In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Timothy Banks, CIPM, CIPP/C, compares key provisions of the Canadian Personal Information Protection and Electronic Documents Act with the EU GDPR.
Canada currently enjoys a partial “adequacy” designation to facilitate data transfers from the EU to Canada, but this designation only applies to Canadian organizations subject to PIPEDA in respect of the transferred data. While this will ease some compliance challenges for certain organizations, data transfers are just the tip of the iceberg of compliance obligations under the GDPR. Beyond transfers, there are numerous substantive obligations under the GDPR that may apply to Canadian organizations doing business in the EU or processing data of residents of the EU. In particular, we examine five key areas to compare some of the operational similarities and difference that Canadian businesses can expect if they are subject to both laws.
One of the biggest operational differences between PIPEDA and the GDPR is the different approach to consent as a legal basis for data processing.
Consent is a central feature of PIPEDA. Subject to limited exceptions, an individual’s consent is a necessary condition to the collection, use and disclosure of personal information. In 2015, PIPEDA was amended to include section 6.1, which provides that “the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”
Although express consent is generally the default, organizations still have the operational choice of whether to seek express or implied consent. The appropriate form of consent depends on a consideration of the sensitivity of the personal information and the reasonable expectations of the individual (PIPEDA, Schedule 1, cl. 4.3.5). An individual cannot be required, as a condition of providing an individual with a product or service, to consent to the collection and use of more information than is necessary for the purposes of completing the transaction with the individual.
Consent is also a valid basis for the collection, use and disclosure of personal information under the GDPR (Article 6). In some ways, the GDPR is more flexible than PIPEDA because it permits organizations to collect, use and disclose personal information based on other grounds, such as the performance of a contract or legitimate interests. Therefore, unlike the situation in Canada, where consent is the only basis for collection, use and disclosure (with limited exceptions), organizations creating compliance programs for the GDPR will be looking for other bases to process EU data. Indeed, the requirements for consent are so onerous that organizations will likely use it sparingly as a ground for data processing. First, there is simply no concept of implied consent; consent must be by an affirmative act by the individual. Second, consent cannot be bundled into a contract.; it must be separately given for each use of the personal information. Third, consent must be freely given; the recitals to the GDPR state that consent will not be a valid ground for processing if there is a clear imbalance of power. Like PIPEDA, consent is not freely given if the organization makes the collection and use of more information than is necessary a condition of performing a contract with the individual.
Organizations subject to the GDPR must also be careful to consider whether the individual providing consent has the legal capacity to do so. Unlike the GDPR, PIPEDA does not contain a minimum age of consent. Under PIPEDA, age may be a relevant factor in considering whether informed consent was obtained and the Privacy Commissioner of Canada has suggested that consent of children under 13 years of age would be difficult to obtain. However, there is no strict age threshold. By contrast, the GDPR sets a threshold of 16 years of age for consent, although individual countries can lower the age of consent to between 13 and 16.
Both PIPEDA and the GDPR grant individuals the right to access the personal information that organizations have about them. However, the GDPR also introduces a right to “data portability.” Article 20 grants individuals the right to receive their personal data in a structured, commonly used and machine-readable format and to allow the individual to send that data to another data controller. For example, an individual would be permitted to obtain an export of his or her contacts from an online platform. The online platform would have to provide that information in a format that could be uploaded to another service provider. This right to data portability applies when the organization is collecting the personal information on the basis of consent or for performing a contract with the individual.
Article 20 provides individuals with unprecedented control over their personal information. Many organizations already find it difficult to manage access requests, so the possibility of designing new interfaces to permit the export of data in a useable format may be daunting. Moreover, there appears to be a disagreement brewing within Europe regarding the scope of this right. In recent guidance on data portability, the Article 29 Working Party suggested that Article 20 of the GDPR granted a right to portability of not only data that was provided knowingly and actively by the individual but also other data generated by the individual’s activities. This could involve a broad swath of data collected or generated automatically by the use of the organization’s services. As David Meyer wrote in The Privacy Advisor, this has generated some concern within the European Commission that the Article 29 Working Party has gone too far. However, time is running short. Canadian organizations subject to the GDPR will need to consider how to address data portability urgently if they are going to have scalable solutions in place in a year’s time.
Right to erasure
Article 17 of the GDPR grants individuals a right to be forgotten. This right permits individuals to require organizations to “erase” personal information in a number of circumstances. An organization will need to erase information if the personal information is no longer necessary for the purposes for which it was collected or otherwise processed. If the individual withdraws consent and there is no other legal grounds for processing, the data must be erased. In cases where the data controller made the data public, such as on a social media site, the controller has the obligation to take reasonable steps to inform other data controllers who have received the information of the withdrawal of consent.
Arguably, PIPEDA also contains a basic right to erasure. Principle 4.5 of Schedule 1 of PIPEDA states that “personal information shall be retained only as long as necessary for the fulfilment of those purposes.” The word “shall” in principle 4.5 is a mandatory obligation and is one of the provisions that can be enforced in court under an application under s. 14 of PIPEDA. For example, in the investigation into the Ashley Madison data breach, the Privacy Commissioner of Canada found that indefinite retention of information constituted a breach of principle 4.5.
Under PIPEDA, the obligation to destroy data is qualified, as it is under the GDPR, for other countervailing legal obligations or rights, such as compliance with another data retention law. However, there are notable differences between Article 17 of the GDPR and principle 4.5 of PIPEDA. First, PIPEDA does not require the organization to contact other organizations to which it has disclosed the data to inform those organizations of the erasure request. Second, it is not clear whether the GDPR permits retention in order to comply with a foreign data retention law. This could be problematic for multi-national corporations who may be subject to retention laws that are different from those in Europe.
Another point worth mentioning is that PIPEDA does not have the same scope of application, as the GDPR. For example, it has been argued that PIPEDA does not apply to general search engines because the activity of indexing website content and performing the search function are not commercial activities. Therefore, principle 4.5 may not apply to require general search engines to de-link search results. The situation may be different with respect to internal search engines on a commercial website.
Data Breach Reporting
Currently there are no mandatory data breach reporting provisions in force in PIPEDA. However, amendments have been passed in the Digital Privacy Act, 2015, to address breach reporting. These amendments may come into effect sometime this year or next. There are three main obligations under these data breach provisions. First, organizations must keep records of any breach of security safeguards. These breach logs must be produced to the Privacy Commissioner, if requested. Second, if it is reasonable to believe that the breach creates a real risk of significant harm to an individual, the organization must report the breach to the Privacy Commissioner of Canada as soon as feasible after the organization determines that the breach occurred. Third, the organization must also notify the individual if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. This notification must also be made as soon as feasible.
The GDPR contains strict data breach provisions in Articles 33 and 34. Data breaches must be reported to the supervisory authority without undue delay. However, unlike the Digital Privacy Act, the GDPR specifies that this report must be made, where feasible, not later than 72 hours after the organization becomes aware of it. Like the Digital Privacy Act, the risk of harm to the individual is relevant to determine whether a report must be made to the supervisory authority. Interestingly, however, it is only when the breach is likely to result in a high risk to the rights and freedoms of individuals that the organization must communicate the breach to the individual. This suggests that there will be cases where a breach may be reported to the supervisory authority but no individual notification will be required. This is not the case under the Canadian law.
Article 4(12) of the GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed." In comparison, the Digital Privacy Act defines a “breach of security safeguards” is defined as the loss of, unauthorized access to or unauthorized disclosure of personal information that either results from a breach of an organization’s administrative, technical or physical security safeguards or from a failure to establish those safeguards. Operationally, there are few substantive differences between the definitions of a breach under the two laws. In most cases, unauthorized alternation or destruction will involve some form of unauthorized access. However, the wording of the GDPR leaves open the possibility that technical failures resulting in the destruction or alteration of data without any human intervention could be reportable. These would not appear to be reportable in Canada.
The good news is that there is significant overlap between breach provisions in the Digital Privacy Act and those in the GDPR. However, Canadian organizations preparing for the data breach provisions in the Digital Privacy Act are likely to find that there is an incremental compliance obligation under the GDPR. Key issues will be: (a) to ensure that the potentially broader definition of a breach under the GDPR is captured in breach response planning; and (b) to ensure that breaches are reported within the tighter timeframe required under the GDPR.
In recent years, many organizations have begun to employ human resource information systems to manage employee data. These systems are often cloud-based and allow multinational companies to leverage efficiencies by using a common platform to manage onboarding of employees, payroll, benefits, accounting functions, and, in some cases, accommodation of employees when returning to work following a disability.
Handling employee data in HRIS platforms is perhaps the most significant operational challenge for multinational companies under the GDPR. For Canadian organizations, it is important to recognize that PIPEDA only regulates the collection, use and disclosure of employee personal information for federal works, undertakings and businesses. These are usually employers such as airlines, banks, shipping companies and other federally regulated employers. However, this covers a very limited subset of the Canadian economy. The vast majority of employers are regulated by provincial legislation. With the exception of employees in three provinces (British Columbia, Alberta and Quebec), provincial employers are not subject to statutory privacy laws for employee data.
By contrast, employee data is firmly within the scope of the GDPR. Moreover, Article 81 of the GDPR permits EU member countries to enact specific laws to address employee data, which may be more strict than the GDPR. The implications for multinational companies was discussed by Philip Gordon in Privacy Tracker. Critically, consent is generally not a viable basis on which to collect and use personal information of employees because this form of consent will not be considered to be free, given the significant power imbalance between the employee and the employer. Although employers may have legitimate interests to process data, such as for payroll and tax purposes, a parent company or affiliate who is using the data for business planning or other purposes may need to review carefully whether it has proper grounds under the GDPR to use this data without consent. In addition, unless EU data is being transferred to a Canadian federal work, undertaking or business, the data transfer will not be subject to Canada’s partial adequacy designation by the European Commission. This means that it is necessary to put in place standard contractual clauses or binding corporate rules.
Preparation is Worth the Effort
Canadian organizations are already used to strong privacy laws. However, the GDPR is sufficiently different to PIPEDA that organizations should ensure that they examine that applicability of the GDPR to their operations and consider what operational changes may be necessary to either minimize the impact of the GDPR across their activities or to develop compliance strategies. With potential fines of up to 2 percent or 4 percent of annual worldwide turnover (depending on the nature of the violation), preparation is worth the effort.
photo credit: archer10 (Dennis) 94M Views NS-02463 - Proud to be Canadian and FREE via photopin (license)
photo credit: MPD01605 EU Flagga via photopin (license)
There are still a few seats left for the IAPP Canada Privacy Symposium, May 16-18. Click here to register now.
If you want to comment on this post, you need to login.