GDPR Guidelines for Canadian Business

by David Canton

The new EU GDPR privacy rules can apply to businesses outside of the EU that provide goods and services to EU data subjects. It is important for businesses outside of the EU to know when they are subject to the GDPR, as penalties for non-compliance are significant. An occasional sale to someone in the EU probably won’t be an issue – but what will?

The European Data Protection Board just released for public consultation draft guidelines on when the GDPR applies to those without a presence in the EU.

Article 3(2) of the GDPR says it applies to businesses without an EU presence with activities relating to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

The guideline’s examples under the targeting criteria in (a) include:

Having a website with an EU based TLD (such as .eu)
Mentioning EU countries by name
Having marketing aimed at an EU audience
Using EU currency
Offering delivery to the EU

The guideline’s examples under the behavioural monitoring criteria in (b) include:

Behavioural advertisements
Geo-localisation activities, in particular for marketing purposes
Online tracking through the use of cookies or other tracking techniques such as fingerprinting
Personalised diet and health analytics services online
Market surveys and other behavioural studies based on individual profiles
Monitoring or regular reporting on an individual’s health status

The guideline says that to be caught as “monitoring”, it must be with a specific purpose in mind for the collection and use of data on EU subjects.

Canadian companies should look at their websites, social media, and other marketing materials to see if they might cross the thresholds outlined in the guideline. And check again when the guideline is final. The choice is to either alter their practices to avoid the thresholds, or become GDPR compliant.

The guidelines are available here. Comments are being accepted until January 18.

Comments are closed.

Most Recent Comments

Norm Keith on The Cream of the Crop? King’s Counsel and Certified Specialists in Ontario:

Dear Mr. Semple: Thank you for you article and the sharing of your opinions. While I agree with your views… more »
Sarah A. Sutherland on Writing Your Book Once You’ve Planned It:

That's absolutely true. It's much easier to start building on things that you've already written. Even if you write everything… more »
Neil Guthrie on Writing Your Book Once You’ve Planned It:

It's really helpful if you can take material you've already written or published for another purpose and use that as… more »
Sarah A. Sutherland on Writing Your Book Once You’ve Planned It:

Thank you Marcelo! more »

+ -

Joining the Call for Canadian Copyright Reform Now

End of Summer US Legal Research Update

Torts and Family Violence: Ahluwalia v Ahluwalia

Why Should I Teach From (And Contribute To) a Casebook?

Discussions of Professional Identity in Legal Education

Get Up to Date News About Unbundled Legal Services and Legal Coaching in BC and Beyond

GDPR Guidelines for Canadian Business