- The European Union’s (“EU”) new privacy regulations impact companies in Canada that collect or use personal information from people in the EU.
- If your Canadian e-commerce business collects or uses EU personal information, you will want to make sure you have a plan to comply.
- Some of the main compliance matters include (i) ensuring you have ‘informed’ consent to collect and process someone’s personal information; and (ii) having appropriate technical and organizational measures in place to protect against the misuse of personal information.
If your business collects personal information from customers or users in the EU, it is time to make sure you are familiar with, and have a plan to comply with, the EU’s General Data Protection Regulation (“GDPR”). The GDPR reshapes EU privacy laws, and in many respects, might be regarded (at the time of writing) as the most comprehensive privacy framework for protecting personal information in the world.
You can access the long and dense text of the GDPR on the EU’s website. However, in this post, I summarize some of the issues Canadian businesses who collect EU personal information should consider.
The GDPR has extra-territorial effect: under Article 3, it governs not only businesses established in the EU but also businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour. As a result, the GDPR can apply to Canadian businesses that collect, store or process personal information from people in Europe, even where the business has no EU presence.
One of the GDPR’s objectives is to ensure that where EU personal information is collected, the businesses that hold and process it have implemented appropriate technical and organisational measures to protect the information from misuse. Equally important, the GDPR sets out the conditions under which personal information may be processed at all, including the standard that consent must meet when a business relies on it.
Obtaining Informed Consent to Use the Personal Information
Consent is one of several lawful bases for processing under the GDPR (another is processing necessary to perform a contract with the person). Where a business relies on consent, that consent must be ‘informed’. The GDPR says:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement…
A clear and unambiguous indication of consent can include ticking a box when visiting a website, choosing technical settings in an online account or some other statement or conduct that clearly indicates the person’s acceptance.
However, silence, inactivity, pre-ticked boxes or a privacy policy merely sitting in the footer of a website do not constitute consent.
In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.
For consent to be informed, the person granting it must also know who they are disclosing their personal information to, not only what it will be used for: the GDPR’s transparency provisions (Articles 13 and 14) require that the identity and contact details of the controller be given at the time the data are collected.
Transferring Personal Information Outside the EU
Transfers of personal information outside the EU are permitted only under one of the GDPR’s transfer mechanisms. Transfers to Canadian organisations covered by PIPEDA benefit from the European Commission’s adequacy decision for Canada; where that decision does not apply, another mechanism such as standard contractual clauses is needed, and relying on the person’s explicit consent to the transfer is only a narrow fallback under Article 49. For Canadian businesses, receiving EU personal information can also become complicated where it is collected by a third party. In such situations, you will want assurances that the information you receive was collected in accordance with the GDPR, and with all other applicable laws, rules and regulations.
The party that collects the personal information must also meet the GDPR’s requirements for the contract under which it passes the information to you. The European Commission, an institution of the EU, publishes standard contractual clauses for transfers of personal information outside the EU (one set for transfers between controllers and one for transfers from a controller to a processor). These clauses are available for download from the Commission’s website.
Technical and Organisational Measures to Protect Personal Information
Your business needs to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services used to store and process personal information. The measures a business is required to take to protect personal information may depend on the context in which it was collected. Factors to consider include the sensitivity of the information you hold and the availability of different technology to protect it.
One of the primary means of protecting personal information is implementing security measures, such as encryption, to prevent a third party from obtaining unauthorized access. Article 32 of the GDPR names ‘the pseudonymisation and encryption of personal data’ among the measures a business should consider, and the GDPR explains the role pseudonymisation can play:
The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.
Aside from technical measures, organisationally, personal information should only be available to people, including IT staff and the administrators of the systems that hold it, on a need-to-know basis.
The Right to Be Forgotten
Recital 65 of the GDPR says,
… a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation.
Many commentators have rightly pointed out that compliance with the GDPR can become problematic when using certain systems. For example, the central promise of blockchain technology is an immutable record of transactions and data processing. How then does a business reconcile the right to be forgotten with an immutable blockchain record that might hold personal information? The same question arises with append-only audit logs and backups that cannot be selectively edited.
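One pattern practitioners use for this tension, added here as an illustration that is not part of the original article and is not offered as a legal answer: keep the personal information off the immutable store altogether, and put on the ledger only a pseudonym and a keyed commitment computed under a secret key held for that person. The ledger is never rewritten; an erasure request is met by deleting the off-ledger record and destroying the person’s key, after which the surviving ledger entries can no longer be linked to anyone or checked against the deleted data. The Python below is an added example with a toy hash-chained list standing in for whatever ledger is actually used; the class, method names and sample records are constructed for this example.

```python
"""Added example (not from the original article): personal data kept off an
append-only ledger so that erasure remains possible.

The ledger stores only pseudonyms and keyed commitments under a per-subject
secret key. Erasing a subject deletes their mutable record and destroys the
key; the ledger is untouched but its entries no longer link to a person.
All names, keys and records here are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional


class LedgerEntry:
    """One append-only entry: no personal data, only a pseudonym and a keyed
    commitment, chained to the previous entry by hash."""

    def __init__(self, pseudonym: str, commitment: str, prev_hash: str) -> None:
        self.pseudonym = pseudonym
        self.commitment = commitment
        self.prev_hash = prev_hash
        self.entry_hash = LedgerEntry.digest(pseudonym, commitment, prev_hash)

    @staticmethod
    def digest(pseudonym: str, commitment: str, prev_hash: str) -> str:
        return hashlib.sha256(f"{pseudonym}|{commitment}|{prev_hash}".encode()).hexdigest()


class PseudonymisedStore:
    """Three stores that should live in separate systems with separate access:
    per-subject keys (most sensitive), mutable personal records, and the ledger."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}     # subject identifier -> secret key
        self._records: Dict[str, dict] = {}   # pseudonym -> personal record
        self.ledger: List[LedgerEntry] = []   # append-only, never edited

    @staticmethod
    def _mac(key: bytes, data: str) -> str:
        return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

    def pseudonym(self, subject: str) -> Optional[str]:
        # Without the subject's key the pseudonym is an opaque string, so the
        # key store is the "additional information" that is kept separately.
        key = self._keys.get(subject)
        return None if key is None else self._mac(key, "pseudonym:" + subject)

    def record_transaction(self, subject: str, record: dict) -> LedgerEntry:
        if subject not in self._keys:
            self._keys[subject] = secrets.token_bytes(32)   # fresh key per person
        key = self._keys[subject]
        pseud = self._mac(key, "pseudonym:" + subject)
        # A plain hash of a short record (name, email, postcode) could be
        # brute-forced from the ledger; a keyed commitment cannot be recomputed
        # once the key is destroyed.
        payload = json.dumps(record, sort_keys=True)
        commitment = self._mac(key, "record:" + payload)
        self._records[pseud] = record
        prev = self.ledger[-1].entry_hash if self.ledger else "0" * 64
        entry = LedgerEntry(pseud, commitment, prev)
        self.ledger.append(entry)
        return entry

    def lookup(self, subject: str) -> Optional[dict]:
        pseud = self.pseudonym(subject)
        return None if pseud is None else self._records.get(pseud)

    def verify(self, subject: str, entry: LedgerEntry) -> bool:
        """True if the off-ledger record still matches the ledger commitment."""
        key = self._keys.get(subject)
        record = self.lookup(subject)
        if key is None or record is None:
            return False
        payload = json.dumps(record, sort_keys=True)
        return hmac.compare_digest(entry.commitment, self._mac(key, "record:" + payload))

    def erase(self, subject: str) -> bool:
        """Honour an erasure request without touching the ledger: delete the
        record and destroy the key that linked the ledger entries to a person."""
        pseud = self.pseudonym(subject)
        if pseud is None:
            return False
        self._records.pop(pseud, None)
        del self._keys[subject]
        return True

    def ledger_intact(self) -> bool:
        """Re-check the hash chain; erasure must leave it unchanged."""
        prev = "0" * 64
        for e in self.ledger:
            expected = LedgerEntry.digest(e.pseudonym, e.commitment, e.prev_hash)
            if e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True


if __name__ == "__main__":
    store = PseudonymisedStore()   # constructed sample data below
    entry = store.record_transaction("alice@example.com", {"name": "Alice", "postcode": "SW1A 1AA"})
    print("before erasure:", store.lookup("alice@example.com"), store.verify("alice@example.com", entry))
    store.erase("alice@example.com")
    print("after erasure:", store.lookup("alice@example.com"), store.verify("alice@example.com", entry))
    print("ledger intact, entries kept:", store.ledger_intact(), len(store.ledger))
```

Whether destroying the key and deleting the off-ledger record satisfies the right to erasure for what remains on the ledger is a question to put to counsel; the technical point is that this design decision has to be made before the first personal record is written, because nothing can be removed from the ledger afterwards. The same design also serves the earlier point on pseudonymisation: the key store is the separately held material that turns a pseudonym back into a person, and it is the part that must be restricted to a need-to-know basis.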
Enforcement of the GDPR in Canada
There will be substantial fines for organisations that do not comply with the GDPR. Perhaps of primary concern for Canadian businesses will be penalties related to transferring personal information internationally without a valid transfer mechanism.
Under Article 83 of the GDPR, infringements of the basic principles for processing, including the conditions for consent, and of the rules on cross-border data transfers can attract administrative fines of up to €20 million or, for an undertaking, up to 4% of its “total worldwide annual turnover of the preceding financial year”, whichever is higher.
Whether Canadian courts will enforce a breach of the GDPR by a Canadian business remains to be seen. However, the recently concluded Comprehensive Economic and Trade Agreement (“CETA”) between the EU and Canada deals with personal information protection in the context of e-commerce (see Article 16.4) and encourages both the EU and Canada to adopt laws that protect personal information. Considering that Canadian courts have regard to the principle of comity in deciding whether to enforce foreign judgments, fines and penalties, CETA may play a role in encouraging Canadian courts to enforce GDPR breaches in Canada.
While the GDPR deals at great length with a whole host of other obligations businesses who collect personal information have, this article was intended to bring to light only a few of the issues Canadian businesses will need to consider.
DISCLAIMER: The information in this article is not (and is not intended to be) legal advice. This is legal information only. Reviewing information about the law may help you determine whether you need legal advice. Do not rely on the contents of this post to make any decisions about how to comply with the GDPR. Consult an EU lawyer for advice on the GDPR.