On May 25, 2018 the world will experience a seismic shift in privacy protection. On that date, the European Union’s General Data Protection Regulation (GDPR) will come into effect, altering the global privacy landscape and bringing privacy into the 21st Century.
Europe has long set the global standard for privacy protection. Starting with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980, Europe codified a set of principles that established a privacy framework used by countries around the world. This was extended in 1995 with the European Union Data Protection Directive, which mandated data protection legislation in all European Union member countries. The Directive went further by restricting transfers of personal data to countries that did not ensure an adequate level of privacy protection.
Canada responded to these European developments in 1996 with the CSA Model Code for the Protection of Personal Information, which was based largely on the OECD Guidelines, and in 2001 with the coming into force of the Personal Information Protection and Electronic Documents Act (PIPEDA), which was deemed “adequate” by the European Union later that year.
It has been almost four decades since the development of the OECD Guidelines. Those were the days of mainframe computers, the emergence of client/server architecture, and the first personal computers. The Internet, smartphones, and Big Data were but glints in the eyes of the most forward-looking thinkers. The foundations of our current privacy laws were established in the last century. Surely, it’s time for an upgrade.
Enter the GDPR with new rights for data subjects, and new responsibilities for data controllers and processors. Rights for data subjects include:
- The right to be informed about the nature of data processing conducted by data controllers.
- The right of access to their personal information.
- The right to rectification of any personal data that is inaccurate or incomplete.
- The right to erasure/the right to be forgotten when data is no longer necessary for the purpose for which it was collected or processed.
- The right to restrict processing where data subjects have contested the accuracy of the data or objected to the nature of the processing.
- The right to data portability that allows data subjects to move, copy or transfer their personal data from one IT systems environment to another.
- The right to object to processing of their personal information.
- The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects for the data subject.
New responsibilities for data controllers and processors include:
- Applying Data Protection by Design (a.k.a. Privacy by Design) principles to the development of IT systems and processes.
- Applying Data Protection by Default principles to systems and practices that process personal data.
- Maintaining records of processing activities.
- Ensuring the security of personal data.
- Notifying data subjects and supervisory authorities of personal data breaches.
- Conducting Data Protection Impact Assessments (a.k.a. Privacy Impact Assessments) where processing is likely to result in a high risk to individuals, such as large-scale processing of sensitive personal data.
- Designating a Data Protection Officer (a.k.a. Privacy Officer) where the regulation requires one, which includes large-scale processing of special categories of data such as health data.
The GDPR calls out special categories of personal data that require special consideration in the application of privacy and security controls. These include data concerning health, genetic data, biometric data, and information about a person’s sex life or sexual orientation.
The territorial scope of the GDPR is not restricted to organizations operating in Europe. Organizations in any country that process the personal data of people in the EU are subject to the regulation where the processing relates to offering them goods or services or to monitoring their behaviour. This shouldn’t be a concern to Canadian healthcare organizations that provide treatment to European residents visiting Canada, but it would apply to any Canadian company or organization processing the personal data of European residents located in the EU. For example, a Canadian healthcare organization or company providing telemedicine or other health services to people in Europe, where the data is stored and processed in Canada or in the cloud, would be subject to the regulation.
Maximum fines under the GDPR can be especially severe: up to €20 million, or 4% of annual global turnover, whichever is higher. Fines are not the only tool, however; supervisory authorities under the regulation have a range of corrective powers and sanctions to enforce the GDPR. These include issuing warnings and reprimands, imposing a temporary or permanent ban on data processing, ordering the rectification, restriction or erasure of data, and suspending data transfers to third countries. One would expect the nature of the sanction to be commensurate with the severity of the infraction.
At the moment, Canada’s PIPEDA is considered “adequate” (the EU’s 2001 adequacy decision covers organizations subject to PIPEDA, not the provincial statutes that substitute for it), facilitating the transfer of personal data from Europe to Canada. However, continuation of this privileged status is far from certain. There are a number of areas where Canadian privacy law is not consistent with the GDPR; for example, in the areas of data portability, the right to be forgotten, and consent for data use. In time, Canada’s status will be reviewed by the EU, and it remains to be seen whether our adequacy standing is maintained, possibly forcing changes to our own laws.
In an age of digital disruption, where digital health is a global enterprise, the GDPR is poised to become the international standard for data privacy. The Regulation takes a global view of privacy challenges and flexes the economic might of the European Union to protect the privacy rights of its citizens. As with the previous Data Protection Directive, we can expect Canada and other countries to fall in line with the GDPR’s 21st-century view of a digital world.