The new European privacy regime—the General Data Protection Regulation (GDPR)—is now in force.
Although its broad scope may impose new privacy obligations on a larger number of Canadian businesses, the impact of the GDPR in Canada is unlikely to be significant in the short term. Rather, the influence of EU privacy standards on how Canadian privacy laws are amended and interpreted in the longer term promises to have a more direct impact on Canadian businesses than the GDPR itself.
GDPR, like Canada’s federal privacy law, PIPEDA, imposes obligations on companies that handle personal data: information that can be used to directly or indirectly identify individuals (e.g., name, email address, social networking posts, etc.). It also requires organizations to have the consent of the individual to handle their personal data unless certain exceptions apply.
GDPR has received substantial attention in Canada because of its extra-territorial application—it purports to extend to organizations based outside the EU that offer goods or services to individuals in the EU or that engage in practices that monitor the online behaviour of those in the EU. This is similar to the Canadian privacy regulator's power to enforce PIPEDA against foreign organizations that handle data about Canadians.
Although GDPR and PIPEDA share many of the same core tenets, Canadian businesses subject to GDPR will have to comply with several additional substantive obligations, such as the right to be forgotten and the right to object to automated decision-making. Organizations that provide services to EU companies may also see these obligations imposed through contractual provisions.
As a general guide, three main factors will attract the application of GDPR to Canadian businesses:
- the organization has an establishment in the EU (e.g., office or employees); or
- the organization offers goods or services to individuals located in the EU; or
- the organization engages in activities that monitor the behaviour of individuals in the EU (e.g., devices, platforms or apps that track online activity).
The GDPR includes guidance on how to evaluate the application of these factors. Consequently, there are some nuances that must be considered in determining whether a Canadian organization is caught by the EU data protection rules. The legislative intention is not to subject every company with a website that could be accessed from the EU to the GDPR.
GDPR Challenges for Canadian Companies
Under GDPR, data subjects have increased control over their personal information. The GDPR is more extensive than PIPEDA in that it grants data subjects the right to be forgotten and the right not to be subject to decisions made solely by automated processing. Additionally, the GDPR mandates “data mapping” practices and “privacy by design.”
The Right to be Forgotten
A data subject can request erasure of their personal data under the following circumstances:
- the data is no longer necessary to serve the purpose for which it was collected, as outlined by the data controller; or
- the data subject withdraws consent to the processing of their personal data and there is no other legal justification to override the withdrawal; or
- the data subject objects to their personal data being processed for the purpose of direct marketing.
When a request for erasure is made, the business must inform third-party processors of the erasure request. Additionally, if the personal data was made public, the controller must take reasonable steps to inform other controllers of the data subject's request for erasure.
The Right to Object to Automated Profiling-Based Decisions
The GDPR gives data subjects the right not to be subject to decisions based only on automated processing if those decisions produce legal effects for that person or significantly affect him or her. This provision seeks to prevent profiling and to avoid the risks associated with having important decisions, such as those relating to credit applications or e-recruitment practices, made without any human intervention. Businesses should consider, and develop an inventory of, any activities they carry out which may be considered 'profiling'. Furthermore, they should implement review procedures that allow individuals to opt out of data analytics, targeted marketing, and other forms of profiling.
Data Mapping
The GDPR requires that businesses maintain a detailed record of how personal information is processed. When working towards compliance with GDPR, businesses should consider whether they monitor what personal information is held, how that information is used within and shared outside the company, how long the information is, or should be, retained, who has access to the information internally and externally, and where the information is stored.
Privacy by Design
The concept of “privacy by design” in GDPR involves implementing technical and organizational measures, such as pseudonymization, to minimize processing of personal information and to limit processing to what is necessary to the purpose for which consent was received. Businesses should consider implementing a process for documenting the nature and purpose of personal information processing activities and the safeguards implemented in designing those activities. The reason for doing this would be to minimize data collection, ancillary uses of personal information, and retention beyond the periods required by law or to provide services.
Sanctions for Non-Compliance
Given that the extra-territorial scope of GDPR is not quite as broad as many pundits have claimed, and that the privacy obligations under the new regime are not entirely different from Canadian privacy laws, some businesses may wonder why the GDPR has received so much attention domestically. The answer largely rests on the enforcement powers under the GDPR. Maximum fines for non-compliance with GDPR reach 4% of annual global turnover or €20 million, whichever is higher. In contrast, the Canadian privacy regulator currently has very limited powers to impose fines for violations of PIPEDA. Many organizations are therefore working to bring their data handling practices in line with GDPR in order to avoid the risk of large fines and to preserve their ability to conduct business with EU companies.