2. DESCRIPTION
As the European Union’s General Data Protection Regulation (GDPR) comes into effect over the next two years, organizations that do business in Europe will face a series of new obligations – and the potential for huge fines if they fail to respond. Like the Data Protection Directive before it, the GDPR will transform the way Canadian companies protect consumer privacy and may even impact Canadian policy and legislation. This session will explore the operational impacts the GDPR will have on Canadian companies as well as the policy implications for international data transfers from Europe to Canada.
What you’ll take away:
• An overview of the GDPR’s key provisions and departures from the Directive
• The policy implications of the GDPR for Canada’s adequacy status and preserving international data transfers
• A detailed analysis of how the GDPR will impact the operations of Canadian businesses
3. Constantine Karbaliotis, J.D.
CIPM, CIPP/C/E/US, CIPT
Vice President of Privacy Office Solutions
NYMITY
366 Bay Street, Suite 1200
Toronto, Ontario, Canada, M5H 4B2
Tel. 647.260.6230 x240
constantine.karbaliotis@nymity.com
www.nymity.com
Gabe Maldoff, J.D.
CIPP/US
Westin Fellow, IAPP
IAPP
75 Rochester Ave., Suite 4
Portsmouth, NH 03801
gmaldoff@iapp.org
4. AGENDA
1. GDPR Primer – Gabe
a. GDPR Themes
b. Bases for Processing
c. Individual Rights
d. Breach Notification
e. International Data Transfers
2. Policy Implications of GDPR – Gabe & Constantine
a. Canada’s Adequacy Status
b. Issues
3. Operational Implications of GDPR – Constantine
a. Canadian Companies as Controllers
b. Canadian Companies as Processors
c. The Employee Data Exception
d. Onward Transfers
e. The “delta” – What do Canadian Companies have to do differently?
f. A modest proposal
4. Questions and Answers – Gabe & Constantine
www.iapp.org
5. DISCLAIMER
• This represents the views of the presenters, and not of any of their:
– Employer
– Privacy organizations to which they may belong
– Anyone else, perhaps
– But these are questions that may be useful to consider – and have answers to
7. THE GENERAL DATA PROTECTION REGULATION
– Regulation, NOT a directive
– 99 Articles, 204 pages
– New territorial scope:
• Shift from location of equipment to location of data subjects
• “Processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:
– A) The offering of goods and services to data subjects in the Union; or,
– B) The monitoring of their behaviour”
– Fines up to 20 Million Euros or 4% of annual turnover
• Key Concepts: personal data;
controller/processor; main establishment
8. GDPR THEMES AND AIMS
1. Creating a single set of rules that govern across
the EU
• Contra: carve-outs for Member State implementation;
no pan-EU regulator
2. Putting users in greater control of their personal
data
• Contra: new challenges on obtaining consent
3. Accountability and heightened enforcement
• UK Information Commissioner Christopher Graham:
What scares Google is EU-style data protection rules
with U.S.-style enforcement
9. BASES FOR PROCESSING
1. Enhanced rules around consent
• “Freely-given, specific, informed, and unambiguous ... by a
statement or clear affirmative action” (Opt-In)
A. Need to be able to demonstrate consent
B. Request for consent must be clearly distinguishable from other
terms and conditions
C. Data subject must be able to withdraw it at any time
D. Service cannot be made conditional on consent
2. Contract
3. Legal obligation
• Obligation must stem from EU law or Member State law only – not a Canadian legal obligation
4. Legitimate interests of the controller
• Privacy notice will need to explain what are the controller’s
legitimate interests and why they override the data subject’s
interests
10. BASES FOR PROCESSING (2)
– Special Categories of Data
• Broad definition: health, biometric, genetic,
religious/philosophical/political opinions and beliefs
• Prohibited, unless...
– Explicit consent
– Necessary for employment
– Vital interests
– Manifestly made public
– Medicine, public health, legal claims, research
– Compatible Secondary Processing
• Factors: link between purposes, context and relationship,
nature of the personal data, possible consequences,
presence of safeguards
11. INDIVIDUAL RIGHTS
– Notice
• Need to provide notice of legal basis, any transfers to third
countries, how the data subject can obtain more information,
retention periods (or how they will be calculated), individual rights
• If data is obtained indirectly, notice must be provided within one
month, unless it would take disproportionate effort
– Access and Rectification
• Right to receive information about processing activities
• Right to a copy of all personal data
• Right to rectify inaccurate data
• Derogations/exemptions:
– Taking reasonable steps to verify the identity of the requester
– Member States may protect both individuals and controllers
– Controllers may be able to consider the motive of the data subject in requesting access
12. INDIVIDUAL RIGHTS (2)
– Data Portability
• Right to structured and machine-readable data
• Applies only to automated processing, where data was provided by the
data subject, and processing is based on consent or contract
• But, processing the request cannot impact another data subject’s
rights
– Right to be Forgotten
• Controllers must erase personal data “without undue delay” if the data
is no longer needed, the data subject objects to processing, or
processing was unlawful
• Balanced against freedom of expression, the public interest in health,
scientific and historical research, and the exercise or defense of legal
claims
– Right to Object
• Controller must cease processing that was based on its legitimate
interests or a public interest, unless the controller can demonstrate
compelling legitimate grounds for the processing
13. DATA BREACH NOTIFICATION
– Definition:
• “A breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or
access to, personal data transmitted, stored or otherwise
processed.”
– Notification to Competent Authorities
• Notification within 72 hours
– Unless the breach is “unlikely to result in a risk for the rights and
freedoms of natural persons.”
• Processor must notify the controller
– Notification to Affected Individuals
• Only where the breach is “likely to result in a high risk for the
rights and freedoms of natural persons.”
14. RESPONSIBILITIES OF CONTROLLERS AND PROCESSORS
– Controllers
• Must secure greater control over processors
• Overall accountability
– Processors
• New direct obligations:
– Maintain a register of processing activities
– Security measures
– Data transfer obligations
– Joint controllers
• Need to allocate responsibility and communicate the division of
responsibility to individuals
– Liability
• Joint and several liability
– Goal of providing effective compensation
– Burden on controller to prove no liability
15. INTERNATIONAL DATA TRANSFERS
– Adequacy determination
• From adequate to “essentially equivalent”
• New power for Commission to find a specified territory or sector within a
country “adequate”
• Periodic review
– Binding Corporate Rules (BCRs)
– Standard Contractual Clauses
– Approved and enforceable codes of conduct and/or certifications
– Derogations for specific transfers:
• Explicit Consent
• Necessary for the performance of a contract
• Public interest or vital interest
• Exercise or defense of legal claims
• Public register
• Compelling legitimate interests of the controller with suitable safeguards
– Concerns only a limited number of data subjects
– NOT repetitive
– NOT overridden by data subject rights
17. THE CASE FOR REFORMING PIPEDA (RELEASED MAY 23, 2013), OFFICE OF THE PRIVACY COMMISSIONER OF CANADA
• “One of the reasons PIPEDA was enacted
was to create a vehicle that would
facilitate the flow of personal information
from EU member states to Canada…The
adequacy concept is retained under the
Regulation.”
• “It is an open question as to what effect
the proposed Regulation, if passed in its
present form, might have on Canada’s
adequacy status, given the current state
of PIPEDA.”
18. IS ADEQUACY AT RISK?
• EU has shown willingness to take action on and
challenge adequacy of member states
– Hungary
• Regulation explicitly addresses determination of adequacy and extends ability to recognize sub-divisions – as well as to determine that a country or sub-division is not adequate, and to monitor on an ongoing basis
– GDPR, Article 45
19. AREAS OF RISK FOR ADEQUACY
• Adequacy in current version is based upon sufficiency of sanctioning power by an independent data protection authority (GDPR Article 45)
– Issues have been identified by EU authorities and commentators on:
– Breach notification >> soon to be fixed?
– Penalties and order-making >> fixed?
– Onward transfers from Canada
– The right to be forgotten
– National security >> requires fix at an international level
• Lack of coverage of laws to all aspects of personal information
– Employee privacy is not protected under PIPEDA unless under federal jurisdiction, or in a province lucky enough to have a provincial privacy law
20. REVIEW OF ADEQUACY
• Canada is not likely to be ‘first’ on the list for
possible review
• Of the league of the ‘adequate’, other
countries may be first to be reviewed:
• Are we keeping up with the league of the
adequate?
• Is adequate, adequate anymore?
– Schrems
21. TREATMENT OF SUB-DIVISIONS
• Could Canada remain considered adequate –
but a province not be adequate?
– GDPR Article 45
– WADA issue in Quebec – assertions of inadequacy?
– Does adequacy follow being deemed ‘substantially similar’
under PIPEDA?
• Could a province be recognized as adequate –
and not the rest of Canada?
• Alberta alone has coverage, enforcement, breach –
last one standing?
• Does national security law moot even what the
provinces have done?
22. SUBSTANTIALLY SIMILAR NOT ADEQUATE?
• “At the moment, the Commission Decision does not cover
provincial legislation, but it is foreseen that when the Canadian
Government recognises a provincial law as being substantially
similar to PIPED Act then the Commission decision will be adapted
to reflect this.”
• There has never been formal recognition that a
substantially-similar finding means adequacy –
raised in WADA controversy in relation to Quebec
• Model clauses are therefore required for any
transfer to a province deemed substantially
similar
23. POSSIBLE POLICY RESPONSE
• Amendment of PIPEDA in line with May 2013
Discussion Paper
– Primarily for ourselves, but also because of our
desire to continue to do business with the EU and
perhaps to take advantage of our natural
advantages
– Already partially instituted by changes under S-4,
and with breach consultations underway to
complete breach notification requirements
• Coordination with provinces to ensure:
1. “Substantially similar” legislation
2. Coverage of employee data
3. Consistent breach notification requirements
4. Codify federal-provincial cooperation on investigations, other
25. WHAT ABOUT ADEQUACY?
• Adequacy is not a get-out-of-jail card… this
only addresses data transfer requirements,
none of the other substantive requirements of
the GDPR
26. OPERATIONAL IMPACTS OF THE GDPR (1)
• As a data controller:
– You are subject to all the requirements of the
GDPR, in the same fashion as any company
operating in the EU, if you are collecting personal
data from EU residents
– You do not need to have a physical presence in the
EU
27. OPERATIONAL IMPACTS OF THE GDPR (2)
• As a data controller, you must comply with all
aspects of the GDPR, and key for Canadian
companies:
– Right to be forgotten
– Record keeping requirements
– Data protection impact assessments
– Appointment of DPO where warranted
– Representative office in Europe
– Data breach reporting
– Enforcement – fines of up to 4% of global revenue (!)
• And more…
28. OPERATIONAL IMPACTS OF THE GDPR (3)
• As a data processor:
– You will be made subject to all the requirements of the GDPR, just as any other data processor, if you are processing personal data of EU residents on behalf of a data controller
– This will be done via contract by your clients – as
data controllers, they have the obligation to pass
on the requirements of the GDPR to their
processors
29. OPERATIONAL IMPACTS OF THE GDPR (4)
• What obligations?
– Right to be forgotten
– Record keeping
– Data protection impact assessments
– Data security requirements
– Data breach reporting
– Representative office
• And more…
30. EMPLOYEE DATA
• For both data controllers and data processors:
– Employee data is not included in the adequacy
finding:
• “..if the recipient organisation is not a federal work,
undertaking or business, then adequate safeguards
must be put into place to protect the data.”
– Standard contractual clauses are the
recommended approach to deal with employee
data
31. IMPACT ON DATA TRANSFERS
• For both data controllers and data processors:
– An ongoing sticking point for EU companies and regulators has always been that there are no requirements or restrictions relating to onward transfers, i.e. to the United States
– Article 28 will mandate this be addressed by
contractual requirements for data processors to
ensure adequate protection of personal data for
onward transfers – and restrictions prohibiting it
without the controller’s approval
32. ADDRESSING DATA TRANSFERS
• Strategies:
– Standard Contractual Clauses for onward transfers
• Even if not required in some circumstances – a best
practice?
• GDPR will ultimately mandate this
– Legitimate interests
• Seems to be ‘coming to life’ – consideration needs to be
given to documenting, defending positions
– Privacy Shield?
• Onward transfers to the US – can we leverage Privacy Shield?
33. SUPPLEMENTING ADEQUACY
• Codes of conduct are permitted under the GDPR and can be used to
recognize adequacy to a sector: Article 46
• Codes of conduct can address:
– Areas relating to data processing such as:
• fair and transparent data processing;
• legitimate interests;
• collection of data;
• the pseudonymisation of personal data;
• information of the public and of data subjects;
– Requests of data subjects in exercise of their rights, including the right to be
forgotten;
– Information and protection of children and collection of consent by parents;
– Setting standards for security of processing;
– Notification of personal data breaches and communication of breaches to data
subjects;
– Transfer of data to third countries or international organisations;
– Out-of-court proceedings and other dispute resolution procedures
34. A CANADIAN CODE OF CONDUCT
• So, rather than wait for amendments…
• Canadian private sector ‘fixes’ the short-comings in our law by
creating a code of conduct that they can voluntarily adhere to, that
addresses the areas allowed, plus:
– Onward transfers – setting our own standard contractual clauses
– Employee data – ensuring coverage
– Ensuring coverage of organizations under provincial substantially-similar laws, or where there are no provincial laws
– Authorizes federal and provincial commissioners – or possibly another
body? – to monitor and enforce the code of conduct
• A ‘made in Canada’ solution that does not require legislative
change, and that protects and enhances our ability to do business
with the EU
35. CONCLUSIONS & Q&A
• GDPR is a sleeper issue for Canadian companies
• Safe Harbor/Privacy Shield has provided a window into
how willing the EU is to challenge existing relationships
• Canadian privacy professionals can best steer their organizations clear of potential issues by being up-to-date on requirements for GDPR compliance, and addressing proactively the contractual flow-throughs required to satisfy EU consumers and clients
• Perhaps Canadian organizations can best take control
of the issues relating to adequacy, and ensure their
ongoing business relationships with the EU through a
voluntary code of conduct