Canadian companies may soon be impacted by the GDPR
By Mia Clarke, Associate Editor
The European Union’s new rules for data protection will change the way Canadian companies do business there, says privacy lawyer Peter Dillon.
The General Data Protection Regulation (GDPR), which will take effect on May 25, 2018, is designed to give consumers control over their personal information, says Dillon, a partner with Siskinds LLP.
“The GDPR will affect any Canadian-based company that collects or processes the personal details of anyone who lives within the European Union,” he tells AdvocateDaily.com.
“It doesn’t matter if the data is processed inside or outside of the EU,” says Dillon. “The GDPR will still apply. It will have an extra-territorial reach across the globe.”
Personal information can be “anything from a person’s name, photo and email address to bank details, posts on social media or even a computer IP address,” explains Dillon. “If the data can be used to directly or indirectly identify a person who lives in the EU then it falls under the GDPR.”
And Canadian-based companies will have to comply if they want to continue to do business in Europe, he says.
“The penalties for non-compliance are capped at 20 million euros or four per cent of a company’s annual global turnover, whichever is greater,” says Dillon.
“These are reserved for the most serious violations, including lacking the proper customer consent to control or process their personal information.”
Lesser offences, such as the improper notification of a data breach, would be subject to a maximum fine of 10 million euros or two per cent of the company's annual global profit, he says.
Dillon says Canadian companies who do business in Europe should consult with a lawyer familiar with the GDPR to ensure compliance with the new rules.
They should be aware that after May 25, they will only be allowed to “store or process personal data of EU citizens who have given proper consent under the new guidelines,” he says.
The GDPR also gives EU citizens the right to see how their information is being used and to have it erased from storage, says Dillon.
Companies will also have to provide — free of charge — a copy of the personal information they’re processing if a person asks for it, he says.
“It also creates a new notification requirement that compels companies to notify EU residents within 72 hours of becoming aware of a data breach,” says Dillon.
He says Canada’s privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), doesn’t go nearly as far.
“The GDPR certainly puts pressure on Canada to bring its rules in line with the EU to avoid conflicts between the two jurisdictions,” says Dillon.
“And the federal privacy commissioner has already been pushing for regulations to move closer to the European model,” he says.
Canadian data breach regulations set to take effect on Nov. 1 will require companies to report security breaches that pose a “real risk of significant harm,” but they stop short of the new European requirements, says a Canadian Press story.
“The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals 'as soon as feasible' and give organizations flexibility to use any form of communication to individuals that a reasonable person would consider appropriate, such as phone, email or advertisement,” says the article.
By contrast, says Dillon, the GDPR allows a maximum of 72 hours to notify the supervisory authority and if the data breach is likely to be a high risk to rights and freedoms, individuals must be informed immediately.
Further, PIPEDA allows for implied consent in some situations while the GDPR requires companies to get clear and explicit consent, reports the Canadian Press.
“In light of recent data protection scandals, these could be exactly the kind of regulations that Canadians are looking for,” says Dillon.
“It seems likely that the Canadian government will have to do something to improve consumer protection and avoid conflicts with the new EU regulations,” he says.
“This could result in PIPEDA being updated to better reflect the new laws in the EU. That's one of the ways that Canadian consumers are going to benefit from the GDPR.”