Canadian Businesses and compliance with the EU’s General Data Privacy Regulation

Beginning this past May, social media users may have noticed they were inundated with updated Terms and Conditions to which they had to agree before they were permitted to continue using the service.  Those who live and die by their smartphone were subjected to a deluge of these prompts. What instigated this? Four letters: GDPR.

GDPR stands for General Data Privacy Regulation, which is the European Union’s (EU) new landmark privacy legislation, adopted on April 14, 2016, and made enforceable on May 25, 2018. GDPR is noteworthy because it is extremely pro-consumer and gives individuals unprecedented control of and access to their data. The flip side is that GDPR places onerous demands on businesses to store, handle, and process customer data appropriately.

Canadians may wonder whether the GDPR matters to us. The short answer is that it affects Canadian businesses that transact in Europe. For example, mobile application developers whose applications are approved for listing in the Apple App Store, the Google Play Store and their ilk typically make their applications available as widely as possible. If you are a Canadian app developer seeking a large and affluent customer base, you would be remiss to exclude Europe.  

Companies updated their Terms and Conditions to inform customers of new protocols and procedures regarding data collection, storage, processing, and deletion. Essentially, these companies were informing us that they are GDPR compliant. For large entities like Facebook or Google that have infinitely deep pockets, ensuring compliance is not a significant burden. For smaller Canadian businesses, on the other hand, it may be difficult to financially justify full-scale compliance, or perhaps the amount of business done in the EU does not make it worthwhile.

For Canadian businesses that operate in the EU, there are a few points to consider. GDPR compliance is onerous because GDPR places various demands on businesses. These demands depend on whether one is  a data controller or data processor (or both), which are defined in Article 4:

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Granted, the above is not entirely straightforward. Basically, if Company A sells items, but uses marketing Company B to track information about their customers, Company B would be the processor (processing the personal data on behalf of Company A), and Company A would be the data controller (because it determines why the data is being processed).

It is important to recognize into which category a business falls as the duties of processors and controllers differ under the GDPR. Data controllers are responsible for obtaining and managing consent and the right to access. The processor is primarily responsible for processing the data, things like encryption and anonymization. The processor is also responsible for ensuring that the data is handled in accordance with the requirements of the controller and the GDPR.

While the above hardly captures the breadth of the requirements GDPR places upon entities operating in the EU, it does demonstrate that this level of data micromanagement is beyond what is typically expected of Canadian businesses. Inevitably, becoming GDPR compliant will require significant investment on behalf of Canadian businesses that operate in the EU.

For small- and medium-sized businesses, it may be worthwhile asking: what happens if I am not GDPR compliant? There are fines associated with non-compliance. There are two tiers of fines: the first tier is up to 2 per cent of annual global turnover or 10 million euros (whichever is higher); the second tier is up to 4 per cent of annual global turnover or 20 million euros (whichever is higher). When a data processor or controller breaches one of its obligations, that is governed by the lower tier of fines. Breaching consumer rights will likely be subject to the higher tier. These fines can be debilitating, but these are maximum values and in reality, the severity of the penalty will correspond with the seriousness of the noncompliant act.

The best way to avoid fines is to become as GDPR compliant as possible. That said, there may be some instances where a Canadian business may find the cost of becoming GDPR compliant disproportionate to the level of business it does in the EU and may seek to avoid compliance altogether.

There are scenarios where noncompliance is arguably a reasonable alternative. The risk of penalty would be minimized if: the data is not sensitive; there is irregular interaction with the data subject (the person whose data is being collected); and interaction is passive as opposed to active. For example, if you are a game developer that collects anonymized data about which colour a user prefers, a data breach would have little real-world consequence. If a European intermediary performs all data subject interaction, any penalty would seemingly be minimal under the criteria used to determine the fine amount (see GDPR Article 83). Nonetheless, the above would only be applicable if you are the data controller. GDPR is clear— regular data processing requires compliance. If you are the data processor, you must become compliant.

As this legislation is new, much remains up in the air. The GDPR indicates that there will be “regular monitoring” to ensure compliance. However, there is no clear definition of what regular monitoring entails. Ultimately, for Canadian businesses, the question of compliance becomes a business decision pertaining to risk tolerance. Additionally, the pressure to become compliant not only arises from the risk of fines but also from clients who may demand compliance or move to competitors who are, depending on the services provided. There may be significant insurance implications as well. Canadian businesses must consider how much transacting they do in the EU and the sensitivity of the data they deal with in determining whether the European marketplace is worth the cost of GDPR compliance or the risk of noncompliance. The fines are based on global revenue, so the risk of noncompliance is significant if revenue from the EU is only a fraction of the global total.

For Facebook and Google, large data processing companies, becoming GDPR compliant was a foregone conclusion (and even they have already been subject to lawsuits alleging contravention of the GDPR). For Canadian businesses that are or are considering operating in the EU, it is not nearly as straightforward and will require a careful weighing of the pros and cons.