Personal Information Protection & Electronic Documents Act – PIPEDA and GDPR
Privacy Act Canada PIPEDA and GDPR: A Guided Comparison of Each
The information below compares key provisions of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) with the EU General Data Protection Regulation (GDPR). The goal is to help you determine whether there is any duplication of operational effort that can be avoided if you are migrating from one to the other or are in the process of blending both within your organization.
As it stands today, Canada enjoys a partial adequacy designation for data transfers from the EU to Canada. It should be noted that this designation only applies to Canadian organizations that are subject to PIPEDA in respect of the transferred data. While this may ease compliance challenges for some businesses or organizations, data transfers alone are only the tip of the iceberg regarding compliance obligations under GDPR. Moving beyond transfers, there are a few areas of the GDPR that apply to Canadian organizations doing business in the EU or processing the data of EU residents. The following sections identify the operational similarities and differences that Canadian companies can expect, provided they are subject to both laws.
Using consent as a legal basis
One of the more significant operational differences lies in how PIPEDA and GDPR approach consent as a legal basis for data processing.
Under PIPEDA, consent is a major feature of the act. With limited exceptions, an individual's consent is necessary for the collection, use and disclosure of any personal information. PIPEDA was amended in 2015 to include section 6.1, which states that an individual's consent is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.
As an organization, you still have the operational choice of whether to seek express or implied consent, though express consent remains the default. Identifying the appropriate form of consent depends on the sensitivity of the personal information and the reasonable expectations of the individual (ref. PIPEDA, Schedule 1, cl. 4.3.5). As a condition of providing a product or service, an organization cannot require an individual to consent to the collection and use of more information than is necessary to complete the transaction.
Under GDPR, consent is also a valid basis for the collection, use and disclosure of personal information (Article 6). GDPR may be more flexible than PIPEDA in some ways, as it allows organizations to collect, use and disclose personal data on other grounds, such as performance of a contract or legitimate interests. Unlike Canada, where consent is the sole basis for collection, use and disclosure (with limited exceptions, as noted), organizations building GDPR compliance programs will most likely look to other lawful bases for processing EU data. In fact, the requirements for consent are so demanding that organizations use it sparingly as a basis for processing. First, there is no concept of implied consent: consent must be given by an affirmative act of the individual. Second, consent cannot be bundled into a contract; it must be given separately for each use of the personal information. Third, it must be freely given. GDPR states that consent will not justify processing where there is a clear imbalance of power. As under PIPEDA, consent is not freely given when an organization conditions a service on the collection of more personal information than is necessary.
Organizations subject to GDPR should also consider whether the individual providing consent actually has the capacity to do so. Unlike GDPR, PIPEDA does not set a minimum age of consent. Under PIPEDA, age is a relevant factor in considering whether informed consent was obtained. The Privacy Commissioner of Canada has taken the position that meaningful consent from children under 13 years of age would be too difficult to obtain; however, there is no strict age threshold. In contrast, GDPR sets a threshold of sixteen years of age for consent, though individual member states can lower the age of consent to between 13 and 16.
Right to erasure of data
Under GDPR, Article 17 grants individuals a right to be forgotten. This article permits individuals to require organizations to erase their personal information in a number of circumstances. If the personal data is no longer necessary for the purposes for which it was collected (or processed), the organization must erase it. This also applies where an individual withdraws consent and there are no other legal grounds for the processing to continue. Where a controller has made the personal data public (think of social media sites), the controller is obligated to take all reasonable steps to inform other controllers that have received the information of the erasure request.
PIPEDA also contains an obligation to destroy data. The notable difference between GDPR's Article 17 and PIPEDA's principle 4.5 begins with PIPEDA not requiring the organization to notify any other organization to which it has disclosed the information of the erasure request. Additionally, it isn't clear whether GDPR permits retention in order to comply with foreign retention laws. This becomes an issue for multinational companies that may be subject to retention laws that differ from those in Europe.
PIPEDA also does not have the same scope of application as GDPR. Arguments have been made that PIPEDA does not apply to search engines because searching and indexing website content are not considered commercial activities. As such, principle 4.5 may not require search engines to de-link search results. The situation may be different, however, with respect to internal search engines on a commercial website.
Employee data
Information handled in HRIS platforms is operationally very difficult for multinational corporations under GDPR. Canadian organizations must recognize that PIPEDA only regulates the collection, use and disclosure of employee personal information with respect to federal works, undertakings and businesses: think of airlines, banks, shipping companies and other federally regulated employers. This covers a very limited subset of the Canadian economy; the vast majority of employers are regulated by provincial legislation. Except in British Columbia, Alberta and Quebec, no province subjects employee data to statutory privacy laws.
Employee data, on the other hand, is firmly within GDPR's scope. Article 81 permits EU member states to enact laws expressly addressing employee data, which may be stricter than GDPR itself. It is important to note that consent is generally not a viable basis on which to collect and use employees' personal information, because such consent is not considered freely given in light of the significant power imbalance between employer and employee. Employers may have legitimate interests in processing data, such as for payroll or tax purposes, but parent companies and affiliates need to be careful: if they use this data for business planning or other purposes, they may need to review whether they have legal grounds under GDPR to use the data without consent.
Additionally, if the data to be processed is being transferred to a Canadian federal work, undertaking or business, the transfer will no longer be covered by Canada's partial adequacy designation from the EU Commission. Given this, it would be necessary to put in place standard contractual clauses or binding corporate rules.
Privacy laws in Canada are already fairly strong; however, the GDPR is sufficiently different from PIPEDA that organizations subject to both need to examine each in detail and consider what operational changes may be necessary, either to minimize the impact or to develop new compliance strategies. It's worth the effort given the increasingly higher fines imposed each year.