Well, the on-again, off-again consultations from the Office of the Privacy Commissioner are back on. No, really. They’ve been unsuspended.
Earlier this week, the OPC released yet another document. This one reframes the consultation on transfers for processing and TBDF. You can see their new document, along with the questions they are asking for input on.
To be fair, there are only three new questions, and they’ve been added in light of the government’s recent announcements of a digital charter.
While some organizations were waiting for the reframed discussion to be released, others like the Information Accountability Foundation were not and decided to submit their position in advance of the OPC’s reframed discussion. The IAF, in fact, made their own submission to the OPC public. You can read it here.
The IAF offers a good policy reason for choosing the accountability principle over the need for consent. They go on to say that what is missing from the analysis is how to enforce the accountability principle. Indeed, this poses an interesting issue.
The IAF position is clearly meant to be a policy-based submission, and what is still missing is the type of legal analysis that will persuade Commissioner Therrien that transfers for processing are a use and not a disclosure.
I’ve said it several times already that I don’t think it matters whether or not you call a transfer a use or disclosure. Both, under the current law, require consent. My only point is that this consent can be inferred in the vast majority of situations so long as there was proper and effective notice and that it is reasonable in the circumstances.
I get the fact that Canadians may want to know where their information is going, and they want — no, expect — it protected; however, the last thing we all need is another pop-up consent box that we need to tick every time an organization transfers our personal information for processing purposes. Such a system is simply not tenable and would result in meaningless consent, which I suspect is quite the opposite from the goal.
Instead, I think what is needed is clear guidance from our commissioners on what they specifically expect in terms of meeting the accountability principle — not just what they want in a potential future law. For some time, the EU has had a process whereby their standard contractual clauses offered the type of guidance I thought should be replicated by the commissioners in Canada. And, while I realize the SCCs are not perfect (Max Schrems is challenging them, and they are currently being looked at again by the EU Commission), if we had a system by which we knew with some certainty what is expected and what fails to meet these expectations, we would all be much better off.
All this is a rather interesting (to me!) and even controversial issue in privacy circles. Not such a big thing outside privacy land, though. Let’s just remember that as we all approach this issue, any submissions — and ultimately, solutions — should be done reasonably, respectfully and meaningfully.
If you want to comment on this post, you need to login.