Comply with PIPEDA
The Personal Information Protection and Electronic Documents Act 2000, commonly known as PIPEDA, is the subject of on-going debate regarding its potential reform. Already, PIPEDA sets out principles to which organisations must abide, including principles of accountability, consent, accuracy and safeguards, as well as limiting collection, use, disclosure, and retention.
OneTrust DataGuidance's PIPEDA Portal provides you with the ability to track developments regarding PIPEDA and understand its obligations.
Visit our Canada Federal Jurisdiction Dashboard for further information on the Canadian Data Protection Landscape.
After Bill C-11 for the Digital Charter Implementation Act, 2020 failed to pass in 2021, a new reform was introduced in June 2022, under Bill C-27 for the Digital Charter Implementation Act 2022. The bill is divided into three parts, with each aimed at enacting a new act, namely the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. If passed, the CPPA would become Canada's main privacy regulatory regime for the private sector, thereby replacing PIPEDA. More in detail, Part I of PIPEDA would be repealed and the remaining part of the framework would be renamed as the Electronic Documents Act, thereby changing its nature.
The CPPA largely aligns with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). It would provide for provisions around consent, organizations' obligations, powers, duties, and functions of the Office of the Privacy Commissioner of Canada (OPC), administrative monetary penalties and enforcement orders, and a private right of action, among other things.
You can read the bill and track its progress here.
PIPEDA v. GDPR
OneTrust DataGuidance, in collaboration with Edwards, Kenny & Bray LLP, has produced a PIPEDA v. GDPR report which you can download here, and which assists organizations in understanding and comparing key provisions of the PIPEDA comparative to the GDPR. You can also leverage this information through our GDPR. PIPEDA Comparison in the tab above.
OneTrust DataGuidance and Edwards, Kenny & Btay LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA). The report, which was last updated in July 2023, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of PIPEDA with the GDPR.
You can access the latest version of the report here.
The PIPEDA and the GDPR share some similarities, particularly in regard to their personal and material scope. Both laws:
- regulate the transfer of data to third parties;
- require organizations to implement appropriate security measures with respect to personal information;
- refer to accountability as a fundamental principle of the protection of information;
- impose monetary penalties for non-compliance; and
- provide supervisory authorities with investigatory powers.
However, despite their similarities, PIPEDA and the GDPR also differ sometimes in their approach, such as:
- that PIPEDA does not distinguish personal information as either sensitive or not;
- that PIPEDA does not impose obligations relating to children;
- that the GDPR requires a DPIA to be conducted under specific circumstances, whereas PIPEDA does not;
- the appointment of a data protection officer; and
- the rights afforded to individuals under their respective laws.