Calls grow to modernize privacy laws
New privacy regulations coming into force in Europe next year are calling into question whether Canada’s approach to privacy is keeping up with its peers.
Industry observers are suggesting that if Canada doesn’t continue to update its approach, it might face roadblocks in preserving its status as a protected jurisdiction — a status which allows for fluid trade with the industry.
In May 2018, Europe’s new General Data Protection Regulation (GDPR) will come into force, and will impose sweeping changes on how privacy is protected in the European Union.
Firms with operations there are — or should be — working to prepare for this deadline, but privacy controls could be impacted by it beyond EU borders.
Right now, Canada has “adequacy” status from the European Commission, which determined in 2001 that Canada’s law under PIPEDA (the Personal Information Protection and Electronic Documents Act) was strong enough to ensure that any information transferred to Canada from the EU would be protected. However, things are changing.
“We can’t take for granted that Canada will be considered adequate under the GDPR, since it’s extremely different from our present laws, and quite different from the last European laws under which we had been deemed adequate,” said Chantal Bernier, former interim privacy commissioner of Canada, and an adviser at the privacy and cybersecurity practice at law firm Dentons Canada LLP.
The regulations are much stricter than the rules in many countries, and than their predecessors in Europe. They are going to have an effect on marketers, since collecting and storing customers’ information is becoming a part of targeted advertising. Any advertising agencies or businesses doing business there will have new rules to contend with — such as the law’s definition of personal data, which includes computers’ IP addresses.
The law allows people in many instances to withdraw their approval for organizations to keep their information if the use of the information isn’t related to the reason it was collected in the first place. And they have the right.
However, the law goes way Additionally, it changes the way they protect against the sort of data breaches that have made headlines in recent years — and how breaches are reported and the way companies need to take care of their own employee data. Penalties for non-compliance may be around $20-million (nearly $30-million Canadian) or 4 percent of a business’s total worldwide earnings, whichever is higher.
Adequacy status is essential, since it allows for the exchange of data between the EU and Canada for commercial purposes. It paves the way for companies to do business with customers and companies in Europe.
“They know they’re transferring information to a business that’s in compliance with the duties which they’re under,” Ms. Bernier said.
For trade purposes, losing that status would make doing business more challenging. In any circumstance where information is moving across those borders, measures would be required so that companies could trust that the companies they deal with are compliant under their laws.
“The flow of data should occur,” said Kris Klein, partner at law firm nNovation LLP and an expert in privacy and data security. “We do a whole lot of trade with European businesses. Probably 25 to 30 percent of it’s currently dealing doing business. That’s a fair quantity of information flow that goes back and forth.”
The U.S. doesn’t possess adequacy standing, but has its own treaty known as To enable transaction. Just 11 countries, including Canada, have adequacy status with the EU, and in coming years, these nations will be up for review: Article 45.3 of the European law provides for “a mechanism for a periodic review, at least every four years, which will take into consideration all relevant developments in the third country or international organization.”
“There are still quite a few places where I believe if the Europeans were looking at us, they would say we fall short,” Mr. Klein said. The major change to PIPEDA came in when the passed into law. That made it mandatory to report any information breaches or face fines of up to $100,000. But some think Canada needs to do more.
For instance, complaints still largely drive enforcement of Canada’s Privacy Act and PIPEDA. As federal Privacy Commissioner Daniel Therrien stated in a recent speech, “people are not likely to submit a complaint about something they don’t know is happening, and at the time of large data and the ‘Internet of Things,’ it is quite tricky to know and understand what is happening to our private information.”
This calls into question not whether people will make the complaints that could trigger enforcement under the law, but whether people are given the opportunity to offer consent when their information is gathered. (The fine-print sophistication of privacy policies doesn’t help matters. The OPC has been pushing for the development of privacy policies which are easier to digest for customers.)
Since February, the House of Commons’ standing committee on access to information, privacy and ethics has been holding meetings to review PIPEDA and to hear from witnesses across the academic, regulatory and business spheres, and from individuals. Whether it is going to lead to changes in the law has not yet been determined.
“I’m looking forward to hearing from the Canadian authorities how they’re addressing the problem of an eventual review of Canada’s adequacy standing under GDPR,” Ms. Bernier said.
In an appearance before the standing committee in February, Mr. Therrien suggested that lawmakers should think about bringing Canadian law “nearer to European law, or even to the exact same location.” He has been asking the government for enforcement powers, including the right to make orders to comply and to hand down fines. At this time, the national watchdog “is in several respects, weaker than a few of our provincial and worldwide counterparts,” he told the committee.
Mr. Klein pointed out that when PIPEDA was initially passed in the late 1990s, part of the inspiration was a response to regulation in other markets, especially the EU — and a desire to demonstrate that Canada had equal protections in place.
“Maybe it is a sad state of affairs that we are going to be pressed into doing something which is long overdue,” Mr. Klein said. “But I do believe it finally will be exactly what happens.”