Author finds Canadian digital privacy protection regime to be overbroad, pitting privacy concerns against freedom of speech, market competition and economic growth

OTTAWA, June 10, 2014 – With the appointment of a new Canadian privacy commissioner, new digital privacy legislation, and a new federal digital-economy strategy for Canada, privacy issues are at the forefront of the policy debate. And who could be against stronger protections for something as important as privacy in this digital age?

Well, what many fail to consider is that data protection regimes in Canada are based on principles that were adopted in haste compared to other legal regimes for information such as copyright and trademark law, which is bound to have unintended consequences. A new report from the Macdonald-Laurier Institute, titled “Finding the Balance on Digital Privacy: Toward a New Canadian Model for Data Protection in the 21st Century”,  finds that Canada’s laws governing Internet privacy are overbroad, and often in conflict with other rights and principles such as free expression, competition and economic growth.

The report’s author, Solveig Singleton, a U.S.-based lawyer who has done extensive research on technology law and policy, urges the federal government to resist calls for a comprehensive approach to digital privacy and instead adopt a less stringent regime for the sharing of people’s personal data.

“There has been little time to consider the comparative advantages, disadvantages, costs, and benefits of different types of data protection and privacy regimes”, writes Singleton. “… Broad abstract rules are unlikely to provide enough clarity to economic actors, and will result in a regulatory regime that is a poor fit in many contexts. ... The best way to avoid this dilemma is to adopt only minimal regulation”, writes Singleton.

Singleton’s report finds that the government’s new online privacy legislation, Bill S-4, largely leaves alone the substantive rules of privacy in Canada, which is positive. She notes, however, that calls for more stringent regulations are unlikely to quiet down anytime soon – one of the reasons why Canada should take a measured approach when considering new digital privacy legislation.

“Data protection law and policy should be informed and anchored by identifying real problems involving concrete harm”, she writes. “Rules not needed to address a concrete problem should be avoided, or be maintained as aspirations, voluntary models, or guidelines”.

Singleton notes that strong data protection regulation often will mean less competition and the loss of the benefits of data sharing. These benefits include: A wider array of products and services, lower prices and better product quality, the availability of free products and services funded by advertising, avoiding the annoyance of irrelevant sales pitches and ads through the use of targeting, and control of fraud and other security risks through data sharing and reduction of costs due to effective fraud control.

“Data protection is not unambiguously pro-consumer”, Singleton writes, but “… no one advocates for goods and services that do not yet exist, or for positive externalities of free data flows not yet captured by an existing business model”

The paper contains several recommendations to guide Canada’s still-maturing data protection regime:

  • Maintain the distinction in Canadian law between privacy rules for the public sector and rules for the private sector. This is important to prevent an unnecessary burden for businesses or, conversely, measures that aren’t strict enough for governments.
  • If only rules necessary to address concrete problems are adopted, the problem of outdated rules or “poor fit” will be minimized.
  • Maintain consistency with substantive legal principles consistent with open markets.
  • Focus enforcement on bad actors, fighting fraud rather than privacy breaches that might cause embarrassment but not real harm.
  • Recognize that data protection law is not sufficiently mature for conventional enforcement methods.
  • In trade negotiations, insist that differences in privacy law between national regimes be tolerated.
  • Ensure that common law concepts – such as the respect of implied consent, rather than explicit consent – inform data protection decisions.
  • In reviewing exemptions from data protection law, Parliament should consider the opinions of those with expertise in competition law, free expression law, fraud enforcement, or contract generally, not simply those of privacy experts.
  • Recognize that the problem of rapid technological change and the complexity of the information landscape are in themselves a compelling argument for minimal data protection regulation.
  • Ensure that potentially conflicting principles and goals such as free expression, competition, and security are liberally accommodated.
  • Allow the Office of the Privacy Commissioner to maintain its advocacy role by leaving it as an ombudsman, rather than asking it to rule on disputes.

# # #

Solveig Singleton is a lawyer and author of many articles on technology law and policy. She is a former adjunct senior fellow with the Progress and Freedom Foundation and director of information studies for the Cato Institute.

The Macdonald-Laurier Institute is the only non-partisan, independent national public policy think tank in Ottawa focusing on the full range of issues that fall under the jurisdiction of the federal government.

For more information, please contact Mark Brownlee, communications manager, at 613-482-8327 x. 105 or email at mark.brownlee@macdonaldlaurier.ca. On Twitter @MLInstitute