The EU General Data Protection Regulation (“GDPR”) came into force on May 25, 2018. With so much recent focus on preparing for and meeting this deadline, there is no doubt that companies will have breathed a sigh of relief to have finally reached the finish line. Or so they thought.
In many ways, this is just the beginning. Among other things, GDPR has acted as a catalyst for “third countries” (i.e., non-EU Member States) to revise and update their data law. This is a logical consequence as many businesses based outside of the EU have to comply with GDPR with regard to their European customers, and some international companies are choosing to implement a single GDPR-compliant standard globally rather than battle the complications of applying different rules around the world. Argentina and Japan, for example, have already started to align their national data protection legislation with GDPR, and Canada is now looking to do the same.
There are already updates to Canada’s data protection rules coming into force in November of this year, but they are not as stringent as GDPR. For example, under Canada’s new federal data breach regulations, companies will be required to report security breaches that pose a “real risk of significant harm” to the federal privacy commissioner and consumers “as soon as feasible,” whereas under GDPR companies must notify regulators and consumers of any data breaches within 72 hours. Particularly in the wake of recent high-profile data leaks and misuse, many in Canada are calling for higher standards to be imposed.
To this end, the Standing Committee on Access to Information, Privacy and Ethics published a report titled “Addressing Digital Vulnerabilities and Potential Threats to Canada’s Democratic Electoral Process” on June 19, 2018, which proposed additional amendments to the Personal Informational Protection and Electronic Documents Act (“PIPEDA”) recommending the immediate introduction of measures to ensure that data protections similar to those applicable under GDPR are put in place for Canadians. In particular, the report suggests that Canada’s privacy commissioner should, similar to GDPR, have greater authority to impose hefty penalties, conduct audits, and seize documents should organisations fail to comply with PIPEDA. A private member’s bill regarding this specific recommendation has already been introduced to the Canadian Parliament.
Also on June 19, 2018, the Canadian government launched national consultations on digital and data transformation. The first roundtable discussion between the government and various stakeholders took place in Ottawa on the same day. These roundtables will continue as part of the consultation process across the country throughout the summer, and citizens are also invited to submit responses online. Although the consultation is still in its early days, it appears that there is an appetite in Canada to go beyond GDPR. Former Information and Privacy Commissioner for the Canadian province of Ontario, Dr. Ann Cavoukian, said that “It would be almost like a step back for us not to raise the bar,” and some industry experts are arguing for the new rules to require Canadian companies to undertake independent audits to certify compliance with the new data privacy laws, which goes beyond current GDPR requirements.
Reporter, Jessica Trevellick, London, +44 20 7551 7507, jtrevellick@kslaw.com.
