The London Free Press with Teresa Scassa 12 December 2018
With about two-dozen politicians from nine different countries clustered around a committee table in London, NDP MP Charlie Angus somehow managed to get the last word.
“Perhaps the simplest form of regulation would be to break Facebook up or treat it as a utility,” said Angus, who was part of an “international grand committee” convened on Tuesday to investigate the scandal surrounding Cambridge Analytica Ltd.’s use of personal data from millions of people’s Facebook profiles without their consent for political purposes.
“It depends on the problem we’re trying to solve,” said Richard Allan, vice-president of policy solutions at Facebook, who had spent the preceding three hours parrying similarly pointed questions.
“The problem is Facebook,” Angus snapped back. “That’s the problem.”
As at most committees, the talk was tough, and the three Canadian MPs present were among the toughest talkers. But their steely approach belied an uncomfortable reality back home: As the European Union pushes ahead with sweeping new privacy rules specifically designed for the era of big data, Canada lags behind, relying on an outdated regime enacted before data-hungry companies such as Facebook Inc. even existed.
“We have a national private-sector data protection law that was designed for the early days of electronic commerce when people were just trying to figure out how to buy shoes online,” said Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa. “We are in a completely different data environment now and what we have is legislation that is just not up to the task.”
Federal privacy commissioner Daniel Therrien, experts such as Scassa and a house committee on which Angus serves have all called for a rewrite of Canada’s data privacy law. Recent polls show Canadians are also clamouring for beefed-up legislation, but the early lessons from Europe’s stringent new rules show that the trade-off for keeping our browser history to ourselves is dampened investment and possible job losses.
Facebook and Google LLC may dominate the conversation when it comes to privacy legislation in Europe, but the laws are “targeted at every single business that uses data,” said Daniel Castro, director of the Information Technology and Innovation Foundation’s Center for Data Innovation in Washington, D.C.
The laws mean small businesses are dealing with high compliance costs and confusion about what their responsibilities are. In some cases, they are deciding to simply shut up shop.
“We’ve seen businesses shut down in certain areas, because it’s just not worth it anymore,” said Castro, referencing video game makers and U.S. news organizations that chose to simply block Europeans from seeing their websites, rather than comply with the EU’s General Data Protection Regulation (GDPR) that came into force in May.
In Canada, the rules for the private sector’s collection and use of personal information are set out in the Personal Information Protection and Electronic Documents Act (PIPEDA) — legislation crafted in the late 1990s with an eye to both promoting trust in e-commerce and ensuring alignment with Europe.
Then, as now, reassuring the EU that its citizens’ information would be adequately protected in Canada was essential to safeguarding the flow of data between the two jurisdictions, said Michael Power, a professor of privacy law at the University of Toronto who helped design the original law.
“That was the whole impetus of PIPEDA,” he said. “But you know, we wrote that stuff in ’96, ’98, before internet web browsing, the dot-com boom, certainly before the rise of search engines and well before social media.”
By contrast, GDPR is a “third-generation statute meant to respond to the internet as it is now,” Power said.
GDPR puts new restrictions on how much data companies can collect and for how long the information can be stored. It also significantly expands individual rights over that data, enabling Europeans to move personal information collected by one company to another company, and granting them “the right to be forgotten,” or the ability to require search engines such as Google to remove certain personal content from their platforms.
Also central to GDPR is “privacy by design,” a concept developed by former Ontario privacy commissioner Ann Cavoukian that calls for privacy rights to be considered at every stage of product development.
Those measures were among a range of recommended updates to PIPEDA made in February following a review by the House of Commons’ standing committee on access to information, privacy and ethics — on which Angus serves as vice-chair.
The committee also called on Ottawa to bolster the enforcement powers of the federal privacy commissioner, who, unlike counterparts in other countries, cannot make binding orders on companies or issue fines.
Yet no major changes to PIPEDA — beyond new provisions requiring companies to disclose data security breaches — have been put forward, even as other countries race to upgrade their privacy laws to GDPR levels.
Meantime, privacy concerns are reaching “crisis levels,” privacy commissioner Daniel Therrien warned. “Unfortunately, progress from government has been slow to non-existent.”
The lack of action is likely rooted in concerns that date back to when the law was first drafted, said the University of Ottawa’s Scassa.
“In Canada, there’s a real fear, as there was back in 2001, that small and medium-sized businesses will be completely overwhelmed by having to comply with stricter privacy regulations and that they simply don’t have the resources and money to spend on privacy compliance,” she said. “There’s a concern, too, that it will make Canadian businesses uncompetitive in North America, because they’re going to have a heavier burden of regulatory compliance than their counterparts in the U.S.”
According to Castro, complying with GDPR could cost a company millions of dollars, and the Financial Times has reported that Fortune 500 companies have earmarked US$7.8 billion in total to comply with the EU’s new rules.
Early research shows GDPR is having a tangible effect on reducing the amount of tracking software on the web, but the same data show small businesses are struggling under the new regime while Google eats up even more market share.
In Europe, small advertising firms have lost somewhere between 18 and 31 per cent in market share, while Facebook declined seven per cent. Google was able to increase its market share by one per cent, and at least part of the increase was due to the significant resources that it can throw at compliance, according to a study by Cliqz International GmbH and Ghostery, two European privacy companies.
Overall investment may be suffering in the wake of GDPR, too. A recent research paper by three U.S. economists found that new and emerging tech firms are struggling to raise money since Europe’s privacy rules came into effect.
The average amount raised by startups declined by US$3.4 million, a 40 per cent drop from before GDPR was put in place, according to the paper co-authored by Liad Wagman, an economist at the Illinois Institute of Technology. With some “back of the envelope” calculations, the paper estimates that the rules could cost anywhere between 3,600 and 30,000 jobs.
Though it may be too early to draw any firm conclusions, Wagman said “the results are supported by existing economic theories which show that compliance costs tend to reduce new venture formation and disproportionately impact nascent firms.”
Nevertheless, global compliance with GDPR — considered the gold standard of privacy protection — may be inevitable, said Anu Bradford, a law professor at Columbia University and director of the Center for European Legal Studies.
Deep-pocketed global firms such as Airbnb Inc., Microsoft Corp. and Google have already made changes to conform to the law, and have extended those changes into global policies rather than absorb the costs of maintaining multiple frameworks.
In addition, more than 120 countries, including India, Brazil and China, have aligned their privacy regimes to the EU’s in an effort to secure the flow of data with the EU. And powerful industry leaders such as Apple Inc. chief executive Tim Cook have thrown their support behind GDPR, urging the U.S. to adopt a similar policy.
“It’s the market incentives that are globalizing the GDPR rules,” said Bradford, who calls the phenomenon “the Brussels Effect.” “It is everywhere. So the ability to take advantage of lower standards when dealing with the rest of the world is really diminishing, because the rest of the world is following the EU.”
That leaves the U.S. as the “outlier,” Bradford said.
The U.S. has long been reluctant to conform to EU regulatory standards and tends to view privacy as a matter contracted between companies and individuals. In May, U.S. Commerce Secretary Wilbur Ross wrote an op-ed for the Financial Times complaining that GDPR “creates serious, unclear obligations” for companies that could disrupt trade and impose unnecessary costs on businesses.
But scandals such as the one involving Cambridge Analytica, together with a restrictive new data protection law imposed in California, may soon push Washington’s hand, Bradford suggested.
“There is only so much space for the U.S. to say, ‘We’re going to do it our way,’” she said. “It’s hard to make a full-throated, free-market, no-regulation argument about data privacy in today’s political climate.”
The pressure for change is mounting in Ottawa too, though Scassa is skeptical that any new legislation will be enacted before the next federal election. Still, data privacy is increasingly a “hot button issue,” suggesting the government will have to do something.
“Canada doesn’t have to go full-on GDPR,” she said. “We just need to do something.”
Therrien, who has long pushed for changes to PIPEDA as well as new powers for his office to enforce it, believes a made-in-Canada approach that is scaleable to small businesses is entirely possible.
“I don’t think privacy and innovation and economic growth are in opposition,” he said. “The best strategy would be for Canada to seek to achieve both privacy and innovation at the same time and I think that’s entirely possible.”