On May 25, 2018 the European Union’s General Data Protection Regulation (GDPR) will come into force. The GDPR will create new requirements for Canadian companies that handle the personal information of European individuals. The GDPR also allows for heavy penalties to be imposed on organizations that fail to comply with this new regulatory regime. Based on this, Canadian companies who are involved in M&A transactions should be sure to determine whether the GDPR applies to a target and carefully consider the risks associated with non-compliance.
The GDPR regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU. Similar to Canadian privacy law, “personal data” is constituted by any information that relates to an identified or identifiable living individual and “data processing” captures a wide range of manual and automatic operations performed on personal data. Importantly, the GDPR applies to activities that take place outside of the borders of the EU and also applies regardless of the size of the organization.
Given the broad scope of activity the GDPR captures, it is safe to assume that most Canadian businesses that sell to Europeans or have operations in Europe should obtain legal advice in order to determine whether the GDPR applies to them.
This is especially important when considering that organizations who are found to be non-compliant can face large fines of up to four per cent of their global revenue or €20 million, whichever is higher. The GDPR also gives individuals the right to seek compensation for damages caused by violations of the GDPR.
Given the magnitude of these penalties and the wide scope of organizations and activities that are caught by the GDPR, both potential targets and acquirers should be aware of the impact the GDPR could have once it is in force. Targets should conduct an analysis to determine which, if any, of their operations may be caught by the GDPR and document any compliance measures that are implemented. Acquirers, on the other hand, should familiarize themselves with the GDPR in order to put themselves in the best position to identify any possible issues with the GDPR in a transaction. For more on the due diligence process related to the GDPR, see our previous blog post on this topic.
In Canada, Norton Rose Fulbright recently rolled out an artificial intelligence legal chatbot called Parker for clients seeking to know if they are affected by GDPR. Parker uses natural language processing to answer a variety of questions businesses in Canada may have about GDPR.
Stay informed on M&A developments and subscribe to our blog today.