Industry associations are already pressuring the Trudeau government in advance of its promised next attempt at reforming Canada’s commercial sector privacy law.
In Privacy Law Pitfalls: Lessons Learned from the European Union, a compilation of findings from more than 30 third-party research reports and commentaries, the Canadian Marketing Association (CMA) today urged the government not to follow the European Union’s General Data Protection Regulation (GDPR) too closely, arguing it “has resulted in immense regulatory burden, heavy costs and threats to innovation and economic growth.”
The GDPR, which governs the way companies handle personally-identifiable data on residents of 27 European Union countries, is seen by privacy advocates as the gold standard in privacy protection. Some of its principles were adopted by the Liberal government in its proposed C-11 (the Digital Charter Implementation Act, which included the Consumer Privacy Protection Act), which died last year when the fall election was called. It would replace the current Personal Information Protection and Electronic Documents Act (PIPEDA).
The new government promised that it would introduce new legislation to update PIPEDA, without giving details or a timetable.
But the CMA said Canadian policymakers “must ensure that any new law is not simply imported from another jurisdiction, but rather, that it reflects and supports local conditions, practices and expectations, with the goal of achieving equivalent privacy protection as opposed to alignment to another jurisdiction’s legislative approach.”
There has been growing acknowledgment since its inception in 2018 that the GDPR’s shortcomings have led to “some significant unintended consequences that are negatively impacting governments, consumers and organizations,” says the CMA.
“Among those who would be most adversely impacted by having certain GDPR provisions imported to Canada would be small and medium-sized enterprises (SMEs)— the backbone of the Canadian economy,” it adds.
While acknowledging the GDPR framework “represented a significant step forward in drawing awareness to privacy and data protection around the globe, introducing new privacy rights for consumers, and strengthening data protection requirements and penalties,” the CMA says that after more than three years the GDPR “has proven to be much better in theory than in practice.”
The alleged shortcomings include:
- creating a staggering regulatory burden;
- hampering the ability of organizations to innovate and contribute to economic growth;
- disproportionately impacting small and medium-sized enterprises;
- creating complexity for consumers;
- triggering other inefficiencies and unintended consequences;
- suppressing emerging technologies;
- and obstructing cross-border business.
Canadian privacy law should continue to be rooted in “an administratively workable, principles-based legislative framework that promotes a technology- and sector-neutral approach to privacy, helping to ensure flexibility in the face of rapidly evolving technologies, business models and consumer expectations,” says the CMA brief.
Any new private-sector law should also include “a balanced purpose statement that enables organizations to use personal information to conduct essential aspects of business in a manner that improves the lives of individuals, while protecting their privacy rights.”