Author(s):
Adam Kardash, Andrew MacDougall
Dec 1, 2021
The concept of demonstrable accountability in privacy law is dynamic and evolving, according to Osler’s Adam Kardash, Partner, Privacy and Data Management. Adam and special guests Andrew MacDougall, Partner, Corporate, Bojana Bellamy, President of the Centre for Information Policy Leadership, and Martin Abrams, Executive Director and Chief Strategist for the Information Accountability Foundation, discussed in November’s AccessPrivacy roundtable call how demonstrable accountability shows up in ongoing legislative reform discussions and interacts with corporate governance principles.
Accountability — organizations being responsible for the personal information in their possession and implementing policies and procedures accordingly — is a cornerstone of Canadian private-sector and health privacy laws. In 2012, Canadian privacy commissioners announced their expectation for organizations under investigation to be able to demonstrate their comprehensive privacy programs. While the term itself does not appear in the text, Québec’s recently passed Bill 64 incorporates several features of demonstrable accountability, such as requiring internal policies, transparency and privacy impact assessments under an enforcement regime. The concept likely will manifest in other jurisdictions as conversations continue around privacy legislative reform across the country.
Globally, demonstrable accountability has developed significantly over the last decade. The concept appears in legislation in Brazil, Singapore and Australia, and in the European Union’s General Data Protection Regulation (GDPR), among other legal sources. Not only do regulators expect companies to demonstrate their robust privacy programs, but shareholders, the media and the general public demand that these organizations be held accountable and act responsibly in the ways in which they store and use data. As corporations re-evaluate their roles in society amid the broader ESG movement, they should also ask themselves if their treatment of data is consistent with their values and society’s expectations. With the volumes of data in their control increasing rapidly, corporations must keep up with both public perception and the law in order to safely capitalize on the business opportunities this data presents.
One challenge regulators face is preventing accountability from becoming a simple tick-the-box exercise. Being a data-responsible organization means more than just producing certain documentation, although it can be difficult to simultaneously have an active, robust program and to innovate and deliver value through the use of data. Moving beyond a system of compliance as society’s views on data and privacy evolve, to one where companies have flexibility to find new ways to use data creatively and to demonstrate their accountability, will be a large part of the conversation going forward.
Watch the Webinar on Demand