OTTAWA — Canada is modelling its new TikTok safeguards on protections instituted by the European Union, but is doing so without the same power to enforce the rules, specialists in the field warn.
Last week, the government reversed its 2024 ban on TikTok’s Canadian business operations after a new national security review, and came to an agreement with TikTok Canada that would allow the video-sharing platform to keep its Canadian offices open.
Talking Points
- Industry Minister Mélanie Joly said Canada is modelling its new approach to TikTok on the European Union, but data privacy experts warn that Canada doesn’t have the same ability to hold the video-sharing app accountable
- The EU is currently pursuing sanctions against TikTok on accusations it failed to uphold similar elements of the deal the company just made with Canada
In exchange, TikTok promised to beef up its data security and address issues flagged by Canadian privacy commissioners related to the app’s collection of teenagers’ data. As part of the pact, a third-party monitor will audit TikTok to keep tabs on the app’s data flows, a measure already in place in EU countries and the United Kingdom.
TikTok says more than 16 million Canadians access the app every month, but Canada and other countries have expressed concerns that users’ sensitive data could be passed by ByteDance to the Chinese government. That’s because China has laws on the books legally requiring companies based there to co-operate with state national security and intelligence activities.
“Aligned with a similar approach taken by the European Union, the government has negotiated enhanced undertakings through this further review, establishing clear guardrails that will better protect Canadians’ data and place Canada in a stronger position with respect to data security and regulatory oversight,” Industry Minister Mélanie Joly said in a statement last week.
Canada’s privacy laws, however, aren’t nearly as robust as the EU’s web of regulations for the digital sphere, said Teresa Scassa, Canada Research Chair in information law and policy and a professor at the University of Ottawa.
This country’s key private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act, is 26 years old and hasn’t been substantially updated since. Known by its acronym, PIPEDA, it was introduced before Facebook was founded. “It doesn’t take into account the very dramatically changed data economy,” Scassa said. “The legislation, similarly, doesn’t really take into account just how vulnerable people are in a data economy, where data is being collected from almost every activity we undertake.”
Crucially, the legislation doesn’t give Canada’s privacy commissioner enforcement powers to hold companies accountable. As a result, it’s not clear what the consequences would be if TikTok reneged on its end of the new bargain—or who would take action.
Joly refused to answer questions about what has changed since the 2024 national security review, saying her statement speaks for itself. Innovation Department spokesperson Riyadh Nazerally would not give specifics about what the government can do if TikTok doesn’t keep its promises, citing confidentiality requirements. In her statement, though, Joly emphasized that the agreement is legally binding under the Investment Canada Act, which lets the government decide if a foreign investment is in the country’s national security and economic interests.
Former innovation minister François-Philippe Champagne, who introduced the ban on TikTok’s Canadian operations in 2024, was also circumspect, saying that “a situation evolves over time.”
Scassa, however, said the government may have to revisit banning the company’s operations if TikTok doesn’t hold up its end of the deal. It’s a blunt instrument, she said, but a creative one in the absence of more refined tools. “It would be better to have updated privacy laws that are ready for the digital age. Failing that, well, if this achieves the objectives, that’s great.”
Europe, on the other hand, has a long history of updating data protection laws and privacy regulations, with enforcement bodies to back them up, said Gabriela Zanfir-Fortuna, vice-president of global privacy at the Future of Privacy Forum, a non-profit focused on data protection, AI and digital governance with offices in Brussels, Singapore and Washington, D.C.
Those measures include regulations governing what happens when Europeans’ information is transferred abroad. “It has very specific rules for this situation,” she said in an interview. Data is not allowed to be transferred to other countries that don’t have approved privacy frameworks, which excludes China, she said.
The EU’s General Data Protection Regulation is one of the strictest privacy laws in the world, while the bloc’s Digital Services Act governs user safety on major online platforms. Using those laws, European commissioners are currently pursuing sanctions against TikTok on accusations it failed to uphold commitments similar to those the company just made to Canada.
The company agreed to give Canadian researchers access to public data to scrutinize the platform, for instance, but the European Commission said last fall TikTok wasn’t abiding by the same condition in Europe.
More troubling still, last May, the Irish Data Protection Commission fined TikTok the equivalent of $829 million after an investigation found that staff in China remotely accessed Europeans’ user data. The commissioner ordered the company to stop it. “As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” deputy commissioner Graham Doyle said in a statement at the time. TikTok is appealing the decision in court.
The accountability can take time and the system isn’t perfect, said Zanfir-Fortuna, but “the European system has many tools, and the authorities really have a lot of tools and powers.”
AI Minister Evan Solomon said he plans to update Canada’s outdated privacy laws, but he hasn’t said what changes he plans to make and did not take questions about whether they would help the government hold platforms like TikTok accountable.
Canada’s privacy commissioner Philippe Dufresne has called for powers to issue fines and orders like those of his counterparts in Europe. For now, he can only refer concerns to federal court in the hope that a judge will issue an appropriate order.
“This takes time. This takes resources. Having order-making power would make it immediate,” Dufresne said last June, after completing a joint investigation into the personal genomics company 23andMe with the U.K. information commissioner. The U.K. commissioner had fined the firm the equivalent of $4.2 million based on their findings. Canada’s commissioner lacked the power to issue any sanction.