The European Union’s (“EU”) General Data Protection Regulation (the “GDPR”), which comes into force in May 2018, will impose significant new obligations on businesses that handle the personal data of EU residents. What is unique is that the GDPR applies to entities located both within and outside of the EU, so long as they handle the data of individuals residing in the EU. For Canadian businesses, failure to comply with these regulations, regardless of size or country of domicile, can result in significant fines.
Applicability to Canadian Organizations
The territorial scope of the GDPR is not limited to organizations that have a physical presence in the EU or that are actively targeting customers or users located within the EU. As noted above, regardless of the physical location, the GDPR will apply to businesses that are processing personal data of individuals who are in the EU and where the processing activities are related to: (i) offering goods or services to an individual in the EU (including goods and services offered at no charge); or (ii) monitoring (e.g., internet tracking and profiling) the behaviour of individuals that occurs in the EU.
Cost of Non-Compliance
Businesses that fail to comply with the GDPR could potentially face significant fines. There are two broad tiers of sanctions:
- The upper tier, reserved for serious infringements, can result in an administrative fine of the greater of 20 million Euros, or 4% of the total annual worldwide turnover of the business; and
- The lower tier, reserved for lesser infringements, can result in an administrative fine of the greater of 10,000 Euros, or 2% of total annual worldwide turnover of the business.
The GDPR also allows for public interest organizations to bring class actions for data breaches on behalf of individuals who have had their rights violated.
Key Features of the GDPR
Some of the key features introduced by the GDPR include the following:
Obligations for Controllers and Processors: Under the GDPR, any entity that collects, uses, or discloses personal information of EU citizens will likely be viewed as a Controller or Processor. Broadly, a Controller is an entity which alone or jointly with others determines the purposes and means for the processing of personal data. On the other hand, a Processor is an entity which processes personal data on behalf of the Controller. Canadian privacy laws do not make the same distinction between a “Controller” and “Processor”.
Under the GDPR, Controllers still remain primarily responsible for the protection of personal data and must select a Processor that will employ sufficient protections. The GDPR also contains detailed obligations for a Processor. Controllers will be required to conduct a Privacy Impact Assessment (“PIAs”) for processing highly sensitive data and must also maintain records of processing activities. The GDPR specifies the type of processing that may present risk of harm to individuals in the EU. This includes processing that may give rise to:
- Discrimination or identity fraud;
- Professional secrecy where individuals may be deprived of their rights or control over their data;
- Disclosure of racial, religious, genetic and other special categories data;
- Evaluation of personal aspects, such as work performance, health, reliability or economic situation; or
- Vulnerable persons’ data and processing on a large scale.
PIAs are a process to assess privacy risks to individuals in the collection, use, and disclosure of their personal data. The GDPR also includes specific regulations that govern Processors. For instance, they must implement appropriate safeguards, return or delete data once processing is complete and notify the controller of any data breaches. Processors cannot subcontract any tasks without first obtaining the Controller’s permission.
Consent Requirement: The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” The GDPR, broadly, requires that consent be obtained to process personal data. Silence or inactivity does not constitute consent. For children under the age of 16, parental consent is required. Where it is evident that the parties involved have unequal bargaining power, there will be a presumption that consent has not been freely given. For instance, employer-employee relationships are considered to have a clear imbalance of power and therefore, an employee’s consent is often not considered to have been freely given to its employer. The provision of services that are conditional on acquiring consent will be permitted only if, the data processing is central to the service.
Mandatory Data Breach Notification: Individuals affected by a data breach are entitled to a notification by the Controller within 72 hours of discovering the breach. However, where the breach is likely to affect the rights and freedoms of affected individuals, the notification must be made without undue delay. Data processing companies are also obligated to report the breach to the company that collected and controls the data at issue. The GDPR further requires that all operators of essential services notify the relevant data protection authority in the event of a data breach. Essential services includes companies that are engaged in sectors such as finance, energy and transport, and digital service.
Right to Erasure: Controllers will be required to erase personal data without undue delay (i) if the data is no longer needed; (ii) if an individual objects to processing; or (iii) if the processing was unlawful. Where there has been a request to erase certain data, a controller must take reasonable steps to communicate to other controllers, who may have had that data, of this request.
Requirement for Data Protection Officers: Controllers and Processors will be required to designate a “data protection officer” if (i) data processing is carried out by a public authority or body; (ii) core activities involve regular and systematic monitoring of individuals on a large scale; or (iii) core activities consist of large scale processing of certain categories of data (such as data concerning racial or ethnic origin, criminal convictions, political views). The GDPR requires that the officer be equipped with the necessary knowledge of data protection laws and procedures. The officer should be afforded a range of rights and responsibilities to ensure that he or she maintains independence from the data processing activities.
How Canadian Businesses Can Ensure Compliance
Many of the provisions set out in the GDPR are consistent with the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and as such, Canadian businesses that already comply with PIPEDA or substantially similar provincial legislation may already have many appropriate privacy policies and practices in place. However, affected businesses cannot rely on their compliance with PIPEDA as being sufficient for compliance with the GDPR. While several aspects of the GDPR are consistent with the requirements under PIPEDA, there are several requirements under the GDPR that currently have no equivalent in PIPEDA (for instance, the appointment of a data protection officer or a mandatory breach notification). As such, businesses should focus their compliance efforts in those areas.
Given the severity of potential sanctions under the GDPR, businesses should conduct a compliance assessment of their current policies and practices in order to identify gaps in relation to the GDPR. Upon identifying these gaps, in consultation with legal counsel, different strategies can be efficiently developed along with a compliance plan with a clear implementation timeline. In the event of any enforcement action by the EU, such an assessment can serve Canadian businesses in demonstrating the steps taken to comply and allow for a successful defence or, at the very least, demonstrate good corporate governance that may result in a reduction of fines or enforcement action. Commencing this process now will provide sufficient time for businesses to understand their legal obligations relative to their data processing activities to meet the regulatory requirements before the GDPR comes into force in May 2018.