Foreign Policy Blogs

Possible Penalties if Nation States Ignore the EU’s GDPR

In May of 2018, the European Union passed The General Data Protection Regulation, known as the GDPR, and many companies worldwide took notice. If you were a company operating within the EU, it was well known, and services were made available so you could become compliant. Compliance meant that you were required to take diligent care of customers’ personal data, seek detailed permission within reason to access their data, and use their data in an appropriate and limited fashion. Companies and governments outside of the EU also took notice, and consulting firms and law firms outside of the EU offered compliance advice for any company that would affect the lives of any EU citizen. This also meant that companies that operated in some manner related to the EU or possible citizens of the European Union took the GDPR provisions seriously. Deterrence of GDPR violations followed much the same method as for competition act violations: fines, large and record-breaking fines for violators of the GDPR.

The question of whether or not a foreign government’s action could violate the GDPR might come into play early in the application of the GDPR. Canada and the European Union recently signed a Free Trade Agreement, one that goes beyond most FTAs by including social and labour issues between the two parties. With so many links between Canada and the EU beyond simple trade matters, many of the stringent EU regulations need to be considered by Canadian companies and even the Government of Canada when trading with the European Union. While many trade agreements would not seek to enforce social values or labour rights, the close cultural, commercial and legal ties between Canada and the EU made it more palatable for Canadians and Europeans alike, as the values of Canadians and many Europeans share a common bond.

Recently in Canada many were shocked to find out that a government agency responsible for data and statistical analysis was using its powers to access the private banking and financial information of a large number of Canadians without their knowledge or consent. The agency of the Federal Government, Statistics Canada, was forcing private banks to hand over to the government data that showed every transaction, loan, deposit, payment and piece of data collected, including names and addresses. The government in parliament defended these actions and said it was its legal right to access any information at any time for statistical purposes. Even during the general census, signed permission is required, but in this case no permission was asked, and the clients of the bank were not even made aware of the requests. With so many banks, including Canadian banks, having close connections to the EU, it is likely the case that the European Commission could investigate those banks, and in what might be an interesting application of the GDPR, the EU may be able to fine not only Canadian banks, but the Canadian government itself.

The way the law is written in applying the GDPR is that any EU citizen who has their data abused will be protected by the EU. So in the application of laws in Canada, if the client of the Canadian bank happens to be an EU citizen, or perhaps even is incorporated or has commercial ties in the EU in some form, the EU may have jurisdiction over the data violation. With much of the diverse populations of large Canadian cities like Toronto and Montreal being dual citizens of countries like Italy, Portugal, Greece and a number of other EU member states, a violation of the GDPR by their bank as well as the Government of Canada may result in the EU issuing fines against firms and the Canadian government. With such a gross violation of data privacy in Canada and the uproar from citizens and even those in the privacy community in Canada itself, the excessive use of powers by the government may prompt a severe backlash against Canada’s government. Using the GDPR as a defense may prove useful to clever lawyers in Canada and the EU, but the application of a law in 2018 that completely ignores the entire world and privacy experts moving towards the GDPR is simply ignorant of how data privacy should be paramount in the EU and anywhere outside of Europe in modern times.



Richard Basas

Richard Basas, a Canadian Masters Level Law student educated in Spain, England, and Canada (U of London MA 2003 LL.M., 2007), has worked researching for CSIS and as a Reporter for the Latin America Advisor. He went on to study his MA in Latin American Political Economy in London with the University of London and LSE. Subsequently, Rich followed his career into Law focusing mostly on International Commerce and EU-Americas issues. He has worked for many commercial and legal organisations as well as within the Refugee Protection Community in Toronto, Canada, representing detained non-status individuals residing in Canada. Rich will go on to study his PhD in International Law.

Areas of Focus:
Law; Economics and Commerce; Americas; Europe; Refugees; Immigration