BC Companies and GDPR – What You Don’t Know May Hurt You

Article by Samson Chan |  Singleton Urquhart Reynolds Vogel LLP

On May 25, 2018, the European Union General Data Protection Regulation (GDPR) took effect in all member states of the European Union (EU).  GDPR is a comprehensive data protection law that governs the collection, use and dissemination of personal information in the EU.  Unlike its predecessor, Directive 95/46/EC, and British Columbia’s Personal Information Protection Act (PIPA), GDPR imposes stricter requirements and obligations on organizations with respect to the use, collection, disclosure, and maintenance of personal information.  Most importantly, with its wider territorial scope, GDPR has implications for businesses that operate outside of the EU, including businesses in Canada and British Columbia.

How does GDPR apply to businesses in BC?

“Personal information” is defined as any information that can indirectly or directly identify a person.  Usually, a nation’s data protection laws do not govern the processing of personal information by organizations in other countries.  GDPR, however, is applicable to the processing of personal information extraterritorially if the organization, as the controller or processor:

  1. offers goods or services to data subjects in the EU; or
  2. monitors the behaviour of the data subjects as far as their behaviour takes place within the EU.

Businesses in BC that fall under either of the above categories will be subject to GDPR.  They may also be subject to GDPR if they provide data processing services to organizations that are subject to GDPR.

How does GDPR affect businesses in BC?

GDPR has specific requirements and obligations with which BC businesses must comply.  It is prudent to be compliant with GDPR because of its punitive penalties and fines.  For example, a lower level fine can be up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher.  An upper level fine, on the other hand, can be up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.  The key areas of GDPR for businesses in BC to note, in light of PIPA, include, but are not limited to, the following:

Consent

Aside from certain exemptions, PIPA requires consent for data processing.  It, however, allows for both express and implied consent.  Under GDPR, consent is one of the lawful bases that allows organizations to process personal information.  Once chosen as the lawful basis, consent under GDPR has onerous requirements: GDPR mandates affirmative, express consent for each use of the personal information.  It expressly requires specific, informed, and unambiguous consent, freely given by a clear affirmative action.  The existing practice of “opt-out” consent, where the burden is on the data subject to opt out, is eliminated.  Furthermore, the withdrawal process must not be difficult and should be as easy to do as it is to give consent.

Breach Notification

Businesses in BC may be subject to the requirement of mandatory breach notification pursuant to the amendment to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) that will come into effect on November 1, 2018.  Currently PIPA does not have such mandatory breach notification requirements, but it is subject to amendments to include such requirements if PIPA aims to remain substantially similar to PIPEDA.  This includes reporting high risk breaches to affected individuals, reporting such breaches to the Privacy Commissioner of Canada, and maintaining records of such breaches.  GDPR has similar requirements, but instead of requiring the organization to report the breaches as soon as feasible, it requires the organization to report to the supervisory authority within 72 hours, with any later report to be accompanied by an explanation of the delay.

Access to Information

Under PIPA, data subjects may request a copy of their personal information from businesses in BC that have collected the data.  Businesses must provide access to a copy of the personal information, but such copy does not have to be in an easily transferable format.  GDPR, on the other hand, requires that the copy be provided in a structured, commonly used, machine-readable format.  This relates to the data subject’s right to data portability under GDPR, in which the data subject may request that the personal information, in transferable format, be transmitted to another controller.

Right of Erasure

Under PIPA, data subjects do not have the right to seek erasure of their personal information.  Businesses in BC do not have to delete such data, but they should not process data that is no longer necessary for the consented purpose.  GDPR, on the other hand, requires data that is no longer necessary to be erased without undue delay upon request of the data subject. If subject to GDPR, businesses in BC must act on a deletion request within one month, either to erase the requested data or seek an extension with explanations.

Privacy Impact Assessments (PIA)

PIA is an assessment performed to identify and mitigate privacy risks of processing personal information.  It involves a proportional exercise between the necessity of the personal information and risk of the processing based on the purpose of the processing and evaluation of the necessary security measures.  PIAs can be costly and time-consuming.

PIPA does not require organizations to complete PIAs before processing any personal information, although it may be good business practice to do so.  GDPR, on the other hand, requires organizations to complete PIAs before processing personal information.

Both PIPA and GDPR require businesses to appoint a privacy officer to ensure legal compliance with the respective law.  However, under GDPR, businesses in BC, as controllers or processors outside of the EU, will have to appoint a designated representative in one of the EU states where the data subjects reside, unless the processing is occasional and does not include, on a large scale, processing of special categories of data such as biometrics or data that poses a risk to the rights and freedoms of the data subjects.

How can businesses in BC comply with GDPR?

Obligations of Controllers and Processors

Affected businesses in BC should quickly determine whether they might be defined as a controller or processor; although GDPR has jurisdiction over both controllers and processors, controllers bear the majority of the compliance responsibilities.  As defined in GDPR, controllers set the purpose of the processing, while processors follow the instructions of the controllers.  In particular, a controller is required to use only processors providing sufficient guarantees to implement the required technical and organizational measures of the GDPR. These measures include: maintenance of the record of data, the appointment of a data privacy officer and an EU representative to report to the GDPR’s authorities, and data minimization.   It is prudent for businesses in BC to have data sharing agreements established with their clients who may be controllers or processors to allocate the risks and responsibilities.

Adequacy of Canadian Privacy Laws Pursuant to GDPR

Businesses in BC are subject to PIPA, the provincial act that governs privacy in the BC private sector.  PIPA is deemed to be substantially similar to the federal act, PIPEDA.  Since 2001, the EU has recognized PIPEDA as providing adequate privacy protection, which means that transfers of personal information of EU data subjects to organizations in Canada are permitted without additional safeguards.   This recognition was reaffirmed by the EU in 2006. With the implementation of GDPR, PIPEDA and consequently PIPA are likely to now be considered inadequate. While there are no sunset clauses to remove Canada’s adequacy status, the EU, pursuant to GDPR, will reevaluate Canada’s adequacy status by May 25, 2020.

Recommendations Moving Forward

Businesses in BC that are subject to GDPR should, if they have not already, review and update their privacy policies and data processing practices to be compliant with GDPR.  Even if GDPR is inapplicable, businesses in BC may eventually be held to similar standards locally as amendments to PIPEDA and possibly PIPA are being made to match GDPR’s standards.  For example, the most recent amendments to PIPEDA that impose requirements of mandatory breach notification on the Canadian private sector are in line with the updates imposed by GDPR, and it may be possible to further amend PIPEDA so that it complies with GDPR by May 25, 2020.

PIPA, which is designed to be substantially similar to PIPEDA, may be amended similarly.   Eventually, whether or not they are subject to GDPR, businesses in BC may have to comply with GDPR standards.

With GDPR in effect already and the anticipation that PIPEDA and PIPA will eventually include similar data privacy requirements, we have the following recommendations for businesses in BC:

  1. Review current data processing and business practices to determine if the business is subject to GDPR, directly or indirectly;
  2. Review current privacy policy and practices to determine if the business already meets certain requirements of the GDPR and update as necessary;
  3. Consider encrypting and de-identifying personal information as much as possible to minimize the application of privacy law and the possibility of data breaches;
  4. Consider upgrading current infrastructure to secure personal information collected; and
  5. Enter into data sharing agreements with clients who may be considered controllers or processors under GDPR.