EU Privacy Rules Easier for U.S. Companies Versed in Canada’s Law


By Daniel R. Stoller

U.S. companies with operations in Canada that have long had to meet Canadian privacy standards will likely have a leg up on compliance with new European Union privacy rules that take effect May 25.

Companies around the globe are rushing to meet the EU’s General Data Protection Regulation (GDPR) deadline. But U.S. companies that have grown accustomed to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are starting out closer to the goal, because PIPEDA and the GDPR provide similar data protections, privacy attorneys told Bloomberg Law.

U.S. companies operating in Canada and the EU—including airline giant The Boeing Co., bulk grocery chain Costco Corp., and beer conglomerate Molson Coors Brewing Co.—list their revenues in Canada and Europe with the U.S. Securities and Exchange Commission, according to Bloomberg data. Scores of other U.S. companies, including McDonald’s Corp., operate in Canada and the EU but don’t report revenues in those regions, according to an analysis of U.S. corporate filings.

Tobi Cohen, spokeswoman for Canada’s Office of the Privacy Commissioner, told Bloomberg Law that any companies operating in Canada that handle EU citizens’ personal information should “take note of important changes coming to Europe’s data protection framework” and take steps to ensure compliance.

The risks are high for companies that fail to comply with the GDPR, with fines of up to 20 million euros ($23.7 million) or 4 percent of a company’s worldwide annual revenue for the prior financial year, whichever is higher.

Most U.S. businesses in Canada and their Canadian counterparts will have to comply with the GDPR because they have business relationships with the EU, Chantal Bernier, head of Dentons’ Canadian privacy and cybersecurity practice, told Bloomberg Law. Even those that don’t directly fall under the GDPR will likely also have to comply because their “business partners in the EU are requiring it,” she said.

U.S. companies in Canada and their business partners “have an obligation, where an infraction is punishable by heavy fines, to only transfer personal data to companies that are GDPR compliant,” Bernier said.

Canadian Experience

In many cases, U.S. companies experienced with PIPEDA that fall under the GDPR’s purview will have to make only minor tweaks to their privacy and data protection approaches, Wendy Mee, privacy partner at Blakes, Cassels & Graydon LLP in Toronto, told Bloomberg Law. These businesses will have an easier time complying with the GDPR’s right to be forgotten, consent, and data transfer standards, she said.

PIPEDA and the GDPR both give individuals the right to request the take-down of search links to user data. The EU’s right to be forgotten, although tackled differently in the text of the GDPR, offers similar protections as PIPEDA, OPC Commissioner Daniel Therrien said in January 2018 guidance.

“PIPEDA applies to a search engine’s indexing of online content and display of search results. As such, search engines must meet their obligations under the Act,” he said.

The U.S. doesn’t have such a requirement, meaning companies without any exposure to complying with PIPEDA may have to start from scratch in creating GDPR right-to-be-forgotten compliance plans, Mee said.

U.S.-Canada Data Transfers

Many U.S. companies in Canada have already begun GDPR preparations and may find it relatively easy to transfer EU individuals’ data from their U.S. operations to their Canadian outposts, Vanessa Henri, legal counsel at Hitachi Systems Security Inc. in Montreal, told Bloomberg Law.

The GDPR requires user consent to move EU citizens’ personal data, in most cases, and says that countries receiving the information must have levels of data protection comparable to those in the EU.

Because the U.S. doesn’t meet that standard, American businesses must rely on work-around methods, such as the EU-U.S. Privacy Shield, binding corporate rules, or standard contractual clauses, to move data from the EU to the U.S. Once the data is in the U.S., it should prove relatively easy to transfer it to corporate partners and vendors in Canada, which the EU has deemed to have adequate data protections, Henri said.

The reverse also holds true. U.S. businesses seeking to obtain EU citizen data from Canada would also have to comply with PIPEDA and the GDPR—and those entering the international data transfer market without any PIPEDA history may find it harder to interact with their Canadian counterparts on EU data dealings.

Looking ahead, U.S. companies will be closely watching how the EU characterizes Canada’s privacy protections in 2020. The European Commission will decide then if Canada’s PIPEDA and other privacy laws continue to provide an “adequate” data transfer mechanism for EU-Canada movement.
