These days, most of my privacy work has been focused on helping organizations prepare for the coming into force of the EU General Data Protection Regulation (GDPR) on May 25, 2018. With its extra-territorial reach, strict enforcement regime and heavy penalties, the GDPR has grabbed the attention of organizations around the world that collect the data of EU residents.
The GDPR may seem draconian with its rules around maintaining records of processing, obtaining explicit consent at the time of personal data collection and ensuring clear privacy notices, but the result of such rules is more accountable and transparent data handling practices. The Facebook–Cambridge Analytica data scandal couldn’t be a better example of what can go wrong without transparency. The scandal, involving the collection of the personal information of up to 87 million Facebook users to influence voter opinion, is a clear indication of the need for privacy rules that target data mining in today’s interconnected world. And the GDPR is indeed setting a standard that other countries are looking to model.
PIPEDA Breach Regulations Will Come into Force This Year
In Canada, the House of Commons Standing Committee on Access to Information, Privacy and Ethics recently tabled in the House of Commons a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act, recommending 19 changes to PIPEDA. The Report essentially addresses many of the challenging issues raised by new technologies, with a specific focus on consent and transparency. The recommendations are clearly influenced by the direction set by the GDPR, including expressly requiring “privacy by design”; giving the Federal Privacy Commissioner order-making powers so PIPEDA has more teeth; introducing a default opt-in system; and introducing rights to portability and erasure, similar to the data subject rights we see in the GDPR. These changes would certainly satisfy one of the goals of many privacy advocates: to ensure that Canada retains its adequacy designation when PIPEDA is reviewed by the EU against the GDPR. A finding of adequacy would allow personal information to flow freely between the EU and Canada.
On March 26th, an Order in Council announced November 1, 2018 as the day on which PIPEDA amendments introducing mandatory privacy breach notification, reporting and recordkeeping will come into force. The underlying international pressure imposed by Europe, a privacy legal framework influencer, is certainly helping to strengthen Canada’s privacy laws. So we have GDPR to thank because it is not just affecting EU residents. Another example of this: Facebook has just promised to offer its users around the world the same privacy controls required under the GDPR.
Businesses must do the work to be accountable for the personal data entrusted to them, transparency must be achieved, employees must be made aware, and the public benefits on a global scale. Privacy finally seems to be headed in the right direction.
For assistance with your GDPR compliance efforts, contact PRIVATECH. To get up to speed and receive valuable templates that prepare you for the coming into force of Canada’s Breach of Security Safeguards Regulations, visit our Privacy Breach Response Toolkit.