Strengthening Canada’s Privacy Laws Receives Broad Party Support Drew Wilson | April 28, 2019 With Canada lagging further and further behind in privacy laws, MPs from Conservative, Liberal, and the NDP are now supportive of strengthening the laws. After the Cambridge Analytica scandal broke last year, US regulators began looking into the role Facebook played. After much negotiation, reports suggest Facebook could face up to a $5 billion fine from the FTC. While the issue is ongoing, plenty are watching the issue closely. After a data leak where over half a billion users were exposed along with “millions” of Instagram users earlier this month, Irish regulators launched a probe to investigate Facebook. The possible consequences thanks to Europe’s General Data Protection Regulation (GDPR) is that Facebook could get hit with a fine of 4% of their annual turnover rate. After the Cambridge Analytica story, Canadian privacy commissioners investigated Facebook. After publishing a report suggesting Facebook is only paying lip service to the privacy laws they need to abide by, the commissioners said that they could take Facebook to court. They have no power to levy fines, but they could theoretically get the courts to tell Facebook to pretty please don’t do that again. Notice the difference? While other jurisdictions could be levelling major fines against Facebook after leaks and accusations of wrongdoing, Canada is basically stuck with just wagging their finger. While other jurisdictions could take a chunk out of Facebook’s bottom line, Canadian regulators can say, “Stop, or I’ll say stop again!” It seems that Canadian lawmakers have finally started to notice this as well. According to a report from CTV, MPs from the Conservative, Liberal, and NDP parties are warming up to the idea of strengthening Canada’s privacy laws. From the report: Facebook has said it takes the investigation seriously and offered to enter into a compliance agreement, but privacy commissioner Daniel Therrien said Facebook rebuffed his findings and that he doesn’t have the enforcement powers needed to “insist that they act responsibly.” Conservative MP John Brassard, who represents the Ontario riding of Barrie—Innisfil, said the report makes clear that stronger regulation is necessary. “Not just tougher regulation, but also the ability for them to enforce the privacy breaches like the one they’ve identified with Facebook,” he told CTV’s Question Period in a segment that airs Sunday. New Democrat MP Daniel Blaikie said he agrees that either the privacy commissioner or another regulatory body needs more power to enforce privacy rules. “I think when a multinational company like that picks a fight with a Canadian regulator, it’s the job of the Canadian government to step in,” the Manitoba MP said. “Many of our allies across the world are beginning to implement these kinds of regulations,” Blaikie added. “Canada is becoming a laggard in this regard.” Liberal MP Arif Virani, who is the Parliamentary Secretary to Minister of Democratic Institutions Karina Gould, said he agrees more steps need to be taken, but disagrees with Blaikie’s assertion that Canada is lagging behind. Virani said that Canada was the first country to regulate political interference and political advertising across social media platforms, and that it has implemented $100,000 fines for some types of privacy breaches. Of course, while it seems that most are now in agreement that something needs to be done, the difficult part is figuring out the best approach to tackle this. While a number of digital rights advocates had a positive reaction to the GDPR laws, not everyone agreed to all of its provisions. One point of contention is the requirement for websites to be transparent about cookies. While many may have forgotten about this requirement, website owners will be all too familiar with some of these requirements. For us, for instance, you may notice a notice on the bottom of our comments section discussing the Akismet anti-spam process. We use this service to help keep the website clean of spam. Comments are fed through a third party server and scanned for matching comments against a database of spam comments. Those spam comments are filtered out and what’s left over is a small handful of more manageable comments. If it weren’t for this service, we would have spam comments reaching into the millions flooding the moderation cue every week. In response, we probably would need to shutter that feature simply because the spam comments would be far too great to handle with our resources. While this is a great feature to have, those comments still pass through a third party service. As such, in order to comply with the GDPR standards, that notice has to be put in place to comply with European regulation. Is it really the end of the world to have to do this to comply with regulations in a jurisdiction we don’t really operate in? Some would say it’s an outrage. For us, that line is not the end of the world. Still, it all depends on who you ask. So, for some observers, the GDPR is by no means a holy grail of privacy laws. While Canada does have PIPEDA (Personal Information Protection and Electronic Documents Act), it seems that there is political appetite to strengthen these rules. PIPEDA was once held in high regards as a defacto standard for privacy laws, but now its becoming increasingly an old relic that needs strengthening. After all, that became law in the year 2000 – more than 19 years ago by a week or so. If momentum is going to start building for reforming privacy laws, Canadians will have to start contemplating what kind of reforms they like to see. Should the privacy commissioners have the ability to levy fines against large companies who violate privacy laws? Is there a standard for transparency that websites need to comply with? What happens in a breach? Should websites notify regulators of a breach? If so, what kind of time window are we looking at? What about databases that deal with B2B transactions? Is there a standard minimum for encrypting communication? A lot can really be put on the table if the country decides to start discussing personal privacy online. Even though there is broad political support judging by the report, it will be difficult to predict whether or not this will reach the forefront of the political realm. After all, Canada is going to head into an election in a few months time, so a lot of other political talking points will be flying by that point. Topics like the economy, the SNC Lavalin scandal, the environment, pipelines, jobs, disaster mitigation, wages, healthcare, and many others can very easily push the less sexy privacy laws to the sidelines. So, it will be interesting to see if this topic will manage to break through from the clutter of other topics and make a difference. Drew Wilson on Twitter: @icecube85 and Facebook.