Disclaimer: This blog article was written by our compliance experts for general information and does not claim to provide legal advice. To understand the full context of your organization, please consult with a privacy compliance and/or legal professional.
Canadian companies, even those located outside of the EU, must comply with GDPR requirements if they are controlling or processing data from EU residents. Performing assessments or better yet, building a comprehensive compliance program, does not only help Canadian organizations achieve GDPR compliance but also help align with other compliance requirements on an ongoing basis.
The increased value of data resulted in a fast-rising increase in data compliance requirements for companies. These requirements were initially driven by cybersecurity standards, such as PCI DSS, NIST, and the likes. Companies have grown quite familiar with this compliance approach, but the General Data Protection Regulation (GDPR) tackles data protection from a human rights perspective. It starts from the premise that the use of technologies, such as big data analytics, can result in the infringement of human rights, such as discrimination, profiling, abusive surveillance and censoring free speech, for instance.
Related post: GDPR: Frequently Asked Questions (FAQ)
For many entities, not being able to tick the box for compliance creates an additional level of difficulty, especially when GDPR compliance is being driven by IT (as opposed to Legal). The GDPR is a risk model and must be applied as a mindset instead of a checkbox approach. This is more obvious in concepts such as Privacy by Design or the requirements for a Data Protection Impact Assessment (DPIA).
Canadian companies should be familiar with PIPEDA (the Personal Information Protection and Electronic Documents Act), which is based on the concept of sensitivity of data, and always required such contextual and risk analysis.
This law applies to the inter-provincial and international collection, use, and disclosure of personal information, as well to all organizations that collect, use and disclose personal information during a commercial activity if it takes place within a province. This being said, PIPEDA does not apply if a province has enacted a law that is substantially similar. Alberta, British Columbia, and Quebec have all enacted substantially similar legislation for the private sector.
In these provinces, PIPEDA only applies to entities involved in a commercial activity in the case of inter-provincial and international collection, use, and disclosure of personal information.
It’s noteworthy that PIPEDA does not apply to employee data. Therefore, provinces that have not enacted provincial laws often have no protection for employee data.
Related article: PIPEDA 101: Personal Information & Data Privacy in Canada
Nonetheless, PIPEDA was notoriously softly enforced, leading to a situation where Canadian companies are not in a better position than their European counterparts to navigate the perceived ambiguity of the GDPR. A prominent example is the misunderstanding around the concept of “legitimate interests” where we commonly need to provide clarification around this lawful basis for processing.
The ambiguity is also because the GDPR contains 50 opening clauses that are addressed differently by the implementation laws of each Member State. Generally speaking, companies don’t know how to approach the compliance burden and therefore articulate the GDPR within a larger privacy compliance plan. They frequently have trouble organizing their compliance efforts to meet accountability requirements as well as managing their resources effectively, which leads to a high implementation cost.
There are several sectoral laws that apply to some types of data, such as health data. In fact, the health privacy statutes in Ontario, New Brunswick, Newfoundland and Labrador have been deemed substantially similar to PIPEDA. Federal and provincial public-sector institutions are subject to their own legislations.
Canada has also enacted the Canada Anti-Spam Legislation (“CASL”) which apply to e-marketing and also includes text messages.
In Quebec, the Civil Code of Quebec contains some dispositions related to the right to privacy which can be leveraged in the context of a civil lawsuit.
In addition to this, organizations have many contractual requirements with suppliers, clients, subcontractors, and employees. This includes long privacy schedules that they are often required to flow down, and which has been flown down to them.
To determine the respective legal framework that is applicable for a Canadian organization, the following questions are useful;
A transfer of personal data to a third country or an international organization may only take place if adequate safeguards are in place. This can be achieved through standard contractual clauses, binding corporate rules, codes of conducts, certification mechanisms, adequacy decisions or consent. While consent is an additional option for cross-border data transfers, it is subject to many conditions and may be revoked at any given moment. For this reason, it’s not always recommended to use this legal basis for cross-border data transfers. Out of these mechanisms, adequacy decisions are those that are the most easily-actionable mechanisms for corporations.
The legal concept of “adequacy decisions” allows data transfer to take place without requiring any further authorization from the Supervisory Authority or additional safeguards. Under the previous legislation, the European Union (EU) has recognized twelve countries as providing adequate protection, including Canada. Precisely, in 2001, the EU recognized PIPEDA as providing adequate privacy protection. This was reaffirmed in 2006.
Under the GDPR, article 45(5) allows the European Commission the right to repeal, amend or suspend existing adequacy decisions through the involvement of the European Data Protection Board by requesting its opinion pursuant to article 70(1)(s) GDPR. In addition, article 45(4) GDPR allows the European Commission to monitor developments that could affect the adequacy decision, and article 45(3) GDPR provides that a periodic review must take place at least every four years. Based on this, there is no guarantee that PIPEDA will continue to be recognized as essentially equivalent, which is the applicable standard.
Related post: GDPR Compliance and Data Privacy
Even with the added enforcement of the mandatory data breach notification requirements of PIPEDA in November 2018, PIPEDA still has important gaps with the GDPR, in particular with regards to data subjects’ rights. As early as December 2, 2016, the Office of the Privacy Commissioner of Canada (“OPC”) issued a letter to the Standing Committee on Access to Information, Privacy and Ethics regarding areas of focus for their study of PIPEDA, identifying that Canada may not be able to keep its adequacy status under GDPR.
On a side note, Article 29 Working Party refused the adequacy decision to Quebec’s Act respecting the protection of personal information in the private sector of Quebec in 2011. Even though this decision was strongly criticized as a misunderstanding of the Canadian legislative system, it remains that only PIPEDA, the Canadian federal law has been recognized as adequate.
In practice, it is not clear what the implications will be for the multinationals located in Quebec, British Columbia and Alberta, where provincial laws have been enacted.
What is critical to understand is that the GDPR does not provide for an intra-group exemption. Consequently, data transfers between different group members require a legal basis and are treated like any other data transfer.
Each group member is solely responsible for any data processing activity taking place under its control. The role of each group member has to be determined separately, as a controller or as a processor. Each entity must provide an adequate level of data protection under the GDPR.
The EU-US Privacy Shield contains seven privacy principles that were already provided for in the Safe Harbor Act but have been enhanced to comply with the European Court of Justice’s requirements for adequacy. As for Canada, the adequacy decision is, at least for now, offering sufficient safeguards. Therefore, the flow of data from the EU to the US and to Canada would be relatively easy to manage for American corporations operating in Canada. However, to answer the above question, one would need to know the group structure (e.g. what does it mean to “operate” in Canada?) as well as the quality and nature of data flows within this structure.
Unfortunately, it looks like most entities have not been able to bring their privacy posture to an acceptable maturity level in time for May 25, 2018.
What companies must do, therefore, is to create a Privacy Compliance Plan demonstrating their commitment towards compliance and developing an actionable plan to reach their objectives, while reducing their risks as much as possible in the interim. A Privacy Compliance Plan allows enterprises to implement their obligations efficiently, such as by leveraging their financial, technical and human resources without doubling up efforts.
This plan should begin with a legal analysis of the organizational and security measures required for compliance. This allows entities to build a framework for a gap assessment and evaluate what they currently have in place and what is left to be completed. In many cases, companies have more in place than they think, as many of the GDPR requirements overlap with the efforts required for other standards such as ISO, PCI, NIST, etc.
This gap assessment is then completed by a risk assessment that will help entities prioritize their compliance efforts.
Attention: It’s impossible to do everything at once. Entities will have to evaluate their risk level and available resources for each measure to determine how they will proceed.
Note that most enterprises will use one privacy compliance plan for all their regulatory requirements, and not just for the GDPR. An all-encompassing privacy compliance plan helps them to have an executive overview and coordinate all compliance efforts for effective results and maximum return on investment.
Current Canadian laws do not recognize the right to be forgotten or the right to erasure, even if the Office of the Privacy Commissioner of Canada has called for this measure in its position on online reputation. There is a lively debate on this issue in Canada.
First, it is not clear whether and how PIPEDA applies to online search engines results. Second, the right to be forgotten must be balanced against the liberty of expression – in other words, since it limits a constitutional right, it must be justified in a free and democratic society. The applicable test has been decided by the Supreme Court of Canada in Oakes. Among other things, in order to be a justifiable limit to a constitutional right, the right to be forgotten must provide sufficiently-clear standards to avoid arbitrary or discriminatory application.
As an example, Nova Scotia’s anti-cyberbullying law (which was introduced after a teenager was bullied, attempted suicide, and subsequently died) was entirely struck down by Justice Glen McDougall as an unjustified violation of the freedom of expression. It goes without saying that the debate surrounding the right to be forgotten is critical to keep the adequacy status granted by the European Union, but application in the Canadian constitutional and federal systems may be more challenging than it appears.
Related post: Data Breach Notification Laws: Canada, U.S. & Europe
On June 18, 2015, Canada passed into law Bill S-4, The Digital Privacy Act, which generated important amendments to PIPEDA. Most amendments came into force on June 18, 2015. However, the provisions of the law related to mandatory breach and record-keeping were set to come into force upon the adoption of regulations that more precisely outlined corporations’ obligations. On March 26, 2018, through an order-in-council, the federal government announced that the breach notification amendments will come into force on November 1, 2018. On April 18, 2018, the final version of the Breach of Security Safeguards Regulations was published.
While the intent is for PIPEDA to align with GDPR, there are discrepancies between both regimes that corporations must be aware of. The GDPR’s definition of a “personal data breach” does not entirely correspond to PIPEDA’s definition of a “breach of security safeguards”. Under GDPR, all personal data breaches must be reported to the Supervisory Authority, unless it is “unlikely to result in a risk to the rights and freedoms of natural persons” (Art. 33(1) GDPR). Under PIPEDA, the reporting duty to the Commissioner only applies if “the breach creates a real risk of significant harm to the individual” (Art. 10.1(1) PIPEDA).
There are variations in language and obligations between both legislations, and Canadian corporations would be well advised to adapt their incident response planning and data breach notification procedures accordingly and begin by comparing their compliance requirements. PIPEDA also states that businesses will be required to maintain records of all data breach incidents for a minimum of 24 months, irrespective of whether the business concludes that the breach gives rise to a real risk of significant harm to affected individuals. Given the definition of “breach of security safeguards”, the recordkeeping requirements for PIPEDA are different from those required under Art. 33(5) GDPR.