PIPEDA vs. GDPR: Regional Shield of Data Privacy, Part 2

Since our last article we have been on a comparative study of PIPEDA and GDPR, so that readers are not confused and have a basic understanding of the two. At times it becomes a tedious task for attorneys to grasp all the information and comply with all of it at once. These articles are in no way intended to supply or give any legal advice. In this article we discuss a few more comparative aspects of these two enactments and then conclude the topic.


F) Nomenclature:

Personal Data is the nomenclature used under GDPR, while Personal Information is the term used and defined under PIPEDA.

One should be mindful when using these two terms and when referring to them in respect of the two acts.

Personal Data under GDPR is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Under PIPEDA it is defined as “information about an identifiable individual”. By a mere reading one can see that GDPR’s definition is wider in nature and is more precise and clear, possibly because the GDPR is an enactment of the EU, which has 27 countries, so the needs and understanding of many geographical locations have been taken into consideration.

G) Consent:

Under GDPR, consent means a freely given, specific, informed and unambiguous indication, etc.; the definition also points more precisely to a statement, a clear affirmative action or agreement.

In PIPEDA, consent has been adopted as the third most essential fair principle under Schedule 1. PIPEDA uses both the terms consent and knowledge. The definition part defines not merely consent but valid consent; from the terminology used in the act one can understand the legislature’s intention that consent is important, but that whether the consent is valid will be weighed in the eyes of the law. Disputes often arise over the authenticity of consent, so this aspect has been precisely taken care of under PIPEDA.

H) Rights:

Rights of data subjects are clearly set out under the GDPR, but that is not the case with PIPEDA. No such rights are clearly provided; however, one can infer them implicitly: since use, disclosure or collection without consent is prohibited, the rights are inferred as protections against such unauthorised use, disclosure or collection.

I) Remedies:

PIPEDA’s mode of redressal speaks of filing complaints and of incidents in which all damages can be calculated and awarded to the complainant, but no specific indication is given, so the quantum of damages is solely at the mercy of the regulators.

GDPR is clear and strict about it and gives an indication of damages: up to 2% of annual global turnover in some circumstances and 4% in others, or €10 or (in some cases) €20 million, whichever is higher (see Article 83(4) and (5) of the GDPR).

I would like to conclude this post here; it is evident that PIPEDA and GDPR play an important role in their respective territories.