The General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, has been dubbed “the most important change in data privacy regulation in 20 years.” This is by no means an overstatement. While the GDPR applies to processors and controllers in Europe, it will also have far-reaching application to businesses outside the EU, including Canadian-based franchisors and franchisees, to the extent they offer goods or services to data subjects in the EU or monitor the behaviour of data subjects that takes place in the EU, which includes tracking their online behaviour for behavioural advertising purposes. The GDPR wind is going to be a mighty gusty blow, so wise are those who batten down the hatches.
As a first order of business, Canadian companies need to determine – if they have not already done so – whether the GDPR applies to their data processing activities in Canada.
Second, companies need to assess to what extent the GDPR applies to them, as some of its provisions depend on the size of the organization. For example, the penalty provisions which set out fines for violating certain articles can be as high as 20 million Euros or 4% of total worldwide annual turnover, whichever is higher. The level of fines imposed will depend on the size of the organization, which specific provisions were contravened, and a number of prescribed aggravating and/or mitigating factors intended to inform an “effective, proportionate and dissuasive” regulatory response.
In addition, a company’s obligation to designate a Data Protection Officer, with significant expertise, resources, responsibilities and independence in the organization, will be triggered if its processing activities are “large-scale.” This determination could depend on the number of data subjects concerned, the volume of the data being processed, and the duration, permanence and geographic extent of its data processing activities.
Third, companies need to assess how GDPR requirements differ from their existing obligations under Canadian private sector privacy laws, and then strive to meet the more exacting of these standards. This may require adopting new governance and accountability frameworks, more stringent safeguards and new mechanisms for respecting data subjects’ rights introduced by the GDPR that are not yet explicitly required in PIPEDA or other substantially similar private sector laws in Canada. Here are a few examples of such requirements:
- Right to data portability: The GDPR goes further than PIPEDA’s right of access by including a right to data portability, meaning that an individual has the right to receive their personal data from a controller in a structured, commonly used and machine-readable format so they can transfer those data to another data controller without hindrance.
- Right to erasure: While PIPEDA affords individuals the right to withdraw consent and challenge the accuracy, completeness and currency of their personal data, the GDPR grants the more express and expansive right to require organizations to "erase" or delete individuals’ personal information without undue delay in certain circumstances. This GDPR "right to be forgotten" is nonetheless subject to certain exceptions, including when the processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation or the establishment, exercise or defence of legal claims; or for reasons of public interest such as public health, archiving, statistical purposes, or for scientific or historical research.
- Consent requirements: While PIPEDA sets out clear conditions for valid consent, the GDPR requirements are even more exacting. Under the GDPR, consent must be given by a statement or a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of an individual’s agreement to the processing of their personal data. A request for consent cannot be bundled together with other terms in a contract; it must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Whereas PIPEDA allows for implied consent in appropriate circumstances, the GDPR does not – though it does provide for alternative legal grounds of processing, including legitimate business interests.
- Data protection by design and by default: The GDPR requires controllers to adopt internal policies and implement appropriate technical and organizational measures which meet the principles of data protection by design and data protection by default. These include data minimization measures and privacy-protective default settings. While “Privacy by Design” is originally a Canadian concept and touted as a best practice, it is not a legal requirement in Canadian privacy law.
- Data protection impact assessments: Canadian regulators encourage the completion of privacy impact assessments before deployment of new (or significantly amended) data programs or initiatives. Under the GDPR, data protection impact assessments will become mandatory when processing data, particularly using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons.
- Breach notification requirements: The GDPR requires that data breaches be reported to the competent supervisory authority (of the EU Member State concerned) without undue delay, and where feasible, within 72 hours of the organization becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. When such risk is likely to be high, the organization must also communicate the personal data breach to the data subject(s).
While there are notable differences between the GDPR and existing Canadian laws, the gap may close over time. For instance, as of November 1, 2018, Canada’s own breach notification requirements, with related fining provisions in the event of contravention, will come into force federally.
Legislators are looking to the GDPR as the new data protection standard we should aspire to. In a recent report, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the ETHI Committee) calls on government to consider introducing many GDPR-like features into the next iteration of PIPEDA. Chief among these are: stronger consent requirements, with a GDPR-like exception for legitimate business interests; explicitly giving life to the right to data portability and the right to erasure; mandatorily requiring privacy by design and privacy by default as central principles; and giving stronger enforcement powers to the Federal Privacy Commissioner of Canada, including the power to make binding orders and issue monetary fines for non-compliance.
Most significantly, the ETHI Committee urged the federal government to take immediate action to assess what legislative changes to PIPEDA (and related provincial private sector laws) would be required for Canada to retain its adequacy standing vis-a-vis the GDPR and either make those changes or create other mechanisms to allow for the seamless transfer of data between Canada and the EU.