The Border: EU moves on privacy protection

The European Union is working toward implementing a one-stop regulatory shop for data protection
The European Union is working its way toward a wholesale reform of its data protection regime, and privacy law experts say Canadian businesses should take notice of the impending changes.

Perhaps most importantly, the proposed changes would create a “one-stop” shop for data privacy regulation.

“A one-stop regulatory shop would allow companies to make some intelligent choices about how they are organized in the EU,” says Nick Graham in Dentons' London, UK office.

“Of course they'll still have to consider traditional factors like the tax consequences, but the point is that privacy regulation concerns will be a weightier consideration than they have been in the past.”

Indeed, the pros and cons of operating under the aegis of one national regulator or another can be significant in what has been called a “two-speed Europe” when it comes to data privacy, where cultural differences complicate the landscape.

“For example, it's OK to publish an individual's tax returns in Italy, but in the UK that would be appalling,” Graham says. “The different approaches to privacy between northern jurisdictions like the UK, Ireland and the Nordic countries, and the southern jurisdictions is like the difference between beer drinkers and wine drinkers.”

Under the current regime, which was introduced in 1995, national legislation implemented the EU's Data Protection Directive.

“Because each jurisdiction had discretion as to what features of the Directive it would implement, what resulted was a pretty fragmented structure across the EU,” Graham says.

Individual state regulation also produced double jeopardy – or more – at times. In April 2013, six countries, including France, Germany, Italy, Spain, the Netherlands, and the UK, announced that they would investigate Google's privacy policy. In December 2013, Spain fined the company the maximum of US$1.2 million allowed under Spanish law; one month later, the French authority imposed a $205,000 fine, which was the maximum allowed under French law.

“The fragmentation is similar to what we have in Canada, where there's a federal statute, provincial statutes in Quebec, BC, Alberta, and Manitoba, and then various health information protection laws across the country,” says Timothy Banks of Dentons Canada LLP's Toronto office.

Under the proposed EU regime, the sole regulator would be from the country in which a company's EU headquarters or main establishment is located. But not everyone's happy about it.

“Some of the objections are being raised on a human rights argument that people would be deprived of their right to complain to a local regulator,” Graham explains. “For example, if a company committed a breach in Germany, but its headquarters or main establishment was in Ireland, a German citizen or resident affected by the breach would have to go to Dublin to complain.”

This controversy, and others, has derailed the initial timeline for the passage and implementation of legislation. When the European Parliament's Committee on Civil Liberties, Justice and Home Affairs voted in favour of the reforms in October 2013, the plan was to have the initiative wrapped up by April or May.

“Political issues make it a fair bet that we won't see the legislation until a year later than that,” Graham says.

However that may be, Banks cautions that Canadian companies operating or planning to operate in the European Union should keep their ears to the ground. The suggested reforms include mandatory breach notification, data erasure measures, requirements that companies of a certain size appoint the equivalent of a chief privacy officer, and other provisions that will raise compliance issues.

“We don't, for example, have mandatory breach notification here in Canada, nor do we have the same level of enforcement or sanctions,” Banks says.

As well, the reform's extra-territorial aspects should be of concern even to Canadian companies who don't have a physical presence in the EU. For example, Canadian companies who target European consumers online or who do data processing for European companies in Canada or elsewhere are likely to be impacted.

“Canada has been a good jurisdiction for companies to consolidate their data, because the EU recognizes our privacy laws as ‘adequate’,” Dentons' Banks says. “But to the extent that the reforms strengthen privacy baselines in the EU, we might find that the adequacy of our legislation will be called into question.”