all those shiny new provisions come into force. Are you ready to conduct your transfer impact assessments and your privacy impact assessments?
I'm heading to Quebec myself this weekend and, at least for the moment, the only impact assessment I'll be thinking about has nothing to do with a new privacy law. Rather, it relates to how many times I can safely consume a stick of taffy-on-the-snow. Yes, they still have it in the summertime, it's divine, and truth be told, I'm a bit of an addict.
Have a great weekend everyone.