GDPR may require changes to Canadian data contracts


peter murphy headshotCanadian businesses may need to account for the European Union’s wide-reaching General Data Protection Regulation (GDPR) in their processing contracts, Toronto business lawyer Peter Murphy tells

The GDPR came into effect in May last year, replacing the looser Data Privacy Directive (DPD) which had governed the handling of personal data within the EU for more than two decades.

Murphy, partner with Shibley Righton LLP, says Canadians may wonder why they must comply with a regulation from a foreign jurisdiction, but he explains that GDPR’s reach is extensive.

"The GDPR applies to any business that engages in data processing related to goods and services offered to EU residents, regardless of where their business is located," he says.

“It also applies to businesses that monitor the behaviour of individuals where the behaviour takes place in the EU,” Murphy adds. “Where the GDPR applies, Canadians may be surprised by some of the resulting requirements.”

Whatever difficulties that compliance with the new regulation imposes on data processing businesses in this country, Murphy says they can’t afford to ignore the GDPR, thanks to the eye-watering nature of its potential penalties. Under the GDPR, fines for non-compliance may be imposed in amounts up to the larger of four per cent of an organization’s global turnover, or 20 million euros — about $30 million Canadian.

“That’s way beyond any fines that may be awarded under Canadian privacy laws,” Murphy says.

This is an excerpt from an article that appeared on

Please click here to read the rest of the story.

Name and Title