DATA TRACKERS ARE PUT ON NOTICE
Tough European privacy rules with fines of up to 20 million euros
Twitter denizens looking to catch up on the latest news and Kanye tweets this week were interrupted with a full-screen pop-up message telling them the site was updating its terms of service and privacy policy effective May 25.
Even though the message didn’t say it outright, the date was a hint that big changes in data protection controls are coming and it’s not just because Twitter Inc. thinks offering more transparency and added privacy controls is the right thing to do.
On May 25, Europe’s General Data Protection Regulation (GDPR) comes into force and it should have every company with a significant online presence scrambling to get ready since they could be dinged with millions of dollars in fines if they don’t comply with the new regulations.
GDPR is one of those things that you’ve either never heard of, or you’re sick of it because people who care about privacy and digital information policy just won’t stop talking about it in superlatives.
“It’s going to change the world,” said Ann Cavoukian, a former Ontario privacy commissioner and now distinguished expert-in-residence at Ryerson University in Toronto.
GDPR applies to any company anywhere in the world that collects or processes any information relating to an identifiable resident of the European Union. For example, any website that asks for a name, email address or any other potentially identifiable personal information needs to be GDPR compliant, or the company is tempting fate.
Under GDPR, the potential penalties for non-compliance are immense. For the worst offenders, European regulators are empowered to levy fines of up to 20 million euros or four per cent of a company’s annual global revenue — whichever is greater.
Europe’s new rules come at a time when data breaches are becoming almost mundane. In April alone, Saks Fifth Avenue disclosed that hackers stole credit and debit card information on five million people, and a security researcher revealed to a Canadian parliamentary committee that he had discovered a data breach of 48 million people’s personal information.
Neither story caused much more than a ripple, but the Cambridge Analytica scandal sure caught people’s attention. Facebook Inc. profile information on 87 million users was improperly obtained by Cambridge Analytica, which reportedly attempted to make psychological profiles of users in an effort to influence the U.S. presidential election for Donald Trump.
In the scandal’s aftermath, politicians in Canada, the U.S. and Europe have been talking about ways to bring in tougher regulations related to online privacy rights.
But it’s a coincidence that the GDPR enforcement deadline looms just as many people are becoming more aware of the privacy issues associated with companies such as Facebook and Google, since the law has been in the works for years.
“Most businesses, I would say, are not prepared,” said Paige Backman, chair of the privacy and data security group at Aird & Berlis LLP, a Toronto law firm. “I don’t think they’re even aware that it’s going to impact them.”
What does GDPR actually require companies to do? A lot. For starters, companies will have to offer clearer explanations about what data is being collected and how it’s going to be used. The dense legalese of lengthy terms and conditions agreements will no longer cut it.
“Consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language,” GDPR states. “Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”
Simply put, a company has to clearly spell out to the user — in advance — why it is collecting personal information. A user can revoke consent at any point: “It shall be as easy to withdraw as to give consent,” the regulation states.
GDPR also includes sections that give users the right to see a copy of all their personal data a company might hold, and a company must inform affected users of a known data breach within 72 hours.
The consent provisions have the potential to have the most impact on companies, because GDPR kills the business model of scooping as much data as possible through a free service, and then figuring out how to monetize it later.
“It’s going to hit online advertising the hardest, because there’s now a more clear opt-out right away from advertising,” Backman said. “We’re going to see a lot more opt-out rights.”
GDPR is also creating headaches for companies that offer services such as cloud storage and digital security, since they will need to build new mechanisms that track data in order to demonstrate compliance on behalf of their clients.
That Europe is leading the world when it comes to privacy and data protection should not be a surprise. In recent years, it has forced the big search engines to eliminate links from their search results as part of a “right to be forgotten” for citizens, and it also hit Google LLC with a fine of 2.4-billion euros for anticompetitive practices last year.
“It’s no accident that Germany is a leading privacy and data protection country in the world,” Cavoukian said. “It’s no accident that they had to endure the abuses of the Third Reich and the complete cessation of all of their privacy and freedom. And when that ended, they said, ‘Never again will we allow the government to do that.’”
It’s also easier for Europe to get tough on the internet giants, since most of them are U.S. companies, said Michael Geist, Canada research chair in internet and ecommerce law at the University of Ottawa.
He added the EU tends to favour a human rights approach to regulation that puts citizens’ rights ahead of corporate interests.
“In the United States, a sort of freedom-of-contract commercial approach tends to be the more dominant paradigm of privacy, and Canada sort of finds itself somewhere in the middle,” Geist said.
But as GDPR changes the international standard for privacy protection, the middle ground is shifting too, and Canadian companies will need to figure out how to react.
Currently, Canada enjoys an “adequacy” designation that means the EU believes its laws are good enough that data can travel freely back and forth between the two regimes. Other countries that don’t have such recognition have to jump through extra legal hoops to ensure compliance.
Now, Canada’s adequacy designation is in doubt.
Federal politicians have already been mulling over the looming changes. At a parliamentary committee meeting on April 17, Conservative MP Peter Kent mused about Canada adopting something akin to GDPR, and asked federal privacy commissioner Daniel Therrien about it.
“The European model is certainly a good model, and I’ve made a number of recommendations inspired by that model,” Therrien responded. “But the main point is that it is high time — it is past time — to legislate.”
But two days later, at a follow-up committee meeting questioning Kevin Chan, Facebook Canada Ltd.’s head of public policy, Kent hinted at the risks associated with embracing stiffer European-style regulation.
Kent brought up a visit last year to Facebook’s U.S. offices where a group of MPs talked about potentially reforming Canada’s privacy laws. “Now, we were told almost in passing that any new Canadian regulations might well put at risk Facebook investments in Canada, along the lines of the $7 million invested in the artificial intelligence project in the Montreal hub,” Kent said, before asking Chan whether Facebook still feels that way.
Chan denied the company would ever operate like that.
“We certainly do not base our investment decisions on the specific regulatory environment,” he said.
A week later, when Facebook reported its quarterly earnings, chief financial officer David Wehner told analysts the company expects user numbers to stay flat, or even decrease a bit in Europe once GDPR comes into force.
Wehner downplayed the potential impact on Facebook advertising, pointing out that GDPR affects everyone in the online advertising world, so the trick is to stay ahead of the competition. “We’ll just have to watch how that plays out over time,” he said.