Canadian privacy law is now widely regarded as outdated and ill-equipped to address the emerging challenges that arise from the massive collection and use of personal information. Canada’s private sector privacy law was drafted in the 1990s, well before the advent of a data-driven economy and the need for reform has grown increasingly urgent as Canadian law falls behind comparable rules around the world.
Guided by Canada’s Digital Charter, a roadmap for reform released last spring, Minister of Innovation, Science and Industry Navdeep Bains has promised to lead on privacy reform. While many may expect opposition to tougher privacy rules to come from large Internet companies such as Facebook, my Globe and Mail op-ed notes that a recent report from the Business Council of Canada suggests that a bigger barrier may come from some of Canada’s largest companies, including big banks, airlines, retailers, insurance providers, and telecom giants.
The Business Council report, Data Driven: Canada’s Economic Opportunity, is positioned as the Canadian corporate sector’s vision for creating a legal and policy framework to support both innovation and public trust through stronger privacy safeguards. Yet despite stating that a “foundation of trust requires a policy framework that ensures high levels of data protection”, its recommendations consistently advocate for a cautious approach that would leave Canada lagging behind.
For example, Mr. Bains’ Digital Charter calls for stronger enforcement powers that include granting the Privacy Commissioner of Canada the power to order companies to stop non-compliant activities, increasing penalties, and establishing statutory damages for some offences. The Business Council has a much different vision, noting that its companies said the government should move “carefully” on the issue and cautioning “against adopting the overly prescriptive approach” found in the European Union.
It therefore only recommends “providing the Office of the Privacy Commissioner with limited new powers to order organizations to cease activities that threaten imminent material harm to an individual.” That standard – limited power only in instances of imminent material harm – would render the Privacy Commissioner’s new order making power virtually meaningless.
The report also warns that introducing new privacy rights requires caution or a limited implementation. For instance, it recommends only a “narrowly defined” right to data portability, which plays a central role in open banking by promising to put consumers in control over their own data through the right to have it transferred from one company to another. The recommendation would effectively limit the circumstances under which a company could be required to transfer the customer data.
The same is true for the right to be forgotten, which would require the removal of search results that are “inadequate, irrelevant or no longer relevant.” The Business Council is only willing to back a “limited right” for the right to be forgotten. Similarly, algorithmic transparency is supported only if “the requirement to do so is limited.”
While the Business Council wants to limit new privacy rights, it seeks no limits on corporate transfers of personal information across borders. Indeed, the report argues that Canada is too small to establish a full requirement to store data domestically (known as data localization). It instead supports ensuring that all trade agreements feature a ban on data localization requirements.
In fact, the report even recommends establishing new flexibilities around the notion of obtaining informed consent for the collection, use and disclosure of personal information. As an alternative to statutory requirements, the report envisions the Privacy Commissioner of Canada working with the government to maintain a list of industry codes, standards, and certifications. Companies would be permitted to use compliance with these codes as evidence that they meet their privacy law obligations. If the approach becomes law, big businesses would be free to establish their own government-approved industry standards as equivalent to privacy law.
Privacy has attracted increasing political attention in the new Parliament, with opposition parties repeatedly asking when the government intends to take legislative action to update the law. If the Business Council report is any indication, the privacy reform process will face a rough ride as the Canadian business establishment works to narrow new consumer rights and increased enforcement measures.