New privacy regulations coming into force in Europe next year are calling into question whether Canada's approach to privacy is keeping up with its global peers.
Industry observers are suggesting that if Canada does not continue to modernize its approach to privacy, it could face roadblocks in maintaining its status as an adequately protected jurisdiction – a status that allows for more fluid trade with the European market.
In May, 2018, Europe's new General Data Protection Regulation (GDPR) will come into force, and will impose sweeping changes on how privacy is protected in the European Union.
Businesses with operations there are – or should be – working to prepare for that deadline, but the regulation could affect privacy controls beyond EU borders as well.
Right now, Canada has "adequacy" status from the European Commission, which determined in 2001 that Canada's law under PIPEDA (the Personal Information Protection and Electronic Documents Act) was strong enough to satisfy that any data transferred from the EU to Canada would be adequately protected. But things are changing.
"We cannot take for granted that Canada would be recognized as adequate under the GDPR, because it is very different from our current legislation, and very different from the previous European legislation under which we were deemed adequate," said Chantal Bernier, former interim privacy commissioner of Canada, and an adviser in the privacy and cybersecurity practice at law firm Dentons Canada LLP.
The new regulations are far stricter than their predecessors in Europe and the rules in many countries. They will have an impact on marketers, since gathering and storing customers' data is becoming a valuable part of targeted advertising. Any ad agencies doing business with clients in the EU, or companies targeting ads to potential customers there will have new rules to contend with – including the law's broadened definition of personal information to include computers' IP addresses.
The law also allows individuals in many cases to withdraw their consent for companies to keep their data, particularly if the use of that information is not related to the reason that it was collected in the first place. And they have the right to ask to see the data companies have about them.
But the law goes way beyond marketing: It also changes the way companies must handle their own employee data and how they protect against the kind of data breaches that have made headlines in recent years – and how such breaches are reported. Penalties for non-compliance could be up to €20-million (almost $30-million Canadian) or 4 per cent of a company's total global revenue, whichever is greater.
Adequacy status is important, because it allows for fluid exchange of personal information between the EU and Canada for commercial purposes. It paves the way for Canadian companies to do business with firms and consumers in Europe.
"They know that they are transferring information to a company that is in compliance with the obligations that they are under," Ms. Bernier said.
For trade purposes, losing that status would make doing business much more difficult. In any circumstance where data is moving digitally across those borders, more onerous measures would be needed to ensure European firms could trust that the Canadian firms are compliant under their new stricter laws.
"The flow of information needs to happen," said Kris Klein, partner at law firm nNovation LLP and an expert in privacy and information security. "We do a lot of trade with European companies. In my practice, probably 25 to 30 per cent of it is dealing with European organizations doing business in Canada or vice versa. That's a fair amount of data flow that goes back and forth."
The U.S. does not have adequacy status, but has its own treaty called Privacy Shield to enable such trade. Just 11 countries, including Canada, have adequacy status with the EU, and in coming years, those countries will be up for review: Article 45.3 of the European regulation provides for "a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organization."
"There are still a number of areas where I think if the Europeans were looking at us, they'd say we fall short," Mr. Klein said. The last major change to PIPEDA came in 2015, when the Digital Privacy Act passed into law. That made it mandatory for organizations to report any data breaches to the Office of the Privacy Commissioner of Canada (OPC), or face fines of up to $100,000. But some believe Canada needs to do more.
For example, enforcement of both Canada's Privacy Act and PIPEDA is still, largely, driven by complaints. As federal Privacy Commissioner Daniel Therrien said in a recent speech, "people are unlikely to file a complaint about something they do not know is happening, and in the age of big data and the 'Internet of Things,' it is very difficult to know and understand what's happening to our personal information."
This calls into question not just whether people will make complaints that could trigger enforcement under the law, but also whether individuals are given the chance to provide meaningful consent when their information is collected. (The fine-print complexity of privacy policies does not help matters. The OPC has been pushing for the development of privacy policies that are easier to digest for consumers.)
Since February, the House of Commons' standing committee on access to information, privacy and ethics has been holding meetings to review PIPEDA, and to hear from witnesses across industry, the regulatory and academic spheres, and other individuals. Whether it will lead to changes in the law has yet to be determined.
"I am looking forward to hearing from the Canadian government how they are addressing the issue of an eventual review of Canada's adequacy status under GDPR," Ms. Bernier said.
In an appearance before the standing committee in February, Mr. Therrien suggested that lawmakers should consider bringing Canadian law "closer to European law, if not to the same place." He has also been asking the government for greater enforcement powers, including the right to make orders to comply, and to hand down fines for those who don't. At this point, the federal watchdog "is, in many respects, weaker than some of our provincial and international counterparts," he told the committee.
Mr. Klein pointed out that when PIPEDA was originally passed in the late 1990s, part of the motivation was a response to regulation in other markets, particularly the EU – and a desire to demonstrate that Canada had equivalent protections in place.
"Maybe it's a sad state of affairs that we're going to be pressed into doing something that is long overdue," Mr. Klein said. "But I do think that it ultimately is going to be what happens."