What Canada's Simple but Effective Privacy Model Can Teach the U.S. | Opinion

As the Congress debates legislative options for national privacy rules, the question of which model to follow becomes critical.

Should lawmakers follow the European Union's recently adopted General Data Protection Regulation (GDPR), with its all-in-one approach? Or build up from the extensive American consumer protection experience? Or replicate state statutes like California's new Consumer Privacy Act on a federal scale?

Lawmakers would do well to consider the simplicity of the 20-year-old Canadian model, where regulators respect privacy as a human right while also appreciating the challenges faced by industry.

Canadian federal privacy legislation adopts 10 key privacy principles, the foremost of which is accountability—that a commercial organization is responsible for personal information under its control. The Canadian model attempts a practical approach to commercial reality, for which the easy exchange of information is vital.

Prior to the adoption of federal privacy legislation, there was broad business acceptance of a Canadian standard that enumerated key principles for the protection of personal information. Those were drawn from principles previously established by the Organization for Economic Co-operation and Development.

But Canadian business at that time feared the administrative costs and burdens. They feared giving too much power to bureaucracy.

So, the Canadian federal government chose a simpler path. Instead of adopting a top-down approach, the government simply attached the broadly accepted privacy principles to a fairly simple law requiring that commercial organizations comply with those principles.

Central to the Canadian approach has been the principle of accountability—that a commercial organization is responsible for the personal information in its possession, including information transferred to a third party for processing.

Accountability means that commercial organizations must apply the 10 principles to their own activities, and they must stand ready to demonstrate their compliance if a regulator calls.

True accountability means taking privacy seriously and incorporating the key principles into all processes that involve the collection, use or disclosure of personal information. It means obtaining appropriate consents and implementing sufficient data security. It also demands being transparent to consumers about the collection, use and disclosure of their personal information, particularly when that information is shared with third parties for purposes that may not be obvious to the consumer.

The Canadian approach has given broad leeway to commercial organizations to craft privacy compliance programs that suit their business needs, on the condition that those organizations can—when called upon to do so—demonstrate that the legal requirements have been met. This is the bottom-up nature of the Canadian model.

In an age of increasing regulatory oversight, accountability remains the most critical component of compliance. It speaks to an organization's culture of respect for the personal information of its consumers, and the organization's commitment to handle it legally and fairly.

The principle of accountability has been recognized as a cornerstone of data protection and in enforcing privacy as a fundamental human right. For example, Article 5(2) of the GDPR requires that organizations subject to the GDPR be accountable for compliance with the basic principles of data protection.

Canada's approach to enforcement has been flexible and low-key. Provincial regulators in British Columbia, Alberta and Quebec, whose laws are substantially similar to the federal legislation and who have order-making powers, were not given the power to level major penalties. In Canada, prevention and compliance continues to be the operative regulatory tool. Privacy by design was championed as the ideal basis for privacy protection. Privacy impact assessments of the effects of new surveillance technologies became standard requirements for Canadian governments. Both concepts have been incorporated into the GDPR.

But things will soon change.

Canada, like the rest of the world, is feeling the impact of the GDPR. In 2001, Canada became the first country outside Europe to be judged "adequate" for the export of European personal information. This important designation means that Canada has long enjoyed greater freedom for international trade with the EU. A status akin to that conferred by the Privacy Shield for U.S. companies. However, by 2020 the European Commission will begin reviewing the adequacy status of those countries who now enjoy it, including Canada. Canada is now feeling the pressure to change its privacy legislation to something more like the GDPR in order to retain that "adequacy" status.

Canadian privacy legislation will doubtless eventually be modified, both federally and provincially, to meet the EU's new standards for the appropriate content of data protection for the 21^st century, as well as global consumer expectations. Data portability, meaningful consent by the individual, and much stricter enforcement with significant penalties are some of the likely attributes of future legislation. The Canadian government has just begun in-depth consultation on modernizing the current law. Data de-linkage or data erasure, both sometimes labelled "the right to be forgotten," are now being litigated before the Federal Court of Canada.

Privacy protection for Canadian consumers will be reinforced. But it will continue to carry the same hallmarks of pragmatism.

America's lawmakers understandably want to have robust standards for privacy protection for their citizens. But to be truly effective and equitable in a world of massive and continuous data flows, those standards must carry the hallmarks of pragmatism. Legislators might do well to see how it's been done in Canada, where regulators respect privacy as a human right with constitutional value while also appreciating the importance of innovative data use and deployment of new technologies for economic prosperity.

Jennifer Stoddart is a strategic advisor in the Privacy and Cybersecurity Group of the Canadian law firm Fasken. From 2003-13 she served as Privacy Commissioner of Canada and previously chaired the Access to Information Commission for Quebec.

The views expressed in this article are the author's own.​​​​​