Key takeaways

Canada's legislative framework

PIPEDA applies to private sector organisations, and to the collection, use, or disclosure of personal information in the course of commercial activities, though PIPEDA does not apply to activities which occur solely within provinces that have enacted substantially similar legislation, examples being British Columbia, Alberta, and Quebec. Organisations may be subject to provincial and federal privacy legislation and some other legislation or regulations may impose privacy obligations (e.g. sector specific legislation, legislation relating to personal health information or public bodies).

Similarities

Both the GDPR and PIPEDA protect personal data/information about an identified or identifiable individual. The GDPR applies to organisations outside the EU where processing activities occur within the EU, while PIPEDA applies outside of Canada if activities have a real and substantial connection to Canada. The GDPR recognises consent as a legal basis to process personal data. PIPEDA requires consent prior to the collection, use, or disclosure of personal information, unless an exception applies. In terms of security, both the GDPR and PIPEDA require organisations to implement appropriate physical, organisational and technological security measures. Both provide individuals with a right to access their personal data/information.

Differences

Regarding legal bases for the processing of personal data, the GDPR provides a detailed list, while PIPEDA provides that organisations may only collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In terms of data transfers, the GDPR contains an adequacy assessment mechanism, while PIPEDA places the onus of ensuring adequate protection on the transferring organisation. The GDPR distinguishes between domestic and international transfers and provides legal grounds for international transfers. PIPEDA does not distinguish between domestic and international transfers. With respect to enforcement, EU supervisory authorities can issue binding orders and fines, while supervisory authorities in Canada do not have such powers currently.

Impact of GDPR on Canadian privacy laws

The entry into force of the GDPR substantially impacted PIPEDA in several ways. For example, on 1 November 2018, organisations became subject to mandatory breach reporting regulations under PIPEDA and the Office of the Privacy Commissioner of Canada ('OPC') has initiated consultations and discussions regarding the requirement to obtain consent for international transfers of personal data. There have been other areas impacted such as data processing agreements, GDPR compliant policies and procedures, and risk mitigation efforts.

What's next in Canada

There is much Provincial reform, such as British Columbia's Special Committee to review the Personal Information Protection Act, Quebec's Bill 64 to modernise legislative provisions on protection of personal information, and Ontario also contemplating provincial private sector privacy legislation. Federally, reform has been discussed through the OPC's 2018/2019 Annual Report and the Federal government's proposals to modernise PIPEDA, which are both important to the development of the privacy landscape in Canada.

How OneTrust DataGuidance helps

OneTrust DataGuidance™ is the industry's most in-depth and up-to-date source of privacy and security research, powered by a contributor network of over 800 lawyers, 40 in-house legal researchers, and 14 full time in-house translators. OneTrust DataGuidance™ offers solutions for your research, planning, benchmarking, and training.

OneTrust DataGuidance offers a GDPR Benchmarking tool and report, which includes a comparison of the GDPR to PIPEDA. The suite of tools assist organisations to understand and examine core requirements under each law in order to determine their consistency for gap analysis and assessment, and contribute to the development of global compliance programs.

OneTrust DataGuidance solutions are integrated directly into OneTrust products, enabling organisations to leverage OneTrust to drive compliance with hundreds of global privacy and security laws and frameworks. This approach provides the only solution that gives privacy departments the tools they need to efficiently monitor and manage the complex and changing world of privacy management.