Europe’s privacy law tells a cautionary tale for Canada’s Digital Charter

It's time for Canada to act.

Unnecessarily complex rules, staggering regulatory costs, and barriers to innovation and small business are just a few of the pitfalls that Europe is facing as a result of its privacy law—the GDPR.

As Canada prepares to reform its own private sector privacy law to implement key aspects of its Digital Charter, ignoring the pitfalls of the European experience would be a serious mistake.

Although the GDPR was a significant step forward in drawing awareness to privacy and data protection around the globe and introducing new privacy rights and protections for consumers, it has proven to be much better in theory than in practice. Once heralded as the gold standard for the world to follow, the last three-and-a-half years have revealed a cautionary tale of negative consequences.
There is a growing understanding—even among some of its original drafters—that the GDPR’s pitfalls are stifling innovation, overwhelming regulators and creating complexity for consumers.

A new report Privacy Law Pitfalls: Lessons Learned from the European Union compiles findings from more than 30 third-party research reports and commentaries that highlight where the GDPR went wrong. Among the major findings:

A staggering regulatory burden. Two-thirds of European member countries don’t have the human, financial and technical resources to effectively regulate the full set of requirements of the EU’s new rules.

Stifled innovation. Organizations in the EU are diverting significant resources to understanding and interpreting the law’s prescriptive provisions at the expense of creating innovative new products or investing in international expansion.

Steep hurdles for small business. Small and medium-sized enterprises have been the hardest hit, experiencing challenges in interpreting and understanding the law’s complexity at a time when consumer data is critical to their ability to compete and contribute to local economic growth.

Consumer complexity and fatigue. Consumers in the EU are suffering from increased “consent fatigue,” being less likely to carefully review notices and make informed decisions. They are also facing a slow and overly complex complaint resolution process as it relates to cross-border cases.

Canada’s current privacy law, known as PIPEDA, has been guided by the dual objective of protecting consumer privacy and enabling responsible data use and innovation for years. For more than a decade, PIPEDA served as the global gold standard in privacy law. But it needs to be modernized.

With Canadians—and our economic recovery—so reliant on the digital economy, the stakes are high. We can’t afford to get this wrong. We need to borrow from the strengths of other laws—including the many aspects of PIPEDA, that have stood the test of time. And we must avoid the GDPR’s pitfalls to provide something more effective and practical for Canadians.

If we get this right, our made-in-Canada approach can serve as the new global gold standard, re-establishing Canada as a leader with a law that protects consumer privacy while preserving the enormous social and economic value of data to Canadians.

Protecting consumer privacy is fundamental and must continue to be at the core of Canadian privacy law. Consumer loyalty and trust is the foundation for business success, and organizations know that strong privacy and data protection practices provide a competitive advantage in today’s data-driven economy.

At the same time, the pandemic has underscored the need—and widespread appreciation—for the value data adds to our daily lives. As consumers, we spend much of our time interacting with technologies, products and services that are fuelled—at least to some degree—by data.

As we interact online more than ever before, we need to ensure consumers have modernized protections, and that Canadian businesses have a balanced framework with clear rules to spur innovation to compete successfully at home and globally.

The GDPR’s pitfalls show us that rigidity and complexity create extensive hurdles for businesses, governments and consumers alike, and Canada needs to take a more proportionate and less burdensome approach.

Other jurisdictions have already begun to take steps to learn from the GDPR’s shortcomings. The U.K. has seized a post-Brexit opportunity to backtrack on the GDPR by consulting on how it can implement “a more pro-growth and pro-innovation data regime”—one that takes a more principles-based approach to better support the U.K.’s growing digital economy.

In early 2022, the U.K. government, indicated its intention to create legislation that establishes “a more proportionate and less burdensome data rights regime compared to the EU’s (GDPR).”

It’s time for Canada to act.

Our policy-makers have the capability to modernize privacy protection without creating hard barriers to essential aspects of business in the digital age.

The future of our digital economy depends on it.