Canadian tech companies say they are patching together their own standards, mostly borrowed from European laws, to guide them through the limbo of prorogation.

When Prime Minister Justin Trudeau prorogued Parliament until March 24, that automatically wiped tabled cybersecurity, privacy, artificial intelligence, data and online harms bills from the agenda.

Tech companies which had eagerly been watching them wind through Parliament were then faced with the reality that for these bills to become law, they would have to be reintroduced and go through readings and debate once more or be reinstated at their previous stage through unanimous consent of the House or a motion to that effect.

鈥淚t鈥檚 another kick down, right?鈥� said Will Christodoulou, co-founder of Toronto-based fintech startup Cyder.

鈥淚t鈥檚 going to have to get reread in Parliament and going to have to go through all those processes again 鈥� but it鈥檚 like, when is that going to be?鈥�

While companies wait for Parliament to reconvene and then decide which bills to revive, many say they are choosing the most advanced and strict international regulations to abide by.

In most cases, those regulations come from Europe.

鈥淎 lot of things they do, we typically would just copy,鈥� Christodoulou said.

Patricia Thaine, the co-founder and chief executive of data protocol firm Private AI, agreed.

Without updated Canadian legislation, she said most large companies will likely comply with the most stringent regulations 鈥� namely the European Union鈥檚 General Data Protection Regulation 鈥� and then make adaptations for other markets they鈥檙e in with more local requirements.

GDPR is an expansive piece of legislation that requires anyone handling the data of EU citizens or residents to only keep personally identifying information for as long as necessary and ensure any processing prioritizes security, integrity, and confidentiality.

Violating the law comes with high penalties that max out at the higher of 鈧�20 million or four per cent of global revenue. Users also have the right to seek compensation for damages.

Bill C-27 was set to modernize Canada鈥檚 Personal Information Protection and Electronic Documents Act (PIPEDA), which dates back to 2000 but had one of its last major updates in 2015.

The bill would have created three new acts rooted in consumer privacy, data protection and AI guardrails. Increased fines for certain serious contraventions of the law would be the higher of five per cent of gross global revenue or $25 million.

Thaine said she saw value in Bill C-27 because PIPEDA fines are 鈥減retty low, so there isn鈥檛 that much incentive for companies to actually comply with data protection regulations.鈥�

鈥淚t鈥檚 a pretty outdated legislation that we鈥檙e dealing with here and I worry as a Canadian about what data-handling practices are out there for the data that we provide to companies,鈥� she said.

She also saw it as important for the country to offer direction around AI.

鈥淣ot having an AI legislation itself just really lets companies decide for themselves what it is that they need to do, which 鈥� can lead to certain questionable decisions,鈥� she said.

But Antoine Guilmain, a partner at Gowling WLG and co-lead of the firm鈥檚 national cybersecurity and data protection law group, argued 鈥渋t鈥檚 not like there鈥檚 nothing in Canada at the moment.鈥�

PIPEDA is 鈥渘ot as modern as we would like it to be鈥� but 鈥渋t鈥檚 still something that works,鈥� he said.

The federal government also has a voluntary AI code of conduct any organization can sign. Signatories promise to outfit their AI systems with risk mitigation measures, use adversarial testing to uncover vulnerabilities in such systems and keep track of any harms the technology causes.

Then, there are the provinces filling in the gaps. Guilmain pointed to Law 25 in Quebec, which requires organizations to have privacy officers, report privacy breaches and increase transparency and consent required to collect personal information.

The law can be used as a reference for organizations who were watching Bill C-27 along with Bill C-26 and Bill C-72.

Bill C-26, which made it all the way to the Senate before it was amended and sent back to the House of Commons, would have boosted cybersecurity requirements for federally regulated industries.

Bill C-72, which made it to its second reading at the House of Commons, would have made it easier for information to be securely shared between health care providers, patients and tech firms offering medical services.

Robert Fraser had his eye on the interoperability bill because his Vancouver-based firm, Molecular You, offers personalized health assessments that often rely on medical data.

Interoperability has long been 鈥渁 challenge鈥� in Canada, especially when the country is compared with the U.K. and U.S., where Fraser has observed more progress.

鈥淭ime doesn鈥檛 seem to matter so much in Canada. We take a leisurely pace,鈥� he said.

鈥淚鈥檓 sure politicians are working very hard and lawmakers the same, but it鈥檚 frustrating, I think, to an industry that really wants to get things done. We don鈥檛 have all the time in the world.鈥�