My first comment would be that the GDPR is an incredibly complex piece of legislation. It is still being actively reviewed, and there is a tremendous effort globally to understand what certain aspects of the legislation even mean. We're just getting policy guidance from regulatory authorities in the EU, who are starting to elaborate on what some of the features mean.
Having said that, having had the opportunity to go through the act specifically with respect to client mandates, and having spent years working with the data, I feel that there are vast aspects of PIPEDA that would be substantially similar. There will be a distinction for sure in the sheer prescriptive nature—the GDPR is much lengthier and more prescriptive—but there are aspects under PIPEDA's accountability regime, which has been held up as a model globally, that I think will remain intact and will stand the test of time.
The upshot is that adequacy is a matter of EU consideration and, at a minimum, I think that very careful consideration and a fair amount of time should be taken to understand several of the elements, which even the Office of the Privacy Commissioner of Canada has cited do not expressly exist. There are elements, including the one you've cited—the right to be forgotten—and there are others that don't exist in the GDPR.
Our view, at least practically with clients, has been that certainly with respect to adequacy, while it's a very helpful basis on which to allow for transborder data flows, there are other mechanisms that allow for transborder data flows and that can be accommodated. That's number one. Number two, it would be very important not to enter into a rash revision to the statutory framework until we really understand what some of these provisions mean, and that might take a fair bit of time. At a minimum, we're going to be getting opinions in due course from EU authorities as to the sufficiency. That process will afford us an opportunity to understand the nuance and distinction of where we see the shortcomings, and since it's an EU consideration, that should serve as a starting point for consideration of where the actual gaps are.
I'll just make one point. I mentioned it before but I cannot overstress it. There are vast swaths of the GDPR that, I feel, could be read into our existing framework. I think that, as Canadians, we should feel very proud of how our statute has stood the test of time in the wake of substantial change globally.