IAPP Canada Recap Blog

TrustArc was pleased to once again take part in the IAPP Canada Privacy Symposium held on May 23rd and 24th in picturesque Toronto, participating in four conference sessions, side events and, of course, countless conversations. The annual confab of industry thought-leaders, regulators and privacy professionals from Canada and abroad came at a particularly fascinating moment for privacy and data protection in the world’s second largest country.

Recent events that have cast Canada in the privacy spotlight include the Office of the Privacy Commissioner (OPC)’s release of findings against the Canadian arm of a global credit reporting agency headquartered in the U.S.; the OPC’s simultaneous launching of a Consultation on a policy change to require consent for transborder data flows under the country’s Personal Information Protection and Electronic Documents Act (PIPEDA); and the government’s announcement of a new Canadian Digital Charter with ten principles intended to, if adapted to law and supported by codes of conduct and certifications, further establish Canada as a digital trade and innovation leader, while providing for adequate enforcement measures to maintain trust. At the IAPP Canada opening session, the Privacy Commissioner of Canada even announced a suspension of the Consultation, in light of privacy law changes that may arise from the Digital Charter reforms.

With this as a backdrop, the conference was ripe for rich discussions of the past, present and future of Canadian privacy. TrustArc did its part to facilitate these discussions by engaging with panelists and audience members during multiple conference sessions.

Hilary Wandall, SVP, Privacy Intelligence and General Counsel, presented on two panels in one day. The first, “International Developments Impacting Canada,” was a wide-ranging discussion of the emerging regulatory approaches around the world that are impacting the Canadian landscape, from Europe to Brazil, India to Japan, and the U.S. to Singapore. The panel likewise addressed the need to continue to infuse ongoing accountability and risk considerations into an organization’s business activities in order to realize the full value of the personal data it holds and the insights derivable from it. It further looked at digital trade considerations, recent adequacy decision negotiations and questions around the establishment of a Canadian Accountability Agent for APEC CBPR purposes.

Hilary’s second panel, “NIST Roundtable: Privacy Framework Discussion Draft,” looked at the voluntary, risk- and outcome-based enterprise risk management tool being developed to help organizations answer the fundamental question of “How are we considering the privacy impacts to individuals as we develop our systems, products and services?” This Framework, still in its discussion draft phase as of April 2019, but with its preliminary draft anticipated in July/August 2019, is likely to be consequential, given the success enjoyed by the National Institute of Standards and Technology’s highly respected Cybersecurity Framework. Audience questions during the session addressed the need to focus not only on the risks or potential adverse impacts of a possible data processing activity, but also on its benefits, in response to which Hilary shared thoughts on legitimate interest balancing tests and the benefits of quantifying risk. Hilary spoke alongside NIST’s Deputy Manager for the Privacy Framework.

Margaret Alston, Director of Consulting, presented with RADAR on “How to Build a Global Data Incident Management Program,” which featured discussions of how to simplify and operationalize critical privacy program functions to help ensure compliance with existing and emerging global data breach regulations, of which there are many. The engaging session looked at the lifecycle of privacy incidents, PIPEDA’s mandatory data breach notification and recordkeeping requirements, and what a unified framework for global data breach compliance looks like, and surveyed global data breach laws that passed or have taken effect since 2018 (including penalties for non-compliance). A major theme across these laws, as Margaret explained, whether at the U.S. state and federal level, the GDPR, PIPEDA or APAC-Australia, is the use of a multi-factor risk assessment to determine notification obligations to affected individuals, taking into account the nuances of each law’s standard of harm.

Darren Abernethy, Senior Counsel, presented on a Star Wars-themed panel entitled “The Last Jedi: Why the Future of Privacy Belongs to Canada,” a comparative look at the legal and historical cultures that led to different privacy regimes in the European Union (comprehensive model), the United States (sectoral approach) and Canada (co-regulatory). The session asked which model, one year after the GDPR took effect, would best meet the challenges of tomorrow. Darren addressed the U.S. and European perspectives, surveying U.S. sector-specific legislation; discussing federalism and states as “laboratories for experimentation,” as evidenced by the California Consumer Privacy Act and the Washington State bill; and describing the major federal legislative proposals put forth in Congress and by federal agencies, private corporations, and associations such as Privacy for America or think tanks such as CIPL and the IAF. Darren concluded that any federal or state legislation should focus on interoperability with the major common concepts of significant privacy standards around the world to reduce the cost of implementation for businesses and to facilitate digital trade. Each law can do so in line with the specific cultural and historical principles for its jurisdiction, such as First Amendment rights in the U.S., but laws that have an eye towards syncing with other major standards to interoperate together will be the laws and regimes that rule the accountability- and risk-based data galaxy of the future.

To request copies of any slides used during the above sessions, or to learn more about how TrustArc can help your organization with privacy compliance technology solutions, consulting or assurance programs/certifications, contact TrustArc today.