With the advent of computer databases in the early 1970s, there was a general uneasiness about the power of the state becoming overbearing. The concern about individual privacy centred on the potential for governments to collect and process a vast amount of information about their citizens on a scale only imagined in sci-fi before. Appropriate safeguards were enacted, even if legal uncertainty over government departments’ power to share data with each other became the major obstacle in completing e-government projects. (The Indian Supreme Court’s finding of privacy as a fundamental right in response to the government’s compulsory biometric identity card system brings that issue back into sharp relief this month.)
Since the concerns were first raised, internet behemoths in the private sector have grown to the point that they are, in some ways, as powerful as some sovereign states. Facebook now has two billion monthly users. These mega-corporations are not rich in tax revenues or other state monopolies like the quasi-sovereign joint-stock corporations chartered to rule vast territories from the sixteenth to the nineteenth century. Rather, their trove consists of data about us – mountains of it – collected and processed in return for providing free online services.
For a long time, it seemed that there was little the individual could do about the fate of the information about them that had been collected. The corporation was in the ascendancy. Scott McNealy, CEO of Sun Microsystems, seemed to summarize their attitude to information privacy when he famously remarked to a group of reporters and analysts concerned about privacy that, “You have zero privacy anyway. Get over it.”
This approach does not play well in Europe and has led to tensions between the US and the EU. Remember that EU countries have enshrined respect for everyone’s right to his or her private and family life, home and communications in both the EU Charter and the European Convention on Human Rights.
Legislation has fallen behind technological advances. The EU’s Data Protection Directive (95/46/EC) was completed before Google, Facebook and Tencent even existed. Google, as the world’s source for indexing, linking and retrieving data about people, has been the lightning rod for individuals, regulators and governments concerned about information privacy, particularly in the EU. The Court of Justice of the European Union (CJEU) purposively interpreted the Data Protection Directive to try to keep it up to date with the rapid technological change that has unfolded since it was made into law. For example, look no further than the celebrated Costeja v. Google decision of the European Court of Justice in 2014. Costeja not only established the “right to be forgotten” in European Union law for the first time, but also held that even though Google Inc. did not itself operate directly in Spain, its data processing activities fell within the ambit of the Directive.
In EU data protection law, the customer or client is the data subject, the supplier is the data processor, while the data controller is the individual or legal person responsible for the keeping and use of the data. So in Costeja, Sr. Costeja was the data subject, the website containing the material was the data processor, but Google Inc. and Google Spain (Google Inc.’s subsidiary) were one economic unit and therefore Google was the data controller because it indexes and links the data on its computers.
The EU Commission and Parliament have finally caught up and the General Data Protection Regulation (GDPR) is the result. The changes in the GDPR will have far-reaching effects for Canadian corporations even with minimal operations in the EU, when it comes into force on May 25, 2018. This will be particularly relevant as trade increases when the Canada-EU Comprehensive Economic and Trade Agreement (CETA) is provisionally implemented on September 21, 2017.
Unlike the Directive, which had to be transposed in national law by member states’ parliaments over a period of years, the GDPR has direct effect across the Union. There follows an overview of some of the key changes.
While the Directive was ambiguous about its extra-territorial effect, the GDPR is crystal clear. The EU data protection regime and all that entails will apply to any data controller who processes data about an EU resident, regardless of their location, if:
- they are deemed to be established in the EU (Google was held to be established in the EU with EU-based sales and advertising); or
- they are not established in the EU, but the processing of data relates to the offering of goods and services to EU residents or to monitoring the behaviour of EU residents.
In addition, data controllers established outside the EU but caught by either of these provisions will have to appoint a representative in the EU.
The implications for non-compliance are severe. Fines can be up to €10 million ($15 million) or 2% of global revenue, whichever is greater, for offences such as not having records in order, failing to notify a supervising authority of a privacy breach, or not conducting an impact assessment. For the more egregious offences, such as breaches of basic data protection principles, data subjects’ rights, international transfer restrictions etc., fines can be up to €20 million ($30 million) or 4% of global revenue, whichever is greater.
Personal data itself is now defined as “any information relating to an identified or identifiable natural person”. “Identifiable” is defined by reference to “all means likely to be used” to identify the person. In this way, any identifier will likely be regarded as personal data, such as a DNS address, car license plate, or a person’s identification number.
Consent to data being collected must be given in an intelligible and easily accessible form, fully unbundled from other terms and conditions. The consent must be freely given, specific, informed and unambiguous. The consent form would be best written in plain language, with the purpose for the data processing attached to that consent. The data subject has the right to withdraw consent at any time. It must be as easy for the data subject to withdraw consent as it is to give consent.
Similar to COPPA in the USA, which applies to the online collection of personal information by individuals or entities under US jurisdiction about children under 13, the GDPR again raises the bar by providing that children under 16 must have the consent of a parent for their personal data to be collected and processed. Member states may derogate from the GDPR provided that the age limit is no less than 13.
Withdrawal of Consent
Withdrawal of consent also attracts the Right to be Forgotten, as established in EU law in the Costeja case, which is now codified in the GDPR as the Right to Erasure. Data controllers should not, therefore, hold personal data for longer than is necessary. There is also an entirely new Right to Data Portability, where the data subject has the right to have their personal data sent to them or to another data controller in a structured, commonly used and machine-readable format. The Directive’s Right to Object to the processing of data for direct marketing purposes remains.
Privacy by Design
The GDPR embraces Data Protection by Design and by Default. Data Protection by Design calls for data protection to be included from the outset when designing processes, products or services, rather than as an afterthought. Data Protection by Default requires mechanisms to ensure that by default only personal data that are necessary are processed, including minimizing the amount of data processed and storing it for no longer than is necessary.
Mandatory Breach Notification
For the first time in EU law, notification of a privacy breach is now mandatory across the Union. The data processor must notify the Information Commissioner for the relevant member state within 72 hours and the data subjects and data processors (suppliers) “without undue delay”.
Canada is currently one of the countries that has passed the EU’s adequacy tests for export of data from the EU. However, this adequacy is only in respect of the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and where provincial law is not to an equivalent standard, contractual clauses will be required to provide adequate safeguards for the protection of the individual’s privacy. Once the GDPR is implemented, it is unlikely that PIPEDA will still be considered an adequate equivalent by the EU, with the result that many of these reforms may end up being implemented in Canada.
We live in a global world, where data flows easily across borders and it can be hard to tell which regime governs the data. However, the GDPR reform to EU data protection law means that Canadian businesses with even a minimal amount of trade in the EU will be captured by the EU regime. The penalties for non-compliance are severe and the time limits for breach notification are short. Canadian businesses must prepare now for the forthcoming changes.