Canadian Privacy Laws: the GDPR's transatlantic cousin?

On December 20, 2001, the European Commission formally recognized that the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) provided an adequate level of protection for personal data transferred from the EU to Canada (see the Commission Decision 2002/02/EC). Therefore, personal data can flow from the EU to Canada without additional safeguards.

However, with the adoption of the General Data Protection Regulation (GDPR) on May 25, 2018, and as here at Gerrish Legal we have been acting for a few Canadian software, SaaS and new technologies companies lately, we had to ask ourselves: are both data protection regimes really that similar?

Scope of the PIPEDA

Both the EU and Canadian laws are designed to regulate how businesses can collect, use and disclose personal information in the course of commercial activities. The PIPEDA defines personal information as any factual or subjective information, recorded or not, about an identifiable individual, from age or name to opinion or social status, including even employee files or loan records. Ultimately, like the GDPR, it applies to any information about an identified or identifiable individual.

PIPEDA applies only to businesses in Canada (except in Quebec, British Columbia and Alberta, which have their own privacy law acts), in all federally regulated business activities (such as transportation or banking) and to any information that crosses national and/or regional borders.

Real substantial connection to Canada

While the GDPR applies to organizations outside the EU where processing activities take place within it, the PIPEDA only applies when there is a real and substantial connection to Canada, decided by a test applied on a case-by-case basis and looking at several factors of connection, such as the location of the profit, the public targeted, the location of the business…

Cross-border transfers

Unlike the GDPR, the PIPEDA does not have an adequacy mechanism to decide whether a data transfer provides enough protection; instead, it puts the responsibility on the organization, through the use of contractual clauses, to find a comparable level of protection. It is also the responsibility of the organization to make a clear statement that the personal information transferred might be accessed by the courts of the jurisdiction concerned (here, consent is not mandatory).

Another main difference, that complicates the exchange of data for businesses from Canada to the EU, is that the PIPEDA is not based on rights, nor on a list, but on general law principles called "the 10 fair information principles", which are broadly as follows:

  1. Accountability: Similarly to the GDPR, organizations have to appoint someone to be responsible for compliance, to protect all personal information held by them, and to put in place policies and practices in order to do so.

  2. Identifying purposes: Organizations must document the purposes for which they are collecting information and tell their customers about those purposes before or at the time of the collection. Consent must be sought for each new purpose identified. 

  3. Consent: This is the key word here; the whole act is based on the meaningful consent given by the customer to the organization. The Office of the Privacy Commissioner has even issued non-binding guidelines on obtaining full consent. While the GDPR gives a list of which processing activities need consent prior to collection, PIPEDA requires the customer to be aware of the nature, the purpose and the consequences of their consent. The more sensitive the information, the more explicit the organization has to be about the consent sought. Of course, the customer can withdraw their consent at any time.

  4. Limiting collection: Only what is needed to fulfill a legitimate and identified purpose is to be collected by fair and lawful means. 

  5. Limiting use, disclosure and retention: Use the information collected only for the identified purpose, unless the customer consents otherwise. That information can only be kept to serve this purpose, or any purpose a reasonable person would consider appropriate in the circumstances.

  6. Accuracy: Organizations must minimize the possibility of using incorrect information.

  7. Safeguards: Organizations must implement policies and technological measures to protect the information in an appropriate way.

  8. Openness: Personal information management practices must be clear and easy to understand. Customers are not expected to understand legal language; the information must be accessible to them.

  9. Individual access: As the GDPR provides, customers must be able to access their personal information, to challenge its accuracy and completeness, and to have it removed at any time. These procedures must be available at minimal or no cost to the customer.

  10. Challenging compliance: Finally, customers must be able to challenge the organization’s compliance on the basis of the fair information principles. The organization is then responsible for creating a platform to do so.

Going through the 10 fair information principles, it is fair to say that the PIPEDA is similar, in substance at least, to the GDPR.

The material scope, the protection of personal data, is similar. Both are focused on consent, even though they do not use the same process to collect it. Both acts require organizations to implement appropriate physical, organizational and technological measures to protect personal information. And finally, both provide individuals with a right to access their personal information.

Yet, even if some principles in the Canadian law echo the GDPR’s rights, such as the principle of challenging compliance, which is similar to the right to object, the fact that it is based only on general principles of law makes the exchange of data complicated.

When using contractual clauses, Canadian organizations do not really have a legal requirement they can point to when negotiating, especially when those principles are applied on a case-by-case basis. Therefore, they often choose to comply with the higher standard of law, which is the GDPR.

Moreover, the Office of the Privacy Commissioner cannot issue binding orders or fines; it can only recommend an order to the courts after conducting an investigation. This means that, for an organization to be challenged on the basis of the PIPEDA, customers have to go to court; and even then, the fines are far less onerous than those we could see imposed in the EU.

The impact of the GDPR in Canada

For the above reasons, the GDPR already has an impact on Canadian Privacy laws.

Since November 1, 2018, organizations have been subject to mandatory breach reporting regulations under PIPEDA, with a slightly different test from the one in the GDPR: the report is only mandatory when the breach creates a risk of physical harm, and it only has to be made as soon as possible (the GDPR requires it to be done within 72 hours).

The Office of the Privacy Commissioner is holding consultations and discussions on introducing a requirement to obtain consent for international transfers of data, instead of just a notification. Other provincial reforms in Canada (see British Columbia’s Special Committee to review the BC Personal Information Protection Act and Quebec’s Bill 64) have been going in the direction of the GDPR by using a rights-based act rather than relying on general principles of law.

What next?

Today, COVID-19 has created an unprecedented collection of data by all kinds of organizations, with the democratization of working from home and e-learning. Canadian privacy laws, enacted in 2001, are likely to change, as the federal government has issued an annual report in order to modernize the PIPEDA.

For now, the Adequacy Decision still stands, but organizations should act with precaution when transferring data from or to either the EU or Canada.

If you have any queries about the contents of this article or if you’d like general advice about your business’ data processing obligations, then please do not hesitate to get in touch!

Article by Ornella Kono-n'taba @ Gerrish Legal, September 2020 / Cover photo by Silvestri Matteo on Unsplash
