TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Canada Dashboard Digest | Notes from the IAPP Canada Managing Director, April 26, 2019 Related reading: Privacy inspection tool finds ad trackers on sensitive nonprofit websites




While there is plenty of privacy news this week to catch up with, the one party doing their part at making headlines is the Office of the Privacy Commissioner. First, they stated that they might change their position on trans-border data flows, and they have asked for input by June 4. This week, they added to the mix by publishing an addendum or annex to their original discussion document. The annex elaborates a bit on their preliminary position that a transfer for processing is a disclosure (not a use) that requires consent.

Personally, I never thought it was important to emphasize the semantics of whether or not a transfer for processing was a disclosure versus a use. They both require consent, and they both are subject to the reasonableness requirement — AND — the accountability principle. The original 2009 OPC position did not conclude that consent was not required. Rather, it emphasized that consent can be implied for the reasonable processing so long as there was notice and so long as the accountability principle was followed. I still think this is a valid position, and I’m at a loss at figuring out how the alternative might work.

The second set of gigantic news, of course, is the most damning Report of Findings and media blitz by the OPC and the OIPCBC targeting Facebook. The social media giant broke the law and, apparently, did not think it was a good idea to cooperate with the regulator. In Canadian private-sector privacy history, I don’t think a commissioner has ever come out with such harsh language against an organization. It reminded me a bit of the Radwanski era but even more pointed, targeted and forceful. I suppose that’s all you can do when you find a violation of the law and the organization you investigated snubs you.

The backdrop to the Facebook story is that, in the United States, it seems likely that the regulator (the FTC) is going to fine them somewhere around 5 billion dollars. As IAPP CEO J. Trevor Hughes posted on LinkedIn: “Wow, wow, wow!” I commented that Facebook is probably gladly taking the embarrassing tongue lashing from Canada as it prepares to seriously dish out south of the border. It seems clear that not all penalties are equal.

Does all this have you thinking about privacy law reform in Canada? It should.


If you want to comment on this post, you need to login.