The General Data Protection Regulation (GDPR) was created for the purpose of strengthening and unifying privacy and data protection for all individuals in the EU.
In force since May 25, 2018, the GDPR codifies the rules for all organizations that collect personal data from EU citizens, regardless of their location. It expands individuals' control over how and when their personal data is collected and used.
Violators of the GDPR may be fined up to €20 million, or up to 4% of their annual worldwide turnover for the preceding financial year, whichever is greater.
Canada's adequacy status under the GDPR ensures that data processed in accordance with the GDPR can be transferred from the EU to Canada without the additional data protection safeguards that have been put in place for some other countries. This status is subject to review by the EU every four years, and a decision on Canada's renewed adequacy status is expected in 2020.
- CMA Guide: EU GDPR and ePrivacy Regulation
- CMA Blog: GDPR Update: Cookies, new consent guidance, and what's on the horizon
- CMA Blog: How the GDPR impacts Marketers - challenging common misconceptions to understand Europe's new privacy law
- CMA Blog: GDPR's impact on Canadian business - preparing yourself for EU's new privacy law
- CMA Webinar: Europe's new data protection regulation: What Canadian marketers need to know (April 2018)
Does the law apply to you?
If you're a Canadian organization, you are subject to the GDPR if you:
- Have an establishment or physical presence in the EU,
- Offer goods or services to EU residents (even at no charge), or
- Intentionally monitor or profile behaviours of individuals in the EU.
There are also implications if you are a third-party processor of EU personal data.
Expected ePrivacy Regulation
Since the GDPR came into force in 2018, organizations have been waiting for the new ePrivacy Regulation (intended to replace the current ePrivacy Directive), a companion regulation to the GDPR covering the processing of personal information for electronic communication, including cookie usage.
Once adopted, the ePrivacy Regulation will apply uniformly across the EU. By contrast, the existing ePrivacy Directive is only enforced by EU member states that have incorporated it into national law. This fragmented landscape has led to discrepancies in interpretation among the privacy regulators of EU member states - known as the designated supervisory authorities. As European legislators struggle to reach a consensus (the latest draft of the ePrivacy Regulation was voted down in late 2019), implementation of the new regulation may not occur until well into 2021.
Oversight and enforcement
The GDPR is enforced by the designated supervisory authority or "Data Protection Authority" in each member state. Although the GDPR is an EU-wide law, passed by the European Parliament, it's up to each of the EU Member States to develop its own guidance around GDPR and enforce the application of the law within its territory.
Generally, you will deal with the supervisory authority(ies) in the EU Member State(s) where you are established. If you do not have an establishment in the EU, consult the following guidelines to identify your relevant supervisory authority(ies).
Guidelines and best practices from the European Data Protection Board
Organizations should be mindful of general guidance issued by the European Data Protection Board (EDPB) to promote a common understanding of the GDPR, both across the EU and around the world. You should also consult available guidance from your designated supervisory authority(ies).
- Guidelines on consent (2020)
- Guidelines on the criteria of the Right to be Forgotten in the search engines cases - version for public consultation (2020)
- Guidelines on processing of personal data through video devices (2019)
- Guidelines on the processing of personal data in the context of the provision of online services to data subjects (2019)
- Guidelines on the territorial scope of the GDPR (2018)
- Guidelines on transparency (2018)
- Guidelines on automated individual decision-making and profiling (2018)
- Guidelines on personal data breach notifications (2018)
- Guidelines on the right to data portability (2018)
- Guidelines on Data Protection Officers ('DPO') (2018)
- Guidelines for identifying a controller or processor's lead supervisory authority
For a full list of guidelines from the EDPB, see here.