19 June 2020
The EU and Canada see eye-to-eye on data protection. So much so that the European Commission has deemed Canada's private sector data protection standards "adequate." That might not sound like high praise. But coming from the Commission, it's quite a compliment.
However, the EU General Data Protection Regulation (GDPR) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) are quite different laws. Whilst Canada's privacy regime has been endorsed by the EU, this doesn't mean that complying with one law guarantees compliance with the other.
Below we've answered some key questions for businesses about how these two laws compare.
Before you can comply with the GDPR or PIPEDA, it's essential that you understand what types of information each law applies to.
The GDPR calls personal information "personal data." To avoid confusion we'll be using the term "personal information" when discussing both laws.
Personal information is defined at Article 4 of the GDPR, as "any information relating to an identified or identifiable natural person." This can mean any information that might "directly or indirectly" identify a living individual.
The EU applies a very broad definition of personal information. This is because increasingly sophisticated methods can be used to piece together seemingly innocuous data points to reveal a person's identity.
Here's a list of examples of personal information provided by the European Commission:
PIPEDA's definition of personal information is very similar to that of the GDPR. Personal information is defined at Section 2 (1) of PIPEDA, as "information about an identifiable individual."
Here's a list of examples from Canada's Office of the Privacy Commissioner (OPC):
This might seem a little more constrained than the EU's definition. But the OPC has also found that more obscure types of information, such as an IP address and cookie data, can constitute personal information.
Both the GDPR and PIPEDA will have a significant impact on most businesses operating in their respective jurisdictions. But neither applies to every person in every context.
There are two main types of organization who must comply with GDPR:
Data controllers decide how and why personal information should be processed. A data controller can be anyone - a business, an individual, a government department. For example, Amazon is a data controller when it emails a customer an update on their order.
Data processors are not generally interested in the end result of the processing. Again, anyone can, in theory, be a data processor. MailChimp is a data processor when it emails a business's customers on behalf of that business. (Note that MailChimp would itself be the data controller when it emails its own customers, i.e. the businesses on whose behalf it processes emails.)
The GDPR applies across all parts of the public and private sectors, but does not cover personal information used for "purely personal or household activity."
PIPEDA only applies to private sector organizations when they are engaged in "commercial activity." Public sector bodies are subject to another law, the Privacy Act.
The EU is made up of separate sovereign countries. Canada consists of provinces which enjoy some degree of autonomy. This affects how each law is applied across each jurisdiction.
The EU is a political and economic union made up of sovereign countries, rather than a federal state. However, the GDPR is a regulation, and so it takes legal effect directly in each EU country. Therefore, the GDPR applies whether you're in Spain, Slovakia or Sweden.
Each EU country does have a national law that implements the GDPR directly onto its statute books. The UK, for example, has the Data Protection Act 2018, and Germany has the Federal Data Protection Act (BDSG).
The differences between these national laws can be significant in specific areas. But the GDPR can be considered to apply fairly uniformly across the whole of the EU.
PIPEDA is a federal law, and so applies across the whole of Canada, except in provinces where a substantially similar private-sector data protection law exists.
In certain provinces, therefore, businesses are exempt from PIPEDA but must comply with a similar provincial law:
And the following provinces have provincial data protection law in the healthcare sector that overrides PIPEDA in this respect:
PIPEDA will always apply where businesses are transferring personal information across provincial or national borders.
Both laws attempt to regulate the activities of foreign companies. This is increasingly important as the internet continues to blur national borders.
The GDPR applies to a company that is not established in the EU, provided that it:
This could apply to any Canadian company that targets EU consumers with personalized ads or ships products to the EU.
When it comes to enforcement, any company not established in the EU is required to appoint an EU representative. This is someone who is established in the EU and can be subject to legal action in an EU-based court.
Non-Canadian businesses operating in Canada absolutely should comply with PIPEDA.
In the course of investigating a complaint against KLM Royal Dutch Airlines, the OPC stated that "foreign organizations engaged in commercial activities and that have a real and substantial connection to Canada are subject to PIPEDA."
Although the investigative remit of the OPC is clear, there is some question about whether PIPEDA's rules can be enforced against foreign entities (discussed in the case of Lawson v Accuserve).
But if you weigh up the small cost of compliance with PIPEDA against the potentially huge cost of being investigated by the OPC, non-compliance with PIPEDA is not a realistic option for any company wanting to do business in Canada.
The key to a legally-compliant direct marketing strategy is understanding how to obtain lawful consent from customers and potential customers.
The GDPR has a very strict model of consent. Six elements must be in place in order for consent to be valid.
Consent under the GDPR must be:
This is a high bar. It means that businesses cannot rely on pre-checked boxes or unclear sign-up forms to demonstrate that a customer has given their consent.
The GDPR also states that it will be "as easy to withdraw as to give consent." So, clear unsubscribe mechanisms are essential.
It is also possible for businesses to send direct marketing to existing customers on the lawful basis of "legitimate interests." While this is legally distinct from obtaining user consent, it is a similar mechanism to "implied consent."
Here's how the UK's Information Commissioner's Office characterizes this rule:
This rule actually derives from another EU law called the ePrivacy Directive, but it is still valid under the GDPR.
At face value, PIPEDA's consent requirements are less strictly defined than the GDPR's. However, it's important not to be complacent about requesting consent.
A 2015 amendment to PIPEDA added the following statement:
"consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting."
The OPC published Guidelines for Obtaining Meaningful Consent in January 2019. The seven guiding principles of consent suggested by the OPC create a model quite similar to the GDPR's.
Under PIPEDA, consent can be "express" or "implied." It may be possible to argue that you have a customer's implied consent for direct marketing if they are a regular customer, and your marketing correspondence is likely to be of interest to them.
However, implied consent is not appropriate if you're planning to use someone's personal information in a way that they might not reasonably expect.
Businesses must also be careful not to collect sensitive personal information without express consent (see Royal Bank of Canada v Trang).
Most data protection laws offer people some degree of access to and control over personal information. But the strength of these rights varies considerably.
The GDPR provides eight data subject rights.
Below is a list of these rights, accompanied by the corresponding obligations on data controllers to facilitate the rights:
Except for number 1 (and, some argue, number 8), all of these rights are initiated by an individual's request, made directly to the data controller. Data processors are only responsible for assisting their data controllers in carrying out a request, and must not comply with an individual's request directly.
There must normally be no charge for carrying out a request, and it must normally be completed within one calendar month.
There are exceptions to most of these rights, and data controllers will not have to comply in every situation. Familiarize yourself with the specifics of each right so you can adequately provide them to your EU customers and stay compliant with an important aspect of the GDPR.
PIPEDA's personal information rights are less emphatic and extensive than those granted under the GDPR.
PIPEDA provides a general right of access to personal information. PIPEDA Section 4.9 states:
"Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information."
Section 4.9 also provides a right to rectification similar to that under the GDPR:
"An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate."
There is also a very limited right to erasure, although this is far narrower than the equivalent right under the GDPR (which is sometimes known as the "right to be forgotten"):
"Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information."
A business should not normally charge for carrying out a request. However, it can charge a small fee if an estimate is provided to the individual beforehand.
A business must normally comply within 30 days.
Privacy Policies give individuals up-front information about an organization's privacy practices. They are essential to compliance with a fundamental obligation of transparency.
Privacy Policies must be accessible, particularly at the point at which personal information is collected, and written in clear and plain language.
"Openness" is an important principle in PIPEDA. Under the principle of openness, businesses are obliged to make the following information available:
Data protection laws require "teeth" and legally binding rules in order to be effective. This usually means a combination of investigative powers, warnings, and financial penalties.
Each EU country has a Data Protection Authority (DPA) that enforces the GDPR. These independent public authorities have a process for working together across national borders.
DPAs are independent public bodies with three broad types of powers:
Fines under the GDPR can be very severe. At worst, they can reach €20 million, or 4 percent of a company's annual turnover (whichever is higher).
The French Data Protection Authority issued Google with a fine of €50 million in January 2019 in relation to its practices around consent.
Individuals can also bring a civil legal claim against a company that has violated their data protection rights.
The Office of the Privacy Commissioner (OPC) is the independent public authority responsible for investigating complaints made under PIPEDA.
The OPC's powers are largely investigatory, meaning that it can demand information and conduct audits.
The only monetary penalties explicitly set out in PIPEDA are for failing to comply with an OPC investigation into a data breach. These can lead to fines of up to $10,000 or $100,000, depending on the offense.
Some provinces have separate commissioners: the Office of the Information and Privacy Commissioner for Alberta and the Office of the Information and Privacy Commissioner for British Columbia.
We've covered many of the differences between the GDPR and PIPEDA. It should be clear to you that the GDPR is more comprehensive and demanding. But principles of transparency and accountability pervade both laws.
There are many similarities. Both the GDPR and PIPEDA:
There are also many differences. For example: