The European Union General Data Protection Regulation (the “GDPR”) is a new privacy regulation that affects all individuals in the 28 European Union member states, as well as all companies that conduct business in the European Union (the “EU”). The law comes into effect on May 25, 2018 and largely affects digital data of a personal nature. The GDPR replaces the old EU Data Protection Directive that has been in place for 22 years. The GDPR alters key privacy law elements, and updates the law to include new protections for individuals, such as:
- the right to erasure;
- new consent rules; and
- stricter penalties and compliance provisions.
What is the Territorial Scope of the GDPR?
The GDPR applies to data controllers and data processors with an establishment in the EU, or with an establishment outside the EU that targets individuals in the EU by offering goods and services or monitoring the behavior of individuals in the EU. Even if a company never sets foot in the EU, it is possible that they must comply with the GDPR.
The GDPR updates some definitions previously applied under EU law, but many of the key concepts remain the same. Definitions that remain substantially similar in the GDPR and are crucial to understanding and maintaining compliance under the new regime include:
Personal Data – information about any “identified or identifiable natural person”;
Identifiable Natural Person – an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Data Subject – the individual to whom the Personal Data pertains;
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(Data) Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; and
(Data) Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
It is important to note that while the GDPR does update many specific rules, the underlying principles centered around the privacy of individual data subjects remain the same. These principles focus on protecting the fundamental rights and freedoms of natural persons and their right to the protection of their personal data.
Consent Requirements and the Right to Erasure
All companies conducting business in Europe must comply with the consent requirements of the GDPR. Under the GDPR, consent of the data subject means: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Silence, pre-ticked boxes or inactivity do not constitute consent under the GDPR, and when the processing of personal data has multiple purposes, consent must be given for all purposes. In addition, the GDPR considers many of the recommendations of the previous EU Directive, including:
- the right to withdraw consent at any time; and
- special protections for individuals under 16 years of age.
In addition to the requirement to delete personal data when a person revokes their consent, the GDPR provides individuals an explicit right to erasure. In general, this means that a data subject has the right to have their personal information erased without undue delay in certain circumstances. These circumstances include:
- when personal data has been processed unlawfully;
- due to legal obligations; and
- is no longer necessary in relation to the purposes for which the information was originally collected or processed.
While the right to erasure is not exactly new, as case law provided this right to EU citizens a few years prior to the enactment of the GDPR, the right is now encased in regulatory law.
Data Protection Officer (“DPO”) and Designated Representative
The GDPR imposes two new requirements for certain companies involved with EU personal data. Firstly, it will now be mandatory for companies that process or store substantial amounts of EU personal data to appoint a data protection officer. Secondly, companies that are not established within the EU might now be required to designate a representative in the EU to represent the company with respect to its obligations under the GDPR. These functions are separate and distinct and are both important for compliance.
A personal data breach is when there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Under the GDPR, controllers must notify supervisory authorities and individuals without undue delay upon becoming aware of a personal data breach. The breach notification must include when possible:
- the nature of the breach, including categories and approximate number of data subjects concerned, and categories and approximate number of personal data records concerned;
- the name and contact details of the DPO or other point of contact where additional information can be obtained;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
The controller or processor must document all facts and evidence relating to a personal data breach to allow the authorities to verify compliance with the GDPR.
Maximum penalties for non-compliance with the GDPR can be up to 20,000,000 EUR or up to 4% of the total worldwide annual turnover of the preceding financial year; whichever of the two is greater. There has been great debate as to what types of investigations and fines will be imposed by the GDPR and the relevant supervisory authorities. While the maximum fines are quite extreme, it is doubtful that the EU will impose maximum fines on companies with minor violations or those that are unaware they are even violating the law.
Besides the basic application of an effective, proportionate and dissuasive analysis, factors that will be considered in the apportionment of a fine include:
- the nature, gravity and duration of the infringement;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor related to certain GDPR provisions;
- relevant previous infringements;
- the degree of cooperation with the supervisory authority;
- the type of data involved;
- the timeline and manner of the infringement;
- compliance with previous measures;
- adherence to approved codes of conduct or approved certification; and
- any other aggravating or mitigating factor applicable to the circumstances of the case.
Furthermore, since each supervisory authority within each member state has the right to impose fines, the amount of the fine and whether an authority will be more lenient will be largely based on how each country chooses to enforce the GDPR and may vary between countries.
Under the GDPR, the “main establishment” of a controller is, in most cases, the place of its “central administration” in the EU. Companies should be careful in selecting where they set up business in the EU as they will be, in effect, subjecting themselves to the supervisory authority that governs the area in which their main establishment is situated. If a company based outside the EU does not set up a main establishment within the EU, then each member state in which the company holds EU personal data will have the authority to enforce penalties under the GDPR. For example, if a Canadian company has one EU resident from Spain in their database and it collects that individual’s personal data, then the Spanish supervisory authority for the GDPR can bring enforcement actions against the Canadian company for any violation of the GDPR in relation to that individual.
It is important for Canadians to understand the GDPR has altered the way the EU views Canadian privacy law. The Personal Information Protection and Electronic Documents Act (“PIPEDA”) controls private sector privacy law in Canada. Under previous EU privacy law, PIPEDA was found to provide adequate protection for EU citizens. Canadian companies dealing with EU personal data were granted a safe harbor right that excused them from specific compliance with EU law if they were already compliant with Canadian privacy law.
Under the GDPR, new elements, such as the right to erasure, the right to information and the increased penalties for enforcement, could mean that PIPEDA is no longer classified as “adequate” privacy protection under EU law. This suggests that companies conducting business in the EU may have to comply with the GDPR on their own, either under a voluntary compliance regime such as the US-EU Privacy Shield or, more likely, with individual company compliance such as:
- individual data protection contract clauses;
- binding corporate rules;
- approved ethical codes of conduct; or
- privacy certifications.
As of late March 2018, it was unclear as to whether Canada will be granted adequacy status by the EU in connection with the GDPR. The current head of PIPEDA enforcement, Daniel Therrien, and Krista Campbell, Director of Innovation, Science and Economic Development Canada, the body in charge of amendments to PIPEDA, both believe that maintaining adequacy status under the GDPR is an important concern for Canada and they have recommended to Parliament that Canada consider a change to our privacy laws in the near future.
Impact on the Current Business Environment in Canada
Canada recently signed the Comprehensive Economic and Trade Agreement (“CETA”) with the EU and its member states. Even if the CETA is only provisionally approved, this agreement is a strong indication that economic relations between the two regions will increase in the next few years. The EU is Canada’s second largest trading partner after the US and has a GDP of 18.4 trillion USD. With the GDPR coming into force in May 2018, it is unclear what impact the new rules will have on Canadian companies dealing with EU citizens and whether there will be any negative economic fallout. Industries that hold or process large amounts of personal data, such as the healthcare industry, the financial industry and various businesses based significantly online, will all be looking at spending major resources in order to become compliant with the GDPR.
An additional concern is that the GDPR could fundamentally alter the way online companies conduct business. Currently, within seconds of a customer accessing an online shopping site or social media platform, their information is shared with hundreds, even thousands of third-parties. Personal information is often being shared with all these third-parties and the customer is shown relevant advertising or links associated with their previously monitored activity. If under the GDPR, companies must obtain explicit consent for the dissemination of their personal information to multiple third-parties, then it may be too difficult or cumbersome for companies to continue operating under the current model.
A likely outcome is that the current industry regime will be forced to make changes causing a revolution in the online marketing industry. Alternatively, some companies may wish to geoblock EU residents from their system and continue to operate as usual. If the online marketing world changes its model, it will need to adhere to new “privacy-by-design” principles that are expressly written into the GDPR. In its simplest form, privacy-by-design means placing privacy as a fundamental part of the program that is being designed. Currently, the GDPR conflicts with several functions that many sites use on a regular basis, such as behavior advertising, cookies that monitor activities of users, and the abuse of all or nothing consents that causes users to agree to share personal data in excess of the reasons they use a website. The idea of privacy-by-design is that one would have full functionality of a program without compromising security or privacy. Simple procedures such as anonymization, pseudonymization, data minimization, restricted access to databases, encryption, blockchain technology or other security protocols drastically reduce the risk of breach and provide greater control over personal data.
The GDPR presents a new model of privacy protection for all members of the EU and companies that conduct business in the EU. Companies that wish to either conduct business in the EU or handle personal data of persons from the EU must comply with the GDPR or otherwise risk facing EU authorities and potential fines. Certain elements of the GDPR, such as the right to erasure, are very new and may present a compliance challenge for companies from countries that do not afford their citizens a similar right. Companies with privacy policies that are not in compliance with the new EU regime can expect to encounter some hurdles moving forward, especially those based in countries that are not declared as “adequate” under the GDPR. With the ability of hackers and offensive tools for digital criminals ever increasing, compliance with privacy laws becomes a major concern as non-compliance in the face of a large breach of personal data may costs some companies millions of dollars and a significant blow to their reputations. It is highly recommended that companies that wish to continue operating within the EU update their privacy procedures and consult with privacy experts and legal professionals before the GDPR comes into force on May 25, 2018.
This article is for informational purposes only, does not constitute legal advice and should not be relied upon for legal advice.