DPAs — data protection agreements, not data protection authorities — have been occupying some of my time lately. Is it the same for you?
I find they have somehow become more mainstream since the EU General Data Protection Regulation came into effect in 2018, but arguably, they’ve been needed by organizations caught by Canadian privacy laws for the past 20 years or so.
In my experience, they’ve become more sophisticated over time. In the early years, it was simply a matter of throwing a line into your contract that every party agreed to abide by privacy law obligations. Today, however, these contractual clauses span several pages and cover just about every obligation under the sun.
Some data protection agreements are written for use within a single organization, where one branch of the company shares information with another. This is certainly important and, in European parlance, such intra-group arrangements have become known as binding corporate rules. The other type of data protection agreement is one where an entity shares data with a completely separate corporate organization. There is probably more at stake in those, because accountability does not flow easily down the chain from one sub-processor to the next.
Data protection agreements involving only Canadian entities are one thing, but when the agreement contemplates parties from around the world, it gets more complex. Suddenly, you need your data protection agreement reviewed by professionals in multiple jurisdictions, which inevitably slows things down. Despite this small hurdle in "getting the deal done," I am grateful my clients take this step. A little effort spent at the beginning of a project can save a great deal later if something goes wrong.
Tools like data protection agreements and privacy impact assessments are definitely becoming more common, which is a good thing. The one thing missing is guidance from our regulators on what is needed to make sure these documents meet legal requirements. We know we need contracts, but we have not been told what meets the expected standard and what does not. The laws are vague, and we need firmer rules on which to base the advice we give our clients and organizations. The Europeans are well ahead of us on that front, and I hope our Canadian counterparts act quickly to fill this void. There is no need to wait for our new privacy laws. This guidance is needed now, and it will serve the entire privacy community if we get it.