GDPR Now in Force Has Worldwide Reach

The General Data Protection Regulation (GDPR) was implemented on May 25, 2018. While it officially only affects European citizens, it has worldwide effects. As discussed previously on The Spotlight, any organization offering goods or services to residents of the European Union (EU) is expected to comply with the GDPR, even without a physical presence in the EU. Therefore, Canadian businesses that collect or process personal data on individuals resident in the EU have been (or should have been) preparing for these changes.

An interesting development is the public announcement by large technology companies, such as Microsoft and Facebook, that they will offer GDPR-compliant services to all users worldwide. Microsoft’s Corporate Vice President and Deputy General Counsel, Julia Brill, announced that the company has always supported GDPR and believes privacy is a fundamental human right. Microsoft will extend GDPR rights worldwide through tools and services backed by contractual commitments. While Facebook’s commitment is not as strong, it is rolling out the option of GDPR-compliant privacy settings to non-EU citizens. GDPR provisions give users more control and protection, including the ability to know where and why their data is being used. Given the size of Facebook’s and Microsoft’s user bases, exposure to such options may alter what the public expects of any business they deal with. Naturally, businesses have to adapt to changing privacy threshold expectations in order to manage public relations and legal risk. From a practical standpoint, maintaining two privacy policies, one for EU clients and one for non-EU clients, can also be more costly for businesses. Trends appear to point to stricter privacy policies worldwide. In Canada, Parliament’s intentions mirror these trends independent of societal pushes.

In an attempt to maintain the adequacy of the Personal Information Protection and Electronic Documents Act (PIPEDA) in light of the varying and often stricter requirements of GDPR, the Standing Committee on Access to Information, Privacy and Ethics released 19 recommendations to the federal government on February 28, 2018. Many recommendations signal the Canadian regulator’s attempt to bolster existing laws to offer controls over personal information similar to those afforded under the GDPR, such as the controversial position of interpreting PIPEDA as already incorporating a right to erasure.

As the privacy landscape continues to change worldwide and in Canada, it is more important than ever for all businesses to review their policies on an ongoing basis.