In-House Advisor: Erased from Posterity
Europe’s General Data Protection Regulation will soon come into force, requiring major Canadian companies to carry new costs associated with a higher standard of data privacy.
COMPANIES CEASELESSLY COLLECT customers’ personal data because they can — and because they know their competitors can. These companies know that whoever has the most data, and conducts the best analysis, can make impressive gains in the competition for revenue, profit and investment.
They collect and use their customers’ information to understand changing trends and personal preferences, how to get the attention of individual consumers, how to hold it, how much investment it takes to make the first sale to a new customer and how much incremental investment it takes to make the next sale, explains Timothy Banks, a privacy lawyer and partner in the Toronto office of Dentons Canada LLP. The combinations and permutations are endless.
“It’s all about analytics and interest-based advertising,” Banks says. “And that’s a point the privacy commissioners have not given enough attention. Anything that interferes with analytics and interest-based advertising is going to be a concern for business.”
The largest looming concern on the privacy front worldwide is the General Data Protection Regulation (GDPR) of the European Union. Adopted by the European Parliament in April 2016, it applies from May 25, 2018, with important implications for any company collecting, retaining or processing personal data on individuals in the EU. At full stretch, that could include any company, anywhere, selling anything online to European customers.
If it all sounds a trifle esoteric or just plain remote from daily business concerns in Canada, the first thing Canadian companies need to know is that fines for violations of the General Data Protection Regulation can reach 20 million euros ($30 million) or four per cent of “worldwide annual turnover” — whichever is more (Article 83(5)). For a company with $2 billion in annual revenue, the maximum works out to $80 million. “The chief concern with the GDPR is the massive fines — and the lack of flexibility,” says Lyndsay Wasser, co-chair of the privacy and data protection group at McMillan LLP in Toronto. The EU law is both prescriptive and punitive, and four per cent maximums could be enormous, Wasser says. “I think those won’t be levied in every case, but the potential is there.”
The second point of interest, Banks says, is that Canada’s Office of the Privacy Commissioner, among others, can very likely be enlisted to support European Union authorities in conducting joint investigations in this country. He notes that Canadian Privacy Commissioner Daniel Therrien closed his May 17 remarks to the International Association of Privacy Professionals conference in Toronto by extolling the virtues of cross-border joint investigations.
“Despite differences in privacy law and practice, it’s important to note that my office enjoys strong partnerships with our counterparts around the world,” Therrien said. “These collaborative efforts are essential to boosting privacy protections globally.”
Wasser notes that law enforcement agencies have “lots of mechanisms for joint enforcement,” including mutual legal assistance treaties between Canada and EU countries. As recently as June 2017, the Supreme Court of Canada called privacy a “quasi-constitutional” right and upheld Canadian jurisdiction in Douez v. Facebook, 2017 SCC 33, despite a forum-selection clause in Facebook’s customer contract requiring legal issues to be tried in California.
“I think extraterritoriality is real,” Wasser says. Privacy lawyers generally agree that, in the age of globalization, the internet, “big data” and the Internet of Things, no country can purport to protect its citizens’ privacy without claiming some level of trans-border reach.
The General Data Protection Regulation applies not only to organizations established in the EU but also to any organization outside it that offers goods or services to, or monitors the behaviour of, individuals in the EU, wherever the data is gathered, stored or processed (Article 3). It covers both digital records and paper records held in structured filing systems, requires that individuals be given access to their personal data on request and that inaccurate information be corrected on request, gives them the right to have their personal data erased in specified circumstances (Article 17), and requires that personal data be kept in identifiable form no longer than necessary for the purpose it was collected for.
Pseudonymization, which the GDPR defines as processing personal data so that it can no longer be attributed to an individual without additional information that is kept separately and protected by technical and organizational measures (Article 4(5)), is named as an appropriate security measure rather than mandated outright; the point is that, in case of a systems breach, the compromised store alone does not identify individuals. The GDPR requires that the supervisory authority be notified within 72 hours of the organization becoming aware of a data security breach, unless the breach is unlikely to result in a risk to individuals, and that affected “data subjects” be notified individually where the breach is likely to result in a high risk to them (Articles 33 and 34).
The GDPR further requires that a data protection officer be appointed in specified circumstances: by public authorities, and by organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive categories of data (Article 37). Organizations outside the EU that fall under the regulation must also, with limited exceptions, designate a representative in the EU (Article 27). The regulation itself levies its fines on the organization rather than on that officer. David Corry, a partner in the Calgary office of Gowling WLG (Canada) LLP, says this provision places the GDPR in the category of self-regulatory law, where daunting fines and personal liabilities are intended to offset authorities’ lack of a vast enforcement apparatus.
“It’s about a big stick and big teeth,” Corry says. This arrangement also makes enforcement easier because failing to appoint a data protection officer where one is required is a contravention in itself, subject to the lower fine tier of up to 10 million euros or two per cent of worldwide annual turnover (Article 83(4)). Yet, Corry says, his own unofficial survey found “the vast majority of Alberta companies said they had no intention of appointing a privacy officer.”
The General Data Protection Regulation says personal data may not be transferred to a recipient outside the EU unless the destination country has been found by the European Commission to provide an adequate level of protection, the transfer is covered by appropriate safeguards such as standard contractual clauses or binding corporate rules, or a specific derogation applies (Chapter V).
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) currently holds such an EU “adequacy” rating — but privacy lawyers have expressed serious doubts as to whether the adequacy ruling will stand up to either a court challenge or a routine review, which the European Union promises to conduct every four years.
Meanwhile, the United States has no overarching privacy law and, therefore, no EU adequacy rating, says David Young of David Young Law in Toronto. US privacy protection depends primarily on tort law, with the exception of the US Privacy Act. That statute regulates records held by federal agencies and by its own terms protects only US citizens and lawful permanent residents; a January 2017 executive order under President Donald Trump directed agencies to exclude non-US persons from its protections to the extent consistent with law.
Young says American companies have, so far, relied on EU certifications of corporate privacy-protection policies in order to legally collect, retain and process EU data. But the original Safe Harbor arrangement was invalidated by the Court of Justice of the European Union in 2015, and the Privacy Shield agreement that replaced it may be defeated as well, observers say.
Young says the GDPR is “getting a lot more air time” from Canadian boards of directors as its May 25, 2018, date of application approaches. “It makes any organization that collects information from EU citizens subject to the full regime of the GDPR, and it has another level of prescriptiveness that goes beyond the previous Data Protection Directive,” he says. “But a point that should not be lost sight of is that we have privacy laws that have been determined to be adequate.”
Canada’s PIPEDA accords closely with the GDPR in certain respects, and so Canadian companies that are PIPEDA-compliant are a big step closer to being GDPR-ready, Young says. The right of individuals to access personal information held by companies is assured under PIPEDA, and while the so-called “right to be forgotten,” also known as the right of erasure, is not explicitly guaranteed in Canada, it has effectively been the subject of common-law rulings on the right of individuals to withdraw consent to the retention of their personal data.
“I am of the view that we have that right today,” Young says. “But this issue of deletion is huge. There are always two or three backups and deleting all of that is very complicated.” In an era when storing data has become cheaper than deleting it, “many companies do not have a comprehensive inventory of information.” As a result, he says compliance with the General Data Protection Regulation will place major new demands on the information management capabilities of Canadian companies.
Banks points out that the right of erasure runs counter to the corporate imperative that “transactions need to live,” and it may prove very difficult to preserve transaction records while deleting consumers’ names. If it has to be done manually, he says, large corporations could face huge costs.
The GDPR also imposes an obligation on companies to ensure the “portability” of personal data. “The concept is that it’s my information and I can ask for it to be moved,” Young says. Examples might include moving personal financial information from one bank to another or legal records from one law firm to another. “That right does not exist, generally, in Canada,” he says, although there are sectoral exceptions, such as for medical records. Portability also requires that the data be supplied in a structured, commonly used and machine-readable format (Article 20), which in practice means format compatibility or conversion protocols must be established between sender and receiver.
Young says the requirement for technical protection of data, through encryption or pseudonymization (two distinct measures the GDPR names side by side), “is just a cost, and [large Canadian] companies do that already.” But he adds, “There’s always the question of whether you’ve actually achieved anonymization,” as breaches of retail data regularly demonstrate. The distinction matters: pseudonymized data is still personal data under the GDPR, because the separately held key or lookup table can re-identify people, whereas only data that can no longer be linked to an individual by any reasonably likely means falls outside the regulation. If protection falls short, penalties would rise with the seriousness of any breach.
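As an added illustration of the pseudonymization, breach and erasure points above (example code written for this page, not from the article, any of the lawyers quoted or any vendor): the transaction store holds only a random token and an encrypted name field; the token-to-identity mapping and a per-subject key sit in a separately secured vault; erasing a customer deletes the vault entry, so the transactions survive for accounting while the name field becomes unrecoverable (crypto-shredding). It also shows why an unkeyed hash of an e-mail address is not useful pseudonymization: an attacker holding the breached store can rebuild such tokens from guessed addresses. The names, e-mail addresses and amounts are constructed sample data, and the HMAC-based field cipher is a stand-in for an authenticated cipher from a vetted library.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in field cipher: HMAC-SHA256 in counter mode as a keystream.
    Confidentiality only; production code would use an AEAD such as AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def naive_token(email: str) -> str:
    """What NOT to do: an unkeyed hash of the e-mail can be rebuilt by guessing."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


@dataclass
class Vault:
    """Separately secured store: e-mail -> random token, token -> identity and key."""
    _token_by_email: dict = field(default_factory=dict)
    _subject_by_token: dict = field(default_factory=dict)

    def token_for(self, email: str) -> str:
        email = email.strip().lower()
        if email not in self._token_by_email:
            token = secrets.token_hex(16)  # random, not derived from any PII
            self._token_by_email[email] = token
            self._subject_by_token[token] = {"email": email, "key": secrets.token_bytes(32)}
        return self._token_by_email[email]

    def key_for(self, token: str) -> bytes:
        return self._subject_by_token[token]["key"]  # KeyError once erased

    def erase(self, email: str) -> bool:
        """Right of erasure: drop the mapping and the key (crypto-shredding)."""
        token = self._token_by_email.pop(email.strip().lower(), None)
        if token is None:
            return False
        del self._subject_by_token[token]
        return True


@dataclass
class Ledger:
    """Transaction store: tokens, amounts and encrypted name fields only."""
    rows: list = field(default_factory=list)

    def record(self, vault: Vault, email: str, name: str, amount_cents: int) -> None:
        token = vault.token_for(email)
        nonce = os.urandom(16)  # fresh nonce per field, so equal names differ
        enc = _stream_xor(vault.key_for(token), nonce, name.encode())
        self.rows.append({"token": token, "amount_cents": amount_cents,
                          "name_nonce": nonce, "name_enc": enc})

    def total_cents(self) -> int:
        return sum(r["amount_cents"] for r in self.rows)

    def name_for(self, vault: Vault, row: dict):
        """Customer name for a row, or None once the subject has been erased."""
        try:
            key = vault.key_for(row["token"])
        except KeyError:
            return None
        return _stream_xor(key, row["name_nonce"], row["name_enc"]).decode()


def link_by_guessing(tokens: set, guesses: list) -> dict:
    """Breach scenario: attacker holds only the token set and guesses e-mails."""
    return {g: naive_token(g) for g in guesses if naive_token(g) in tokens}


def demo() -> dict:
    vault, ledger = Vault(), Ledger()
    ledger.record(vault, "ann@example.com", "Ann Example", 1999)  # constructed data
    ledger.record(vault, "ann@example.com", "Ann Example", 500)
    ledger.record(vault, "bob@example.com", "Bob Sample", 1200)
    guesses = ["ann@example.com", "bob@example.com", "eve@example.com"]
    result = {
        "name_before_erasure": ledger.name_for(vault, ledger.rows[0]),
        "linked_random_tokens": link_by_guessing({r["token"] for r in ledger.rows}, guesses),
        "linked_naive_tokens": link_by_guessing({naive_token(e) for e in guesses[:2]}, guesses),
        "erased": vault.erase("ann@example.com"),
    }
    result["name_after_erasure"] = ledger.name_for(vault, ledger.rows[0])
    result["bob_still_readable"] = ledger.name_for(vault, ledger.rows[2])
    result["rows_kept"], result["total_cents"] = len(ledger.rows), ledger.total_cents()
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the ledger and every backup of it hold only tokens and ciphertext, the “two or three backups” problem Young describes shrinks to purging the vault and its backups, and that vault, its key material and its backup retention are what an auditor will ask about. Note that the data remains pseudonymized rather than anonymized for as long as the vault entry exists.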
“Realistically, there’s a scale of compliance [and] some Canadian companies may determine their exposure is limited,” Young says. Corporations with large sales and operations in Europe will be most exposed and will face the GDPR requirement to designate a privacy officer. Where companies have European operations and a privacy officer, he says, the issue of extraterritoriality may be moot, since EU authorities will have the option of proceeding against those entities.
But he warns that it’s unlikely that companies based outside the European Union will be successful if they attempt to set up minuscule European subsidiaries as barriers against large EU fines. “I would suggest they would look beyond the corporate veil,” he says, referring to jurisprudence on limited liability that typically recognizes a legal barrier between a subsidiary and its parent, protecting the parent from liability for the actions of the sub.
Corry agrees that subsidiaries in Europe are unlikely to shelter Canadian parent companies from GDPR liabilities. “They’re not going to prosecute ABC Europe Inc. They’re going to prosecute the ABC parent company because the data goes to the parent,” Corry says. And, of course, global revenue flows to the parent, providing a much larger target for fines.
As the GDPR comes into effect, query: will authorities in the European Union have the time or capacity to conduct widespread compliance examinations of Canadian companies? Young says he doubts routine compliance audits would happen “anytime soon.”
Still, a systems breach or some glaring contravention of the General Data Protection Regulation could easily attract the attention of European Union authorities. Corry observes that the routine act of transferring information to a cloud-based server could be a contravention of the new EU privacy regime if that server is located in the United States.
SIDEBAR: Privacy: The New Standard
The EU’s new regulation will change everything about how customer data is stored and processed.
Whatever else the GDPR may be, it’s inarguably the latest major artifact in the 16-year dispute between the European Union and the United States over the interplay of individual privacy and national security. Since the Sept. 11 terrorist attacks, the United States, through the PATRIOT Act and other legislation, has made security a top priority, often above privacy and other civil liberties, while Europe has more often defended the privacy of its citizens despite the heightened security environment.
Central to the ongoing disagreement between the EU and US are the legal actions of Austrian citizen Max Schrems. In 2011, according to court documents, Schrems was a visiting law student at Santa Clara University. When Facebook privacy lawyer Ed Palmieri spoke at the university, Schrems was taken aback by the lack of regard Palmieri showed for Europe’s Data Protection Directive, which regulates the processing of personal data.
To press his point, Schrems made a request, under the European right of access, for all Facebook’s records on himself and received a CD containing 1,200 pages of data. He then filed complaints with the Data Protection Commissioner (DPC) of Ireland, where Facebook’s European headquarters are located. While the Irish DPC dismissed his complaints, Facebook was nevertheless audited under provisions of the Data Protection Directive and required to delete some files and disable its facial recognition software.
In 2013, when Schrems filed a new complaint with the Irish DPC seeking to prohibit Facebook from transferring data from Ireland to the US, the DPC dismissed his action as “frivolous and vexatious,” holding that it was bound by the European Commission’s finding that the Safe Harbor arrangement provided adequate protection for the privacy of EU citizens. Schrems then sought judicial review in the Irish High Court, which referred the validity of that finding to the Court of Justice of the European Union.
After Edward Snowden revealed the extent of massive electronic spying operations by the US National Security Agency, Schrems argued before the Court of Justice of the European Union that the data of EU citizens clearly lacked adequate safeguards in the US.
In October 2015 the court invalidated the Commission’s Safe Harbor decision, removing the legal basis that thousands of US companies had relied on to receive personal data from the EU. Safe Harbor was rapidly replaced by the Privacy Shield arrangement in 2016 and data continued to flow to Facebook and other US companies. Schrems is also pursuing a class action against Facebook in Austria with 25,000 participants, and his renewed Irish complaint, generally known as Schrems II, argues that US surveillance practices leave transfers to the US without adequate protection for the privacy of EU citizens, whether under standard contractual clauses or Privacy Shield.
Given the Snowden revelations and President Trump’s decision to remove foreigners from the protections of the US Privacy Act, lawyers say it appears unlikely Privacy Shield will survive for long. “Prior to the current government, I might have said [Schrems’s] concerns were overblown, but now I don’t think I can say that,” Wasser observes. Supporting this view is the recent warning by Therrien that, “Canadians have reportedly faced deeply personal interrogations when travelling to the US and have been forced to turn over passwords to laptops and mobile phones.”
How this all comes together — or comes apart — for Canadian companies can perhaps best be seen in the recent rejection of a proposed EU/Canada agreement on Passenger Name Records (PNRs). Commercial airlines routinely collect data on every passenger and share that information with other airlines in cases where passengers require more than one carrier to reach their destinations. PNRs typically include travel itineraries, travel habits, relationships between travellers, health and financial data and, in some cases, political opinions and sexual orientation. The Canada Border Services Agency (CBSA) and its counterparts worldwide actively monitor PNRs to track movements of suspected terrorists and criminals.
In an opinion delivered in July 2017, the Court of Justice of the European Union said Canada’s newly proposed PNR agreement with the EU cannot be concluded in its current form because several of its provisions are incompatible with the EU Charter of Fundamental Rights, which guarantees respect for private life and the protection of personal data. While the objectives of the proposed PNR agreement, combatting terrorism and international organized crime, are desirable, the court said, the agreement would have to be renegotiated.
Specific points of contention included the overly broad categories of data collection, CBSA’s retention of PNR data for up to five years and the routine transfers of data to authorities in other countries — read the US. “I think Canadian businesses in general have struggled for many years to balance US demands for information with EU privacy protections,” Wasser says. She adds that the PNR issue is at the centre of “a growing divide” between the US and EU on privacy matters.
Wasser says the various players will, hopefully, come to terms on passenger records before the GDPR comes into effect. But she acknowledges that Canada’s PNR proposal was partly about preserving existing data and that could complicate matters because the EU wants data deleted when EU citizens leave for home.
Banks says the Canada Border Services Agency “has a legitimate interest in knowing who’s coming to this country” and travellers have an interest in anything that makes customs clearance less burdensome.
But he adds, “The Europeans mean what they say. They want very precise rules when it comes to personal data, not just broad or vague principles. The European Court of Justice has said EU citizens need protections similar to what they would have at home. We should want our government to do the same.”