DATA PROTECTION LAW began to be developed in Europe a number of decades ago. So it is entirely appropriate that the next chapter in data protection law — the European Union’s General Data Protection Regulation (GDPR) — also comes from Europe.
For Canadian organizations with operations or affiliates in the EU, GDPR will be important indeed. But to be caught by GDPR, one doesn’t have to have a branch or affiliate in Europe; it is enough that you have a virtual connection. That is, even if you do not have an “establishment” in the EU where personal data is collected or otherwise processed (which includes stored, used, or retrieved), you can be caught by the GDPR if you undertake any activity (such as offering goods or services to EU residents) that has a “real and effective” connection with the EU (even monitoring remotely the behaviour of EU citizens).
This is why it's important to understand some of the key new parameters of this broad, sweeping data-protection reform effort.
Why a New GDPR?
The EU legislation for GDPR was adopted in April 2016 by the European Parliament, and the new legislation will come into effect in May 2018. GDPR implements some novel concepts, and also reaffirms some of privacy law’s longstanding principles. Currently, even these “fair information handling practices,” as expressed in the EU’s Data Protection Directive now in force, are being implemented differently within the EU because each member state has been able to modify its relevant data protection legislation as it wished. This has led to inevitable inconsistencies across the EU.
This problem will be solved by GDPR, which for the first time will implement the legal privacy-law regime across the full expanse of the 28 (to become 27 after Brexit) member countries of the EU. Doing so will help organizations which have affiliates in EU countries, which is the good news. But while the privacy standards to be met by organizations across the EU will be uniform for the first time, those standards themselves will be set higher.
Old Wine in Old Bottles
Many of the data-handling principles of the EU’s soon-to-be-replaced Data Protection Directive will carry forward into GDPR. For instance, it will remain a core principle that someone managing the data collection and handling process (typically a “data controller,” who oversees the data-handling practices, or a “data processor,” who processes data on behalf of a data controller) adhere to a range of data-processing principles, such as having to process data in a lawful manner pursuant to obtaining express consent, or because it is required for the delivery of a certain service.
Other traditional data-handling principles in the GDPR include: purpose limitation (processing data only for the purposes specified to the data subject); data minimization (collecting only that data that is relevant to the approved function); data accuracy (ensuring the data is kept up to date and accurate, and allowing data subjects to require its rectification when it is stale or inaccurate); and data integrity (ensuring that data is stored in an appropriately secure environment).
These data-protection principles have their analogues in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and its various provincial counterparts, and to that extent they should be familiar to Canadian counsel.
New Wine, New Bottles
Now we turn to the new provisions in GDPR. They are not just more of the same. They are net new, and some of them will prove to be very finicky indeed as they come to be implemented in the real world.
For example, it is now no longer enough to process data lawfully and fairly; under GDPR this must also be done in a transparent manner. This seems innocuous enough until you begin to contemplate what this might mean: to allow data subjects to have the right to information regarding the data controller’s data-processing practices.
Consider that you are a financial institution in Canada with an affiliate in Europe, and your Paris office has a complex new fintech methodology for approving personal loans. The system uses pathbreaking, novel artificial intelligence algorithms and work flows in order to make decisions as to whether to grant credit to individuals (say, students for their university education). The system also implements machine learning; that is, over time it compares its track record for loan repayment rates, and “improves” its credit granting decision making with each loan it approves or denies. In effect, it may be that the bank, for any particular student applying for a loan, does not actually know how the system weighs the various personal characteristics and factual matrix of the individual loan applicant; or, even if it did initially, the system “learns” over time, such that it never is stable enough to allow a human to understand the particular mix of variables that went into a certain decision. In such a case, how is the new “transparency” requirement of the GDPR to be met? What exactly do you tell the disgruntled loan applicant when they ask why they were refused credit?
The GDPR also includes a new data-breach notification regime. In the event of a security breach, you must notify the relevant national data-protection authority, and promptly (typically within 72 hours of learning of the breach). And if there is a potential harm to data subjects, they must also be notified. While these rules are broadly similar to those coming to Canada when Bill S-4’s breach-notification amendments to PIPEDA come into effect, the tighter timelines under the GDPR will require organizations to have even better data-breach plans and procedures.
Another new and related requirement under the GDPR is that controllers and processors implement technical measures to ensure certain levels of security. “Pseudonymisation” will be important; this is a concept by which personal data can be “masked” or modified in a manner so that the data can no longer be attributed to a specific individual. This is an example of the GDPR requiring controllers and processors to undertake “privacy by design” when building their systems and workflows, so that the risk of data breach is reduced.
Perhaps the GDPR data-privacy protection rule garnering the most publicity is the so-called “right to be forgotten.” In practice, this requires an organization to erase personal information of a data subject under certain circumstances when asked to do so by a data subject. This can be demanded, for instance, if the data subject withdraws consent, or the information is no longer necessary for the original purpose for which it was collected.
These requirements are actually reflected (with some different language) in PIPEDA, so to that extent the principle is not that new in Canada. But here is what's different: if the data controller (essentially, the entity collecting the data) has made the data public (for instance, on a social media site), then that entity has an obligation to notify all others it gave the data to in order to have them in turn erase the links to the data and so on down the chain of Internet random distribution. This will likely require organizations to create or adopt fairly elaborate computer systems in order to implement these legislative objectives.
The “right to be forgotten” raises some fascinating questions. In short, our social media-infused age, supercharged by the internet, is creating untold volumes of new data every day. One calculation suggests that more data has been created in the past 24 months than was brought into the world in all of previous recorded history. In such an environment, implementing an effective “right to be forgotten” will be challenging for sure. A similar (but easier to operationalize) new right that will invariably drive material IT development and deployment is the new “data portability” right in the GDPR. For example, when an employee leaves one employer in the EU and joins another, the data subject can require that the previous employer transfer his or her personal information to the new one. Again, IT consultants will see material additional work from implementing this new requirement for data controllers and data processors.
Non-Compliance is not an Option
The GDPR is very serious about compliance, as can be seen in its enhanced penalty regime. A two-tiered approach is mandated. For certain transgressions (such as violation of the data-breach notification), the fine is up to €10,000,000, or, in the case of companies, up to two per cent of global sales in the prior year. This latter figure could be a very hefty amount indeed.
But wait! The total possible fine for a breach of the right to be forgotten, consent requirements, and the right to object (among others) is set at up to €20,000,000, or four per cent of global sales. These are some very significant thresholds for certain companies, and so expect the largest global companies — including some in Canada with meaningful affiliates in the EU — to amplify their global data-protection legal compliance regimes.
Over the past number of years some commentators have taken the view that — with the full-on effects of the internet, e-commerce, and the unstoppable rise of digital generally in our lives — privacy is dead and we should all just learn to live with this new fact of life. Well, clearly the law makers in Europe are not buying that line. Rather, in the GDPR, they are making a bold statement to the very opposite effect: that the principle of data privacy is important, and the legal system should buttress it. And with the size of the new potential penalties, even global tech giants will have to take heed of the privacy-law gauntlet that is being thrown down in Europe.
George Takach is a senior partner at McCarthy Tétrault LLP and the author of Computer Law.