Canada’s PIPEDA vs. EU’s GDPR: what are they, and why should companies heed them?
Simply put, they are in place to protect consumers’ privacy. The laws are so similar that the EU has decided that the practices in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are ‘adequate’ by their standards.
While the EU may agree with Canada’s privacy policies, it does not mean that if a U.S. company is compliant with one, it automatically meets the requirements of the other. The General Data Protection Regulation (GDPR) and PIPEDA do have some differences, and if your company does business in Canada and Europe it must be compliant with both.
In this article, you will find information about PIPEDA and the GDPR that will help ensure that your company is compliant with these data privacy requirements.
Comparing PIPEDA to the GDPR
It is impossible to comply with either PIPEDA data rights or those required by the GDPR if you are not familiar with what types of information these laws cover.
The GDPR applies to any organization doing business in a country belonging to the European Union (EU) that collects, uses, or stores personal information. Since this includes the majority of Europe, this privacy act affects U.S. companies.
The GDPR defines personal data as any information that can be used, in whole or in part, to identify an individual who is still alive. It does not apply to individuals who are deceased. The EU purposely left the definition of personal data broad because hackers can take small pieces of information, put them together, and determine the identity of the individual.
Under the GDPR guidelines, personal information includes:
- First and last names
- Home addresses and email addresses that include the individual’s name
- Driver’s license or I.D. numbers
- Location data from mobile devices
- IP addresses
- Cookie I.D. numbers
- Health data that can be used for identification purposes
- Advertising identifiers on cell phones
The GDPR equivalent in Canada is similar. PIPEDA defines personal data as any information that can be used to identify an individual. It includes:
- Age, name, date of birth
- All I.D. numbers
- Race and ethnicity
- Blood type
- Opinions, comments, evaluations, social status
- Disciplinary actions and employee files
- Credit, loan, and medical records
- Disputes between consumers and merchants
When you compare PIPEDA to the GDPR, it can seem like Canada’s privacy act covers more than the EU’s. It is important to remember that obscure information like IP addresses and cookies can also be used by hackers to piece together an individual’s identity.
Which Law Applies to Your Company
While the GDPR applies to U.S. companies that do business in Europe and PIPEDA is a Canadian privacy law, it does not automatically mean that your company must meet each act’s standards every time you do business. There are exceptions to each law.
The GDPR requires two main groups to be compliant with its regulations: data controllers and data processors.
- Data controllers determine how and why the data is processed. These include businesses, individuals, and government departments. If any of these entities collect, use, or store consumer data, they are subject to GDPR regulations.
- Data processors do not collect the information themselves; they are most often third-party vendors. An example of a data processor is the service your company uses to send emails to your customers. Since this third party has access to identifiable information, it is required to follow GDPR protocols.
Unlike the GDPR, which applies to all organizations that deal with protected personal data, PIPEDA concentrates on private-sector industries that conduct commercial activities. However, some federal entities can also fall under PIPEDA guidelines.
PIPEDA is broader in scope than the GDPR in defining what counts as commercial activity. It applies to any organization that collects, uses, and sells data, including non-profits that barter mailing lists. This is one example of why companies that are GDPR compliant might not meet PIPEDA standards.
PIPEDA vs the GDPR: How They Apply to Your Company
The internet has blurred the lines where one country ends and another begins, and this has led to the need for certain measures to be placed on foreign companies to protect the rights of residents.
The GDPR guidelines are in place for foreign companies doing business in the EU, just as Canada’s privacy act applies to foreign companies doing business in Canada.
GDPR Applies To
- Any company that offers goods and services in the EU, even if it is not located within the EU’s borders.
- Any organization that monitors the behavior of EU residents; this includes marketing and scientific studies.
In addition, if your company is not based in the European Union, you are required to have an established EU representative who is able to represent your organization in court if there is a serious data breach.
PIPEDA Applies To
If your organization is not in Canada but you do business there, it is vital that you are PIPEDA compliant.
In 2005, after a complaint was made against KLM Royal Dutch Airlines, the Office of the Privacy Commissioner (OPC) stated that all foreign organizations were subject to PIPEDA if they were involved in any commercial activities.
Some organizations do question whether the OPC has the authority to levy penalties against foreign companies, but when the costs incurred during an audit are weighed in, it makes financial sense to follow PIPEDA regulations.
How Does Consent Work In PIPEDA vs GDPR
One of the cornerstones of both PIPEDA and the GDPR is consent. Both acts require that the consumer knows their data is being collected and has given consent. Even though consent is a requirement under both, how it is obtained differs.
Under the GDPR, consent must satisfy six elements; it cannot be a simple ‘sign here’ form. The six conditions a company has to meet before it has valid consent to collect an individual’s information are:
- Data freely given
- Informed about data usage
- Specific knowledge of data use and security
- Unambiguous – not pressured to supply data
- Affirmative – ensuring the individual wants to release data
- Revocable – the individual can stop data usage anytime
Since the GDPR makes it clear that any individual can revoke usage of their data at any time, foreign organizations need to make it easy for people to unsubscribe from the service.
It does seem like PIPEDA makes it easier to get consent, but this can be misleading if you are not compliant with the act’s standards.
PIPEDA does have principles of consent similar to the GDPR’s, but consent only has to be implied. It is easier to get implied consent, but you are still limited in how the data can be used and stored. These regulations also apply to your third-party vendors.
Consumers have the right to access their information, and if you have collected sensitive data or used it without consent, your organization could be facing penalties.
PIPEDA and GDPR: Rights of Individuals
A part of most laws designed to protect personal data is to give individuals a degree of access and control over how their data is used. Some laws are tilted more strongly in the consumers’ favor than others, and this also applies to PIPEDA and the GDPR. The GDPR grants individuals the following rights:
- Right to be informed – tell the individual how their data is collected and used
- Right of access – provide the individual with a copy of their PII
- Right to rectification – correct inaccurate information
- Right to erasure – delete personal information upon request
- Right to restrict processing – temporarily stop using a person’s information
- Right to data portability – provide the individual with an electronic copy of their data
- Right to object – stop processing an individual’s data when requested
The eighth right pertains to automated decision-making. It states that if a company is making automated decisions using an individual’s data, there must be human involvement.
Individuals typically make the request to the data controller. While data processors can help controllers with the requests, under GDPR guidelines they are not allowed to respond themselves. Once the request is made, organizations have one calendar month to respond.
Companies also cannot charge for responding to the request, unless there is another stipulation that allows for a fee.
Under the Canadian privacy act, individuals have a general right to access their personal information.
Data can be requested, organizations must comply within 30 days, and the individual can challenge the accuracy and completeness of their information. Where PIPEDA falls short of GDPR standards is with erasure and fees.
Individuals have few rights when it comes to having their information erased. Companies are allowed to charge for this process, even though the OPC does not encourage it.
Privacy Requirements: PIPEDA and GDPR
Both the EU and Canadian privacy acts demand that an organization’s information-gathering policies be clear. Privacy policies are a requirement under both laws and are necessary for transparency and openness.
All information about the individual’s rights must also be included, along with details about any automated decision-making.
Under PIPEDA, an organization can also charge a fee when an individual requests their information.
Who Enforces the Laws?
If countries and consumers want privacy laws to mean something, there must be enforcement. Both acts use investigation, warnings, and financial penalties, but the severity of the penalties levied on a company can vary.
The EU has a data protection authority (DPA) in each member country. It is this authority that enforces GDPR compliance. When a complaint is made, there will be an investigation.
Depending on the severity of the non-compliance issue, the company can be given a warning or a stiff penalty. The highest fine under GDPR regulations is 4 percent of an organization’s annual earnings.
The Office of the Privacy Commissioner (OPC) investigates complaints under PIPEDA. It is an independent authority with limited powers. The OPC is mainly an investigative body, but it does have the power to request all relevant information and perform audits.
The fines for a data breach under PIPEDA range from $10,000 to $100,000, along with the costs of the investigation and audit.
Comparing PIPEDA with the GDPR shows that both privacy acts focus on accountability and transparency. It also points out that there are differences. If you are doing business in the European Union or Canada, you must follow the standards of the applicable privacy act.
At RSI Security, we are familiar with both the GDPR and PIPEDA. We are here to answer your questions, or help your organization become compliant.