Canadian Firms Could Face Consequences from EU Privacy Law

Any Canadian business which collects personal information about residents of the European Union — be they tourists, students or online customers — risks maximum fines of $30 million or more if they violate a sweeping new EU privacy law that takes effect Friday.

But privacy experts say many small- and mid-sized Canadian companies have only recently become aware that they may be covered by the EU's General Data Protection Regulation (GDPR), which was adopted by the 27-country regional government in 2016 with a two-year delay before enforcement starting on May 25, 2018.

That's equally true for a boutique fashion company selling purses, a university with students from a European country or a website using cookies or other information-tracking features, she said. The GDPR could even affect small tourism-related businesses such as a resort or tour operator, because they have guests from all over the world.

The GDPR's scope covers everything from giving people an opportunity to obtain, correct or remove personal data about themselves, to outlining rules for disclosing security breaches, to providing easily understood privacy policies and terms of service.

One of the criticisms of GDPR has been that it could impose higher administrative costs on every company that wants to comply with the rules — plus the potentially devastating impact of being hit with a fine for violating the law.

For example, a fine of 4% of annual revenue would be very painful for a large company like Facebook or Google but, according to one commentator, "that's a death sentence for a small company that gets hit with a GDPR fine."

While the EU intends for its fines to be a real deterrent to breaking the privacy law, it does take into account a number of factors, such as whether the infringement is intentional or negligent, the actions taken to reduce damage to the individuals, and preparations in place to prevent non-compliance.

However, it may impose the biggest fine applicable in a particular case and the ultimate maximum fine could be either 20 million euros ($30 million Cdn), or 4% of a company's annual global revenue, whichever is greater.

One expert said many of her larger clients have been grappling with the legal and operational implications of the GDPR for 18 months or more, but others have only recently become aware that they need to be ready, too.