Goodmans comments on impact of GDPR fines on Canada

Canadian businesses must be able to adapt to future direction of local privacy laws

Goodmans comments on impact of GDPR fines on Canada
The Information Commissioner’s Office recently imposed fines on British Airways and Marriott International for infringement of GDPR

According to a bulletin by Goodmans, recent fines under the EU’s General Data Protection are of interest to Canadian businesses operate in the EU, especially if Canada revises its privacy laws in a manner resembling GDPR.

The update comes after the Information Commissioner’s Office (ICO), the UK’s independent authority on data privacy, imposed fines on British Airways and Marriott International, worth £183.4 million ($297.2 million) and £99.2 million (US$160.8 million), respectively, for infringement of GDPR.

GDPR, which came into effect in May 2018, governs personal information collected by organizations. The regulations apply to any information relating to an identifiable person, who can be directly or indirectly identified through the information, such as names and IP addresses. The regulations impose significant accountability obligations on both data controllers (the entity determining how data is collected and used by the organization) and processors (third parties engaged in processing personal data for controllers).

Under the regulations, organizations found to have seriously breached GDPR can be fined up to 4 per cent of annual global turnover or €20 million ($29.3 million), whichever is greater. Lesser infringements, such as failing to notify supervising authorities and data subjects about a breach, or failing to conduct an impact assessment, can result in lesser fines.

According to Goodmans, GDPR applies to Canadian businesses that conduct business in the EU. Aside from companies that have physical offices in the EU, it also applies to businesses that offer goods and services to individuals in the EU through websites or mobile apps. In some circumstances, collecting personal information about individuals in the EU can also engage GDPR.

Furthermore, Goodmans believes that Canada’s own privacy regime take a more GDPR-like approach, with the Government of Canada having announced a Digital Charter, which may be a sign of Canadian privacy law adapting a GDPR-like system. In recent months, the Privacy Commissioner of Canada has taken “aggressive actions” based on a potential interpretation of Canadian legislation that incorporates concepts found in the GDPR.

Canadian businesses should ensure not only that they have the safeguards to comply with current law but also the ability to adapt to future requirements, the law firm advised.

Related stories

Free newsletter

Our newsletter is FREE and keeps you up to date on all the developments in the Ontario legal community. Please enter your email address below to subscribe.

Recent articles & video

Law school students develop app to automate police complaint process

What employment law clients are saying about the new three-day COVID-related paid sick leave

Ontario Court of Appeal ruling ‘sending alarm bells’ through construction industry, says lawyer

Ombudsman for crime victims backs all recommendations of missing person investigations report

Tribunal erred in conflating ‘but for’ test with direct causation test: Divisional Court

Ruling affirms racial profiling can be result of a police officer's unconscious bias: lawyers

Most Read Articles

Ruling affirms racial profiling can be result of a police officer's unconscious bias: lawyers

Next phase of Restoule Treaty annuity appeal beginning in early June

Legal-tech platform promoting access to justice for marginalized communities presented at conference

Insurer not liable when insured’s move from home triggered policy’s vacancy exclusion clause