On May 25, 2018 the European Union's General Data Protection Regulation (GDPR) will come into force. The GDPR will create new requirements for Canadian companies that handle the personal information of European individuals. The GDPR also allows for heavy penalties to be imposed on organizations that fail to comply with this new regulatory regime. Based on this, Canadian companies who are involved in M&A transactions should be sure to determine whether the GDPR applies to a target and carefully consider the risks associated with non-compliance.

The GDPR regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU. Similar to Canadian privacy law, "personal data" is constituted by any information that relates to an identified or identifiable living individual and "data processing" captures a wide range of manual and automatic operations performed on personal data. Importantly, the GDPR applies to activities that take place outside of the borders of the EU and also applies regardless of the size of the organization.

Given the broad scope of activity the GDPR captures, it is safe to assume that most Canadian businesses that sell to Europeans or have operations in Europe should obtain legal advice in order to determine whether the GDPR applies to them.

This is especially important when considering that organizations who found to be non-compliant can face large fines of up to four per cent of their global revenue or €20 million, whichever is higher. The GDPR also gives individuals the right to seek compensation for damages caused by violations of the GDPR.

Given the magnitude of these penalties and the wide scope of organizations and activities that are caught by the GDPR, both potential targets and acquirers should be aware of the impact the GDPR could have once it is force. Targets should conduct an analysis to determine which, if any, of their operations may be caught by the GDPR and document any compliance measures that are implemented. Acquirers, on the other hand, should familiarize themselves with the GDPR in order to put themselves in the best position to identify any possible issues with the GDPR in a transaction. For more on the due diligence process related to the GDPR, see our previous blog post on this topic.


About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.

For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.

Law around the world
nortonrosefulbright.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.