A new regulation
In January 2016, the European Commission revealed a draft of its General Data Protection Regulation (GDPR) to replace the previous Data Protection Directive, which was created to regulate the collection and use of personal data within the European Union.
The purpose of the new regulation is to harmonise differing data protection laws in force across the European Union. Importantly, because the legislation is a "regulation" instead of a "directive," it will be directly applicable to all EU member states without a need for national implementing legislation.
Overview of key changes
The impact of the Data Protection Regulation will be broad. Some of the key changes are:
- Single set of rules - A single set of EU-wide rules on data protection, removing burdensome administrative requirements.
- Single authority (sort of) - Companies will only have to deal with the data protection regulator in their main EU jurisdiction. That regulator will have to consult with regulators in other EU countries whose nationals are affected or who have an interest in a particular matter.
The regulation also creates a super-regulator. The new European Data Protection Board will include the head of each national data protection regulator and the European Data Protection Supervisor or their respective representatives. It will also issue guidance and will be empowered to resolve disputes among the national regulators.
- Definitions of data - The scope of "personal data" has expanded slightly. In addition, two new categories of data - genetic and biometric - are included on a list of "sensitive data," which also includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning health or sexual orientation.
- Pseudonymized v anonymized data - Pseudonymized data remains personal data because it can be re-associated with a specific consumer. The regulation does not apply to fully anonymized data.
- Consent - Consent must be freely given, specific and informed. Importantly, if consent is required, it has to be express - "clear affirmative action by the data subject."
However, there are limitations on consent. Consumers cannot be asked to agree to any unfair contractual terms in exchange for their consent. Similarly, consent is not valid where there is "a clear imbalance [of power] between the [consumer] and the [company]."
Different types of data uses require separate consent. As a result, an "all or nothing" choice is not permitted.
Consent is not valid in the context of a contract if the consumer must give consent for use that is not necessary for the performance of the contract. This will significantly affect the business model of free apps or services that rely on selling user data to pay for the costs of providing the service.
- Internal controls - The regulation requires companies to have internal data protection policies and procedures, which may have to be produced in the event of a complaint. Data breaches and subsequent investigations must also be documented.
The regulation requires "privacy by design" in information management systems, which means that security measures need to match the risk of a data breach and potential harm to consumers. In addition, impact assessments are required when a proposed data processing activity poses a "high risk for the rights and freedoms of individuals."
- Data protection officer - Companies must have a data protection officer if they process sensitive data on a large scale or have large scale customer databases. SMEs (less than 250 employees) will be exempt from this requirement unless personal data processing is a core part of their business.
- Data portability - Consumers will have easier access to their data and will be able to transfer it more easily between service providers.
- Right to be forgotten (erasure) - Consumers will be able to delete their personal data if there are no legitimate grounds for retaining it.
- Breach notification - Companies are required to notify their national data protection regulator of all breaches within 72 hours unless "the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals."
Breaches must also be disclosed to the affected consumers "without undue delay if the personal data breach is likely to result in a high risk" to their "rights and freedoms."
- Significant fines - Data protection regulators will be given increased powers to enforce the regulation, including fines of up to 4% of worldwide turnover of the offending "undertaking" - essentially, a corporate group.
- Class actions - The regulation authorizes a form of class action. However, this type of action can only be brought by a public interest organization - a "body, organisation or association which is of non-profit making character, whose statutory objectives are in the public interest and which is active in the field of the protection of personal data."
Companies can still be sued in the home country of a consumer.
Impact on Canadian companies
It is important for Canadian companies to know that the General Data Protection Regulation applies outside of the EU. Those subject to the regulation include:
- Companies that monitor the behavior of consumers who are located in the EU
- Companies based outside of the EU, which provide services or goods to the EU
- Companies with an "establishment" in the EU, regardless of where they process personal data (That means that cloud-based processing performed outside of the EU for an EU-based company is covered by the Regulation.)
- Data processors as well as data controllers are directly liable under the Regulation
In addition, the regulation imposes obligations on companies that transfer personal data outside of the EU:
- Transfers of employee data within a corporate group are not exempt from the rules on transfers outside of the EU.
- There is a new basis for transfers that are not "repetitive and that only concern a limited number of [consumers]," where the company has considered the transfer, imposed safeguards and has a "compelling" legitimate interest in the transfer that is not outweighed by that of the consumer.
- Certification programs - like Safe Harbor - may be approved as a basis for transferring data outside of the EU.
- The EU Commission can now make sector-specific adequacy determinations - for example, health or financial data.
Given the extent and reach of the obligations imposed by the General Data Protection Regulation, Canadian companies collecting data in, or using data from, the EU will need to ensure that they alter their operations appropriately. If they do not, significant business interruption and potential liability could ensue.