How Europe's tough new data protection rules affect Canadians, too
In the last few weeks, you may have found yourself inundated with emails from many of the apps and online services you use.
They've been informing you of new terms and conditions, and asking you to "opt in" to continue using the service.
This isn't a coincidence. On May 25th, the General Data Protection Regulation, or GDPR, comes into force. It's a sweeping set of strict laws that govern privacy for anyone living in, doing business with, or even visiting the European Union.
And even though the GDPR was announced two years ago, it seems to be taking a lot of people by surprise.
That's because if your work includes using data collected about anyone even visiting the EU, the law will affect you.
"The penalties, for instance are extraordinary: 20 million euros or 4 per cent of global revenue, whichever is higher, depending on what's been breached," she added.
People must "opt in" to have sensitive personal data collected, and there will be strict rules surrounding how much data can be used, and how long it can be kept.
The GDPR takes existing privacy laws to the next level.- Paige Backman
Also included in the GDPR is the "right to be forgotten," which allows individual people to petition to have a particular web article or post removed from search results if it is untrue or unfair, she said.
There is going to be a challenge in applying it, however, because so many companies have operations in both the U.S., and Europe, which have different interpretations of digital privacy, and how to balance that privacy with freedom of expression, Backman said.
"In the EU, privacy or protection of personal data is a fundamental human right. In Canada it's a quasi-constitutional human right. So it's one step shy of being a fundamental human right. And in the U.S. it's even lower," she said.
However, she said Canadian privacy law is starting to be interpreted more aggressively. Canada's Privacy Commissioner has suggested Canada will be adopting stance more consistent with the GDPR.
Canada currently enjoys "adequacy status" with EU data protection regulators, which means the EU accepts that Canada is doing enough to protect the digital rights of citizens. But that is going to be reviewed in light of the new laws, and it's important Canada maintains that status.
On the other side, Backman said, the big tech companies like Google and Facebook have been lobbying for a more liberal interpretation of privacy laws. "So there's now lobbying efforts on all sides."
In the short term, she said it's unlikely individual Canadian users will notice much of a difference in their digital experience. But recent events have caused people to realize just how their personal data might be used, and many are becoming more activist in their demands for the highest level of privacy rights.
"We're well beyond marketing shoes to somebody who may want a particular pair of shoes. We're talking about general behavior modification.
"I think people are seeing and they're feeling it now they're demanding a reaction from the regulators," she said.