This report will discuss the applicability (if any) of the European General Data Protection Regulation (GDPR) to Library and Archives Canada (LAC), as a government institution, and the Co-Lab tool. The GDPR does not presently impact LAC and Co-Lab, as LAC does not target its programs and services to citizens of the member states of the European Union (EU) nor does it use their data for behaviour monitoring.
- The GDPR is an EU privacy regulation that is a compilation of one set of data protection rules. This set of data protection rules seeks to provide European citizens with more control over their personal data. The GDPR came into effect in May 2018, and applies to both data controllers and data processors. Footnote1
- Co-Lab is a crowdsourcing tool provided by LAC, which allows users to transcribe, tag, translate, and describe digitized records found in LAC's collection. By using Co-Lab, Canadians can help improve their own and others' knowledge of Canadian history.
Applicability of the GDPR to LAC and the Co-Lab tool
The GDPR is applicable to data processors outside the EU in two scenarios: when they are directly targeting their services to EU data subjects, and when they are monitoring the behaviour of these subjects. Section 23 of the GDPR states that a third-country processor (outside the EU) is subject to the regulation if there is an intent to offer goods or services to EU data subjects. Footnote2 Section 24 states that third-country processors are subject to the GDPR if they monitor the behaviour Footnote3 of EU data subjects (regardless of whether the data is collected from services targeting Europeans).
As LAC is an organization that collects and stores the personal data of the users of its various programs, it would become subject to the GDPR if it were to target any of these services to EU data subjects or to monitor their behaviour using data collected. However, at the current time, LAC does not target its services to EU citizens. The LAC website, for example, clearly identifies Canadians as LAC's primary user group. Upon preliminary review, it is also unlikely that LAC tracks and profiles the users of its services in a way that meets the GDPR definition of behaviour monitoring. Footnote4
The Co-Lab tool is an example of an LAC program that could bring LAC under the GDPR, but ultimately does not meet the requirements. Firstly, though there is no restriction on Europeans using the tool, there is no clear intent to offer services to them. The marketing of the tool clearly identifies Canadians as the target audience. For instance, a news release about the tool's launch states, "by using Co-Lab, Canadians will be helping to unveil important parts of our history." Secondly, there is likely no monitoring of users' behavior. Co-Lab uses LAC's user-account system to collect and store personal data of users upon registration, and, based on a basic knowledge of this system, it is unlikely that it allows for activities that meet the GDPR's definition of behaviour monitoring. Footnote5
Currently, the GDPR does not apply to LAC as a whole nor to Co-Lab specifically. However, should LAC choose, in the future, to implement programs that are targeted at European data subjects or to monitor the behaviour of these subjects, further work will need to be done to ascertain our responsibilities under the GDPR.