Our podcast, Torys in 10, features quick, candid conversations with our lawyers on issues affecting your business: critical changes in the law, deal trends, market and industry developments and more.
Molly Reynolds and Ronak Shah sit down to discuss the Digital Charter initiative, which outlines proposals to modernize Canada's privacy laws. The pair talks about the Charter's principles that will guide future policy making, how much substance there is behind those principles, and what businesses can expect over the next few years.
A full episode transcript follows.
Molly Reynolds: Hi, I'm Molly Reynolds and I'm Privacy Counsel here at Torys. Okay.
Ronak Shah: I am Ronak Shah, I'm an Associate in the Privacy and Technology group at Torys.
MR (00:21): And today we're going to talk about the Digital Charter. So, Digital Charter is a bit of a buzzword now. We've been hearing a lot about it in the last couple of months, but I think there's questions about what this really is and what it means for Canada. So let's jump right in, Ronak, what is the Digital Charter?
RS (00:38): It basically is a set of broad principles, 10 principles, which act as a bit of a roadmap that will inform the Federal Government's policies, programs, and legislative agenda as it relates to data and the digital economy. What it is not, is it's not a new law. It's not a charter in the sense of a Charter of Rights, it doesn't confer any new privacy rights on anyone. So these are basically 10 principles, like almost like an ethical framework and they can be broken down into, I'd say, like four different baskets of principles. The first set of principles are focusing on enhancing the obligations of the private sector. One of the principles is control and the consent principles, the aim of this is to provide more control to Canadians over how their data is shared, how it is used.
(01:37) The second basket focuses on enhancing the public sector's obligations around data and digital innovation. One of the principles around that is looking at making sure that the government is open and digital, so people have access to services more digitally. Another one is looking at data and digital for the good, which basically says the government will use all the data that they have more ethically and employ ethical frameworks.
A third basket is focusing on building public trust. These principles are looking at safety and security and then addressing freedom from hate and violence. The last basket is basically around proactive policy making with a focus on data innovation beyond the regulation functions. Things like universal access to the internet. These principles that the government has outlined are not supposed to be static, they're supposed to be evolving over time and this is just the starting foundation.
MR (02:51): So it all sounds good like laudable policy objectives. Is there much meat on the bones at this stage?
RS (02:58): So at the moment these are just principles that are supposed to guide policymaking and there aren't any concrete short-term plans for the government. The government is looking to do a few legislative reforms, one of them is reforming PIPEDA, which is the private sector privacy law. Another one they're looking at updating [is] the Privacy Act, which governs how the federal institutions manage data. So, there are some legislative reforms, but as we all know, legislative reforms take a long time so it will happen in the next few years but nothing imminent.
MR (03:45): Yeah, it's kind of funny, the document that announces the Digital Charter kind of lauds the Government's implementation of mandatory privacy breach reporting as a major area of privacy law reform. But that took 10 years of consultation and various legislative amendment efforts to get that into place.
So it does sound like it's going to be a long road ahead and you know, at this stage it's been described as a framework, it's being described as a set of ethical principles and a charter but it's interesting because we're still kind of in the consultation phase and really socializing a lot of these ideas. I say it's interesting because we've been in that consultation stage in Canada for a very long time, so this Digital Charter was preceded by a formal consultation process that ran for about six months last year in 2018. Before that the House of Commons Standing Committee was looking at potential amendments to PIPEDA—the private sector law—and online reputation and published a report in 2018 that the Federal Government then issued a response to with potential amendments. And even now, you know, we have probably more detail and more of these categories and principles that you're talking about, but it still really is at the exploratory stage and I think they're at the point of identifying the existing legislation that they might tweak, identifying the different areas of law that might be engaged here, but we're not really seeing proactive proposals for what the specific obligations are going to be. And where we are seeing it, of course, that's really going to be subject to a whole bunch of debate and perhaps, you know, policy changes as this moves from conceptual phase through the consultation and really into more of a legislative amendment or a bill that's actually being debated.
(05:40) But a lot of these principles that are better being addressed in the Charter I think still are relevant and are certainly issues that have been discussed in many other areas for many years. And you know, the charter points, I think largely to the erosion of public trust in the online space and the number of ways that people's information can be used against them or large volumes of commercial data can be used for negative purposes or for harm or fraud.
And that's certainly something we've seen discussed in the news all the time. We see the Cambridge Analytica scandal with Facebook. We see all kinds of coverage of data breaches in the news, deep fakes, fake videos and the sort of viral nature of inappropriate content like the video resulting from the Christchurch shooting. These are social issues. They're issues in the media, you know, it's of public importance and so it makes a lot of sense for the government to be trying to tackle a lot of the issues in one document or in one framework and bring them together. But certainly, it's not going to be a matter of just introducing one bill or your one new law. It really is going to be engaging these various existing instruments that we have. And that's probably going to make it more complicated.
RS (07:04): Absolutely. And I think what is also interesting is this part of it is obviously addressing this issue of a lack of trust in the way data is handled. But I think the other issue is the government wants to make sure that it creates a competitive innovation system and framework that will allow companies to be able to use data. And so there's a yin and yang of trying to be able to provide the protections for the consumer, but also making sure that it doesn't stifle innovation. I think this is a fundamental problem that we've seen: PIPEDA talks about the purpose of it being trying to promote privacy rights, but also innovation. So this is a continuous struggle, I think legislation that wants to allow innovation kind of struggles with. So the focus being both data privacy and data innovation I think [it will be] interesting to see how it develops into action.
MR (08:09): And there's some interesting international components here too, right? So, in addition to this pretty lengthy consultation process that Federal Government and House of Commons Committee were engaged in over the last few years, as part of this project, the government was looking at international standards and approaches as well. So they looked at the OECD Digital Government project, they looked at some G7 initiatives that had been underway in terms of international principles for data governance and digital innovation and fostering innovation. And of course, we've been talking a lot about international trade obligations recently, too. And how, you know, a domestic approach to digital governance can really play into those international obligations.
RS (08:54): Especially in the white paper that they released that discusses the private sector reform—the proposed private sector reform—a reoccurring word was interoperability. And I think that that sense of being able to continue data flows and making sure that Canada's digital strategy is in line with our global partners is something that is seen both in the Digital Charter through like things like data portability and open banking. But also in specifically in say this white paper as well, where they talk about wanting to make sure that there's like data flows there and wanting to be aligned with the EU, especially with their change in legislation with GDPR. I think a part of the impetus behind some of this legislative reform is to make sure that we continue to keep our adequacy standing.
MR (09:58): And let's talk about that a little bit in terms of what the next steps are. So, in terms of this adequacy standing, we know that Canada has been deemed by the EU Commission to have private sector privacy laws that are effectively equivalent to EU laws. And that allows us to have a free flow of data between EU countries and Canada, which is great for innovation and great for multinational businesses. That's coming up for review in 2020 by the EU Commission with the new GDPR and heightened privacy rules in the EU. So, what does that mean in terms of timing for legislative reform under the Digital Charter or amendments to Canada's privacy legislation as a result?
RS (10:42): In my discussions with ISED [Department of Innovation, Science and Economic Development], they were saying that they want to have a consultation process that will continue until the end of the summer. They're welcoming organizations' feedback on the reforms that are proposed in the white paper for PIPEDA. Then depending on the EU adequacy report that comes out in early January next year, that would be the starting point of the legislative amendment process. I think in the short term obviously organizations can provide their input to the consultation. But in the long term we probably won't see any major change for another two or three years. If we use Japan or South Korea as the adequacy example, because when the EU and Japan got into negotiations for their adequacy standings it took two or three years. I think any private sector would take them that long.
MR (11:55): And it's funny, it's easy—we're in an election year—to say, you know, all of this is great to put out publicly, but this might change after the election. But I think your view, Ronak, was that these are continuing issues, right? Public trust, maintaining free flows of data with international partners, it's going to be an issue for any government, any political party. So we may be in this lengthy consultation process, we may be in this legislative reform process for a few years, but it's unlikely to get dropped entirely. That's really one of the reasons why it's relevant to understand the framework in this charter because it's unlikely to just disappear.
RS (12:31): Absolutely. I think these issues are not going to go away. It's going to be an interesting space to watch in the next few years and we're looking forward to continuing this discussion over the next few years.
MR (12:47): Absolutely. We do have a detailed bulletin already online on the Digital Charter, if you want more information.