Calgary Herald

WHY CANADA IS PLAYING CATCH-UP WHEN IT COMES TO PROTECTING YOUR PRIVACY

- NAOMI POWELL AND STUART THOMSON

Canada has a rich history of innovation, but in the next few decades, powerful technologi­cal forces will transform the global economy. Large multinatio­nal companies have jumped out to a headstart in the race to succeed, and Canada runs the risk of falling behind. At stake is nothing less than our prosperity and economic well-being. The Financial Post set out to explore what is needed for businesses to flourish and grow.

With about two-dozen politician­s from nine different countries clustered around a committee table in London, NDP MP Charlie Angus somehow managed to get the last word.

“Perhaps the simplest form of regulation would be to break Facebook up or treat it as a utility,” said Angus, who was part of an “internatio­nal grand committee” convened recently to investigat­e the scandal surroundin­g Cambridge Analytica Ltd.’s use of personal data from millions of people’s Facebook profiles without their consent for political purposes.

“It depends on the problem we’re trying to solve,” said Richard Allan, vice-president of policy solutions at Facebook, who had spent the preceding three hours parrying similarly pointed questions.

“The problem is Facebook,” Angus snapped back. “That’s the problem.”

Like most committees, the talk was tough, and the three Canadian MPs present were among the toughest talkers. But their steely approach belied an uncomforta­ble reality back home: As the European Union pushes ahead with sweeping new privacy rules specifical­ly designed for the era of big data, Canada lags behind, relying on an outdated regime enacted before data-hungry companies such as Facebook Inc. even existed.

“We have a national privatesec­tor data protection law that was designed for the early days of electronic commerce when people were just trying to figure out how to buy shoes online,” said Teresa Scassa, Canada Research Chair in Informatio­n Law and Policy at the University of Ottawa. “We are in a completely different data environmen­t now and what we have is legislatio­n that is just not up to the task.”

Federal privacy commission­er Daniel Therrien, experts such as Scassa and a house committee on which Angus serves have all called for a rewrite of Canada’s data privacy law. Recent polls show Canadians are also clamouring for beefed-up legislatio­n, but the early lessons from Europe’s stringent new rules show that the trade-off for keeping our browser history to ourselves is dampened investment and possible job losses.

Facebook and Google LLC may dominate the conversati­on when it comes to privacy legislatio­n in Europe, but the laws are “targeted at every single business that uses data,” said Daniel Castro, director of the Informatio­n Technology and Innovation Foundation’s Center for Data Innovation in Washington, D.C.

The laws mean small businesses are dealing with high compliance costs and confusion about what their responsibi­lities are. In some cases, they are deciding to simply shut up shop.

“We’ve seen businesses shut down in certain areas, because it’s just not worth it anymore,” said Castro, referencin­g video game makers and U.S. news organizati­ons that chose to simply block Europeans from seeing their websites, rather than comply with the EU’s General Data Protection Regulation (GDPR) that came into force in May.

In Canada, the rules for the private sector’s collection and use of personal informatio­n are set out in the Personal Informatio­n Protection and Electronic Documents Act (PIPEDA) — legislatio­n crafted in the late 1990s with an eye to both promoting trust in e-commerce and ensuring alignment with Europe.

Then, as now, reassuring the EU that its citizens’ informatio­n would be adequately protected in Canada was essential to safeguardi­ng the flow of data between the two jurisdicti­ons, said Michael Power, a professor of privacy law at the University of Toronto who helped design the original law.

“That was the whole impetus of PIPEDA,” he said. “But you know, we wrote that stuff in ’96, ’98, before internet web browsing, the dot-com boom, certainly before the rise of search engines and well before social media.”

By contrast, GDPR is a “thirdgener­ation statute meant to respond to the internet as it is now,” Power said.

GDPR puts new restrictio­ns on how much data companies can collect and for how long the informatio­n can be stored. It also significan­tly expands individual rights over that data, enabling Europeans to move personal informatio­n collected by one company to another company, and granting them “the right to be forgotten” or require search engines such as Google to remove certain personal content from its platform.

Also central to GDPR is “privacy by design,” a concept developed by former Ontario privacy commission­er Ann Cavoukian that calls for privacy rights to be considered at every stage of product developmen­t.

Those measures were among a range of recommende­d updates to PIPEDA made in February following a review by the House of Commons’ standing committee on access to informatio­n, privacy and ethics — on which Angus serves as vice-chair.

The committee also called on the federal government to bolster the enforcemen­t powers of the federal privacy commission­er, who, unlike counterpar­ts in other countries, cannot make binding orders on companies or issue fines.

Yet no major changes to PIPEDA — beyond new provisions requiring companies to disclose data security breaches — have been put forward, even as other countries race to upgrade their privacy laws to GDPR levels.

Meantime, privacy concerns are reaching “crisis levels,” privacy commission­er Daniel Therrien warned. “Unfortunat­ely, progress from government has been slow to non-existent.”

The lack of action is likely rooted in concerns that date back to when the law was first drafted, said the University of Ottawa’s Scassa.

“In Canada, there’s a real fear, as there was back in 2001, that small and medium-sized businesses will be completely overwhelme­d by having to comply with stricter privacy regulation­s and that they simply don’t have the resources and money to spend on privacy compliance,” she said. “There’s a concern, too, that it will make Canadian businesses uncompetit­ive in North America, because they ’re going to have a heavier burden of regulatory compliance than their counterpar­ts in the U.S.”

According to Castro, complying with GDPR could cost a company millions of dollars, and the Financial Times has reported that Fortune 500 companies have earmarked US$7.8 billion in total to comply with the EU’s new rules.

Early research shows GDPR is having a tangible effect on reducing the amount of tracking software on the web, but the same data show small businesses are struggling under the new regime while Google eats up even more market share.

In Europe, small advertisin­g firms have lost somewhere between 18 and 31 per cent in market share, while Facebook declined seven per cent. Google was able to increase its market share by one per cent, and at least part of the increase was due to the significan­t resources that it can throw at compliance, according to a study by Cliqz Internatio­nal GmbH and Ghostery, two European privacy companies.

Overall investment may be suffering in the wake of GDPR, too. A recent research paper by three U.S. economists found that new and emerging tech firms are struggling to raise money since Europe’s privacy rules came into effect.

The average amount raised by startups declined by US$3.4 million, a 40-per-cent drop from before GDPR was put in place, according to the paper co-authored by Liad Wagman, an economist at the Illinois Institute of Technology. With some “back of the envelope” calculatio­ns, the paper estimates that the rules could cost anywhere between 3,600 to 30,000 jobs.

Though it may be too early to draw any firm conclusion­s, Wagman said “the results are supported by existing economic theories that show that compliance costs tend to reduce new venture formation and disproport­ionately impact nascent firms.”

Neverthele­ss, global compliance with GDPR — considered the gold standard of privacy protection — may be inevitable, said Anu Bradford, a law professor at Columbia University and director of the Center for European Legal Studies.

Deep-pocketed global firms such as Airbnb Inc., Microsoft Corp. and Google have already made changes to conform to the law, and have extended those changes into global policies rather than absorb the costs of maintainin­g multiple frameworks.

In addition, more than 120 countries, including India, Brazil and China, have aligned their privacy regimes to the EU’s in an effort to secure the flow of data with the EU. And powerful industry leaders such as Apple Inc. chief executive Tim Cook have thrown their support behind GDPR, urging the U.S. to adopt a similar policy.

“It’s the market incentives that are globalizin­g the GDPR rules,” said Bradford, who calls the phenomenon “the Brussels Effect. It is everywhere. So the ability to take advantage of lower standards when dealing with the rest of the world is really diminishin­g, because the rest of the world is following the EU.”

The leaves the U.S. as the “outlier,” Bradford said.

The U.S. has long been reluctant to conform to EU regulatory standards and tends to view privacy as a matter contracted between companies and individual­s. In May, U.S. Commerce Secretary Wilbur Ross wrote an op-ed for the Financial Times complainin­g that GDPR “creates serious, unclear obligation­s” for companies that could disrupt trade and impose unnecessar­y costs on businesses.

But scandals such as the one involving Cambridge Analytica, together with a restrictiv­e new data protection law imposed in California, may soon push Washington’s hand, Bradford suggested.

“There is only so much space for the U.S. to say, ‘We’re going to do it our way,’ ” she said. “It’s hard to make a full-throated, free-market, no-regulation argument about data privacy in today’s political climate.”

The pressure for change is mounting in Ottawa too, though Scassa is skeptical that any new legislatio­n will be enacted before the next federal election. Still, data privacy is increasing­ly a “hot button issue,” suggesting the government will have to do something.

“Canada doesn’t have to go fullon GDPR,” she said. “We just need to do something.”

Therrien, who has long pushed for changes to PIPEDA as well as new powers for his office to enforce it, believes a made-in-Canada approach that is scaleable to small businesses is entirely possible.

“I don’t think privacy and innovation and economic growth are in opposition,” he said. “The best strategy would be for Canada to seek to achieve both privacy and innovation at the same time and I think that’s entirely possible.”

The best strategy would be for Canada to seek to achieve both privacy and innovation at the same time and I think that’s entirely possible.

?? DANIEL LEAL-OLIVAS/AFP/GETTY IMAGES ?? A demonstrat­or wearing a mask of Mark Zuckerberg questions the refusal of the Facebook CEO to give evidence for the U.K. government’s investigat­ion into disinforma­tion last month in London. Canada’s privacy concerns are said to be reaching “crisis levels.”
DANIEL LEAL-OLIVAS/AFP/GETTY IMAGES A demonstrat­or wearing a mask of Mark Zuckerberg questions the refusal of the Facebook CEO to give evidence for the U.K. government’s investigat­ion into disinforma­tion last month in London. Canada’s privacy concerns are said to be reaching “crisis levels.”
?? ADRIAN WYLD/THE CANADIAN PRESS ?? Federal privacy commission­er Daniel Therrien is among the officials who are calling for a rewrite of Canada’s outdated data privacy law, which was enacted before Facebook existed.
ADRIAN WYLD/THE CANADIAN PRESS Federal privacy commission­er Daniel Therrien is among the officials who are calling for a rewrite of Canada’s outdated data privacy law, which was enacted before Facebook existed.

Newspapers in English

Newspapers from Canada