Scoping Europe’s long reach on data protection

Facing the threat of massive fines, Canadian businesses with interests in Europe are undertaking efforts to comply with the complexities of the European Union’s General Data Protection Regulation (GDPR). Following the release of new guidelines on territorial scope in November 2019, companies have clearer guidance as to when the GDPR will apply.

The GDPR’s reach is broad and its details are complex. It standardizes the laws relating to data protection and privacy across the European Union and the European Economic Area—and covers the transfer of personal data outside those areas. Since its implementation in May 2018, the extra-territorial scope has been the source of much speculation and concern among businesses, says Lyndsay Wasser in Toronto, who co-chairs McMillan LLP’s Privacy & Data Protection and Cybersecurity groups. 

The new guidelines bring some clarity. “Just the fact that you have one person’s data wouldn’t necessarily subject you to the GDPR. There’s a much more sophisticated test for that,” Wasser says. The regulations can apply “if you have an establishment in the GDPR, or if you’re offering goods or services to data subjects in the EU, or if you’re monitoring the behaviour of persons in the EU,” says Wasser. The new guidance document discusses in detail when firms meet each of those three tests.

The GDPR has intensified attention to data privacy issues and compliance. But Wasser says it often came as a surprise to companies that Canada has its own laws with which they were not complying. She advises them not to neglect the Canadian requirements, which are not always the same as the GDPR. The Canadian penalties may not be as severe, but Wasser warns that there can be consequences.

“It’s very common for me to experience a company saying, ‘we don’t need to worry about the Canadian laws, we’re GDPR-compliant, so we’re okay across the world.’ And it’s not actually true. The GDPR is a lot stricter in many respects than Canadian laws, but not all.”

Potential penalties under the GDPR can be as much as €20 million or 4 percent of an organization’s annual worldwide turnover, whichever is greater. As of September 2019, the EU’s supervisory authorities had announced or issued fines totalling over €372 million. In the UK this year, European regulators slapped British Airways with a record £183 million fine for a data breach and Marriott was subsequently fined close to £100 million. In comparison, the penalty provisions and regulatory powers under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are less punitive, including fines up to $100,000 for non-compliance.

Misconceptions remain about the GDPR, how it applies and what it means for a business. “It’s a pretty complicated legal framework,” says David Krebs of Miller Thomson LLP in Saskatoon, whose business law practice focuses on compliance, privacy and cybersecurity. A company, he says, can be subject to the GDPR without having a physical office in Europe. 

The new guidelines are helping to clarify situations in which Canadian businesses are not data controllers, but, instead, are considered to be data processors. “The distinction there is: if the company kind of ‘owns the data’ and decides the purposes and the means, you’re a data controller,” says Krebs.

The GDPR has in place very detailed and specific requirements to have a contract between a data controller and a data processor. The new guidelines are more explicit about which sections of the GDPR will apply, even to companies that are processors. 

“The main difference from my perspective—in terms of a privacy compliance program where you already had one for PIPEDA and now you need to revise it to take into account the GDPR—is that many of the things that you might have been doing, you might have to adjust to meet these very specific and proscriptive provisions in the GDPR.”

Wasser says it’s challenging for a company to be fully in compliance with every aspect of the GDPR since it has so many detailed requirements, and not all of them are easy to control. Many of them require organizational-wide compliance, so one individual who’s not aware of a requirement can unintentionally put the organization offside.

“The key is to have an appropriate compliance program to document the efforts that you’ve made, including training your people on compliance in order to defend against these one-off, unintentional breaches to show that the organization has made best efforts and conducted due diligence and have really done their best to comply with GDPR.”

There are several legal grounds to process personal data under the GDPR. “You can obtain consent, or you can process data to perform a contract or to achieve legitimate interests of the organization,” says Wasser, but under Canadian rules, consent is always required. “Make sure if you’re operating in Canada that your compliance program complies with all the laws in the jurisdictions where you operate, not just the GDPR. And don’t assume that GDPR compliance means we’re complying with a high standard across the world, we don’t have to take into account local laws.”

Uncertainty lingers around enforcement in Canada from GDPR data protection authorities, says Krebs. “We have minimal precedent about how data protection authorities will actually enforce on non-resident companies that are subject to GDPR.” 

Krebs urges Canadian lawyers to understand and stay on top of the GDPR. “As soon as you know that your client is operating or somehow has the potential for gathering data on Europeans or has future plans to operate in Europe, the GDPR needs to be a consideration, especially if it’s a data-heavy business,” he says. “As soon as there’s potential that the GDPR applies, I think they need to advise their clients that they need to take this seriously.”