Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
As the seismic shifts in world trade continue, the impacts are being felt across the board in Canada. As IAPP Managing Director for Canada Kris Klein mentioned in last week's digest, the suggestions of Canada becoming "the 51st state" and the threat of tariffs led to a dramatic shift in fortunes for the Liberal Party, with them forming the new — albeit minority — government, as of this past Monday. We can anticipate, therefore, that some of the initiatives commenced by the government may continue, notably efforts to diversify trade.
Innovation Science and Economic Development Canada, the country's trade ministry, has commenced consultations on implementing the Global Cross-Border Privacy Rules, an expansion of the Asia-Pacific Economic Corporation Cross-Border Privacy Rules. Consultation feedback must be submitted by 30 June.
The CBPR, in short, are a principles-based framework for privacy management. It is a government-backed privacy certification that provides consistent protections for personal data, consumer rights and a complaint resolution mechanism. To join, companies must be assessed by an accountability agent and agree to submit to ongoing monitoring. The CBPRs are also referenced by the Canada-U.S.-Mexico Agreement as a valid mechanism for cross-border transfers.
Accountability agents are the essential mechanism for the CBPRs by which companies certify and maintain certification under monitoring provided by the agents, as well as ensure complaints resolution. While Canada belongs to the CBPR and is a founding member of the Global CBPR Forum, it does not have an accountability agent, which has inhibited Canadian businesses' participation in the CBPR thus far.
This is a chicken-and-egg dilemma. Without accountability agents, awareness of the CBPR as a vehicle to enhance trade remains low, and without demand, it isn't easy to see accountability agents entering the market.
So, the challenge for the Canadian government will be to resolve this by creating incentives for accountability agents to be established, and for Canadian businesses to use them. Models vary from the U.S., which has a number of private sector agents, to South Korea and Japan, which rely on government or nonprofit agencies as agents, to Singapore which uses a hybrid system.
It is no accident that ISED has responsibility for our privacy legislation. It was after all due to the EU Privacy Directive that our federal privacy law, the Personal Information Protection and Electronic Documents Act, was enacted, to attain adequacy and continue the flows of data and thus trade between the EU and Canada.
The CBPR was not considered sufficient for adequacy purposes when Japan's adequacy determination was being made, so initially the adequacy finding excluded onward transfers. Subsequently, additional measures were identified that must be implemented to address the risks of onward transfer. This is a consideration Canada will have to think about, given our ongoing questions on trade with the U.S. and our reliance on U.S.-owned infrastructure, and in light of our own recently renewed — January 2024 — adequacy with the EU's General Data Protection Regulation.
What does this mean for Canadians and Canadian businesses? There is no question that there is some urgency or at least some pressures in this exercise, as Canada seeks to expand trade with other countries — data goes with trade.
It is interesting to see that Canada wants to participate fully in the CBPR. It also represents a fundamental shift — or return to roots — that one of the critical functions of privacy professionals is to support Canada's trade by enabling trust with businesses and consumers in our partner trading nations.
I am delighted to say I will be speaking on a panel on this very topic, along with Office of the Privacy Commissioner of Canada Manager, Policy and Research Laura Crestohl, CIPP/C, and TrustArc Senior Assurance Program Manager, AI and Global Privacy Maciej Piszcz, CIPP/C, at a special joint meeting of the Toronto, Vancouver and Victoria KnowledgetNet Chapters 22 May.
And before then, it will be great to see the Canadian privacy profession gather again at the IAPP Canada Privacy Symposium 2025, less than two weeks away. See you there.
Constantine Karbaliotis, AIGP, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP, is counsel at nNovation.
This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
