If you are an employer in Canada, you need to be aware of the European General Data Protection Regulation (“GDPR”) which will come into force in the spring of 2018.
Organizations with employees in Europe will need to be compliant with the GDPR in accessing and using the personal data of any European employees.
What is the GDPR?
The GDPR is EU legislation adopted by the European Parliament and the Council of the European Union. The GDPR was officially published in April 2016 and will come into force as of May 25th, 2018.
The GDPR wholly replaces the EU Data Protection Directive, under which the Commission of the European Community decided (in 2001) that Canada’s Personal Information Protection and Electronic Documents Act (the “PIPEDA”) provided an adequate level of protection for personal data transferred from the EU to organizations in Canada.
Given that the GDPR contains more stringent data protection requirements than the EU Data Protection Directive, it remains to be seen whether the European Community will continue to view Canada’s PIPEDA as adequate.
Prior adequacy decisions under the EU Data Protection Directive will remain in force until amended or replaced by a EU Commission decision but there has already been speculation that Canada’s adequacy recognition will not be maintained for long, following the GDPR coming into force.1
What do Canadian employers need to be thinking about?
If your organization is part of a larger international corporate group with affiliates located in the EU, you should expect that the EU affiliates will not be prepared to allow the Canadian affiliate to have access to the personal data of EU subjects, even for internal corporate group purposes, unless the Canadian affiliate adheres to “binding corporate rules” which will require the Canadian affiliate to comply with the key elements of the GDPR.
Here are some things you should know :
- The enforcement provisions in the GDPR are very tough. GDPR regulators may levy heavy financial sanctions of up to 4% of the annual worldwide turnover of the organization.
- While the basic principles contained in the GDPR are similar to the basic principles contained in PIPEDA, the GDPR contains some specific requirements which are not currently reflected in PIPEDA; for example:
a. The GDPR contains notification requirements for information security breaches that are more exacting than those contained in the 2016 amendments to PIPEDA (which are not yet in force). For example, the GDPR requires that an organization notify regulators and affected individuals within 72 hours of becoming aware of an information security breach unless the organization can establish that there was a good reason it did not meet the 72-hour rule under all of the circumstances;
b. Under the GDPR a data protection impact assessment is a mandatory pre-requisite before processing personal data for operations that present particular privacy risks to individuals due to the nature or scope of the operation (under Canadian privacy law, privacy impact assessments have generally only been required in the public sector, not in the private sector);
c. The GDPR contains increased transparency obligations – privacy notices to employees, for example, will need to include much more detailed information than is typically provided under PIPEDA; and
d. The GDPR sets out a statutory “right to be forgotten” which would allow employees the right to require their employer to delete data files relating to them if there are no legitimate grounds for retaining the data.
- Particular EU Member States may provide for even more stringent privacy protection for employee personal data within their jurisdiction. Article 88 of the GDPR provides that Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context. Any such specific rules must be made known to the Commission of the European Community by May 25, 2018.
If you have employees in the EU or are part of a larger organization with a presence and employees in the EU, and you wish to access or make use of EU employee data, you need to get up to speed now on the GDPR requirements and then take steps to ensure that you will be able to comply with those requirements.
If your organization requires assistance with navigating the GDPR, please contact the authors and/or consult DLA Piper’s EU GDPR Resource centre.
 See Ryan Chiavetta, “Could Canada lose its Adequacy Standing?” The Privacy Advisor, July 7, 2017