Should Canadians worry about the European Union’s General Data Protection Regulation (GDPR)?
PIERRE ANTOINE VAILLANCOURT AND MARCEL NAUD*
ROBIC, LLP
LAWYERS, PATENT AND TRADEMARK AGENTS
With the recent personal data management scandals, the new General Data Protection Regulation (GDPR), effective as of May 25 of this year, is timely, at least for EU residents. However, Canadian companies should take an interest in the GDPR since its scope will extend beyond the old continent.
1) What is the GDPR?
The GDPR, as its name suggests, “lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data[1].” It imposes numerous obligations on companies (whether they act as the controller or the processors) in terms of personal data, which are more onerous than those currently in force.
In addition, each supervisory authority, responsible for enforcing the GDPR on the national level, has the power to impose fines for deliberate or negligent violation of the regulation, which may be as high as 20 million euros or 4% of the global turnover of the non-compliant company[2]. Hence the importance of ensuring the compliance of your company, if necessary.
2) Are Canadian companies covered by the GDPR?
The new regulation has effects outside the EU. Thus, the GDPR covers any company (established or not established in the EU) that processes personal data of European residents when this processing occurs in the context of activities aimed at:
a. offering goods or services (even free of charge) to European residents; or
b. monitoring of their behaviour through profiling.
© CIPS, 2018. * Pierre Antoine Vaillancourt is a lawyer and Marcel Naud is a lawyer and trademark agent for ROBIC, LLP, a firm of lawyers, patent and trademark agents. [1] Art. 1 GDPR. [2] Art. 83 GDPR.
ROBIC, LLP – MONTREAL / QUEBEC – LAWYERS, PATENT AGENTS AND TRADEMARK AGENTS. 1001 Victoria Square, Bloc E – 8th floor, Montreal (Quebec) Canada H2Z 2B7, Tel: 514 987-6242. 2875 Laurier Boulevard, Delta-3 – Suite 700, Quebec (Quebec) Canada G1V 2M2, Tel: 418 653-1888. ROBIC.COM – INFO@ROBIC.COM
If a Canadian company engages in any of these activities, it is subject to the GDPR and faced with a choice: either it limits its activities so that data from EU residents are no longer processed by the company, or it complies with the obligations imposed by the GDPR, otherwise risking heavy fines.
3) What are the obligations under the GDPR?
The GDPR strengthens existing obligations and imposes new ones. Here is an overview of the obligations that may require the most adaptation.
- Appointment of a representative[3]: Companies located outside the EU must appoint a representative in Europe who can serve as a link between the European authorities concerned and the foreign company. Some exceptions are provided, but they appear so restrictive that a company will prefer to err on the side of caution and appoint a representative.
- Detailed use[4]: According to a fairly widespread current practice, a company lists the uses of the data in rather vague statements such as “to ensure the proper functioning of the services.” This approach is no longer sufficient under the GDPR; companies must spell out the purposes of the processing for which the personal data are intended and the legal basis of this processing.
- Manifest, free and enlightened consent, given for specific purposes[5]: The GDPR requires the controller to demonstrate that the data subject has given consent, in a form that clearly distinguishes the consent request from any other question when consent is given as part of a written statement which also concerns other issues. Among other things, companies cannot use a simple notice at the bottom of the screen and presume consent, or offer an already checked box. In addition, it must be as simple to withdraw consent as it is to give it. The data subject must also be able to accept or refuse individually the different data processing operations, and the performance of a contract cannot be made conditional on consent that is not necessary for that performance.
- Data protection by design and by default[6]: The principles of data protection by design and by default should also be taken into consideration not only at the time of the processing itself, but also when determining the means of such processing, through appropriate technical and organizational measures such as “pseudonymization.” This also involves the minimization of data, so that only adequate and relevant data is collected, limited to what is necessary for the purpose for which it is processed. A certification mechanism can be used to demonstrate compliance with these requirements, which may be of interest in some circumstances.
[3] Art. 27 GDPR. [4] Art. 13 c) GDPR. [5] Art. 7 GDPR. [6] Art. 25 GDPR.
- Responsibility of the controller[7]: The principle of responsibility of the controller obliges companies to implement appropriate technical and organizational measures to ensure that their data processing is carried out in accordance with the GDPR and that they are able to demonstrate this, given the nature, the scope, context and purpose of the processing as well as the risks (the degree of probability and severity of which varies) for the rights and freedoms of natural persons. Companies cannot adopt a passive or nonchalant attitude toward the protection of these data.
- Data Protection Officer[8]: Some companies must appoint a Data Protection Officer (DPO). The DPO is an individual whose duties include informing and advising data controllers of their obligations and monitoring compliance with the GDPR. Similar to an ombudsman, he must be independent, that is to say that he receives no instructions from anyone in relation to his duties and cannot be relieved of his duties or penalized because of the exercise of his duties.
Practices to adjust
This overview of the obligations of the new European regulation illustrates the EU’s desire to significantly increase the protection of personal data. Even companies that are not directly targeted by the GDPR have an interest in adjusting their practices in this area, since it would not be surprising to see other jurisdictions, including Canada, follow suit.
[7] Art. 24 GDPR. [8] Art. 37 et seq. GDPR.