Blog Post:

One Set of Privacy Rights for Europeans, a Lesser One for Canadians? Why the Canadian Consumer Privacy Protection Act and the EU’s General Data Protection Regulation Should Be in Alignment

The federal government’s new Consumer Privacy Protection Act (Bill C-11) implementing its Digital Charter is not consistent with the global standard for international privacy protection, the EU’s General Data Protection Regulation (GDPR).   And it needs to be for Canadian consumers and for our businesses.  

For 20 years, Canada has enjoyed the status as a jurisdiction that offers an adequate level of protection for data imported from the EU.   This is significant.  It means that businesses do not then have to negotiate separate contractual arrangements if they want to process personal data on Europeans in Canada.   Recently the standard has been strengthened, as the European Court of Justice has insisted that personal data should only flow outside of the EU to countries whose laws display an essential equivalence to the GDPR.   

The GDPR is the EU-wide set of rules that came into force in 2018 designed to update privacy rules and make them generally compatible with the contemporary digital economy.   As the regulatory framework that applies to the world’s largest single trading block, the GDPR of course has significant influence outside of Europe.  It has served as the model for new privacy laws in countries such as S. Korea and Brazil. 

Many regard the GDPR as the gold standard for international privacy protection and many multinational companies have striven for one harmonized global policy based on that standard.  Consulting and auditing firms, such as Price Waterhouse Coopers,  provide key advice for companies in Canada on GDPR compliance, in such relevant areas as: strategy and governance; policy management; data life cycle management; cross-border data strategy; privacy by design; accountability; information security; and employee training.

The big tech companies have all, in their own ways, acknowledged the need to trade up their policies to the GDPR standard.  Microsoft acknowledges that the  European Union’s General Data Protection Regulation (GDPR) sets a new bar globally for privacy rights, information security, and compliance…Microsoft is committed to its own compliance with the GDPR, as well as to provide an array of products, features, documentation, and resources to support our customers in meeting their compliance obligations under the GDPR. 

Google asserts that compliance with the GDPR is a top priority for Google Cloud and our customers.   

Apple has a privacy governance framework as part of its Human Rights Policy which is heavily influenced by the GDPR.   And they state that: as part of our GDPR and human rights work, we undertake Privacy Impact Assessments (PIA) of our major products and services and integrate PIAs as we develop new products and services.     

Shopify, the Canadian commerce platform, which serves businesses globally, has adopted a privacy policy which is explicitly framed around the legitimate interests framework in the GDPR.  And it complies with several provisions of the GDPR, including that on automated decision-making.   Furthermore,  when we send your personal information outside of Europe, we do so in accordance with European law.  

Some large Canadian companies are, of course, owned by European multinationals.  An example is the Fairmont hotel chain owned by the French Accor Group.   Accor has instituted ten privacy principles for protecting your personal data in accordance with applicable regulations and in particular the GDPR.  

Other companies, however, only go so far as to state that the GDPR applies to data transferred outside the European Economic Area (EEA).[1] The Bank of Montreal, for instance, has developed a separate privacy code for its European operations.  This acknowledges that “your Personal Data may be accessed by staff or suppliers in, transferred to, and/or stored in a country outside the EEA, in which data protection laws may be of a lower standard than within these jurisdictions. Regardless of location, we will impose the same data protection safeguards that we use inside the EU, the EEA, or the UK.”  

And here is Scotiabank’s separate EU Policy:  “Where we transfer personal data outside the EEA, we will ensure that it is protected in a manner that is consistent with how personal data will be protected by us in the EEA.”  

The GDPR guarantees citizens the right to port their data from one organization to another. The Royal Bank of Canada’s Global Privacy Notice explicitly guarantees residents and citizens of the UK or Europe (but not presumably Canadians), rights of portability or removal of the personal data that we process about you at any time…  

Air Canada’s updated privacy policy contains a separate section on the rights of members of the European Economic Area (EEA), the UK and Switzerland, including a statement of the legal bases for processing of personal data.   Specifically, some of Air Canada’s data analytics and sharing practices do not apply to these citizens, unless they separately consent to them.  

Thus, some companies have tried to figure out contorted ways to limit the application of the GDPR to some data, on some individuals, and only for some legal provisions and rights.  And one has to wonder whether these distinctions overall entail higher compliance costs than if they were to try to establish the same standard globally.   

These, of course, are big multi-national companies that may have offices and employees in the EU.   But Canadian small and medium-sized enterprises might also be subject to the GDPR’s provisions, as it applies to the processing of personal data about individuals in the EU, regardless of where those data are processed.   

Thus, if that business offers goods and services to individuals in the EU through their website or app, the GDPR applies.  If the business uses cookies on its website or mobile app to capture the IP address of a customer in Europe, it applies.  If a Canadian service provider processes data of individuals in the EU on behalf of European business clients, it applies.  If a Canadian business in any way monitors the behavior of individuals in the EU, it applies.  

Of course, corporate privacy policies are complex and are often hedged and refined with legal qualifications, but the overall picture is that the GDPR is inescapable for many companies (large, medium and small) operating in Canada.    

In this context, why should the government’s new Consumer Privacy Protection Act (CPPA), be any weaker than the GDPR?   When companies in Canada are either ramping up their compliance operations to the GDPR standard, either generally or with respect to personal data on Europeans, why should C-11 seemingly offer lower levels of protection for Canadians? 

And it does.  As the federal Privacy Commissioner has recently pointed out, C-11 offers a weaker definition of express consent.  It contains far broader exemptions for the processing of personal data without consent.   It does not oblige companies to conduct privacy impact assessments (PIAs) when they introduce new products and services.   It does not require companies to design privacy into their products by default.   It fails to define what is meant by sensitive data.  It does not provide quick and effective remedies.  It does not allow consumers to port their data to another platform with the same freedom.  And it is questionable as to whether or not it extends to the non-profit sector, even when they engage in commercial activity.  

The attempt to create a Canadian-made statute that is consistent with our Constitution, faithful to the principles contained in the current statute (PIPEDA), and supportive of the processing of data for socially beneficial innovation, has created a legal framework that is not consistent with the GDPR standard, and which may not be essentially equivalent to the European standard.   It may thus jeopardize our existing adequacy status with the EU, as I have recently argued in an article for Privacy Laws and Business International.   

As the few illustrations above demonstrate, many companies operating in Canada are already having to comply with the GDPR.    Further, and as the BC Information and Privacy Commissioner (among others) have argued, compliance offers competitive advantages to Canadian business.  

Our new privacy protection framework needs to be in alignment with the GDPR to strengthen the rights of Canadian citizens.  But it also needs to be aligned to assist the Canadian commercial sector, and promote digital innovation.  Privacy rules need to be interoperable. At the moment, there are some companies that are applying one set of rules for the personal data of Canadians, and another for that of Europeans.   There is surely something wrong with this picture and it cannot be allowed to continue.   


[1] This is the member states of the EU, plus the three countries of the European Free Trade Area (EFTA)