🇨🇦 Canada
Information
Extracts :
Extract :
"PIPEDA does not explicitly refer to the nationality or place of residence of individuals. Instead, PIPEDA broadly states that personal information which is collected, used, or disclosed by organizations during the course of commercial activities will be subject to PIPEDA."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"There is currently no right to data portability. However, the Amendment Act contains a set of provisions relating to data portability which are yet to come into force. These provisions will impose an obligation for a porting organisation to transmit personal data upon an individual's request to a receiving organisation (in Singapore or in a prescribed foreign country or territory). The obligation is expected to apply to personal data in the possession or under the control of the porting organisation if such personal data belongs to a class of personal data that is prescribed in the regulations and if the requesting individual has an ongoing relationship with the porting organisation. The data portability rule is not, however, expected to apply to certain types of data including 'derived personal data', which is personal data about an individual that is derived by the organisation in the course of business from other personal data."
2022
Reference :
Data Protection in different countries | Linklaters
Database for comparing other databases for the same information on data protection
Extract :
"PIPEDA protects the personal information of individuals; 'individual' is not defined in PIPEDA but guidance from the OPC, such as the OPC's Questions and Answers, clarifies that 'individual' means a natural person."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
There are no variations from the GDP
2021
Reference :
Germany Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Although PIPEDA does not expressly provide for extraterritorial scope, it has been found to apply extraterritorially in practice.
Extracts :
Extract :
"PIPEDA applies to organizations within Canada that collect, use, or disclose personal information in the course of a commercial activity."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"There are no definitions for the below listed terms in the part of the BDSG that supplements the GDPR."
Extract :
"PIPEDA does not distinguish between data controllers and data processors."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Although PIPEDA does not expressly provide for extraterritorial scope, it has been found to apply extraterritorially in practice.
Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
There is no definition of sensitive data under PIPEDA.
Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Canada Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Apart from consent, there is no other legal basis.
Extracts :
Extract :
"the "business activity" exemption to consent includes an additional exception: an organization may collect or use an individual's personal information without the individual's knowledge or consent for the purpose of an activity in which the organization has a "legitimate interest" that outweighs the potential adverse effect on the individual, subject to certain conditions;"
2022
Reference :
Bill C-27: Canada reintroduces sweeping changes to federal privacy law, proposes new AI legislation
Information on Bill C-27 | CAN
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"For offences punishable on summary conviction, fines do not exceed CAD 10,000 (approx. €6,610). For indictable offences, fines do not exceed CAD 100,000 (approx. €66,140)."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - CAN
Extracts :
Extract :
"Under PIPEDA, the OPC was envisioned to be an ombudsman and lacked any significant powers – it could not issue orders directly, had no power to levy fines or penalties, and, after investigations, could issue only non-binding 'findings' instead of binding decisions. It worked through persuasion and 'naming and shaming' to nudge organisations into compliance.
The proposed CPPA reflects a more traditional regulatory approach. It proposes to grant the Privacy Commissioner broad audit and order-making powers, and enable the Privacy Commissioner to make recommendations to the Tribunal for the imposition of significant administrative monetary penalties ('AMPs') on organisations for violating the key provisions (however, the Privacy Commissioner could not itself levy the AMPs; that falls to the Tribunal). The Privacy Commissioner would also be granted greater powers in regards to conducting inquiries and making compliance orders.
The Tribunal would be authorised to impose AMPs of up to CAD 10 million or 3% of the organisation's global gross revenues, whichever is higher. It is unclear at this time whether this means the global revenue of the Canadian entity, or the revenue of the entirety of an organisation's global operations.
The most egregious violations of the new legislation, such as failing to report breaches to the Privacy Commissioner or maintaining records of same, knowingly using de-identified information to identify an individual, or knowingly contravening a compliance order issued by the Privacy Commissioner, would constitute offences punishable, upon prosecution, with a fine of up to CAD 25 million or 5% of the organisation's global gross revenues."
2023
Reference :
Canada: An overview of Bill C-27 and its proposed changes to PIPEDA
Information on Bill C-27 | CAN
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"PIPEDA provides that the Federal Court may award damages to individuals."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - CAN
Extracts :
Extract :
Does not exist at present.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"The GDPR requires a DPIA to be conducted under specific circumstances. Although a PIA is not required under PIPEDA, an organization may conduct a PIA as part of its policies and practices implemented to give effect to the privacy principles …..."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - CAN
Extracts :
Extract :
"Anonymising and de-identifying data
PIPEDA does not address either technique. While evolving guidance from the Privacy Commissioner attempted to address issues of anonymisation and de-identification, such guidance was not consistent with evolving international norms. The CPPA would address both concepts directly. To anonymise is defined as 'to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means'. The CPPA states expressly that it does not regulate anonymous data because, by definition, there is no reasonable prospect of re-identification.
To de-identify data means 'to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains'. The CPPA does regulate de-identified data and generally prohibits attempts to re-identify it. The CPPA would also expressly allow for organisations to use an individual's personal information without their consent in order to de-identify their data. It would also require that in some cases, de-identified data must be used in place of fully identifiable personal information (for instance, in business transactions such as a merger or acquisition in order to take advantage of the provisions that say consent to disclose personal information pursuant to such transactions is not required).
Under certain circumstances, organisations can also disclose de-identified data to public entities for socially beneficial purposes."
2023
Reference :
Canada: An overview of Bill C-27 and its proposed changes to PIPEDA
Information on Bill C-27 | CAN
Extracts :
Extract :
"Unless otherwise prohibited by law, an organization must notify an individual of any breach of security safeguards involving the individual's personal information under the organization's control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. The notification to the individual must be given as soon as feasible after the organization determines that the breach has occurred."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - CAN
Extracts :
Extract :
"In the case of a breach of personal information under its control, an organization must notify the OPC if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - CAN
Extracts :
Extract :
There is no specific information on processor notification requirements.
Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"Individuals have the right to submit complaints to organisations, to withdraw consent (subject to some
limitations), and to file complaints with the OPC. Based on guidance from the OPC, opt-out consents are
permissible under PIPEDA in limited circumstances involving non-sensitive information provided that a
set of requirements are met."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"Data portability and deletion
PIPEDA currently contains the rights of access and rectification, and a right to withdraw consent. The CPPA would expand and clarify these existing individual rights, and provide for new individual rights of data portability and deletion. Consumers would be able to require an organisation to transfer their data to another organisation, provided that the organisations are connected to a 'data mobility framework'. The mechanism for such frameworks is left to regulations which have not yet been drafted.
The CPPA would allow an individual to withdraw consent subject to similar limitations that currently exist in PIPEDA. However, unlike PIPEDA, under the CPPA an individual can also specifically request that an organisation dispose of their information; notably, disposal includes deletion and rendering the data anonymous.
If an organisation disposes of personal information at an individual's request, the CPPA would require it, as soon as feasible, to inform any service provider to which it has transferred the information of the individual's request and ensure that the service provider disposed of the information."
2023
Reference :
Canada: An overview of Bill C-27 and its proposed changes to PIPEDA
Information on Bill C-27 | CAN
Extracts :
Extract :
"8.7. Right not to be subject to automated decision-making
There is no specific right not to be subject to automated decision-making under PIPEDA, AB PIPA, or BC
PIPA. The amended Quebec Private Sector Act will require organisations that make decisions based exclusively
on the automated processing of personal information to notify the person concerned that the
decision was made in this manner, and to provide the individual with certain additional information
concerning the decision-making process upon request."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.1. Right to be informed
Canadian private sector privacy laws generally require the knowledge and consent of the individual, except
in certain circumstances where consent is not required. Organisations must be open and transparent
about their practices and inform individuals about the information collected, used, and disclosed, as
well as the purposes for such activities, among other requirements. One way that organisations meet
this obligation is through a public-facing privacy policy; this will soon be a statutory requirement for all
organisations collecting personal information using technological means in Quebec.
The amended Quebec Private Sector Act will also include more specific disclosure obligations for organisations,
including requirements to indicate whether there is a possibility that an individual's personal information
will be communicated outside of Quebec, and to provide individuals with the names of the
third parties or categories of third parties to whom it is necessary to communicate their personal information."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"Section 62(1): 'Pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - CAN
Extracts :
Extract :
"Under Canadian data protection laws, individuals have a general right to obtain access to their personal
information held by organisations. Access requests must be processed in accordance with the applicable
statute, within prescribed timeframes. Organisations are permitted to refuse access only in enumerated
circumstances, and generally must sever exempt information from non-exempt information where
possible. For example, under PIPEDA, organisations may refuse access to personal information where,
among other exceptions, the information is protected by solicitor-client privilege or would reveal confidential
commercial information."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.3. Right to rectification
Under PIPEDA, when an individual successfully demonstrates the inaccuracy or incompleteness of
personal information, an organisation must amend the information as required. Depending upon the
nature of the information challenged, amendment involves the correction, deletion, or addition of information.
Where appropriate, the amended information will be transmitted to third parties having access
to the information in question."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"Data portability and deletion
PIPEDA currently contains the rights of access and rectification, and a right to withdraw consent. The CPPA would expand and clarify these existing individual rights, and provide for new individual rights of data portability and deletion. Consumers would be able to require an organisation to transfer their data to another organisation, provided that the organisations are connected to a 'data mobility framework'. The mechanism for such frameworks is left to regulations which have not yet been drafted.
The CPPA would allow an individual to withdraw consent subject to similar limitations that currently exist in PIPEDA. However, unlike PIPEDA, under the CPPA an individual can also specifically request that an organisation dispose of their information; notably, disposal includes deletion and rendering the data anonymous.
If an organisation disposes of personal information at an individual's request, the CPPA would require it, as soon as feasible, to inform any service provider to which it has transferred the information of the individual's request and ensure that the service provider disposed of the information."
2023
Reference :
Canada: An overview of Bill C-27 and its proposed changes to PIPEDA
Information on Bill C-27 | CAN
Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"The GDPR requires a DPIA to be conducted under specific circumstances. Although a PIA is not required under PIPEDA, an organization may conduct a PIA as part of its policies and practices implemented to give effect to the privacy principles …..."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - CAN
Extracts :
Extract :
"the "business activity" exemption to consent includes an additional exception: an organization may collect or use an individual's personal information without the individual's knowledge or consent for the purpose of an activity in which the organization has a "legitimate interest" that outweighs the potential adverse effect on the individual, subject to certain conditions;"
2022
Reference :
Bill C-27: Canada reintroduces sweeping changes to federal privacy law, proposes new AI legislation
Information on Bill C-27 | CAN
Extracts :
Extract :
No direct information found on this requirement anywhere.
Extracts :
Extract :
"Guidance from the OPC, including the PIPEDA Self-Assessment Tool and the Accountability Guidance, outline recommended and required responsibilities of privacy officers, which include informing and monitoring compliance, as well as acting as a point of contact, among other things."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - CAN
Extracts :
Extract :
Yes, a business may appoint a single DPO to cover multiple entities.
Reference :
ICLG Website
Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"PIPEDA does not provide exemptions to the requirement to notify individuals when the breach of security safeguards creates a real risk of significant harm to the individual."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - CAN
Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"Organisations are not specifically required to maintain general data processing records under private sector data protection law. However, in order to demonstrate compliance, consent, and other requirements if challenged by a complainant, commissioner, or the court, it can be crucial to maintain records. Certain record keeping is specifically required in respect of breaches under PIPEDA or provincial privacy laws in certain circumstances as noted below. Certain record keeping is also required in relation to CASL."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"PIPEDA does not require organizations to maintain a record of processing activities under their responsibility."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - CAN
Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie

| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| Canadian Radio-television and Telecommunications Commission (CRTC) | | Regulator | Independent agency | 1968 |
| Office of the Privacy Commissioner of Canada (OPC) | OPC | Regulator | Govt authority/ministry | 1977 |
| Competition Bureau | | Regulator | Independent agency | 1952 |
| Canadian Intellectual Property Office (CIPO) | | Regulator | Under the government authority | 1991 |
| Ministry of Innovation, Science and Economic Development | | Regulator | Ministry | 1993 |

| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|
| Consumer Privacy Protection Act | Privacy Act | General privacy/data protection law | 1983 | Active | 1983 | 2022 | Several aspects | |