Canadian Companies Unprepared for New EU Privacy Regime

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Peter Menyasz

Canadian companies are largely unprepared for the looming new European Union privacy regime, privacy attorneys told Bloomberg BNA.

Companies based in Canada that do business in the EU face potential massive fines if they are not ready for the May 2018 implementation of the the EU General Data Protection Regulation (GDPR). Although large Canadian companies, such as train and airplane manufacturing giant Bombardier Inc., are better prepared for the coming challenge, smaller companies may not be ready when the GDPR takes effect.

Many companies will be unprepared when the GDPR comes into force, Bernice Karn, an information technology and privacy partner in the Toronto office of Cassels Brock LLP, said.

The GDPR “has the potential to significantly alter business structure and processes for companies outside of the EU,” Paige Backman, chair of the privacy and data security group at Aird & Berlis LLP in Torornto, said. That is catching many Canadian businesses “by surprise,” she said.

The GDPR sets strict new consent, record keeping, data breach notification, and other requirements. It authorizes privacy regulators to issue fines of up to 20 million euros ($23 million) or 4 percent of a company’s worldwide revenue, whichever is higher.

The GDPR may also affect have an effect on data transfers to Canada. In 2001, the European Commission, the EU’s executive arm, held that Canada’s privacy laws were adequate to protect the privacy of EU citizens’ personal data. That ruling allowed companies in the EU to freely transfer personal data to Canada. But the new GDPR standards might mean the commission would reconsider that adequacy determination, Daniel Therrien, Canada’s privacy commissioner, recently said.

Data Transfers

In January, the commission said that Canada’s adequacy status to accept the transfer of personal data from the EU is “partial” because it only covers the federal Personal Information Protection and Electronic Documents Act (PIPEDA), not subsequent privacy provisions in other federal laws or provincial privacy laws. Future adequacy decisions from the EU will include a comprehensive assessment of Canada’s privacy regime, Therrien said.

“The EU’s assessment of PIPEDA’s adequacy status is a pressing issue with possible far-ranging implications,” he said. The Canadian Parliament should review any gaps between Canadian and European privacy laws, including differences in the enforcement powers of data regulators in the EU and Canada, Therrien said.

Parliament’s House of Commons Access to Information, Privacy, and Ethics Committee is expected to make recommendations on how the government and Canadian businesses should best respond to the new GDPR compliance obligations. No date for releasing a report has been set.

Committee Hears GDPR Concerns

The potential impact of the GDPR on Canada is expected to figure prominently in the pending report on the committee’s statutory review of PIPEDA.

Committee hearings wrapped up June 13, with witnesses, including Therrien, raising concerns about Canada’s readiness for the GDPR. No date for release of the report has been set, House of Commons Procedural Clerk David Gagnon told Bloomberg BNA.

Therrien said that the new EU law contained provisions that don’t appear in Canada’s privacy law, including those about the right of individuals to request the erasure of certain personal data, privacy by design, and building in privacy settings as a default rather than always requiring individuals to invoke privacy settings.

Suzanne Morin, vice-chair of the Canadian Bar Association, urged the committee to carefully monitor Canada’s EU adequacy status, but suggested it would be premature to amend the federal privacy law to anticipate changes that could be required to maintain that status.

In its formal submission to the committee, the association said that PIPEDA is only one part of Canada’s privacy framework, and not necessarily the appropriate vehicle to address adequacy concerns on information sharing.

Toronto privacy attorney David Young told the committee that the new EU rules aren’t so dramatically different that they require Canada to make legislative changes.

The Ottawa-based Public Interest Advocacy Centre urged the committee to recommend amendment of PIPEDA. “As the global market for online user data grows multiple-fold over the next few years, the committee is in a timely position to ensure privacy laws under PIPEDA can protect Canadians as they navigate that market in the future,” it said.

To contact the reporter on this story: Peter Menyasz in Ottawa at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The David Young submission is at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security