Canada: BC Corporations And Societies May Be Required To Comply With Europe's New Privacy Law

Does your business or organization offer goods and services overseas? Or otherwise collect or use personal information of Europeans? If so, you may find yourself unwittingly caught by Europe's new privacy regulations.

The General Data Protection Regulation (GDPR) is the European Union's (EU) new privacy law and it came into force on May 25, 2018. The GDPR applies not only to European-based organizations, it also applies to all organizations that collects, uses, or discloses the personal information of persons residing in the EU – even if those organizations are physically located in Timbukto (Mali) or Tofino (BC).

However, Canadian organizations that comply with the Personal Information Protection and Electronic Documents Act or substantially similar provincial laws (such as BC's Personal Information Protection Act (PIPA)) have been granted "adequacy status" for the time being. Adequacy status permits transfers of information about EU data subjects to organizations in Canada without additional safeguards or the need for Canadian organizations to show compliance with the GDPR. The EU will review Canada's adequacy status within the next four years.

Those organizations with a physical presence within the EU, or who wish to get ahead of the game, have a resource in BC's Office of the Information and Privacy Commissioner. The Commissioner has released a useful Guidance Document on how British Columbian organizations can best comply with both PIPA and the GDPR. The document outlines the requirements under each law and helpfully indicates which standard should be followed to guarantee compliance with both laws.

The Commissioner's GDPR Compliance guide indicates that overall the GDPR provides a higher level of privacy protection than PIPA, so organizations that are caught by both rules should generally adhere to the standards in the GDPR. However, organizations should pay special attention to the different regulations for handling personal data without consent and comply with whichever is required in the circumstances. Organizations should also take note that the GDPR permits sanctions of up to €20,000,000 (~$30 million CAD).  In comparison, the maximum fine under PIPA is $100,000.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.