In the current legislation, the first principle is referred to as “accountability” in English and “responsabilité” in French. As I understand it, the term “accountability,” in an accounting sense, means a “reddition de comptes.” In other words, it means that the responsible party must report to its constituents on how it has carried out its responsibilities.
In the current PIPEDA, the term “accountability” is referred to as “responsabilité” in French. Responsibility ends before accountability. It's already a lot, but it ends before accountability. Responsibility consists of adopting procedures to implement the other principles of the legislation, including consent, openness and access.
The company or organization fulfills its obligation to take responsibility by adopting procedures. However, the company or organization isn't accountable, either to users or to the regulatory agency, when it comes to demonstrating that the procedures implement the PIPEDA principles.
One consequence of Facebook—and there are other signs of this—is that it can no longer be trusted. The principle of accountability is important. Companies must take responsibility, and the entire privacy burden mustn't be placed on users. It would be unrealistic to think so. Companies must take responsibility.
The case of Facebook, for example, clearly shows that the fact that the legislation imposes a responsibility doesn't mean that the obligation will be fulfilled, hence the need to require accountability. Companies must be required to show that they've adopted procedures to implement the principles of the legislation, while providing proactive inspection powers.
Under one model, companies would provide a report to the regulatory agency on the procedures that they've adopted. The reports would be similar to the privacy breach reports, which have been a legal obligation since November.
Imagine legislation where companies must provide a report to the regulatory agency on the procedures that they've implemented to fully comply with the PIPEDA principles. The regulatory agency, which has limited resources, would review the reports and note issues in certain places. It would inspect the companies, and perhaps it would find violations and penalize the companies.
If responsibility were to lead to true accountability, a real accountability in accounting terms, it would eventually have an impact on the entire industry, because companies wouldn't want to run the risk of being inspected and penalized.