U.S. companies with operations in Canada that have long had to meet Canadian privacy standards will likely have a leg up on compliance with new European Union privacy rules that take effect May 25.
Companies around the globe are rushing to meet the EU’s General Data Protection Regulation (GDPR) deadline. But U.S. companies that have grown accustomed to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are starting out closer to the goal, because PIPEDA and the GDPR provide similar data protections, privacy attorneys told Bloomberg Law.
U.S. companies operating in Canada and the EU—including airline giant The Boeing Co., bulk grocery chain Costco Corp., and beer conglomerate Molson Coors Brewing Co.—list their revenues in Canada and Europe with the U.S. Securities and Exchange Commission, according to Bloomberg data. Scores of other U.S. companies, including McDonald’s Corp., operate in Canada and the EU but don’t report revenues in those regions, according to an analysis of U.S. corporate filings.
Tobi Cohen, spokeswoman for Canada’s Office of the Privacy Commissioner, told Bloomberg Law that any companies operating in Canada that handle EU citizens’ personal information should “take note of important changes coming to Europe’s data protection framework” and take steps to ensure compliance.
The risks are high for companies that fail to comply with the GDPR, with fines of up to 20 million euros ($23.7 million) or 4 percent of a company’s worldwide annual revenue for the prior financial year, whichever is higher.
Most U.S. businesses in Canada and their Canadian counterparts will have to comply with the GDPR because they have business relationships with the EU, Chantal Bernier, head of Dentons’ Canadian privacy and cybersecurity practice, told Bloomberg Law. Even those that don’t directly fall under the GDPR will likely also have to comply because their “business partners in the EU are requiring it,” she said.
U.S. companies in Canada and their business partners “have an obligation, where an infraction is punishable by heavy fines, to only transfer personal data to companies that are GDPR compliant,” Bernier said.
In many cases, U.S. companies experienced with PIPEDA that fall under the GDPR’s purview will have to make only minor tweaks to their privacy and data protection approaches, Wendy Mee, privacy partner at Blake, Cassels & Graydon LLP in Toronto, told Bloomberg Law. These businesses will have an easier time complying with the GDPR’s right to be forgotten, consent, and data transfer standards, she said.
PIPEDA and the GDPR both give individuals the right to request the take-down of search links to user data. The EU’s right to be forgotten, although tackled differently in the text of the GDPR, offers protections similar to PIPEDA’s, OPC Commissioner Daniel Therrien said in January 2018 guidance.
“PIPEDA applies to a search engine’s indexing of online content and display of search results. As such, search engines must meet their obligations under the Act,” he said.
The U.S. doesn’t have such a requirement, meaning companies without any exposure to complying with PIPEDA may have to start from scratch in creating GDPR right-to-be-forgotten compliance plans, Mee said.
Many U.S. companies in Canada have already begun GDPR preparations and may find it relatively easy to transfer EU individuals’ data from their U.S. operations to their Canadian outposts, Vanessa Henri, legal counsel at Hitachi Systems Security Inc. in Montreal, told Bloomberg Law.
The GDPR requires user consent to move EU citizens’ personal data, in most cases, and says that countries receiving the information must have levels of data protection comparable to those in the EU.
Because the U.S. doesn’t meet that standard, American businesses must rely on work-around methods, such as the EU-U.S. Privacy Shield, binding corporate rules, or standard contractual clauses, to move data from the EU to the U.S. Once the data is in the U.S., it should prove relatively easy to transfer it to corporate partners and vendors in Canada, which the EU has deemed to have adequate data protections, Henri said.
The reverse also holds true. U.S. businesses seeking to obtain EU citizen data from Canada would also have to comply with PIPEDA and the GDPR—and those entering the international data transfer market without any PIPEDA history may find it harder to interact with their Canadian counterparts on EU data dealings.
Looking ahead, U.S. companies will be closely watching how the EU characterizes Canada’s privacy protections in 2020. The European Commission will decide then if Canada’s PIPEDA and other privacy laws continue to provide an “adequate” data transfer mechanism for EU-Canada movement.