What You Need to Know About Canada’s Privacy Landscape

Data Privacy

Fahad Diwan, Data Privacy Consultant for EY Canada, joins BigIDeas on the Go to discuss his background in data privacy law, the rapidly evolving state of privacy legislation in Canada, and where he sees privacy going in the future.

Data Privacy in Criminal Law

Equipped with a background in corporate law, Diwan chose to take an entrepreneurial path focused on data and privacy law early in his career — within the realm of the criminal justice system.

“I had come across research that showed that if you used machine learning to help decide who we should release on bail we could actually reduce the number of people we detain in jail pending trial without affecting the crime rate,” says Diwan. “And, more importantly, we could reduce the number of people of color that we detain in jail pending trial without affecting the crime rate.”

Diwan hired engineers to help him develop that technology. He raised money, met with government officials in Canada, and saw the same response across the board. “Long story short,” says Diwan, “the idea was too early.”

This initiated Diwan’s transition into the consulting world, where he currently helps companies comply with privacy obligations. “From start to finish, we build out their privacy programs and help them identify and implement privacy technologies that they can use to streamline or automate compliance with their privacy obligations.”

The Federal State of Privacy in Canada

This time, Diwan’s timing was spot-on. “Privacy is going through its renaissance moment in Canada,” he says. “It’s essentially having an upheaval. Since the internet was just getting started, we’ve had the same law in place federally — and that is PIPEDA [the Personal Information Protection and Electronic Documents Act].”

Recently, the federal government introduced a bill — Bill C-11 — to radically change and update existing federal legislation. While Diwan describes this bill as on the “back-burner for now,” he acknowledges that, “sooner or later, companies in Canada are going to have to comply with much more onerous obligations with respect to privacy” on the federal level.

Canada’s Provinces Take the Lead

In terms of Canadian provinces, Diwan says, “we’ve had Quebec implementing new privacy legislation, Bill 64, which is much more aligned with the GDPR [General Data Protection Regulation] and has pretty onerous provisions, as well.

“BC [British Columbia] is trying to update its legislation. Ontario is trying to update its legislation. Alberta is trying to update its legislation. So Canada is going through this period where we’re recognizing that the privacy laws that are currently in place don’t keep up with the state of affairs, and we’re radically changing them to make them more demanding of companies that process personal information.”

Quebec’s legislation is further ahead of Canada’s federal stance. Remarkably, “in Quebec, you have to do a privacy impact assessment [PIA] every time you transfer personal information outside of provincial boundaries — not even national boundaries,” says Diwan. For example, “every time you transfer data from Quebec to Ontario, you have companies that have to do a PIA.”

One way or another, Diwan says, “there will absolutely be some controls on how information is leaving the county. If I were a betting man, I would say that Canada’s new federal sector law would probably align itself closer to Quebec’s current new law.”

Personal Information in Canada

In addition, personal information is very broad in Canada.

“It’s hard to say what is not personal information” in Canada, says Diwan. “It’s any information that could directly or indirectly identify a natural person. That captures pretty much everything — I would say 90% of the data that companies have.”

Bill C-11 also regulates pseudo-anonymized and anonymized data, which goes even further than the GDPR.

Future of Data-Centric Innovation

“Currently what we’re seeing is that the privacy compliance industry is shifting left, so companies are building in privacy controls earlier on,” says Diwan.

Invoking Henry Ford, he notes that, ‘if Ford asked his customers what they wanted, they would have asked for ‘faster horses,’ when what they really needed was a car. Right now, in the industry, many privacy tech vendors are building what I call faster horses.”

What they really need, Diwan maintains, is “innovative thinking that will come from data-oriented companies as the industry continues to shift left.”

Listen to the full podcast to find out more about what innovation looks like — and Diwan’s other insights into how automated tech is replacing manual processes today and in the future.