Why the CMA doesn’t want lawmakers to follow the example of GDPR

The organization has offered a "cautionary tale" to parliament as it prepares to update Canadian privacy regulations this spring.

Online privacy is going to be a hot topic in Canada this spring when the federal government is expected to introduce updated legislation aimed at bringing privacy protection in Canada’s private sector into the modern era.

Privacy commissioner Daniel Therrien has been vocal about the need to overhaul out-of-date privacy regulations like the Personal Information Protection and Electronic Documents Act (PIPEDA) to better reflect privacy needs in the modern online world. This was reiterated in Therrien’s annual report to parliament in November – his final one before his term expires in June – which also re-stated many of his objections to the previous Bill C-11. The commissioner’s overall issue with the bill, which died when the federal election was called, was that the provisions to update PIPEDA were actually a step backward, and well behind regulations from other jurisdictions, such as the European Union’s GDPR.

But others might not consider being out of line with GDPR a bad thing. The Canadian Marketing Association has published a 33-page report which it describes as a “cautionary tale” detailing the pitfalls of the regulations, including regulatory burdens, hampering innovation, impact on small and medium-sized businesses, suppression of emerging technologies, obstruction of cross-border business, complexities for customers, and triggering inefficiencies.

“The GDPR is very prescriptive and very specific and it doesn’t anticipate the evolution of technology,” says Sara Clodman, VP, public affairs and thought leadership at the CMA. “PIPEDA has some really great strengths that we think the new legislation should build on.”

When PIPEDA was introduced in 2000, Clodman says it was considered the “international gold standard” for protecting personal information. But that was 22 years ago, a time when smartphones, streaming, and social media weren’t a part of our vocabulary. While there’s no doubt Canada’s legislation needs to better reflect modern behaviors, the CMA heralds PIPEDA for what it sees as a “balanced” purpose statement that’s concerned with protecting privacy while also allowing for innovation.

The report says the GDPR is not flexible enough to allow new technologies – specifically AI-based technologies that rely on user data-driven systems, including recommendation engines, customer service chatbots and marketing geared towards consumer preferences – to develop. While the CMA broadly believes there are some positive features in the GDPR, Clodman says it’s “over-regulation” and calls it an “overreach.”

One section of the CMA’s report says the GDPR makes “disproportionate use of human rights framework,” meaning that, at its core, the GDPR assumes that regardless of context or potential outcome, any collection, use or disclosure of personal information erodes an individual’s right to privacy. “The fundamental conception of data use as an incursion on human rights is flawed and potentially detrimental to a number of other societal objectives.” The report concedes that some use of personal data may be cause for concern, but lists addressing public health issues like the COVID-19 pandemic, which saw corporate data reserves deployed for contact tracing, as one example of how processing personal data can be socially beneficial.

But if the GDPR is an overreach, as Clodman says, what kind of new regulations would the CMA support when lawmakers try to enact legislation that’s reflective of the modern world?

“We want regulations that protect consumer information but also allow businesses to innovate. We’re talking about the ability to serve an ad to someone on something that interests them… Consumer data should be protected, but is it damaging to a consumer if they get an ad for a lawnmower when they are looking to buy a lawnmower? Marketers need data to be able to reach and serve consumers in this day and age.”

Much of the CMA’s report focuses on the impact GDPR-like provisions would have on small and medium-sized businesses in Canada, claiming that privacy requirements could prove “debilitating in terms of capital required and limitations on their ability to automate and optimize.”

The report claims that smaller businesses don’t have the access to legal advice and representation necessary to navigate regulations as complex as those belonging to the GDPR.

Clodman cites the GDPR’s right to deletion (right to be forgotten) article, which ensures personal data is deleted when it is no longer necessary for the purpose it was collected and allows consumers to request that their information be deleted.

“We support the goal of ensuring that personal information is not held by organizations longer than necessary and for having control over the confidentiality of information, but there needs to be some exceptions to a right to deletion to make sure that businesses can retain information for legitimate reasons, like if they’re legal or business purposes,” she says, adding regulations can’t allow for consumers to demand that companies stop everything to delete their information.

“And it’s difficult for companies, especially small and medium-sized businesses to have to dispose of information on request, sometimes without disrupting the processes of other data. It’s not always a simple thing to delete a record,” Clodman says.

The GDPR does outline exceptions to the right to deletion – instances where the organization can override requests for users’ data to be removed – and even says companies can request “a reasonable fee” if a user request to delete personal information is unfounded or excessive.

The heftiest GDPR fines to date have been levied against the likes of Amazon, Google, and Facebook, with enforcement for smaller organizations and private individuals typically in the range of a few thousand Euros.

Despite having years to adapt, some sectors of the media industry are still having difficulty complying with GDPR. Last month, Belgian authorities levied a $280,000 fine against IAB Europe and ordered it to update its technology within two months after it was found that the organization’s Transparency and Consent Framework – a set of tools and technology created to help agencies and marketers stay GDPR compliant – didn’t provide adequate transparency to users about how their data was used.

Clodman says new legislation is a big opportunity for Canada and it’s important for the law to recognize the importance of emerging technologies. And it seems to be coming, regardless of what happens at the federal level: updates to Quebec’s own privacy laws were adopted last fall and will begin to be phased in this September. In British Columbia, a parliamentary committee struck to update that province’s privacy rules recently began accepting feedback from the public.

Though the organization hasn’t had any formal feedback from policymakers on its report yet, Clodman says the feedback it has received from its members has been “extremely positive.”