A Brief Orientation for Canadian Organizations
State borders cannot contain the Internet; data flows freely through national boundaries, and e-commerce and outsourcing continue their rapid global expansion. Nowadays, it’s not just giant corporations that have an international commercial reach – someone in rural Nova Scotia with a specialty online business may have customers all over the world.
Data’s fluid and global nature creates a complicated network of international legal obligations. If you have clients or customers in the United States or the European Union, or are receiving personal data flows from either, you’ll need to be familiar with how each responds to data privacy concerns.
- If you’re doing business with US clients, opening a new office south of the border, or managing flows of US personal data, you’ll need to make sure that your company’s privacy policies and practices meet the requirements of US data protection legislation.
- If your organization employs US-based companies to manage data or communications, you need to understand how US privacy legislation, standards, and enforcement differ from the Canadian regulatory system.
- If you’re doing business with clients in the EU, or managing personal data from people in the EU, you need to make sure that you’re in compliance with the EU General Data Protection Regulation (GDPR). The EU’s definition of personal data includes identifiers such as IP addresses and cookies, so if you use any kind of online tracking or web analytics that could be following people in the EU, you have to comply with the GDPR.
Different Privacy Cultures
It is challenging to compare Canadian, US and EU privacy law because each jurisdiction has a distinct regulatory approach.
The US legal approach to privacy protection is sector-specific (or vertical), and laws are often focused on specific technical safeguards. Personal data is considered to be the property of the organization that holds it. Privacy is governed by a patchwork of sectoral legislation and federal and state laws, and privacy standards are largely established by case law. It is often difficult to assess what level of data protection is in place when personal data is transferred to the US.
Outside of regulated sectors such as healthcare and banking, the Federal Trade Commission (FTC) is the primary federal privacy regulator in the US. The Federal Trade Commission Act is a general consumer protection law that prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC has general authority to issue consumer protection regulations and to investigate corporate compliance with posted privacy policies. State privacy laws are also important; all US states have specific legislation on breach notification. Of state laws, the broadest in scope is the 2018 California Consumer Privacy Act (CCPA), which sets a benchmark for data protection. While US legislation is far from comprehensive, enforcement is robust. The FTC has issued fines of up to $100 million to companies that have failed to protect personal information from theft.
| | Canada | United States | European Union |
|---|---|---|---|
| Regulatory Approach | Integrated (some sector-specific laws), principle based | Sector-specific, technically focused | Integrated, principle based |
| Data Ownership | Data subject | Data holder | Data subject |
| Key Laws | PIPEDA | FTC Act/case law, state laws (CCPA) | GDPR |
| Principal Regulator | Privacy Commissioners | Federal Trade Commission | Data Protection Authorities |
The EU, on the other hand, has the most comprehensive data protection framework in the world. The General Data Protection Regulation protects the personal data of people in the EU, regardless of where the organizations collecting or processing the data are based. Data protection is understood to be a fundamental individual right, and data subjects are designated as the owners of their own personal data. Organizations that manage personal data are required to:
- enable data subjects to control their personal data,
- implement data protection by design and by default,
- demonstrate compliance with the Regulation, and
- ensure that any third party data processors are compliant.
The GDPR is enforced by the data protection authority of each EU member state, which has the power to issue warnings, rectification orders, and orders suspending data processing and data flows. Data protection authorities can also issue fines of up to €20 million or 4% of a company’s global annual turnover, whichever is greater.
Because of the broad similarities between the EU and Canadian approaches to privacy, the European Commission has declared Canada to be an “adequate data protection” jurisdiction. This means that, at least for now, data can be easily transferred from the EU to Canada. Canadian data recipients are still responsible for compliance with the GDPR. The US is not deemed an “adequate data protection” jurisdiction. The European Court of Justice recently struck down the Privacy Shield agreement, which set out principles for transfers of personal data from the EU to the US. US companies handling personal data pertaining to people in the EU are now required to sign non-negotiable standard contractual clauses established by the European Commission, which are themselves under scrutiny.
Compliance with US Privacy Regulations
If you are managing personal data from clients or customers in the US, you will need to make sure that you are in compliance with applicable federal and state legislation. Keeping up with new developments in legislation and enforcement can be challenging, so it is better to stay ahead of regulatory changes. Implementing privacy best practices very often mitigates the majority of legal compliance issues.
Fair Information Practice Principles have been developed as a gold standard to help organizations manage personal data. In the US, two complementary sets of practice guidelines are of primary importance: President Obama’s and the FTC’s 2012 privacy reports. The Obama report, titled Consumer Data Privacy in a Networked World, includes a Consumer Privacy Bill of Rights which articulates general privacy principles to follow. The FTC report, Protecting Consumer Privacy in an Era of Rapid Change, outlines technical best practices.
What About US-Based Cloud Services?
The most common question I hear about US privacy standards from Canadian organizations is not whether they need to comply with US privacy law, but rather, how they can employ US-based cloud services in compliance with Canadian law. Small and mid-sized companies often look to the cloud for content management options, as cloud solutions are flexible, scalable, and cost-effective. However, it’s risky for a business to store all of its data in the cloud, or on online platforms, for several reasons:
- Cloud platforms are often the target of external hacks, which can lead to the unauthorized disclosure of personal records. This has recently hit home for many Canadian non-profit organizations using Blackbaud for donor relations management, who are now trying to find out whether donor information was compromised in a ransomware attack.
- Data hosted by US-based cloud operations is open to government surveillance under far-reaching US national security laws.
- Should a breach occur, an online platform may need to be put into lockdown to contain the damage – data may even need to be deleted – which will disrupt service provision.
All these issues can be sidestepped by choosing a server-based records management system, and making sure that you have an integrated back-up system as well – this will help ensure continuity of service in the event of a data breach.
As Ann Cavoukian, former Ontario Information and Privacy Commissioner has said, “You can outsource services, but you cannot outsource accountability.”
Compliance with the EU GDPR
Any Canadian organizations that manage personal data from people in the EU will need to assess their compliance with the GDPR. This usually means a comprehensive review of your data management practices to ensure that they respect the rights of data subjects and fulfill the responsibilities of data controllers and processors as defined by the GDPR.
To bring your organization into compliance, it will be helpful to assess the following areas:
The principles and requirements of the GDPR are generally quite clear and concrete; most of the work towards compliance lies in implementation, not interpretation. After a review of your policies and practices, if there are any points of uncertainty, it may be helpful to consult with a legal expert to understand your organization’s obligations, and ensure that appropriate steps are taken to meet them.
This article is based on my book, Privacy In Design: A Practical Guide to Corporate Compliance.