THE IMPACT OF GDPR ON CANADA

Impact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium


Page 1

THE IMPACT OF GDPR ON CANADA

Page 2

DESCRIPTION

As the European Union’s General Data Protection Regulation (GDPR) comes into effect over the next two years, organizations that do business in Europe will face a series of new obligations – and the potential for huge fines if they fail to respond. Like the Data Protection Directive before it, the GDPR will transform the way Canadian companies protect consumer privacy and may even impact Canadian policy and legislation. This session will explore the operational impacts the GDPR will have on Canadian companies as well as the policy implications for international data transfers from Europe to Canada.

What you’ll take away:
• An overview of the GDPR’s key provisions and departures from the Directive
• The policy implications of the GDPR for Canada’s adequacy status and preserving international data transfers
• A detailed analysis of how the GDPR will impact the operations of Canadian businesses

Page 3

Constantine Karbaliotis, J.D., CIPM, CIPP/C/E/US, CIPT
Vice President of Privacy Office Solutions
NYMITY
366 Bay Street, Suite 1200
Toronto, Ontario, Canada, M5H 4B2
Tel. 647.260.6230
[email protected]

Gabe Maldoff, J.D., CIPP/US
Westin Fellow, IAPP
IAPP
75 Rochester Ave., Suite 4
Portsmouth, NH
[email protected]

Page 4

AGENDA

1. GDPR Primer – Gabe
   a. GDPR Themes
   b. Bases for Processing
   c. Individual Rights
   d. Breach Notification
   e. International Data Transfers

2. Policy Implications of GDPR – Gabe & Constantine
   a. Canada’s Adequacy Status
   b. Issues

3. Operational Implications of GDPR – Constantine
   a. Canadian Companies as Controllers
   b. Canadian Companies as Processors
   c. The Employee Data Exception
   d. Onward Transfers
   e. The “delta” – What do Canadian Companies have to do differently?
   f. A modest proposal

4. Questions and Answers – Gabe & Constantine

www.iapp.org

Page 5

DISCLAIMER

• This represents the views of the presenters, and not of any of their:
  – Employer
  – Privacy organizations to which they may belong
  – Anyone else, perhaps
  – But these are questions that may be useful to consider – and have answers to

Page 6

GDPR PRIMER

Page 7

THE GENERAL DATA PROTECTION REGULATION

– Regulation, NOT a directive
– 99 Articles, 204 pages
– New territorial scope:
  • Shift from location of equipment to location of data subjects
  • “Processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:
    – A) The offering of goods and services to data subjects in the Union; or,
    – B) The monitoring of their behaviour”
– Fines up to 20 Million Euros or 4% of annual turnover

• Key Concepts: personal data; controller/processor; main establishment

Page 8

GDPR THEMES AND AIMS

1. Creating a single set of rules that govern across the EU
   • Contra: carve-outs for Member State implementation; no pan-EU regulator

2. Putting users in greater control of their personal data
   • Contra: new challenges on obtaining consent

3. Accountability and heightened enforcement
   • UK Information Commissioner Christopher Graham: “What scares Google is EU-style data protection rules with U.S.-style enforcement”

Page 9

BASES FOR PROCESSING

1. Enhanced rules around consent
   • “Freely-given, specific, informed, and unambiguous ... by a statement or clear affirmative action” (Opt-In)
     A. Need to be able to demonstrate consent
     B. Request for consent must be clearly distinguishable from other terms and conditions
     C. Data subject must be able to withdraw it at any time
     D. Service cannot be made conditional on consent

2. Contract

3. Legal obligation
   • Obligation must come from EU law or Member State law only – not a Canadian legal obligation

4. Legitimate interests of the controller
   • Privacy notice will need to explain what the controller’s legitimate interests are and why they override the data subject’s interests

Page 10

BASES FOR PROCESSING (2)

– Special Categories of Data
  • Broad definition: health, biometric, genetic, religious/philosophical/political opinions and beliefs
  • Prohibited, unless...
    – Explicit consent
    – Necessary for employment
    – Vital interests
    – Manifestly made public
    – Medicine, public health, legal claims, research

– Compatible Secondary Processing
  • Factors: link between purposes, context and relationship, nature of the personal data, possible consequences, presence of safeguards

Page 11

INDIVIDUAL RIGHTS

– Notice
  • Need to provide notice of legal basis, any transfers to third countries, how the data subject can obtain more information, retention periods (or how they will be calculated), individual rights
  • If data is obtained indirectly, notice must be provided within one month, unless it would take disproportionate effort

– Access and Rectification
  • Right to receive information about processing activities
  • Right to a copy of all personal data
  • Right to rectify inaccurate data
  • Derogations/exemptions:
    – Taking reasonable steps to verify the identity of the requester
    – Member States may protect both individuals and controllers
    – Controllers may be able to consider the motive of the data subject in requesting access

Page 12

INDIVIDUAL RIGHTS (2)

– Data Portability
  • Right to structured and machine-readable data
  • Applies only to automated processing, where data was provided by the data subject, and processing is based on consent or contract
  • But, processing the request cannot impact another data subject’s rights

– Right to be Forgotten
  • Controllers must erase personal data “without undue delay” if the data is no longer needed, the data subject objects to processing, or processing was unlawful
  • Balanced against freedom of expression, the public interest in health, scientific and historical research, and the exercise or defense of legal claims

– Right to Object
  • Controller must cease processing that was based on its legitimate interests or a public interest, unless the controller can demonstrate compelling legitimate grounds for the processing

Page 13

DATA BREACH NOTIFICATION

– Definition:
  • “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

– Notification to Competent Authorities
  • Notification within 72 hours
    – Unless the breach is “unlikely to result in a risk for the rights and freedoms of natural persons.”
  • Processor must notify the controller

– Notification to Affected Individuals
  • Only where the breach is “likely to result in a high risk for the rights and freedoms of natural persons.”

Page 14

RESPONSIBILITIES OF CONTROLLERS AND PROCESSORS

– Controllers
  • Must secure greater control over processors
  • Overall accountability

– Processors
  • New direct obligations:
    – Maintain a register of processing activities
    – Security measures
    – Data transfer obligations

– Joint controllers
  • Need to allocate responsibility and communicate the division of responsibility to individuals

– Liability
  • Joint and several liability
    – Goal of providing effective compensation
    – Burden on controller to prove no liability

Page 15

INTERNATIONAL DATA TRANSFERS

– Adequacy determination
  • From adequate to “essentially equivalent”
  • New power for Commission to find a specified territory or sector within a country “adequate”
  • Periodic review

– Binding Corporate Rules (BCRs)
– Standard Contractual Clauses
– Approved and enforceable codes of conduct and/or certifications
– Derogations for specific transfers:
  • Explicit Consent
  • Necessary for the performance of a contract
  • Public interest or vital interest
  • Exercise or defense of legal claims
  • Public register
  • Compelling legitimate interests of the controller with suitable safeguards
    – Concerns only a limited number of data subjects
    – NOT repetitive
    – NOT overridden by data subject rights

Page 16

POLICY IMPLICATIONS OF GDPR

Page 17

THE CASE FOR REFORMING PIPEDA (RELEASED MAY 23, 2013), OFFICE OF THE PRIVACY COMMISSIONER OF CANADA

• “One of the reasons PIPEDA was enacted was to create a vehicle that would facilitate the flow of personal information from EU member states to Canada…The adequacy concept is retained under the Regulation.”

• “It is an open question as to what effect the proposed Regulation, if passed in its present form, might have on Canada’s adequacy status, given the current state of PIPEDA.”

Page 18

IS ADEQUACY AT RISK?

• EU has shown willingness to take action on and challenge adequacy of member states
  – Hungary

• Regulation explicitly addresses determination of adequacy and extends ability to recognize sub-divisions – as well as to determine that a country or sub-division is not adequate, and to monitor on an ongoing basis
  – GDPR, Article 45

Page 19

AREAS OF RISK FOR ADEQUACY

• Adequacy in current version is based upon sufficiency of sanctioning power by an independent data protection authority (GDPR Article 45)
  – Issues have been identified by EU authorities and commentators on:
    – Breach notification >> soon to be fixed?
    – Penalties and order-making >> fixed?
    – Onward transfers from Canada
    – The right to be forgotten
    – National security >> requires fix at an international level

• Lack of coverage of laws to all aspects of personal information
  – Employee privacy is not protected under PIPEDA unless under federal jurisdiction, or in a province lucky enough to have a provincial privacy law

Page 20

REVIEW OF ADEQUACY

• Canada is not likely to be ‘first’ on the list for possible review
• Of the league of the ‘adequate’, other countries may be first to be reviewed
• Are we keeping up with the league of the adequate?
• Is adequate, adequate anymore?
  – Schrems

Page 21

TREATMENT OF SUB-DIVISIONS

• Could Canada remain considered adequate – but a province not be adequate?
  – GDPR Article 45
  – WADA issue in Quebec – assertions of inadequacy?
  – Does adequacy follow being deemed ‘substantially similar’ under PIPEDA?

• Could a province be recognized as adequate – and not the rest of Canada?
  • Alberta alone has coverage, enforcement, breach – last one standing?

• Does national security law moot even what the provinces have done?

Page 22

SUBSTANTIALLY SIMILAR NOT ADEQUATE?

• “At the moment, the Commission Decision does not cover provincial legislation, but it is foreseen that when the Canadian Government recognises a provincial law as being substantially similar to PIPED Act then the Commission decision will be adapted to reflect this.”

• There has never been formal recognition that a substantially-similar finding means adequacy – raised in WADA controversy in relation to Quebec

• Model clauses are therefore required for any transfer to a province deemed substantially similar

Page 23

POSSIBLE POLICY RESPONSE

• Amendment of PIPEDA in line with May 2013 Discussion Paper
  – Primarily for ourselves, but also because of our desire to continue to do business with the EU and perhaps to take advantage of our natural advantages
  – Already partially instituted by changes under S-4, and with breach consultations underway to complete breach notification requirements

• Coordination with provinces to ensure:
  1. “Substantially similar” legislation
  2. Coverage of employee data
  3. Consistent breach notification requirements
  4. Codify federal-provincial cooperation on investigations, other

Page 24

OPERATIONAL IMPLICATIONS OF GDPR

Page 25

WHAT ABOUT ADEQUACY?

• Adequacy is not a get-out-of-jail card… this only addresses data transfer requirements, none of the other substantive requirements of the GDPR

Page 26

OPERATIONAL IMPACTS OF THE GDPR (1)

• As a data controller:

– You are subject to all the requirements of the GDPR, in the same fashion as any company operating in the EU, if you are collecting personal data from EU residents

– You do not need to have a physical presence in the EU

Page 27

OPERATIONAL IMPACTS OF THE GDPR (2)

• As a data controller, you must comply with all aspects of the GDPR, and key for Canadian companies:
  – Right to be forgotten
  – Record keeping requirements
  – Data protection impact assessments
  – Appointment of DPO where warranted
  – Representative office in Europe
  – Data breach reporting
  – Enforcement – fines of up to 4% of global revenue (!)

• And more…

Page 28

OPERATIONAL IMPACTS OF THE GDPR (3)

• As a data processor:

– You will be made subject to all the requirements of the GDPR, just as any other data processor, if you are processing personal data of EU residents on behalf of a data controller

– This will be done via contract by your clients – as data controllers, they have the obligation to pass on the requirements of the GDPR to their processors

Page 29

OPERATIONAL IMPACTS OF THE GDPR (4)

• What obligations?

– Right to be forgotten

– Record keeping

– Data protection impact assessments

– Data security requirements

– Data breach reporting

– Representative office

• And more…

Page 30

EMPLOYEE DATA

• For both data controllers and data processors:

– Employee data is not included in the adequacy finding:

• “..if the recipient organisation is not a federal work, undertaking or business, then adequate safeguards must be put into place to protect the data.”

– Standard contractual clauses are the recommended approach to deal with employee data

Page 31

IMPACT ON DATA TRANSFERS

• For both data controllers and data processors:
  – An ongoing ‘sticking’ point for EU companies and regulators has always been that there are no requirements or restrictions relating to onward transfers, i.e. to the United States
  – Article 28 will mandate this be addressed by contractual requirements for data processors to ensure adequate protection of personal data for onward transfers – and restrictions prohibiting it without the controller’s approval

Page 32

ADDRESSING DATA TRANSFERS

• Strategies:

– Standard Contractual Clauses for onward transfers

• Even if not required in some circumstances – a best practice?

• GDPR will ultimately mandate this

– Legitimate interests

• Seems to be ‘coming to life’ – consideration needs to be given to documenting, defending positions

– Privacy Shield?

• Onward transfers to the US – can we leverage Privacy Shield?

Page 33

SUPPLEMENTING ADEQUACY

• Codes of conduct are permitted under the GDPR and can be used to recognize adequacy to a sector: Article 46

• Codes of conduct can address:
  – Areas relating to data processing such as:
    • fair and transparent data processing;
    • legitimate interests;
    • collection of data;
    • the pseudonymisation of personal data;
    • information of the public and of data subjects;
  – Requests of data subjects in exercise of their rights, including the right to be forgotten;
  – Information and protection of children and collection of consent by parents;
  – Setting standards for security of processing;
  – Notification of personal data breaches and communication of breaches to data subjects;
  – Transfer of data to third countries or international organisations;
  – Out-of-court proceedings and other dispute resolution procedures

Page 34

A CANADIAN CODE OF CONDUCT

• So, rather than wait for amendments…
• Canadian private sector ‘fixes’ the shortcomings in our law by creating a code of conduct that they can voluntarily adhere to, that addresses the areas allowed, plus:
  – Onward transfers – setting our own standard contractual clauses
  – Employee data – ensuring coverage
  – Ensuring coverage of organizations under provincial substantially-similar laws, or where there are no provincial laws
  – Authorizes federal and provincial commissioners – or possibly another body? – to monitor and enforce the code of conduct

• A ‘made in Canada’ solution that does not require legislative change, and that protects and enhances our ability to do business with the EU

Page 35

CONCLUSIONS & Q&A

• GDPR is a sleeper issue for Canadian companies
• Safe Harbor/Privacy Shield has provided a window into how willing the EU is to challenge existing relationships
• Canadian privacy professionals can best steer their organizations clear of potential issues by being up-to-date on requirements for GDPR compliance, and addressing proactively the contractual flow-throughs required to satisfy EU consumers and clients

• Perhaps Canadian organizations can best take control of the issues relating to adequacy, and ensure their ongoing business relationships with the EU through a voluntary code of conduct