The General Data Protection Regulation (GDPR) came into force almost three years ago, but in that short period (short by the standards of legislative initiatives) it has become a real flagship, an example and in many ways the reason for the revision of local personal data laws in a number of states.
We discuss how the situation in Canada is developing: what regulators are proposing and what risks technology specialists and companies see in potential changes to the regulatory framework.
The extent of the GDPR’s impact is difficult to exaggerate. It has pulled along a string of similar measures in the US, Brazil and even Kenya. In the third year of the law’s victorious march across the planet, Canadian regulators also joined in. They decided to get their own “localization” of the law: to review the twenty-year-old PIPEDA (Personal Information Protection and Electronic Documents Act) and develop a new document called the Consumer Privacy Protection Act (CPPA).
According to official statements, the CPPA aims to bring the conditions for the collection, processing, storage and use of personal data in line with the general level of technological development and the context of interaction between citizens and local organizations. In particular, the government of Canada focuses on how the latter should explain the reasons for data collection and the degree of the data’s “mobility”: for example, warn about cross-border transfer and provide the possibility of safe transfer from one organization to another on request.
The main thing that distinguishes the “Canadian GDPR” is the new sanctions for violators of the regulations. They will have to pay 3% of the company’s annual revenue (including the earnings of branches around the world) or 10 million, apparently Canadian, dollars.
But in the case of a major leak, a deliberate leak or a violation of the data de-identification rules, a fine of up to 5% or 25 million, respectively, is provided.
The upper limit of five percent is not chosen by chance: with it the Canadian authorities signal a strong intention to surpass the GDPR in all respects. They are not limited to the size of sanctions. Under the CPPA, organizations will be required to explain on request how their algorithm or recommendation system works when it makes decisions based on the personal data of a citizen of the country. Experts believe that in this regard (as well as on penalties), Canada may outdo the European regulators.
As for re-identification of de-identified data, it amounts to a complete ban. There are sanctions for establishing a person’s identity from the personal data provided. The only exception is testing needed to maintain the proper level of security (probably some system that prevents such attempts). However, it is still difficult to say how a hypothetical social network would fulfill this requirement if a user voluntarily enters their real full name and age. Most likely, the requirement will be applied against malicious violators, for example organizations that reconstruct identities from many gray databases in order to spam the audience with offers to use a service.
Interestingly, the CPPA also takes into account situations in which consent for the collection of personal data does not need to be obtained. For example, this includes maintaining network security, plus everything that does not fall under commercial activities or other attempts to influence a person’s decision-making (for example, about a purchase).
Another new regulation allows organizations to introduce their own personal data protection measures, which may exceed the level of requirements that are prescribed in the CPPA itself.
What to expect
The Canadian version of the GDPR will apply to all structures that in any way come into contact with citizens’ data. While large companies can allocate two or three full-time specialists to train staff and to keep up to date and verify corporate policies on handling and securing personal data, this process is likely to be difficult for small businesses, given that the CPPA also requires training of employees.
On the other hand, the regulation has the form of a framework document. Most of the wording is too general, so one should expect clarifications in the form of additional acts that explain and regulate specific points of the CPPA. As practice shows, in Canada this process can take several years, so for now entrepreneurs can breathe easy, and the government can think about how to protect the interests of citizens without compromising the budgets of small companies.
Generally speaking, local GDPR variants were just the beginning. Now many countries are launching campaigns with proposals for targeted regulation of the big data sphere.
So, in the UK, the so-called “National Data Strategy” is gaining momentum: a strategy that aims to build a “data economy”. The government wants to understand where and how particular citizens’ data is used, and is trying to offer a universal mechanism or even a standard for its anonymous accounting, classification and processing on the companies’ side.
Most likely, the development of the document will drag on for many years, so other countries will still have plenty of opportunities to launch their own analogues and similar initiatives (in addition to the GDPR).