There are rumors floating around that people are lobbying government officials with respect to what our privacy laws should look like. Is that a positive sign? Does this mean that the government is actually keen on modernizing the Privacy Act and PIPEDA? Or are they just trying to influence if and when the time comes?
All this has me thinking about what would likely be one of the bigger issues if we got around to amending our data protection laws. That is, what should the role of consent be in a new law?
If you’ve taken some time to read the EU General Data Protection Regulation, you’ll know that the EU has not abandoned the role of consent, but it has taken an approach where consent is not the end game. Many other obligations arise when it comes to data protection, and, in fact, it is permitted to process personal information in several situations when consent has not been necessarily obtained. It is this emphasis on the other obligations that has me thinking about what might happen if Canada were to take a run at changing our paradigm.
Things like mandatory PIAs (if thresholds are met), appointing a CPO that has real authority, and otherwise demonstrating accountability seem to be the topics that would necessarily make their way into second-generation privacy law. Maybe they’re considering granting the commissioner the powers he has asked for without those high requirements to demonstrate reasonable grounds.
I think it’s fair to say that these issues transcend to the public sector, as well as the private sector. Maybe it’s time we stop operating in the private-public silos we’ve created and set up rules that apply to all organizations regardless of which sector they are in. None of this is groundbreaking or even new. It’s just different than how Canada has been operating for the last 20 or 30 years.
In many respects, I think revisiting the basic fundamentals of our system is what’s needed if we moved forward. Of course, that would mean also revisiting the enforcement model that was chosen so many decades ago.
Just because we examine other ways of ensuring compliance doesn’t mean that we have to turn our system into a litigious and adversarial system. All in all, the rumors about lobbyists hanging around Ottawa has provided a lot of food for thought. I, for one, choose to take it as a positive sign that there’s some movement. And that’s an opportunity for us collectively to share views on how things have gone to date and to get it right in the time ahead.
What do you think are the big issues if we were to modernize our privacy laws? I’d love to hear from you on this.
If you want to comment on this post, you need to login.