Since it came into force on May 25, 2018, the General Data Protection Regulation ("GDPR") has been on the mind's of many in the industry – both within the European Union and in the rest of the world (including Canada). Given this attention and the GDPR's far-reaching scope, any developments concerning the interpretation and application of the GDPR need to be followed closely.
With four months of life behind the GDPR, now is an opportune time to review those developments. Indeed, after assessing those four months we can make the following four findings.
1. Organizations and individuals are embracing the GDPR
On September 25, 2018, the Commission nationale de l'informatique et des libertés de France (the "CNIL") published a series of indicators (available in French only) of GDPR implementation.
Beyond the French government amending the Loi Informatique et Libertés and its decrees, organizations in France and throughout Europe appear to be truly embracing GDPR compliance. This is evidenced by the following statistics for the four month period following May 2018:
- 24,000 organizations designated a data protection officer;
- over 600 notifications of personal data breaches were received;
- the CNIL website had three million visitors; and
- the CNIL received 3,767 complaints compared to 2,294 complaints for the same period in 2017 – according to the CNIL, "this represents an increase of 64% and attests to the fact that citizens have largely accepted the GDPR."
2. Sanctions are being issued
On the other side of the Channel, the United Kingdom's Information Commissioner's Office (the "ICO") did not wait very long before issuing its first warning.
On July 6, 2018, the ICO sent an Enforcement Notice demanding that Canadian company AggregateIQ comply with the GDPR (PDF) within 30 days. AggregateIQ has been linked to the controversy about the use of personal data for online campaigning, with alleged ties to Cambridge Analytica and its parent company, SCL. In this case, the ICO alleged that AggregateIQ processed personal data for purposes that data subjects could not have expected, without any lawful basis under the GDPR, and without transparency. In the event of non-compliance, AggregateIQ risks receiving an administrative fine of up to 20 million euros, or 4% of its annual global turnover, whichever is higher. At the time of writing, AggregateIQ has denied any involvement with Cambridge Analytica and appears to have appealed the ICO Enforcement Notice.
3. Guidelines are under development
The European Data Protection Supervisor (the "EDPS") is an independent European body that supports the consistent application of data protection rules across the European Union, and encourages cooperation between national supervisory authorities. The EDPS replaced the Article 29 Working Party.
In a press release dated September 26, 2018, the EDPS announced that it had met to discuss several subjects, including the European Union-Japan adequacy decision, the Data Protection Impact Assessment Lists, and above all, the adoption of guidelines on the GDPR's territorial scope.
With respect to this last item, the EDPS stated that these guidelines are meant to provide a common interpretation of article 3 of the GDPR, while clarifying the various situations in which the GDPR may apply extra-territorially, including when designating a representative. These guidelines, which have yet to be published at the time of writing, will be subject to public consultation once released.
4. Canadian adequacy is a concern
At the end of September 2018, the Office of the Privacy Commissioner of Canada (the "OPCC") published its 2017-2018 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act.
In it, the OPCC "stressed the importance of maintaining Canada's "adequacy status" with the European Union." While the free movement of data has been authorized between the European Union and Canada since 2001, the GDPR could be a game-changer in that it substantially differs from Canadian privacy laws. Although the method of ensuring Canadian adequacy is still under discussion, one concern remains following the GDPR's coming into force: Canada must take appropriate action to ensure that Canada-European Union data flows are uninterrupted and seamless.