New privacy regulations coming into force in Europe next year are calling into question whether canada’s approach to privacy is keeping up with its global peers.
Industry observers are suggesting that if canada does not continue to modernize its approach to privacy, it could face roadblocks in maintaining its status as an adequately protected jurisdiction – a status that allows for more fluid trade with the European market.
In May, 2018, Europe’s new General Data Protection Regulation (GDPR) will come into force, and will impose sweeping changes on how privacy is protected in the European Union.
Businesses with operations there are – or should be – working to prepare for that deadline, but it could impact privacy controls beyond EU borders as well.
Right now, Canada has “adequacy” status from the European Commission, which determined in 2001 that Canada’s law under PIPEDA (the Personal Information Protection and Electronic Documents Act) was strong enough to satisfy that any data transferred from the EU to Canada would be adequately protected. But things are changing.
“We cannot take for granted that Canada would be recognized as adequate under the GDPR, because it is very different from our current legislation, and very different from the previous European legislation under which we were deemed adequate,” said Chantal Bernier, former interim privacy commissioner of Canada, and an adviser in the privacy and cybersecurity practice at law firm Dentons Canada LLP.
The new regulations are far stricter than their predecessors in Europe and the rules in many countries. They will have an impact on marketers, since gathering and storing customers’ data is becoming a valuable part of targeted advertising. Any ad agencies doing business with clients in the EU, or companies targeting ads to potential customers there will have new rules to contend with – including the law’s broadened definition of personal Information to include computers’ IP addresses.
The law also allows individuals in many cases to withdraw their consent for companies to keep their data, particularly if the use of that information is not related to the reason that it was collected in the first place. And they have the right to ask to see the data companies have about them.
But the law goes way beyond marketing: It also changes the way companies must handle their own employee data and how they protect against the kind of data breaches that have made headlines in recent years – and how such breaches are reported. Penalties for non-compliance could be up to €20-million (almost $30-million Canadian) or 4 per cent of a company’s total global revenue, whichever is greater.
Adequacy status is important, because it allows for fluid exchange of personal information between the EU and Canada for commercial purposes. It paves the way for Canadian companies to do business with firms and consumers in Europe.
“They know that they are transferring information to a company that is in compliance with the obligations that they are under,” Ms. Bernier said.
For trade purposes, losing that status would make doing business much more difficult. In any circumstance where data is moving digitally across those borders, more onerous measures would be needed to ensure European firms could trust that the Canadian firms are compliant under their new stricter laws.
