TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Working with Canadian regulators requires communications, transparency Related reading: Therrien speaks on Digital Charter, trans-border data flow consultation at CPS19



Communication is a fundamental building block for any relationship. This is not a new discovery. As a matter of fact, it is about as far from a hot take as you will get. For privacy professionals in Canada, however, it may become more important than ever. Canadian Innovation Minister Navdeep Bains recently unveiled the Digital Charter, which contains principals that will reform the country's privacy laws. The charter could change the dynamic for both privacy professionals and regulators, hence the need for strong communication between the two groups. It was also the advice one attorney recently gave privacy professionals for dealing with regulators on federal and provincial levels.

Borden Ladner Gervais' Eloïse Gratton said it's important for Canadian organizations to establish a dialogue with the Office of the Privacy Commissioner of Canada and its provincial counterparts. Gratton advises companies to be open with Canadian regulators over the course of an investigation. Whereas in the U.S., where Federal Trade Commission investigations are handled by litigators, Gratton said entities sometimes may be hesitant to share information given that anything offered up by an organization may be used against them in an inquiry. This is not a tactic one can take in Canada.

“That is not the way to deal with regulators in Canada,” Gratton said during a panel at the IAPP Canada Privacy Symposium recently held in Toronto. “You cannot hide stuff. You have to have a dialogue with them. They have broad investigation powers and they are allowed to ask for these things. They are allowed to come on your site and talk with people.”

Gratton said regulators can ask about a litany of privacy practices, such as whether a company has a privacy policy in place, established a training program, or if they have conducted privacy impact assessments in the past. 

Ontario Securities Commission Senior Legal Counsel Christopher Berzins echoed Gratton’s thoughts. Berzins said the best course of action is to provide as much information as possible in order to “paint a picture” to the regulators that all courses of action were taken to remediate as much of the issue as possible.

“Whenever there is a complaint, I will go out of the way to ensure we provide as much information on our position and background to explain where we stand,” Berzins said. “That has ultimately helped us avoid having complaint going to the formal stage of investigation.”

Canada Post Chief Compliance and Privacy Officer Amanda Maltby said there has been noticeable turnover at the Office of the Privacy Commissioner of Canada, which can result in various investigators handling a case. Gratton added that while it can be challenging to deal with new faces, privacy professionals would do well to show patience with junior investigators.

The speakers advised privacy professionals to take the time to ensure regulators are satisfied with their efforts and added that interactions with enforcers can also be used to reinforce the culture within their organizations.

“This is an ideal opportunity to bring the message home to your own organization,” Berzins said. “You don’t like to deal with it when it happens, but it is a real opportunity because otherwise the message in your organizations don’t resonate until something happens and you have real risk playing out.”

The relationship between privacy professionals and regulators may be a challenge now, but developments within Canada may take the dynamic between the two groups into new directions.

Maltby said she senses the OPC is overwhelmed with the amount of work it has on its plate. She believes the commissioner is frustrated over the lack of influence over the creation of privacy laws. It is not a complaint that has come of nowhere, as Privacy Commissioner of Canada Daniel Therrien has called for more powers on numerous occasions during his tenure.

Should the OPC receive more enforcement authority? Gratton is not so sure, she said, adding it might be premature to give those powers to the agency. Given that few cases over the past decade have made their way to federal court, Gratton is not sure there is a pressing need to acquiesce to the demands of the commissioner’s office.

Regardless of whether the federal commissioner gains new enforcement powers, Canadian privacy professionals still have plenty to consider when they interact with regulators around the country, and with the Digital Charter looming over the horizon, it does not look like work will slow down any time soon.

Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.