Privacy Law Pitfalls

Lessons Learned from the European Union

In 2022, the Government of Canada is expected to introduce legislation to advance its Digital Charter and strengthen privacy protections for consumers. 
 
This legislation will replace a made-in-Canada law (the Personal Information Protection and Electronic Documents Act, known as PIPEDA), which served for more than a decade as the international gold standard for the protection of personal information but now needs to be updated.
 
The CMA has prepared a detailed report: Privacy Law Pitfalls – Lessons Learned from the European Union – that compiles critical analyses of the European Union (EU)’s experience with its privacy law, the General Data Protection Regulation (GDPR), which took effect in 2018. The report is a cautionary tale for Canadian policymakers to avoid the serious negative consequences that have resulted—for governments, consumers and organizations alike—from the GDPR’s overly complex, prescriptive or otherwise disproportionate provisions. The European Union’s troubled experience with its data privacy law is one of the chief reasons that the Canadian Marketing Association is calling for another made-in-Canada balanced approach to privacy law reform.

Although the GDPR was a significant step forward in drawing awareness to privacy and data protection around the globe and much has been written on its benefits, the report focuses on pitfalls for other jurisdictions to avoid. The report compiles a growing body of research and commentary— including from some of the law’s original drafters—in the following seven areas. Creating a staggering regulatory burden.

1. Hampering the ability of organizations to innovate and contribute to economic growth
2. Disproportionately impacting small and medium-sized enterprises
3. Creating complexity for consumers
4. Triggering other inefficiencies and unintended consequences
5. Suppressing emerging technologies
6. Obstructing cross-border business 

These pitfalls underscore the importance of ensuring that Canadian privacy law continues to be rooted in an administratively workable, principles-based legislative framework that promotes a technology- and sector-neutral approach to privacy, helping to ensure flexibility in the face of rapidly evolving technologies, business models and consumer expectations. They also illustrate the importance of ensuring privacy law continues to be guided by a balanced purpose statement that enables organizations to use personal information to conduct essential aspects of business in a manner that improves the lives of individuals, while protecting their privacy rights.

A made-in-Canada approach to privacy reform—one that balances effective privacy protection with the enormous social and economic benefits of data to Canadians—will enable Canada to reclaim its reputation as a global leader in protecting citizens’ privacy while fostering innovation by business.

Download the full English report with detailed research findings.

Access the French synopsis of the report.