Schwartz Reisman Faculty Affiliate Avi Goldfarb, professor of marketing at the Rotman School of Management, comments on aspects of Canada’s newly-proposed privacy law reform. This piece is the fourth in a series of posts on the features, implications, and controversies surrounding privacy law reforms in Canada and around the world in an increasingly digital and data-rich context. — *Schwartz Reisman Faculty Affiliate* ***Avi Goldfarb****, professor of marketing at the Rotman School of Management, comments on aspects of Canada’s newly-proposed privacy law reform. This piece is the fourth in a* ***series of posts*** *on the features, implications, and controversies surrounding privacy law reforms in Canada and around the world in an increasingly digital and data-rich context.*

When IBM was at its peak, information technology managers around the world embraced the wisdom that “nobody ever got fired for buying IBM.” With so many things that could go wrong with computer systems, buying from the dominant trusted brand made sense.

Today, that same idea of management trusting the largest technology companies with their IT systems has returned. One reason relates to increasing regulation of the industry, particularly with respect to privacy. For example, in the world of online advertising, it seems that nobody gets fired for buying Google.

Of course, advances in technology create new uses of data and new threats to privacy. Canada is in the process of updating its privacy laws through Bill C-11—the federal government’s proposed new privacy legislation for data collected by the private sector. This update is welcome. It is important to protect the privacy of Canadians.

But it’s also important to recognize that privacy is not free. Research suggests that privacy regulations may inhibit innovation, that privacy regulations may increase inequality, and that privacy regulations may hurt competition. Since privacy harms are real as well, privacy regulation is often worth the price. Furthermore, the details of privacy regulation matter. Some regulations are likely to have large costs while the impact of others might be minimal.

There is a growing body of evidence that recent privacy regulations have increased the market share of the largest technology companies. For example, Europe’s General Data Protection Regulation (GDPR) became law in May 2018. Since then, the law has changed the collection, storage, and use of data in Europe and around the world. In this way, the GDPR has increased consumer privacy protections in Europe. At the same time, under GDPR, Google’s share of Europe’s online advertising market has increased. Venture capital financing and startup success has declined. Overall, this early evidence suggests that GDPR led to a substantial short-run decrease in competition.

“It is important to protect the privacy of Canadians. But it’s also important to recognize that privacy is not free.”

Privacy regulation can disproportionately affect newer, smaller companies for two main reasons.

First, such regulation can make it harder to do business. Bill C-11 runs 124 pages. There is a requirement for private sector organizations to implement a privacy management program. The consequences of breaking the law can be severe. A manager purchasing IT services may think twice about buying from a startup. Under C-11, even if a company uses an outside service provider, the responsibility for compliance remains with the organization. Buying from a large technology company means that the data privacy policies have been vetted by a team of top-tier lawyers and that there is someone with deep pockets to blame if something goes wrong. As regulation increases the risk of mishandling data, the appeal of deep-pocketed technology companies with large legal teams rises. As with IBM in the 1970s, a manager won’t get fired for selecting the dominant players.

Second, regulations tend to restrict data flows across companies. This occurs directly through prohibition of data transfers from one company to another, and indirectly through restrictions on unanticipated use of data. The largest technology companies already have both access to the data needed to improve their products and a guaranteed source of new data (their customers).

In contrast, startups and smaller companies—whether in the technology industry or not—disproportionately benefit from accessing the data generated by others. For example, several smaller companies might be able to pool data together in order to have a scope of data similar to that of their larger competitors. Furthermore, when data can only be used for the purpose it was collected, startups will be unable to access this data and put it to new use in ways that challenge the dominant firms. Therefore, generally, these direct and indirect restrictions on data flows are likely to impact small companies more than big companies.

The negative impact of privacy regulation on competition can be mitigated. Data portability rules and consumer control of data, for example, can make it easier for consumers to switch companies. In this way, such regulations may enhance competition—though there are risks in terms of both privacy and competition related to who manages the consumer interface. Relatedly, Bill C-11 contains recommendations for codes of practice and certifications that may reduce uncertainty and the need for a large legal team.

These kinds of pro-competitive strategies need to be enhanced. As we move to protect consumer privacy in Canada, we must also ensure that we do not entrench a handful of large technology companies into dominant positions in our market.

Editor’s note: Bill C-11 failed to pass when Canada’s federal parliament was dissolved in August 2021 to hold a federal election. In June 2022, many elements of C-11 were retabled in Bill C-27. Read our coverage of C-27.