While the COVID-19 pandemic has dramatically (and negatively) impacted economies around the world, Canadian companies remain keen to do business with the European Union. Since the signing of the Canada-EU Comprehensive Economic and Trade Agreement (CETA) in 2016 (and its entry into force in 2017), two-way merchandise trade between Canada and the EU was up 21.1% compared to pre-CETA levels.

However, Canadian companies doing business with partners based in the EU – and where personal data collection, use and/or disclosure could take place – cannot lose sight of the impact the General Data Protection Regulation (GDPR) may have on their operations, especially when it comes to the cost of non-compliance.

The GDPR came into effect in 2018, aiming to provide European citizens and residents with greater control over how their personal data could be collected, used, and disclosed. Notably, enforcement mechanisms are a critical part of the GDPR's framework, which empower European regulators to enforce compliance measures and levy fines for breaches.

For example, the GDPR provides for two levels of fines. At Level 1, if an organization subject to GDPR suffers a data breach, or it lacks a Data Protection Impact Assessment (DPIA), the company can face a fine of up to 10 million euros or 2% of a company's worldwide revenue (whichever is higher).

A Level 2 fine may be applied to breaches involving the GDPR's eight data subject rights, including consent and limits on data transfers, with a maximum fine of 4% of a company's worldwide revenue or 20 million euros (whichever is higher).

Previous regulatory fines for privacy breaches had been relatively small, such as the £500,000 paid by Facebook to the U.K.'s Information Commissioner's Office for the Cambridge Analytica scandal (which was the maximum allowed under the old data protection rules that applied before GDPR became law).

However, recent penalties have shown a very different trend as international companies faced a number of large fines under GDPR in 2019 and 2020. For example:

  • A German real estate company, Deutsche Wohnen SE, was fined €14.5 million for a non-compliant data storage system that contained highly sensitive information, which also failed to allow for obsolete data to be erased.
  • Austrian Post faced a fine of €18 million for collecting and selling information related to consumers' political leanings.
  • Google was fined €50 million for failing to meet various GDPR requirements. These related to the improper collection and processing of personal data, and also a lack of transparency regarding how personal data was harvested and then used for advertising.
  • TIM, an Italian telecommunications operator, was issued a €27.8 million fine for an extensive list of violations centering on the company's marketing program that targeted non-customers without consent and retained excessive data (which was subsequently breached).
  • Another Italian company, Wind Tre S.p.A., faced a fine of €16.7 million related to the organization's approach to marketing, which involved unsolicited emails to customers and the unlawful processing of their personal data without the ability for them to withdraw their consent.

While the organizations listed above may have their offending offices based in the EU, this does not mean that Canadian companies can disregard the risk from GDPR fines. Any company that is processing the data of EU citizens and residents is required to follow the GDPR in terms of how that data is used and stored, including when an organization is monitoring online behavior (i.e., tracking the data of website visitors).

Given these regulatory trends, Canadian companies doing business involving the personal data of EU citizens and residents must comply with the GDPR or face serious financial risk. These organizations ought to increase their awareness of privacy law in general, and specifically how the GDPR could impact their operations. Recommended next steps to address compliance concerns include:

  • Data mapping to determine where and how the GDPR may apply to your organization;
  • Completing a privacy audit or impact analysis (PIA);
  • Conducting Data Protection Impact Assessments (as required);
  • Developing and implementing a comprehensive data breach plan; and
  • Considering available cyber-insurance solutions and coverage.

The Cybersecurity and Data Privacy Group at Cox & Palmer is happy to assist organizations in preparing for and responding to compliance issues arising from applicable privacy legislation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.