On May 25, 2018, the European Union General Data Protection Regulation (GDPR) took effect in all member states of the European Union (EU), replacing the previous legislation, Directive 95/46/EC. GDPR is a comprehensive data protection law that governs the collection, use and dissemination of personal information in the EU. Compared with its predecessor and British Columbia’s Personal Information Protection Act (PIPA), GDPR imposes stricter requirements and obligations on organizations with respect to the use, collection, disclosure, and maintenance of personal information. Most importantly, with its wider territorial scope, GDPR has implications for businesses that operate outside of the EU, including businesses in Canada and British Columbia.
How does GDPR apply to businesses in BC?
Personal information is defined as any information that can indirectly or directly identify a person. Usually, a country's data protection law does not have jurisdiction over the processing of personal information by organizations in other countries. GDPR, however, applies extraterritorially to the processing of personal information if the organization, as the controller or processor, envisages:
- offering of goods or services to data subjects in the EU; or
- monitoring the behavior of the data subjects as far as their behavior takes place within the EU.
Businesses in BC that fall under either of the above categories will be subject to GDPR. They may also be subject to GDPR if they provide data processing services to organizations that are subject to GDPR.
How does GDPR affect businesses in BC?
GDPR has specific requirements and obligations for applicable businesses in BC to follow. It is prudent to be compliant with GDPR because of its punitive penalties and fines. For example, a lower-level fine can be up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher. An upper-level fine, on the other hand, can be up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. The key areas of GDPR for businesses in BC to note, in light of PIPA, include, but are not limited to, the following:
Aside from certain exemptions, PIPA requires consent for data processing. It, however, allows for both express and implied consent. Under GDPR, consent is one of the lawful bases that allow organizations to process personal information; once chosen as the lawful basis, consent under GDPR carries onerous requirements, as GDPR accepts only affirmative, express consent for each use of the personal information. It expressly requires the consent to be freely given, specific, informed, and unambiguous, expressed by a clear affirmative action. The existing practice of “opt-out” consent, where the burden is on the data subject to opt out, is eliminated. Furthermore, the withdrawal process must not be difficult: withdrawing consent should be as easy as giving it.
Businesses in BC may be subject to mandatory breach notification requirements pursuant to the amendment to the federal privacy act, the Personal Information Protection and Electronic Documents Act (PIPEDA), that will come into effect on November 1, 2018. Currently PIPA does not have such mandatory breach notification requirements, but it may be amended to include them if PIPA aims to remain substantially similar to PIPEDA. These requirements include notifying the affected individuals of high-risk breaches, reporting such breaches to the Privacy Commissioner of Canada, and maintaining records of such breaches. GDPR has similar requirements, but instead of requiring the organization to report breaches as soon as feasible, it requires the organization to report to the supervisory authority within 72 hours, with an explanation for any delay beyond that.
Access to Information
Under PIPA, data subjects may request a copy of their personal information from businesses in BC that have collected the data. Businesses must provide access to the copy, but such copy does not have to be in an easily transferable format. GDPR, on the other hand, requires the copy to be provided in a structured, commonly used, machine-readable format. This relates to the data subject’s right to data portability under GDPR in which the data subject may request the personal information, in transferable format, to be transmitted to another controller.
Right of Erasure
Under PIPA, data subjects do not have the right to seek erasure of their personal information. Businesses in BC do not have to delete such data, but they should not process data that is no longer necessary for the consented purpose. GDPR, on the other hand, requires data that is no longer necessary to be erased without undue delay upon request of the data subjects. If subject to GDPR, businesses in BC must act on the request within one month, either by erasing the requested data or by seeking an extension with an explanation.
Privacy Impact Assessments (PIA)
PIA is an assessment performed to identify and mitigate privacy risks of processing personal information. It involves a proportional exercise between the necessity of the personal information and risk of the processing based on the purpose of the processing and evaluation of the necessary security measures. PIAs can be costly and time-consuming.
PIPA does not require organizations to complete PIAs before processing any personal information, although it may be good business practice to do so. GDPR, on the other hand, requires organizations to complete PIAs before processing the personal information.
Both PIPA and GDPR require businesses to appoint a privacy officer to ensure compliance with the respective law. However, under GDPR, businesses in BC, as controllers or processors outside the EU, will have to appoint a designated representative in one of the EU states where the data subjects reside, unless the processing is occasional and does not include, on a large scale, processing of special categories of data such as biometrics or data that poses a risk to the rights and freedoms of the data subjects.
How should businesses in BC prepare for GDPR?
Obligations of Controllers and Processors
Affected businesses in BC should quickly determine whether they might be defined as controller or processor; although GDPR has jurisdiction over both controllers and processors, controllers bear the majority of the compliance responsibilities. As defined in GDPR, controllers set the purpose of the processing while processors follow the instructions of the controllers. In particular, a controller is required to use only processors providing sufficient guarantees to implement the required technical and organizational measures of the GDPR which include: maintenance of the record of data, the appointment of a data privacy officer and an EU representative to report to the GDPR’s authorities, and data minimization. It is prudent for businesses in BC to have data sharing agreements established with their clients who may be controllers or processors to allocate the risks and responsibilities.
Adequacy of Canadian Privacy Laws to GDPR
Businesses in BC are subject to PIPA, the provincial act that governs privacy in the BC private sector. PIPA is deemed to be substantially similar to the federal act, PIPEDA. Since 2001, and reaffirmed in 2006, the EU has recognized PIPEDA as providing adequate privacy protection which permits transfers of personal information of EU data subjects to organizations in Canada without additional safeguards. With the implementation of GDPR, PIPEDA and consequently PIPA are likely to now be considered inadequate. While there are no sunset clauses to remove Canada’s adequacy status, the EU, pursuant to GDPR, will reevaluate Canada’s adequacy status by May 25, 2020.
Recommendations Moving Forward
Businesses in BC that are subject to GDPR should, if they haven’t already, review and update their privacy policies and data processing practices to be compliant with GDPR. Even if GDPR is inapplicable, businesses in BC may eventually be held to similar standards locally as amendments to PIPEDA and possibly PIPA are being made to match GDPR’s standards. For example, the most recent amendments to PIPEDA that impose requirements of mandatory breach notification on the Canadian private sector are in line with the updates imposed by GDPR, and it may be possible that PIPEDA will be further amended to be fully compliant with GDPR by May 25, 2020.
PIPA, which is designed to be substantially similar to PIPEDA, may be amended similarly. Eventually, subject to GDPR or not, businesses in BC may have to comply with GDPR standards.
With the GDPR in effect already and the anticipation that PIPEDA and PIPA will eventually include similar data privacy requirements, we have the following recommendations for businesses in BC:
- Review the current data processing and business practices to determine if the business is subject to GDPR, directly or indirectly;
- Consider encrypting and de-identifying personal information as much as possible to minimize the application of privacy law and the possibility of data breaches;
- Consider upgrading the current infrastructure to secure personal information collected; and
- Enter into data sharing agreements with clients who may be considered controllers or processors under GDPR.