Canada’s PIPEDA Consent Guidelines Now In Effect
Posted on January 24, 2019
Canada’s new guidelines for obtaining consent under PIPEDA are now in effect. Last year federal Office of the Privacy Commissioner and the Alberta and British Columbia Offices of the Information and Privacy Commissioner jointly issued the guidelines, which outline how to get “meaningful” consent. The OPC will now apply the guidelines when looking at how companies obtained consent, and it has been reported that the guides are viewed by the regulators to have the force of law.
Companies are expected to find creative solutions for developing a consent process, and the guidelines provide seven principles for companies to consider. These include transparency: making clear what is being collected and why. Also part of transparency is if the information is shared. Companies should also give people clear options (“yes” or “no”) and be innovative when putting together the consent process. The consents should, similarly, be user- friendly. Finally, the guidelines urge companies to be ready to show how they implemented the principles when designing their consent process. To help companies, the guidelines include “must do” and “should do” checklists.
PUTTING IT INTO PRACTICE: This Canadian guidance gives helpful insight into what regulators expect from a consent process, which may be useful even for those that operate outside of Canada.
CROSS BORDER PRIVACY
The Privacy Shield Survives Another EU Commission Review, For Now...
Posted on November 22, 2019
The EU Commission concluded its third annual review of the EU-U.S. Privacy Shield and found that it continues to provide an adequate level of protection for EU personal data. The program was created as a mechanism to facilitate transfers of personal data from the EU to the US. It is reviewed annually by the EU Commission, as we have discussed in prior posts. That body did express concern with some parts of the program. This included a fear that US Department of Commerce’s monthly pro-active checks of companies may be too surface level, and did not necessarily include review of the companies’ privacy provisions in vendor contracts.
Also of concern for the EU Commission was the focus -when trying to identify companies who falsely claimed to participate in the program- only on companies who had previously applied for certification. Instead, the Commission expressed, it would like to see all companies included in scope. The Commission also expressed its belief that there should have been more companies examined overall. Finally, the Commission recommended that the US Department of Commerce (that administers the program in the US), the FTC (which enforces compliance in the US), and the EU Data Protection Authorities work together more closely.
PUTTING IT INTO PRACTICE: The Privacy Shield survived another review intact, however there is pending litigation in the EU that we expect will impact the status of the program prior to its next annual review. With this in mind, companies should keep in mind that it is only one of several potential avenues for the transfer of personal information between the EU and the US.
   Eye on Privacy 2019 Year in Review 18