Yes. There is no absolute certainty in these matters, but I will give you my sense of what the considerations are.
The bottom line is that I think the committee should give serious consideration to reviewing any gaps or differences that may exist between Canadian privacy law and European law, because ultimately, under the European regulation, Canada's laws will be assessed—at the latest in 2022, four years after the coming into force of the GDPR—as to whether our laws are adequate, i.e., essentially equivalent to European laws.
Now, I say that there is no certainty in this matter because this standard of “essential equivalency” has not been defined very precisely by Europe. We know that equivalency does not mean “sameness”, so Canada's laws will not be expected to be a carbon copy of European laws, but still the standard appears to be quite high. It's one of essential equivalency. There may be some differences, but ultimately the laws should be essentially similar.
There are two areas in which potential differences between Canadian law and European law will have to be looked at. The first area is any differences between PIPEDA and the European regulation, the GDPR. The GDPR adds a few new rights to European law, one being the right to data erasure, which is the child, so to speak, of the “right to be forgotten”. That's one right that does not exist, per se, in Canadian law but exists in European law, and we should give consideration to whether we should bring our law closer to European law, if not to the same place. There is a right to data portability in European law that I urge you to look at.
For Canadian law, as it pertains to private organizations, this is a bit of the landscape. An important development in Europe over the past few years has been a decision of the European Court of Justice, essentially the supreme court of the European Union, which held, in a case called Schrems, that adequacy decisions in Europe should relate not only to privacy laws in other countries that relate to private organizations but also to public sector laws, including laws that govern law enforcement and national security.
What the European Court of Justice said in that case was that U.S. laws, under the previous safe harbour agreement, were not essentially equivalent to European laws for a number of reasons, including the fact that they did not contain criteria of reasonableness and proportionality. I would urge you to have a look at our laws governing the public sector as well for equivalency.
One of the reasons why, in the context of Bill C-51, I recommended that the relevance standard be elevated to proportionality and necessity was the fact that in a few years our laws will be assessed against European laws, and European authorities will give consideration to necessity and proportionality as important factors.