Codes of practice and certification programs are among some of the new regulatory tools referenced in the Consumer Privacy Protection Act, which proposes to reshape Canada’s federal framework for privacy protection and is introduced by the recent Bill C-11.

Under the provisions (ss 76-81), organizations could voluntarily set and enforce norms of practice to establish compliance with the CPPA, effectively giving them a say in defining what compliance entails at the level of implementation and practice. While University of Ottawa Faculty of Law Professor Michael Geist suggests these to be “one of the more controversial aspects” of the new bill, University of Calgary Faculty of Law Associate Professor Emily Laidlaw refers to them as “one of the most interesting provisions in the CPPA."

Since the approval of the Privacy Commissioner of Canada is required for the codes and certification schemes to count toward compliance, government oversight is included under the proposed provisions, which reflect a co-regulatory approach that sits in between traditional government regulation and unmonitored industry self-regulation.

In general, co-regulation aims to combine the efficiency and adaptability of industry self-regulation with public accountability and transparency emphasized by traditional government regulation. It recognizes government as being ultimately responsible for protecting the public interest, with baseline statutory requirements serving as an incentive for businesses to undertake proactive privacy-protecting measures.

Drawing on industry knowledge and expertise, a co-regulatory approach gives industry a role in shaping the rules that would operationalize broadly worded legislation and translating it into concrete indicators for manufacturers and service providers. While detailed law risks jeopardizing tech-neutrality and could easily become obsolete, standards devised by industry could be sector-specific, more adaptive, have faster development than the legislative process, yield rules more likely to be tailored, workable and innovative.

Less adversarial and encouraging greater cooperation between regulators and industry, this approach is especially useful in contexts involving rapid technological development. Industry is also more likely to commit to rules that they help shape, encouraging more compliance. Furthermore, state regulatory authorities always face budgetary constraints. In allowing non-state actors to play a role in monitoring and enforcing compliance, with the state supervising that role through audits and other monitoring mechanisms, co-regulatory regimes could ease state monitoring and enforcement burdens without compromising compliance. 

Given its many benefits, co-regulation is on the rise in privacy legislation. It is endorsed by the EU General Data Protection Regulation, whose Articles 40 through 43 allow industry and other representative groups to establish codes of conduct, certification mechanisms, seals and marks to demonstrate compliance. Recent guidelines issued by the European Data Protection Board and other data protection authorities (e.g., the U.K. Information Commissioner's Office and Ireland's Data Protection Commission) offer useful references when considering the implications of Bill C-11. 

The EDPB defines codes as “voluntary accountability tools which set out specific data protection rules for categories of controllers and processors” ... “providing a detailed description of what is the most appropriate, legal and ethical set of behaviors of a sector.”

Along with data protection impact assessments and certification, codes are part of a suite of accountability tools the GDPR offers. They “encourage code owners to have a direct input into the establishment of data protection standards and rules for their processing sectors.” Their effects are significant. Adherence to an approved code represents a way “to demonstrate compliance with regard to specific parts or principles of the regulation or the regulation as a whole” and “a factor taken into consideration by supervisory authorities when evaluating specific features of data processing such as the security aspects, assessing the impact of processing under a DPIA or when imposing an administrative fine.”

Adherence might indicate “how comprehensive the need is to intervene with an effective, proportionate, dissuasive administrative fine or other corrective measures from the supervisory authority” in case of a breach. Some of the benefits of codes that the EDPB refers to are:

• Creating codes that are context-sensitive: e.g., codes can be drawn up that take account of "the specific characteristics of processing within certain sectors and the specific needs of micro, small and medium enterprises." 
• Creating codes that are flexible: e.g., codes can be "drafted in as narrow or as wide-ranging a manner."
• Codes that are less reliant on data protection supervisory authorities to provide "granular guidance."
• Encourage industry initiatives to develop consistent, best practice rules and solutions for a given sector.
• Promote "trust and confidence of data subjects."
• Provide a "significant and useful mechanism in the area of international transfers." 

To ensure these benefits are met, the EDPB requires code owners to show that the code "meets a particular need” and facilitates the effective application of the GDPR, not just restates it but contains standards and rules that are “unambiguous, concrete, attainable and enforceable (testable),” and provides sufficient safeguards and effective oversight mechanisms. 

It is also worth highlighting the threshold issues the EDPB has outlined that relate to public accountability.

First is the representativeness of a code creator. To be admissible for approval, “a code must be submitted by an association/consortium of associations or other bodies representing categories of controllers or processors.” A “non-exhaustive list of example of possible code owners would include trade and representative associations, sectoral organizations, academic organizations and interest groups.” Implicit in the requirement of representativeness is also the issue of expertise, as code owners must demonstrate that they are “an effective representative body and that they are capable of understanding the needs of their members.” 

Second is the issue of public participation. In relation to the process of code making, the EDPB states “code owners should confirm and demonstrate that an appropriate level of consultation has taken place with the relevant stakeholders,” including “data subjects, where feasible” when submitting a code for approval. To be admissible for approval, “a draft code must contain information as to the extent of consultation carried out,” and if such consultation is not feasible, information about why. Public involvement in later stages of code monitoring may also be possible since the EDPB recognizes “clear and transparent complaint handling and dispute resolution procedures,”  as well as “policies for reporting breaches of its provisions” as part of a code’s oversight mechanisms. 

In analyzing the GDPR’s co-regulatory regimes, some commentators have raised the issue of public confusion when there is a proliferation of certification schemes, each with a varying degree of coverage in terms of compliance, industry or sector, processing scope or territorial scope.

Questions have also been raised about the risk of co-regulation to the independence of regulatory authority. When a regulator becomes involved in approving codes and certification schemes, a potential or a perceived conflict of interest emerges that could compromise its impartiality as a regulator of data controllers.

More critical questions like these will undoubtedly be raised as co-regulation gains greater prominence in privacy legislation. Analyzing the European experience so far could help us unpack similar provisions in Bill C-11 and formulate questions about the bill as it makes its way through the legislative process.  

Photo by Nabil Saleh on Unsplash