I'm not an expert on PIPEDA, but I understand that it applies only to private sector organizations. Initially, the act applies only to organizations that are regulated at the federal level, but also to the disclosure of personal information by certain organizations. Finally, I understand that the act also applies to all businesses in the territories as they are deemed to be federal work.
One question relates to this. What if a province passes privacy legislation, even if it is substantially similar? Second, what about government organizations? Would you like to work in a perspective to simply follow the line and remain in the specific context of the private sector organizations, or is there any interest to make the adequacy finding larger by considering other areas as well?
I think we will pay attention to onward transfers more than in the past, to the specific statutes for sensitive data, and pay a lot of attention to the e-privacy regulation to be applied soon. It enters into force by May 25 next year as well.
Some regulation is likely to specify and complement existing provisions in the general regulations in the online world, so you will have substantive provisions, for instance, on cookies, on the protection of confidentiality, and on search engines, particularly with regard to consent.
I had a chance to discuss with your federal commissioner consent in the GDPR as compared to consent in the current directive. One of the major concerns for controllers is whether to collect once again a new consent by the data subject. The answer is that it depends on whether you respect the essence of the future provisions. Did you really collect freely given, specific, and informed indication of the data subject's wishes? Did you provide for an explicit consent to process sensitive data? Could you say that for data other than sensitive data consent is unambiguous? Therefore, you have to discuss which consent is unambiguous in the online world.
This is extremely important, because in case you cannot work on reliable consent anymore, you have to verify which other legal ground is to be...collected, with particular regard to the balance of interest and to legitimate interest.
There are two opinions by the current Article 29 Working Party, plus another one on purpose limitation. I think they may be considered in terms of priority now, with a view to seeing to what extent certain protections or safeguards for the data subject are effective in practice.
Perhaps it would also be relevant to share my views with you on profiling and mass information—