GDPR (General Data Protection Regulation) has applied since 25 May 2018 and governs the processing of personal data in the EU.
PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal private-sector privacy law; it came into force in stages beginning 1 January 2001.
Both laws aim to protect individuals' privacy and personal data.
Key Comparisons
1. Scope
Personal Scope
GDPR applies to data controllers and processors, including public bodies.
PIPEDA applies to private-sector organizations that collect, use or disclose personal information in the course of commercial activities; federal public bodies fall under the separate Privacy Act.
Territorial Scope
GDPR applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
PIPEDA applies to organizations with a real and substantial connection to Canada, which can include foreign organizations handling Canadians' personal information.
Material Scope
GDPR defines 'personal data' and singles out special categories (such as health, biometric and genetic data) for stricter treatment.
PIPEDA has no list of special categories; any personal information can be sensitive depending on the context, and sensitivity determines the form of consent and the level of safeguards required.
2. Key Definitions
Personal Data: Both define as data about an identifiable individual.
Pseudonymisation: Defined under GDPR but not explicitly under PIPEDA.
Controllers and Processors: GDPR defines these clearly; PIPEDA uses 'organization'.
3. Legal Basis
GDPR: Processing requires one of the lawful bases in Article 6, such as consent, contract necessity, legal obligation, vital interests, public task or legitimate interests.
PIPEDA: Consent is the primary basis, subject to limited exceptions, and an organization may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
4. Controller and Processor Obligations
Data Transfers: GDPR has mechanisms for international transfers; PIPEDA places responsibility on the transferring organization.
Data Processing Records: Required under GDPR; not specified under PIPEDA.
Data Protection Impact Assessments: Required under GDPR where processing is likely to result in a high risk to individuals; not required under PIPEDA.
Data Security and Breaches: Both require appropriate security safeguards and both tie notification to a risk threshold. GDPR requires notice to the supervisory authority within 72 hours unless the breach is unlikely to result in a risk, and notice to individuals only where the risk is high, with further exceptions (for example where the data was encrypted). PIPEDA requires a report to the Privacy Commissioner and notice to affected individuals as soon as feasible for any breach that creates a real risk of significant harm, sets no fixed deadline, and requires organizations to keep records of every breach for 24 months regardless of its severity.
5. Individuals' Rights
Right to Erasure: Explicit in GDPR; under PIPEDA it is implied by the retention limitation principle (information must be destroyed or anonymized once no longer needed) and by the right to withdraw consent.
Right to be Informed: Spelled out in detail under GDPR (what must be told to individuals and when); under PIPEDA it follows less specifically from the identifying purposes and openness principles.
Right to Object: Detailed under GDPR; not specified under PIPEDA but allows consent withdrawal.
Right of Access: Exists in both (GDPR responses are due within one month, PIPEDA responses within 30 days), with more specific content obligations under GDPR.
6. Enforcement
Monetary Penalties: GDPR allows administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher; PIPEDA provides only for fines of up to CAD 100,000 per offence, and only for specific offences such as failing to report or record a breach, obstructing an investigation or retaliating against whistleblowers.
Supervisory Authorities: Both laws provide for a supervisory authority. GDPR supervisory authorities have binding corrective powers, including orders and fines; the Canadian Privacy Commissioner operates on an ombudsman model, issues non-binding findings, and must apply to the Federal Court to obtain enforceable orders.
Civil Remedies: Both allow for complaints and court actions; specifics differ.
Conclusion
GDPR and PIPEDA share similarities in purpose and principles but differ significantly in specifics such as scope, legal basis, and enforcement measures.
Organizations must navigate these differences for compliance in different jurisdictions.