Global | Publication | April 2018
The EU General Data Protection Regulation (GDPR) comes into force on May 25, 2018, and will have implications for many Canadian organizations, particularly those controlling or processing personal information in the European Union or of EU data subjects.
The GDPR represents an overhaul of the European Union’s data protection laws and replaces Data Protection Directive 95/46EC and its member state implementing legislation.
The GDPR places onerous accountability obligations on controllers (organizations that determine the purposes and means of processing data) and processors (organizations that actually process the personal data on behalf of controllers).
Below is an overview of the GDPR’s main features.
With an expanded territorial scope, the GDPR will apply to many organizations not currently covered by European data protection legislation. The GDPR will apply to the processing of personal data by any organization (including Canadian organizations) that is established in the EU, regardless of where the data processing occurs. The GDPR will also apply to the processing of personal data by any organization (including Canadian organizations) that controls or processes data in connection with (1) offering goods or services (even without charge) to, or (2) monitoring the behaviour of, individuals in the EU.
The scope of the GDPR is broad and could apply to many Canadian organizations. Processing captures any operation performed on personal data, including collection, use, disclosure and storage. For instance, a Canadian website in English allowing purchases in euros and deliveries to European citizens and a Canadian website tracking the behaviour of European citizens through persistent cookies would probably be covered by the GDPR.
The GDPR may not apply to Canadian organizations that do not envisage offering goods or services in the EU.
Any controller or processor not established in the EU that is caught within the GDPR’s scope will have to designate a representative in the EU to act on its behalf. There is an exception where processing is occasional, does not include large-scale processing of special categories of data (such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health) and is unlikely to result in a risk to the rights and freedoms of data subjects.
Under the GDPR, personal data can be processed only in certain limited, prescribed circumstances (such as for executing a contract or for legitimate purposes) or with consent. There are particular requirements for a valid consent. The GDPR provides that it must be a freely given, specific, informed and unambiguous indication, given by a statement or by clear affirmative action. Consent must be as easy to withdraw as it is to give. Children under 16 will require parental consent.
Organizations have positive obligations to implement data protection by design and default and must demonstrate compliance with the GDPR and show data protection is taken seriously and given appropriate levels of attention within the organization.
Organizations will be required to appoint data protection officers if: (1) data processing is carried out by a public authority or body; (2) the organization’s core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or (3) the core activities consist of processing of special categories of data on a large scale (for example criminal convictions or ethnic origin). Data protection officers must be supported in carrying out their functions, should report to the highest level of management and should have expert knowledge of data protection laws and practices.
The GDPR also formalizes the requirement to carry out privacy impact assessments for types of processing likely to result in high risk to the rights and freedoms of any individual, for example, in the context of profiling, if decisions based on such profiles will produce legal effects.
The GDPR gives data subjects various rights over personal data, including:
the right to have personal data transmitted to the data subject or another controller in a commonly used machine readable format (data portability);
the right to require the controller to erase personal data in certain circumstances and where the data has been made public to take reasonable steps to inform other controllers that are processing the data of the request for erasure (right to be forgotten);
the right to receive more information about the controller’s processing (export solution, storage limits) through a subject access request and to have the information provided in a commonly used electronic form;
prohibitions and restrictions in respect of automated decision-making, including profiling (this may affect AI applications);
the right to transparency, which requires data controllers to provide detailed information about the organization’s personal data handling practices; and
the right to object to using personal data for direct marketing.
The GDPR will introduce a new mandatory breach reporting regime. If a breach occurs:
Controllers will have to maintain a breach register.
Sanctions under the GDPR could be significant for companies found to have violated legal rights and obligations related to data processing. There are two tiers of sanctions:
The GDPR will also allow individuals who suffer material or non-material damage due to a GDPR breach to bring a private lawsuit and be represented by public interest organizations.
While there is overlap between the GDPR and various Canadian privacy laws (including obligations under PIPEDA, PIPA in Alberta and BC, and Quebec’s Act Respecting the Protection of Personal Information in the Private Sector), Canadian organizations may have to take additional steps to control or process the personal information of EU data subjects in compliance with the GDPR. The BC Office of the Information and Privacy Commissioner has also published some guidance on GDPR and parallels between BC’s PIPA and the GDPR.
Canadian organizations should be reviewing their operations to determine whether they are subject to the GDPR, and understand the applicable legal obligations. Given the new Canadian federal breach reporting requirements and those in the GDPR, it may be appropriate to review those processes in any event. Canadian organizations should consider strategies to manage their GDPR exposure.
© Norton Rose Fulbright LLP 2023