Posted in: Data Security/Privacy | CASL | GDPR | Data Protection

Jul 21, 2017

With All Eyes Turned to CASL, is Anyone Paying Attention to GDPR?

With Less Than 1 Year Before GDPR Takes Effect, Make Sure Your Organization is Ready

By Paige Backman and Aaron Baer

In early June, the Government of Canada came to its senses by suspending the provision of Canada’s Anti-Spam Legislation (“CASL”) that would have enabled a private right of action to be brought as of July 1, 2017. While this decision provided temporary relief to businesses that feared frivolous million-dollar lawsuits, compliance with CASL is still a reality for businesses. As we discussed on the Spotlight in April, the three federal agencies that enforce CASL still have the authority to impose administrative monetary penalties against businesses.

However, lost in all the CASL attention is the pending introduction of the European Union’s General Data Protection Regulation (GDPR). Just as businesses scrambled to become CASL compliant prior to July 1, 2017, there is no doubt that the same scramble will take place as businesses turn their attention to the GDPR.

If your organization offers goods or services to residents of the European Union over the Internet, or processes the personal data of any such European Union residents, your organization will likely be required to comply with the GDPR, even if your organization has no physical presence in the EU.

The GDPR, which is expected to come into force on May 25, 2018, imposes a number of additional burdens on organizations, and the penalties for breaches are steep: up to 4% of annual worldwide turnover (revenue).

The new rules contained in the GDPR include:

  • requirements to obtain unambiguous consent;
  • obligations to report data breaches within prescribed time periods;
  • contractual and other obligations between a data collector and data processor;
  • special consent requirements for the collection of children’s data and special protections for children’s personal data (this can particularly impact social media, users of mobile apps and the education industry); and
  • new terms required to be included in privacy policies (which must be written in clear and plain language).

As Paige Backman, Chief Privacy Officer at Aird & Berlis, noted in a recent article for Bloomberg Law, the GDPR has the potential to significantly alter business structures and processes for companies outside the European Union. This is catching many businesses by surprise.

The Canadian Parliament’s House of Commons Access to Information, Privacy, and Ethics Committee has been reviewing Canada’s PIPEDA to assess whether changes to PIPEDA are required, including whether PIPEDA needs amendments to accord with the GDPR. If PIPEDA is not deemed to offer sufficient protection under the GDPR, our business relationships in the EU and Canadian businesses’ abilities to process EU data may be compromised. Paige Backman provided testimony to the House of Commons Access to Information, Privacy, and Ethics Committee recommending changes to PIPEDA, including certain changes that would accord with the GDPR requirements.

The Privacy and Data Security Group at Aird & Berlis is well-equipped to help your business prepare for GDPR. For more information, please contact Paige Backman, Aaron Baer or any other member of the firm’s privacy team.
