At Singleton Reynolds, our people are what makes us great. We come together every day with the common goal of providing exceptional legal services and ensuring we go above and beyond for each and every client.
The range of backgrounds of the partners, counsel, associates and staff of Singleton Reynolds enables us to offer a broad range of services.
Singleton Reynolds’ lawyers spend a significant amount of time researching and thinking about how industry or legislative changes could affect your business.
Singleton Urquhart Reynolds Vogel LLP is recognized as a leader in construction and infrastructure, insurance, commercial litigation, real estate and business law.
Singleton Reynolds has offices to serve you in Vancouver and Toronto.
How was Singleton Reynolds first established? Find out more here.
Recognizing the leadership that contributes to the company successes.
Singleton Reynolds prides itself in being a leader in corporate social responsibility. We encourage diversity, charity, mentorship, civic dedication and neighbourhood support.
Singleton Reynolds strives to understand the balance between your career and your personal goals and encourages our legal and operations staff in the pursuit of their interests outside of the firm.
We are always on the lookout for talented professionals to contribute to our team. Singleton Reynolds offers a professional and challenging work environment, with a competitive compensation and benefits package.
Our goal is to develop strong lawyers from student right through to partner. Mentoring and training start when you are a student and continue throughout your practice.
On May 25, 2018, the European Union General Data Protection Regulation (GDPR) became effective upon all member states of the European Union (EU) and it replaced the past legislation, Directive 95/46/EC. GDPR is a comprehensive data protection law that governs the collection, use and dissemination of personal information in the EU. Unlike its predecessor and British Columbia’s Personal Information Protection Act (PIPA), GDPR has stricter requirements and obligations imposed on organizations with respect to the use, collection, disclosure, and maintenance of personal information. Most importantly, with its wider territorial scope, GDPR has implication for businesses that operate outside of the EU, including businesses in Canada and British Columbia.
Personal information is defined as any information that can indirectly or directly identify a person. Usually, data protection law of a country does not have jurisdiction over the processing of personal information of organizations in other countries. GDPR, however, is applicable to the processing of personal information extraterritorially if the organization, as the controller or processor, envisages:
Businesses in BC that fall under either of the above categories will be subject to GDPR. They may also be subject to GDPR if they provide data processing services to organizations that are subject to GDPR.
GDPR has specific requirements and obligations for applicable businesses in BC to follow. It is prudent to be compliant with GDPR because of its punitive penalties and fines. For example, a lower level fine can be up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher. An upper level fine, on the other hand, can be up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. The key areas of GDPR for businesses in BC to note, in light of PIPA, include, but are not limited, to the following:
Aside from certain exemptions, PIPA requires consent for data processing. It, however, allows for both express and implied consent. Under GDPR, consent is one of the lawful bases that allows organizations to process personal information; and once chosen as the lawful basis, consent under GDPR has onerous requirements as GDPR mandates affirmative, express consent only for each use of the personal information. It expressly requires the consent to be freely given specific, informed, and unambiguous by a clear affirmative action. The existing practice of “opt-out” consent where the burden is on the data subject to opt-out is eliminated. Furthermore, the withdrawal process must not be difficult and should be as easy to do so as it is to give consent.
Businesses in BC may be subject to the requirement of mandatory breach notification pursuant to the amendment to the federal privacy act, the Personal Information Protection and Electronic Documents Act (PIPEDA) that will come into effect on November 1, 2018. Currently PIPA does not have such mandatory breach notification requirements, but it is subject to amendments to include such requirement if PIPA aims to remain substantially similar to PIPEDA. This includes notifying high risk breaches to the affected individuals, reporting such breaches to the Privacy Commissioner of Canada, and maintaining records of such breaches. GDPR has similar requirements, but instead of requiring the organization to report the breaches as soon as feasible, it requires the organization to report to the supervisory authority within 72 hours except with explanations of the delay.
Under PIPA, data subjects may request a copy of their personal information from businesses in BC that have collected the data. Businesses must provide access to the copy, but such copy does not have to be in an easily transferable format. GDPR, on the other hand, requires the copy to be provided in a structured, commonly used, machine-readable format. This relates to the data subject’s right to data portability under GDPR in which the data subject may request the personal information, in transferable format, to be transmitted to another controller.
Under PIPA, data subjects do not have the right to seek erasure of their personal information. Businesses in BC do not have to delete such data, but they should not process data that is no longer necessary for the consented purpose. GDPR, on the other hand, requires data that is no longer necessary to be erased without undue delay upon request of the data subjects. If subject to GDPR, businesses in BC must take action on the request within one month, either to erase the requested data or seek for extension with explanations.
PIA is an assessment performed to identify and mitigate privacy risks of processing personal information. It involves a proportional exercise between the necessity of the personal information and risk of the processing based on the purpose of the processing and evaluation of the necessary security measures. PIAs can be costly and time-consuming.
PIPA does not require organizations to complete PIAs before processing any personal information, although it may be good business practice to do so. GDPR, on the other hand, requires organizations to complete PIAs before processing the personal information.
Both PIPA and GDPR require businesses to appoint a privacy officer to ensure legal compliance to the respective law. However, businesses in BC, as controllers or processors outside of EU, will have to appoint a designated representative in one of the EU states where the data subjects reside under GDPR, unless the processing is occasional and does not include, on a large scale, processing of special categories of data such as biometrics or data that poses a risk to the rights and freedoms of the data subjects.
Affected businesses in BC should quickly determine whether they might be defined as controller or processor; although GDPR has jurisdiction over both controllers and processors, controllers bear the majority of the compliance responsibilities. As defined in GDPR, controllers set the purpose of the processing while processors follow the instructions of the controllers. In particular, a controller is required to use only processors providing sufficient guarantees to implement the required technical and organizational measures of the GDPR which include: maintenance of the record of data, the appointment of a data privacy officer and an EU representative to report to the GDPR’s authorities, and data minimization. It is prudent for businesses in BC to have data sharing agreements established with their clients who may be controllers or processors to allocate the risks and responsibilities.
Businesses in BC are subject to PIPA, the provincial act that governs privacy in the BC private sector. PIPA is deemed to be substantially similar to the federal act, PIPEDA. Since 2001, and reaffirmed in 2006, the EU has recognized PIPEDA as providing adequate privacy protection which permits transfers of personal information of EU data subjects to organizations in Canada without additional safeguards. With the implementation of GDPR, PIPEDA and consequently PIPA are likely to now be considered inadequate. While there are no sunset clauses to remove Canada’s adequacy status, the EU, pursuant to GDPR, will reevaluate Canada’s adequacy status by May 25, 2020.
Businesses in BC that are subject to GDPR should, if they haven’t already, review and update their privacy policies and data processing practices to be compliant with GDPR. Even if GDPR is inapplicable, businesses in BC may eventually be required to be held at similar standards locally as amendments to PIPEDA and possibly PIPA are being made to match GDPR’s standards. For example, the most recent amendments to PIPEDA that impose requirements of mandatory breach notification on the Canadian private sector are in line with the updates imposed by GDPR, and it may be possible that PIPEDA will be further amended to be fully compliant with GDPR by May 25, 2020.
PIPA, which is designed to be substantially similar to PIPEDA, may be amended similarly. Eventually, subject to GDPR or not, businesses in BC may have to comply to GDPR standards.
With the GDPR in effect already and the anticipation that PIPEDA and PIPA will eventually include similar data privacy requirements, we have the following recommendations for businesses in BC:
For more information, please contact:
Articles | Feb 22, 2019
Articles | Aug 23, 2018
Articles | Jul 26, 2018
Or call toll-free at 1-877-682-4404 or (604) 682-7474 (Vancouver) or (416) 585-8600 (Toronto)
This field is required