GDPR Guidelines for Canadian Business

by David Canton

The new EU GDPR privacy rules can apply to businesses outside of the EU that provide goods and services to EU data subjects. It is important for businesses outside of the EU to know when they are subject to the GDPR, as penalties for non-compliance are significant. An occasional sale to someone in the EU probably won’t be an issue – but what will?

The European Data Protection Board just released for public consultation draft guidelines on when the GDPR applies to those without a presence in the EU.

Article 3(2) of the GDPR says it applies to businesses without an EU presence with activities relating to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

The guideline’s examples under the targeting criteria in (a) include:

Having a website with an EU based TLD (such as .eu)
Mentioning EU countries by name
Having marketing aimed at an EU audience
Using EU currency
Offering delivery to the EU

The guideline’s examples under the behavioural monitoring criteria in (b) include:

Behavioural advertisements
Geo-localisation activities, in particular for marketing purposes
Online tracking through the use of cookies or other tracking techniques such as fingerprinting
Personalised diet and health analytics services online
Market surveys and other behavioural studies based on individual profiles
Monitoring or regular reporting on an individual’s health status

The guideline says that to be caught as “monitoring”, it must be with a specific purpose in mind for the collection and use of data on EU subjects.

Canadian companies should look at their websites, social media, and other marketing materials to see if they might cross the thresholds outlined in the guideline. And check again when the guideline is final. The choice is to either alter their practices to avoid the thresholds, or become GDPR compliant.

The guidelines are available here. Comments are being accepted until January 18.

Comments are closed.

Most Recent Comments

Robert McKay on Law Publishing Doom-Mongers, Self-Styled Heroes and Others:

Thanks Sarah. Of course, the term "publishing" has always been too wide a definition, and to put the likes of… more »
Sarah A. Sutherland on Law Publishing Doom-Mongers, Self-Styled Heroes and Others:

Robert, Your post makes sense to me, and I certainly don't participate in the discussions you describe looking toward the… more »
Melanie Bueckert on Am I Just a Husky by Nature? Determining if You’re a Work-Based Person or Workaholic:

Thank you for this article, Melanie. Food for thought, for sure. I appreciated the acknowledgment in the CMHA article that… more »
John on The Inevitability of AI in Court: What Does It Mean for Self-Represented Litigants?:

(Part 2) Perplexity is catching up with Claude as an AI companion. The latest studies show AI’s primary use is… more »

+ -

Law Publishing Doom-Mongers, Self-Styled Heroes and Others

Am I Just a Husky by Nature? Determining if You’re a Work-Based Person or Workaholic

In the Absence of Federal AI Laws, Privacy Regulators Lead the Way: Lessons From the Clearview Case

Letting Our Research Run With AI Content

Professional Identify Formation: What It Is and Why It Matters

Free AI Is All You Need to Supercharge Your Practice

GDPR Guidelines for Canadian Business