EU - Canada: Comparing privacy laws - GDPR v. PIPEDA
In this report, OneTrust DataGuidance and Edwards, Kenny & Bray LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA).
The report, which was last updated in July 2023, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of PIPEDA with the GDPR.
You can access the latest version of the report here.
What is PIPEDA?
PIPEDA regulates privacy in Canada at a federal level. It was introduced on 13 April 2000, and entered into force in stages, beginning on 1 January 2001.
PIPEDA and the GDPR share some similarities, particularly with regard to their personal and material scope. Both laws:
- regulate the transfer of data to third parties;
- require organizations to implement appropriate security measures with respect to personal information;
- refer to accountability as a fundamental principle of the protection of information;
- impose monetary penalties for non-compliance; and
- provide supervisory authorities with investigatory powers.
However, despite their similarities, PIPEDA and the GDPR sometimes differ in their approach. The differences include:
- PIPEDA does not distinguish personal information as either sensitive or not;
- PIPEDA does not impose obligations relating to children;
- the GDPR requires a DPIA to be conducted under specific circumstances, whereas PIPEDA does not;
- the appointment of a data protection officer; and
- the rights afforded to individuals under their respective laws.