On September 22, 2021, the Quebec government adopted Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, enacting significant changes to the requirements governing the use and protection of personal data in Quebec.
Bill 64 grants Quebecers significantly increased rights and control over their personal data. The bill requires that data processors (from Facebook to Uber Eats to the smallest operation with a digital presence in Quebec) offer privacy settings which ensure that users’ personal data is protected at the “highest level of confidentiality by default“, without any intervention by the user. In other words, a company like Facebook would not be able to extract a user’s personal data unless that user opts into Facebooks personal data tracking regime on his own initiative. This approach goes beyond the European Union’s (EU) GDPR’s “privacy by design” regime in that in the new Quebec scheme, the highest level of personal data protection is the default setting in which all tracking cookies are turned off.
Quebec is clearly betting on the “Brussels Effect” with this rigorous new personal data privacy legislation. The “Brussels Effect” refers to the EU’s power to influence the regulation of global markets – particularly global digital markets.
The Brussels Effect in the context of Canadian jurisdictions’ recent (and forthcoming) efforts to update their privacy legislation, refers to the voluntary adaption of the EU’s landmark data-privacy law (the GDPR) aimed at restricting the ability of data processing companies to collect personal data from users without their explicit consent. The EU law took effect in 2018 and on January 4 of this year, Meta (Facebook and Instagram’s parent company) was hit with a $414 million (USD) fine for violating the GDPR by burying its request for consent to use an individual’s personal data deep in the fine print of its massive “terms of service” document. In other words, European users were being forced to consent to having Meta use their personal data for personalized advertising in order to have access to any of Facebook’s features. The EU court ruled that this violated the GDPR and Meta has until April 4 to comply.
Quebec was told loud and clear by business lobby groups that a personal data protection scheme that was more rigorous than the GDPR’s could come at an economic cost. Nevertheless, the Quebec government ignored them.
What Quebec is surely counting on is that as the European operations of the giant US and Chinese data processors (not to mention the European data processors, themselves), are forced to comply with their new GDPR obligations regarding explicit consent for the use of personal data, the de facto global privacy standard for digital operations of all sizes will become the GDPR. That is, after all, how the Brussels Effect works.
Will the federal government and other provinces follow Quebec’s privacy path?
Of course, there are a myriad of reasons (cultural, economic and political) why Quebec might be more comfortable adapting EU digital standards than other Canadian provinces or the federal government. The big question for Canada, therefore, is whether any other province will follow Quebec’s more stringent approach to personal data privacy and whether the federal government will toughen up its proposed privacy regime in its Bill C-27 (now at second reading in the House).
There is, in fact, a strong long-term economic argument for the provinces and the federal government to align their privacy laws with those of the EU and reject the corporate arguments that such laws “stifle innovation”, are not “technologically neutral”, and are “overly prescriptive” (as opposed to “principles-based”).
The jist of that argument is this: If one looks five to ten years into the future, it is a good bet that not just the GDPR, but a whole raft of new EU laws regulating the digital realm, will become the new global standard and jurisdictions that embrace these rules now, will prosper in the future.
That said, private sector data processors such as Google and Facebook have both short-term and long-term objectives. It is certainly very clear that in the short-term, technology companies (of any size) that derive a good part of their revenue from the $500 billion personalized online ad market, do not want to be forced to ask their users in simple, straightforward language, whether or not they will allow their personal data to be tracked all over the internet to be used to sell them personalized ads. After all, as of 2022, Facebook derived 97.5% of its revenue from personalized online ads and Google 80%. Those companies (and many, many others) do not want dramatic changes in the personalized online ad market in the next three to five years! They know that when Apple gave iPhone users the choice to be tracked or not in 2021, it cost Facebook $10 billion in lost revenue and other platforms billions more!
Put bluntly, companies like Meta and Alphabet (Google’s parent company) believe they need time before privacy regimes are strengthened to diversify away from the world of personalized ads and tracking cookies.
As a result, much of the digital world is fighting EU style digital regulation tooth and nail (witness the bully boy tactics of Meta and Google in opposing Bill C-18 in Canada. That is why groups such as the Canadian Marketing Association (CMA) are such aggressive advocates of Bill C-27 which stops well short of the GDPR privacy standard. Groups such as the CMA are anchored in the present online ad economy and have difficulty imagining a future in which personal data can’t be easily tracked and used for personalized ads!
So it is understandable that, unlike Quebec, most Canadian jurisdictions may prefer not to stray too far from the comfort zone of Big Tech at the present moment.
Understandable, perhaps, but ultimately short-sighted. As mentioned above, the tech scene five to ten years from now will likely be very different from today’s with the online ad market playing a greatly reduced role in digital enterprises. The EU’s GDPR (along with Apple’s anti-tracking moves) are certainly beginning to have an impact and the internet is beginning to evolve in the direction the EU intended with their digital regulations. For example, on February 19, Meta announced that it was starting a subscription tier of Facebook and Instagram for $11.99/month. And Twitter announced a new $7.99 subscription tier several months ago. Most observers believe these moves represent long-term attempts by Meta and Twitter to diversify away from their online ad-based revenue streams – as is Meta’s previously announced deep dive into the Metaverse.
And in the long run, there will be only three digital regulation regimes – and one of them will be China’s. Assuming that Canada does not want to align itself digitally with China, that leaves a choice between the EU and the US.
The truth of the matter is that the current American effort to regulate tech is too modest and too fragmented to provide a coherent set of standards for long-term tech business operations. A policy is only as strong as the institutions backing it. While the individual components of the EU digital regulatory framework are part of a larger, holistic effort by the EU to shape the digital ecosystem in the Union and beyond, US legislation such as the Innovation and Choice Online Act and the Open App Markets Act, constitute only fragmented attempts at tech regulation – and the prospects of even this limited legislation getting through a bitterly divided US Congress is uncertain.
There is another important truth – giving individual users more say over how their personal data is used (or not used) is very popular with the general public. And governments know this – even those governments that are unwilling to go the EU route at the present moment because of their fear of a tech political backlash.
At the present moment, the EU may seem antagonistic to Silicon Valley, but in reality the EU has identified a lack of governance in the international technology sphere, and has simply stepped in to fill this vacuum. In the process, they are imprinting the digital world with their vision of a fairer, safer, and more democratic internet – one that protects privacy rights, staves off disinformation, and promotes a competitive market.
The beginnings of a move away from ad supported business models towards subscription models by Meta and Twitter are examples of the impact of EU legislation.
Of course, technology policy does not have to be dominated by the EU. But despite some bipartisan support, the US legislation cited above has stalled in Congress. It is possible that the United States could redouble its efforts and pass this legislation as well as complementary legislation that would provide a comprehensive alternative to the EU regulatory tech package – but it is unlikely. Meta, Google, Amazon and a vast economy rooted in the personalized online ad industry, are fiercely resisting short-term changes in the US, even if they envision a long-term future where EU-like digital policy is the global norm.
Meanwhile, Quebec clearly has no interest in waiting around for the US to gets its digital regulation act together. At least on the personal data privacy front, it has gone one step further than even the EU’s GDPR with the most consequential changes to kick in as of September 30, of this year!
Federally, on its second try (remember Bill C-11?), the Liberal government appears to be content with legislation (Bill C-27) that falls somewhat short of the GDPR privacy standard. And while the third and fourth parties in the House (the Bloc and NDP respectively) appear to be more comfortable with the GDPR approach than the governing party, they also seem committed to voting for the legislation – perhaps after some very significant amendments.
And Poilievre’s Conservatives? Depends on the day and the speaker….
In any case, Bill C-27 will likely be going to committee in the coming weeks where a final version of the bill that can command a majority in a House vote, will be cobbled together.
And provinces other than Quebec? Are they likely to think long-term and go with EU digital standards like Quebec, or will they take their lead from Bill C-27 and not unduly upset Meta, Google and the Canadian online ad industry which takes barrier-free access to personal data as the natural order of things?
Probably a mixed bag with most provinces likely deferring to the updated federal privacy regime of Bill C-27 (Only B.C., Alberta and Quebec currently have their own private sector privacy regimes).
Ontario is of some interest as it currently lacks its own private sector privacy law but floated the idea of developing its own regime in a detailed discussion paper tabled two years ago. Little has been heard from the Province on the matter since then.
But B.C. has a longstanding provincial privacy regime and just over a year ago, an all-party legislative committee produced a report calling for the harmonization of revised B.C. privacy standards with the GDRP (yet to be introduced).
Without question, B.C. will be very interesting to watch on the privacy front!