Proposed changes to PIPEDA & GDPR - Ready for the Change?

By: O'Neil Smith

Privacy law practitioners advising corporate clients as well as Corporate Counsel for corporations with international operations are dealing with rapid changes in technology and the implications for personal information and data privacy. These developments include a quickly changing regulatory environment, especially in the context of proposed updates to the Personal Information Protection and Electronic Documents Act (PIPEDA). While Canada’s existing PIPEDA has been deemed to be “adequately compliant” with existing EU privacy regulations, the legislation will need to be amended soon in order to maintain its adequacy status in relation to the more stringent requirements of the GDPR which come into force on May 25, 2018.

Some organizations feel that they or, in the case of law firms, their clients don’t do enough business in the EU to warrant being overly concerned with the General Data Privacy Regulation (GDPR) and that what happens in the EU isn’t relevant to their day to day corporate operations.

On February 28th the Standing Committee on Access to Information Privacy and Ethics announced the release of its report which includes the following, among its 19 recommendations to the Federal Government for updating PIPEDA:

• consider including in PIPEDA a framework for a right to erasure based on the model developed by the European Union (EU) that would, at a minimum, include a right for young people to have information posted online, either by themselves or through an organization, taken down;

• work with its EU counterparts to determine what would constitute adequacy status for PIPEDA in the context of the new General Data Protection Regulation(GDPR);

• determine what, if any, changes to PIPEDA will be required in order to maintain its adequacy status under the GDPR; and, if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, create mechanisms to allow for the seamless transfer of data between Canada and the EU;

• work with the provinces and territories to make sure that all relevant jurisdictions are aware of what would be required for adequacy status to be granted by the EU;

Given the proposed enhancements to PIPEDA, can Corporations that currently do business in the EU and the legal professionals who advise them afford to be complacent on the need to track global data privacy regulatory developments?

The GDPR significantly updates the EU’s regulatory regime to take into account rapid and wide-ranging technological developments and the continued evolution of privacy law since the inception of the EU’s existing data privacy directive in 1995. One major change from the 1995 directive is that it applies to both controllers of data and entities that process data regardless of where they are located. It also applies to many more types of organizations, including Canadian companies that monitor behaviour of EU residents - or “data subjects” as they are referred to in the Regulation. It is essential therefore, that Canadian companies review the GDPR’s provisions to determine whether their activities come under its scope and jurisdiction, especially for organizations that offer services online and/or do business in the EU so that they can ensure their privacy policies are in compliance. This is important given Parliament’s focus on maintaining the adequacy of Canadian privacy laws under the GDPR as this will further inform policy privacy development and approaches of Canadian companies.

Data Privacy Advisor from Thomson Reuters provides firms with an important tool/resource for tracking the requirements and jurisprudence following from implementation of the GDPR. With trusted answers from Thomson Reuters Data Privacy Advisor, Data Privacy professionals, Corporate Counsel and Legal Professionals can stay informed of issues and better understand how to proceed.

Learn more about Data Privacy Advisor