A legal framework that came into effect in Europe on May 25, 2018 is starting to cause ripples an ocean away in North America.
BY ANDREW HIND
While the General Data Protection Regulation (GDPR) is a set of rules to give EU citizens more control over their personal data, many Canadian retailers have yet to appreciate the fact that this piece of European legislation has important repercussions for them as well.
The GDPR is the successor to the EU’s Data Protection Directive (DPD). It raises the bar for privacy compliance. But more significantly, it has expanded extra-territorial applications that see EU privacy laws directly impact North American businesses and organizations for the first time.
Far-reaching impacts
Under the 1995 DPD, non-EU organizations were required to comply only if they operated in Europe or conducted information processing activities through physical facilities within the EU. By contrast, the GDPR will apply to any business, wherever located, that sells or ships to Europe, or that uses the personal information of EU residents—not just citizens—for marketing purposes. This application extends to the processing of personal information of EU residents by both data collectors and data processors, wherever they may be located. Clearly, therefore, the GDPR’s reach is significantly broader than its DPD predecessor.
“The European Union’s GDPR has created new obligations for Canadian businesses that handle the personal information of individuals living in Europe,” explains Tobi Cohen, Senior Communications Advisor, Office of the Privacy Commissioner of Canada. “While not all Canadian organizations need to comply with the GDPR, the new regulation expands the reach of European Union rules internationally under certain circumstances. In addition to applying to any organizations that operate an establishment inside the EU, the GDPR may also apply to Canadian organizations that offer goods or services to Europeans (regardless of whether payment is required); or if they are monitoring the behavior of Europeans within the EU.”
The same, but different
It’s important for Canadian retailers to note that while the GDPR and Canada’s own federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), share a number of core tenets (indeed, PIPEDA was created in reaction to the DPD), they are in fact different laws.
“The broad concepts are similar, but details are different between the GDPR and PIPEDA,” explains Lyndsay A. Wasser, Co-Chair of the Privacy and Data Protection Group at McMillan LLP, a leading Canada-based business law firm. “Canadian privacy legislation sets out broad requirements but allows a fair amount of flexibility as to how businesses meet these requirements. The European approach is far more restrictive, especially with respect to data crossing borders and how businesses obtain data.”
Wasser explains that for consumers, the most obvious difference between GDPR legislation and Canadian privacy laws involves the business’s obligation to obtain explicit consent before collecting an individual’s personal information. “Under Canadian law, a business can rely on opt-out consent when users notify the organization that they no longer want their information collected and processed. That’s not adequate under the GDPR. The GDPR doesn’t allow for opt-out consents, so organizations need to get explicit informed consent any time they collect personal data for an individual in the EU,” she says.
But a retailer’s responsibility as the data controller doesn’t end there. They must also: contact anyone whose personal data they currently have on file, and obtain consent if they did not do so when first collecting their information; keep a detailed database of everyone who has consented to have their data collected along with proof that they gave consent; have a clear and viable means for data subjects to withdraw consent and have their information erased; implement proper security measures to protect data; respond to data requests within one month; and obtain consent again if they wish to use data in a new manner that was not consented to when the data was originally collected.
Significantly, under the GDPR, businesses are also obligated to report any and all breaches to the relevant ‘data protection authority’ within 72 hours of the occurrence. Similarly, they must inform people if their data has been compromised, and of the steps they can take to protect themselves. PIPEDA rules, by contrast, do not stipulate a specific time-period for reporting.
“Another major difference is the enforcement powers of the GDPR,” explains Wasser. “Canadian privacy laws do not provide for penalties in the event that data is unlawfully collected or transmitted, whereas there are very high fines in the EU—up to 20,000,000 EUR or 4 per cent of your company’s total annual turnover of the preceding year, whichever amount is higher.”
The reach of the GDPR is also much greater than most appreciate, going beyond merely retailers that sell goods in Europe. Universities with students from Europe, websites using cookies and other information-tracking features, and even tourism-related businesses like resorts and tour operators may all be impacted.
As it stands, retailers who are not collecting data from EU residents need not worry about these changes. But Wasser urges against complacency. As people become more concerned about their privacy, businesses must commit to transparency and take their role as stewards of their customers’ information much more seriously.
“Our privacy laws are currently declared adequate by the EU—indeed, what’s lost is that they are fairly comprehensive, and in some cases are actually stricter than the GDPR—but they will be re-evaluated in a few years. If, at that time, the EU finds that our legislation is no longer adequate, it will be much harder to transfer information between Europe and Canada,” she explains. “There is political will to make changes to ensure we remain in good stead with the EU, so even Canadian retailers that are currently unaffected should consider making changes as if they were.”
Experts agree that the GDPR raises the bar in the privacy world, and that it is only a matter of time until citizens in Canada and around the world have better protection of their personal data.
Seeking guidance and counsel
The changes to privacy laws under the GDPR are significant, and for many retailers seem like a lot to take in. Cohen admits as much and says business owners should seek assistance in navigating these newly implemented regulations.
“Canadian-based organizations that are engaged in selling to the EU or collecting information on EU citizens may wish to seek legal advice regarding their obligations, particularly as the GDPR introduces new concepts that may not be reflected in PIPEDA,” he explains. “They may also wish to have a look at the European Commission website, which offers information to help businesses comply with GDPR requirements. The Article 29 Data Protection Working Party has also developed a fact sheet offering information and advice to help Canadian businesses.”
It’s important that businesses which may be subject to the GDPR’s rules immediately review them in detail and determine what changes in their operational behaviour may be required. But the impact of the new legislation goes beyond those businesses that may currently be affected; the growing appetite for stronger privacy protection suggests that all Canadian retailers should make changes to their procedures similar to those directed by the EU.