I had a great time this week spending two days with a group from a Ministry of the Ontario government that had signed up for CIPP/C training. Our conversations were enlightening and I wish them good luck in studying for the exam. I’m quite sure the group will do just fine; they were already pretty well versed on privacy issues and were taking the occasion to really get into the weeds on some things.
One thing that came up (and it does in almost every training session) concerned what to do to meaningfully compensate people whose privacy rights have been violated and, at the same time, what to do to meaningfully punish and deter others from violating privacy rights. Is the slap-on-the-wrist model we have been using working? What about an automatic $5,000 fine for certain types of violations? Is a private right of action the right answer?
I don’t have all the answers, but I do note the interesting conclusion in the U.S. Federal Trade Commission’s investigation into the Ashley Madison breach. Remember: In Canada, our commissioner investigated and ultimately summarized for us what the company had done wrong. The FTC, on the other hand, took a bit longer to complete the investigation, but levied a fine against the company that was over a million dollars. Isn’t it almost silly how different those outcomes were?
And that raises another issue that came up during our time together in Toronto this week. Updating privacy laws in Canada is, for some reason, a difficult thing. PIPEDA, if you recall, is supposed to be reviewed every five years (at a minimum). Yet, in the 16 years it has existed, it’s gone through only one review exercise. What’s the holdup?