The European Union’s General Data Protection Regulation (GDPR), which creates a comprehensive regulatory regime for handling the personal data of individuals in the EU, became enforceable on May 25, 2018.
It has extensive extraterritorial reach.
“Any company, wherever it is in the world, that offers products or services in the EU and whether it has a physical establishment there or not, must comply with the GDPR regarding the processing of personal information,” says Chantal Bernier of Ottawa, Canada’s interim privacy commissioner from 2013 to 2014, and now counsel at Dentons Canada LLP. “The GDPR also applies to any organization wherever located that monitors the behaviour of EU residents.”
Add the broad sweep of the GDPR’s substantive rules to its wide jurisdictional ambit and it’s not hard to see why Canadian and other foreign companies are concerned.
“Canadian legislation speaks of the collection, use, disclosure and retention of personal information,” Bernier says. “The GDPR goes further, bringing all of this under the umbrella of ‘processing’, which means that any contact with personal data comes under the GDPR.”
That’s particularly important for companies that not only collect personal information users themselves put on sites, but also amass data about users and non-users by way of onsite and offsite tracking mechanisms, including cookies, pixels and social plug-ins embedded on third-party websites. Indeed, the data processing regime is significant not only for web giants like Facebook or Google, but for any company involved in “ad tech,” the analytics and digital tools used in online advertising.
“Essentially, the GDPR can be read as applying not only to advertisers collecting personal information but to anyone providing the tools and intermediaries that facilitate the collection of this type of information,” says Éloïse Gratton, a partner in Borden Ladner Gervais LLP’s Montréal and Toronto offices.
Indeed, even companies that don’t face the EU on the client or customer side may find themselves dealing with the GDPR. “Very locally focused organizations who have service providers from the EU are suddenly being confronted with requests to update agreements or clauses so they comply with the GDPR,” says Ryan Berger in Norton Rose Fulbright Canada LLP’s Vancouver office.
What’s not quite clear, however, is just what amounts to “personal information” under the GDPR.
“The GDPR explicitly states that any ‘identifier’ collected when an individual visits a website constitutes personal information,” says David Young of David Young Law in Toronto.
While that’s broad enough to embrace IP addresses, for example, an IP address on its own usually cannot be tied to a particular individual. For that reason, while both Canadian and American regulators have acknowledged that IP addresses can constitute personal information, they have generally not treated companies that collect them as being offside the rules.
“The thinking is that if the individual can’t be tracked or identified from the data, it’s no problem because it’s anonymized,” Young explains. “So right now there’s a major focus in the ad tech industry on anonymizing data.”
But even anonymization is a complex issue. “The difficulty is that IP addresses can be paired with other databases to reveal something about an individual that will identify them,” Young says. “Data brokers hold such massive databases on everyone that even if you only provide them with a needle, they can find it in the haystack.”
GDPR compliance and non-compliance, then, appear to be moving targets. “What’s most challenging for Canadian companies is the lack of guidance on the GDPR’s extraterritorial reach,” Gratton says. “Not even the European lawyers who are heavily engaged with the Regulation know exactly how it will be enforced.”
Lurking in the background is the question of whether Canadian privacy law meets GDPR standards.
“Canada is one of 11 countries that has ‘adequacy’ status, meaning that the European Commission has formally recognized that we offer ‘equivalent’ protection for privacy,” Bernier says. “The legal consequence is that European companies can transfer personal data to Canadian companies without further authorization.”
Canada has enjoyed “adequacy” status since 2001. But the GDPR’s adequacy provisions make the criteria clearer and require a review of adequacy every four years, with the next one coming in 2022.