Challenging common misconceptions to understand Europe’s new privacy law
By Cristina Onosé
On May 25, 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR). The GDPR is the most significant new data privacy regulation to be introduced anywhere in the world in many years. Its new requirements around personal data collection, processing and sharing have an unavoidable impact on data-driven programmes that are used by so many of today’s brand marketers.
The regulation protects the personal data of residents (or “data subjects”) of the 28 EU Member States, along with three other countries in the European Economic Area (EEA)—Iceland, Liechtenstein and Norway—that have decided to participate.
Several jurisdictions outside of Europe are looking at how they can emulate the GDPR approach. In Canada, a Parliamentary committee recently called for significant amendments to the nation’s long-standing federal private-sector privacy law, the Personal Information and Electronic Documents Act (PIPEDA). In addition, the Canadian government announced plans to develop a “national data strategy” to address current consumer privacy concerns.
Two requirements of the GDPR are particularly challenging for organizations in Canada and around the world.
First, the expanded extra-territorial application of the law enables European data protection authorities (DPAs) to pursue alleged offenses well beyond the borders of the EU itself.
Second, there are significant penalties for non-compliance with the regulation of up to 4% of an organization’s annual global revenue or €20 million (approximately $30 million CAD), whichever is greater. This is done at the discretion of the DPAs.
It is not surprising that many misconceptions have emerged among Canadian businesses about their obligations under the GDPR given its significant scope and application. In addition, Canadian companies’ concern is rising about the possibility that similarly strict requirements may be adopted by our own data protection authority, the Office of the Privacy Commissioner (OPC).
What can Canadian marketers reasonably expect from EU enforcement of the GDPR? And what are Canada’s own approaches to data protection likely to be in the months to come? Here are four top misconceptions that will help you understand the answers.
1. The GDPR applies to all Canadian organizations: FALSE
Most Canadian companies that operate solely in Canada will not be subject to the GDPR. However, some Canadian companies could be impacted by the regulation if they meet any of the following criteria:
(a) Have an establishment/ physical presence in the EU/EEA;
(b) Market to or offer goods or services—even at no charge—to EU/EEA residents;
(c) Monitor or profile behaviours of individuals in the EU/EEA; or
(d) Are a third-party processor of EU/EEA personal data.
What constitutes “marketing to” or “monitoring the behaviour of” EU/EEA residents?
Mere accessibility to purchase products on a website is not sufficient. However, feature functionalities that enable EU/EEA residents to use a website (for example, offering a service in a local language or providing pricing in a local currency) may trigger application of the regulation. Information collected for purposes of behaviour monitoring also must relate to activities of persons within the EU and EEA. Monitoring may include, for example, Internet tracking or data collection for the purpose of profiling.
To be clear, companies that have no European operations and do not target EU and EEA citizens/residents for products/services, will not be caught under this legislation.
2. The GDPR requires end-user consent to process personal data: FALSE
In Canada, organizations need to obtain the consent of consumers to process personal data. Many organizations needing to comply with the GDPR assume that they must also obtain an individual’s consent for direct marketing purposes.
There are six lawful bases processing of personal data under GDPR: (1) consent, (2) legitimate interests, (3) contractual necessity, (4) compliance with legal obligations, (5) vital interests and (6) public interest.
Before the GDPR went into force, many organizations flooded their customers with requests for renewed consent. Was this necessary? In some cases, not. For direct marketing activities, two processing options are appropriate and lawful under the GDPR: (1) “consent” and, (2) “legitimate interests”.
The regulation explicitly recognizes that direct marketing does not always require consent and that “the processing or personal data for direct marketing purposes may be regarded as being carried out for legitimate interest”.
Marketers can rely on legitimate interests for marketing activities if they can show that the use of personal data is: proportionate; that it has a minimal privacy impact; and, that individuals would not be surprised or likely to object.
3. The GDPR mandates rules for electronic communications: FALSE
While many marketers are still trying to assess the impacts of the GDPR, yet another European privacy regulation looms on the horizon. The ePrivacy Regulation could have significant impacts on the ways in which advertisers, publishers and marketers interact with EU data subjects electronically. The new ePrivacy law has received far less attention than the GDPR, in part because the regulation remains in draft form and is currently being debated by European policymakers.
Designed to complement the GDPR, the ePrivacy regulation would set rules on electronic communications. This includes marketing e-mails, apps, telephone, instant messaging and personalized online display advertising (e.g. behavioural or interest-based advertising). It would also explicitly regulate the processing of personal data through connected devices, i.e. the Internet of Things (IoT) where data is shared machine-to-machine. The fines will mirror those for the GDPR.
The most disruptive part of the proposed ePrivacy regulation is the requirement that companies obtain explicit consent for any data they retain from users of their services, including marketing and advertising messages. This is a threat to any business reliant on online advertising, particularly when advertising is enabled through web cookie files. Legacy data will not be exempted or “grandfathered in” under the new law.
4. Canada undoubtedly will adopt a GDPR-like regime: FALSE
The Canadian Parliament recently called for GDPR-like provisions to be considered as part of the ongoing review of the federal privacy law, PIPEDA. However, the government has refrained from this approach, opting instead for a more thoughtful analysis before proceeding with any formal revisions. Further, the government has invited a number of constituencies to comment on the process: including Canadian businesses. These “national data consultations” seek to find the right balance between supporting innovation and protecting privacy interests, while promoting trust in the data economy.
The GDPR has been enthusiastically championed by privacy advocates as the new gold standard for consumer privacy regulation. Yet it is a law that is catching up to Canada in many respects, incorporating principles that have been part of PIPEDA and businesses’ best practices for more than 15 years. These long-established privacy principles include accountability, access rights and right to erasure. In addition, data breach reporting requirements were incorporated into PIPEDA in 2015 and come into force later this year.
We need to be mindful about not simply importing a system which might not be suitable in the Canadian context. Profound differences exist between Europe’s history and contemporary attitudes about data collection and the social culture and business environment that exists in Canada today.
The most admirable and unique quality of PIPEDA is that it supports a regulatory environment that protects consumers and fuels an innovative economy. Its stated objective is to support innovation and the growth of the digital economy while providing robust protections for personal privacy. As such, the law is much more than a simple consumer protection tool. Its intent is to promote a responsible and innovative business environment.
Balancing economic objectives with responsible privacy protection
In a volatile global marketplace that is increasingly interconnected and data-driven, the Canadian economy needs flexibility to thrive. Privacy and data protection are extremely important components to ensure continued consumer trust in a digital world; just as innovation and competition are critical to maintaining a healthy business environment. None of these should be addressed to the detriment of the others.
Consumers understand the importance of this balancing act. A recent study conducted by Canadian Marketing Association (CMA) revealed that a significant majority of Canadians (76%) have no fundamental objection to engaging in the data economy. The report also highlighted that consumer concerns around privacy can be mitigated by companies providing trust. Regulation is not the only tool in the toolbox. To build and maintain consumer trust, companies need to provide transparency and make reasonable efforts to help consumers understand how their data is being used.
Canada is well-positioned to showcase innovation and be competitive globally while ensuring that responsible business models are the standard in a marketplace that respects consumer trust. PIPEDA continues to offer the perfect regulatory framework to preserve this balance between consumer protection and business success. While incremental improvements can and should be considered, an entirely new approach that has not been authentically created for the Canadian landscape should not replace a framework that has served us well.
Cristina Onosé is director, government relations at the Canadian Marketing Association www.the-cma.org. She has an MA in international affairs and is a certified privacy professional (CIPP/C). Her areas of expertise include Canadian and EU privacy law, cybersecurity, emerging technologies (Internet of Things, self-driving cars), Canada’s anti-spam law and interest-based advertising. Information in this article does not constitute legal advice.