On May 25th 2018, the General Data Protection Regulation (GDPR) legislation will come into force. This legislation, adopted by the European Union (EU) in 2016, will bring a single cohesive system of privacy regulation to Europe. The GDPR has higher privacy obligations and required procedures as compared to the standards set out by Canadian legislation and if the GDPR applies to your firm, a degree of work will be required to ensure compliance.

The GDPR is intended to have a wider reach than just European countries and may impact Canadian firms if:

  1. the Canadian firm is processing personal data on a site in the territory of a state that is a signatory to the GDPR (“Member State”);
  2. the Canadian firm is established in a place where the Member State’s national law applies; or
  3. the Canadian firm processes data using equipment located in the territory of the Member State, unless it is only used for transit through the territory.

If the Canadian firm has an establishment in the EU, then the GDPR will apply if:

a) the Canadian firm offers goods or services to EU residents; or

b) the Canadian Firm monitors the behavior of EU residents within the EU (i.e. internet tracking activities).