Hear from prominent industry experts on the state of play and what’s next for the sector in our feature Q&As from Claudette McGowan of Protexxa and Talia Abramowitz of Deloitte Ventures.
Privacy advocates, regulators and policymakers often claim that enhanced privacy and data security give companies a competitive advantage, asserting that this builds consumer trust and loyalty, enhances reputation, and increases investor confidence.
The recent privacy laws reform in Québec guarantees to put this premise to the test. Indeed, with the adoption of An Act to modernize legislative provisions as regards the protection of personal information1, more commonly referred to as “Bill 25”, the Québec legislator has adopted a privacy regime that goes well beyond the Canadian standard, particularly with respect to requirements related to consumer consent, transparency—including around automated decision-making (ADM)—and restrictions on profiling and targeted marketing. As a result, Québec’s substantial sector of startup and growth-stage tech companies, along with the large percentage of small- and medium-sized businesses that drive the Québec economy, are now having to comply with these stringent laws, which, in many cases, is no small feat.
Will these new requirements give Québec-based startups a competitive advantage over their peers in the rest of Canada or the U.S.?
Privacy-oriented companies—a better investment?
Bill 25 requires companies of all sizes to have robust internal privacy management frameworks. These frameworks must include a number of policies and processes related to the protection of personal information, employee training, a designated privacy officer, contracts with vendors that meet minimum privacy requirements and the ability to verify that these vendors comply with their obligations.
While these are best practices across Canada, many startups may not have the resources to implement mature compliance programs until they have a significant customer and revenue base, which may only come when the company already holds an important amount of personal information. This creates space for non-compliance and significant regulatory risk.
On the other hand, privacy program maturation is a common post-closing condition from investors. Investors will want to avoid having to bear the costs (in terms of time, human resources and capital) of implementing an adequate compliance program. A well-maintained program can also reduce the risk that data or technology will not be used in compliance with the law. Added to these benefits is a lower risk of fines or litigation for the future, but also for the past, especially since decision #2002-005 of the Privacy Commissioner of Canada2 (commonly referred to as the “Marriott” decision), where the acquirer of a company was held responsible for pre-existing flaws in the target's data protection infrastructure. As such, having a comprehensive privacy program at an early stage may make Québec startups a better investment target for VC firms.
What about commercial growth?
A considerable part of a tech startup’s value may lie in the customer information it holds. While consumers may appreciate the new transparency requirements, which give them more visibility into how their information is used and shared, and more control over how it can be used to market to them across platforms, Bill 25’s new privacy requirements may make it more difficult for small and medium enterprises, including startups, to sign profitable data-sharing agreements—which are a frequent occurrence, for example, in the loyalty or fintech space—making them less appealing to acquisition by companies that want to combine or use this data in new ways. It may also make it harder for such businesses to market to prospective customers compared to their peers in the rest of North America.
Are enhanced privacy requirements a barrier to innovation?
Bill 25’s enhanced privacy requirements may also hinder the ability for businesses to use new technologies, which aim to simplify processes and increase productivity. As an example, many artificial intelligence and machine learning applications involve automated decisions based on personal information to quickly onboard customers, process applications or otherwise operate their technology. Bill 25’s new requirements include an obligation to notify consumers of these automated processes and give them explanations, on request, of how the processes work. While these additional requirements may enhance trust and attract increasingly better-informed customers, it may be more burdensome for smaller organizations to provide sufficient notice. These organizations may also not be able to explain their ADM processes.
This issue creates additional risk of reputational harm and possible financial penalties for companies with more limited resources, such as start-ups, and may thus slow down the use of cutting-edge technologies by these companies.
Will Bill 25 act as a deterrent to foreign companies and investments?
Finally, looking outside Québec, there is a risk that these legal reforms will discourage other Canadian or American tech firms from offering services to Québecers, just like it has long been the case with contests, which were closed to Québec residents due to stricter regulatory requirements in the province. It is questionable whether international firms will see the competitive advantage of aligning with the Québec law, bearing in mind that it is also typically very difficult to apply different rules from different jurisdictions to data. However, while this could deprive Québecers of access to some innovative products, it could also open the field for Québec tech firms to capture the market if their compliance posture is seen as favourable by the market.
The impact that the privacy laws reform will have on the Québec economy, and whether or not Québec companies will benefit from a return on their investment, remains largely to be determined. However, while it is expected that the governments of other jurisdictions, including other Canadian provinces, will follow suit in strengthening individual privacy rights and data protection requirements, there is no doubt that this development will be closely monitored by governments, regulators and organizations across Canada and elsewhere.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.