Canada Strengthens Data Privacy as EU Eases Rules

With a deep background in drafting and analyzing international trade agreements, Desiree Sainthrope has a unique perspective on the global currents shaping data privacy. As an authority on compliance, intellectual property, and the legal questions raised by artificial intelligence, she is perfectly positioned to dissect the complex conversation happening around digital regulation. We explore the divergence between the European Union’s proposal to simplify its rules and Canada’s trend toward more stringent privacy laws. Our discussion touches on the very real compliance burdens felt by businesses, the counterintuitive idea that simpler rules might offer stronger protection, and the critical challenge of legislating for a future dominated by AI.

The European Commission has proposed simplifying its digital rules to be more “cost-effective and innovation-friendly.” In Canada, what are the most significant compliance burdens for small and medium businesses under current privacy regulations, and what are the specific trade-offs between easing those burdens and protecting individual rights?

For small and medium-sized businesses in Canada, the most significant burden isn’t a single rule but the cumulative weight of a complex, resource-intensive compliance regime. These are not large corporations with entire legal departments. Often, it’s one person trying to navigate a labyrinth of requirements, from data mapping to impact assessments. This creates a real risk of what I call “overregulation”—we ask so much of these organizations for what ultimately amounts to a very limited impact in terms of actually protecting individuals. The trade-off is this: we can maintain a highly complex system that looks great on paper but is so daunting that smaller players can’t meaningfully comply, or we can simplify the rules. Easing the burden might mean sacrificing some granular requirements, but it could lead to much broader, more consistent adoption of core privacy principles, which is arguably a better outcome for everyone.

Some experts suggest that making privacy regulations easier for companies to manage could paradoxically result in stronger protections for individuals. Can you explain the mechanics behind this? Please walk me through a scenario where simplifying a specific rule could lead to a better, more tangible privacy outcome for consumers.

It’s a fascinating but logical idea. The core mechanic is simple: compliance becomes achievable. When rules are straightforward, more companies, especially smaller ones with limited resources, will actually follow them. Imagine a complex rule about data breach notifications that requires a multi-page, legally vetted report to a commissioner for even minor incidents. A small e-commerce shop that suffers a minor breach might feel so overwhelmed by the process that they do nothing, hoping it goes unnoticed. The consumer is left completely in the dark. Now, let’s simplify that rule. What if the requirement was a clear, one-page form for the regulator and a plain-language email to affected customers explaining what happened and what steps to take? The business is far more likely to comply. In that scenario, the consumer receives a timely, understandable warning and can take action. The protection is tangible and immediate, whereas the more complex rule resulted in no protection at all.

While the EU considers rolling back some rules, Quebec’s Law 25 has established a standard that is, in many ways, more stringent. What specific elements of Law 25 create this higher bar, and what can federal lawmakers learn from Quebec’s implementation as they consider a new national law?

Quebec’s Law 25 is a clear signal that the direction in Canada is not toward deregulation. It took effect in 2023, and it’s built on the foundation of the EU’s GDPR but pushes further in several areas, creating a higher compliance bar. For instance, its requirements for privacy impact assessments and the new consent rules are notably rigorous. It demonstrates a proactive approach, specifically designed to address the challenges of new technologies. The key lesson for federal lawmakers is twofold. First, there is a clear appetite in Canada for robust, modern privacy protections. Second, Quebec’s experience provides a real-world model for how to integrate principles for emerging technologies directly into the legislative framework. It shows that it’s possible to create a law that is not just reactive but is built with the future in mind, something that will be absolutely critical for any new federal act.

Given that Canada’s federal trend is toward a modernized, comprehensive privacy law rather than deregulation, what are the key challenges in drafting legislation that effectively governs new technologies like AI? Could you outline the most critical protections that must be included to future-proof such a law?

The single greatest challenge is legislating for a moving target. AI is evolving at a breathtaking pace, and a law written today could be obsolete tomorrow if it’s too specific. The key is to draft a principles-based, technology-neutral framework. Instead of outlawing a specific algorithm, the law should establish fundamental rights and protections. The most critical protections to include would be the right to a meaningful explanation for automated decisions, strong prohibitions on discriminatory or biased outcomes, and mandatory human oversight in high-stakes applications like hiring or credit scoring. We also need clear rules around the data used to train these systems. Future-proofing a law means focusing on the “what” and the “why”—protecting human rights, ensuring fairness, demanding transparency—rather than getting bogged down in the technical “how,” which will inevitably change.

What is your forecast for Canadian data privacy regulation over the next five years?

My forecast is that Canada will continue to chart its own course, diverging from the EU’s potential simplification and moving decisively toward a more robust federal privacy framework. The momentum is undeniable. We won’t see a rollback; instead, we will see a new, modernized national law that replaces our decades-old legislation. This new act will be heavily influenced by the high standards set by Quebec’s Law 25 and will almost certainly include specific, forward-looking provisions to govern artificial intelligence. The national conversation is focused on strengthening, not weakening, privacy rights, and I expect the legislative outcome in the coming years to reflect that very clearly.
