How Canada’s cyber-terrorism law could harm Canadian tech companies

Bill C-51 requirements complicate data security for Canadian companies with global reach

Kobo e-readers and apps


Much has been made about how the Canadian government’s proposed Cybersecurity Information Sharing Act, Bill C-51, could make criminals of ordinary people and expand warrantless spying.

But not as much has been said about how the legislation, which the Conservatives are trying to ram through Parliament with little debate, will affect business.

A recent post in the Guardian suggests Canadian companies that operate globally—in this particular case, e-book seller Kobo—could be hurt by so-called anti-terror measures in the same way that National Security Agency spying has negatively affected the interests of U.S. businesses abroad.

In the United Kingdom, for example, supermarket chain Tesco recently shut down its BlinkBox e-book efforts and transferred customers’ purchases to Kobo, which is Japanese-owned but based in Toronto.

According to the post, some Tesco customers opted against the transition because of concerns over what could happen to their data should C-51 come to pass:

While it’s highly unlikely that any Kobo users will end up on a Canadian watchlist, the point remains: ship your data abroad, and it falls into other jurisdictions and other legal systems that you don’t necessarily vote for or understand.

Could Canadian businesses operating abroad face a chill because of local laws? Kobo isn’t quite sure yet how C-51 would play out, as per this lengthy response I was sent:

Canadian legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA) has governed for many years the privacy of personal information of consumers held by the private sector. This legislation was based on OECD privacy standards, which are the same standards underlying UK private sector privacy laws.

Oversight of this legislation has been under the control of a Privacy Commissioner operating at arm’s length from the government, much as the Information Commissioner’s Office in the UK holds a similar role. Kobo has continuously acted in compliance with this law. Like comparable provisions in the UK act, for many years PIPEDA has explicit exceptions allowing disclosure of personal information to comply with efforts related to law enforcement, national security and defence. In fact, the European Commission has declared that Canada’s privacy laws provide an adequate level of protection for personal data.

The newly proposed Bill C-51 does not propose to amend PIPEDA. Kobo is aware of Bill C-51 and will monitor its progress through the parliamentary process. At the present time, Kobo continues to analyse the Bill and it has not determined whether to make representations before government.

It’s questionable whether consumers and governments in other countries are familiar with the finer points of PIPEDA, which means even just the perception of overreaching data-snooping capabilities could be enough to instill a chill.

A number of U.S. companies—notably Google, which European policy makers and regulators have gone after with a vengeance—have paid the price for the NSA’s overzealousness. It would be unfortunate to see the same happen to likes of Kobo and other Canadian companies.