Europe's tough new data privacy laws will benefit Canadians, too

On Friday the European Union will bring into effect some of the world's strictest online privacy rules — new regulations that some experts say will afford Canadian internet users more protections, as well.

Some companies already extending GDPR compliance to their customers worldwide

Illustration showing a padlock over an EU flag, representing Europe's new data privacy regulations — the toughest in the world — which come into effect Friday. (Dado Ruvic/Reuters)

Chances are, over the past few days you've been getting emails from the apps and mailing lists you subscribe to, alerting you to their new privacy policies.

That's because on Friday the European Union will bring into effect some of the world's strictest online privacy rules — new regulations that some experts say will afford Canadian internet users more protections, as well, if companies opt to extend the privacy features to users worldwide.

Here's what you need to know about the General Data Protection Regulation (GDPR).

"Simply put," says Robin Mansell, a professor at the London School of Economics and Political Science, and head of the Department of Media and Communications, "the GDPR requires that all organizations in the EU be explicit with citizens and customers about what personal data they collect and what they do with it."

Companies can no longer bury those details deep within a seemingly endless terms-of-service agreement, Mansell says.

In addition, says Ontario's former privacy commissioner, they may only use that data "for the primary use intended."

"If they want to use it for something else later on, they have to come back to you and get positive consent," says Ann Cavoukian, founder of Privacy by Design, a philosophy that is central to the GDPR.

The GDPR also enforces the right to be forgotten, which gives individuals the ability to request that information about themselves be removed from a digital platform, and stipulates that organizations must divulge privacy breaches that affect their customers within 72 hours. 

Hefty fines

While becoming GDPR-compliant can be expensive for companies, Cavoukian argues that being mindful of users' privacy is actually good for business.

And given what a valuable commodity data has become, the penalties for its misuse have to be greater than the financial gain. 

Companies that infringe on sections of the GDPR could face costly punishments, including potential fines of up to 20 million euros or four per cent of their total global revenue from the preceding year — whichever is greater.

And it's not just European companies that must adhere to the new rules around data collection, storage and third-party sharing: any company that collects user data from European citizens or does trade with European companies has to comply.

That includes all of the major tech companies and digital media platforms, from Facebook to Twitter to Pinterest, as well as any Canadian companies that do business in the EU, explains Mansell.

Our laws 'not adequate'

An underlying premise of the GDPR has been the potential global ripple effect of the new EU regulation, but in fact, companies only have to comply with the new rules with respect to their European customers. Still, some of them are choosing to extend compliance to their customers worldwide, as an act of goodwill, says Cavoukian.

In fact, among the big tech companies this is where the line is being drawn in the sand: between those who want to be seen as industry leaders when it comes to privacy protection and those still clinging to their stronghold of user data.

This week, Microsoft announced it would extend the rights central to the GDPR to users around the world, and Apple has stated that new web-based privacy settings being made available to European customers will eventually be expanded globally. 

While Facebook is trying to play along, saying it plans to bring the transparency and notification guidelines to all of its users, critics have noted that opting out seems to be deliberately difficult.

Cavoukian is hopeful the new European law will set a precedent closer to home, so that more companies extend their new privacy updates to Canadians.

"For the first time ever, our laws will not be considered adequate," she says.

"Eventually, when our laws get an upgrade, which the privacy commissioner is desperately trying to do, we will have the same privacy protections," Cavoukian says. "But for now, we don't."

The nature of the world's biggest and most popular digital companies is that they are often global and borderless. But as this new European law demonstrates, they are now required to be compliant with the region that has the most rigorous regulations.

As such, says Cavoukian, because of the GDPR, "Canadians will now have more protections than if companies were just complying with Canadian laws."


Ramona Pringle

Technology Columnist

Ramona Pringle is an associate professor in the Faculty of Communication and Design and director of the Creative Innovation Studio at Ryerson University. She is a CBC contributor who writes and reports on the relationship between people and technology.