Privacy Gets Pricey: Rising GDPR Fines and the Risks Facing Canadian Companies

October 30, 2020

While the COVID-19 pandemic has dramatically (and negatively) impacted economies around the world, Canadian companies remain keen to do business with the European Union. Since the signing of the Canada-EU Comprehensive Economic and Trade agreement (CETA) in 2016 (and its entering into force in 2017), two-way merchandise trade between Canada and the EU was up 21.1% compared to pre-CETA levels.

However, Canadian companies doing business with partners based in the EU – and where personal data collection, use and/or disclosure could take place – cannot lose sight of the impact the General Data Protection Regulation (GDPR) may have on their operations, especially when it comes to the cost of non-compliance.

The GDPR came into effect in 2018, aiming to provide European citizens and residents with greater control over how their personal data could be collected, used, and disclosed. Notably, enforcement mechanisms are a critical part of the GDPR’s framework, which empower European regulators to enforce compliance measures and levy fines for breaches.

For example, the GDPR provides for two levels of fines.  At Level 1, if an organization subject to GDPR suffers a data breach, or it lacks a Data Protection Impact Assessment (DPIA), the company can face a fine of up to 10 million euros or 2% of a company’s worldwide revenue (whichever is higher).

A Level 2 fine may be applied to breaches involving the GDPR’s eight data subject rights, including consent and limits on data transfers, with a maximum fine of 4% of a company’s worldwide revenue or 20 million euros (whichever is higher).

Previous regulatory fines for privacy breaches had been relatively small, such as the £500,000 paid by Facebook to the U.K.’s Information Commissioner Office for the Cambridge Analytica scandal (which was the maximum allowed under the old data protection rules applied before GDPR became law).

However, recent penalties have shown a very different trend as international companies faced a number of large fines under GDPR in 2019 and 2020.  For example:

  • A German real estate company, Deutsche Wohnen SE, was fined €14.5 million for a non-compliant data storage system that contained highly sensitive information, which also failed to allow for obsolete data to be erased.
  • Austrian Post faced a fine of €18 million for collecting and selling information related to consumers’ political leanings.
  • Google was fined €50 million for failing to meet various GDPR requirements. These related to the improper collection and processing of personal data, and also a lack of transparency regarding how personal data was harvested and then used for advertising.
  • TIM, an Italian telecommunications operator, was issued a €27.8 million fine for an extensive list of violations centering on the company’s marketing program that targeted non-customers without consent and retained excessive data (which was subsequently breached).
  • Another Italian company, Wind Tire S.p.A., faced a fine of €16.7 million related to the organization’s approach to marketing, which involved unsolicited emails to customers and the unlawful processing of their personal data without the ability for them to withdraw their consent.

While the organizations listed above may have their offending offices based in the EU, this does not mean that Canadian companies can disregard the risk from GDPR fines. Any company that is processing the data of EU citizens and residents is required to follow the GDPR in terms of how that data is used and stored, including when an organization is monitoring online behavior (i.e., tracking the data of website visitors).

Given these regulatory trends, Canadian companies doing business involving the personal data of EU citizens and residents must comply with the GDPR or face serious financial risk.  These organizations ought to increase their awareness of privacy law in general, and specifically how the GDPR could impact their operations. Recommended next steps to address compliance concerns include:

  • Data mapping to determine where and how the GDPR may apply to your organization;
  • Completing a privacy audit or impact analysis (PIA);
  • Conducting Data Protection Impact Assessments (as required);
  • Developing and implementing a comprehensive data breach plan; and
  • Considering available cyber-insurance solutions and coverage.

The Cybersecurity and Data Privacy Group at Cox & Palmer is happy to assist organizations prepare for and respond to compliance issues arising from applicable privacy legislation.

Related Services

Cybersecurity & Privacy

Related Articles

Legal Authority and Consent in Generative AI: Ensuring Compliance and Building Trust

As businesses in Canada continue to uncover the potential of generative artificial intelligence (AI), understanding the legal underpinnings of authority and consent becomes paramount. This article explores these concepts within the framework of the Office of the Privacy Commissioner of Canada’s principles, providing actionable insights and practical examples to guide businesses in their compliance efforts. […]

read more

Privacy Law and PIPEDA: Common questions asked by businesses

As someone practicing for several years in the field of privacy law, I am asked to provide advice and to answer a variety of questions from both clients and other legal professionals on a myriad of privacy, access to information, and cyber liability related topics. The purpose of this article is to provide insight into […]

read more

Introduction to OPC’s Generative AI Principles: A Guide for Canadian Businesses 

In late 2023, the Office of the Privacy Commissioner of Canada (OPC) introduced a comprehensive set of principles aimed at guiding the responsible, trustworthy, and privacy-protective development and use of generative artificial intelligence (AI) technologies. This initiative reflects a proactive stance by Canadian privacy regulators to address the complex challenges and opportunities posed by the […]

read more
view all
Cox & Palmer publications are intended to provide information of a general nature only and not legal advice. The information presented is current to the date of publication and may be subject to change following the publication date.