This week, we are working on setting up a contract between a Canadian company that is going to outsource to a third party overseas. It’s a big contract and we’re supposed to ensure that it meets all privacy obligations.
In the very early days, we might have tackled this task by merely throwing in a line or two that just said something like “each party will use reasonable safeguards to protect the personal information at issue in this transaction.” Today, however, the contractual clauses we’re developing go on for some length and are very detailed. The practice of privacy law has evolved tremendously. The landscape has changed.
When working on these types of cases, I'm struck by the lack of guidance we have from the commissioners in Canada who oversee private-sector privacy legislation. The cases we get to read on these very nuts-and-bolts issues are lacking in the details that would help businesses truly understand what clauses are required to meet the accountability and safeguards principles.
While I understand it might be too much to ask for endorsed contractual clauses in the way that most Europeans countries do it, I do think that, here in Canada, given that the application of privacy law has evolved, the guidance and cases we have access to must as well, in order to be as helpful as possible. "Case by case" and "it depends" can translate into generalities that keep things at such a high level that companies are unsure what, in real terms, to do. While there has been some positive movement in this direction, I would argue that more practical advice is what we all need. I mean, the common goal is compliance, after all.
Funny thing is, if there were more prescriptive guidance and advice like this, companies might not need lawyers like me. So, forget I said anything! And have a great weekend everyone.
If you want to comment on this post, you need to login.