LUP Student Papers

LUND UNIVERSITY LIBRARIES

The Compliance Burden for Private Sector Businesses under the GDPR in light of PIPEDA: A Comparative Analysis of the European and Canadian Data Privacy Laws

Mazalova, Elizaveta LU (2023) JAEM01 20221
Department of Law
Faculty of Law
Abstract
Information and communication technology has emerged significantly over the past two decades. The ever-growing trade and monetization of digital encounters are likely to extend technology even more in the upcoming decades. Recent technological developments have brought various advantages worldwide, such as effective communication, increased production, and artificial intelligence, which can solve complex problems and make life easier for companies and consumers. Nonetheless, technology also allows for the possibility of different negative privacy-related consequences. Particularly, access to personal information threatens people's privacy and reduces the amount of control over their data.

Swift digital advancements made it difficult for governments to create new data privacy laws which would adjust to the needs of the continuously changing technology. Internationally, countries struggled to develop privacy laws addressing data protection issues. Striking a balance between data subjects' and companies' rights seemed an impossible task for the time being. Existing data privacy laws quickly became outdated and failed to adequately address the challenges of an increasingly digital world. The lack of sufficient data protection laws led to organisations having considerable discretion in managing personal data as they deemed appropriate. This, however, raised significant data privacy concerns among people whose data was collected. People became disquieted about the security and lawfulness of their information. The main concern was the extent to which personal information was collected, how it was processed, and who it was shared with. People wanted to benefit from the advantages that technology offered but without losing their autonomy and anonymity. Consequently, a need arose to solve data privacy issues and introduce an adequate legal framework worldwide.

The EU was the first to introduce the strictest data protection legislation in the world, the GDPR, which replaced its predecessor, the DPD. Globally, the GDPR obtained a "gold standard" protection level for processing personal information. Organisations can process the personal information of EU data subjects but only under strict circumstances provided by the GDPR. Unlawful processing of personal data can be subject to harsh penalties. Following the creation of DPD, the Canadian government established its first federal legislation relating to information protection for private sector organisations, PIPEDA. The GDPR and PIPEDA share various similar traits. Both legislations apply to private sector organisations and protect data subjects with respect to their personal information. Nevertheless, there are significant differences in how each legislation constrains organisations when it comes to processing personal information.

This thesis aims to compare the GDPR and PIPEDA to determine how each legislation constrains private sector organisations. More specifically, the paper seeks to 1) identify the major conceptual differences between GDPR and PIPEDA and 2) determine which legislation places more compliance burdens. To answer the research questions, the thesis uses doctrinal and comparative methodologies. The doctrinal method is used to explain the EU and Canadian legal systems, data protection evolution, and criticism relating to GDPR and PIPEDA. The comparative methodology is utilized to compare the two legal systems, data protection approaches, and business obligations of each legislation. Finally, the paper establishes reasons for having different compliance burdens.

author: Mazalova, Elizaveta LU
course: JAEM01 20221
type: H1 - Master's Degree (One Year)
language: English
id: 9121249
date added to LUP: 2023-06-27 10:33:06
date last changed: 2024-03-07 13:08:36

@misc{9121249,
  author       = {{Mazalova, Elizaveta}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{The Compliance Burden for Private Sector Businesses under the GDPR in light of PIPEDA: A Comparative Analysis of the European and Canadian Data Privacy Laws}},
  year         = {{2023}},
}