Chantelle Thompson, Canadian Credit Union Association
On April 14, 2016, the European Parliament approved and adopted the General Data Protection Regulation (the “GDPR”) to bring a single cohesive system of privacy regulation to the member states of the European Union (EU). The GDPR, which comes into force on May 25, 2018, will impose significant new obligations on businesses that handle the personal data of EU residents. It is a more robust iteration of the EU’s 1995 Data Protection Directive. The GDPR will apply to companies that have a physical presence in the EU or that engage in data processing activities relating to offering goods or services to EU residents, or to monitoring the behaviour of EU residents within the EU, which may include tracking internet activity for behavioural advertising purposes. Therefore, the GDPR will apply to businesses worldwide that engage in these activities.
This extra-territorial applicability led the World Council of Credit Unions (WOCCU) to comment, in its recently released EU Data Protection Reform/EU-US Privacy Shield Compliance Guide, that “The EU Framework establishes standards for privacy for business and financial institutions throughout the European Union (EU) and will apply to credit unions throughout the world if the credit union has a member in the EU.” [emphasis added].
Some Key GDPR Features
Controllers and Processors
The GDPR makes a distinction between “Controllers” and “Processors” in relation to personal data. Controllers, the entities that determine the purpose and means of processing personal data, retain primary responsibility for the protection of that data, including conducting a Privacy Impact Assessment (PIA) for the processing of highly sensitive data and maintaining records of processing activities. But unlike Canadian privacy laws, which focus primarily on the Controller role, the GDPR also imposes detailed obligations on Processors, the entities that process personal data on behalf of a Controller. Processors are expected to use “appropriate safeguards, return or delete data once processing is complete, and notify the Controller of any data breaches” and are not permitted to subcontract any obligations without the Controller’s permission.
Organizations found to have violated legal rights and obligations related to data processing under the GDPR can find themselves subject to significant sanctions, including fines of up to the greater of €20,000,000 or 4% of the organization’s annual revenue. Public interest organizations will also be allowed to bring class actions for data breaches on behalf of individuals whose rights have been violated.
The GDPR stipulates that data processing must be “lawful” and requires that consent to process personal data must be freely given by the data subject, be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. Moreover, it must be as easy to withdraw consent as it is to give it.
Mandatory Breach Notification
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”, and must be made within 72 hours of first becoming aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Data Subject Rights and Protections
The GDPR introduces several new rights and protections, including Data Portability, Erasure (right to be forgotten), and Right to Access, that may be new to Canadian entities and have “the potential to significantly alter business structures and processes for companies outside the European Union”.
Steps to Consider
The House of Commons Access to Information, Privacy, and Ethics Committee has been reviewing Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to assess whether changes to PIPEDA are required, including whether PIPEDA needs amendments to come into line with the GDPR.
However, according to McMillan LLP, “many of the restrictions and requirements set out in the GDPR are consistent with requirements” under PIPEDA and therefore, “Canadian organizations that already comply with PIPEDA or substantially similar provincial legislation may already have many appropriate privacy policies and practices in place.” Nonetheless, given the seriousness of the potential sanctions under the GDPR, the firm recommends that affected organizations start taking steps now to consider and address the specific requirements of the GDPR where they differ from PIPEDA.
For example, organizations may need to: