Canada Strengthens Pre‑existing Data Privacy Laws
The latest amendments to Canada's Personal Information Protection and Electronic Documents Act (the “PIPEDA”) took effect on November 1, 2018. The stated purpose of the legislation is to protect the privacy rights of individuals by regulating the collection, use, and disclosure of personal information in the course of commercial activities. The law resembles the European Union's (the “EU”) General Data Protection Regulation (the “GDPR”) in its broad aims, but it differs from the GDPR in several specific respects. The key areas of difference are the following:
- Scope of the Law
- Rights Granted to Consumers
- Data Breach Obligations
Scope of the Law
A key difference between the PIPEDA and the GDPR is the scope of each law. The GDPR applies to any organization, regardless of where it is located, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. The PIPEDA, by contrast, applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activities in Canada (Canadian courts have also applied it to organizations outside Canada that have a real and substantial connection to Canada). In addition, the PIPEDA does not displace provincial private-sector privacy laws that have been declared substantially similar to it, such as the Personal Information Protection Acts of Alberta and British Columbia. Because those laws are substantially similar, compliance with a provincial law closely mirrors compliance with the PIPEDA, but organizations should confirm that they meet both where both apply. Further, the PIPEDA continues to govern personal information that Canadian organizations collect in the course of interprovincial and international commercial activity, regardless of any provincial law.
Rights Granted to Consumers
Similar to the GDPR, the PIPEDA grants individuals specific rights. These include, among others, the right to access their personal information, the right to know who is collecting it, and the right to know why it is being collected. Those rights require organizations to have a system in place that lets them quickly locate an individual's information within their holdings so that they can fulfill such requests within the statutory time limit (30 days under the PIPEDA, which may be extended only in limited circumstances). An organization that cannot do so risks non-compliance with the PIPEDA and, where it applies, the GDPR. Further, organizations should be as transparent as possible with individuals about how their information will be used. It may be difficult to foresee at the outset every way in which an organization might later want to use personal information, but a lack of transparency at the time of collection may be perceived as deceptive and can itself amount to non-compliance under both the PIPEDA and the GDPR.
Data Breach Obligations
The latest amendments to the PIPEDA place new duties on organizations subject to it in the way that they respond to a breach of security safeguards. The new provisions require an organization to determine whether the breach creates a real risk of significant harm to an individual, taking into account the sensitivity of the information involved and the probability that it has been, is being, or will be misused. Significant harm under the PIPEDA includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property. To remain in compliance with the PIPEDA, organizations must:
- report, as soon as feasible, any breach of security safeguards that creates a real risk of significant harm to an individual to the Privacy Commissioner of Canada;
- notify, as soon as feasible, the individuals affected by such a breach;
- keep a record of every breach of security safeguards, whether or not it met the reporting threshold, for a minimum of 24 months after the day the organization determines that the breach occurred; and
- notify any other organization or government institution that may be able to reduce the risk of harm to affected individuals.
To meet these obligations, organizations need safeguards that let them detect and swiftly respond to potential breaches, and they need to know what personal information is actually under their control, including information that a third party holds or processes on their behalf.
Ramifications for Businesses
Compliance with the PIPEDA is crucial for organizations subject to it. Penalties for non-compliance are significant: knowingly failing to report a breach, to notify affected individuals, or to keep the required records is an offence punishable by a fine of up to $100,000 (in Canadian currency) for each failure. Compliance with the PIPEDA also places Canadian organizations in a good position to trade with EU companies and sell to EU consumers, because its requirements overlap closely with the GDPR's and the European Commission has recognized the PIPEDA as providing adequate protection for personal data transferred from the EU to the organizations it covers. At the same time, the PIPEDA raises many of the same hurdles to collecting and processing personal information that the GDPR does.
Jason L. Ott, Esq.
Derrick L. Maultsby, Jr.