You may have noticed your email inbox overflowing this month with emails from companies and apps—from Quora to Ticketmaster to Apple to Spotify—appealing to let them keep in touch with you and outlining changes to their privacy policies.

That’s because on May 25th, the General Data Protection Regulation, Europe’s landmark new set of data rules, will go into effect.

The 99 articles contained in the 88 pages of the GDPR represent the most extensive overhaul of data protection rules in Europe in a generation—and they affect companies and consumers in Europe and beyond, including Canadians.

Ann Cavoukian, who served three terms as Ontario’s privacy commissioner, said in an interview with CTVNews.ca that the GDPR is “a game changer,” particularly at a time when “concern for privacy is at an all-time high.”

What is the GDPR?

The GDPR was designed to tighten and harmonize data privacy laws across Europe and to give individual consumers enhanced data protection rights and more control over how their data is used.

Supporters of the legislation say that recent revelations about how the now-defunct political consulting firm Cambridge Analytica may have acquired the data of 87 million Facebook users in a possibly nefarious fashion highlight the need for it.

Though the European Parliament and the European Council adopted the legislation in April 2016, they gave countries and companies a two-year grace period to allow them to prepare for and implement the sweeping changes.

The legislation makes “privacy by design,” a framework designed by Cavoukian, mandatory, and requires any requests for consent to process personal data to be easy to find and written in plain language.

“Privacy is the default,” said Cavoukian. “Instead of you having to scour to find the opt-out box, it’s the exact opposite.”

Firms can collect only the data necessary for their services to work and if they wish to use data for a different purpose, they must obtain consent from users.

They will have to appoint data protection officers and provide notice to regulators and consumers of any data breaches within 72 hours, a dramatic change from the way companies like Equifax and Uber have responded to such breaches in the past.

Consumers covered under the law can demand to view—for free—all of the data a company has about them and how it’s being used.

They can also request to have their data deleted or corrected, and will be able to download their data and take it elsewhere, such as from one music streaming service to another.

The GDPR covers both personal data, like your name and phone number, as well as personal sensitive data, like your religion or criminal record.

What happens if companies don’t apply?

Penalties for non-compliance include limits and outright bans on data processing and compulsory audits of data handling.

Regulators will also look to hit the pocket books: Companies can be fined up to 4 per cent of their global revenue or €20 million, whichever is larger.

Why does this European law affect Canada?

The GDPR applies to everyone from big multinationals to small, family-owned businesses, and from nonprofits to entrepreneurs, irrespective of where they are located as long as their business targets users in the EU.

Though companies only have to comply with the new rules with respect to their European customers, some—like Microsoft—say it will be unfeasible to have more than one set of rules around the world and are choosing instead to implement one standard universally.

Beth Dewitt, the Canadian leader for data protection and privacy at Deloitte, said in an interview with CTVNews.ca that eventually, the GDPR could become “a global standard” for data privacy and protection legislation. Governments in Argentina and Japan are already beginning to align their national data protection policies with the law.

Many large Canadian companies are “well down the path towards compliance with the GDPR or are compliant,” Dewitt said, but some smaller ones “are just waking up to it right now.”

How does the GDPR compare to Canadian data privacy laws?

The European law is much stronger than its Canadian equivalent, the Personal Information Protection and Electronic Documents Act.

Canadian companies that must comply with the GDPR are finding there is “an uplift” in their privacy requirements when it comes to individual consumer rights such as the right to be forgotten or the right to take their data elsewhere, said Dewitt.

Canada’s new federal data breach regulations, for instance, which will be implemented in November, require companies to report security breaches that pose a “real risk of significant harm” to the federal privacy commissioner and consumers “as soon as feasible”—a less strict standard than the 72 hour timeline outlined in the GDPR.

“With the GDPR, our laws are now lacking,” Cavoukian said, adding that the inferiority of Canada’s legislation makes her optimistic that there will be “a real push to upgrade our laws here.”

“It would be almost like a step back for us not to raise the bar as well,” she said.

With files from the Canadian Press