
Canada should follow EU’s privacy changes: Bauer


TORONTO — The European Union's new privacy protection rules are being described as a game-changing new standard that's already being felt in Canada as companies with transatlantic operations get ready for the sweeping changes that come into effect later this month.

Through the General Data Protection Regulation (GDPR), the EU will attempt to impose fines of up to four per cent of a company's worldwide annual turnover (or 20 million euros, whichever is higher) on businesses that violate the rights of people in the EU, no matter where the business is based or where the violation occurs.

The pro-consumer GDPR's scope is sweeping — everything from giving people an opportunity to obtain, correct or remove personal data about themselves to outlining rules for disclosing security breaches.

Canada's federal privacy rules have yet to be updated to the higher standards set by the GDPR, but many of the services used by Canadians are already getting ready for its arrival.

``The direct effects for Canadian consumers will arise predominantly in their dealings with multinational corporations, the companies that do business across borders,'' said University of Ottawa law professor Teresa Scassa.

Facebook and Yahoo are but two of the global services that have notified their users of changes to their terms of service and privacy policies ahead of May 25, the day the GDPR takes effect. But they've taken radically different approaches.

Yahoo's parent company Oath, for example, has created separate policies for the different markets it serves, resulting in very different privacy provisions for Canada and the United States than for Europe.

Facebook, by contrast, has committed to applying the EU's General Data Protection Regulation to its operations worldwide.

Ann Cavoukian, a former Ontario privacy commissioner now at Ryerson University in Toronto, says Facebook had also considered separate policies for EU and non-EU markets before the Cambridge Analytica ``debacle.''

``But, come on, they had to do something. Right?'' she said.

The data firm at the centre of Facebook's privacy scandal, Cambridge Analytica, is declaring bankruptcy and shutting down after it was revealed the firm had harvested Facebook data to build psychological profiles on a large portion of the U.S. electorate. The company was able to amass the database quickly with the help of an app that appeared to be a personality test. The app collected data on tens of millions of people and their Facebook friends, even those who did not download the app themselves.

Cavoukian believes Canada will have to do something to bring its privacy laws up to par with the new EU standards to avoid conflicts between the two jurisdictions.

``And when they do, that's how Canadian consumers will benefit from the GDPR,'' Cavoukian said.

In an interview with AdvocateDaily.com, Toronto litigator Sharon Bauer says the GDPR is pro-consumer legislation that gives control over personal data to its rightful owner: the consumer, and she suggests the right to privacy should be universal, not jurisdictional.

“Yahoo, for example, is declaring that consumers should have control over their information,” says Bauer, a partner with Wolfe Lawyers. “If this is the case, why is it only providing access to EU consumers and not to those outside the EU?”

The GDPR sends the message that if organizations want to collect, use or distribute data, they must do so in an ethical manner, Bauer says.

“It mandates transparency and accountability to an extent never seen before with significant fines for organizations that breach the regulation.”

Canada’s privacy legislation for private sector organizations, Personal Information Protection and Electronic Documents Act (PIPEDA), is not as robust as the GDPR, Bauer says.

“The most evident hole in PIPEDA as it compares to the GDPR is ‘data portability,’” she says. “PIPEDA gives consumers the right to have access to their personal information; however, the GDPR takes it one step further and allows consumers to receive their personal data in a structured format and transfer it to another service provider.”

Further, PIPEDA allows for implied consent in some situations while the GDPR does not, Bauer points out.

“The GDPR does not allow for a bundled consent, but rather, requires a layered approach. It also provides for an age requirement for valid consent, which PIPEDA does not. While PIPEDA grants consumers the right to withdraw consent or challenge inaccurate personal data, the GDPR allows consumers to erase it in certain circumstances,” she says.

Canada would do well to revamp its privacy laws along the same lines as GDPR, Bauer suggests.

“It is not unfathomable to think that Canada will slowly follow suit and incorporate many GDPR standards in its own privacy legislation,” she says. “This will make for an easier and more efficient trade economy between Canada and the EU. Furthermore, as the privacy rights of EU citizens become more noticeable, Canadian citizens will demand the same rights.”

Federal privacy commissioner Daniel Therrien has already been pushing elected politicians to move closer to the European model and to give his office increased powers.

But at this time, Therrien's biggest impact has been investigations of security breaches at Equifax, Uber, Facebook and others. Organizations will soon be required by federal law to report serious breaches to the federal privacy commissioner.

Federal data breach regulations set to take effect Nov. 1 will require mandatory reporting of security breaches that pose a ``real risk of significant harm,'' but stop short of the strict reporting requirements in the GDPR.

The regulations require organizations to determine whether a data breach poses a real risk of significant harm to any individual whose information was involved and, if so, to notify the federal privacy commissioner and the affected individuals ``as soon as feasible.'' They give organizations flexibility to notify individuals by any means a reasonable person would consider appropriate, such as phone, email or advertisement.

By contrast, the GDPR gives organizations in control of data no more than 72 hours after becoming aware of a breach to notify the supervisory authority, unless the breach is unlikely to result in a risk to individuals' rights and freedoms, and requires them to give reasons for any delay. If the breach is likely to pose a high risk to rights and freedoms, the affected individuals must also be informed without undue delay.

Therrien's office confirmed this week that it's investigating recent revisions to the Yahoo terms of service, part of a GDPR-related effort by its parent Oath, which also owns Huffington Post, TechCrunch and AOL.

One clause of Oath's Canadian terms of service, in particular, outraged consumers when they discovered they were consenting to allow Yahoo to use the email addresses and phone numbers of friends and other contacts. The company has since removed the clause.

In the version of Oath's revised terms of service that covers the European Union, the company prominently states that users can review or edit marketing preferences, advertising settings and other personal information or withdraw consent for the Oath group to process their information.

``We believe that you should have control of your information,'' it said.

By contrast, there's no reference to withdrawing consent for the use of personal data in the North American version of Oath's terms of service. Instead, it says ``by using the services you agree to our privacy policies ... We can only provide many of these services by using your personal data to provide personalized content and ads.''

Scassa, who holds the Canada Research Chair in Information Law, says terms of service have historically provided consumers with little choice if they want the product or service.

``Either you agree to all of this or you don't get the service,'' she said.

``So it becomes one of those things that, I think, is largely considered to be a bit of a joke. Not a good joke, but a joke.''

Cavoukian is encouraged that the GDPR requires companies to get consumers' clear and explicit consent. It also gives people the right to know what data about them is being collected, the right to get a copy of that data to take elsewhere and the right to demand that personal data is erased.

``It's the exact opposite of what happens now,'' Cavoukian said.

``This is such a game-changer.''

© 2018 The Canadian Press

 — with files from AdvocateDaily.com
