Understanding European Privacy Laws: Impacts on Canadian Business

By Ken Mark, Freelance writer.

On November 16 at the KPMG offices at 333 Bay Street the Belgian Canadian Business Chamber hosted  seminar on the recently announced European Union’s General Data Protection Regulation (GDPR).

In his opening remarks, Christian Frayssignes, vice-president of the Canadian Belgian Canadian Business Chamber (CBBC)  reported that in the first year of the Comprehensive Economic and Trade Agreement (CETA) with the 28-member European Union,  Canadian exports increased 3.3 -per cent imports rose 12.5 per cent.

André van der Heyden, CBBC vice-president and COO also reminded  the audience that Brussels is the de facto capital of Europe being the home for several major European Union governing bodies as well as the ideal entry point for goods to reach more than half of the EU’s 510 million consumers

Cristina Onosé, Director Canadian Marketing Association,  explains  that under General Data Protection Regulation (GDPR), Canadian firms must strengthen their IT data security practices and procedures to comply with of the EU’s requirement. As of November 1, 2018, its mandatory data breach notification will  be coming into force in Canada.  

GDPR  requires Canadian firms doing business with the EU to notify the Privacy Commissioner of Canada and all affected individuals if they suffer any type of loss of personal information that causes a real risk of major  harm. If Canadian companies offering goods or services to European Union (EU) residents or monitor the behavior of EU residents within the EU, they will now need to comply with strict new rules around how they collect, handle and secure information.

Says Derek Lackey, Toronto-based Managing Director of Newport Thomson, a data & privacy compliance consulting firm, “ concludes that Personal Information Protection and Electronic Documents Act (PIPEDA), which sets out the privacy obligations that firms must adhere to when they handling  personal information obtained in commercial is no longer adequate. 

He supports GDPR proposed  rules requiring firms to protect the personal and other data of their consumers and clients and formally requesting permission to share the personal data which they have collected. As well, he supports imposing penalties for non-compliance which do not exist under PIPEDA. “Enforcement is the key to protecting Canadians’ personal electronically collected data,“ he says.

Lackey also notes that the so-called FANG group of high-tech titans Facebook, Amazon, Netflix and Google may soon face huge fines from European and other regulators for their casual approach to sharing and selling their consumer data without informed consent.

In his comments, Donald Johnson, a partner with the law firm Air& Berlis and Honorary Consul General of Belgium in Toronto explained that existing data protection rules are inadequate in the today’s IT world based on involving external cloud computing solutions. He also notes that since 2012, the European Union has moved forward to become the world  leader in consumer data protection laws. He says, “Originally, personal data protection laws were based on principles, not rules.” 

He also mentions that many Canadian firms believe that they do not need to meet the new GDPR rules.  But if they have any business links with European firms, they should check if they need to comply. In fact, at the end of 2017, almost 40 per cent of EU companies were not ready for the new legislation.

In her comments, Sharon Bauer, a partner with the consulting firm KPMG outlined that GDPR requires that forms must inform regulators that their data system has been breached and if there is severe damage to  customer data  its cause and how it was repaired. Failure to  comply may lead to severe fines.

However, Bauer concludes that a positive certificate of assessment becomes  a seal of approval for the firm that increases the comfort level of its customers buying their products or services.

“It assures them ‘You can do business securely with us’.”