European Privacy Directive Lands on Canadian Shores

Since May 25, 2018, a new European privacy law, the EU General Data Protection Regulation (GDPR) requires compliance by any business, regardless of size, if the business has a presence in the EU, offers goods or services to EU residents, or tracks the behavior of EU residents. On May 24, 2018, the Canadian Office of the Privacy Commissioner published new guidance documents – on obtaining meaningful consent and on inappropriate data practices – to help Canadian organizations ensure they comply with their privacy obligations in the digital age. While the scope of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is similar to the GDPR, there are a few significant differences.

  1. The statutory scope of the GDPR is broader in terms of coverage, since PIPEDA applies when the personal information is being collected, used or disclosed “in the course of commercial activities”.
  2. An EU resident has a right to be forgotten. If an EU resident requests, the business must generally delete all of the EU resident’s personal information that it holds. Under Canadian law, there may be freedom of expression rights and other reasonable bases not to delete all personal information.
  3. Under the GDPR, businesses must appoint a ‘privacy champion’. To satisfy PIPEDA’s accountability standards, an organization should have a privacy officer; but should is not mandatory. The GDPR seems to have more teeth.
  4. The Canadian Digital Privacy Act amends PIPEDA and becomes effective in November, 2018. After November 2018, an organization must promptly report any data breaches to Privacy Commissioner’s Office and notify affected individuals and relevant third parties (in certain circumstances) when such breaches pose a “real risk of significant harm” to affected individuals. The GDPR is similar, but the reporting time is 72 hours!
  5. The GDPR penalties are potentially much bigger. Damages for a data breach of the GDPR may be up to €20 million (approximately C$30.5 million) or 4% of the business annual worldwide income (whichever is higher). Currently, PIPEDA does not include statutory damages. A Canadian resident can collect damages for the data breach if he can show a quantifiable loss as a result. Due to the difficulty in proving actual loss, the Canadian Privacy Commissioner is considering the issue of statutory damages.

In short, privacy matters and failure to comply is expensive.

The foregoing is advertising and a heads-up. It is not legal advice.