National Post

WHY ‘GDPR’ IS GOING TO CHANGE THE DIGITAL WORLD.

GIANT FINES AWAIT COMPANIES AS TOUGH EUROPEAN PRIVACY REGULATION LOOMS.

- BY JAMES McLEOD

Twitter denizens looking to catch up on the latest news and Kanye tweets this week were interrupted with a full-screen pop-up message telling them the site was updating its terms of service and privacy policy effective May 25.

Even though the message didn’t say it outright, the date was a hint that big changes in data protection controls are coming and it’s not just because Twitter Inc. thinks offering more transparency and added privacy controls is the right thing to do.

On May 25, Europe’s General Data Protection Regulation (GDPR) comes into force and it should have every company with a significant online presence scrambling to get ready since they could be dinged with millions of dollars in fines if they don’t comply with the new regulations.

GDPR is one of those things that you’ve either never heard of, or you’re sick of it because people who care about privacy and digital information policy just won’t stop talking about it in superlatives.

“It’s going to change the world,” said Ann Cavoukian, a former Ontario privacy commissioner and now distinguished expert-in-residence at Ryerson University in Toronto.

GDPR applies to any company anywhere in the world that collects or processes any information relating to an identifiable resident of the European Union.

For example, any website that asks for a name, email address or any other potentially identifiable personal information needs to be GDPR compliant, or the company is tempting fate.

Under GDPR, the potential penalties for non-compliance are immense. For the worst offenders, European regulators are empowered to levy fines of up to 20 million euros ($31 million) or four per cent of a company’s annual global revenue — whichever is greater.

Europe’s new rules come at a time when data breaches are becoming almost mundane. In April alone, Saks Fifth Avenue disclosed that hackers stole credit and debit card information on five million people, and a security researcher revealed to a Canadian parliamentary committee that he had discovered a data breach of 48 million people’s personal information.

Neither story caused much more than a ripple, but the Cambridge Analytica scandal sure caught people’s attention.

Facebook Inc. profile information on 87 million users was improperly obtained by Cambridge Analytica, which reportedly attempted to make psychological profiles of users in an effort to influence the U.S. presidential election for Donald Trump.

In the scandal’s aftermath, politicians in Canada, the U.S. and Europe have been talking about ways to bring in tougher regulations related to online privacy rights.

But it’s a coincidence that the GDPR enforcement deadline looms just as many people are becoming more aware of the privacy issues associated with companies such as Facebook and Google, since the law has been in the works for years.

“Most businesses, I would say, are not prepared,” said Paige Backman, chair of the privacy and data security group at Aird & Berlis LLP, a Toronto law firm. “I don’t think they’re even aware that it’s going to impact them.”

What does GDPR actually require companies to do? A lot.

For starters, companies will have to offer clearer explanations about what data is being collected and how it’s going to be used. The dense legalese of lengthy terms and conditions agreements will no longer cut it.

“Consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language,” GDPR states. “Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”

Simply put, a company has to clearly spell out to the user — in advance — why it is collecting personal information. A user can revoke consent at any point: “It shall be as easy to withdraw as to give consent,” the regulation states.

GDPR also includes sections that give users the right to see a copy of all their personal data a company might hold, and a company must inform affected users of a known data breach within 72 hours.

The consent provisions have the potential to have the most impact on companies, because GDPR kills the business model of scooping as much data as possible through a free service, and then figuring out how to monetize it later.

“It’s going to hit online advertising the hardest, because there’s now a more clear opt-out right away from advertising,” Backman said. “We’re going to see a lot more opt-out rights.”

GDPR is also creating headaches for companies that offer services such as cloud storage and digital security, since they will need to build new mechanisms that track data in order to demonstrate compliance on behalf of their clients.

One such company, Redwood City, Calif.-based cloud storage company Box, has built a system to track which specific servers are storing customer data.

“Some of those regulatory obligations may be data residency issues,” said Crispen Maung, Box’s vice-president of compliance. “So because we wanted to make sure our customers were whole, and we didn’t want them to fragment any cloud implementation, we developed Box Zones, which enables us to actually store content within their geographic regions.”

That Europe is leading the world when it comes to privacy and data protection should not be a surprise. In recent years, it has forced the big search engines to eliminate links from their search results as part of a “right to be forgotten” for citizens, and it also hit Google LLC with a fine of 2.4 billion euros for anti-competitive practices last year.

“It’s no accident that Germany is a leading privacy and data protection country in the world,” Cavoukian said. “It’s no accident that they had to endure the abuses of the Third Reich and the complete cessation of all of their privacy and freedom. And when that ended, they said, ‘Never again will we allow the government to do that.’”

It’s also easier for Europe to get tough on the internet giants, since most of them are U.S. companies, said Michael Geist, Canada Research Chair in internet and e-commerce law at the University of Ottawa.

He added the EU tends to favour a human rights approach to regulation that puts citizens’ rights ahead of corporate interests.

“In the United States, a sort of freedom-of-contract commercial approach tends to be the more dominant paradigm of privacy, and Canada sort of finds itself somewhere in the middle,” Geist said.

But as GDPR changes the international standard for privacy protection, the middle ground is shifting too, and Canadian companies will need to figure out how to react.

Currently, Canada enjoys an “adequacy” designation that means the EU believes its laws are good enough that data can travel freely back and forth between the two regimes. Other countries that don’t have such recognition have to jump through extra legal hoops to ensure compliance.

Now, Canada’s adequacy designation is in doubt. Chantal Bernier, former interim Canadian privacy commissioner and privacy and digital security lead at law firm Dentons Canada LLP, in July 2017 wrote an article headlined, “Yes — Canada could lose its adequacy standing.”

Bernier said she believes GDPR will drive a global standard, partly because countries and companies want to maintain a trade relationship with Europe, but also because citizens will demand it.

“I think that the ecosystem will transform toward a fairer deal,” she said. “People are now speaking of refusing to download apps that they feel are overly intrusive, walking away from platforms they feel are overly intrusive.”

Federal politicians have already been mulling over the looming changes. At a parliamentary committee meeting on April 17, Conservative MP Peter Kent mused about Canada adopting something akin to GDPR, and asked federal privacy commissioner Daniel Therrien about it.

“The European model is certainly a good model, and I’ve made a number of recommendations inspired by that model,” Therrien responded. “But the main point is that it is high time — it is past time — to legislate.”

But two days later at a follow-up committee meeting questioning Kevin Chan, Facebook Canada Ltd.’s head of public policy, Kent hinted at the risks associated with embracing stiffer European-style regulation.

Kent brought up a visit last year to Facebook’s U.S. offices where a group of MPs talked about potentially reforming Canada’s privacy laws.

“Now, we were told almost in passing that any new Canadian regulations might well put at risk Facebook investments in Canada, along the lines of the $7 million invested in the artificial intelligence project in the Montreal hub,” Kent said, before asking Chan whether Facebook still feels that way.

Chan denied the company would ever operate like that.

“We certainly do not base our investment decisions on the specific regulatory environment,” he said.

A week later, when Facebook reported its quarterly earnings, chief financial officer David Wehner told analysts the firm expects user numbers to stay flat, or even decrease a bit in Europe once GDPR comes into force.

Wehner played down the potential impact on Facebook advertising, pointing out that GDPR affects everyone in the online advertising world, so the trick is to stay ahead of the competition. “We’ll just have to watch how that plays out over time,” he said.

Watch and wait might work for Facebook, which has been preparing for GDPR for a long time, but lawyer Paige Backman said it’s already too late for smaller companies to start getting ready. She said the looming regulation is like a dark cloud threatening to burst once European regulators get to work.

“We are a month away. It’s unrealistic for people starting now to be fully compliant,” she said. “All we can do with businesses that come to us who are impacted, we say ‘Let’s start hitting the high points. Let’s hit the most sensitive points. Let’s start complying as much as we can, and then build out a compliance plan in as short order as possible,’ understanding that a month isn’t long enough, and there will be risks after that.”
