GDPR and Canada’s Privacy Regime: What Are the Differences?
Title: GDPR and Canada’s Privacy Regime: What Are the Differences?
Jurisdictions:Canada / EU
Authors: Caroline Deschênes and Pascal Archambault
Law firm: Langlois lawyers
Since its implementation on May 25, 2019, the European Union’s General Data Protection Regulation (the “GDPR”) has become one of the primary references in matters of privacy protection and digital trust.
While it is true that an adequacy decision rendered by the European Commission recognizes that Canada’s Personal Information and Electronic Documents Act (“PIPEDA”) ensures an “adequate” level of protection of personal data, it was rendered pursuant to EU Data Protection Directive 95/46/EC, which has since been replaced by the GDPR.
There are now significant differences between the two privacy protection regimes. Consequently, Canadian organizations subject to the GDPR can no longer assume they are complying with the GDPR merely because they are complying with the rules and principles laid down in PIPEDA. The inverse is also true for EU organizations doing or seeking to do business in Canada.
This contribution is intended to provide a practical summary of some of the most important differences between the two regimes.