On May 25, the new privacy protections in the EU come into force and will have far-reaching consequences well beyond the EU borders. This new regime brings major changes to data protection worldwide. If you do business in Europe or if your business engages with citizens of the EU, you need to be ready. Even if your business is located in Canada.
What is the GDPR?
The General Data Protection Regulations is an Directive from the EU that provides specific protections for personal data, governs the required consent for collecting personal data from individuals, ensures users are fully aware of what data is being collected and why, and requires notice about what cookies are being used by certain websites or web-based services, among other things.
Does GDPR align with Canadian Privacy Law?
In many ways the European Regulations combine aspects of various Canadian laws that govern privacy and access to information. In other ways, GDPR veers off course. One major area of divergence relates to the provisions relating to the right to access one\’s personal information.
Under GDPR, individuals have the right to access their own information from the controller along with details of how and why their information has been collected – and more importantly, for how long the information will be retained. Under PIPEDA, the Canadian privacy regime that governs private business, the right to access of information and to know the retention policies of various organizations, is significantly more limited than the European model.
Another area of divergence is the area of consent. Under PIPEDA, companies can use implied consent in a broad number of ways. This allows for greater flexibility for businesses to use personal information for legitimate business purposes. Under GDPR, however, consent must be expressed specifically in many circumstances. GDPR does give allowance for the collection of data without consent for legitimate business purposes, which adds a degree of flexibility. However, this exception to the need to obtain consent is defined differently from Canadian law. It is important to speak with a professional to determine whether your business model can fall within this exception to the consent provisions.
The GDPR also allows individuals to request that their information be erased from the record kept by companies – the right to be forgotten. This, however, is not the case in Canada and this may be difficult to attain depending on your use of the information or the technology you use.
What happens if your company runs afoul of GDPR?
The penalties for the GDPR are substantially higher – exponentially so – when compared to penalties levied in Canada for violations of the Regulations. While in Canada, the penalties maybe as low as a few thousand dollars, depending on the facts of the case. By contract, the penalties under these European Regulations can go as high as 4 percent of global revenues or $20 million Euros.
What do you need to do to get ready?
The most important step you can take is to make sure you are prepared. Make sure your policies for privacy and access to information can work well within the context of both PIPEDA and GDPR so you are compliant in both jurisdictions. You would also be well advised to ensure you have boiler plate language for contracts with European companies. You will want to have something ready to go that you are comfortable with at the outset to avoid delays when your European business partners or clients demand this.
Do you have a Privacy Policy or Privacy Notice?
If you collect personal data, then GDPR requires that you inform the public of the purpose of the collection and how you manage this data. It also requires that you obtain consent from the individuals providing personal data, in certain situations. Each business is different and these policies or notices must be crafted to reflect your business model and the needs of the individuals who provide their personal data to your company. Working with an experienced lawyer is critical to ensure you have struck the right balance between complying with the legal requirements for both the EU and Canada along and the legitimate interests of your own business.