What is PIPEDA? An Overview of the Canadian Data Privacy Law

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that governs data privacy. Its objective is to ensure that private sector organizations responsibly handle Canadian personal information while providing goods and services at the commercial level.

The Office of the Privacy Commissioner in Canada (OPC) defines commercial activity under PIPEDA as:

“…any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

PIPEDA gives Canadians oversight and control over their personal information via the 10 Fair Information Principles. These principles guide organizations in collecting, using, and disclosing personal information, with provisions for providing access to individuals’ personal data upon request.

Importantly, any collection, use, or disclosure of personal information must be limited to reasonably appropriate purposes. Inappropriate purposes, termed “no-go zones” by the Office of the Privacy Commissioner in Canada, include collecting, using, or disclosing personal information in ways that:

  • Profile individuals
  • Lead to unfair treatment
  • Cause significant harm to individuals
  • Charge for the removal of personal information
  • Require social media passwords for employee screening
  • Conduct surveillance using personal devices’ audio or video functions

Who Needs to Comply With PIPEDA?

PIPEDA applies to private sector organizations that collect, use, and disclose personal information while conducting commercial activities in Canada. Even if a Canadian province or territory has similar legislation, PIPEDA still applies to businesses engaged in commercial activities that involve the cross-border transfer of information. Federally regulated organizations and businesses are also subject to PIPEDA – such as:

  • telehealth providers
  • medical centers
  • hospitals
  • nursing homes
  • wholesale businesses
  • eCommerce platforms
  • transportation companies

Who is Exempt from PIPEDA?

Organizations in Canadian provinces that have privacy laws similar to PIPEDA are exempt, as are non-profit organizations, since they are not collecting information for commercial purposes.

According to the Office of the Privacy Commissioner in Canada, further activities that fall under exemption (as long as they are for non-profit activities) include:

  • Collecting membership fees
  • Organizing club activities
  • Compiling lists of members’ names and addresses
  • Mailing out newsletters
  • Fundraising

Breakdown of the 10 Fair Information Principles

PIPEDA outlines the following responsibilities for each of the ten fair information principles:

  • Accountability: Organizations must appoint someone accountable for ensuring compliance.
  • Identifying Purposes: The reasons for collecting personal information must be communicated to individuals.
  • Consent: Individuals must consent to the collection, use, and disclosure of their personal information.
  • Limiting Collection: Personal information collection must be limited to specific purposes.
  • Limiting Use, Disclosure, and Retention: Personal information can only be used, disclosed, and retained for the purposes it was collected, unless otherwise consented or required by law.
  • Accuracy: Personal information must be accurate, up-to-date, and complete.
  • Safeguards: Appropriate security safeguards must be implemented to protect personal information.
  • Openness: Organizations must provide clear and accurate information about their policies and practices regarding personal information.
  • Individual Access: Upon request, organizations must provide individuals with access to their personal information and related details.
  • Challenging Compliance: Individuals have the right to challenge an organization’s compliance with the fair information principles.

Who Enforces PIPEDA?

The OPC oversees compliance with PIPEDA. The handling of breaches under PIPEDA can be quite complex. There are two ways in which a breach can be identified: either an individual files a complaint, or the Office of the Privacy Commissioner finds an issue itself.

In both situations, an intake process takes place, and an investigation proceeds only if the complaint or issue is deemed acceptable and the organization hasn’t taken steps to resolve the issue on its own. Early resolution can also be reached through mediation between the individual and the organization, conducted by an officer from the Office of the Privacy Commissioner who issues a report of findings and recommendations.

If the recommendations aren’t followed, the case proceeds to a formal investigation and can face further enforcement in federal court, where an organization’s practices will have to change in order to comply with PIPEDA, and/or further audits and compliance agreements will be made mandatory.

In 2018, a breach reporting requirement was introduced under which any breach that poses potential harm to individuals must be reported to the authorities. Alongside this requirement, stiff fines were also introduced: any organization in violation of PIPEDA could face a fine of up to $100,000 CAD per violation.

PIPEDA also defines criminal offences. There are three specific offences:

  • Purposely destroying information after a request for access is made
  • Retaliating against an employee’s legitimate behavior in complying with PIPEDA
  • Obstructing an official investigation into a PIPEDA complaint

What is the Difference Between PIPEDA and GDPR?

PIPEDA and the General Data Protection Regulation (GDPR) are both privacy laws that protect individuals’ personal information. However, GDPR applies to all organizations within the European Union (EU), while PIPEDA only applies to for-profit organizations in Canada. Additionally, GDPR has higher fines and more stringent requirements than PIPEDA. You can read more about GDPR compliance here.

How Will the Consumer Privacy Protection Act Update PIPEDA?

If Bill C-27 is passed, then the Consumer Privacy Protection Act (CPPA), along with potentially two other privacy acts, will become law. If adopted, the CPPA will modernize PIPEDA in some of the following ways:

  • Adding requirements to determine if the purpose of data collection is appropriate
  • Updating consent requirements and adding certain exceptions to said requirements
  • Focusing on children’s privacy by deeming it sensitive and placing new requirements on the collection and disposal of sensitive information

Currently, Bill C-27 hasn’t passed into law in the Canadian parliament, but preparing your organization now by being PIPEDA compliant will put you in the best position possible to get CPPA compliant if Bill C-27 passes.

Simplify PIPEDA Compliance with Carbide

Carbide simplifies the task of adhering to Canadian privacy laws with its streamlined approach and a dedicated team of security experts. Our platform is crafted to reduce the time and effort required for compliance and alleviate the complexities of ongoing maintenance through a suite of comprehensive tools. This enables you to concentrate on your core business activities. Book a demo to learn how.