European Union flags flutter outside the EU Commission headquarters in Brussels.Francois Lenoir/Reuters
Matt Malone is an assistant professor at the University of Ottawa Faculty of Law and the director of the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic.
Building up Canada’s trade relationship with the European Union has become an imperative in our new economic security paradigm. While the EU’s approach to regulation – often, over-regulation – is not without its drawbacks, the erratic spasms of the Trump administration have reminded many Canadians about the importance of having trading partners who exhibit trustworthiness, a commitment to democratic values and respect for the rule of law. Many have turned their attention to Europe.
Securing Canada’s trade relationship with Europe, however, will force us to grapple with an issue we have ignored for years: our anemic privacy and data protection laws.
Europe has taken an aggressive role as a norm-setting power in international governance when it comes to privacy and data governance. The European Commission has the power to make so-called “adequacy” decisions – determinations that foreign jurisdictions “adequately” protect Europeans’ data when it flows out of the EU to other countries.
While it may sound dully technical, in the data economy, securing an “adequacy” decision from the EU is a vital prerequisite to a strong trading relationship.
Canada received such a blessing in 2002. Since then, that decision has been repeatedly renewed. But more recently, European regulators have been eying with concern Canada’s weak privacy and data protection laws. While they viewed with hope a potential update to our outdated private-sector privacy legislation, those reform efforts failed twice, most recently with the prorogation of Parliament.
European regulators have also indicated concern about intelligence-sharing practices. Recent history suggests those concerns are primarily focused on the conduct of U.S. law enforcement, intelligence and national security agencies.
Canada has ignored these concerns for years. For example, last fall the federal government tried to pass a bill ostensibly related to cybersecurity for critical infrastructure, which oversight actors such as the Intelligence Commissioner warned would allow “regulators to carry out the equivalent of unwarranted searches.” The Privacy Commissioner observed that the proposed law “may attract scrutiny of Canada’s adequacy status” with the EU.
The Communications Security Establishment, Canada’s signals intelligence agency, insisted it needed the new powers to protect and beef up its intelligence-sharing work with the United States – precisely the type of activity the EU has been eyeing with concern.
The episode was representative of the federal government’s inattention to the real risks to Canada’s economy that would stem from a revocation of the EU’s adequacy decision.
Instead of bolstering our privacy and data protection laws to safeguard this framework, we have been designing our laws to suit the demands of the United States. Under the first Trump administration, Canada’s negotiation of the USMCA saw the government sign away our rights to impose meaningful restrictions on data flows to the U.S., require localization of sensitive data in Canada and mandate disclosure of source code.
Now that it is clear that trade agreement may not be worth the paper it is written on, politicians may want to take note. Many of the privileges we forewent in the USMCA enjoy wide support. For example, data localization is extremely popular with Canadians. Although it can hurt competition and concentrate state power in concerning ways when done improperly, it can also reassert our sovereignty.
This is part of a bigger issue. As Canada grasps the magnitude of pivoting away from its U.S.-dependent trade posture, we must simultaneously recognize that we now live in a world where data is a strategic and economic asset.
Unfortunately, we have wasted too much time over the past decade leaning into the wrong approaches. Canadian tech policy has focused on giving enormous handouts to programs that underperform (with little to show for it except asking them politely to spend the money in Canada), establishing tech centres in places where vote efficiency secures majority governments and augmenting the privacy rights of corporations instead of citizens.
The federal government’s track record of appointing soporific regulators has produced depressing results, not only in privacy and data protection but related areas such as transparency, telecommunications and consumer protection. It is by design that Canadian watchdogs move at the speed of frozen molasses: For doing so, they often get rewarded with reappointments.
The failure to take these issues seriously is now catching up with us. Canada finds itself in a situation where it must simultaneously assert its sovereignty while protecting vital trading relationships. On both fronts, our economic security would benefit from real privacy and data protection law.