Data protection concept. GDPR. EU. Cyber security. Business man using mouse computer with padlock icon and internet technology network on blue background.

Digital regulation can be something of a high-wire act, balancing the efficient use of personal data against the potential for abuse.

This past June, the Office of the Privacy Commissioner of Canada (OPC) reversed their long-standing position regarding the cross-border transfer of personal data. Simply put, they had previously posited that if personal information was being processed for the purpose for which it was originally collected, further consent from the owner of the personal data was not required — even if it was being processed outside of Canada by a third party. Canadian entities could outsource data-processing activities and/or share personal data with affiliates without issue, and firms retained the ultimate responsibility for the safety and integrity of client data.

But the OPC then reversed its position and released a discussion document on the matter. The result was an outpouring of objections from stakeholders, including the Investment Industry Association of Canada (IIAC), which weighed in with a robust submission.

The OPC’s new stance was problematic for myriad reasons. The proposed requirements for consent were unprecedented, even within the EU privacy rules, which are among the most stringent in the world. The reversal would have imposed a sizeable and unnecessary cost burden on the industry, including dealers and other financial institutions that routinely outsource to service providers inside and outside Canada (think payment service providers, cloud service providers, information vendors, and HR and marketing services providers). Institutions would have had to upend their information practices, privacy notices and consent documents to comply with the new requirements. Lastly, practice often makes precedent — using third parties to process data outside Canada is well-established and routine. Trying to shift into reverse now would be tremendously difficult.

In response to this negative backlash, the OPC relented and announced last month a return to their original position. This brought considerable relief to the dealer community, but it may be premature to celebrate this victory.

The OPC, which is still emphatic that existing protections for cross-border data transfers are “clearly insufficient,” will be making recommendations to strengthen the protections in a future law. In addition, the federal government has already joined the fray and called for submissions and input around their proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) in a May 2019 discussion paper, including — you guessed it — regulations related to cross-border data flows.

The larger goal is noble: the proposed legislative changes were created to provide Canadians with transparency on the management of their personal data, giving them better control and access to their information, integrating the federal government’s ten-point “Digital Charter,” increasing consumer trust in the digital economy and bringing privacy laws into better alignment with the expanding and increasingly innovative world of data analytics and artificial intelligence.

However, the reality is much more nuanced and challenging.

If the amendments are implemented, they will result in a more extensive rule framework; a need for substantial investment in systems and technology and reliance on third-party vendors to meet improved disclosure and transparency requirements; and new governance and compliance procedures.

The powers of the privacy commissioner will undoubtedly increase to ensure compliance with the rules and uniform standards of service and protection of privacy and personal data across firms.

As a first step, the privacy commissioner should work closely with the financial regulators of institutions subject to the legislation to coordinate rule-making and compliance oversight. The objective should be to embed new privacy rules as necessary within the existing regulator’s rulebook to streamline rules and compliance oversight by delegating to the existing regulator. Moreover, the portability requirements for personal data will be workable only if institutions have compatible technology for the interface and transfer of personal data, and if firms have confidence that the firm receiving personal data can meet the required standards of data protection. It is clear that the proposed privacy rules, once given final approval, will have to be phased in over an extended implementation schedule to achieve the policy objectives.

All this will add significantly to operating and capital costs of dealers and increase potential liability. As the federal government seeks comment on the proposed amendments to PIPEDA legislation, the investment industry will have to respond vigorously over the coming year or so. While there is no doubt the regulatory framework will expand considerably, the industry must ensure proposed rules are practical, absolutely necessary, make common sense and are not duplicative of existing securities regulation.

But, whether these changes are brought into law remains to be seen, given the upcoming federal election.