Canadians must prepare for new EU privacy rules


The European Union's new privacy regulations could have a big impact on Canadian businesses, Toronto corporate lawyer Peter Murphy tells

The EU's General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, replacing the Data Privacy Directive (DPD) with more comprehensive data privacy rules.

“Many Canadian companies assume this new European regulation will not apply to them,” says Murphy, a partner with Shibley Righton LLP, “but actually, it has a broad reach that will extend to many Canadian organizations. It imposes significant new requirements that are more stringent than what Canadian organizations are used to, and the penalties for violations are potentially very severe.”

“Canadian organizations should be preparing for this now to ensure they will comply by May 25, 2018,” he adds.

The reach of the GDPR will not be limited to organizations with an establishment in the EU. It will also apply to organizations outside the EU that collect or process personal information about EU residents.

“Whether your organization collects personal information on EU residents, or processes it on behalf of someone else, it will have to comply,” Murphy says.

The new regulation also takes an expansive approach when it comes to fines for non-compliance, which can reach as high as the larger of four per cent of an organization’s global turnover and 20 million euros.

“Class actions will also be available for enforcement of the GDPR,” Murphy says. “This creates another element of risk that Canadian companies need to be aware of.”

He says companies that currently comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) can't assume that means they will be in compliance with the GDPR once May 2018 rolls around.

“Adhering to PIPEDA will make them somewhat compliant, but the GDPR is more stringent in a number of ways,” Murphy explains.

For example, data controllers and processors will be required to carry out privacy security assessments to test their technical and organizational security measures under the GDPR. In addition, affected companies will be required to conduct privacy impact assessments before carrying out data processing that may pose a high level of risks to the individuals concerned.

“Data processors will be required to use encryption and to keep a register of their activities,” Murphy adds.

The GDPR also incorporates new rights for individuals whose personal information has been collected, such as the right to be forgotten, which allows people to object to, and request the deletion of, information about themselves under certain circumstances.

The GDPR’s data portability rules will also pose new requirements for subject Canadian organizations. PIPEDA already requires Canadian organizations to provide individuals with access to the information the organization holds about them. In certain circumstances, the GDPR will also require subject organizations to provide the information to the individual, on request, in a format that allows them to use it in another database.

“It’s not a carte blanche right for everyone, but it’s still something that will require businesses to update their infrastructure in order to be able to comply if needed,” Murphy says.

Like its predecessor DPD, the GDPR allows data to flow out of the EU to other jurisdictions whose privacy control regimes are deemed adequate. For the moment, Canada is among the approved countries, but Murphy says there’s no guarantee that it will retain its status indefinitely.

“There is a risk that the EU will consider Canadian privacy protection inadequate at some point, so organizations will have to be prepared for that eventuality,” he says.

Murphy says the implementation of what the GDPR calls “binding corporate rules” or contracts with “standard contractual clauses” is one way Canadian companies will be able to insulate themselves in the event the EU changes its mind on Canadian privacy practices.