With very little fanfare, but a flood of notifications heralding its imminent arrival, the European Union’s General Data Protection Regulation 2016/679 (GDPR) came into direct effect across the 28 member states of the European Union and three of the four states belonging to the European Free Trade Association (EFTA) (collectively the European Economic Area (EEA)) on May 25, 2018. The Regulation has been on the statute books for a couple of years, but only appeared on the legal risk radar recently. The maximum penalties for non-compliance are jaw-dropping and headline-grabbing – €20M or 2% of global revenue for non-compliance and €40M or 4% of global revenue for more egregious offences.
The effect of the GDPR is to completely rework privacy laws for over 500 million people in the 28 EU member states. For a summary of some of the key reforms and innovations introduced by the GDPR, see my SLAW article from September 2017, “Europe’s Data Protection Reform Raises the Bar”. The UK has enacted an analogous data protection law, the Data Protection Act 2018, to come into effect post-Brexit.
The previous Data Protection Directive was silent on extra-territorial effect, but the Court of Justice of the European Union (CJEU) interpreted the Directive broadly as applying to multi-national companies, wherever domiciled, if they had an interest in processing data on European Union residents. Silicon Valley giants, whose business model is predicated upon the processing of individuals’ personal data were and remain particularly in the cross-hairs of the CJEU and other European institutions, who can’t abide the loose privacy protections they adopt. See for example the celebrated Costeja judgment of the CJEU, where Google Inc. sought to wash its hands of responsibility for processing Spanish citizens’ data on the basis of delegating to its Spanish subsidiary, Google Spain. The CJEU was having none of it.
Data, of course, can flow across borders quite effortlessly these days. Therefore, to combat offshore avoidance, the GDPR has explicit extra-territorial application to any data controller or processor that envisages (a) offering goods and services to EEA residents, or (b) monitoring the behaviour of EEA residents.
At first blush, this provision has the potential to be quite troublesome for Canadian data controllers and processors, who might easily control or process personal data relating to EEA residents without being aware of the transgression. However, the voluminous recitals of the GDPR provide some guidance. It would seem that, as presently interpreted, the extra-territorial effect is only properly engaged where the company is actively targeting goods and services at consumers in the EEA, as evidenced by, for example, denomination in a European currency or the adoption of a European generic Top Level Domain, such as .co.uk, .fr, or .eu.
Monitoring of behaviour would seem to be restricted to online behaviour. This limb has more potential as a trap for the unwary. Many Canadian companies use tracking cookies to gather information and analytics on visitors to their websites, cookies that then follow those users around the internet. The biggest players in these analytical services are Google and Facebook. If you were to use a browser that suppresses and reports on tracking cookies, such as Duck Duck Go, you would see the extent of tracking activity from innocuous websites. It was for this reason that many international websites excluded access from EEA IP addresses rather than risk non-compliance after the GDPR came into effect. Some websites remain blocked to EEA residents while the operators try to work out the effect of GDPR.
Overall, the broad application of GDPR has the effect that many multinational organizations cannot easily distinguish to whom the GDPR may or does apply, with the result that the GDPR is the new standard for data privacy in those multinational organizations. You may have noticed the emails from search engines and social media companies and their ilk informing you of changes to Privacy Policies as a result of GDPR, or that it’s easier to unsubscribe from email lists recently. That’s the effect of GDPR.
Many Canadian organizations have only just woken up to the implications of the new privacy landscape, often thanks to changes that are being proposed to contracts with EEA companies. In IT contracts, we are seeing companies that would be the data processors in GDPR terms asking Canadian counterparties to represent and warrant that GDPR does not apply to the personal information that they send, which can be an onerous representation or warranty to concede if the company can’t be sure of the applicability of the GDPR. The alternative is to agree to GDPR processor addendums that set out the Technical and Organizational Measures (TOMs) as a roadmap to compliance. The processor addendums are generally proposed when the contract is under review and may specify that the addendum will become effective only in the event that the GDPR does apply.
The good news is that the headline-grabbing fines available to member states’ regulators are reserved for the most egregious breaches. Enforcement of GDPR is the responsibility of each member state’s own data protection regulator. Many regulators are taking an education-first approach to compliance, helping companies to move to compliance rather than doling out fines, at least initially. Companies should not ignore the GDPR, and should seek to establish whether and how the GDPR may apply to them. Whether changes come about by the application of GDPR, or by changes to Canadian privacy legislation to maintain Canada’s status as having legislation with “adequate” protection, the new standards imposed by GDPR are here to stay and Canadians should start adapting now.