Enacted by the European Parliament to simplify business rules for companies operating in the EU market and to strengthen the privacy rights of EU citizens, the General Data Protection Regulation (GDPR) comes into effect May 25, 2018.
When it comes into effect, Canadian businesses with a presence in an EU country, or that offer goods and services to an EU resident, or monitor the behavior of an EU citizen, will be subject to the GDPR. It extensively regulates the ability of Canadian businesses to use the information they collect from EU citizens. There is unlikely to be a grace period. This will mark the beginning of a new global era in data protection.
The GDPR will effectively bar entities from the EU if they do not comply with its requirements. If they want entry to the lucrative European market they will have to adapt. Economic—not legislative—pressure means the GDPR is a world-wide game changer that will impact all aspects of global data protection and management.
Heather A. Sanderson, principal, Sanderson Law
The GDPR compels compliance through grossly punitive sanctions. A serious failure to comply could result in a penalty of 20 million Euros or four percent of the corporate group’s annual worldwide revenue. Sanctions for a less serious compliance failure are half those amounts. If that is not enough, public interest organizations may bring class actions on behalf of those whose rights have been allegedly violated. No business can absorb these penalties.
Canada’s ‘adequacy’ status is in jeopardy
Canadian companies that comply with the current version of PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act) meet the current EU standards for data protection and are deemed to be ‘adequate’.
‘Adequacy status’ means that Canadian PIPEDA-compliant entities can receive data transfers from the EU without concern that they are violating EU data protection legislation and privacy laws, and without any further requirements.
However, that level of adequacy may not continue when the GDPR comes into effect, thanks to these changes:
- The consent requirement: Data processing must be “lawful” and requires that consent to process personal data must be freely given by the EU citizen in issue; the request for consent must be clear and distinguishable from other matters, provided in an intelligible, plain language and easily accessible form. Moreover, it must be as easy for the EU citizen to withdraw consent as it is to give it.
- Rights of Rectification and Erasure (or the right to be forgotten): The data of an EU citizen must be accessible; that citizen has the right to rectify it. Further, entities receiving the data must permanently erase it without ‘undue delay’ if it is no longer needed; or the EU citizen objects to its retention; or it was unlawfully processed.
- Conduct Data Protection Impact Assessments: The entity receiving the data must routinely assess how the party delivering the data would be impacted in the event that the data is lost or diverted.
- Breach Notification: Under the GDPR, breach notification will become mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals” and must be done within 72 hours of first having become aware of the breach. Entities holding the data will also be required to notify the affected individuals, “without undue delay” after first becoming aware of a data breach.
The ability to receive data from the EU enables Canadian businesses to participate in a market of more than 50 million individuals—a critical economic advantage. In September 2017, in an effort to enable Canadian business to continue to operate under an ‘adequacy’ umbrella, the federal government proposed amendments to modernize PIPEDA and, in part, bring it into line with most of the changes under the GDPR. The amendments specify content requirements for reporting data breaches to the Privacy Commissioner and notifying those affected, while clarifying the scope and retention period for record-keeping.
However, the amendments do not address all of the GDPR requirements. For example, the key GDPR issue of consent is currently the subject of debate in Canada and it is not part of the package of amendments to PIPEDA. Further, the amendments do not address the requirement to conduct data protection impact assessments nor do they address the right to rectify and to be forgotten.
This means that the European Court of Justice will be able to re-evaluate Canada’s current ‘adequacy’ status.
However, PIPEDA is not the only data-protection statute in Canada. British Columbia, Alberta and Quebec have their own statutes that are substantially similar to PIPEDA. So, even if PIPEDA is deemed inadequate, it is possible for the European Court of Justice to declare that one of the provinces meets the adequacy standard.
The threat to ‘adequacy’ means that Canadian entities doing business in the EU must retain counsel to carefully review their data collection and handling practices to ensure GDPR compliance and avoid sanctions.
A code of conduct
The European Commission has drafted model clauses to be inserted into commercial agreements to force contractual compliance with the GDPR. This will allow Canadian entities to enter and compete in the EU market even if Canada loses its adequacy standard. These clauses will contractually bind Canadian entities to the same standard of data protection and European privacy law as set out in the GDPR. They also render Canadian entities liable to be audited by the party transferring the data.
In view of the uncertainty as to ‘adequacy’, voluntary assumption of the GDPR standards of data protection is the best defence against draconian enforcement.
Cyber to be common coverage
The risk of non-compliance with the GDPR standards, coupled with the exacting nature of a breach response, increases the risk of business failure following a breach. In the event of a data breach, or an allegation of mismanagement of data, management will be reaching for the protection of any available policy.
Most modern property policies and general liability policies exclude the risks associated with allegedly improper data protection and management. The exceptions are some types of first-party crime coverage and, in the third-party coverage arena, errors and omissions coverage, as well as directors’ and officers’ coverage. For the most part, any real protection against these risks will be found, if at all, in first- and third-party cyber coverage.
Most first-party cyber coverage extends to the loss of company information held by a vendor; coverage for cyber extortion payments; losses generated by social engineering such as phishing attacks resulting in improper transfers of funds; and data replacement costs. Most policies offer some degree of business interruption and extra expense coverage for disruptions due to dealing with a breach.
Further, cyber insurance policies often include a service element resulting in the availability of pre-approved incident response specialists, including lawyers and forensic experts whose fees are paid by the insurer. Other cyber policies require the insured to appoint appropriate vendors, but the insurer will provide indemnity for such services.
However, few policies cover ‘breach-less’ claims—in other words, few policies cover consumer class-action claims where it is alleged that the entity in issue collected data that it had no right to obtain, sold it, or otherwise ‘mined’ it without consent. Consequently, allegedly wrongful collection practices and, for example, violation of the GDPR’s right to rectify data, may not be risks easily covered under existing cyber policies.
Despite the limitations of coverage, the catastrophic financial risks that are likely to follow a failure to comply with GDPR standards mean that over the next year or two, cyber policies will become as common as commercial property and liability policies are now.
Heather Sanderson, a member of the Alberta Bar, is a nationally recognized coverage lawyer and author who provides coverage litigation services, opinions and support to Canadian and American insurers. She is a director of Canadian Defence Lawyers and the Defense Research Institute, a member of the Federation of Defense and Corporate Counsel, and the American College of Coverage and Extra-Contractual Counsel.