Good enough by design keeps most data flowing
I visited a cannabis store in Canada last week out of professional curiosity.
Outside there was a notice along the lines of “no-one under 30 may enter this store.”
I knew from our research on the personal data aspects of cannabis, published in PL&B International Report August 2021, that there are strict rules in Canada on the collection and processing of personal data related to the sale of cannabis products. So I went in and asked the person behind the counter whether she knew about these rules. She did not know about these regulations.
She asked me for some details and I explained a few points, for example, the collection, processing and retention of video images and the regulators’ advice for customers to pay by cash to avoid subsequent security issues with payment cards.
The display of many types of well-packaged and clearly labelled products showed that the store was run in a clean and efficient way, like a well-run speciality food store. If this store came to the attention of British Columbia’s Information and Privacy Commissioner, responsible for enforcement of these specialised data rules, and there were an inspection visit, the assessment might be that it had reached the good enough standard in some areas, despite the lack of staff training. There might be a follow-up communication with recommendations rather than formal enforcement action.
What does “good enough” mean in the privacy law context?
Companies: Some organisations work towards high data standards driven by a combination of ethics, law and reputation. Others aim for “good enough” in some areas, but from which perspective do you take a view? The concern about your organisation’s reputation with consumers and employees? Concern about avoiding Data Protection Authorities’ attention? Concern about keeping compliance costs within budget?
Governments: The United Kingdom government is still assessing 40 jurisdictions (the European Economic Area member states and those currently declared to be adequate such as New Zealand and much of the private sector in Canada) to evaluate whether they meet the standard “not materially lower” than that of the UK.
In the context of tight budgets, it would have been easier, in principle, for the UK government to declare that if these jurisdictions meet the EU’s “adequacy” standard, it would be “good enough.” The UK would save time and resources by accepting these decisions and move on to a new and independent review of the next countries in line for assessment, Kenya and Brazil, and then others. In this case, the government is choosing to not go the easy “good enough” route.
Data Protection Authorities, as we learned at our Ireland conference on 6 February, often have to decide how to allocate their resources to helping companies move in the right direction at an early stage of developing products and services, rather than taking enforcement action at a later stage.
The two-yearly assessment of 172 privacy laws around the world by Professor Graham Greenleaf shows that there are almost as many types of laws as countries. All reflect the political culture from which they emerge, which means that not all follow the familiar Euro-centric model. Some new laws have an independent regulator, such as in Ethiopia. Others, including Guyana in the Caribbean region, have adopted a law but have not followed up with the appointment of a regulator. 15 countries have official draft laws but have not yet enacted them. This legislative patchwork might appear “good enough” for some companies but not for privacy advocates.
Faced by this daunting list of different types of privacy laws, it is not surprising that some companies accept the EU “gold standard” and apply it to their business everywhere. Other companies make an assessment of the risk of being sanctioned by regulators, consider it low, and make less effort to comply.
The US is going its own way with California’s influential privacy law, but the separate states follow different models and there is no dominant state law. The federal level Final Rule, issued on 8 January this year, prohibits or restricts US persons from engaging in certain transactions involving personal and some other data that would result in access by countries of concern including China and Hong Kong, Russia, Iran and Venezuela. There is no room for “good enough” in this case.
“The Good, the Bad and the Good Enough” is the title of this year’s PL&B conference in Cambridge, 7-9 July.
Conference sessions have the broad theme of helping you understand how different types of companies in many countries are working, in practice, towards at least a “good enough” standard from different viewpoints.
This year you are welcome to be a speaker in the Debate at the Cambridge Union for or against the motion: This House believes the concept of “special category data” needs reforming.
To apply, explain in up to 100 words the points you wish to make and e-mail your proposal by 30 April to info@privacylaws.com with “Debate” in the subject line. This process will encourage diversity of speakers and avoid overlap.
We look forward to responding to your questions, receiving your registration and meeting you in Cambridge in just over three months from now.
Regards
Stewart Dresner
Publisher, Privacy Laws & Business
April 2025