Just as the European Union (EU), Canada has always been a leader in regard of data protection.
As soon as the 13th April 2000, the Parliament of Canada enacted the Personal Information Protection and Electronic Documents Act, also known as PIPEDA, which was already so relevant that it received the adequacy ruling from the European Commission (EC), and its core principles have been taken up by the GDPR. These principles are:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
The main difference with the GDPR is that PIPEDA does apply to commercial organizations only, whereas the GDPR does apply to every entity that uses data.
PIPEDA was the only binding legal instrument in the data protection field for a long time, until the enactment of the Digital Privacy Act (2015). The latter simply introduced amendments to PIPEDA, especially one which is more protective of the customer’s consent, and another one that create a breach notification obligation.
Even if these acts were ruled « partially adequate » to the GDPR’s standards by the EC, the current Canadian Government decided to go further into data protection. In 2016, there was a citizen consultation process, in which Canadian people expressed concerns about the safety of their personal data. This work has resulted in two important papers: the Digital Charter and the Strengthening Privacy for the Digital Age. Both texts recommend several amendments proposals for PIPEDA. To sum it up, their goal is to grant new individual rights on data, such as better transparency and data portability.
Following the publication of these papers, the Canadian Government delivered a mandate letter on 17 January, 2020, that urges legal institutions to develop new privacy laws, at least as protective as the GDPR. Hence, Canada will probably be the next world leader for data protection.
EL MAMOUNI Habib
M2 Cyberjustice, promotion 2019-2020