The EU adopted the Data Protection Directive in 1995. The Directive regulated the processing of personal information in the EU, but although the EU enacted it, individuals and companies were not directly bound by it. As time passed, many saw the need for change, and in 2016 the General Data Protection Regulation (GDPR) was adopted by the EU Parliament, replacing Data Protection Directive 95/46/EC. This law came into force on May 25, 2019 in the EU and has affected companies globally, since it acts as a single unifying system governing the online privacy of EU citizens.
Since the GDPR can affect international businesses, it’s critical that Canadians know how they will be affected if they would like to continue to operate in the EU market.
The Privacy Rights of an EU Citizen
With the introduction of the GDPR, Canadians dealing with EU citizens need to know that they will require different consents for different users. Unlike the Data Protection Directive of 1995, the GDPR has a wider reach, impacting international companies conducting business in the EU. As a business interacts with individuals in the EU, the first thing it needs to know is that the GDPR upholds the rights of EU citizens over their personal data. The focus is for businesses to show that their use of data is fair, transparent and permitted by the user. Since Canadian consent laws have long been flexible when it comes to collecting personal information from users, caution is warranted.
As such, EU citizens are entitled to the following rights, even if they are interacting with a Canadian business or organization:
- The ability to access their data,
- The ability to restrict the processing of data,
- The ability to request an explanation on automated decisions,
- The ability to ask how data is being used,
- The ability to ask for errors to be rectified,
- The ability to request that their data be removed under the Right to Erasure, also known as the right to be forgotten.
Among the rights that the GDPR provides EU citizens, it’s important to highlight Article 17 (Right to Erasure). Article 17 allows users to request that a data controller erase their personal data in certain situations without undue delay. While there are a number of reasons why someone might request that their data be removed, some common ones are: the personal data is no longer relevant or necessary, the data was unlawfully processed, or the data was collected in relation to Article 8 (a child’s consent in relation to information society services). Businesses should also be able to demonstrate that they have measures in place to correct errors in a user’s data when requested.
Data Breach Notification
In addition to the privacy rights it provides EU citizens, the GDPR also contains rules relating to data breaches. Specifically, it requires international companies to inform EU users of any data breach. Where possible, users should receive notification from the company within 72 hours. The only exception to this rule is if the breach impacts the freedom and rights of users.
Data processors, for their part, are required to report any breach to the company that controls the data. The GDPR also restricts international data transfers, with an exception for businesses that provide adequate protection for the information.
Data Protection Officers
With the adoption of the GDPR, businesses that perform regular and systematic data monitoring on a large scale will also have to employ a data protection officer (DPO). The officer fills an enterprise security leadership role and ensures not only that the company has a data protection strategy, but that it is complying with GDPR requirements. Accordingly, officers must have expert knowledge of data protection laws and practices to ensure the company is abiding by the rules and regulations.
The GDPR and PIPEDA
Although the GDPR was adopted by the EU, it affects Canadian businesses dealing with the European market. Even though Canada had similar regulations in effect prior to the GDPR, such as Canada’s Anti-Spam Legislation (CASL), the GDPR is said to share many similarities with the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA came into force on January 1, 2001, and 10 fair information principles were created for businesses to follow:
- Accountability for the personal information an organization handles,
- Identifying the purpose of why someone’s data is being collected,
- Ensuring consent,
- Limiting collection of what data is collected,
- Limiting use, disclosure, and retention of data,
- Accuracy in terms of keeping information up-to-date,
- Safeguards to keep information secure,
- Openness to users,
- Allowing access to individuals requesting to review what data has been collected about them,
- Allowing individuals to challenge compliance.
Compliance in Canada
Compared to other countries, Canada is well ahead in compliance with data protection regulations. As a leader in privacy regulation, the country has put data governance policies in place. Whether it’s abiding by other protection regulations or updating our own, Canada is focused on data protection and data breach reporting.
If you would like to consider investing in cybersecurity, the Evolve Cyber Security Index Fund (CYBR.B) invests in companies that are involved in this endeavour. This fund was Canada’s top-performing equity ETF in 2018. To learn more about this cyber security ETF, visit our website.