Recent scandals involving Facebook and Cambridge Analytica show the importance of strong data protection rules, not only for each of us but also for society as a whole, and the very functioning of the democratic process.
The protection of privacy, as a fundamental individual right and a democratic imperative, is also an economic necessity. Without consumers’ trust in the way their data is handled, our data-driven economies will not thrive.
The General Data Protection Regulation (GDPR), which came into force on May 25, 2018, is the European Union’s response to these challenges and opportunities. It seeks to create a virtuous circle between better protection of privacy as a fundamental right, enhanced consumer confidence in how the privacy and security of data is guaranteed, especially online, and economic growth.
While building on foundations in 1995 EU legislation, the GDPR has important new features. Many are particularly relevant to foreign companies doing business in Europe. They now will be able to offer goods and services in a harmonized and simplified regulatory environment.
Instead of having to deal with 28 different data protection laws and 28 different regulators as in the past, one set of rules will apply to their processing operations and will be interpreted in a uniform way throughout the continent.
Increased certainty and less red tape
Obligations to notify data processing operations or obtain prior permission from data protection authorities have been scrapped. Several key concepts have been clarified and adapted to the needs of the digital economy. All this will mean increased legal certainty and a significant reduction in compliance costs and red tape.
The GDPR is also based on a modern approach to regulation which rewards new ideas, methods and technologies that improve privacy and data security. The principles of data protection “by design” and “by default” will create incentives to develop innovative solutions from the earliest stages of the development of new products or services.
A “risk-based approach” means that several obligations will not apply to companies that limit the level of risk of their processing operations. Co-regulatory tools, such as codes of conduct or certification mechanisms, are introduced to help companies achieve and demonstrate compliance.
Finally, new rights and safeguards will put individuals in better control of their data while at the same time strengthening competition (e.g. right to portability) and mitigating liability risks (e.g. data breach notification).
Unleash the potential of the digital economy
Empowering consumers also means ensuring that they feel safer and more confident when sharing their data. These are just a few examples of how the effective protection of a fundamental right can go hand in hand with unleashing the full potential of the digital economy.
These developments are of course not limited to Europe. Today more than 120 countries, from almost all regions of the globe, have data privacy laws in place. And many of the new or modernised laws tend to be based on common elements, such as comprehensive legislation (rather than sectorial rules), a set of enforceable rights, and enforcement by an independent supervisory authority.
This is not just good news for individuals who will benefit from a high level of protection when their data is transferred abroad. This developing convergence also offers new opportunities to facilitate trade as well as cooperation between public authorities which increasingly rely on the exchange of personal data.
The European Commission is committed to intensifying its dialogue with its international partners in this area, to promote and further develop elements of convergence between privacy regimes.
At a time when there is an increasing demand for international standards on privacy, Canada and the EU can lead by example and contribute to shaping common rules of the game as they did in other areas with the conclusion of the Comprehensive Economic and Trade Agreement (CETA).
Their respective privacy regimes show that it is possible and desirable to combine a high level of protection with openness to international data flows. These shared values are reflected in the 2001 EU "adequacy decision" concerning the Personal Information Protection and Electronic Documents Act (PIPEDA), which allows unhindered transfers of data covered by PIPEDA.
European and Canadian experts are working closely to ensure the continuity of this adequacy finding under the GDPR. And our regulators and stakeholders can learn a lot from each other through the exchange of experience and best practices. In our interconnected world, more than ever, this type of dialogue is essential if we want to address challenges that are increasingly global in nature and scope.