When I attended the Institute for the Future of Law Practice boot camp in May 2018 in Chicago, Professor Matthew Kugler from Northwestern University Pritzker School of Law gave a lecture on cybersecurity, explaining how big data companies are turning humans into business products. In this information age, we are creating a breadcrumb trail of information about who we are and what we do almost every day by sending text messages, posting on social media, snapping pictures, and using GPS applications like Google Maps. The records we create are, in turn, creating business opportunity for companies. To be successful in the digital revolution, companies must increasingly seek more and more data about their customers. For example, data is being used to drive strategic decisions about new avenues of business and the development of new products, and to know what kinds of relationships will help businesses grow.
The General Data Protection Plan (“GDPR”) is a regulation on data protection and privacy for all individuals within the European Union and the European Economic Area, made by European Parliament and Council of the European Union in April 2016 and implemented recently in May 2018. Prior to its enactment, it was sufficient for an organization to obtain a consumer’s “implied consent” to the organizations data practices. In essence, implied consent means that by visiting a website or downloading an app, a consumer is implicitly agreeing to everything in the organizations Terms and Conditions agreement, including the fine print that no one has read. However, under the GDPR, a company needs to gain explicit consent for all the things it wants to do with an individual’s personal data, or Personally Identifiable Information (“PII”).
One simple way for individuals to control their data is blocking cookies from running on websites via web browser settings. However, blocking cookies decreases the convenience of web browsing, since cookies allow our favourite sites and apps to remember our online history, such as billing and shipping information. Generally, users would not expect that companies use their PII in ways that they do not agree with, such as political lobbying or insurance telemarketing. Users also think that they have the ultimate control of the their PII, enjoying the right to revise, remove or duplicate the data.
You may think that deleting Facebook posts would mean “permanently” deleting them from Facebook pages, remote servers and all possible storage facilities but in reality that is not the case: the deleted posts may just magically re-appear on your timeline page. In Europe v Facebook, Max Schrems, an Austrian law student brought a class action suit against the Irish Data Protection Commissioner, in which he asserted that the commission should have taken more substantial action when he filed a complaint against Facebook for how they handled his data. In January 2018, Europe’s highest court ruled in favor of the U.S. tech company: Schrems cannot bring a class action lawsuit on behalf of others because each individual, which had a specific contract with Facebook, must file a separate legal case. Although each individual user has the right to personally sue the company for the alleged misuse of PII, the unequal bargaining power between the individual and powerful companies like Facebook will make him a vulnerable target and unable to effectively defend his privacy rights. Shortly after the GDPR coming into effect on 25 May 2018, Schrems filed suit in Ireland against Google and Facebook for coercing their users into accepting their data collection policies.
Douez v Facebook is a recent Supreme Court of Canada (“SCC”) case that touched on the same issue of “unequal bargaining power”. Deborah Douez claimed that Facebook violated s.3(2) of British Columbia’s Privacy Act RSBC 1996 c 373, after the site used her image without her consent for promotional purposes. However, the legal issue considered by the SCC was not privacy infringement, but rather whether the forum selection clause in the consumer contract of adhesion that Ms Douez “signed” is enforceable. This forum selection clause stated that any claim against Facebook must only be pursued in California, irrespective of the user’s geographic location. In a narrow 4-3 decision, the SCC overturned the British Columbia Court of Appeal’s decision and modified the application of the Pompey test for enforceability of forum selection clauses. The majority held that the court should consider public policy considerations related to “gross inequality of bargaining power between the parties and the nature of the rights at stake”. As a result, the British Columbia Supreme Court decision certifying the class action was restored.
The new GDPR rules apply to any organization that has customers in the EU, regardless of whether the organization is based in Europe. An organization that does not comply with the GDPR may be subject to fines of up to 4% of its global revenue, or up to €20 million, whichever is higher. Unsurprisingly, both Facebook and Google were reportedly hit with $8.8 billion in lawsuits on the first day of the GDPR’s application. Click here for a list of some of the GDPR’s notable Articles regarding individuals’ rights over their data.
Ultimately, the implementation of GDPR requires companies to take quick actions, such as adopting and integrating new tools and systems to allow individuals to access, delete, update, share, or control the way that their PII is used. Additionally, an organization may want to sit down with legal counsel to decide if its marketing endeavors and advertising partners are GDPR compliant.
Does GDPR only protect EU citizens or residents? Not necessary. Both Recital 2 and Recital 14 state that the protection should apply to natural persons “whatever their nationality or place of residence”. Recital 22 and Article 3 mention that the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union “regardless of whether the processing itself takes place within the Union”. For example, if a Canadian citizen residing in Toronto places an online order from an e-commerce merchant established in EU and the website collects personal information, then GDPR applies. Less than a month before tough new GDPR rules take effect, Facebook changed its terms of service to move users in Asia, Africa, and Latin America under Facebook Inc. in Menlo Park, rather than Facebook Ireland. This act is widely seen as a way of avoiding the application of GDPR as GDPR will not apply to these 1.5 billion users governed by Facebook Inc in the US rather than Facebook Ireland. Although Stephen Deadman, Facebook’s deputy chief global privacy officer, said that “…we have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live”, EU users arguably enjoy greater data protection rights under the GDPR than their non-EU counterparts.
Grace Wang is an IPilogue Editor and a JD candidate at Osgoode Hall Law School.