In a year of headline-grabbing privacy developments in Canada, the Quebec government saved the best for last. On Dec. 17, just days before Canada’s national privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), was scheduled to take full effect, the Quebec government initiated a constitutional challenge that threatens the law’s very existence. That challenge will likely kick off before the Quebec Court of Appeal early in 2004 and make its way up to the Canadian Supreme Court either very late this year or early in 2005.Critics of the privacy statute have used the constitutional challenge to increase the volume of their dire warnings. In the words of skeptics, PIPEDA is a “tax,” a “multi-dimensional mess,” “unhinged,” “vague,” “ungainly” and now “constitutionally suspect.” What the critics don’t say is that the alternatives breed even greater business uncertainty, create the prospect for a data trade war with the European Union and simply don’t make sense in an era where provincial boundaries are largely irrelevant to most commercial transactions. While critics often claim that the privacy law creates uncertainty within the business community, the truth is that a diverse collection of provincial privacy statutes would create a far more complex — and more expensive — legislative framework. Businesses of all sizes that shudder at the prospect of complying with a single privacy law, should consider the chaos of a framework featuring up to a dozen potentially conflicting privacy statutes.The United States has long recognized the danger of multiple competing laws addressing the same issue by adopting the doctrine of pre-emption to cut off conflicting state laws with a single federal standard. For example, the recent decision by the U.S. Congress to pass anti-spam legislation was heavily influenced by the dozens of state anti-spam statutes. After California passed a state anti-spam law with far more onerous obligations than those found elsewhere, Congress was urged to set a national standard and pre-empt California’s statute.A world where a typical consumer transaction may involve a product originating in British Columbia, a retailer in Alberta, a credit-card provider based in Ontario, a call centre in New Brunswick, and an order fulfillment provider in Quebec, recognizes that personal data traverse provincial boundaries with ease. Arguing that local businesses will struggle to comply with PIPEDA misses the larger point: the alternative would burden those same businesses with multiple provincial standards.Critics of PIPEDA also claim that the federal statute lacks effective enforcement powers. While I too have argued that better enforcement is needed, a move toward multiple provincial privacy laws would actually exacerbate the enforcement problem. Quebec’s private sector privacy law has been in place for many years, yet there has been little discussion about the need for businesses operating in Quebec to comply since the reach of provincial privacy commissioners is far more limited than that of a federal commissioner.By establishing a national privacy minimum but enabling provinces to enact their own “substantially similar” legislation, PIPEDA establishes an appropriate compromise between the interests of the federal and provincial governments. Moreover, it creates regulatory efficiencies by allowing businesses to address privacy compliance through a single national standard.A finding that PIPEDA is unconstitutional would also set off a costly chain reaction from the European Union. The EU was an early privacy-law leader, establishing comprehensive privacy protections throughout Europe in the mid-1990s. The EU sought to extend those protections outside Europe by blocking the transfer of personal information to any non-EU member state that did not establish “adequate” privacy protections.PIPEDA received the EU’s seal of approval in 2002, thereby removing the threat of data blockages between Canada and European countries.
`Stakes in the constitutional challenge (to data privacy law) are enormous’