EU Privacy Law

The General Data Protection Regulation (GDPR) was created for the purpose of strengthening and unifying privacy and data protection for all individuals in the EU.

In force since May 25, 2018, the GDPR codifies the rules for all organizations that collect personal data from EU citizens, regardless of their location. It expands individuals' control over how and when their personal data is collected and used.

Violators of the GDPR may be fined up to €20 million, or up to 4% of their annual worldwide turnover for the preceding financial year, whichever is greater.

Canada's adequacy status under the GDPR ensures that data processed in accordance with the GDPR can be transferred from the EU to Canada without the additional data protection safeguards that have been put in place for some other countries. This status is subject to review by the EU every four years, and a decision on Canada's renewed adequacy status is expected in 2020.

CMA Resources

Does the law apply to you?

If you're a Canadian organization, you are subject to the GDPR if you:

  • Have an establishment or physical presence in the EU,
  • Offer goods or services to EU residents (even at no charge), or;
  • Intentionally monitor or profile behaviours of individuals in the EU.

There are also implications if you are a third-party processor of EU personal data.

Expected ePrivacy Regulation

Since the GDPR came into force in 2018, organizations have been waiting for the new ePrivacy Regulation (intended to replace the current ePrivacy Directive), a companion regulation to the GDPR covering the processing of personal information for electronic communication, including cookie usage.

Once adopted, the ePrivacy Regulation will apply uniformly across the EU. By contrast, the existing ePrivacy Directive is only enforced by EU member states who have incorporated it into national law. This fragmented landscape has led to discrepencies in interpretations among the privacy regulators of EU member states - known as the designated supervisory authorities. As European legislators struggle to reach a consensus (the latest draft of the ePrivacy Regulation was voted down in late 2019), implementation of the new regulation may not occur until well into 2021.

Oversight and enforcement

The GDPR is enforced by the designated supervisory authority or "Data Protection Authority" in each member state. Although the GDPR is an EU-wide law, passed by the European Parliament, it's up to each of the EU Member States to develop its own guidance around GDPR and enforce the application of the law within its territory.

Generally, you will deal with the supervisory authority(ies) in the EU Member State(s) where you are established. If you do not have an establishment in the EU, consult the following guidelines to identify your relevant supervisory authority(ies).

Guidelines and best practices from the European Data Protection Board

Organizations should be mindful of general guidance issued by the European Data Protection Board (EDPB) to promote a common understanding of the GDPR, both across the EU and around the world. You should also consult available guidance from your designated supervisory authority(ies). 

For a full list of guidelines from the EDPB, see here.

Tags: privacy, GDPR, EU, Canada