Canada’s privacy regulatory framework is characterized by a principles-based, rather than rules-based, approach, putting on the shoulders of organizations accountability for its implementation; and by an ombudsman model providing recommendations rather than exercising enforcement powers. This distinctiveness is about to fade to give way to a new Canadian model. We explore here the general new convergences and divergences between Canadian and foreign privacy law.
The global context
We are witnessing growing uniformity in privacy law around the world through efforts to replicate the European model. States adopt or amend their data protection laws copying the European General Data Protection Regulation. The impetus is both political and economical.
Politically, governments are under pressure from their citizens to address the imbalance of power between individuals and the organizations that hold their data, to create reputation management tools in view of the worldwide, permanent impact of dissemination of personal data through the internet, and to rein in the apparently infinite potential of data monetization. Internationally, the GDPR is perceived as the new standard in this regard.
In the United States, California has also strengthened its privacy regulatory framework with the California Consumer Privacy Act. Its grounding, however, is in consumer protection while the GDPR’s is in the protection of human rights.
Economically, countries want to harmonize their data protection regimes with Europe’s to facilitate access to the European market of more than 700 million consumers. Domestically, their objective is to allow responsible data use in favour of innovation.
It is through these trends that the modernization of Canadian and foreign privacy law finds new convergences and divergences.
Some international convergences
In Canada, proposals to modernize privacy law are found in the Canada Digital Charter, issued in 2019 by the federal government, Quebec’s Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, tabled in June 2020, and the Ontario Consultations to Strengthen Privacy Protections of Personal Data, launched in August 2020.
As elsewhere, the three initiatives borrow heavily from the GDPR. In particular, transparency and consent requirements are enhanced on the model of Articles 7, 12 and 13 of the GDPR, the creation of a new portability right is proposed, as in Article 20 of the GDPR, as well as a right to de-indexation, inspired by the right to erasure in Article 17 of the GDPR. Each initiative undertakes to create or increase enforcement powers. Quebec’s Bill 64 provides for fines in “the amount corresponding to 4% of worldwide turnover for the preceding fiscal year,” essentially a copy-paste of Article 83.5 of GDPR
Quebec also proposes to make privacy impact assessments mandatory in certain circumstances, akin to the Data Protection Impact Assessments required at Article 35 of the GDPR. Bill 64 also strengthens current section 17 of its Act respecting the protection of personal information in the private sector on disclosure of personal information outside Quebec with equivalence conditions akin to Chapter V of GDPR on cross border transfer of personal data. Granting the Minister of Justice the power to publish a list of states whose data protection regime is “equivalent” to that of Quebec imitates the notion of adequacy in the GDPR.
The federal modernization proposal follows the model of section 5 of Chapter IV of GDPR by putting forward the possibility of encouraging, as best practices, the adoption of codes of practice, accreditation/certification schemes and standards through their formal recognition in legislation.
Some divergences
Through this alignment with European – and foreign law since so many States are adopting are adopting GDPR-inspired laws – Canada maintains its traditional search for balance between the rights of individuals and the rights of organizations. Its modernization proposals also benefit from developments since the coming into force of the GDPR in May 2018. The Canadian model takes a new shape.
Firstly, Canada would act upon the express concern for “enabling responsible innovation.” While the GDPR, in Recital 7, asserts the general principle of “the importance of creating the trust that will allow the digital economy to develop across the internal market” and, at Article 6, allows member states to adopt derogations in favour of broader data use, provided it is “lawful and fairl,” Canada makes concrete proposals. Both Canada’s Digital Charter and Ontario’s Consultations address the reconciliation of innovation and privacy objectives through data trust structures to enhance the use of personal data without compromising privacy rights.
Secondly, Canada’s attachment to a balanced approach, “principles-based and technologically neutral,” strengths of its current regime, is clearly stated. The specific challenges of small- and medium-sized organizations are taken into account in the policy proposals of the Digital Charter as well as the reality of evolving business models.
Canada also demonstrates having learned from the two years of GDPR application through its insistence on maintaining a level playing field.
Finally, while the GDPR provides only for cooperation among data protection authorities, the Digital Charter takes into account the intersection between privacy law and other fields. For example, both privacy law and competition law are engaged with respect to the monopolisation of the power to monetise personal data and to the lack of transparency inherent to deceitful privacy policies. The federal proposal, therefore, provides for the possibility for the Office of the Privacy Commissioner of Canada to collaborate with regulators in related field.
In short, we recognize in modernization of Canadian privacy law, mostly in the federal proposal, the continuation of a direction resolutely pragmatic and balanced, all Canadian.
Chantal Bernier is National Practice Lead, Privacy and Cybersecurity, Dentons Canada LLP