Businesses today often operate on a global scale, having customers located all over the world. While this is great for businesses and consumers alike, it can create some complexities when it comes to complying with global privacy laws.

For example, consider an individual, or a data subject, who's located in Canada but interacting with an EU-based company. This individual wishes to invoke GDPR data subject rights.

This situation raises questions about whether GDPR rights extend to Canadian data subjects, affording them the same protections granted to EU residents.

This article explores the implications of a Canadian data subject invoking GDPR rights. It considers the overlaps and differences between the GDPR and Canada's PIPEDA, and provides practical steps for EU-based companies when it comes to handling such requests.


Do GDPR Rights Apply to Canadians?

The GDPR's targeting rule (Article 3(2)) applies to individuals who are "in the Union" at the time their data is processed. On that rule, GDPR rights don't automatically apply to Canadians unless they are physically located within the European Economic Area (EEA) when they interact with the company.

A Canadian resident invoking GDPR rights for data processed while they were in Canada is therefore, under that rule, generally not entitled to GDPR protections.

PIPEDA protections and rights will usually apply when the GDPR does not.

One check before relying on this: Article 3(1) of the GDPR applies to processing carried out in the context of the activities of a controller's establishment in the EU, and the EDPB's Guidelines 3/2018 on territorial scope read that limb as applying regardless of where the data subject is located. An EU-based company should confirm which limb of Article 3 governs its processing before it declines a request from a Canadian user on location grounds. The scenarios below assume the location-based analysis.

The GDPR and PIPEDA's Scope and Applicability

While the GDPR and PIPEDA have some similarities, they will apply differently when it comes to Canadian data subjects. Here's a brief overview of each law.

The GDPR

The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection framework. It's designed to protect the personal data of individuals located within the EEA.

The GDPR will apply to businesses around the world if they offer goods or services to individuals located within the EEA, or if they monitor the behavior of individuals in the EEA. It turns on where the user is located, not where the company is.

The GDPR grants data subjects under its protection the following 8 rights. Note that not all of them are always absolute. Some are only available under certain circumstances, or have exceptions:

  1. Right to be informed: To know how their data will be used, such as via a Privacy Policy
  2. Right of access: To view/obtain copies of their personal data that the business has
  3. Right to rectification: To correct inaccurate data that the business has
  4. Right to erasure: To have their data deleted
  5. Right to restrict processing: To request the company don't do certain things with their personal data
  6. Right to data portability: To receive their personal data in a machine-readable format that can be used elsewhere
  7. Right to object: To object to their data being used for certain types of data processing, usually direct marketing
  8. Rights around data being used for profiling and making automated decisions: To object to having an automated decision made about them, and request a real human review of information instead

Not complying with the GDPR can land you with fines of up to €20 million or 4% of your company's annual global turnover, whichever amount is higher.

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law that governs private-sector organizations engaging in commercial activities.

PIPEDA applies to organizations that collect, use, or disclose personal information in the course of commercial activities, except where a provincial private-sector law that has been deemed "substantially similar" applies instead (as in Quebec, Alberta and British Columbia).

PIPEDA's scope includes organizations located within Canada, as well as organizations located outside of Canada, if they process personal information of Canadians in connection with commercial activities.

For example, an EU-based company that sells its products to customers located in Canada would fall under the scope of PIPEDA.

Similarly to the GDPR, PIPEDA offers the following rights to the consumers it aims to protect:

  1. To be informed: On request, the organization must tell the individual, verbally or in writing, the purposes for which it collects, uses or discloses their personal information.
  2. To access: To request access to what personal information the organization has on the user, how it is used, and how it is disclosed
  3. To correct: To request that any inaccurate pieces of personal information are corrected by the organization and updated with any third parties the organization sent the data to as well
  4. To withdraw consent: To withdraw consent at any time after it has been given
  5. To file a complaint: Individuals are able to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) if they believe an organization is violating PIPEDA.

What Happens When a Canadian Invokes GDPR Rights?

When a Canadian data subject attempts to exercise a right granted by the GDPR and submits a request to an EU-based company, there are some factors to consider. Whether the GDPR rights apply to the Canadian data subject depends on whether:

  • The data was collected while the user was in Canada
  • The data was collected while the user was in the EEA
  • It's unclear where the user was, or the data is a mix of both

Let's look at these in more detail.

Scenario 1: A Canadian Resident, in Canada When Data Was Collected

If the individual was physically located in Canada and the personal data was collected while the user was in Canada, the GDPR typically does not apply.

The user must instead invoke their rights under PIPEDA.

Example: A Canadian user signs up for an EU-based eCommerce platform while she's in Toronto. She later changes her mind and makes a GDPR erasure request asking the company to delete all of her data.

The EU-based company determines that the user was actually in Canada during the time that data was collected, and thus it processes the request under PIPEDA instead of under the GDPR.

Outcome: PIPEDA requires that organizations provide access to personal information and correct any inaccuracies in the data, but it does not grant a standalone right to erasure or to data portability. The EU-based company would be able to legally deny the erasure request of the Canadian user, and explain that PIPEDA applies instead and doesn't offer this right. Two points still apply to the denial: the user can withdraw consent under PIPEDA, and PIPEDA's retention principle (Schedule 1, clause 4.5.3) requires that personal information no longer needed for the identified purposes be destroyed, erased or made anonymous, so the request should at least trigger a retention review of her data.

Scenario 2: A Canadian Resident, in the EEA When Data Was Collected

If the individual was physically located in the EEA when the personal data was being collected, the GDPR typically will apply.

Example: A Canadian traveler, while in Germany, creates an account with and signs up for an EU-based SaaS platform. Later, when the user returns back home to Canada, he makes a data portability right request under the GDPR.

The EEA-based company is able to confirm that the Canadian user's location during signup (when the personal data was shared) was in the EEA, and thus the GDPR will apply to that data.

Outcome: The EEA-based company must comply with the Canadian user's GDPR rights request and provide the data in a structured, machine-readable format within one month.

Scenario 3: Mixed or Unclear Jurisdiction

Companies face ambiguity if it cannot be determined where the user was located when the data was collected, or if it is a heavily mixed use situation. For example, where a user spends equal amounts of time in the EEA and Canada and travels back and forth very frequently.

Example: A Canadian user accesses an EU-based streaming service over the course of several months. Sometimes the service is accessed from Canada and sometimes during her regular travels within the EEA. It cannot be determined where the user was when she signed up for the account.

The user requests access to all of her data that the company has on her under a GDPR right. The company will have to determine which of her data falls under the scope of the GDPR (was done in the EEA), and which of it falls under PIPEDA's scope instead (was done in Canada).

Outcome: The EEA-based company may need to organize and segment its data by jurisdiction. This will allow it to appropriately apply GDPR rights to EEA-related data, and PIPEDA to Canada-related data. This requires having good data tracking and geolocation systems in place.

In this case, while it may be more costly to the company, it would probably be best to honor the GDPR right requests versus risking legal fines and penalties for unintentionally violating the GDPR.

In What Ways Do PIPEDA and the GDPR Overlap or Differ?

Since an EU-based business may get GDPR rights requests and PIPEDA rights requests from its users, it's a good idea to know where these laws meet, as well as where they differ.

Here are some ways that PIPEDA and the GDPR overlap or differ in ways that can affect data subject rights:

  • Consent: Both laws require informed consent for the collection and use of personal data. PIPEDA requires "meaningful" consent, while the GDPR requires consent that is "freely given, specific, informed and unambiguous."
  • Transparency: Both require that clear information is provided about how a company collects, uses and stores personal data, such as by having a Privacy Policy.
  • Scope of User Rights: While some rights do overlap, the GDPR's scope of rights is broader and more protective in general. The GDPR offers rights to erasure, portability, and objection, none of which PIPEDA provides as standalone rights (withdrawing consent under PIPEDA is the closest analogue to restriction and objection). PIPEDA rights focus more on accessing and correcting data than on removing, moving or limiting it. The GDPR's right to object to automated decision-making/profiling has no direct PIPEDA equivalent either.
  • Accountability: Both the GDPR and PIPEDA require that businesses take responsibility for collecting, using and protecting data under their control. This means maintaining appropriate and accurate records and making sure personal data is kept with high integrity.
  • Rights Request Response Timelines: The GDPR gives businesses one calendar month to respond to data subject requests, which can be extended by two further months in certain circumstances. PIPEDA requires a response within 30 days; section 8(4) allows an extension (generally of at most 30 further days) only in limited circumstances, and the organization must notify the individual of the new deadline and the reason for the delay within the original 30 days.

The overlap means that companies already operating in a GDPR-compliant manner will be well placed to meet most PIPEDA requirements as well.

However, the differences mean the company will need to maintain two distinct compliance processes, one per law, so that each request is handled under the rights and timelines that actually apply to it.

How Should EU-Based Companies Compliantly Facilitate Both GDPR- and PIPEDA-Granted Rights?

An EU-based company that has Canadian users who may file data subject rights requests should adopt the following strategies. They will help make it easier for the company to comply with the GDPR, and/or PIPEDA as necessary.

Always Verify User Locations

Use IP addresses, geolocational data, or specific user-provided information to determine where exactly the user was when the personal data was collected.

Once you establish this, maintain different logs for the data to separate and differentiate what falls under EEA data (GDPR) and Canadian data (PIPEDA) requirements.

For example, you can implement an automatic geolocation check as part of your account signup process to help flag users based on location and route the data correctly.

Good data mapping practices can help you here as well so you can easily see the flows of data, from collection to how it's used. This will help you make sure that you're not using collected personal data in violation of either the GDPR or PIPEDA based on what rights the data subject has around that data.
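The scenario logic above (which regime governs each record, with unclear records handled under the GDPR) and the location-tagging practice described in this section together suggest a small record-keeping design. The following Python sketch is an added example written for this page, not TermsFeed's code or any real product: it resolves a country at collection time from a constructed IP-to-country table (RFC 5737 documentation ranges, not real allocations), stores only the resulting jurisdiction tag and how it was established, and later splits a rights request into a GDPR track and a PIPEDA track with the deadline each law sets. The `record_collection` and `route_request` functions, the sample events and the country table are all assumptions made for the demo.

```python
"""Added example, not from the original article: tag each personal-data
collection event with the jurisdiction in force when the data was collected,
then route a later rights request to the GDPR or PIPEDA track per record.
The IP-to-country table uses RFC 5737 documentation ranges and the sample
events are constructed for the demo; no real geolocation database is used."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional

# EU-27 plus Iceland, Liechtenstein and Norway.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}

# Constructed lookup table standing in for a real geolocation provider.
GEO_TABLE = [(ip_network("203.0.113.0/24"), "CA"),
             (ip_network("198.51.100.0/24"), "DE")]

# Request types the example understands, and which regime grants each one
# (after the article's rights lists: PIPEDA has no erasure or portability right).
RIGHTS = {
    "GDPR": {"access", "correct", "erase", "port", "restrict", "object"},
    "PIPEDA": {"access", "correct", "withdraw_consent"},
}


@dataclass(frozen=True)
class CollectionEvent:
    record_id: str
    collected_on: date
    country: Optional[str]   # country resolved at collection time, None if unclear
    evidence: str            # how the country was established


@dataclass
class Decision:
    regime: str
    record_ids: List[str]
    granted: bool
    deadline: date


def country_for(ip: str) -> Optional[str]:
    """Resolve an IP to a country via the constructed table (None if unknown)."""
    addr = ip_address(ip)
    return next((cc for net, cc in GEO_TABLE if addr in net), None)


def jurisdiction(country: Optional[str]) -> str:
    """Map a country code to the regime the article associates with it."""
    if country in EEA:
        return "GDPR"
    if country == "CA":
        return "PIPEDA"
    return "UNCLEAR"


def record_collection(record_id: str, ip: str, declared_country: Optional[str],
                      collected_on: date) -> CollectionEvent:
    """Fix the jurisdiction tag at collection time and keep only that tag.
    The raw IP address is personal data itself, so it is not stored on the event."""
    geo = country_for(ip)
    if declared_country and geo and declared_country != geo:
        # IP and self-declared location disagree (VPN, travel, typo): keep the
        # conflict visible instead of guessing; route_request treats it as unclear.
        return CollectionEvent(record_id, collected_on, None, "conflict")
    if geo:
        return CollectionEvent(record_id, collected_on, geo, "ip_geolocation")
    if declared_country:
        return CollectionEvent(record_id, collected_on, declared_country, "user_declared")
    return CollectionEvent(record_id, collected_on, None, "unknown")


def add_one_month(d: date) -> date:
    """The GDPR's 'one month' deadline, clamped to the last day of a shorter month."""
    y, m = d.year + d.month // 12, d.month % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def route_request(events, right: str, received: date) -> List[Decision]:
    """Segment the subject's records by regime and decide each track.
    Records whose jurisdiction could not be established go to the GDPR track,
    following the article's advice for the mixed/unclear scenario."""
    buckets = {}
    for ev in events:
        regime = jurisdiction(ev.country)
        if regime == "UNCLEAR":
            regime = "GDPR"
        buckets.setdefault(regime, []).append(ev.record_id)
    decisions = []
    for regime, ids in sorted(buckets.items()):
        deadline = (received + timedelta(days=30) if regime == "PIPEDA"
                    else add_one_month(received))
        decisions.append(Decision(regime, ids, right in RIGHTS[regime], deadline))
    return decisions


if __name__ == "__main__":
    # Constructed history for one user: Toronto signup, a login from Germany,
    # an unresolvable IP with a declared Canadian address, and a VPN conflict.
    events = [
        record_collection("signup", "203.0.113.7", "CA", date(2024, 3, 1)),
        record_collection("trip-login", "198.51.100.9", None, date(2024, 4, 2)),
        record_collection("app-sync", "192.0.2.5", "CA", date(2024, 4, 20)),
        record_collection("vpn-login", "198.51.100.3", "CA", date(2024, 5, 3)),
    ]
    for decision in route_request(events, "erase", date(2024, 5, 31)):
        print(decision)
```

IP geolocation is evidence, not proof: VPNs, carrier NAT and roaming put users in the wrong country, so each event records how its country was established, and a disagreement between the IP and the user's declared location is deliberately left unclear and handled under the broader GDPR track rather than resolved by guesswork. Only the derived tag is persisted; the IP address itself is personal data and would only add to what must be disclosed in an access request.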

Develop and Implement a Solid Plan for Handling Rights Requests

Make sure that whoever is responsible for responding to rights requests has a clear process in place that accounts for when different laws will (or won't) apply. Train them thoroughly on what must be included in a response, and what the timeframe for responding is.

It's smart to create legally compliant templates for responses to user rights requests. You can make these templates relevant to individual laws like the GDPR and PIPEDA, and they can easily be reused again and again.

If a Canadian user invokes GDPR rights and isn't entitled to them, always explain politely that in their case PIPEDA applies because the data was collected while they were in Canada. Offer them details on what rights they do have under PIPEDA. You can also link them to your Privacy Policy for further guidance if you implement the next section below.

Communicate Regional User Rights Clearly in Your Privacy Policy

It's common to see Privacy Policies that have many region-specific sections that are relevant only to users in those regions. To help make it more clear what rights a user has, make sure to include this type of regional information.

For example, your Privacy Policy can have a section called "California Privacy Rights" or "For Customers Located in the EEA."

Here's how Amtrak's Privacy Policy includes specific information for users in the EEA, and Californian users:

Amtrak Privacy Policy Table of Contents with EU and California sections highlighted

When a user clicks on the EEA section, he's presented with a clause that says it applies if the online service is used from a member state of the EU/EEA or UK. This helps make it clear exactly who the rights and information listed in this section apply to.

You can see how this would help keep people who accessed the online services from Canada from thinking the rights and information in that section apply to them:

Amtrak Privacy Policy - EEA user clause excerpt

Note that the clause above is only an excerpt of a long and detailed clause.

You can include a FAQ section in your Privacy Policy that directly addresses this issue if it keeps arising and your Canadian customers keep trying to exercise GDPR rights.

Summary

When a Canadian data subject invokes GDPR rights, EU-based companies will have to carefully assess where the user was located when the data was collected.

This will be key in determining whether the GDPR or PIPEDA will apply.

While the two laws share a number of general principles, like protecting data subject rights and holding businesses to a standard of transparency, the GDPR grants broader rights to users under its scope. EU-based companies may not always be obligated to grant GDPR rights to Canadian users, and knowing this can help save the company both time and money.

Always verify the locations of your users whenever they're sharing personal data with you. Make sure you have a robust plan in place for sorting and handling rights requests, and be clear in your Privacy Policy as to what rights users will have.

This will keep you from both wasting resources on fulfilling rights requests that you aren't required to fulfil, and accidentally violating either the GDPR or PIPEDA.
