Data privacy regulation recently underwent a fundamental change when the General Data Protection Regulation (“GDPR”) became enforceable on May 25, 2018. This set of data protection rules applies across the European Union and governs the processing, by an individual, company or organization, of personal data relating to natural persons in the EU.[1]
The GDPR aims to give consumers back control over their personal data, and its scope is significant: all companies operating in the EU are now subject to this single set of rules, regardless of where they are based and regardless of whether the processing takes place in the Union or not.[2] Many Canadian businesses will face new challenges in their data collection and processing practices under this new privacy regime.
However, too great a focus on compliance or sanctions obscures the opportunities that the GDPR can create. The GDPR is a chance for organizations to give consumers clear and transparent explanations of how their personal data will be used, disclosed and retained, and to build business value on that trust.
Which Canadian organizations will be affected by the GDPR?
Because the GDPR imposes more onerous obligations on organizations than Canadian privacy laws, it is imperative that businesses be cognizant of the law’s broad territorial and material scope.
The GDPR applies to Canadian businesses that have an establishment in the EU, regardless of where their data is processed, and to Canadian businesses with no EU establishment whose processing relates to:
- The offering of goods or services (whether or not payment is required) to people who are in the Union;
- The monitoring of behaviour taking place within the Union.[3]
It is noteworthy that the UK will be subject to the GDPR despite its plans to leave the Union on March 29, 2019. Because the GDPR became enforceable before the UK’s exit, the UK must comply with it for as long as it remains in the Union. Moreover, UK companies that continue to do business with the Union post-Brexit will still have to comply with the GDPR.[4]
The wide net cast by the GDPR means that Canadian organizations affected by the legislation must ensure they comply with the new GDPR requirements. The GDPR establishes several obligations that go beyond what is required under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Of note are the requirements regarding consent and information to be provided to data subjects.
Consent as a legal basis underlies both PIPEDA and the GDPR, but the two regimes take a different approach to the concept as it applies to data processing. Valid consent under PIPEDA exists when “it is reasonable to expect that someone can understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting”,[5] and it can be express or implied, in strictly defined circumstances that depend on the sensitivity of the information and the targeted individual’s reasonable expectations.
Under the GDPR, however, consent exists only when agreement is freely given, specific, informed and unambiguous, and is expressed through a statement or a clear affirmative action.[6] Silence, inactivity or pre-ticked boxes do not constitute clear affirmative action.[7] Canadian businesses falling within the ambit of the GDPR must therefore revise their methods of obtaining consent, particularly where implied or opt-out consent was previously sufficient. Furthermore, the processing of special categories of data, such as data revealing racial or ethnic origin or political opinions and data concerning health, is prohibited by default; it is permitted only under one of the listed exceptions, of which the data subject’s explicit consent is one, and even that route is unavailable where Union or Member State law provides that the prohibition cannot be lifted by consent.[8]
Obtaining consent in accordance with the GDPR is also an opportunity for organizations to increase data subjects’ confidence in their data governance. Under the GDPR, the controller must provide data subjects with specific information at the time their data is collected, including the period for which the personal data will be stored and the existence of automated decision-making, including profiling.
Organizations that take a transparent approach to managing personal data breaches (which must be communicated to the affected individuals where the breach is likely to result in a high risk to their rights and freedoms,[9] and which, unless unlikely to result in a risk, must also be notified to the competent supervisory authority within 72 hours under Article 33) stand a better chance of winning consumer trust.
What about provincial privacy laws?
Quebec, notably, has its own privacy law (the Act respecting the protection of personal information in the private sector), which governs the collection, use and disclosure of personal information within the province. PIPEDA still applies in Quebec to the collection, use and disclosure of personal information by federal undertakings.[10]
The Quebec law has been deemed substantially similar to PIPEDA; that is, it provides privacy protection that is consistent with and equivalent to that provided under PIPEDA and incorporates the same principles.[11] Accordingly, the GDPR will affect organizations in Quebec in substantially the same way it affects those in provinces that are subject only to PIPEDA.
What role can Canadian law firms take in this new regulatory context?
Non-compliance with the GDPR can result in very hefty penalties: infringements can attract administrative fines of up to 20,000,000 EUR or up to 4% of the organization’s total worldwide annual turnover of the preceding financial year, whichever is higher.[12] A penalty under the GDPR is also very likely to damage a brand’s image. There are therefore strong financial and reputational incentives for Canadian organizations to take GDPR compliance seriously. It is noteworthy that in September of this year, the Information Commissioner’s Office in the UK issued the first formal enforcement action under the GDPR against a Canadian data analytics firm, AggregateIQ Data Services Ltd.
Organizations that focus on the positive outcomes of the GDPR can reap rewards extending far beyond mere compliance. For example, consumers are much more likely to trust a service provider that values privacy and is transparent about how their data is used.
- European Commission, online: <https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en>; Art. 1 GDPR.
- Art. 3 GDPR.
- “GDPR and Brexit”, GDPR Associates, online: <https://www.gdpr.associates/gdpr-brexit>.
- Office of the Privacy Commissioner of Canada, PIPEDA Fair Information Principle 3: Consent, online: <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act>.
- Art. 4(11) GDPR.
- Recital 32 GDPR.
- Art. 9 GDPR.
- Art. 34 GDPR.
- “Provincial legislation deemed substantially similar to PIPEDA”, Office of the Privacy Commissioner of Canada, online: <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/provincial-legislation-deemed-substantially-similar-to-pipeda/>.
- Art. 83(5) GDPR.