How the new European privacy law can affect Canadian firms

A European privacy regulation taking effect this May poses some legal risk for commercial brokers’ Canadian clients, whether those clients know it or not.

The General Data Protection Regulation (GDPR) “should be top of mind” for Canadian risk managers, Terri Mason, CNA Canada’s assistant vice president for cyber and professional liability, told Canadian Underwriter.

GDPR grants legal rights to citizens of European Union member countries (meaning nearly every nation in Western and Central Europe), such as the right to have their personally identifiable information deleted when it is “no longer necessary in relation to the purposes” for which it was collected.

GDPR “applies to any company that has access to or is processing information” on citizens of EU nations, “regardless of where that organization is located,” Mason said.

An organization can face fines of up to 4% of annual revenue or 20 million euros, whichever is greater.

It’s up to individual EU member states to enforce GDPR. Those European national enforcement authorities have relationships with Canadian privacy commissioners at the federal and provincial level, said Imran Ahmad, a Toronto-based lawyer specializing in cyber security with Miller Thomson LLP, in a recent interview with Canadian Underwriter.

So if a citizen of an EU member nation were to complain about a Canadian organization to his or her government, the data protection authority in Europe can reach out to a Canadian privacy regulator to “see if there is any other conduct that maybe [the Canadian regulator] would like to look at,” Ahmad added. “So there is information sharing that could potentially occur between the regulators.”

The personal information encompassed by GDPR includes Internet Protocol (IP) addresses, notes the Republic of Ireland’s data protection commissioner on its website.

A Canadian company with no operations in Europe should nevertheless pay attention to GDPR. A Canadian firm could do business with a traveler from an EU member country, for example, and that European person may leave a data trail by paying for something by credit card or registering for a webinar, said Matthew Tyrer, senior manager of solutions marketing, Americas, at computer storage product vendor Commvault Systems Inc.

Some organizations keep computerized records of data going back years. “For years, the ideology of ‘keep everything forever’ was an approach to [electronic] data management, but it’s not necessarily one that I subscribe to,” Tyrer said. Managing privacy risk means companies need to know what data they are storing, he added.

Ahmad advises his clients that GDPR “is going to become the new gold standard” in managing data privacy breach risk. The regulation applies to “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person,” the EU notes. “It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

Any European regulator that wants to “throw the book” at a Canadian organization could get a judgement in a European court and try to have that judgement enforced in Canada, Ahmad noted. But he added it “would be very surprising” to him if that were to happen.

“The chances of them taking any major action against a Canadian company is relatively limited” if there was only one complaint, Ahmad said. If there is a series of complaints, the European regulator would likely “reach out to the company saying, ‘You are caught by GDPR for the following reasons, and we would like you to implement some remedial action.’”