ARTICLE
30 January 2019

Understanding The GDPR - Comparing Consent Provisions To PIPEDA, PIPA And CASL

BJ
Bennett Jones LLP

Contributor

Bennett Jones LLP logo
Bennett Jones is one of Canada's premier business law firms and home to 500 lawyers and business advisors. With deep experience in complex transactions and litigation matters, the firm is well equipped to advise businesses and investors with Canadian ventures, and connect Canadian businesses and investors with opportunities around the world.
Explore Firm Details
Lexpert Firm Profile
The breach notification obligations for Canadian organizations will change significantly in 2018:
Canada Privacy
Photo of Stephen D. Burns
Photo of J. Sébastien Gittens
Authors

The European Union's General Data Protection Regulation (GDPR) came into force on May 25, 2018. To assist Canadian organizations with their potential compliance efforts with respect to this legislation, the following is intended to provide a non-exhaustive, high-level comparison between the consent provisions of:

  1. the GDPR;
  2. Canada's Personal Information Protection and Electronic Documents Act (PIPEDA);
  3. the Personal Information Protection Acts of Alberta and British Columbia (collectively, the PIPAs); and
  4. Canada's Anti-Spam Legislation (widely known as CASL).

While there are important nuances to each of these regulatory frameworks, they broadly draw on fair information practices that result in substantial commonality among them. In fact, a number of elements in Canadian private sector privacy law, especially in the PIPAs, have anticipated some provisions in the GDPR.

EXPRESS CONSENT

The Alberta and B.C. Privacy Commissioners have held that consent must be "meaningful" (i.e., an individual must understand what an organization is doing with their information).

On or before collecting personal information about an individual, an organization must generally disclose to the individual verbally or in writing: (i) the purposes for the collection of the information; and (ii) the position name or title and the contact information of a person who is able to answer the individual's questions about the collection. Consent can also be implied or deemed in certain circumstances.

The PIPAs provide that an organization shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information about an individual beyond what is necessary to provide the product or service.

Canada's privacy regulators plan to adopt new guidelines applicable to meaningful consent as of January 1, 2019.



Originally published by Canadian Privacy Law Review

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Stephen D. Burns
Stephen D. Burns
Photo of J. Sébastien Gittens
J. Sébastien Gittens
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More