Canada & Mexico Overview: Data Protection & Privacy Regulations


In a previous post, we gave an overview of data privacy legislation in the United States, both federal and state.  We’ll discuss our North American neighbors here.


We must ensure that while we support the greater use of data, we are also protecting the trust and privacy of Canadians.
Canada’s Digital Charter in Action: A Plan by Canadians, for Canadians

Canada has two major pieces of legislation covering privacy. First is the Privacy Act, which governs how the Canadian Federal Government collects and uses personal information. The act applies only to Canadian Federal Institutions and specifies how the Canadian government can collect, use, disclose, keep, or dispose of PII, all in the process of delivering government services to Canadian citizens. In other words, unless you are a member of the Canadian government, move along: this act doesn’t apply to you.

The second piece of legislation is the Personal Information Protection and Electronic Documents Act (PIPEDA), enacted in early 2000. PIPEDA was amended by the Canadian Digital Privacy Act, which received Royal Assent in June of 2015. It is this amended act that is currently in effect and the one that we examine here.

Nation of Canada and foreign businesses doing business in Canada; came into force (as amended) November 1, 2018.

The Privacy Act amendment was introduced so that PIPEDA, which governs how businesses can collect, use, and disclose PII, would be better aligned with the European Union’s GDPR.

Intent and Major Provisions
PIPEDA establishes ten major principles for the protection of Personally Identifiable Information.

Principle 1—Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

Principle 2—Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Principle 3—Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4—Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Principle 5—Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Principle 6—Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Principle 7—Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 8—Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Principle 9—Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10—Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.


PII Definition
Under PIPEDA, the definition of personally identifiable information is very broad. It states that: “Personal Information means information about an identifiable individual.”

PIPEDA does give a little more definition to personal health information: “Personal Health Information, with respect to an individual, whether living or deceased, means:

(a) information concerning the physical or mental health of the individual;
(b) information concerning any health service provided to the individual;
(c) information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;
(d) information that is collected in the course of providing health services to the individual; or
(e) information that is collected incidentally to the provision of health services to the individual.”

Inclusion Criteria
PIPEDA’s purpose and application, according to the act, is: “to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

PIPEDA specifically excludes the following:

(a) any government institution to which the Privacy Act applies;
(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or
(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

Enforcement Agency
PIPEDA is administered by the Canadian Federal Privacy Commissioner, who can refer violations to the Canadian Federal Court.

PIPEDA penalties can be as high as $100,000 (Canadian dollars).

Complete Text
Here’s the complete text for the Personal Information Protection and Electronic Documents Act.

All Canadian businesses and all businesses doing business in Canada.


Following Mexico’s constitutional reform in 2005, legislators were able to focus on privacy, passing the first Mexican privacy law: the Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares). This law has since been enhanced by several additional regulations, recommendations, and guidelines, the most important of which is the General Law for the Protection of Personal Data in Possession of Obligated Subjects (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados).

The nation of Mexico and foreign businesses that process Mexican citizens’ data.

The goals of the Mexican legislature are clearly spelled out in Article one of the original law:

This Law is of a public order and of general observance throughout the Republic, and has the purpose of protecting personal data held by private parties, in order to regulate its legitimate, controlled and informed processing, to ensure the privacy and the right to informational self-determination of individuals.

Intent and Major Provisions
The law explicitly defines the following principles of personal data protection and rights of data owners. These include: data can only be collected in a lawful manner, with consent of the data owners, and not through deceptive means; there must be a reasonable expectation of privacy; and data owners may revoke their permission or adjust incorrect data at any time.

PII Definition
The law defines two types of data: personal and sensitive.  Personal data is simply “any information concerning an identified or identifiable individual.”

Mexico’s definition of sensitive personal data is a bit more detailed, but it is roughly what it sounds like: data “touching on the most private areas of the data owner’s life, or whose misuse might lead to discrimination or involve a serious risk for said data owner.” These “private areas of life” include but aren’t limited to race and ethnicity, health, genetics, religious beliefs and political views, and sexual preference.

Inclusion Criteria
Any businesses that process Mexican citizens’ data.


Enforcement Agency
The law is enforced by the Mexican National Institute of Transparency for Access to Information and Personal Data Protection—called “The Institute” for short—along with the Ministry of Economy and related administrative authorities.

The penalty provisions of the law are interesting! Along with potential jail time for the offenders, the fines are based on multiples of the current minimum wage in Mexico City.

Complete Text
Here’s the full text for the Federal Law on the Protection of Personal Data Held by Private Parties and the General Law for the Protection of Personal Data in Possession of Obligated Subjects.

The impact of this law is worldwide, in the sense that it affects any business that transacts in Mexico and deals with Mexican citizens’ data.

