The provinces are tackling privacy regulation; the feds need to step up
By Abu Kamat, CCI Policy Advisor
In Quebec, Ontario, Alberta and British Columbia, provincial governments are in various stages of public consultations on privacy legislation reform. Given that Canada’s key overarching legal framework, the Privacy Act, was created before the advent of the internet, this is not only natural, but long overdue.
However, instead of a patchwork provincial approach, as MPs return to Ottawa, sensible privacy regulation should be an urgent federal priority, and CCI is hoping for something much better than Bill C-11, which died on the Order Paper this summer when the campaign was called.
We are living through a revolution, one where internet-connected devices and software-enabled services are embedded in every facet of our lives. The digital revolution is arguably the most transformative trend happening in the world today, affecting the way we work, how we learn, what we do for entertainment, and how we perceive the world. As these digital technologies proliferate, and increasingly become the backbone of our whole society, they generate enormous amounts of data, much of which is incredibly personal — your location, your medical history, and your deepest desires.
Naturally, grappling with the privacy implications is a key dimension of this shifting landscape.
For CCI, the overwhelming majority of our membership is impacted in some way by privacy regulations, and as leading experts in innovation and technology commercialization, our CEOs are heavily invested and knowledgeable about responsible data usage and privacy.
That’s why our members have been calling for the federal government to implement a national data strategy since 2018. As our chair Jim Balsillie has emphasized countless times: “Data is not the new oil — it’s the new plutonium. Amazingly powerful, dangerous when it spreads, difficult to clean up and with serious consequences when improperly used.”
If any elected official felt like radioactive plutonium was flying around their community, potentially harming their citizens, they would feel compelled to step up and do something about it. Equally, as policymakers come around to the idea that data is the most potent economic resource in our digital economy, they are eager to get involved.
The same sentiments of urgency and eagerness are reflected in the technology sector. The manner in which privacy and data is handled will undoubtedly have a transformative impact on the way high-growth technology companies interact, operate, and grow within provincial innovation ecosystems.
Consequently, on behalf of our members, if any Canadian government is holding consultations about data and privacy regulations, we will be there to offer expertise and input. In Ontario, Quebec, Alberta and B.C. we’ve already been actively engaged in the process.
Over the past few months, CCI has offered submissions to each provincial government outlining key principles that should guide the development of their privacy reforms. Policy makers should consider how these regulations will actually impact the companies operating in the data economy, especially Canadian data-driven businesses. Any new regulations should avoid issues like the fragmentation of policies across provinces, unclear definitions, inefficient enforcement of rules and regulations, and unnecessary red-tape that would stifle the potential of domestic technology companies.
On the whole, domestic innovators want to be good stewards of privacy. We believe innovation and privacy are not odds. Our members welcome each government’s effort to design a new and updated framework that allows it to govern the economic and non-economic effects of the data-driven world where the collection, use and monetizing of personal data is at the centre of new business models.
That being said, while these provincial consultations represent a valiant effort to better align policy with the realities of a data-driven economy, having various governments within Canada independently setting regulations for data and online privacy issues is a recipe for disaster. The worst possible outcome for the innovative companies impacted by new rules would be a patchwork-quilt approach, with differing standards from province-to-province.
Technology companies operate globally, selling software and services over the internet to dozens of countries. No matter how well-intentioned, various different governments creating divergent regulations on data collection, usage and privacy will introduce significant hurdles to businesses. In the best-case scenario, a patchwork approach will create heavy regulatory compliance costs; in the worst case scenario, companies will simply refuse to sell their products in smaller jurisdictions, if the market isn’t big enough to justify compliance costs.
There is already a global conversation unfolding about how governments should approach privacy in a synergistic manner, with jurisdictions like Europe and California taking leadership. The EU’s General Data Protection Regulation (GDPR) in particular is the most widely adopted data governance framework and is often hailed as the north star to follow for good privacy legislation. The GDPR’s overarching goal is to enhance individuals’ control and rights over their personal data while simplifying the regulatory environment for business.
We thought the federal government was working on a similar framework for Canada, when at the end of 2020, then-minister Navdeep Bains introduced Bill C-11 in the House of Commons. Frankly, the resultant ‘generational update’ to Canada’s privacy laws did not get a warm reception by experts.
Federal Privacy Commissioner Daniel Therrien called the updated legislation “a step back overall” for privacy regulation in Canada. In fact, provinces have indicated that their pursuit of a regional privacy framework is a reactionary measure to fill the critical gaps of Bill C-11. Ontario minister of Government and Consumer Services Ross Romano recently told The Logic that the province is moving to make its own law because, “We need this legislation in this area, because unfortunately, the federal government has not hit the mark on ensuring that we’re protecting people’s rights of privacy.”
For CCI’s membership, the failures of Bill C-11 reflect the lack of engagement between the federal government and domestic innovators whose stake in the issue is too significant to ignore. Minimal communication has effectively led to a ‘transformative’ piece of legislation that, in its first iteration, failed to effectively balance public good with the economic potential of data-driven companies and markets.
Given the backlash to Bill C-11, we applaud the provinces for stepping up and wanting to engage in this conversation. But as important as what we do is how we do it, and even with the best of intentions, a fragmented approach, with differing standards in B.C. and Ontario, Alberta and Quebec, would be a nightmare for business.
This is not to say the provinces don’t have a role to play. In fact, certain important items like data mobility or localization will most definitely require the provincial governments to have some regional regulation in place. However, to help guide the development of provincial legislation, the federal government must step up and take a meaningful leadership role in the ongoing conversation around digital privacy.
The first step would be to consult with industry and the Federal Privacy Commissioner and fill the identified gaps in Bill C-11 to set the appropriate governing standards for provinces to follow — not the other way around. This will establish synergy amongst new provincial legislations and encourage interoperability. A carbon copy of GDPR is not the answer. While GDPR contains many important principles Canada can learn from when crafting its own privacy legislation, the breadth of GDPR’s compliance framework has in practice proved to be difficult for companies to interpret and tedious for them to effectively operate within. It is essential that Canada take the necessary precautions and evaluative measures to learn from the impact of GDPR as it positions its own regulatory framework. This will ensure Canadian companies do not fall victim to the same pitfalls.
As the government resets and re-engages following the federal election, there is an opportunity for Canadians to pause and reflect on critical issues facing our economy. Privacy protections and industry growth can be mutually reinforcing and CCI is determined to continue discussions on how best to enhance fundamental personal privacy rights while positioning Canada to be a leader in the 21st Century innovation economy.
Abu Kamat supports CCI’s federal and provincial leads as policy advisor. He can be reached at akamat@canadianinnovators.org.