On August 13, the Ontario government launched a public consultation to solicit input on “creating a legislative framework for privacy in the province’s private sector,” citing longstanding public concern over data privacy intensified by increased reliance on digital platforms during the COVID-19 pandemic. The consultation and accompanying discussion paper outline key issues in data protection, many of which will be familiar to those following Canadian privacy legislative reform: broadly, the focus will be on increasing transparency around how information is gathered and used, strengthening consent and establishing an opt-in model for secondary uses of information, introducing a right to erasure of personal information (subject to limitations), introducing a right to data portability, increasing the enforcement powers of Ontario’s Privacy Commissioner, introducing requirements and protections for de-identified or derived data, enabling the establishment of data trusts for information sharing, and expanding the scope of the law to non-profit and non-commercial organizations, including political parties. The consultation comes two months after Quebec introduced a bill to update its data protection strategy along the lines of the European Union’s General Data Protection Regulation (GDPR). If a new law is passed, Ontario will join other provinces, namely BC, Alberta, and Quebec, in having its own private sector privacy legislation.
It may superficially appear that better privacy protection for Canadians at any jurisdictional level could only be a positive development. Privacy in Ontario’s private sector is currently governed by the 2000 Personal Information Protection and Electronic Documents Act (PIPEDA), a federal law crafted in the late 1990s that has long been groaning under the weight of various pressures, including paradigm-shifting developments in the media environment and the need to keep pace with international data-sharing norms, most notably the global standard-setting GDPR. Among the most significant gaps in PIPEDA are its lack of real enforcement mechanisms and its grey areas around consent, which have become muddier in the age of big data as increasingly complex information flows undermine people’s ability to fully understand what they’re agreeing to. Under the “substantial similarity” exemption to PIPEDA, provinces are allowed to establish their own private sector privacy law if it offers comparable privacy protection to the federal legislation.
While there have been rumblings of reform at the federal level, including the government’s May 2019 release of an aspirational “Digital Charter” and accompanying proposals for modernizing PIPEDA, it’s not clear how extensive the changes will be, or when Canadians can expect them, especially with the parliamentary schedule having been disrupted by the pandemic. The introduction of an Ontario data protection strategy might thus come as a welcome development to those eager for reform who are understandably frustrated being at the mercy of a slow-moving federal process.
But there are more reasons to be wary of further fragmenting privacy legislation along provincial or territorial lines. Without highly coordinated pan-provincial consistency and cooperation, a province-by-province enactment of privacy laws risks providing uneven protection to Canadians, whose personal information may be treated differently based on territorial factors like the residency of the consumer, the storage location of the data, or the locus of incorporation of the company that offers the service. There’s also a risk that the move will encourage legal gamesmanship, with companies simply transferring operations to weaker privacy jurisdictions.
A patchwork of provincial laws will also complicate the business environment and potentially exacerbate internal trade barriers. The movement of personal data across both national and international borders is essential to the internet economy, and some Ontario business leaders are already balking at the increased compliance burden posed by multiple, potentially inconsistent layers of regulation. These kinds of challenges are already playing out in the US, which has begun its own state-by-state introduction of consumer privacy laws in the void of a comprehensive national regime. Companies are seeing that even slight inconsistencies between laws—and even between rules that appear on the surface to grant the same rights, such as data portability—can lead to huge compliance costs, which may be passed onto consumers in the form of both higher prices and a shrunken market.
Some analysts have pointed to an emerging irony in the global privacy crackdown: rules that are outwardly pro-consumer may end up empowering the very tech monoliths whose abusive data practices they’re meant to target, since these companies have the deep pockets to absorb rising compliance costs and increased legal risk. While poll after poll shows that Canadians do have an interest in strong privacy protections, a robust federal law can avoid the unnecessary compliance burden posed by a proliferation of regional frameworks.
While promising to protect citizens within each province, a piecemeal approach to privacy may also pose challenges for federal and provincial regulators. Again, we can look for guidance to the international context, where traditional notions of territoriality and jurisdictional authority are being challenged by the nature of electronic data. Even as the EU’s equivalency requirement has put increasing pressure on countries to update their privacy laws, data privacy rights vary considerably across national borders, and the speed, ease, and complexity of global data circulation often severs the factual link between the location of data and the location of its user. This tension between bordered privacy regimes and borderless data has led to serious conflicts between countries seeking control over online information, including efforts by governments to set global privacy standards via their own domestic regulation. The result is that businesses, regulators, and consumers increasingly operate in an environment of uncertainty in which it’s unclear which country’s or region’s laws govern online data at any given time. A patchwork of provincial laws risks reproducing this uncertainty within Canada.
Managing these complexities will likely be pricey for provinces. As former federal privacy commissioner Jennifer Stoddart notes, Quebec’s recently tabled Bill 64, which proposes amendments to the province’s public and private sector privacy laws, intends to deal with the issue of cross-border transfers via a GDPR-style adequacy condition that requires assessment of the destination’s privacy regulations, but this process has proved cumbersome to even the EU’s large, experienced bureaucracy. In the EU, regulators are finding that the GDPR requires enormous investment and staffing resources in order to give it teeth. And in the US, state privacy laws are under near-constant amendment to close ambiguities and catch up to other jurisdictions. Even if Ontario’s rules would apply only to commercial activities within the province and not to interprovincial or international transfers, there are costs involved in reviewing and assessing compliance with any new regulatory regime.
Those impatient for change might be reassured by the rising urgency of federal privacy reform. Federal privacy commissioner Daniel Therrien has warned the federal government that the growing discrepancy between Canadian and European privacy law is increasingly threatening our trade relationship with the EU. Under the GDPR, EU citizens’ personal data can be transferred only to jurisdictions that have been determined by the European Commission (EC) to provide “adequate” privacy protection, unless the data subject’s valid consent has been obtained. With Canada’s adequacy status scheduled for review by 2022, privacy experts are calling for “serious, rather than cosmetic, reform to PIPEDA” to maintain the free flow of data Canada and European countries. A single, robust federal privacy regime is a more realistic road to adequacy and to ensuring that the EU is confident exchanging data with Canada.
PIAC’s preliminary view is that Canadians will be better protected by a robust, modernized federal data protection regime than by increasing province-by-province legislation. A regulatory patchwork risks putting Canadians in a worse position when it comes to understanding their privacy rights, increasing uncertainty around how data is handled and potentially enabling inconsistent treatment of personal information depending on the residency of the consumer. As digital surveillance has become more pervasive and intrusive and the risks to both individual and society more profound, it’s clear that PIPEDA has failed to keep up, but it’s unlikely that a proliferation of regional frameworks will be more effective in protecting consumers against the power of the multi-billion-dollar personal data industry. Federal lawmakers need to step in to protect Canadians’ interests as consumers and rights as citizens.