Martin Aquilina, International Business Lawyer
Dustin Paterson, Business Lawyer
Threats around the theft and misappropriation of personal information have been around since the dawn of the internet, but as time goes on, these threats are growing and taking on new significance. From recent revelations about Russian interference in the 2016 U.S. presidential election to reports of Cambridge Analytica’s use of private Facebook data to target users with content, it has become clear that the risks associated with the misappropriation of personal information now go well beyond identity or credit-card theft.
For years, governments around the world have been working to keep pace with these accelerating threats by implementing new laws and by finding ways to enforce existing laws against emerging threats. One of the most significant examples of such efforts is the much anticipated General Data Protection Regulation (the “GDPR” or the “Regulation”), which was approved by the European Union Parliament on April 14, 2016 and is set to come into force throughout the EU on May 25th, 2018. The GDPR has been described as the most significant change to data privacy regulation in twenty years, and it is expected to have wide-reaching effects on businesses involved in the collection of data. Those effects will reach well beyond the borders of the EU and will be significant for Canadian businesses operating abroad.
The overarching purpose of the GDPR is to expand and harmonize data privacy regulation throughout the EU. To achieve this, the GDPR takes a broad approach to privacy regulation: it implements a set of privacy-related rules over a wide scope (both in geography and in subject matter) and imposes severe penalties for non-compliance.
There are three key differences between the GDPR and the 1995 Data Protection Directive that it replaces. These are: (1) the GDPR’s direct legal effect; (2) its increased scope; and (3) stricter penalties for non-compliance.
With respect to its legal effect, the GDPR’s status as a “regulation” means that it is directly binding and enforceable against any entity that comes within its scope. Where the predecessor to the GDPR required each country to pass specific laws bringing the directive into force, the GDPR, by contrast, will be legally binding throughout the EU as soon as it comes into force.
The expansive scope of the GDPR is perhaps the most significant change from the previous regime. According to its terms, the GDPR will apply to any data-collecting entity that is based in the EU and to any entity that collects or processes the personal data of individuals located in the EU, even if such entity does not have a presence in the EU itself. This expanded scope will place Canadian companies that are either collecting or processing the personal information of users in the EU squarely within the scope of the Regulation and subject to its penalties for non-compliance.
The third significant change in the GDPR is the implementation of strict penalties for non-compliance with the Regulation. The GDPR imposes a tiered system of sanctions, ranging from written warnings to fines of up to €20 million or 4% of the infringing entity’s global annual turnover, whichever is higher. Given the severity of these measures, it is in the interest of any Canadian company operating in the EU to take every possible precaution to ensure it is in full compliance with the GDPR when it comes into effect.
The GDPR Framework
Although the most significant changes are those described above, the main thrust of the GDPR is to implement a framework of privacy-related rules and principles throughout the EU.
As with many privacy frameworks (including the Canadian privacy regime under the Personal Information Protection and Electronic Documents Act (“PIPEDA”)), the central idea running through the GDPR is that companies must obtain consent from any subject whose personal information they are collecting or processing, and that consent must satisfy a number of criteria, including that it be explicit, freely given and tied directly to the purposes for which the information is collected.
Although consent is the key principle of the GDPR, the Regulation imposes other obligations as well. These include:
(1) Breach Notification. In the event of a data breach, entities that collect or process data (referred to in the GDPR as “Controllers”) have an obligation to notify all affected data subjects and the relevant regulatory authorities within certain specified timelines (typically within 72 hours of becoming aware of the breach).
(2) The Right to Erasure. Controllers have an obligation to erase a subject’s personal data, on request, if a specified event has occurred. The list of specified events includes, for instance, withdrawal of consent by the subject, or the personal data no longer being relevant or necessary to the purpose for which it was collected.
(3) Privacy by Design and Default. This principle requires that Controllers implement appropriate technical and organizational measures to enforce data-protection principles and to integrate the necessary safeguards into the collection and processing of personal information. Furthermore, these entities must implement measures to ensure that, by default, the only data processed is that which is necessary for the specific purpose at hand.
(4) Appointment of a Data Protection Officer. Controllers must appoint a data protection officer (a “DPO”) who is responsible for monitoring the entity’s compliance with the GDPR and other relevant laws, and for informing and advising the entity on its obligations under them. The DPO must be designated on the basis of his or her professional qualifications and expert knowledge of data protection law and practices.
Impact on Canadian Businesses
As mentioned above, the broad scope of the GDPR will place many Canadian companies squarely within the ambit of the Regulation. The good news for Canadian companies is that, for the most part, compliance with the GDPR will likely require very little additional effort. Many of the principles in the GDPR, such as the requirements around consent, overlap closely with those found in Canada’s private-sector privacy regime under PIPEDA, while others, such as the principle of data breach notification, are expected to come into force under Canadian law later this year. That said, there are provisions of the GDPR that go beyond the requirements under Canadian law and that will have to be addressed by Canadian companies operating in the EU, such as the appointment of a DPO.
As a result, it is incumbent on Canadian companies doing business in the EU to look carefully at their protocols, policies and procedures around data collection in light of the GDPR and, if necessary, to seek professional advice to ensure they are fully compliant with the Regulation before it comes into effect on May 25th.