The entry into force of GDPR was subject to broad press coverage in Canada. At a time when data protection scandals such as those faced by Facebook were also receiving a lot of media attention, the legitimacy of regulations such as the GDPR appeared undeniable in principle.
When it came to compliance, and as is often the case with laws of extraterritorial reach, many Canadians wondered why and to what extent they were concerned by GDPR. In this regard, a frequently asked question is whether a fine imposed under GDPR to a Canadian based company by a European supervisory authority would be enforceable in Canada. As of today, there is no legal certainty with respect to the answer.
Generally speaking, there are no statistics, studies or reports known by the undersigned that have assessed the degree of response to GDPR in Canada. In the practice of technology law, however, it can be observed that many of the largest corporations decided to voluntarily comply with GDPR, for reasons ranging from corporate image to risk mitigation. Small and medium enterprises (SMEs), on the other hand, tend to consider the protection of personal data as a lower priority, until they have a specific reason to address this issue. As a matter of fact, many SMEs that decided to become GDPR compliant needed this status to benefit from business opportunities in Europe, in most cases as processors of data from a European data controller. Certain business sectors, such as tourism, are also more inclined to offer their European customers the standard of protection set by the GDPR.
Canadian legislation in this area is also evolving and, in the digital era, the protection of personal information is not only a trend but a reality that will remain. Many Canadian practitioners therefore advise their clients to use the opportunity of GDPR to distinguish themselves from their competitors, develop best practices and be ready for the upcoming changes in the Canadian legislation.