ARTICLE
14 January 2020

Understanding The Differences Between GDPR, CCPA, And PIPEDA – A Guide For Canadian Businesses

SL
Siskinds LLP

Contributor

Since 1937, Siskinds has been that firm of specialists serving individuals, families and businesses in southwestern Ontario and Canada from our offices in London, Sarnia and Quebec City. We’ve grown as the world around us has evolved. Today, we are a team of over 230 lawyers and support staff covering personal, business, personal injury and class action law and over 25 specialized practice areas.
Gone are days of unregulated and untethered data gathering. With the rolling out of the California Consumer Privacy Act, Canadian businesses are now finding themselves navigating a sea awash...
Canada Privacy

Gone are days of unregulated and untethered data gathering. With the rolling out of the California Consumer Privacy Act, Canadian businesses are now finding themselves navigating a sea awash with a patchwork of extraterritorial legislation. The laws are sometimes inconsistent, often vague, and certainly confusing. It has therefore become critical that companies understand their obligations under each of these major regimes, and to delineate the nuanced details between them. Failure to do so may result is severe fines.

In light of this, I have created a quick reference guide for companies looking to better understand their legal obligations under GDPR, CCPA, and PIPEPA.

Issue

PIPEDA

GDPR

CCPA

Does each law apply to my business?

PIPEDA applies to private sector organizations that collect, use, or disclosure personal information during the course of commercial activity. Notably, this applies to small businesses, and some non profits and charities that may be considered as conducting "commercial activity".

Applies to processing of personal data by all organizations (Canadian ones too) that are established in the EU, regardless of where data processing occurs. Equally, to organizations that control or processes data with regard to the offering of goods or services, or monitoring the behaviour of EU residents for advertising.

For-profit companies engaging consumers and households in California. The for-profit companies must have at least $25 million in annual revenue must comply with the law. And companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data.

Who is protected by the legislation?

A natural person. Does not have to be a citizen, or a resident of a specific province.

Natural persons resident in the EU, or EU citizens.

Consumers resident in California, if they are natural persons.

Are employees protected?

Generally, yes.

Generally, yes.

Limited application, however this may change.

What kind of information is protected?

Personal information may be factual, subjective, recorded or not, about an identifiable individual. This could include employee files, loan records, or blood type.

Personal information may be factual, subjective, recorded or not, about an identifiable individual. This could include employee files, loan records, or blood type.

Personal information that could identify a consumer or household.

In what ways is information safeguarded?

Information must be protected in accordance its sensitivity, and in light of developing risks.

Taking into account current day technologies, risks, and severities, appropriate technical and organisational measures.

No explicit requirements, however, expect to take appropriate measures.

Notification requirements in event of a breach

In the event that a real risk of significant harm is posed to the individual(RROSH test) as soon as feasible.

Where possible, within 72 hours, unless of an unlikely risk to the rights and freedoms of natural persons.

There are different requirements based on the nature of the businesses. Generally breach individuals must be notified very quickly.

Note, notification with the CCPA is triggered by several events, not just a breach. This includes selling of data, and transfer of data during a merger.

Potential Penalties

Up to 100,000 Canadian Dollars.

Up to 20,000,000 euro, or up to 4% of annual worldwide turnover of the preceding financial year.

$100 to $750 per consumer per incident, or actual damages, whichever is greater.

There are also civil penalties.

As this chart demonstrates, there are several differences between PIPEDA, GDPR and CCPA. Some differences are slight, while others are more obvious. In any case, businesses need not only be aware of their privacy obligations but also take proactive measures to ensure compliance. This means working hand in hand with your IT team to understand where your servers are, what kind of information your business is processing, and what kind of security measures are put in place. It also means making sure your business is working together with competent legal counsel that understands the peculiarities of each law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Find out more and explore further thought leadership around Privacy Law and Privacy Regulations

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More