Looking to compare PIPEDA vs GDPR?
What are the important differences between PIPEDA vs GDPR?
How does Canada stack up against the EU with regards to data protection and privacy laws?
In this article, we will discuss that in detail and give you a breakdown of the main differences between PIPEDA and GDPR.
Are you ready?
Let’s get started…
Why look at PIPEDA vs GDPR
Organizations around the world dealing with Canadian or European individuals, clients, prospects or web users need to understand the key differences between PIPEDA and GDPR to ensure proper measures are in place to comply with these laws.
PIPEDA is Canada’s main data privacy and protection law.
PIPEDA stands for Personal Information Protection and Electronic Documents Act.
GDPR is the equivalent European data protection and privacy law where the acronym stands for General Data Protection Regulation.
Partial adequacy status
Canada’s data protection and privacy law, since its inception in 2000, has provided an important level of protection to personal information.
For this reason, the European Commission, under Directive 95/46/EC, considered PIPEDA to offer partial adequacy when compared with its own data protection requirements.
As such, Canadian and European entities have a greater ability to exchange personal information while ensuring reciprocal legislation protects personal information.
International scope of application
When we look at PIPEDA vs GDPR, an important distinction has to do with their scope of application.
GDPR has become a worldwide reference with respect to data protection and privacy due to the aggressive stance taken by the European Union to protect personal data and information.
Due to the application of GDPR to the member states in Europe and the European market size, GDPR has impacted personal data protection and privacy around the globe.
PIPEDA does not have the same international reach as GDPR, mainly because of the limitations and exceptions that narrow its application.
Let’s look at the application criteria of PIPEDA and GDPR more closely.
When does PIPEDA apply?
PIPEDA will be applicable in the following circumstances:
- When there is a collection, use and disclosure of personal information
- Data is collected by private or public organizations including federally-regulated organizations
- If the collection, use and disclosure is in the context of commercial activities
When doesn’t PIPEDA apply?
PIPEDA does not apply to the federal government or its agencies; they are regulated by the Privacy Act.
Also, as long as they do not enter into commercial activities, the following organizations are not subject to PIPEDA:
- Not-for-profit organizations
- Political parties
- Educational institutions
PIPEDA does not apply in Canadian provinces that have adopted statutes deemed substantially similar to PIPEDA.
The following provinces have adopted substantially similar statutes to PIPEDA governing companies in the private sector:
- British Columbia
The following provinces have adopted statutes substantially similar to PIPEDA governing personal health information:
- New Brunswick
- Nova Scotia
- Newfoundland and Labrador
When does GDPR apply?
GDPR has a much larger scope of application than PIPEDA.
While PIPEDA applies mainly to commercial organizations, GDPR applies to:
- Any natural or legal person, agency or body
- That stores and processes sensitive data of EU data subjects
GDPR applies to any individual, entity, agency or government.
Also, under GDPR there is no concept of collection, use and disclosure of data; rather, the law refers to the storing and processing of data.
Definition of personal information
Article 2(1) of PIPEDA defines personal information as “information about an identifiable individual”.
Article 4 of GDPR refers to personal data instead of personal information and it is defined as “any information relating to an identified or identifiable natural person”.
Some nuances arise with respect to data that at first may not appear to be personal information.
The definition of personal information under GDPR is broader than under PIPEDA.
Under GDPR, indirect personal data such as the following is considered personal information:
- IP address
- Cookie data
- Device data
- Location data
GDPR is far-reaching when compared with PIPEDA.
Any company collecting, processing or storing personal data of EU individuals, whether it operates in Europe or not, is subject to the terms and conditions of GDPR.
What this means is that any company or individual around the world dealing with European individuals and data subjects must comply with GDPR.
On the other hand, PIPEDA does not specifically address the notion of extraterritoriality.
Based on the actual text of the legislation, companies outside of Canada that collect, use and disclose personal information of Canadian data subjects may not be bound by the terms of PIPEDA.
Arguments can be made that PIPEDA may apply when there is a strong and substantial connection between the collection, use and disclosure to Canada but that remains an argument.
The Office of the Privacy Commissioner, in a complaint against KLM Royal Dutch Airlines, stated that “foreign organizations engaged in commercial activities and that have a real and substantial connection to Canada are subject to PIPEDA.”
The actual statute does not make it clear as to its extraterritorial application.
There are some important differences between PIPEDA and GDPR on the notion of consent of individuals.
PIPEDA requires that, for consent to be valid, a reasonable person must understand:
- The nature of the personal information required
- The purpose of collection, use and disclosure
- The consequences of collection, use and disclosure
Depending on the sensitivity of the information being collected along with the reasonable expectation of individuals, companies can choose between:
- Express consent (opt-in consent)
- Implied consent (opt-out consent)
The Office of the Privacy Commissioner issued guidelines on how to get meaningful consent in January 2019 where they outline seven guiding principles.
GDPR is stricter than PIPEDA as it relates to consent.
Under GDPR, organizations must:
- Get express consent from data subjects
- Inform data subjects of a request for consent
- Make the request for consent distinguishable from other matters
- Make the request for consent intelligible and easily accessible to data subjects
- Make the request for consent clear and in plain language
To summarize this differently, under GDPR consent must be freely given, informed, specific, unambiguous, affirmative and revocable.
The rule under GDPR is thus express consent (opt-in consent).
Right to be forgotten
Under PIPEDA, the right to be forgotten may be implicitly derived while in GDPR it’s an explicit right granted to data subjects.
We can derive an implicit right of an individual to be forgotten using the following analysis:
- Individuals have the right to withdraw their consent
- Companies are authorized to retain personal data in accordance with their data retention periods
- Companies are not authorized to keep personal data for longer than it is necessary for the purpose of its collection
As a result, if an individual withdraws their consent and requests that the company delete their information, the company will no longer have a purpose to collect, use and disclose the information.
Implicitly, the individual has the right to have their personal data be deleted.
Under GDPR, the law explicitly grants the right to data subjects to be forgotten.
If a data subject withdraws their consent and requests that a company delete their personal information, companies must adhere to the obligation unless there is an exception under GDPR explicitly authorizing the company to continue to retain the data.
What is the difference between Canada’s PIPEDA and GDPR with respect to data portability?
Under PIPEDA, individuals have the right to access the information companies hold about them.
There is no specific right granted to individuals to have their data ported from one organization to another.
Under GDPR, data portability is a specific right granted to data subjects.
Data portability means that data subjects can not only demand access to their data, but that their data must be given to them in a machine-readable format that can be transferred from one organization to another.
Data breach notifications
Both PIPEDA and GDPR impose broadly the same obligations on companies in the event of a data breach:
- Record all data breaches
- Notify the affected individuals if the data breach represents a real risk of significant harm to the individual
- Notify the data protection authorities if the data breach represents a real risk of significant harm to the individual
The difference between GDPR and PIPEDA lies in the timelines for notifying a data breach.
PIPEDA states that an organization must report the breach to the Privacy Commissioner of Canada and the individual as soon as feasible.
GDPR states that the data breach must be notified within 72 hours starting from when the company became aware of the breach.
The fines that can be levied against companies under GDPR are not comparable to those under PIPEDA in their magnitude.
Violations of GDPR can cost companies a lot of money.
GDPR sets fines significantly higher to deter companies from violating data protection and privacy laws.
Under GDPR, the data protection authorities can fine companies up to 20 million euros or 4% of their annual worldwide turnover.
Under PIPEDA, companies can be fined up to a total of CAD $100,000 if they take action against a whistleblower, if they do not retain personal data for as long as necessary for individuals to exhaust any recourse, or if a person obstructs a privacy investigation following a complaint or during an audit.
If we simply look at the total fines that are issued under PIPEDA vs GDPR, clearly companies will consider GDPR as a much greater legislative risk to mitigate than PIPEDA.
PIPEDA and GDPR are data protection and privacy laws designed to help protect and safeguard personal information.
PIPEDA and GDPR have similarities but also important differences.
In this article, we’ve outlined some of the important nuances and differences in the application of PIPEDA vs GDPR.
Here is a quick recap.
GDPR and PIPEDA define personal information broadly.
As a result, companies dealing with European or Canadian data subjects must be mindful of their obligations under privacy laws.
The important differences are the following:
- GDPR applies to all companies, domestic or foreign, while PIPEDA may apply to foreign companies with a real and substantial connection with Canada
- GDPR applies to all types of entities storing or processing personal data while PIPEDA targets organizations collecting, using and disclosing for commercial purposes only
- Consent must be express under GDPR while PIPEDA also recognizes implied consent
- GDPR applies across all EU member states while PIPEDA may not apply in all Canadian provinces
- The fines under GDPR are very severe while they are significantly milder under PIPEDA
Companies collecting, using, retaining, storing or processing personal information should understand their rights and obligations under the applicable privacy laws.
When doing business online or e-commerce, the entire globe is your marketplace.
It is crucial to understand the obligations that apply wherever you operate and to those you serve.
We hope you enjoyed this article.
If you have any feedback to give us, drop us a comment!