EU - Canada: Comparing privacy laws - GDPR v. PIPEDA

In this report, OneTrust DataGuidance and Edwards, Kenny & Bray LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA).

The report, which was last updated in July 2023, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of PIPEDA with the GDPR. 

You can access the latest version of the report here.

What is PIPEDA?

PIPEDA regulates privacy in Canada at a federal level. It was introduced on 13 April 2000, and entered into force in stages, beginning on 1 January 2001.

Key highlights

PIPEDA and the GDPR share some similarities, particularly with regard to their personal and material scope. Both laws:

  • regulate the transfer of data to third parties;
  • require organizations to implement appropriate security measures with respect to personal information;
  • refer to accountability as a fundamental principle of the protection of information;
  • impose monetary penalties for non-compliance; and
  • provide supervisory authorities with investigatory powers.

However, despite these similarities, PIPEDA and the GDPR sometimes differ in their approach, for example:

  • that PIPEDA does not distinguish personal information as either sensitive or not;
  • that PIPEDA does not impose obligations relating to children;
  • that the GDPR requires a DPIA to be conducted under specific circumstances, whereas PIPEDA does not;
  • the appointment of a data protection officer; and
  • the rights afforded to individuals under their respective laws.