
With All Eyes Turned to CASL, is Anyone Paying Attention to GDPR?

With Less Than One Year Before GDPR Takes Effect, Make Sure Your Organization is Ready


In early June, the Government of Canada came to its senses by suspending the provision of Canada’s Anti-Spam Legislation (“CASL”) that would have enabled a private right of action to be brought as of July 1, 2017. While this decision provided temporary relief to businesses that feared frivolous million-dollar lawsuits, compliance with CASL is still a reality for businesses. As we discussed on the Spotlight in April, the three federal agencies that enforce CASL still have the authority to impose administrative monetary penalties against businesses.

However, lost in all the CASL attention is the pending introduction of the European Union’s General Data Protection Regulation (GDPR). Just as businesses scrambled to become CASL compliant prior to July 1, 2017, there is no doubt that the same scramble will take place as businesses turn their attention to the GDPR.

If your organization offers goods or services to residents of the European Union over the Internet, or processes the personal data of any such European Union residents, your organization will likely be required to comply with the GDPR, even if your organization has no physical presence in the EU.

The GDPR, which is expected to come into force on May 25, 2018, imposes a number of additional burdens on organizations, and the penalties for breaches are steep: up to 4% of annual worldwide turnover (revenue).

The new rules contained in the GDPR include:

  • requirements to obtain unambiguous consent;
  • obligations to report data breaches within prescribed time periods;
  • contractual and other obligations between a data collector and data processor;
  • special consent requirements for the collection of children’s data and special protections for children’s personal data (this can particularly impact social media, users of mobile apps and the education industry); and
  • new terms required to be included in privacy policies (which must be written in clear and plain language).

As Paige Backman, Chief Privacy Officer at Aird & Berlis, noted in a recent article for Bloomberg Law, the GDPR has the potential to significantly alter business structures and processes for companies outside the European Union. This is catching many businesses by surprise.

The Canadian Parliament’s House of Commons Access to Information, Privacy, and Ethics Committee has been reviewing Canada’s PIPEDA to assess whether changes to PIPEDA are required, including whether PIPEDA needs amendments to accord with the GDPR. If PIPEDA is not deemed to offer sufficient protection under the GDPR, our business relationships in the EU and Canadian businesses’ abilities to process EU data may be compromised. Paige Backman provided testimony to the House of Commons Access to Information, Privacy, and Ethics Committee recommending changes to PIPEDA, including certain changes that would accord with the GDPR requirements.

The Privacy and Data Security Group at Aird & Berlis is well-equipped to help your business prepare for GDPR. For more information, please contact Paige Backman, Aaron Baer or any other member of the firm’s privacy team.