TORONTO — Canadian tech companies say they are patching together their own standards, mostly borrowed from European laws, to guide them through the limbo of prorogation.
When Prime Minister Justin Trudeau prorogued Parliament until March 24, that automatically wiped tabled cybersecurity, privacy, artificial intelligence, data and online harms bills from the agenda.
Tech companies which had eagerly been watching them wind through Parliament were then faced with the reality that for these bills to become law, they would have to be reintroduced and go through readings and debate once more or be reinstated at their previous stage through unanimous consent of the House or a motion to that effect.
"It's another kick down, right?" said Will Christodoulou, co-founder of Toronto-based fintech startup Cyder.
"It's going to have to get reread in Parliament and going to have to go through all those processes again ... but it's like, when is that going to be?"
While companies wait for Parliament to reconvene and then decide which bills to revive, many say they are choosing the most advanced and strict international regulations to abide by.
In most cases, those regulations come from Europe.
"A lot of things they do, we typically would just copy," Christodoulou said.
Patricia Thaine, the co-founder and chief executive of data protocol firm Private AI, agreed.
Without updated Canadian legislation, she said most large companies will likely comply with the most stringent regulations — namely the European Union's General Data Protection Regulation — and then make adaptations for other markets they're in with more local requirements.
GDPR is an expansive piece of legislation that requires anyone handling the data of EU citizens or residents to only keep personally identifying information for as long as necessary and ensure any processing prioritizes security, integrity, and confidentiality.
Violating the law comes with high penalties that max out at the higher of €20 million or four per cent of global revenue. Users also have the right to seek compensation for damages.
Bill C-27 was set to modernize Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), which dates back to 2000 but had one of its last major updates in 2015.
The bill would have created three new acts rooted in consumer privacy, data protection and AI guardrails. Increased fines for certain serious contraventions of the law would be the higher of five per cent of gross global revenue or $25 million.
Thaine said she saw value in Bill C-27 because PIPEDA fines are "pretty low, so there isn't that much incentive for companies to actually comply with data protection regulations."
"It's a pretty outdated legislation that we're dealing with here and I worry as a Canadian about what data-handling practices are out there for the data that we provide to companies," she said.
She also saw it as important for the country to offer direction around AI.
"Not having an AI legislation itself just really lets companies decide for themselves what it is that they need to do, which ... can lead to certain questionable decisions," she said.
But Antoine Guilmain, a partner at Gowling WLG and co-lead of the firm's national cybersecurity and data protection law group, argued "it's not like there's nothing in Canada at the moment."
PIPEDA is "not as modern as we would like it to be" but "it's still something that works," he said.
The federal government also has a voluntary AI code of conduct any organization can sign. Signatories promise to outfit their AI systems with risk mitigation measures, use adversarial testing to uncover vulnerabilities in such systems and keep track of any harms the technology causes.
Then, there are the provinces filling in the gaps. Guilmain pointed to Law 25 in Quebec, which requires organizations to have privacy officers, report privacy breaches and increase transparency and consent required to collect personal information.
The law can be used as a reference for organizations who were watching Bill C-27 along with Bill C-26 and Bill C-72.
Bill C-26, which made it all the way to the Senate before it was amended and sent back to the House of Commons, would have boosted cybersecurity requirements for federally regulated industries.
Bill C-72, which made it to its second reading at the House of Commons, would have made it easier for information to be securely shared between health care providers, patients and tech firms offering medical services.
Robert Fraser had his eye on the interoperability bill because his Vancouver-based firm, Molecular You, offers personalized health assessments that often rely on medical data.
Interoperability has long been "a challenge" in Canada, especially when the country is compared with the U.K. and U.S., where Fraser has observed more progress.
"Time doesn't seem to matter so much in Canada. We take a leisurely pace," he said.
"I'm sure politicians are working very hard and lawmakers the same, but it's frustrating, I think, to an industry that really wants to get things done. We don't have all the time in the world."
This report by The Canadian Press was first published Jan. 17, 2025.
Tara Deschamps, The Canadian Press
