Canada’s digital privacy laws should focus on preventing “concrete harm,” not abstract concepts of autonomy and human dignity, and should minimize the compliance burden on businesses, according to a new report from the Macdonald-Laurier Institute for Public Policy.
Finding the Balance on Digital Privacy: Toward a New Canadian Model for Data Protection in the 21st Century claims that reducing the privacy regulatory burden on business will increase competition and benefit consumers. Internet users generally do not read privacy policies, and requiring businesses and websites to produce them is often a waste of resources, it says.
Report author Solveig Singleton says she was partly motivated by a 2013 position paper from then-federal Privacy Commissioner Jennifer Stoddart calling for stronger enforcement powers. “My sense was that to maintain a more liberal regime would generally benefit consumers because there would be more freely available benefits from the use of data, and businesses wouldn’t be distracted and burdened and have added expenses due to increased regulatory requirements,” Singleton said.
The report comes as federal opposition parties are criticizing the Harper’s government choice for Stoddart’s permanent replacement. It suggests that the Office of the Privacy Commissioner should be retained as an advocate for privacy, but without an enforcement or mediatory role in privacy conflicts.
The government is also under fire over Bill S-4, which would amend the Personal Information Protection and Electronic Documents Act (PIPEDA). Bill S-4 is currently before the Senate, and has not been passed by the House of Commons.
“The Bill I think is actually generally a very sensible one,” says Singleton, vice-president and senior analyst at the Arlington, VA-based Convergence Law Institute. She cites particularly the inclusion of a fraud exemption that would allow the use of data by non-specialist bodies like businesses to tackle fraud cases.
Critics say that the bill would allow private companies to swap clients’ data without consent or notification. Singleton says the new rules will help consumers by increasing competition. “Sometimes you have large companies that have established relationships with customers for a long time, and with data protection rules coming in on top of that, the information about that consumer then stays with the large established firm,” she explains. “It can’t flow through the economy and get to any of that firm’s competitors.”
American retailer Target, which opened stores across Canada in 2013, experienced a severe security breach in late November, with data connected to 40 million credit and debit cards stolen.
Security breach disclosure requirements are one instance in which data protection laws are not “regulatory overkill,” according to the report. “I generally think that as far as privacy laws go the security breach disclosure ones are not a bad thing — they’re focused, they only kick in when there’s actually a problem, and so on,” Singleton says, but they can sometimes focus attention on the errant business rather than on systematic security issues.
The report suggests that Canada should seek to emulate the US regulatory structure, which has a more ad-hoc system without broad data protection law.