Moving on From the Ombuds Model for Data Protection in Canada
Both the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act adopt an ombuds model when it comes to addressing complaints by members of the public. This model is also present in other data protection laws, including public sector data protection laws at the provincial level, as well as personal health information protection legislation. The focus of this short paper is the model adopted in PIPEDA and its ongoing suitability. PIPEDA was designed to apply across the full range of private sector actors and is increasingly under strain in the big data society. These factors may make it less well suited to the ombuds model than public sector and health sector data protection laws. This paper argues that it is time to move on from the ombuds model for data protection in Canada. This will not simply require the addition of new enforcement powers for the Privacy Commissioner, but will also entail a more substantial reform of PIPEDA.