EU privacy rules could give B.C. firms edge over U.S. rivals

General Data Protection Regulation applies to companies targeting European Union citizens

Ben Young, general counsel for Elastic Path: “it’s going to be less of a burden [in Canada]” | Chung Chow

Like Toto pulling back the wizard’s curtain to reveal the protector of Oz to be a facade, the Cambridge Analytica–Facebook (Nasdaq:FB) scandal revealed online data privacy to be more superficial than many thought.

And so this month’s rollout of the European Union’s long-gestating General Data Protection Regulation (GDPR) is serendipitous for EU citizens who will soon be protected by privacy legislation widely considered the world’s strongest.

While GDPR casts a net wide enough to entangle firms on this side of the pond, some experts say Canadian businesses are already better positioned than American counterparts.

“I somewhat take exception to these doom and gloom attitudes around compliance obligations with respect to the GDPR,” said Ben Young, general counsel for Vancouver-based Elastic Path.

His company specializes in back-end software for e-commerce services and has been spending more than a year ensuring its products comply with new rules so regulators don’t target its customers.

“I don’t want to discount the fact that compliance is difficult stuff and the costs of compliance are real,” Young said. “It’s not like we’re starting from scratch in Canada and British Columbia.”

The lawyer added that federal and provincial regulations are already very strong in Canada, and he anticipates further harmonization with EU legislation in the coming months.

GDPR, meanwhile, extends to companies that target any EU citizen with their services, such as a Vancouver-based firm that markets to or sells products online to a Brit or a German.

Companies that don’t properly protect user data face fines of up to 20 million euros or 4% of global revenue – whichever figure is higher.

Young said weaker privacy laws in the U.S. mean American firms have to do more to ensure they comply than their Canadian counterparts if they wish to avoid the large fines.

“It’s going to be less of a burden [in Canada] and will already be incorporated into a company’s culture in terms of compliance,” he said.

Ross Woodham also believes Canadian companies have the advantage over U.S. companies.

But the general counsel and privacy officer for hosting and cloud services company Cogeco Peer 1 said it might be a while before the EU draws a bead on most players in Canada or the U.S.

“Whether EU authorities are able to effectively enforce these [rules] against a company that’s sitting outside the EU is another question altogether. And I suspect the reality is they would be challenged to directly enforce these things against a Canadian company,” he said.

“They’ll be focusing on the major players who are processing incredibly large amounts of data. Say, the Facebooks of this world, the Googles of this world, who really can influence people’s lives by the way that they process this data.”

Meanwhile, Snaptech Marketing co-founder Flavio Marquez, whose Burnaby company specializes in digital advertising, has been in contact with software vendors to ensure all its online tools comply with the new rules.

His “gut feeling” is that most Canadian firms are not doing the same because they either aren’t aware of GDPR or mistakenly don’t believe it applies to them.

As for the Canadian firms that are already compliant with GDPR, Marquez said it’s most likely because they’ve been checking with their software vendors to ensure everything is above board when the rules go into effect.

More often than not, he said, the software vendors are American companies that also sell to American clients, which would negate any competitive advantage.

“The U.S., they are probably being a little more strict about compliance … especially with what happened with Facebook,” he said. “If you’re using platforms like Google, for example, whether you’re in Canada or the U.S., everything is going to have to be GDPR-compliant.”

torton@biv.com

@reporton