Apr 2018 Charity & NFP Law Update
The European Union’s (“EU”) Regulation 2016/679, General Data Protection Regulation (“GDPR”) will be implemented across the EU as of May 25, 2018. The GDPR harmonizes data protection and privacy laws across all EU jurisdictions and has been referred to by the House of Commons Standing Committee on Access to Information, Privacy and Ethics, as well as the Office of the Privacy Commissioner of Canada, as a point of comparison for Canadian legislation. Of particular note, while the GDPR will apply to organizations with a physical presence in the EU, it has also been given an extraterritorial scope, applying also to organizations that are not established in the EU if they process personal data of EU residents to offer them goods or services (whether or not a fee is charged) or to monitor their behaviour within the EU. Therefore, in certain circumstances, organizations in Canada, including charities and not-for-profits, may be subject to the GDPR and must comply with it, including its breach notification requirements, because of the strict sanctions for non-compliance. Breaches of the GDPR can attract fines as high as €20 million, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. Additionally, the ramifications of the GDPR’s extraterritorial scope are so broad that trademark enforcement, particularly as it regards domain names and “WHOIS data” of EU residents, may be affected. This Bulletin provides a brief outline of the more prominent changes introduced to privacy law through GDPR, and discusses its application to Canadian charities and not-for-profits, as well as its potential impact on trademark enforcement globally.
For the balance of this Bulletin, please see Charity & NFP Law Bulletin No. 419.