Industry Committee on Nov. 2nd, 2023

I will offer a quick comment. There is some concern as to who will be appointed and by whom. If there's only going to be one privacy expert on the tribunal, who is appointed by the industry ministry, whose interest is to promote commerce, it undermines fairness. We also are concerned, though, that if a commissioner's decision ends up having to be reviewed, and then the offending organization has the opportunity to exhaust all of its legal recourse—as Mr. Lawford said— that this creates delay.

Then a private right of action kicks in. I now get the honour and pleasure to hire a lawyer and spend even more money and more years, with the offending organization having much deeper pockets than most people, I would venture. Up to what point...? By the time they have exhausted their legal recourse, am I even going to be alive?

Oh, my God! Do we have to pick a number? Should we try to get on board together with what numbers we're going to go for here?

Oh, oh!

I would rate it south of five, if I'm being generous, although I don't know where we're at. Given our mandate to look at fundamental rights and privacy, it is a failure on both fronts. Maybe five is high.

I give it a two.

Do you know what? I'm going to go with two.

Oh, oh!

I think you're being very generous at five.

It's a starting point. It has drawn attention. It has turned your minds, and the discussions have turned your minds to some of the very many problems that have to be faced. As a starting point...yes, okay. As to what it is now, I'd say about a one—generously a one and half.

I think together we each give it a one—so two.

Maybe a three.... I may be more charitable, but I think it was well intended. I don't ascribe malicious motives to it, but it has a lot that needs to be improved.

I'd rate it between a three and an undeciphered symbol. We simply don't know what AIDA will be in the final version. We don't have every piece of the puzzle.

As a starting point, as a white paper that we could then run a consultation around, sure, it's a great start. However, at the speed it's moving, I can't give it a positive rating.

Should we make them more widely used? Yes, absolutely. The problem comes in when many organizations leave it to the operational people in the departments to do the preliminary assessment, such as on whether they think this new product or system or whatever will have an impact, when the people do not understand what privacy is, what privacy laws require and what the rights and responsibilities are.

They're under the gun. They have budgets. They have deadlines and go, “Nope, no privacy problem here.” They don't understand the unintended consequences. They don't understand the technology, the law or the business side of it. They're looking at it from a very narrow perspective. That's the first point. We need more education. There needs to be a mandate about all of this to the people in the organization.

The other part that's really critical is that an awful lot of organizations require that whoever does the privacy impact assessment follows the guidelines of their jurisdictional privacy regulator commissioner. Those tend to be checklists. They do not want fulsome legal analysis. They do not want the full picture. They want to be able to say, “We did a PIA. Tick that box. Move on. Next. Let's get business done.”

That's the public and the private sector.

We should, but we also need to have the people as the GDPR requires. The people who are in the position to do the PIAs, the privacy officers, must be independent within the organization and speak directly to the highest level of executive in that organization.

Now they are underlings. Even when they are lawyers who do the privacy work, a lot of our members who are the access and privacy people in the organization have to report to a very lengthy chain of command within the organization very often, and they don't have much say. They have very little authority. That has to be changed.