What is the GDPR and Why Should Canadian Businesses be Concerned with it?

By: O'Neil Smith, B.A., LL.B.

The General Data Protection Regulation (GDPR) is an EU regulation governing the protection of personal data of EU residents. It came into force on May 25, 2018 and applies in all EU member countries. It protects the personal data of EU residents with far-reaching and stringent requirements applicable to businesses and other entities who collect, use, process or otherwise work with personal data of EU residents (referred to as “data subjects” under the regulation). The GDPR also imposes strict monetary penalties on organizations who breach its provisions.

So why does this EU legislation matter to Canadian businesses and organizations?

In July of this year, the UK’s Information Commissioner’s Office (ICO) became the first EU jurisdiction to issue an enforcement notice under the UK’s Data Privacy Act and the GDPR. The notice was served on a Canadian data analytics firm which had been allegedly retained by certain UK based political organizations for the purpose of analysing UK voter data (provided to it by those organizations), and targeting certain voters with political ads. The ICO stated in its notice that because the company had processed the UK individuals’ personal data without their knowledge and for “… purposes which they would not have expected and without a lawful basis for that processing" (see UK ICO Enforcement Notice at: https://ico.org.uk/media/2259362/r-letter-ico-to-aiq-060718.pdf), it had failed to comply with Articles 5 and 6 of the GDPR, among others. It also considered that the company was a “controller” of the personal data under Article 4(7) of the GDPR and noted that the company was still in possession of the data as of May 31st. The ICO decided to serve an Enforcement Notice because damage or distress caused by the failure to comply was likely a result of the UK individuals “…being denied an opportunity of properly understanding what personal data may be processed about them by the controller, or being able to effectively exercise the various other rights in respect of that data afforded to a data subject”. The company was ordered to cease processing any personal data of UK or EU citizens within 30 days or face a substantial monetary penalty. The company has filed an appeal from the notice.

This case makes the point that Canadian businesses and organizations must carefully consider whether their day to day data collection activities, either potentially or in fact, involve the collection or processing of EU residents’ personal data. The GDPR will apply extraterritorially to businesses that: a) use tracking technologies on their website or mobile apps to collect data from EU data subjects, b) offer goods and services to EU data subjects, or c) process the data of EU data subjects on behalf of controllers. Obtaining expert guidance on managing, collecting, processing and retaining personal data of third parties residing abroad is therefore essential. The processing of any personal data of EU residents, even where the activity is undertaken by an organization located in an country outside the EU, makes the GDPR applicable. For Canadian businesses, this means that they must be mindful of the extra-territorial applicability of the GDPR. If an organization obtains, processes or retains personal data from EU residents, even from a third party intermediary, it must comply with the requirements of the GDPR regardless of where the organization is located.

As mentioned earlier, the consequences for breaching the GDPR are serious: financial penalties provide for a fine of up to €20 Million or 4% of the business’s annual revenue, whichever is greater.