Canadian businesses and the European Union’s General Data Privacy Regulation
By Ranish Raveendrabose, Fillmore Riley LLP
Beginning in May 2018, users of social media may have noticed they were inundated with updated Terms and Conditions to which they had to agree before they were permitted to continue using the platform. Those who live and die by their smartphone were subjected to a deluge of these prompts. What instigated this? Four letters: GDPR.
GDPR stands for General Data Privacy Regulation, which is the European Union’s (EU) landmark privacy legislation – adopted on April 14, 2016 – and made enforceable on May 25, 2018. The GDPR is noteworthy because it is pro-consumer and gives individuals unprecedented control of – and access to – their data. The flip side is that the GDPR places onerous demands on businesses to store, handle and process customer data appropriately.
Canadians may wonder whether the GDPR matters to them. The short answer is that it affects Canadian businesses that transact in Europe. For example, mobile application developers whose applications are approved for listing in Apple’s App Store, Google’s Play Store and their ilk, typically make their applications as widely available as possible. If you are a Canadian app developer seeking a large and affluent customer base, you would be remiss to exclude Europe.
Companies updated their Terms and Conditions to inform customers of new protocols and procedures regarding data collection, storage, processing and deletion. Essentially, these companies were informing users that they are GDPR compliant. For large entities like Facebook or Google that have infinitely deep pockets, ensuring compliance is not a significant burden. For smaller Canadian businesses, it may be difficult to financially justify full-scale compliance, or perhaps the amount of business done in the EU does not make it worthwhile.
For Canadian businesses that operate in the EU, there are a few points to consider. GDPR compliance is onerous because it places various demands on businesses. These demands depend on whether one is a data controller or data processor (or both), which are defined in Article 4:
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Granted, the above is not entirely straightforward. Basically, if Company A sells items, but uses Company B to track information about their customers, Company B would be the processor (processing the personal data on behalf of Company A) and Company A would be the data controller (because it determines why the data is being processed).
It is important to recognize which category a business falls into as the duties of processors and controllers differ under the GDPR. Data controllers are responsible for obtaining and managing consent and the right to access. The processor is primarily responsible for processing the data; things like encryption and anonymization. The processor is also responsible for ensuring that the data is handled in accordance with the requirements of the controller and the GDPR.
While the above hardly captures the breadth of the requirements the GDPR places upon entities operating in the EU, it does demonstrate that this level of data micromanagement is beyond what is typically expected of Canadian businesses. Inevitably, becoming GDPR compliant will require significant investment on behalf of Canadian businesses that operate in the EU.
For small- and medium-sized businesses, it may be worthwhile asking: What happens if I am not GDPR compliant? There are two tiers of fines associated with non-compliance.
The first tier is up to two per cent of annual global turnover or €10 million (C$15.1 million) – whichever is higher. The second tier is up to four per cent of annual global turnover or €20 million (C$30.1 million) – whichever is higher. When a data processor or controller breaches one of its obligations, that is governed by the lower tier. Breaching consumer rights will likely be subject to the higher tier. These fines can be debilitating, but these are maximum values and in reality, the severity of the penalty will correspond with the seriousness of the non-compliant act.
The best way to avoid fines is to become as GDPR compliant as possible. That said, there may be some instances where a Canadian business may find the cost of becoming GDPR compliant disproportionate to the level of business it does in the EU and may seek to avoid compliance altogether.
There are scenarios where non-compliance is arguably a reasonable alternative. The risk of penalty would be minimized if: The data is not sensitive; there is irregular interaction with the data subject (the person whose data is being collected); and interaction is passive as opposed to active. For example, if a game developer collects anonymized data about which colour a user prefers, a data breach would have little real-world consequence. If a European intermediary performs all data-subject interaction, any penalty would seemingly be minimal under the criteria used to determine the fine amount. Nonetheless, the above would only be applicable to the data controller. The GDPR is clear – regular data processing requires compliance. If you are the data processor, you must become compliant.
As this legislation is new, much remains up in the air. The GDPR indicates that there will be “regular monitoring” to ensure compliance. However, there is no clear definition of what regular monitoring entails. Ultimately, for Canadian businesses, the question of compliance becomes a business decision pertaining to risk tolerance. Additionally, the pressure to become compliant not only arises from the risk of fines, but also from clients who may demand compliance or move to competitors who are compliant; depending on the services provided.
There may be significant insurance implications as well. Canadian businesses must consider how much transacting they do in the EU and the sensitivity of the data they deal with in determining whether the European marketplace is worth the cost of GDPR compliance or the risk of non-compliance. The fines are based on global revenue, so the risk of non-compliance is significant even if revenue from the EU is only a fraction of the global total.
For large data processing companies such as Facebook and Google, becoming GDPR compliant was a foregone conclusion (and even they have already been subject to lawsuits alleging contravention of the GDPR). For Canadian businesses that are or are considering operating in the EU, it is not nearly as straightforward and will require a careful weighing of the pros and cons.
Ranish Raveendrabose is an associate of Fillmore Riley LLP who practises primarily in the areas of corporate and commercial law as well as intellectual property law. You may reach him at rraveendrabose@fillmoreriley.com or 204-957-8396. This article originally appeared in Fillmore Riley LLP’s newsletter, The Brief, and is reprinted here with permission. 
-
Donald Bailey’s Bridge
April 23, 2024 -
From Historic Foundations to Modern Marvels
April 18, 2024 -
Canadian Construction Trends for 2024
April 16, 2024 -
Substance Use in the Trades
April 12, 2024 -
Putting Technology to Work in Your Business
April 12, 2024