As a cross border firm, we are legally “bilingual”: we translate and interpret the requirements of U.S., Canadian, EU and other international privacy regimes into a comprehensible format for our clients. For example, from the Canadian perspective the focus is on “personal information”; from the EU perspective the focus is on “personal data”; and both of those are substantially different from the U.S. concept of personally identifiable information (“PII”). It is important to understand that personal information/personal data is much broader than PII. Generally speaking, it applies to anything that can be used to identify a person, including things that wouldn’t be PII, such as an email address or even an IP address associated with a mobile device.
Fundamental paradigm shift
The EU has long held the mindset, and enforced that mindset through regulation, that an individual’s data belongs to the individual, not to the company that collected the data. In order to understand and comply, it is key to understand the goal of the EU’s General Data Protection Regulation (“GDPR”), which is to ensure that natural persons, not the company that collected it, have control over their own personal data. Rather than owning the data it collected, the company is merely operating under a license granted by consumers for the use of their personal data.
Following the May 28, 2018 effective date of the GDPR, beginning in 2019 the Canadian Federal Office of the Privacy Commissioner started enforcing its Guidelines for obtaining meaningful consent, which impose requirements on private sector organizations to obtain legally valid consent for all collection, use and disclosure of personal information. The Guidelines specify requirements for the form and content of privacy policies/notices and for clear and easily accessible privacy consent processes. Cutting right to the chase: the Personal Information Protection and Electronic Documents Act (“PIPEDA”) provides that an individual’s consent is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
By contrast, outside the healthcare and financial sectors, the U.S. does not have a federal law governing the collection of personal information, though a number of states have passed legislation that mirrors the GDPR and PIPEDA in some respects, with California leading the way with its Consumer Privacy Protection Act, which went into effect on January 1, 2020.
Beyond the consent disconnect, there are other differences among the jurisdictions in regard to their privacy laws, including rules on storage, transfer of information, data subject rights, etc. This patchwork of laws makes matters complicated for large U.S. companies like Amazon that have built empires on the long-term collection of personal data, as they are forced to re-examine their data policies and procedures in the cross border context. This means that issues such as how long personal data can be stored, and how the company has to communicate and ensure data subject rights, must be reconsidered in line with international requirements, as opposed to just U.S. requirements. Canada and the EU are largely aligned that data should not be retained longer than necessary to fulfil the purposes of the collection, whereas U.S. companies, left without specific direction on the issue, tend to defer to the legal statute of limitations and, in the absence of any, retain the information for as long as possible.
Dealing with cross border data security is particularly critical, including ensuring that the organization’s incident response plan is designed and implemented with a cross border focus. Given that Canada’s economy is highly integrated with the United States, transfers of personal information for processing require transparency about handling practices, and best practices suggest that organizations should advise customers that their personal information may be sent to another jurisdiction for processing and that, while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities of that jurisdiction.
Privacy laws also vary at the local level. Proposed amendments to the Province of Quebec’s provincial privacy laws include some potentially onerous requirements, such as requiring businesses to inform individuals of the “names of the third persons” to whom it is necessary to communicate the information for the purposes for which the information is collected.
This article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.
About the Authors:
Wendy Hulton is a Partner in Dickinson Wright’s Toronto office. She advises clients on their privacy and cyber security policies and procedures, requests for disclosure of personal information, surveillance issues and other matters arising under the Personal Information Protection and Electronic Documents Act, the Access to Information Act and Canada’s Anti-Spam Legislation (CASL). Wendy can be reached at 416-777-4035 or email@example.com.
Sara Jodka (CIPP-US and CIPP-E) is a Member in Dickinson Wright’s Columbus office. She is a certified privacy professional for the United States and for Europe through the International Association of Privacy Professionals, and regularly works with businesses to review and audit their privacy policies and procedures to bring them into compliance, and to prepare for and respond to data breaches. Sara can be reached at 614-744-2943 or firstname.lastname@example.org.