Who Watches the Watchers

Strengthening Accountability Together

March 26, 2026

#PrivacyInPracticeCA

Introduction: Accountability Benefits Everyone

Independent oversight of digital trust and identity systems serves everyone’s interests. It provides citizens with assurance that their rights are protected. It provides governments with validation that their systems meet standards. It provides responsible industry players with a level playing field where compliance is verified and non-compliance is identified.

The FPT Joint Resolution called for governments to establish clear accountability mechanisms, “including providing authority and resources for regulators to exercise adequate oversight.”[1] This principle recognizes that systems affecting fundamental rights require accountability mechanisms beyond self-reporting. Trust in digital trust and identity depends on verification, not just assertion.

DIACC supports strengthened oversight of digital trust and identity. Oversight serves our members’ interests and the public interest. This article examines the current oversight landscape, the value and limits of self-regulation, and the requirements of effective accountability.

Why Oversight Matters

Digital trust and identity systems affect fundamental rights: privacy, autonomy, access to services, and freedom from discrimination. Systems that affect fundamental rights require robust accountability.

The Stakes Are High

Digital trust and identity credentials may be required to access government services, open bank accounts, verify age for restricted products, prove professional credentials, and countless other purposes. Errors in these systems, whether wrongful denial, privacy violation, or discrimination, can have serious consequences for individuals.

When systems work well, their operation is invisible. When they fail, the consequences are visible and often harmful. Oversight mechanisms exist to identify and correct failures before they cause widespread harm.

Trust Requires Verification

The digital trust and identity market depends on Canadians trusting that systems protect their privacy and function fairly. This trust must be earned and maintained.

Unverified claims of privacy protection or fairness are insufficient. Citizens have no way to independently assess whether systems meet stated standards. External oversight provides the verification that trust requires.

Organizations that meet high standards benefit when oversight confirms their compliance. Oversight distinguishes genuine leaders from those who merely claim leadership. In a market where trust is the currency, verified compliance creates a competitive advantage.

Collective Accountability

When any participant in the digital trust and identity ecosystem violates trust, the entire ecosystem suffers. A single high-profile breach or discrimination case can undermine confidence in digital trust and identity broadly, affecting organizations that had no involvement in the failure.

This interdependence creates collective interest in accountability. Responsible organizations want mechanisms that identify and address bad actors, not just for public protection, but for ecosystem protection. Oversight serves the interests of those who meet standards by ensuring that those who do not are identified and addressed.

Current Oversight Landscape

Digital trust and identity currently operate under multiple, fragmented oversight mechanisms. Understanding this landscape helps identify gaps and opportunities.

Privacy Commissioner Oversight

Federal and provincial privacy commissioners have jurisdiction over digital trust and identity systems within their mandates. The Office of the Privacy Commissioner of Canada oversees federal government and private sector systems subject to PIPEDA. Provincial commissioners oversee provincial government systems and, in some provinces, private sector systems.

This oversight has produced essential guidance and enforcement. Commissioner Dufresne’s strategic priorities include addressing the privacy impacts of technological change, alongside championing children’s privacy.[2] The OPC’s biometrics guidance, published in August 2025, provides clear expectations for the handling of biometric data.[3] Investigations and findings shape organizational practice.

But privacy commissioner oversight faces significant constraints. The OPC has repeatedly identified resource limitations and the need for permanent funding to effectively address investigation backlogs.[4] With limited resources, commissioners must prioritize, meaning many systems receive no proactive oversight.

Sectoral Regulators

Financial services regulators oversee identity verification in banking and financial contexts. Telecommunications regulators have jurisdiction over identity in that sector. Professional regulators oversee credential verification in their domains.

This sectoral approach provides specialized expertise but creates fragmentation. A comprehensive digital trust and identity system may span multiple sectoral jurisdictions, with no regulator having complete visibility. Coordination across regulators is challenging.

Self-Regulation

Organizations like DIACC provide standards and certifications through mechanisms such as the Pan-Canadian Trust Framework. These frameworks establish baseline requirements and verify compliance through assessment processes.

Self-regulation provides valuable standards and drives improvement. DIACC’s PCTF has helped establish common expectations and identify leading practices. Certification assures that organizations meet defined standards.

The Legislative Gap

Bill C-27’s collapse in January 2025 left Canada without modernized privacy legislation. PIPEDA’s framework, while foundational, was designed before modern digital trust and identity architectures existed. The legislation does not adequately address issues such as algorithmic decision-making, cross-border data flows, or the specific risks posed by identity systems.

This legislative gap affects oversight capacity. Regulators work with tools designed for a different era. Enforcement mechanisms may not match current threats. All stakeholders would benefit from modernized legislation that provides clear rules and adequate enforcement authority.

The Value and Limits of Self-Regulation

DIACC’s Pan-Canadian Trust Framework provides valuable standards and certification. We are also candid about where self-regulation fits within a broader accountability ecosystem.

What Self-Regulation Provides

Self-regulation offers distinct advantages. Industry organizations understand technical details that general-purpose regulators may not, and standards developed by practitioners reflect practical implementation knowledge. Self-regulatory frameworks can also update more quickly than legislation: when new threats or technologies emerge, industry standards can respond faster than legislative processes allow. Industry-funded standards development does not compete with other demands on public resources, and organizations that benefit from standards contribute to their development. Even imperfect self-regulation establishes expectations that would otherwise be absent, giving organizations clear targets to meet.

What DIACC Provides

DIACC is a strategic alliance representing members committed to advancing digital trust and identity in Canada. Our Pan-Canadian Trust Framework establishes technical and operational standards, provides assessment and certification, and drives continuous improvement among participants. This work creates real accountability: organizations that fail to meet PCTF standards cannot claim certification, and those that fall out of compliance face revocation.

Where Self-Regulation Ends

Self-regulatory frameworks operate within natural boundaries. Participation is voluntary, so organizations that choose not to seek certification are able to operate outside the framework. Certification consequences, while meaningful in the market, differ from the legal enforcement powers that regulators hold. And while DIACC strives to serve the public interest through our work, our governance structure is accountable to members rather than directly to the public.

These boundaries are inherent to how self-regulation functions, not limitations unique to DIACC or reflective of the value our framework provides. They simply describe where self-regulation ends and where independent oversight begins.

Why Both Are Necessary

This is precisely why DIACC supports strengthened independent oversight. A well-functioning accountability ecosystem needs multiple layers: industry-driven standards that reflect technical expertise and move at the pace of innovation, and independent oversight that provides legal authority, universal coverage, and direct public accountability. These layers complement rather than compete with each other. The privacy commissioners are right to call for robust oversight mechanisms, and responsible industry participants benefit when those mechanisms exist.

Why Industry Should Support Independent Oversight

Independent oversight serves both industry and public interests.

Market Trust

The digital trust and identity market depends on public trust. When Canadians trust that digital trust and identity systems protect their privacy and operate fairly, they adopt them. When trust is low, adoption lags regardless of technical capability.

Independent oversight builds this trust more effectively than industry assertions. Citizens are appropriately skeptical of claims that they cannot verify. External validation provides the verification that self-assertion cannot.

Level Playing Field

Organizations that invest in privacy protection and fairness face a competitive disadvantage if others can claim similar protection without making similar investments. Independent oversight levels the playing field by verifying claims.

When oversight identifies non-compliance, it protects compliant organizations from unfair competition. When all organizations face the same accountability standards, competition occurs on legitimate dimensions rather than on willingness to cut corners.

Risk Management

Independent oversight can identify problems before they become crises. External review provides a perspective that internal assessment may lack. Issues that organizations rationalize internally may be evident to external reviewers.

This early identification benefits both organizations and the public. Addressing issues proactively is less costly than responding to crises. Organizations that welcome external review as a risk management tool benefit from the perspective it provides.

What Effective Oversight Requires

Effective oversight of digital trust and identity requires several elements. Understanding these requirements helps identify where current mechanisms fall short and where investment is needed.

Adequate Resources

Privacy commissioners and other oversight bodies need funding commensurate with their responsibilities. Oversight of a rapidly evolving, technically complex domain requires technical expertise, investigative capacity, and ongoing learning. Underfunded oversight cannot fulfill its mandate.

The OPC has repeatedly identified resource constraints as limiting its effectiveness. Proactive audits, technical analysis, and timely investigation all require staff with relevant expertise. When resources are limited, oversight becomes reactive rather than proactive, responding to complaints rather than identifying problems before they cause harm.

Adequate resourcing is not solely a government responsibility. Industry benefits from effective oversight and can support adequate funding through advocacy. Civil society can advocate for oversight resources to be prioritized.

Clear Authority

Oversight bodies need clear legal authority over digital trust and identity systems. This includes authority to investigate proactively, access relevant information, require remediation, impose meaningful penalties, and publicize findings. Ambiguous or limited authority undermines the effectiveness of oversight.

Current authority is fragmented and sometimes unclear. Different systems fall under different jurisdictions. Some systems may fall into gaps between jurisdictions. Legislative modernization should clarify authority and ensure comprehensive coverage.

Sector Expertise

Digital trust and identity oversight requires an understanding of the specific technologies, business models, and risks involved. General-purpose oversight bodies may lack this expertise. Mechanisms for developing and maintaining sector expertise are essential.

Practitioners’ expertise must be continuously updated. Digital trust and identity technologies evolve rapidly. Threat landscapes change. Business models adapt. Oversight bodies need ongoing learning and access to current technical knowledge.

Balanced Application

Oversight should apply to governments and the private sector alike. Government digital trust and identity systems affect citizens as significantly as private-sector systems do. Accountability mechanisms that cover only one sector leave gaps and create inconsistent expectations.

Some argue that government systems face different constraints and should have different standards. While implementation details may differ, the fundamental accountability principles should apply equally. Citizens deserve assurance that all systems affecting their identity meet appropriate standards.

DIACC’s Approach

DIACC supports the development of effective independent oversight through the following approaches:

Legislative reform: We educate on and promote the benefits of modernizing privacy legislation to provide clear rules and adequate enforcement authority for digital trust and identity.

External engagement: We are prepared to engage constructively with external assessments of our certification processes and standards.

Transparency: We support transparency in certification activities, including reporting on assessments, issues identified, and remediation.

Regulatory engagement: We participate constructively in regulatory consultations and educate by providing technical expertise to support the development of effective oversight.

We also support continued improvement of self-regulation within its appropriate scope. Self-regulation complements and does not replace independent oversight. Within that complementary role, we work to strengthen PCTF and related frameworks.

The Path Forward

Strengthening accountability in digital trust and identity requires collaborative effort from all stakeholders. No single actor can establish effective oversight alone.

Governments can restart privacy reform and provide oversight bodies with adequate resources and authority. Legislative modernization is slow, but the need has not diminished. Digital trust and identity systems continue expanding while oversight frameworks remain static. This gap widens with each passing year.

Industry can embrace accountability as serving its interests. Communities with effective oversight build stronger trust than those without. Organizations that view oversight as adversarial miss the benefits that verification provides.

Civil society can continue advocating for effective oversight. Privacy advocates, consumer organizations, and public interest groups play essential roles in maintaining pressure for accountability. Their voices help ensure that oversight serves public interests, not just regulated interests.

Oversight bodies can develop the expertise and capacity to fulfill their mandates. This requires investment in technical capability, ongoing learning, and coordination across jurisdictions. Oversight of digital trust and identity cannot succeed with yesterday’s tools and knowledge.

DIACC supports this collaborative effort. We believe accountability serves everyone. We look forward to working with all stakeholders to build oversight mechanisms worthy of the systems they oversee.

Next Week

Article 10 examines Trust and Identity Without Borders: Privacy in a Global Context
How Canada can pursue international interoperability while maintaining privacy protection.


Footnotes

[1] Federal, Provincial and Territorial Privacy Commissioners and Ombuds with Responsibility for Privacy Oversight, “Ensuring the Right to Privacy and Transparency in the Digital Identity Ecosystem in Canada” (St. John’s, Newfoundland and Labrador, September 20-21, 2022). 

[2] Office of the Privacy Commissioner of Canada, “Strategic Plan 2024-27: A Roadmap for Trust, Innovation and Protecting the Fundamental Right to Privacy in the Digital Age” (January 2024). Commissioner Dufresne’s three strategic priorities are: maximizing impact in protecting and promoting privacy, addressing privacy in technological change (including AI), and championing children’s privacy. 

[3] Office of the Privacy Commissioner of Canada, “Guidance for processing biometrics – for businesses” (August 11, 2025).

[4] The OPC has repeatedly identified resource constraints as a challenge. The 2022-23 Departmental Results Report noted the need to “address the chronic underfunding of our office.” The 2023-24 Annual Report to Parliament observed that “without additional permanent funding, the backlog is at risk of remaining high.” The 2024-25 Departmental Results Report noted the OPC’s use of temporary funding to address privacy breaches and complaint backlogs, and the planned reduction in spending once the temporary funding ends.

The Privacy Scorecard

A practical tool for measuring digital identity services against the FPT privacy principles. Assess your organization’s implementation across architecture, policy, user experience, and ecosystem coverage. It is not a compliance checklist or legal advice. Use it to spark conversation, explore unfamiliar concepts, and identify areas worth digging into further.
