
GDPR & ePrivacy Regulation: Impacts on Canadian Organizations



Presentation Transcript


  1. GDPR & ePrivacy Regulation: Impacts on Canadian Organizations
     Bill Hearn, Partner, Fogler, Rubinoff LLP
     David Young, Principal, David Young Law

  2. OVERVIEW
     • “GDPR 101” for Canadian organizations
     • GDPR gap analysis from a Canadian compliance perspective
     • “ePrivacy Regulation (“ePReg”) 101” for Canadian organizations
     • What Canadian organizations should be doing now about the GDPR and the ePReg

  3. EC DATA PROTECTION WEBPAGE

  4. “GDPR 101” for Canadian Organizations

  5. “GDPR 101”
     • In force since May 25, 2018
     • Potentially severe penalties for non-compliance
     • Scope: both substantive and territorial
     • Data subjects’ rights, including the right to
       • object
       • data portability
       • erasure
     • Controllers and processors: definitions and main obligations, including
       • data protection by design and by default
       • data processing contracts
       • notification of data breaches
       • data protection officer

  6. GDPR CENTRAL CONCEPTS AND KEY CHANGES: OVERVIEW (Source: Hengeler Mueller LLP, Germany)

  7. DATA SUBJECTS’ RIGHTS (Source: U.K. Information Commissioner’s Office)

  8. A GDPR GAP ANALYSIS FROM A CANADIAN COMPLIANCE PERSPECTIVE

  9. OVERVIEW
     • Obligations of controllers: accountability, infrastructure compliance, security, breach reporting
     • Obligations of processors: direct application of the law, contracting requirements, extra-territorial reach, cross-border transfers
     • Consent: how does it differ from the PIPEDA rules?
     • Legitimate interests, the alternative to consent: when is it available?

  10. OVERVIEW
     Short term (first year after May 25, 2018)
     • Show your commitment to the GDPR: document and plan your GDPR implementation; analyze and document the data processing in your company
     • Appoint a DPO
     • Visibility: check your website and get your data policy right
     • Prepare for and deal with information requests
     • Switch off obviously non-compliant features
     Medium to longer term
     • Privacy by design and privacy by default (unless you are in direct focus)
     • Data portability
     • Automation of processes

  11. OBLIGATIONS OF CONTROLLERS

  12. OBLIGATIONS OF CONTROLLERS

  13. OBLIGATIONS OF CONTROLLERS

  14. OBLIGATIONS OF CONTROLLERS

  15. OBLIGATIONS OF CONTROLLERS

  16. OBLIGATIONS OF CONTROLLERS

  17. OBLIGATIONS OF PROCESSORS

  18. OBLIGATIONS OF PROCESSORS

  19. OBLIGATIONS OF PROCESSORS

  20. LEGITIMATE INTERESTS AND CONSENT

  21. LEGITIMATE INTERESTS

  22. CONSENT

  23. CONSENT

  24. CONSENT

  25. “ePREG 101” FOR CANADIAN ORGANIZATIONS

  26. ePREG BENEFITS (Source: European Commission)

  27. ePREG
     • The ePReg is to replace the existing EU ePrivacy Directive (colloquially known as the “EU Cookie Directive”); many GDPR commentators don’t expect the ePReg to become law until 2020
     • The European Commission published its proposal for the ePReg only on January 10, 2017; it is a law separate from the GDPR
     • It complements and is aligned with the GDPR in that
       • a breach can attract the same severe financial penalties, i.e., up to the greater of €20 million or 4% of worldwide annual turnover
       • it will be enforced by the same supervisory authorities, i.e., the national privacy and information regulators of the EU Member States

  28. ePREG
     • The ePReg attempts to reinforce trust and security in the EU’s digital market
     • It will establish a new privacy legal framework for electronic communications
     • It has a very wide scope and will broadly apply to any organization that provides any form of online communication service, uses tracking technologies, or engages in electronic direct marketing

  29. ePREG
     • Specifically, the ePReg will apply to
       • organizations anywhere in the world that provide publicly available “electronic communications services” to users in the EU or that gather data from the devices of users in the EU; it applies even if there is “no charge” for the services
       • traditional ISPs and telcos, but also so-called “over-the-top” providers, such as VoIP services, text messaging and email providers, which are not subject to the current ePrivacy Directive
       • all electronic communications data, which includes both content (i.e., what was said) and metadata (i.e., who said it, when, where, and other related information about the communication)
       • anyone using cookies or similar tracking technologies
       • IoT and machine-to-machine communications

  30. ePREG
     • Among other things, the ePReg will
       • enhance “consent” requirements in line with the GDPR, and end-users will have to be reminded every 12 months of their right to withdraw consent
       • require website providers to present users with cookie consent choices
         • some EU legal commentators say this may lead to the end of cookie banners, in that clear affirmative action will be required to signify freely given, specific, informed and unambiguous consent to the storage of, and access to, third-party tracking cookies
         • consumers will be the ones setting their privacy settings via their browsers or any mobile apps they use
       • keep the exemption for analytics cookies

  31. ePREG
     • For direct e-marketing, the ePReg provides that
       • if B2C, the sender must obtain the opt-in consent of the recipient; consent will not be required, however, when marketing similar products and services to an existing customer, so long as the recipient is given the opportunity to object and opt out
       • if B2B, each Member State may put in place whatever it deems appropriate to ensure that the legitimate interests of corporate end-users are sufficiently protected from unsolicited e-communications

  32. WHAT SHOULD CANADIAN ORGANIZATIONS BE DOING NOW ABOUT THE GDPR AND THE ePReg?

  33. GET TO KNOW THE GDPR
     • Canadian organizations must assess to what extent the GDPR applies to their activities and what changes are required to comply
     • The organization’s legal and privacy professionals should make sure that key decision makers within the organization know that, since May 25, 2018, the EU’s privacy law has changed to the GDPR
     • If an organization is somehow unaware of the GDPR, the time to act is NOW!

  34. FIGURE OUT IF THE GDPR APPLIES
     • Again, many Canadian organizations are subject to the GDPR because they
       • have an establishment/physical presence in the EU, or
       • collect or process personal data of EU residents in order to offer goods or services (even at no charge), or
       • monitor the behaviour of individuals in the EU, or
       • are a third-party processor of EU personal data

  35. RESTRICT ACTIVITIES OR COMPLY?
     • If the GDPR applies to a Canadian organization’s activities, that organization must decide whether
       • to restrict its activities so that they fall outside the scope of the GDPR (e.g., stop providing services to EU residents, or stop processing data from individuals in the EU), or
       • to comply with the GDPR
     • If the decision is made to comply, the Canadian organization must then determine which GDPR obligations apply to it

  36. TAKE STEPS TOWARDS COMPLIANCE
     • The organization should conduct a compliance assessment of its current data protection policies and practices in order to identify gaps in relation to the GDPR’s requirements
       • If enforcement action is ever taken by the EU in the future, such an assessment may help the organization mount a successful defence or at least mitigate fines
     • Following this assessment, the organization can then develop strategies to achieve GDPR compliance in an effective and cost-efficient manner
       • e.g., consider whether it is possible for the organization to isolate all of its data that is subject to the GDPR and then implement a compliance plan only in respect of that data (as opposed to a plan across the entire organization)

  37. TAKE STEPS TOWARDS COMPLIANCE
     • There are many similarities between PIPEDA and the GDPR
     • So, Canadian organizations that are already PIPEDA-compliant have less work to do and should focus on designing and implementing policies and practices for those aspects of the GDPR where PIPEDA is not equivalent, such as ensuring the rights of individuals to
       • data portability (i.e., to port their personal data to another organization)
       • erasure (i.e., the right to be forgotten)
       • object to marketing and to decisions taken by automated processes
       • breach notification, e.g., “without undue delay and, where feasible, not later than 72 hours after having become aware of it”; if the notification is not made within 72 hours, the data controller must provide a “reasoned justification” for the delay

  38. TAKE STEPS TOWARDS COMPLIANCE
     • There are several steps for the organization to consider, including reviewing and revising, where required by the GDPR,
       • consent forms for EU residents
       • the selection process for, and contracts with, data processors
       • the qualifications, placement and duties of the organization’s Chief Privacy/Data Protection Officer (DPOs must be independent and must not be instructed how to do their job)
       • privacy and data protection policies
       • practices for handling the personal data of EU residents
       • the organization’s privacy compliance infrastructure (to ensure it satisfies the GDPR’s accountability requirements)

  39. ICO PUTS AGGREGATE IQ ON NOTICE (21 September 2018)
     The UK’s privacy regulator, the ICO, has given a formal notice to a Canadian firm embroiled in questions over Vote Leave’s use of data during the EU Referendum. Although most of the allegations concerning Aggregate IQ and its use of data relate to a period before May 25 of this year, and are therefore not potentially subject to a fine under the GDPR, the ICO is reportedly concerned about how the data continues to be used.

  40. CMA GDPR GUIDE

  41. CONTACT US
     Bill Hearn, Partner, Fogler Rubinoff LLP, bhearn@foglers.com, 416.941.8805
     David Young, Principal, David Young Law, david@davidyounglaw.ca, 416-968-6286