LEGAL
Beginning in May 2018, users of social media may have
noticed they were inundated with updated Terms
and Conditions to which they had to agree before
they were permitted to continue using the platform.
Those who live and die by their smartphone were subjected
to a deluge of these prompts. What instigated this? Four letters:
GDPR.
GDPR stands for General Data Privacy Regulation, which
is the European Union’s (EU) landmark privacy legislation –
adopted on April 14, 2016 – and made enforceable on May
25, 2018. The GDPR is noteworthy because it is pro-consumer
and gives individuals unprecedented control of – and access
to – their data. The flip side is that the GDPR places onerous
demands on businesses to store, handle and process customer
data appropriately.
Canadians may wonder whether the GDPR matters to
them. The short answer is that it affects Canadian businesses
that transact in Europe. For example, mobile application
developers whose applications are approved for listing in
Apple’s App Store, Google’s Play Store and their ilk, typically
make their applications as widely available as possible. If you
are a Canadian app developer seeking a large and affluent
customer base, you would be remiss to exclude Europe.
Companies updated their Terms and Conditions to inform
customers of new protocols and procedures regarding data
collection, storage, processing and deletion. Essentially,
these companies were informing users that they are GDPR
compliant. For large entities like Facebook or Google that
have infinitely deep pockets, ensuring compliance is not a
significant burden. For smaller Canadian businesses, it may
be difficult to financially justify full-scale compliance, or perhaps
the amount of business done in the EU does not make
it worthwhile.
For Canadian businesses that operate in the EU, there are a
few points to consider. GDPR compliance is onerous because
it places various demands on businesses. These demands
depend on whether one is a data controller or data processor
(or both), which are defined in Article 4:
(7) ‘controller’ means the natural or legal person, public
authority, agency or other body which, alone or
jointly with others, determines the purposes and
means of the processing of personal data; where the
purposes and means of such processing are determined
by Union or Member State law, the controller
or the specific criteria for its nomination may be
provided for by Union or Member State law;
Is Non-Compliance an Option?
Canadian businesses and the European Union’s
General Data Privacy Regulation
By Ranish Raveendrabose, Fillmore Riley LLP
PILING CANADA