PIPEDA vs GDPR: The Key Differences
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was considered a progressive law when it first stepped onto the legislative scene in 2000. It received a partial adequacy decision from the European Commission that considered its requirements in line with its own data protection provisions as set out in Directive 95/46/EC.
The Data Privacy Act, an amendment to PIPEDA adopted on 18 June 2015, anticipated the release of the final text of the EU General Data Protection Regulation (GDPR) and updated PIPEDA’s requirements to the latest international standards. However, PIPEDA failed to have the impact the GDPR has had on data protection legislation around the globe. This is arguably due mostly to the EU’s much larger market size, but also to a few key differences between the two laws.
PIPEDA, while incorporating some of the newest international data protection practices that were later included in the GDPR, was weakened in its scope by limitations and exceptions that reduced its international reach. The GDPR meanwhile took an intransigent stance on its policies from day one, firmly putting the interests of EU data subjects first.
The European Commission’s adequacy decision concerning Canada is restricted to commercial organizations. The reason for this is PIPEDA’s applicability criteria: the law only applies to the collection, use or disclosure of personal information in the course of a commercial activity, and it covers federally regulated businesses such as banks, airlines and telecommunications companies.
While personal data handled by federal government departments and agencies is regulated under the Privacy Act, there are a number of organizations that fall outside both the Privacy Act and PIPEDA’s scope. Not-for-profit organizations, political parties and associations, educational institutions and hospitals, as long as they don’t engage in any commercial activities, are outside the scope of PIPEDA.
PIPEDA also does not apply to companies that operate entirely within provinces whose local statutes have been deemed substantially similar to PIPEDA. Should data be transferred across provincial or national borders, however, PIPEDA applies.
The GDPR, on the other hand, has a much broader scope. It applies to any natural or legal person, public authority, agency or other body that stores or processes the sensitive data of EU data subjects. It also applies not only to targeted data collection practices, but also to the monitoring of behavior of individuals in the EU.
Extraterritoriality is not explicitly mentioned in PIPEDA, meaning that companies operating outside of Canada may not need to be PIPEDA compliant even if they collect, use or disclose the personal information of Canadian data subjects. That being said, some experts do believe that PIPEDA could apply in a foreign jurisdiction if a real and substantial connection were to exist between Canada and the processing activities undertaken.
One of the reasons why the GDPR has had such a far-reaching international impact is its extraterritoriality clause. Any company collecting or processing the personal information of EU data subjects, whether or not it has offices in the EU, falls under the GDPR. Given the strong commercial ties between the European Union and the world’s biggest economies, many governments around the globe have decided to enact their own data protection regulations to ensure that businesses within their countries adopt the newest data protection practices in line with the GDPR.
Consent for data processing
One of the biggest differences between PIPEDA and the GDPR concerns data subjects’ consent for data processing. The GDPR requires explicit consent from data subjects, who must be presented with a request for consent in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Consent is therefore given only through an affirmative act by the data subject. There are exceptions to the consent requirement: for example, the GDPR allows data processing without consent for the performance of a contract to which the data subject is party, or on the basis of legitimate interests.
PIPEDA received an update to its consent policy in 2015 which states that consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. This essentially means that organizations can choose between seeking implied or explicit consent. The appropriate form of consent is often judged based on the sensitivity of the personal information collected and the reasonable expectations of the data subject.
The Right to be Forgotten
Another major difference between PIPEDA and the GDPR comes from individual rights. The GDPR gave EU data subjects the right to be forgotten, under which individuals can request that companies erase the data they have collected about them from their systems. PIPEDA gives individuals the right to withdraw consent, but companies can still retain the individual’s data in accordance with their minimum and maximum data retention periods. On the other hand, the law does state that organizations may retain personal information only as long as it is necessary for the purpose for which it was collected, implying that individuals can request the deletion of their personal information after that purpose has been fulfilled.
Be that as it may, the right to be forgotten is merely implied in PIPEDA, whereas in the GDPR it is explicit. While there are certain circumstances in which companies may refuse a request for erasure under the GDPR, such as legal obligations or public interest, if a data subject withdraws consent for data processing and requests the deletion of their personal information, organizations must respond to the request within a month.
Data controllers subject to the GDPR are also obligated to inform any data processors authorized to process the data in question that a request has been made for the erasure of any links to, copies of, or replications of that personal data. Under PIPEDA, companies have no such obligation.
While both PIPEDA and the GDPR grant individuals the right to access the personal information companies have collected about them, only the GDPR includes the right to data portability. This means that data subjects have a right to receive the personal data a company has collected about them in a structured, commonly used and machine-readable format that can be easily transferred to another data controller. PIPEDA grants no such right.
Data breach notifications
Mandatory data breach notifications were added to PIPEDA through the 2015 Data Privacy Act amendment and follow, in general, the same principles set out by the GDPR. All data breaches must be recorded and if a breach creates a real risk of significant harm to an individual, it must be reported to the data protection authorities and the affected data subjects.
The difference lies in the time frame that is allowed for companies to notify the authorities. The GDPR requires companies to report serious data breaches within 72 hours after they become aware of them, whereas PIPEDA simply states that organizations must report the breach to the Privacy Commissioner of Canada as well as the individuals whose data has been affected as soon as feasible.
The GDPR’s fines are, by now, legendary: companies found to be violating its core principles can be fined up to €20 million (roughly $22 million) or 4% of annual worldwide turnover, whichever is higher. PIPEDA’s fines are much milder in comparison. They can go only as high as CAD$100,000 (approximately $76,000), and only under three specific circumstances: if a company takes action against employees who acted as whistleblowers; if an organization does not retain personal information that is the subject of a request for as long as is necessary to allow the individual to exhaust any recourse they may have; or if a person obstructs the federal Privacy Commissioner in the investigation of a complaint or in conducting an audit.