GDPR is one of those things that you\u2019ve either never heard of, or you\u2019re sick of it because people who care about privacy and digital information policy just won\u2019t stop talking about it in superlatives.<\/p>\n
\u201cIt\u2019s going to change the world,\u201d said Ann Cavoukian, a former Ontario privacy commissioner and now distinguished expert-in-residence at Ryerson University in Toronto.<\/p>\n
GDPR applies to any company anywhere in the world that collects or processes any information relating to an identifiable resident of the European Union.<\/p>\n
For example, any website that asks for a name, email address or any other potentially identifiable personal information needs to be GDPR compliant, or the company is tempting fate.<\/p>\n
![\"\"](\"http:\/\/wpmedia.business.financialpost.com\/2018\/04\/0427twitter.jpg?w=640&h=480\")
<\/a><\/p>\nAny website that asks for a name, email address or any other potentially identifiable personal information needs to be GDPR compliant.<\/p>\n<\/div>\n
Under GDPR, the potential penalties for non-compliance are immense. For the worst offenders, European regulators are empowered to levy fines of up to 20 million euros or four per cent of a company’s annual global revenue \u2014 whichever is greater.<\/p>\n
Europe’s new rules come at a time when data breaches are becoming almost mundane. In April alone, Saks Fifth Avenue disclosed that hackers stole credit and debit card information on 5 million people, and a security researcher revealed to a Canadian parliamentary committee that he had discovered a data breach of 48 million people’s personal information.<\/p>\n
Neither story caused much more than a ripple, but the Cambridge Analytica scandal sure caught people’s attention.<\/p>\n
Facebook Inc. profile information on 87 million users was improperly obtained by Cambridge Analytica, which reportedly attempted to make psychological profiles of users in an effort to influence the U.S. presidential election for Donald Trump.<\/p>\n
In the scandal’s aftermath, politicians in Canada, the U.S. and Europe have been talking about ways to bring in tougher regulations related to online privacy rights.<\/p>\n
But it’s a coincidence that the GDPR enforcement deadline looms just as many people are becoming more aware of the privacy issues associated with companies such as Facebook and Google since the law has been in the works for years.<\/p>\n
\u201cMost businesses, I would say, are not prepared,\u201d said Paige Beckman, chair of the privacy and data security group at Aird & Berlis LLP, a Toronto law firm. \u201cI don\u2019t think they\u2019re even aware that it\u2019s going to impact them.\u201d<\/p>\n
![\"\"](\"http:\/\/wpmedia.business.financialpost.com\/2018\/04\/0427facebook.jpg?w=640&h=480\")
<\/a><\/p>\nA demonstrator wears a mask depicting Facebook Inc. Chief Executive Officer Mark Zuckerberg, centre, as he stands with demonstrators wearing angry emoji masks outside the venue of a U.K. parliamentary committee hearing in London, U.K., on Thursday, April 26, 2018.<\/p>\n<\/div>\n
What does GDPR actually require companies to do? A lot.<\/p>\n
For starters, companies will have to offer clearer explanations about what data is being collected and how it\u2019s going to be used. The dense legalese of lengthy terms and conditions agreements will no longer cut it.<\/p>\n
\u201cConsent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language,” GDPR states. “Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.\u201d<\/p>\n
Simply put, a company has to clearly spell out to the user \u2014 in advance \u2014 why it is collecting personal information. A user can revoke consent at any point: \u201cIt shall be as easy to withdraw as to give consent,\u201d the regulation states.<\/p>\n
GDPR also includes sections that give users the right to see a copy of all their personal data a company might hold, and a company must inform affected users of a known data breach within 72 hours.<\/p>\n
The consent provisions have the potential to have the most impact on companies, because GDPR kills the business model of scooping as much data as possible through a free service, and then figuring out how to monetize it later.<\/p>\n
\u201cIt\u2019s going to hit online advertising the hardest, because there\u2019s now a more clear opt-out right away from advertising,\u201d Beckman said. \u201cWe\u2019re going to see a lot more opt-out rights.\u201d<\/p>\n
GDPR is also creating headaches for companies that offer services such as cloud storage and digital security, since they will need to build new mechanisms that track data in order to demonstrate compliance on behalf of their clients.<\/p>\n
One such company, Redwood City, Calif.-based cloud storage company Box, has built a system to track which specific servers are storing customer data.<\/p>\n
\u201cSome of those regulatory obligations may be data residency issues,\u201d said Crispen Maung, Box\u2019s vice-president of compliance. \u201cSo because we wanted to make sure our customers were whole, and we didn\u2019t want them to fragment any cloud implementation, we developed Box Zones, which enables us to actually store content within their geographic regions.\u201d<\/p>\n
That Europe is leading the world when it comes to privacy and data protection should not be a surprise. In recent years, it has forced the big search engines to eliminate links from their search results as part of a \u201cright to be forgotten\u201d for citizens, and it also hit Google LLC with a fine of 2.4 billion euros for anti-competitive practices last year.<\/p>\n
\u201cIt\u2019s no accident that Germany is a leading privacy and data protection country in the world,\u201d Cavoukian said. \u201cIt\u2019s no accident that they had to endure the abuses of the Third Reich and the complete cessation of all of their privacy and freedom. And when that ended, they said, \u2018Never again will we allow the government to do that.\u2019\u201d<\/p>\n
It\u2019s also easier for Europe to get tough on the internet giants, since most of them are U.S. companies, said Michael Geist, Canada research chair in internet and e-commerce law at the University of Ottawa.<\/p>\n
He added the EU tends to favour a human rights approach to regulation that puts citizens’ rights ahead of corporate interests.<\/p>\n
\u201cIn the United States, a sort of freedom-of-contract commercial approach tends to be the more dominant paradigm of privacy, and Canada sort of finds itself somewhere in the middle,\u201d Geist said.<\/p>\n
But as GDPR changes the international standard for privacy protection, the middle ground is shifting too, and Canadian companies will need to figure out how to react.<\/p>\n
Currently, Canada enjoys an \u201cadequacy\u201d designation that means the EU believes its laws are good enough that data can travel freely back and forth between the two regimes. Other countries that don’t have such recognition have to jump through extra legal hoops to ensure compliance.<\/p>\n
Now, Canada’s adequacy designation is in doubt.<\/p>\n
Chantal Bernier, former interim Canadian privacy commissioner and privacy and digital security lead at law firm Dentons Canada LLP, in July 2017 wrote an article headlined, \u201cYes \u2014 Canada could lose its adequacy standing.\u201d<\/p>\n
Bernier said she believes GDPR will drive a global standard, partly because countries and companies want to maintain a trade relationship with Europe, but also because citizens will demand it.<\/p>\n
![\"\"](\"http:\/\/wpmedia.business.financialpost.com\/2018\/04\/0427bernier.jpg?w=640&h=480\")
<\/a><\/p>\nChantal Bernier, former interim Canadian privacy commissioner and privacy and digital security lead at law firm Dentons Canada LLP.<\/p>\n<\/div>\n
\u201cI think that the ecosystem will transform towards a fairer deal,\u201d she said. \u201cPeople are now speaking of refusing to download apps that they feel are overly intrusive, walking away from platforms they feel are overly intrusive.\u201d<\/p>\n
Federal politicians have already been mulling over the looming changes. At a parliamentary committee meeting on April 17, Conservative MP Peter Kent mused about Canada adopting something akin to GDPR, and asked federal privacy commissioner Daniel Therrien about it.<\/p>\n
\u201cThe European model is certainly a good model, and I\u2019ve made a number of recommendations inspired by that model,\u201d Therrien responded. \u201cBut the main point is that it is high time \u2014 it is past time \u2014 to legislate.\u201d<\/p>\n
But two days later at a follow-up committee meeting questioning Kevin Chan, Facebook Canada Ltd.’s head of public policy, Kent hinted at the risks associated with embracing stiffer European-style regulation.<\/p>\n
Kent brought up a visit last year to Facebook\u2019s U.S. offices where a group of MPs talked about potentially reforming Canada\u2019s privacy laws.<\/p>\n
\u201cNow, we were told almost in passing that any new Canadian regulations might well put at risk Facebook investments in Canada, along the lines of the $7 million invested in the artificial intelligence project in the Montreal hub,\u201d Kent said, before asking Chan whether Facebook still feels that way.<\/p>\n
Chan denied the company would ever operate like that.<\/p>\n
\u201cWe certainly do not base our investment decisions on the specific regulatory environment,\u201d he said. <\/p>\n
A week later, when Facebook reported its quarterly earnings, chief financial officer David Wehner told analysts the company expects user numbers to stay flat, or even decrease a bit in Europe once GDPR comes into force.<\/p>\n
Wehner downplayed the potential impact on Facebook advertising, pointing out that GDPR affects everyone in the online advertising world, so the trick is to stay ahead of the competition. “We\u2019ll just have to watch how that plays out over time,” he said.<\/p>\n
Watch and wait might work for Facebook, which has been preparing for GDPR for a long time, but lawyer Paige Beckman said it’s already too late for smaller companies to start getting ready. She said the looming regulation is like a dark cloud threatening to burst once European regulators get to work.<\/p>\n
“We are a month away. It\u2019s unrealistic for people starting now to be fully compliant,” she said. “All we can do with businesses that come to us who are impacted, we say \u2018Let\u2019s start hitting the high points. Let\u2019s hit the most sensitive points. Let\u2019s start complying as much as we can, and then build out a compliance plan in as short order as possible,\u2019 understanding that a month isn\u2019t long enough, and there will be risks after that.” \u2022 Email: jmcleod@nationalpost.com<\/a> | Twitter: jamespmcleod<\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":" Any website that asks for a name, email address or any other potentially identifiable personal information needs to be compliant, or the company is tempting fate<\/p>\n","protected":false},"author":578,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[],"tags":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/blog.lifeinsurance-orleans.ca\/index.php\/wp-json\/wp\/v2\/posts\/7612"}],"collection":[{"href":"https:\/\/blog.lifeinsurance-orleans.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lifeinsurance-orleans.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lifeinsurance-orleans.ca\/index.php\/wp-json\/wp\/v2\/users\/578"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lifeinsurance-orleans.ca\/index.php\/wp-json\/wp\/v2\/comments?post=7612"}],"version-history":[{"count":1,"href":"https:\/\/blog.lifeinsurance-orleans.ca\/index.php\/wp-json\/wp\/v2\/posts\/7612\/revisions"}],"predecessor-version":[{"id":7614,"href":"https:\/\/blog.lifeinsurance-orleans.ca\/index.php\/wp-json\/wp\/v2\/posts\/7612\/revisions\/7614"}],"wp:attachment":[{"href":"https:\/\/blog.lifeinsurance-orleans.ca\/index.php\/wp-json\/wp\/v2\/media?parent=7612"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lifeinsurance-orleans.ca\/index.php\/wp-json\/wp\/v2\/categories?post=7612"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lifeinsurance-orleans.ca\/index.php\/wp-json\/wp\/v2\/tags?post=7612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n
\nFinancial Post<\/em><\/p>\n