For years, Canada and the European Union have enjoyed a safe and comfortable relationship when it comes to data privacy. Next year, that will change. In May 2018, the General Data Protection Act comes into force. This privacy legislation imposes stricter requirements than its predecessor, the Data Privacy Directive, and unlike that instrument is not open to interpretation by national governments. Its shockwaves will travel beyond the EU’s borders.
The GDPR will affect Canadian organizations more than many lawyers here are aware, warns Kirsten Thompson, a partner in the national law group at McCarthy Tétrault LLP. “There’s a misunderstanding that it doesn’t apply to them, and Canadian laws are just fine,” she says.
The GDPR casts a wide net, applying to any company that offers goods or services to EU residents, even if it is based in Canada.
It may even apply to companies that track the online activity of EU citizens, potentially including those companies doing it for targeted advertising purposes, warns Thompson.
“That’s going to be challenging for companies,” she says. “They’ll have to go back to their platform and look at who’s viewing their website. There’s some concern that this may lead to the geo-blocking of websites.”
PIPEDA and the Privacy Act may be adequate for Canadian companies under the EU’s current directive, but things will change with the forthcoming legislation.
Disparities in privacy law
The GDPR has several clauses that don’t align with Canadian law, Thompson warns. One of the most important concerns data portability. While PIPEDA gives Canadians the right to know what information companies hold about them, a data portability clause in the GDPR enables them to obtain that information and take it elsewhere.
Another gap concerns consent for data use. Canada’s consent laws have traditionally been flexible, says David B. Elder, chairman of the communications group at Stikeman Elliott LLP. “An awful lot of the personal information collected by businesses is done by an implied consent standard,” he says.
The GDPR is stricter in its consent mandate. “It’s more granular. Different consents are required for different uses and can’t be buttoned together as a single ‘take it or leave it’ package,” he says.
Federal Privacy Commissioner Daniel Therrien has acknowledged the need for a review of consent rules, referring explicitly to the GDPR during a talk at the Privacy Laws and Business International Conference in the U.K. last year, and he has publicly consulted on consent provisions in PIPEDA. Although written to be technology-neutral, the law is showing its age against a backdrop of breakneck technological change.
“Binary consent is tough to manage in a world of big data and the Internet of Things,” says Thompson, adding that citizens and organizations alike need guidance.
The commissioner could not force through any consent changes himself — they would need to be legislated — but such legislation won’t be straightforward, experts worry. “Some things could be incorporated fairly comfortably, but others are more challenging,” Thompson says.
Take the right to erasure, found in Article 17 of the GDPR. Under this rule, an individual can order a data controller to erase any of their personal data in certain situations without undue delay. “The right to be forgotten bumps up, more so in Canada than in other places, against the right to free speech,” Thompson says. Altering it could create problems with the Charter and with common law.
In any case, privacy legislation is less effective if the national data protection authority does not have order-making capability. It’s another area where Canadian law and the GDPR differ, points out Kris Klein, a partner at boutique law firm nNovation and managing director at the International Association of Privacy Professionals.
Klein cites A.T. v. Globe24h.com as an example of the commissioner’s weak powers. Romanian company Globe24h scraped CanLII for legal case information, which it then made indexable by search engines on its website. When litigants contacted it, concerned about their names appearing in search results, it asked for a removal fee. The privacy commissioner investigated and told the firm to stop.
“Shockingly, that was the end of the matter from the privacy commissioner’s perspective,” he recalls. “There was absolutely no consequence whatsoever to the company and so, of course, it just ignored the privacy commissioner’s report.”
A complainant had to bring the matter to Federal Court, it supported the commissioner’s findings, but it levied just $5,000 in penalties. “Where’s the incentive to do privacy properly?” asks Klein.
The GDPR carries far greater enforcement powers. Data protection authorities can fine violators four per cent of their global revenue or 20 million euros. “We’re lagging quite far behind,” Klein says.
There are other disparities between the new European law and Canada’s own. While PIPEDA and existing European directive placed the burden of responsibility on the data controller (the company primarily tasked with handling sensitive data), the GDPR places legal responsibilities on the data processor. Any third-party service hired by the controller under contract that has access to sensitive data is a processor, from cloud service providers through to call centre operators).
The status quo makes those service providers responsible only within the terms of a commercial contract, points out Elder. That changes under GDPR. “If they are directly subject to the law, all of them will now have to come up to speed on privacy law,” he says.
Anxiety over adequacy
The legal differences between the two privacy frameworks put Canada’s adequacy status in question, warns Klein, who also produces the Privacy Scan Canadian privacy newsletter. “It was always tenuous,” he says.
The European Court of Justice will view Canada’s adequacy in the context of the Max Schrems decision, warns Klein. The Austrian privacy activist took a case to the ECJ arguing that Facebook should not be allowed to transfer his data to the U.S., citing inadequate privacy protections there. Based on his case, the ECJ found the existing Safe Harbour adequacy agreement between the EU and the U.S. invalid, due in part to the potential for state surveillance.
Any cross-border data transfers between the EU and Canada would become more complex, because we’d have to figure out another way to legitimize that transfer,” says Wendy Mee, partner at Blake Cassels & Graydon LLP.
“It would certainly slow things down and create more headaches for Canadian organizations,” she adds.
To keep compliance in cross-border data transfers with the EU, counsel would need to focus on one of two legal instruments: model contracts or binding corporate rules. The former are boilerplate clauses designed to articulate privacy requirements in contractual agreements. The second pertain to companies transferring information internally between divisions in different regions.
Elder wonders whether the legal hoop jumping that may be necessary to keep a blanket adequacy finding would be worth it.
“I see European companies wanting Canadian companies to sign the same model contractual clauses that would be required in countries that don’t have adequacy,” he says. “So I think there’s a question mark about the real need for that adequacy finding.”
Because Canadian companies do not yet know whether the adequacy finding will remain, they should be preparing themselves, argue experts. Bryan Friedman, general manager for Canada at technology legal services company Axiom, breaks GDPR readiness into two main stages.
The first is preparation. It involves reviewing internal policies and processes around data transfer and creating boilerplate clauses to meet privacy requirements. Lawyers must also find the relevant contracts to review. Secondly, in the review and remediation phase, they must analyze those existing contracts to find and update the necessary language.
He argues that lawyers might find contract revision challenging.
“The legal world still relies on this artisanal or bespoke way of dealing with contracting challenges, whereas other large challenges that are technological or operational in nature tend to have an industrial, structured approach,” he warns.
Lawyers should build a base of contracts that are digitally structured and tagged with metadata that enables them to efficiently remediate paper contracts not just once but in future cases, he suggests.
This is all good advice, but some lawyers have more immediate concerns. Robert Piasentin, board member at the Association of Corporate Counsel, is also general counsel and privacy officer at Vancouver tech firm Sierra Systems. He understands GDPR, but he is focused on other matters.
“It’s not a high enough priority just yet because we still have a big enough window to get things in line,” he says. Right now, his attention is focused south of the border.
On Jan. 25, U.S. President Donald Trump signed an executive order titled “Enhancing Public Safety in the Interior of the United States.” Section 14 of that order repealed the protections of the U.S. Privacy Act for non-U.S. citizens or lawful permanent residents. This has Piasentin, whose company deals extensively with the U.S., concerned.
“It is a worry because it has the potential to be very chilling from a privacy perspective in terms of what we’re able to do and how much leverage we have to protect the information of Canadians that have any dealing with American counterparts,” he says.
No one seems equipped to deal with this development yet, given the quickly changing legal landscape in the U.S. The privacy commissioner is “aware of the issue” and “currently analyzing the potential implications for Canadians.”
With changing rules across the Atlantic and south of the border, Canadian counsel faces uncertainty and a potentially time-consuming and far-reaching remediation project. With the GDPR, at least, they have a window in which to do the necessary groundwork. Given the potential scope of the work, they may not want to leave it too long.