Canadian Businesses and the GDPR

Article by: Justin Broomfield

All memorandums are for informational purposes only and do not constitute legal advice. Additionally, the memorandum does not create or intend to create a solicitor-client relationship between the reader and the initio Technology and Innovation Law Clinic

The world has moved online, and it seems that nearly every start-up starts with a website. Building an online presence can give a business greater access to customers, build its brand, and expand its reach. Granting access to consumers from across the world can also expose a business to laws it may have assumed were outside its jurisdiction. Canadian businesses, both big and small, may now be faced with the question of how international laws apply to them. One particular area of concern is privacy law.

Private enterprises across Canada are subject to privacy obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), or in some cases substantially similar provincial legislation. PIPEDA follows a principles-based approach that governs the collection, use, and disclosure of personal information in the course of commercial activities. Every business should continually review its policies to ensure that they are compliant with the relevant legislation within Canada. This article further explores developments in the European Union and proposed updates to Canadian privacy law that have potentially expanded Canadian businesses' privacy obligations.

General Data Protection Regulation

A key piece of privacy legislation that Canadian businesses should be aware of is the General Data Protection Regulation (GDPR) in the European Union (EU). This legislation was updated in 2018, when the scope and the enforcement mechanisms of the previous EU Data Protection Directive were increased. Notably, this update introduced extra-territorial reach, meaning the GDPR can apply outside of the EU.

The GDPR can apply to Canadian businesses where the organization has an establishment in the EU, or if the organization offers goods or services or monitors the behaviour of individuals located in the EU. Even without a physical establishment in the EU, a Canadian business may become subject to the obligations under the GDPR.

What are the Obligations under the GDPR?

While some of the principles of the GDPR are similar to those in PIPEDA, there are additional and stricter protections and safeguards to personal information under the GDPR. Key obligations include the right to be forgotten, transparency, and privacy by design.

Much like PIPEDA, the GDPR applies to processing of information relating to an identified or identifiable person or “personal data”. In the context of a small, online business, this could include a person’s name, email address, phone number, shipping address and IP address. 

The GDPR distinguishes between processing and controlling personal data and applies certain obligations to each. A Data Controller is the party that determines the purposes of processing personal data and the means of doing so. If a business is deciding what information to collect and what to do with that information, it is the Data Controller. Data Processors only process the data on behalf of the Controller. Data Processors are typically third parties that offer IT systems such as cloud storage. The Data Controller is responsible for specifying the duties of the Processor. It is important to understand your relationship with any third party that is processing your business's data to ensure that all relevant privacy obligations are being met.

The right to erasure, or the right to be forgotten, grants an individual the right to request that an organization erase their personal data. This request can be made if the data is no longer necessary to serve the purpose for which it was collected, the subject of the data withdraws their consent, or they object to their personal data being processed for the purpose of direct marketing. This creates the need for businesses to implement methods of responding to these requests and ensuring that they can comply with the requirement to remove and erase the relevant information.

The GDPR requires businesses to keep detailed records about the organization's personal data processing practices. This includes how the information is held, how it is used and shared within the organization, how long the information is retained, who has access to the information and how they are provided with access. Reporting of breaches to the relevant authority is to occur within 72 hours of the occurrence, and to the affected individuals without undue delay. There are similar requirements under PIPEDA; however, there is no specific deadline for reporting to the relevant authorities. This is an important distinction that can create a situation where a business is compliant with its obligations under PIPEDA, but in breach of the GDPR.

Privacy by design requires businesses to consider privacy and data protection when designing products and services, rather than after those services or products are in use. This requires a proactive approach to privacy. The GDPR states that businesses should be able to show that privacy is at the core of the service or product as well as of their own internal policies. One way of showing this is to use pseudonymization, which removes personal identifiers from data so that it cannot be connected to an individual, as early as possible when collecting information. Businesses are also expected to keep records of the nature and purpose of personal information and limit any processing of that information to what is necessary for the purpose.
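The following is an added illustration, not code from the article or from the clinic, of what pseudonymizing at the point of collection can look like for a small online shop, and of how the same design makes the right to erasure described above easier to honour. It assumes a constructed checkout record with the field names shown, a keyed HMAC as the pseudonym, and a separately held lookup table (a "vault") that is the only place the pseudonym can be linked back to the person; deleting that entry answers an erasure request without having to locate every downstream copy of the order.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample record: the sort of checkout data a small online
# shop collects (name, email, phone, shipping address and IP address).
SAMPLE_ORDER = {
    "name": "Ada Example",
    "email": "ada@example.com",
    "phone": "+1-555-0100",
    "shipping_address": "1 Example St, Ottawa",
    "ip": "203.0.113.7",
    "items": ["notebook", "pen"],
    "total_cad": 23.50,
}

# Fields that directly identify a person and must not reach the
# order-history or analytics store in the clear.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "shipping_address", "ip")


class Pseudonymizer:
    """Replaces direct identifiers with a keyed token at ingest.

    Downstream systems only ever see the token. The token-to-person
    mapping lives in a separate vault; removing the vault entry (or the
    key) is what makes an erasure request effective.
    """

    def __init__(self, key: Optional[bytes] = None):
        # In production the key would come from a secrets manager, not
        # from the application's own storage (assumption of this example).
        self.key = key or secrets.token_bytes(32)
        self.vault: Dict[str, Dict] = {}

    def token_for(self, email: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key, a token
        # cannot be rebuilt from a guessed email address.
        normalized = email.strip().lower().encode("utf-8")
        return hmac.new(self.key, normalized, hashlib.sha256).hexdigest()[:32]

    def ingest(self, record: Dict) -> Dict:
        """Split a record into an identifying part (vault) and a stripped part."""
        token = self.token_for(record["email"])
        self.vault[token] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
        stripped = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject"] = token
        return stripped

    def can_reidentify(self, token: str) -> bool:
        """True while the vault still links this token to a person."""
        return token in self.vault

    def erase(self, email: str) -> bool:
        """Honour an erasure request; returns False if nothing was held."""
        return self.vault.pop(self.token_for(email), None) is not None


if __name__ == "__main__":
    p = Pseudonymizer()
    order = p.ingest(SAMPLE_ORDER)
    print("stored record:", order)
    print("erased:", p.erase("ada@example.com"))
    print("still linkable:", p.can_reidentify(order["subject"]))
```

The stripped record keeps what the business needs for reporting (items, totals) and a stable pseudonym, so repeat orders from the same customer still line up; the identifying data needed for fulfilment is held once, in the vault, where a single deletion satisfies a request to be forgotten.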

Many Canadian businesses have taken measures to become compliant with the GDPR in response to the substantial fines for non-compliance that were introduced. These fines can reach the higher of 20 million euros or 4% of a business's global revenue, in addition to individuals having the right to seek compensation for damages. This is a stark contrast to the Canadian Privacy Commissioner's limited ability to impose fines and could pose a great financial risk.

What can you do as a Canadian Business?

Limit your target audience. This may help to limit exposure to the GDPR. It was not the intended purpose of the GDPR to apply to all businesses that have any kind of online presence, only to those that operate in, or target individuals within, the EU. The purpose is to protect the personal data of Europeans. By advertising your products or services to Canadians, only accepting Canadian dollars, and not offering shipping outside of the country, you may limit your potential exposure to the GDPR.

Review your privacy policies and procedures. Businesses should be routinely reviewing all privacy policies and procedures to ensure that they are compliant with PIPEDA and that the actual practices within the organization continue to comply with the policies. Many Canadian businesses have taken steps to adopt the obligations of the GDPR in addition to those under PIPEDA, to reduce the risk of significant fines.

Implement the concept of privacy by design into the culture of your business. Reconsider your data processing practices and whether you need to collect the information that you do. Train your employees on privacy issues. Consider the third parties that you work with and how they treat their privacy obligations.

Become familiar with the GDPR. Follow the legislation, understand where and when it is applicable, and the obligations it imposes. If applicable to your business, take the steps to ensure your collection and processing of personal information is compliant.

Consult legal counsel. When unsure of your business's obligations, consult legal counsel that is qualified to speak to the relevant jurisdiction.

Proposed Changes to Canadian Privacy Law

By taking steps to ensure compliance with your privacy obligations and adopting GDPR compliant practices, your business may be a step ahead of upcoming changes to Canadian Privacy Law.

Bill C-27, the Digital Charter Implementation Act, was proposed in June of 2022 and is currently at the stage of consideration in committee in the House of Commons. This bill includes the Consumer Privacy Protection Act (CPPA) and is intended to replace PIPEDA. If passed, the CPPA would introduce obligations similar to those under the GDPR. Organizations will be required to implement privacy management programs detailing the policies, practices and procedures used to comply with privacy obligations. Individuals will have a limited right to disposal, de-identification and anonymization. A private right of action against organizations that fail to meet their obligations will also be introduced. These new obligations also come with increased penalties. For general offences, fines can reach as high as $10 million CAD or 3% of the organization's global gross revenues, whichever is higher. For the most egregious violations, the fine may be the higher of $25 million CAD or 5% of the organization's global gross revenues.
