Comparing UK and Canadian Data Privacy Laws

Data privacy laws have grown much more numerous and powerful in recent years. The EU's General Data Protection Regulation (GDPR), which took effect in May 2018, spurred many jurisdictions to create or update their own data privacy laws.

In addition to the sheer number of laws, some of the biggest challenges for companies attempting to achieve compliance are the differences between the different regulations. Laws with similar intents and protections often differ significantly in the details, complicating compliance.

For example, the UK and Canada both have laws in place or in the pipeline designed to protect the personal data of their residents. However, these laws have several key differences.


A Brief Introduction to UK and Canadian Data Privacy Laws

In the UK, the primary data privacy legislation is the Data Protection Act 2018 (DPA), which applies alongside the UK GDPR (the EU GDPR as retained in UK law after Brexit). The DPA supplements the UK GDPR with UK-specific provisions, and the combined regime is deliberately kept close to the EU GDPR, which is what underpins the EU's 2021 "adequacy" decision allowing personal data to flow from the EU to the UK without additional safeguards. The Information Commissioner's Office (ICO), the UK regulator for the DPA and UK GDPR, is one of the most active data protection authorities anywhere.

Currently, Canada's main federal privacy law is the Personal Information Protection and Electronic Documents Act (PIPEDA), enacted in 2000. PIPEDA sets out how private-sector organizations may collect, use, and disclose personal information in the course of commercial activities, including safeguarding requirements. Additional privacy legislation may apply depending on the province (British Columbia and Alberta have enacted comprehensive private-sector privacy legislation, each called the Personal Information Protection Act (PIPA), while Québec operates under its own private-sector privacy act, substantially amended by Law 25) and on the sensitivity of the data (most provinces have special privacy legislation for health information).

A new law, the Digital Charter Implementation Act, 2022 (DCIA), tabled as Bill C-27 in June 2022, is intended to update and replace PIPEDA's privacy provisions. DCIA/C-27 brings Canada's data privacy regime closer to the GDPR and adds provisions aimed at the emergence of artificial intelligence (AI). These functions are broken up into three acts:

  • Consumer Privacy Protection Act (CPPA): Replaces the privacy portion of PIPEDA with expanded privacy protections. 
  • Personal Information and Data Protection Tribunal Act (PIDPTA): Creates a new tribunal to hear appeals of Privacy Commissioner decisions and to impose administrative monetary penalties for non-compliance. 
  • Artificial Intelligence and Data Act (AIDA): Establishes governance obligations for "high-impact" AI systems that affect people in Canada. 


Key Differences Between the Laws

The UK’s DPA and Canada’s PIPEDA and DCIA are all intended to protect their constituents’ data against misuse and potential theft. However, the laws differ significantly in terms of what they provide and how they are enforced by regulators.

1. Scope

The GDPR had a profound influence on the data privacy landscape, and one of the reasons for this is its wide-reaching scope. The GDPR applies to any organization that processes the personal data of individuals in the EU (regardless of their citizenship) when offering them goods or services or monitoring their behaviour, even if the organization is located outside the EU. The UK GDPR/DPA is modeled on the GDPR and has the same extraterritorial reach for individuals in the UK.

PIPEDA, on the other hand, has a more complex scope of protection. PIPEDA applies to private-sector organizations engaged in commercial activity; within Québec, British Columbia, and Alberta, however, the provincial laws deemed "substantially similar" to PIPEDA govern activity inside the province, with PIPEDA still covering federally regulated businesses and personal information that crosses provincial or national borders. The statute doesn't explicitly mention foreign companies, but the Federal Court has held that PIPEDA applies to organizations outside Canada that have a "real and substantial connection" to Canada, such as collecting and selling information about people in Canada.

DCIA/CPPA would apply to organizations outside Canada in the same way and would require organizations transferring personal information across borders to ensure, by contract or otherwise, a comparable level of protection. However, it has no equivalent of the GDPR/UK GDPR "adequacy" mechanism or standard contractual clauses that formally restrict cross-border transfers.

2. Consent

The GDPR and UK GDPR/DPA are widely considered the "gold standard" for consent requirements. Consent is only one of several lawful bases for processing under these laws, but where an organization relies on it, the consent must be freely given, specific, informed, and unambiguous, with the organization explaining exactly how the data will be used, and the individual must be able to withdraw it as easily as it was given.

In May 2022, the ICO fined Clearview AI over 7.5 million pounds for scraping publicly available images of faces from the web to build a facial recognition database without a lawful basis, and ordered the company to stop collecting and to delete the data of UK residents. (The penalty was overturned by the First-tier Tribunal in October 2023 on jurisdictional grounds, a decision the ICO appealed; the case illustrates that even an aggressive regulator's reach over foreign organizations is contested.)

PIPEDA also requires "meaningful" consent for the collection, use, and disclosure of personal information; however, it permits implied consent in many situations and is less prescriptive about the form consent must take, which weakens its protections in practice. One of the goals of DCIA/C-27 is to tighten these requirements: the CPPA would require consent to be express unless implied consent is appropriate given the sensitivity of the information and the individual's reasonable expectations, and would require organizations to explain the purposes of processing in plain language.

3. Enforcement

Data privacy laws like the GDPR and UK GDPR/DPA enforce their mandates by imposing penalties on organizations that breach their requirements. The most serious infringements (not only data breaches) can attract fines of up to 20 million euros under the GDPR, or 17.5 million pounds under the UK GDPR, or 4% of global annual turnover, whichever is greater.

Historically, the UK's ICO has been one of the more active regulatory authorities. Its 2020 fines of British Airways (20 million pounds) and Marriott International Inc. (18.4 million pounds) for data breaches were record-breaking at the time, even though the final penalties were far below the 183 million and 99 million pounds announced in the ICO's 2019 notices of intent, after the companies' representations and the economic impact of the pandemic were taken into account. The ICO has since fined several other companies for non-compliance.

PIPEDA, on the other hand, doesn't give the Office of the Privacy Commissioner of Canada (OPC) the power to levy fines directly. The OPC takes complaints, investigates, and issues findings and recommendations, but it must apply to the Federal Court of Canada to obtain binding orders, and the fines that do exist under PIPEDA are limited to specific offences such as failing to report a breach. Such applications have been rare, and the OPC's application against Facebook over the Cambridge Analytica matter was dismissed by the Federal Court in 2023 (a ruling that was later reversed on appeal in 2024).

DCIA updates this by giving the OPC order-making powers and creating a new tribunal to impose administrative monetary penalties. The penalty structure is modeled on the GDPR/UK GDPR: administrative penalties of up to CA$10 million or 3% of global revenue (whichever is greater) for violations of the CPPA, and, for the most serious offences prosecuted through the courts, fines of up to CA$25 million or 5% of global revenue. The nominal maximum would therefore be higher than the GDPR's 4%, giving the new law more teeth on paper.


AI/Next-Gen Technologies

The emergence of ChatGPT and generative AI (GenAI) technologies in late 2022 spurred many companies and individuals to rapidly adopt AI. While these technologies have significant potential, they also create unique data security and privacy risks, such as sensitive data being fed into third-party models or surfacing in their outputs. In March 2024, the European Parliament approved the Artificial Intelligence Act, landmark legislation that lays down a uniform legal framework for the development, deployment, and use of AI systems. The regulation seeks to promote the principled use of AI while ensuring a high level of protection of health, safety, and fundamental rights. Some uses of AI are explicitly prohibited, while other "high-risk" uses are permitted only under strict requirements for risk management, data governance, transparency, and human oversight. This regulation will likely serve as a model for the UK, Canada, and other countries to follow.

The GDPR and UK GDPR already include provisions (Article 22) restricting solely automated decision-making, including profiling, that produces legal or similarly significant effects on individuals, and these apply to AI systems used for such decisions. The UK also published a National AI Strategy in September 2021 that outlined its AI roadmap, including plans for how the technology will be governed.

One of the main drivers of DCIA is to update Canada's privacy regulations to address the risks of AI. The CPPA would add transparency obligations for automated decision systems, and AIDA would impose risk-assessment, mitigation, and record-keeping duties on those who make available or manage high-impact AI systems, bringing the evolving technology clearly within the new enforcement powers.


Managing the Compliance Challenge

The DPA, PIPEDA, and DCIA are a small subset of the data privacy laws, and laws with data privacy components, that companies must comply with. As the comparison above shows, laws with similar aims can differ significantly in scope, consent requirements, enforcement, and potential penalties for non-compliance. Navigating the compliance landscape is easiest with expert guidance. If you want to learn more about how changes to PIPEDA and other laws can affect your business and how to optimize your compliance management, contact ISA Cybersecurity for more information. We are here to help.

