In today’s digital age, privacy is a growing concern for individuals and organizations alike. With the rise of cyber threats and data breaches, governments around the world are taking measures to protect the personal information of their citizens. One such measure is privacy legislation, which sets out what organizations must do when collecting, using, and disclosing personal information. This post compares two Canadian laws, Quebec’s Bill 64 (now in force as Law 25, An Act to modernize legislative provisions as regards the protection of personal information) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA), against the European Union’s General Data Protection Regulation (GDPR). We’ll take a closer look at the main features of each law and explore their similarities and differences.
Scope:
Bill 64 amended both of Quebec’s privacy statutes, so it reaches the public sector and private-sector enterprises in Quebec. PIPEDA applies to private-sector organizations engaged in commercial activity across Canada, except where a province has enacted substantially similar legislation (as Quebec, Alberta and British Columbia have), and to employee information held by federally regulated employers. The GDPR applies to organizations established in the European Union or European Economic Area, and to organizations outside it that offer goods or services to, or monitor the behaviour of, people in the EU. While each law has a different scope, they all aim to protect personal information from misuse.
Personal Data:
Bill 64 keeps Quebec’s broad definition of personal information (any information that relates to a natural person and allows that person to be identified), which in practice captures online identifiers and metadata whenever they can be linked to a person. PIPEDA speaks of “personal information” about an identifiable individual, while the GDPR speaks of “personal data” relating to an identified or identifiable natural person, and lists online identifiers and location data explicitly. The difference in terminology does not change the level of protection each law provides; all three turn on whether a person can be identified.
Consent Requirements:
Bill 64 requires consent that is clear, free and informed and given for specific purposes, and it must be express for sensitive personal information, with some statutory exceptions. PIPEDA allows either express or implied consent, depending on the sensitivity of the personal information and the reasonable expectations of the individual. The GDPR requires consent to be freely given, specific, informed and unambiguous (and explicit for special categories of data), but consent is only one of six lawful bases under Article 6; contract, legal obligation and legitimate interests are used at least as often. The GDPR therefore sets the highest bar for what counts as valid consent, while relying on consent less than the Canadian laws do.
Right to be Forgotten:
Bill 64 gives individuals the right to require that personal information about them be de-indexed or that its dissemination cease (Quebec’s version of the right to be forgotten), alongside the right to have information deleted when it was collected unlawfully or is no longer needed for the purposes for which it was collected. PIPEDA grants rights of access and correction and requires organizations to destroy, erase or anonymize information that is no longer needed, but it does not give individuals a stand-alone right to demand erasure. The GDPR includes an explicit right to erasure (Article 17), allowing individuals to request deletion of their personal data under defined circumstances, such as withdrawal of consent or the data no longer being necessary.
Data Processing Agreements (DPA):
Bill 64 requires a written agreement whenever personal information is entrusted to a service provider, covering confidentiality measures, use only for the mandate, disposal at the end of the mandate and notification of confidentiality incidents. PIPEDA requires organizations to use contractual or other means to provide a comparable level of protection when personal information is handled by a third party, without prescribing the contract’s contents. The GDPR (Article 28) requires a written contract with processors that includes a specific list of provisions, from processing only on documented instructions to assisting with breach notification and deleting or returning data at the end of the engagement. The requirements are similar in aim, but the GDPR is the most prescriptive about what the agreement must say.
Data Protection Officer (DPO):
Bill 64 makes the person with the highest authority in an enterprise responsible for the protection of personal information by default; that role can be delegated in writing, and the officer’s title and contact details must be published. PIPEDA does not use the term “data protection officer”, but its accountability principle requires every organization to designate one or more individuals accountable for compliance. The GDPR requires a data protection officer only for public authorities and for organizations whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of data. On this point the Canadian laws are actually broader in who must designate someone, while the GDPR is more detailed about the officer’s independence and tasks.
Penalties:
Bill 64 allows administrative monetary penalties of up to CA$10 million or 2% of worldwide turnover, and penal fines of up to CA$25 million or 4% of worldwide turnover, whichever is greater. PIPEDA carries maximum fines of up to CA$100,000 per offence, and only for knowingly failing to report or record breaches or for obstructing an investigation. The GDPR carries administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is greater. Bill 64 and the GDPR are therefore on a par, while PIPEDA’s penalties are an order of magnitude lighter and much narrower in what they can be applied to.
Enforcement:
Bill 64 empowers the Commission d’accès à l’information du Québec (CAI) to enforce the law, investigate complaints and impose administrative monetary penalties. PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC), which can investigate and make recommendations but cannot itself issue fines. The GDPR is enforced by the supervisory authority of each member state, coordinated through the European Data Protection Board, and these authorities can issue binding orders and fines directly. While the enforcement bodies differ, each law has a mechanism in place to investigate and address complaints.
Issue | Bill 64 | PIPEDA | GDPR |
---|---|---|---|
Impact on private businesses | Applies to businesses that collect, hold, use, or communicate personal information in the course of carrying on an enterprise | Applies to organizations that collect, use, or release personal information during the course of their commercial activities | Applies to organizations established in the EU, or those outside the EU that offer goods/services to EU data subjects or monitor their behavior |
Who is protected | All individuals regardless of citizenship, but the territorial application is unclear | All individuals regardless of citizenship | Anyone whose data is processed in the context of an EU establishment, and anyone in the EU whose data is processed by an organization outside it, regardless of citizenship or residence |
Protection for private sector employees | Yes, but not expressly stated | No, only applies to employees of organizations considered a “federal work, undertaking or business” | Yes |
Type of information protected | Any information held by an enterprise that relates to a person | Any information about an identifiable individual, except for business contact information used for communicating or facilitating communication with an individual in relation to their employment, business, or profession | Any information relating to an identified or identifiable individual |
Requirements for protecting information | Establish and implement governance policies and practices that ensure the protection of personal information, proportionate to the nature and scope of the enterprise’s activities and approved by the person in charge of protecting personal information | Protect information with safeguards appropriate to its sensitivity and the level of risk | Implement appropriate technical and organizational measures taking into account the state of the art, implementation cost, and the nature, scope, context and purposes of processing and the risk to individuals (Article 32) |
Data protection officer required? | Yes; the person with the highest authority holds the role by default and may delegate it in writing | Yes; one or more individuals must be designated as accountable for compliance | Yes for public authorities, and for organizations whose core activities require regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of data |
Data subject access, rectification, deletion, and portability rights | Yes (portability right in force September 2024) | Access and rectification only; no explicit deletion or portability right | Yes |
Right to object/opt out of targeted ads | Yes | No | Yes |
Limitation on automated decision-making | Yes | No | Yes |
Privacy impact assessment required | Yes, for any project to acquire, develop or overhaul an information system involving personal information, and before communicating personal information outside Quebec | No | Yes, where processing is likely to result in a high risk to individuals (data protection impact assessment, Article 35) |
Carve-out for de-identified, aggregated, anonymized, or publicly available information | Certain sections of the law do not apply to public information; De-identified information is partially addressed in narrow contexts; Anonymized information is carved out if it irreversibly no longer allows the person to be identified; Aggregate information not addressed | Limited carve-out for publicly available information; No for de-identified information, lack of clarity on what qualifies as anonymized information; No carve-out for aggregate information | No carve-out for de-identified or aggregate information; GDPR does not apply to “anonymized” data where data can no longer identify the data subject; “Pseudonymization” is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information which must be kept separately |
Definition of sensitive data | Personal information is sensitive if, due to its nature or context of use or release, it entails a high level of reasonable expectation of privacy | Not defined, driven by context | Prohibits processing of special categories of personal data, including racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, and data concerning a person’s sex life/sexual orientation; Provides exceptions to the prohibition of processing “sensitive data” in certain circumstances |
Reporting breach to data protection authority and individuals | Notify the CAI and any individual whose personal information is concerned by the incident if it presents a risk of serious injury; keep a register of all confidentiality incidents | Notify the Privacy Commissioner of Canada and affected individuals as soon as feasible if it is reasonable to believe the breach creates a real risk of significant harm; keep records of every breach | Notify the supervisory authority within 72 hours of becoming aware unless the breach is unlikely to result in a risk to individuals; notify affected individuals without undue delay if the breach is likely to result in a high risk; document all breaches |
Overall, PIPEDA remains the least prescriptive of the three: it lacks an erasure right, portability, impact assessments and meaningful fines. Bill 64 brings Quebec much closer to the GDPR, matching it on penalties, breach notification and most individual rights, while the GDPR stays the most detailed benchmark on lawful bases for processing, processor contracts and the duties of the data protection officer.