Canada has always maintained a comfortable relationship with the European Union with regard to data privacy. However, this relationship has recently been rocked by the introduction of the General Data Protection Regulation, known as the GDPR.
Organizations around the world that are responsible for cross-border data transfers with the EU need to comply or face harsh penalties. However, with the current misalignments between Canadian law and the GDPR, compliance is no longer clear-cut.
Among the many important changes, “Data Portability” and “The Right to Be Forgotten” are key conditions that Canadian enterprises need to know to successfully avoid extensive litigation. Organizations are tasked with assessing data breach detection and notification methods, data controller and data processing procedures and training to ensure they are not in violation of new directives. In this article, we examine the rigorous compliance requirements for enterprises and how similar changes may soon be added to Canadian law.
What Are The Basics Surrounding The GDPR?
The GDPR took effect on May 25, 2018. This legal framework aims to give residents of the EU more control over their personal data by imposing regulations on data-collecting companies. It replaced the previous law governing data protection that was passed in 1995. In comparison to its predecessor, the GDPR is considerably more relevant to the modern Internet.
The EU recognized the need for reform in an ever-growing digital landscape and has given its citizens the right to object to the ways organizations use their respective data. Residents who grant companies permission to collect data on them now have the power to dictate its use or misuse. A broad range of personal data is covered under the GDPR – including an individual’s name, home address and government ID number. Protective practices are in place to shield location information, IP addresses and other identifiers from companies. This obstructs a company’s capacity to track a person’s online and real-world activities.
Online enterprises operating in the EU and those that offer services to its citizens are now held to stringent compliance measures. The law requires companies to notify users within 72 hours of a data breach – a rare procedure for companies currently. An exceptionally high level of legal liability is at stake for those who are responsible for a breach.
What The GDPR Means Here In Canada
The GDPR affects all Canadian businesses that collect, process, manage and store the personal data of EU citizens. Several clauses contradict the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act, which govern privacy in Canada.
In light of these changes, one of the most crucial concerns is data portability. Data portability prevents users from having their data stored in closed platforms and allows them to move, copy and transfer it across different IT environments.
PIPEDA gives users the right to know what information companies hold about them. The GDPR departs from this with a data portability clause that enables users to obtain that information and take it elsewhere.
Companies or “data controllers” are compelled under the GDPR to provide users with data in a form that is structured, commonly used and machine-readable in order to be compliant. To be “structured” is to have data organized in a format comparable to a spreadsheet where all information is in rows and columns. To be “commonly used” is to implement software and a structured format that is widely understood. To be “machine-readable” is to provide a format that is easily read by a computer.
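As an added illustration of the three properties just described (not code from the article or from any organization it names), the following Python produces a single user's portability export as both JSON and CSV and checks that each format parses back to the same values. The user record, its field names and the helper functions are constructed for this example; a real system would read the record from its own data store and decide which fields fall within the scope of a portability request.

```python
"""Data-portability export of one user's record as JSON and CSV.

Added example, not code from the article. The sample record, the list of
exported fields and the helpers are constructed for illustration.
"""
import csv
import io
import json

# Constructed sample record: field names and values are assumed, not from the article.
SAMPLE_USER = {
    "user_id": "u-1001",
    "name": "Example Person",
    "email": "person@example.com",
    "home_address": "1 Example St, Toronto, ON",
    "consents": [{"purpose": "newsletter", "granted": True, "since": "2018-06-01"}],
    "orders": [{"order_id": "o-1", "total_cad": 19.99, "placed": "2018-07-04"}],
}

# Fields included in the export (assumed scope). Internal operational data about
# the user, such as access logs, is deliberately left out of this helper.
EXPORT_FIELDS = ("user_id", "name", "email", "home_address", "consents", "orders")


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into dotted keys so the same data can be
    written as CSV columns (rows and columns) without losing any value."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def export_json(user):
    """Commonly used and machine-readable: plain JSON with a stable key order."""
    subset = {k: user[k] for k in EXPORT_FIELDS if k in user}
    return json.dumps(subset, indent=2, sort_keys=True, ensure_ascii=False)


def export_csv(user):
    """Spreadsheet-style view: one header row and one row of values."""
    flat = flatten({k: user[k] for k in EXPORT_FIELDS if k in user})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=sorted(flat))
    writer.writeheader()
    writer.writerow(flat)
    return buf.getvalue()


def round_trips(user):
    """Check a reviewer can automate: both formats parse back to the same values,
    so nothing in the export depends on a human reading it."""
    from_json = flatten(json.loads(export_json(user)))
    from_csv = list(csv.DictReader(io.StringIO(export_csv(user))))[0]
    # CSV stores everything as text, so compare on the string form.
    return len(from_csv) == len(from_json) and all(
        str(from_json[k]) == from_csv[k] for k in from_json
    )


if __name__ == "__main__":
    print(export_json(SAMPLE_USER))
    print(export_csv(SAMPLE_USER))
    print("round-trip ok:", round_trips(SAMPLE_USER))
```

The round-trip check is the useful part for a compliance review: an export that cannot be parsed back by the same tooling that produced it is not machine-readable in any meaningful sense, whatever its file extension says.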
Right To Be Forgotten
Article 17 of the GDPR states that users are granted the right to have personal data held by organizations “erased” if the retention of that data is no longer pertinent. This mandate goes beyond PIPEDA’s existing legal obligation principle. The GDPR also requires data controllers to inform other data controllers of the erasure. For example, if the company has published the data on social media, it must take practical steps to inform the other controllers processing that personal data that the individual has withdrawn consent.
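The erasure workflow described above, as an added example (not code from the article or from any organization it names): the record is deleted, every registered downstream controller or processor is notified, parties that fail to acknowledge stay on a pending list for retry, and the only thing kept afterwards is an audit entry that proves the request was handled without re-storing the identifier. The in-memory store, the downstream registry, the notification callback and the “legal_hold” flag (standing in for a retention reason that makes erasure inappropriate) are all constructed assumptions.

```python
"""Right-to-erasure handling: delete, notify downstream parties, keep a minimal audit record.

Added example, not code from the article. The store, the downstream registry,
the notify callback and the legal_hold flag are constructed stand-ins.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

# Constructed sample store: user_id -> personal data. "legal_hold" is an assumed
# marker for data that must still be retained (e.g. for a legal obligation).
STORE = {
    "u-1001": {"name": "Example Person", "email": "person@example.com", "legal_hold": False},
    "u-2002": {"name": "Other Person", "email": "other@example.com", "legal_hold": True},
}

# Constructed registry of other controllers/processors that received this data.
DOWNSTREAM = ["analytics-processor", "social-publishing", "mailing-vendor"]


@dataclass(frozen=True)
class ErasureOutcome:
    subject_ref: str       # keyed hash of the identifier, never the identifier itself
    erased_at: str
    fields_erased: tuple
    notified: tuple        # downstream parties that acknowledged
    pending: tuple         # downstream parties still to be retried
    refused_reason: str = ""


class ErasureService:
    def __init__(self, store, downstream, notify, audit_key: bytes):
        self.store = store
        self.downstream = list(downstream)
        self.notify = notify      # assumed interface: callable(party, user_id) -> bool
        self.audit_key = audit_key
        self.audit = []           # what remains after the personal data is gone

    def _ref(self, user_id):
        # A keyed hash lets the audit trail prove the request was handled
        # without storing the identifier that was supposed to be erased.
        return hashlib.sha256(self.audit_key + user_id.encode()).hexdigest()[:16]

    def erase(self, user_id):
        record = self.store.get(user_id)
        if record is None:
            raise KeyError(f"unknown subject {user_id}")
        now = datetime.now(timezone.utc).isoformat()
        ref = self._ref(user_id)
        if record.get("legal_hold"):
            # Retention is still required, so record the refusal instead of deleting.
            outcome = ErasureOutcome(ref, now, (), (), (), "retention still required")
            self.audit.append(outcome)
            return outcome
        fields = tuple(sorted(k for k in record if k != "legal_hold"))
        del self.store[user_id]
        # Notify every downstream party; failures stay pending so they can be retried.
        acked, pending = [], []
        for party in self.downstream:
            (acked if self.notify(party, user_id) else pending).append(party)
        outcome = ErasureOutcome(ref, now, fields, tuple(acked), tuple(pending))
        self.audit.append(outcome)
        return outcome


def demo_notify(party, user_id):
    """Constructed transport stand-in: one party is unreachable to show the retry path."""
    return party != "mailing-vendor"


def run_demo():
    svc = ErasureService(dict(STORE), DOWNSTREAM, demo_notify, b"constructed-audit-key")
    done = svc.erase("u-1001")
    held = svc.erase("u-2002")
    return svc, done, held


if __name__ == "__main__":
    svc, done, held = run_demo()
    print("erased:", done)
    print("refused:", held)
    print("remaining records:", list(svc.store))
```

The pending list is the part most often missed in practice: an erasure is not complete until every party that received the data has been told, so the service returns the unacknowledged parties rather than silently dropping them.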
Unlike PIPEDA, the GDPR does not allow for an implied consent standard when it comes to data collection. While PIPEDA details clear conditions for valid consent, the GDPR handles things much more meticulously. The new legislation requires consent to be given by a well-defined affirmative act establishing an explicit indication that the user is permitting the processing of their personal information.
For companies, this means reviewing their current contracts, confirming that consent is clearly defined in its own category and making all necessary adjustments to ensure compliance.
Data Processing Responsibilities
PIPEDA holds the controller accountable for the responsibilities associated with sensitive data. The GDPR imposes these responsibilities on all associated data services or processors. The processor is essentially any external third-party service hired to process data (such as cloud service providers or call centre operators).
It is important for organizations to take an active interest in where their data is physically being stored by their cloud service provider. Location transparency is a fundamental element in keeping compliant with the GDPR, as storing data in regions that are not authorized for EU citizens is an extremely hazardous practice. Meeting with the provider to discuss their data management strategy and understanding of EU regulations will help organizations mitigate unnecessary risk.
Data Breach Reporting
Another significant requirement, included in Article 33 of the GDPR, is the 72-hour window allocated for breach reporting. If a personal data breach occurs, an in-depth investigation must be carried out, impacted individuals must be informed and an extensive containment plan must be drafted. The party responsible is also required to submit a forensic report detailing the nature of the breach, its estimated impact and the finalized containment plan procedures.
Coming Changes for Canada
With the introduction of the GDPR and the further digitalization of daily life, Canada’s privacy law is in need of an update.
Federal Privacy Commissioner Daniel Therrien has recognized this need. Referring directly to the GDPR during a talk at the Privacy Laws and Business International Conference in the U.K. last year, Therrien publicly addressed the consent provisions in PIPEDA.
Two years ago, the Office of the Privacy Commissioner of Canada (OPC) sought public comment on this issue and received 28 submissions from academics, corporations, advocacy groups, legal professionals and the general public. Server Cloud Canada was among those who submitted. Among the submissions, commenters cited a “right to be forgotten” that follows the stipulations included in the GDPR. This would give Canadians the right to have personal information removed from online platforms while maintaining freedom of expression.