November 23rd, 2018  |  par Eudes Réthier  |  News

Personal information: respecting the laws in Canada is not enough

Renseignements personnels
Canadian companies, even SMBs that do not export, are affected by several US and European laws related to personal data. Overview.


The bare minimum: PIPEDA / PIPEDA and its similar laws in Canada

personal data

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is the primary legal framework. Adopted in 2000 and amended in 2015, it applies to all Canadian companies.

personal data

In Quebec, businesses are subject to a similar law similar: the “Act respecting the protection of personal information in the private sector” .


Even if your company is most probably in compliance with the Quebec or Canadian legislation, you need to realize the impact that some foreign legislation may have on your business.


For all contact with Europeans: the GDPR

personal data

The General Data Protection Regulation (RGPD) was adopted by the European Parliament in 2016. It was implemented in May 2018.

Your business is subject to it if you collect any personal data from a customer, a prospect or a single web visitor from a European Union country.

Although the Canadian and European legislative frameworks are similar, there are differences between PIPEDA and the GDPR. Here are two examples:

  • the notion of consent is larger in Canada, while the GDPR specifies several levels of consent, each corresponding to specific uses of the data;
  • If PIPEDA allows any individual to know what information a company got about him, the RGPD goes further by requiring the company to provide the data to the individual at their request.

The differences, sometimes subtle, between the two texts have been analyzed in detail here.

personal data

The RGPD provides extremely heavy penalties. They can reach 20 million euros or 4% of the global annual turnover of the company!

The difficulty of complying with both legislations at the same time has led many Canadian companies to deny access to their website to European visitors.


In the United States … and anywhere in the World: Patriot Act, Freedom Act, CLOUD Act

personal data

The Patriot Act is an anti-terrorism law passed by the US Congress in response to the attacks on September 11, 2001. It was replaced in 2015 by the Freedom Act, which effectively extends many of the provisions of the Patriot Act. These laws were completed in 2018 by the CLOUD Act (for Clarifying Lawful Overseas Use of Data Act).

The spirit of these laws is very different from the Canadian and the European laws. Its primary purpose is to enable US intelligence services to obtain data on individuals for the purposes of defense and protection against terrorism.

personal data

In the United States, the Freedom Act has limited the surveillance of the US National Security Agency (NSA) by requiring it to obtain permission from a court. But this limitation does not apply to communications entering and leaving the United States, which the NSA can continue to monitor.

personal data

The CLOUD Act allows the US government to access all data hosted by US cloud service providers, anywhere in the world. So, if your data is hosted by a US company, regardless of where its servers are located, Washington assumes the right to access it under certain circumstances.


If data is important to your business and your customers, you would probably benefit from an explanation of the impact of legislation on your business.

With more than 25 years of experience in the information technology world, GTI Canada offers outsourcing, technology consulting and cyber security services designed to meet the needs of SMEs.

To find out how we can help you, contact us!