Failure to comply with GDPR could see fines of over EUR 40M. How concerned should Canadian businesses be about this legislation applying to them?
This is Part 1 of a series on Data Protection, Privacy and Compliance. Part 2 will provide an actionable checklist of digital measures to achieve GDPR compliance.
Today (May 25th, 2018) marks the day that the GDPR (“General Data Protection Regulation”) legislation comes into full effect in the European Union. GDPR is designed to protect European citizens by regulating the processing, transfer and protection of anything that can be considered their private or personally identifiable information. This extends beyond email addresses and phone numbers to date of birth, social media handles, IP address, country of origin, and demographic information.
While GDPR is a European law, it explicitly states that any company (or company property such as a mobile app or website) that is accessed by a European citizen falls under its jurisdiction as well. Penalties are severe: up to 20 million Euros, or 4% of global turnover, whichever is highest.
Chances are, if you’re reading this blog post, the most pressing question on your mind is: “Does GDPR apply to my business and marketing efforts?”
Or more to the point: “Can I be fined for non-compliance?”
It turns out that the answer for Canadian organizations is not cut-and-dried, and indeed is open for interpretation. The safest recourse, then, is for all businesses (globally) to upgrade their policies, procedures and digital marketing properties to achieve full GDPR compliance. Avoiding potentially crippling penalties notwithstanding, the intentions of GDPR (data protection, data privacy and human rights observance) are coming from the right place, so there are ethical considerations that lend weight to this decision.
But speaking realistically from a business perspective, achieving full compliance with GDPR can be quite an undertaking. In fact, this legislation has been on the table for well over 2 years to allow companies around the globe to upgrade their data handling and disclosure practices. The operational and technical costs of achieving compliance are not negligible – indeed, today on the 1st day of GDPR applicability we have seen dozens of US news organizations shut down their feeds and websites in Europe rather than achieve compliance.
Savvy marketers and business owners must carefully weigh the costs of achieving GDPR compliance against the likelihood that GDPR legislation actually applies to their operations.
Unfortunately the core documents (found at this cryptic web address – http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679) are difficult to parse and quite open to interpretation as far as compliance eligibility for non-EU organizations, and the official site (buried deep on the European Commission’s website here: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en) is very EU Citizen-centric. This has given rise to a veritable industry of “GDPR Compliance” consultancies, with each posting their own distilled and filtered set of guidelines and checklists (just do a search for GDPR in your favourite search engine and you’ll see for yourself).
In the course of our research for the purpose of advising our own customers on steps they should take, we have waded through the morass of summaries, recommendations and opinions and have synthesized what we feel is a relatively clear set of criteria to which Canadian marketers and businesses can refer to evaluate their exposure to GDPR legislation (and hence their risk of being targeted by legal action for non-compliance). We share these criteria here, under the proviso that we are not a GDPR consultancy and that this article does not constitute legal advice. Our formal position on GDPR is that all organizations, even in Canada, should take whatever measures they can to achieve the highest standard of data privacy and protection, which includes CASL, PIPEDA and now GDPR compliance.
While US companies have recourse to the EU-US Privacy Shield agreement, which was designed to provide a measure of confidence to companies that self-certify that they comply with European data handling and transfer standards (a significant component of GDPR), PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act) currently (as of May 2018) offers no such peace-of-mind.
The Office of the Privacy Commissioner of Canada explicitly states that it “… is not responsible for enforcing compliance with the GDPR” in their February 22, 2018 announcement. It is up to Canadian companies to inform themselves and make their own determination about the extent to which GDPR applies to them.
So let’s start at the beginning. From the Office of the Privacy Commissioner of Canada we learn that
Canadian organizations may [my emphasis] need to comply with the GDPR if they:
- Have an establishment in the EU; or
- Are located outside the EU but either “offer goods or services” to or “monitor the behaviour” of individuals in the EU.
Let’s unpack this. First, note the “may” – even if your organization meets one of the two criteria listed, that does not necessarily mean that GDPR applies to you. However, it’s safe to say that if either (or both) of those criteria (having a physical presence in Europe, or explicitly selling or marketing to Europeans or monitoring their behaviour) apply, you should definitely sit up and pay attention.
I’m going to make a broad assumption here: if your organization has an office and staff permanently based in Europe, GDPR has already been on your radar, possibly for years, and you have already taken legal counsel on the matter (if not, please do, without delay!). The second criterion, however, is at once much broader and more ambiguous. There are numerous interpretations of this statement and there has been very little further disambiguation from official sources. Unfortunately, this clarity will likely only be achieved through legal decisions taken by judges in the arbitration of court cases related to GDPR and fines charged against international entities.
In this light, it’s prudent to play it safe.
For this reason, what follows is framed as “if you meet these criteria, GDPR likely applies to you” rather than “if none of these criteria apply, you can safely ignore GDPR.” At this point, it is certainly not safe to ignore GDPR.
GDPR legislation, and compliance with it, is relevant to any company that:
- Offers goods and services to EU customers
- Tracks customer-specific data from users that could include EU users
- Leverages third-party platforms / social media platforms to engage in interest-based advertising to EU customers
- Offers account or subscription-based services to users who could be from the EU
But, this is only relevant insofar as the company collects, handles or transfers personally identifiable or private data. If, for example, your only eligible property is a web blog that features articles (even if explicitly targeted toward European customers), and you collect no data whatsoever about your readers, then it’s possible GDPR does not apply to you.
Be careful, however: you may be collecting data that qualifies as “personally identifiable” without even knowing it.
For example, your website might be tracking user activity via “cookies” for the purpose of generating demographic metrics, or you might be determining a user’s precise location in order to serve relevant content or select a language. Third-party marketing partners or social networks integrated with your site may have their own non-compliant tracking mechanisms, which puts your organization on the hook.
There is much ambiguity in some of the applicability criteria. What exactly constitutes “offering goods and services to EU customers”?
It’s pretty clear that if you have a subscription-based service that is open to Europeans, or if you sell and ship goods to Europe, your organization certainly falls under GDPR.
Implied in any subscription-based service or e-commerce offering is the collection of personal data required to fulfill the service or transaction. Insofar as this data is required in the fulfillment of business, it is not against GDPR to collect this information. However, there are many considerations in how your organization processes, protects, anonymizes, transfers and deletes this data that are explicitly stated within the GDPR regulations and must be strictly adhered to, both from a procedural and technical standpoint.
When weighing the economics and responsibility of adopting GDPR measures, it is also useful to consider the likelihood of your non-compliance being discovered by, and further disputed by, a European body. Certainly the local privately-owned pizzeria that only delivers within a 10km radius in a small town in Saskatchewan is significantly less likely to come under GDPR scrutiny than the Markham, Ontario-based custom parts manufacturer that supplies specialty components to the commercial drone industry. Some discretion is recommended here.
Much like AODA (the Accessibility for Ontarians with Disabilities Act), which can fine companies for not having accessible practices (including a corporate website that does not meet AODA standards), it is the threat of fines, far more than the actual number of fines levied, that does the work of driving organizations toward 100% compliance.
At the end of the day, businesses must evaluate their ethical and corporate mandate for full GDPR compliance against the complexity and cost of implementation and the likelihood of enforcement in each specific case. When there is doubt regarding the applicability of GDPR, it is always advisable to seek legal counsel, particularly from firms that specialize in international and digital privacy law.
To further help you evaluate the technical and operational cost of achieving GDPR, CASL and PIPEDA compliance in your digital marketing efforts, we will be continuing the discussion of data privacy implications with a look at the tactical technical changes Canadian companies should adopt in Part 2 of this blog series [coming soon].