Regina Leader-Post with Teresa Scassa 03 May 2018
The European Union’s new privacy protection rules are being described as a game-changing new standard that’s already being felt in Canada as companies with transatlantic operations get ready for the sweeping changes that come into effect later this month.
Through the General Data Protection Regulation (GDPR), the EU will attempt to impose fines of up to four per cent of a company’s annual revenue — no matter where the business is based — if they violate the rights of EU citizens in any country where they operate.
The pro-consumer GDPR’s scope is sweeping — everything from giving people an opportunity to obtain, correct or remove personal data about themselves to outlining rules for disclosing security breaches.
Canada’s federal privacy rules have yet to be updated to the higher standards set by the GDPR, but many of the services used by Canadians are already getting ready for its arrival.
“The direct effects for Canadian consumers will arise predominantly in their dealings with multinational corporations, the companies that do business across borders,” said University of Ottawa law professor Teresa Scassa.
Facebook and Yahoo are but two of the global services that have notified their users of changes to their terms of service and privacy policies by May 25, the day GDPR takes effect. But they’ve taken radically different approaches.
Yahoo’s parent company Oath, for example, has created separate policies for the different markets it serves, resulting in very different privacy provisions for Canada or the United States than for Europe.
Facebook, by contrast, has committed to applying the EU’s General Data Protection Regulation to its operations worldwide.
Ann Cavoukian, a former Ontario privacy commissioner now at Ryerson University in Toronto, says Facebook had also considered separate policies for EU and non-EU markets before the Cambridge Analytica “debacle.”
“But, come on, they had to do something. Right?” she said.
The data firm at the centre of Facebook’s privacy scandal is declaring bankruptcy and shutting down after it was revealed the firm sought information on Facebook to build psychological profiles on a large portion of the U.S. electorate. The company was able to amass the database quickly with the help of an app that appeared to be a personality test. The app collected data on tens of millions of people and their Facebook friends, even those who did not download the app themselves.
Cavoukian believes Canada will have to do something to bring its privacy laws up to par with the new EU standards to avoid conflicts between the two jurisdictions.
“And when they do, that’s how Canadian consumers will benefit from the GDPR,” Cavoukian said.
Federal privacy commissioner Daniel Therrien has already been pushing elected politicians to move closer to the European model and to give his office increased powers.
But at this time, Therrien’s biggest impact has been investigations of security breaches by Equifax, Uber, Facebook and others — which will soon be required by federal law to reveal serious breaches to the federal privacy commissioner.
Federal data breach regulations set to take effect Nov. 1 will require mandatory reporting of security breaches that pose a “real risk of significant harm,” but stop short of the strict reporting requirements in the GDPR.
The regulations require organizations to determine whether a data breach poses a risk to any individual whose information was involved, and then to notify the federal privacy commissioner and the affected individuals “as soon as feasible.” They give organizations flexibility to use any form of communication to individuals that a reasonable person would consider appropriate, such as phone, email or advertisement.
By contrast, the GDPR gives organizations in control of data no more than 72 hours to notify the supervisory authority unless the breach is unlikely to result in a risk to rights and freedoms, and requires them to give reasons for any delay. If the data breach is likely to pose a high risk to rights and freedoms, the affected individuals must be informed without undue delay.
Therrien’s office confirmed this week that it’s investigating recent revisions to the Yahoo terms of service, part of a GDPR-related effort by its parent Oath, which also owns Huffington Post, TechCrunch, and AOL.
One clause of Oath’s Canadian terms of service, in particular, outraged consumers when they discovered they were consenting to allow Yahoo to use the email addresses and phone numbers of friends and other contacts. The company has since removed the clause.
In the version of Oath’s revised terms of service that covers the European Union, the company prominently states that users can review or edit marketing preferences, advertising settings and other personal information or withdraw consent for the Oath group to process their information.
“We believe that you should have control of your information,” it said.
By contrast, there’s no reference to withdrawing consent for the use of personal data in the North American version of Oath’s terms of service. Instead, it says “by using the services you agree to our privacy policies … We can only provide many of these services by using your personal data to provide personalized content and ads.”
Scassa, who holds the Canada Research Chair in Information Law, says terms of service have historically provided consumers with little choice if they want the product or service.
“Either you agree to all of this or you don’t get the service,” she said.
“So it becomes one of those things that, I think, is largely considered to be a bit of a joke. Not a good joke, but a joke.”
Cavoukian is encouraged that the GDPR requires companies to get consumers’ clear and explicit consent. It also gives people the right to know what data about them is being collected, the right to get a copy of that data to take elsewhere and the right to demand that personal data is erased.
“It’s the exact opposite of what happens now,” Cavoukian said.
“This is such a game-changer.”