Is Canada ready for the new EU data protection rules?
The European Union’s General Data Protection Regulation, which comes into force in May 2018, is meant to allow people tighter control over their data and requires businesses to get explicit consent for how they use it.
The new regulations have extra-territorial reach, and carry costly fines for violations (up to 4 per cent of global revenues). CBA National caught up with Anick Fortin-Cousens, the Program Director in IBM's Corporate Privacy Office, to discuss the impact on Canadian businesses.
CBA National: The EU’s GDPR comes into force next May. Why is this important?
Anick Fortin-Cousens: For over two decades Europe has possessed what has been seen by many as the gold standard as it pertains to data privacy laws. Most countries who have legislated in that space have followed its model to various extents. One reason for this is that it encompasses cross-border data flow restrictions which can be lifted if the transfer of personal information is made to a country that has laws deemed to be adequate by the European Union authorities. By adequate we really mean similar, substantially similar, to the European law. Those countries may want to keep it that way for trade and investment reasons, so may adopt similar models. Beyond this, it’s also important because it’s going to require many organizations to up their game.
N: So what’s the impact on businesses?
AFC: The intent is to give people greater control over whether and how their data is collected, used, shared and otherwise processed. The GDPR also demands more transparency and accountability from organizations at a time where technology, more than ever before, enables the collection, harvesting and mining of data, and at a time where there seems to be growing prevalence of surveillance. It's extremely prescriptive, unlike our own federal law, PIPEDA (Personal Information Protection and Electronic Documents Act). And its extra-territorial reach is quite considerable – unprecedented really. It applies to organizations located outside of the EU if they offer goods or services in the European market or if they track the behaviour of individuals in the EU. Also the penalties are harsh – we're talking up to 4 per cent of a company's global annual turnover.
N: Where does Canada stand on adequacy?
AFC: Any country's adequacy status might be at risk, and Canada is not alone in that boat. There are worries that because Canada has not significantly updated its PIPEDA since 2001, when we were first granted adequacy, we could lose our status if the gap between our law and theirs is too wide. Our legal framework pertaining to law enforcement access to data, and our national security framework, could also jeopardize it. The important question is whether we should take steps to ensure we maintain that adequacy status. The jury's still out on that. It’s hard to tell how Canadian companies might have benefitted from adequacy in a financial way. There’s no hard statistical evidence to substantiate the claim that they have. There is also the fact that these decisions tend to be politically motivated. Certainly, many are of the view that Canada’s privacy framework should not be dictated by Brussels.
N: Data localization restrictions are back on the trade agenda with NAFTA talks. How does that square with GDPR requirements in how data is handled?
AFC: Maintaining the free flow of personal information is of critical importance. However, the way to achieve that in support of trade and investment objectives varies. Adequacy is not the only means by which the free flow of information can be supported. There are several data transfer mechanisms that are available to companies to move data outside of Europe. Most countries don’t have adequacy, yet that hasn’t stopped them from trading, because their companies can use other data transfer mechanisms.
N: But the GDPR is still presumably going to ensure that Europe has the gold standard for data privacy. Is that the one everyone should follow?
AFC: The world is not getting simpler. Over 100 countries in the world now have comprehensive data privacy laws, and I'm not even talking about sector-specific laws and other consumer-protection type laws, and all those laws have regulations and local regulatory interpretations. Adopting a standard that is a very high watermark helps with complying with all of those laws and, just as importantly, helps meet stakeholder expectations. That is sometimes a fundamental principle that we forget. Everything we do as privacy practitioners should support and help foster a relationship of respect and trust with our constituents and strive to carry out the ultimate policy objective that all those privacy laws and regulations pursue.
Anick Fortin-Cousens spoke at CBA’s Access to Information and Privacy Law Symposium in October 2017.