- An expanded “right to be forgotten”. Not only would an organization have to delete personal information that it could not demonstrate any legitimate need to retain, but the organization may also be required to inform third parties to facilitate the erasure of links to, or replication of, the personal information.
- Explicit consent for data use. If consent is required for data processing, the consent will have to be explicit (not implied).
- Breach notification. National data protection authorities must be notified of serious data breaches within 24 hours (if feasible) or as soon as possible.
- Extra-territorial reach. EU rules would apply to any organization active in the EU market even if the data is processed elsewhere.
- Expanded jurisdiction to investigate. National data protection authorities would be able to investigate complaints even though the complainant’s data is processed by an organization outside of the EU.
- Enhanced penalties. Organizations may be subject to fines for non-compliance of up to €1 million (approx. Cdn. $1.3 million as of Jan 27/12) or up to 2% of a company's global annual turnover.
These proposed changes are relevant to Canadians. The outcome of this regulatory reform may affect Canadian firms processing data collected in EU member states or marketing to residents of EU member states. But more broadly, these are all issues that Canadian privacy regulators are examining.