Privacy Canada is community-supported. We may earn a commission when make a purchase through one of our links. Learn more.
The GDPR and What it Means for Canada
The GDPR is one of the most important pieces of data protection legislation to come out in the last 20 years. It outlines a set of comprehensive guidelines for all members of the European Union to follow and it concerns data privacy and protection laws for any business is using their customers’ data.
Given the proliferation of data used in marketing and profile creation by companies across the world, this has resulted in a major shakeup of data legislation and has already had wide-ranging ramifications.
Below, you can find a record of the GDPR and what it means for Canadian legislation and its companies. You’ll also find an explanation of the most similar collection of regulations to the GDPR in Canada – PIPEDA. Further, you can find a record of recent new stories concerning the GDPR and its effects on Canada as well as important documents explaining both pieces of legislation.
What is the GDPR?
The GDPR, or General Data Protection Regulation, is a regulation that replaces the Data Protection Directive formally followed by members of the European Union. The GDPR was agreed upon in April 2016 and came into effect in spring 2018, with a compliance deadline for companies affected by the GDPR of May 25, 2018.
The GDPR has had wide-ranging consequences for digital businesses both in the EU and across the world, as it not only affects companies hosted by the EU or its member states but also companies that do business with citizens of those member states. Thus, the GDPR is perhaps the widest-ranging Internet information legislation passed so far.
The GDPR is a lengthy document, but the major sticking points for its requirements – and those that apply to every member of the European Union – include:
- the anonymization of collected data in order to protect citizens’ privacy
- the requiring of consumers’ consent for their data to be processed
- the providing of notifications to consumers if their data is lost or breached
- the safe handling of data transfers across country borders
- the requiring of a data protection officer, appointed by companies themselves, to ensure GDPR compliance
Basically, the GDPR requires that companies who do business with EU citizens’ data (which essentially means every company in the modern era) must take certain steps to protect that data. This includes both the processing and the movement of data, as well as its sale and potential use or misuse by the first company or any other companies.
What is Consent?
Consent, as described by the GDPR, is only measurable if it is on ambiguously given by the individual in question. Therefore, any customer whose data will be used by a company or service must explicitly give consent for their data to be used in either a written or verbal manner.
Former methods of consent, as permitted by the previous Directive, are no longer acceptable. These illegal means of obtaining consent include:
- Opt-out consent, which assumes consent on the part of an individual unless they state otherwise.
- Implied consent, such as data processing necessary for drawing up a contract.
- Consent derived from an imbalance of power.
- Continual consent, such as that gained from companies when they switch a customer from one plan to another.
Under the GDPR, consent must be:
- Repeated whenever a customer changes services or contracts
- Include an option for withdrawal or refusal
- Knowledge of direct marketing
- The withdrawal or refusal of consent must be as easy as giving consent, and users must be informed of this right
- Above 16, otherwise requiring parental consent
How Far Does the GDPR Reach?
There has been some confusion about the reach of the GDPR since it is an EU law. Of course, the GDPR is applicable to any company within the EU. This law affects every member state of the coalition so that every state doesn’t need to write different laws that may come into conflict with one another.
Additionally, any EU company that markets goods or services to EU residents is subject to the GDPR. This includes companies based in other countries. As an example, Amazon, which sells to customers across the world, is subject to the GDPR’s requirements if they sell products to an EU citizen. This is why the GDPR has had such wide-ranging effects on global commerce.
Already, this has produced significant strain for companies without the resources or foresight to adjust their behavior, resulting in several fines or in some companies ceasing delivery or services to EU citizens.
Canadians business owners need to be aware of the major articles within the GDPR that directly affect their operations and commerce.
Articles 17 and 18 both give consumers more control over their personal data, even and especially if it is processed automatically by a website or system. This “right to portability” also allows consumers to transfer their personal data between service providers much more easily than before. This encourages customers to switch Internet service for wireless service providers more frequently in search of a better deal.
Additionally, article 18 ensures that consumers have the right to erase their personal data under specific circumstances – this is called the “right to erasure”.
Articles 23 and 30 require that all companies handling data for their customers implement reasonable data protection measures. This will defend their customers’ data from exploitation and prevent their data or privacy from being lost or unduly exposed. This is relevant both to misuse by the company itself and by outside forces or individuals.
Article 31 and 32 concern data breach notifications. Specifically, article 31 requires that any data controllers (meaning any employees who handle personal data to any degree) must notify any supervisory authorities (which can include managers or chief executive officers) to personal data breaches within 72 hours of initially learning of said breach. Specific details about the breach must also be provided; this includes the nature of the breach and how many data subjects are affected.
Article 32 then covers the customer side of things. Specifically, it requires that data controllers must tell the subjects of that data as soon as possible that their data was breached or lost, especially when their rights or freedoms are placed at risk.
Articles 33 and 33a both involve Data Protection Impact Assessments. These are required procedures that companies must undergo to preemptively identify risks to their customers’ data. They must also perform Compliance Reviews; these ensure that any risks that are identified are addressed rather than being ignored or dismissed as unlikely.
Article 35 concerns the aforementioned data protection officers. It describes that any company which handles data about a customer or subject’s health, demographic information, genetic information, or other important (i.e. identifying) data must also have a designated data protection officer. Such officers’ duties involve advising their host companies about GDPR compliance and to act as intermediaries between supervisory authorities and GDPR officials.
Naturally, the vast majority of companies who handle any kind of data at all will require a data protection officer automatically. However, it is not specified that the data protection officer needs to be a new employee; companies may transition an existing employee into the role provided that the position’s duties are fulfilled adequately.
Thus, Articles 36 and 37 are written to outline the position of data protection officer and make sure that its responsibilities are crystal-clear. This involves procedures for ensuring GDPR compliance and procedures involving supervisory authority reporting.
Article 45 is about extended data protection requirements. This relates to international companies, identifying them as subject under the GDPR regulations if they handle data about EU citizens. It’s essentially there to make sure no international company escapes the GDPR’s net.
Finally, Article 79 talks about GDPR noncompliance penalties.
What are the Consequences of GDPR Noncompliance?
While the EU’s former data regulatory measure, the Data Protection Directive, had relatively lax penalties, the GDPR has much more severe consequences for noncompliance. In this new legislation, supervisory authorities have much more authority to enact meaningful change for consequences in their employing companies. In addition, supervisory authorities can now investigate and correct any noncompliance issues they find.
Other powers include the ability to perform audits to ensure compliance, issue warnings, demand that companies make specific improvements, prescribe deadlines for those improvements, order the erasure of citizens’ data, and prevent companies from transferring data to other companies. Any data controllers – that is, employees that handle the data of customers – are subject to the powers of supervisory authorities.
Additionally, the GDPR provide supervisory authorities the ability to issue much larger fines than before. Any noncompliance fine is determined based on the circumstances of the error, and fines are not necessary unless a supervisory authority deems it necessary. Fines may be up to two or 4% of global annual turnover, or €10 million or €20 million, whichever is greater.
What Data Does the GDPR Apply To?
Broadly speaking, the GDPR applies to any personal data, just like its predecessor, the Data Protection Act. This includes personal but general data, such as an individual’s IP address. But it also includes sensitive data that is unique to an individual – this is distinct from data like the above IP address, which could theoretically be used by more than one individual.
Sensitive data includes genetic or biometric data. It’s generally understood as data that cannot be shared with another person. Personal data also includes names, photos, email addresses, bank details, or posts on social networking websites.
Who does the GDPR Apply To?
As described above, any company that sells or markets goods or services to any EU residents, no matter that company’s location, must adhere to the regulations described in the GDPR. If they fail to comply with these regulations, they must pay the requisite fines or make improvements.
At this time, any websites that are not GDPR compliance are not accessible by EU member states. As an example, both the Chicago Tribune and the LA Times were temporarily blocked to members of the EU until they achieved GDPR compliance.
What Are the Goals of GDPR?
The GDPR is clearly an extensive piece of legislation, but what are its goals and to its current directives make measurable progress toward those goals?
The GDPR’s purpose is to define standardized data protection laws across all member countries in the European Union. Before the 1990s Directive, data protection laws were largely left up to the decisions of each member state, which made commerce and law enforcement a much more complicated and difficult affair. In addition, consumers’ data rights were not very well known and were frequently violated by companies for the purposes of exploitation.
By standardizing data protection laws across the entirety of the EU, the GDPR will reportedly:
- improve the privacy and data rights of all EU residents
- help those residents understand their personal data use
- address personal data exportation outside the EU
- provide regulatory authorities with better powers to act against companies or organizations who do breach the new regulations
- simplify regulations for international businesses so they don’t have to remember separate data laws for each member state of the EU
- require that new businesses abide by GDPR regulations
These goals are important in the modern economic world because users’ data is arguably a commodity in and of itself.
Marketers and companies for all types of products and services use the data they gather from both their consumers and the consumers of other websites or services in order to better market their products to those consumers. Consider Facebook or similar social networking websites. These websites frequently sell the data they collect on their users to marketing companies, who then sell that data to actual producing companies or services.
Armed with specific data, companies can then target an individual by providing advertisements specifically tailored to their interests. Alternatively, they can broaden their marketing efficacy by targeting specific demographics or individuals.
Of course, this may seem discriminatory and its legality is very gray. One of the biggest ways in which this type of data use is seen as bad is because it necessarily uses information about individuals that may constitute “private information”. A good example is browsing data, which marketing companies use to extrapolate consumer habits or demographic facts.
This apparent violation of privacy is a part of the GDPR. Its primary focus is on returning more privacy to the citizens of the EU.
What do GDPR Laws Mean for Canada?
As a country with many companies and organizations that frequently do business with EU companies or citizens, GDPR regulations are of chief concern to many of Canada’s people. As a basic example, any Canadian website that allows the purchase of its goods or services in euros or which provides deliveries to European citizens will require compliance with the GDPR.
GDPR compliance for Canadian organizations and citizens is particularly important because many Canadian privacy laws are already very similar to the GDPR. Thus, it may be easy for companies or individuals to mistake compliance when actually they are not in compliance.
Canada has its own GDPR-esque legislation designed to protect the personal data of consumers from private sector organizations across Canada. This Act – the Personal Information Protection and Electronic Documents Act – was written to provide rules for the collection, use, and disclosure of personal information for all Canadian private businesses. It was originally enacted in 2000 but has recently been updated in the wake of the GDPR.
PIPEDA currently applies to any private sector organization in Canada that uses personal data in the course of a commercial activity. A commercial activity, defined by this act, is any transaction, conduct, or action that is of a commercial character. This includes buying, selling, leasing, fundraising, or membership transitions.
However, the territories of Québec, British Columbia, and Alberta already have similar private-sector privacy laws. These are very similar to PIPEDA and thus, any organizations within those territories who follow those laws are often considered exempt from PIPEDA so long as any transactions pertaining to those companies or organizations happen within those provinces. If a company in Alberta were to perform an international transaction, that transaction would be subject to the regulations described by PIPEDA.
Like the GDPR, any businesses that operate in Canada and handle personal information that crosses international or provincial borders at any point are subject to PIPEDA regulation. As a result, it’s often easier for companies to ensure PIPEDA compliance rather than territorial or provincial compliance.
Additionally, all federally regulated organizations in Canada are subject to PIPEDA. This includes banks, airlines, telecommunications companies, and radio and television broadcasters.
Under PIPEDA, personal information is defined as any factual or subjective information that may or may not be recorded about an identifiable individual. This includes similar factors as the GDPR’s definition, including age, ID numbers, ethnic origin, blood type, credit records, and more. However, it also includes more subjective information such as social media comments, social status, opinions, or disciplinary actions.
PIPEDA does not cover business contact information that is solely used for the purpose of communicating with an individual in relation to their profession or their place of employment. In addition, PIPEDA does not cover the use or disclosure of information strictly use for personal purposes, such as information gained from a greeting card list. Any collection or use of personal information for artistic, literary, or journalistic purposes is also not subject to the regulations described by PIPEDA.
This tends to exclude nonprofit or charity groups, political parties and associations, and artistic groups.
All Canadian businesses must follow 10 fair information principles, which are laid out in Schedule 1 in PIPEDA:
- identifying purposes
- limiting collection
- limiting use, disclosure, and retention
- individual access
- challenging compliance
PIPEDA consent also looks very similar to consent as described by the GDPR. The main sticking points are as follows:
- companies must obtain consent to collect or use personal information
- information collected must only be used as an individual has consented
- you must limit your collection and use of information to “what a reasonable person would consider appropriate in the circumstances”
- individuals must have the ability to access and change or correct mistakes about their information at any time
Consent under PIPEDA is explicit, intentional, and specific.
Differences Between the GDPR and PIPEDA
In a nutshell, PIPEDA is slightly less strict than the GDPR across several aspects. As an example, Canadian companies are required to report any security breaches that pose real risks of harm to subjects. However, this report must come “as soon as feasible” rather than within 72 hours, as dictated by the GDPR.
However, there have been significant calls to update Canadian data protection laws in the wake of the GDPR even further.
How to Ensure GDPR Compliance in Canada
All Canadian organizations should review their data processing operations and compare them to the regulations described in the GDPR.
Firstly, all Canadian organizations or individuals subject to GDPR compliance should physically read the document if they have the time. While it is written in a very legal language, it is not difficult to read and is lengthier than it is complex. Anyone already familiar with PIPEDA compliance guidelines should find a lot that is similar in the GDPR.
An additional tactic is to examine other organizations affected by the GDPR. You can either reach out to those organizations or companies directly and ask for their advice on compliance or examine what they do outwardly and copy their efforts.
Of course, your own website or company should be examined thoroughly. If you are a part of an international company, you already must appoint a data protection officer; this is one of their chief duties. Spend a lot of time examining your data collection methods, both intentional and inadvertent, to ensure GDPR compliance.
The GDPR will not discriminate between accidental and intentional breaches of its regulations.
Good strategies involve mapping out how the data you collect enters your systems, examining how the data is stored, investigating how the data is transferred between different companies or across borders, and finally investigating how the data is deleted (if at all). This will allow you to get a good insight into how data moves throughout your organization and where you need to pay closer attention or change your procedures.
You should also investigate any contracts or consent forms that you currently have with EU citizens to make sure that the contract is in compliance with GDPR regulations. It may be that your previous contracts or terms of the agreement are not compliant. You should additionally review any contracts you have with data processors (i.e. any employees in your company that handle the data of your customers or consumers) to make sure that their duties are laid out correctly.
For instance, any data processor whose contract does not include GDPR regulations may have ground to stand on if they claim that you are ordering them to do something not in their contract.
It may also be a good idea to consult legal counsel. They may be able to interpret your own contracts and the GDPR’s legislation and make sure there are no blind spots you aren’t seeing and no compliance issues. As the GDPR has already passed and the compliance deadline is long gone, there is no longer any time to wait for data-using companies.
Finally, those Canadian companies who have already been PIPEDA-compliant in recent years may find that the majority of their data infrastructure is already GDPR-compliant. You can also rely on your PIPEDA compliance procedures to follow the above advice, although it’s still important to be aware of the major differences between the legislations.
Recommended Digital Privacy Tools
Recent GDPR News in Canada
Thus far, the GDPR has already been significantly influential on Canadian privacy law, in particular, because it has inspired updates to the Canadian PIPEDA legislation. This is partially because many Canadian businesses also do international business to one degree or another. It has been thought that updating PIPEDA to make it more like the GDPR will improve business flow from Canada to EU countries.
As a smaller example, many of the terms used in the GDPR are commonly used by Canadian lawmakers and other professionals. The GDPR has forced many businesses and individuals to become familiar with the concepts and ideas present in the legislation much more quickly than anyone imagined.
Users of many Canadian websites and companies have already received emails detailing updates to those companies’ privacy policies and contract agreements. This is because the GDPR’s adoption by the EU Parliament has required that any companies doing business with EU citizens must be in compliance with new data privacy laws.
However, this is good news for many Canadian citizens. The GDPR is inspiring updated looks at existing data privacy laws and encouraging many large companies to adopt consumer-friendly practices in relation to their data and its use. Microsoft, as an example, is adopting the GDPR rights to its users all across the world, not just those in the EU. Apple has followed a similar trend.
Others, like Facebook, have stated that they intend to be more transparent, although some have criticized them for making their notification guidelines notoriously difficult to opt-out of.
Since the GDPR came into effect on May 25th, 2018, it has acted as a catalyst for other countries to update their own data privacy laws and encouraged new looks at what responsible data use means. Argentina and Japan were among the first companies to align their national data protection laws with the GDPR. This is largely because many of their companies do international business and adopting similar laws makes business easier across the board.
Canada is now looking to do the exact same thing by updating its PIPEDA legislation. However, these updates will not necessarily be quite as strict as the GDPR.
Additionally, new national concentrations on digital and data transformation will take place in the near future. These will re-examine the role of net neutrality in data protection for Canadians and consider how best to adopt new laws or adjust existing PIPEDA legislation.
The Office of the Privacy Commissioner of Canada has released a new breach reporting requirement for businesses. This is an official update to PIPEDA, which first became a law in 2000. It will affect any private sector organizations that do business with or operate with Canadians.
Specifically, the updates pertain to data breach reporting. While these updates are not as strict as the ones currently adopted by the GDPR, they are much more explicit and will result in more consistent data breach reporting than previous legislation.
In brief, an organization subject to PIPEDA must report to the Privacy Commissioner’s office if any data breach may result in real risk of significant harm and notify individuals of said security breach. Records of security breaches must be kept for two years. Some have noted that these steps are not complete but are at least in the correct spirit of better data protection.
As the GDPR’s new legislation has resulted in several companies facing fines, these fines have come under scrutiny by Canadian companies. Specifically, British Airways and Marriott international have been fined 183.4 million British pounds and 99.2 million British pounds respectively.
These examples have provided valuable insight for Canadian companies to see the actual results of GDPR noncompliance firsthand. Under the GDPR, organizations that have breached said regulations can be fined up to 4% of their annual turnover or €20 million, whichever is greater. Thus, companies can weigh the potential risks of breaching GDPR regulations. It should be noted that actual GDPR fines are dictated by authorities rather than distributed as preset amounts.
- Guide to Canadian PIPEDA Legislation
- Office of the Privacy Commissioner of Canada – PIPEDA in Brief
- Office of the Privacy Commissioner of Canada – PIPEDA Compliance Help for Companies
- Office of the Privacy Commissioner of Canada – PIPEDA Main Resource
- Official GDPR Main Legal Text
- GDPR Compliance Checklist