Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA): Top Things to Know

Estimated Reading Time: 11 minutes
September 9, 2024

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) incorporates, and makes mandatory, the provisions of the Canadian Standards Association’s Model Code for the Protection of Personal Information, developed in 1995; the Act received royal assent on April 13, 2000. It was intended to promote consumer trust in e-commerce and to reassure the European Union (EU) that Canadian privacy law was adequate to protect the personal information of EU citizens, so that cross-border data flows would continue.

The implementation of PIPEDA occurred in three stages:

  1. In 2001, the law applied to federally regulated industries including airlines, banking, and broadcasting. 
  2. In 2002, the law was expanded to include the health sector. 
  3. In 2004, the law was applied to any organization that collected personal information in the course of commercial activity.

PIPEDA is not the only privacy law in Canada. Alberta, British Columbia, and Quebec have private-sector privacy laws that have been declared “substantially similar” to PIPEDA; organizations in those provinces are exempt from PIPEDA for the collection, use, and disclosure of personal information that takes place wholly within the province. PIPEDA continues to apply to federally regulated organizations and to personal information that crosses provincial or national borders in the course of commercial activity.

The Legislation at a Glance

  • Personal information is defined as information about an identifiable individual; it does not include the name, title, business address, or business telephone number of an employee of an organization
  • Consent is required for the collection of personal information
  • Collection of personal information is limited to reasonable purposes
  • Limits access to, use, and disclosure of personal information
  • Stored personal information must be accurate and complete
  • Designates the role of the Privacy Officer
  • Requires documented policies and procedures for breaches of privacy
  • Introduced measures for resolution of complaints

Seven Rights for Individuals

  • The right to know why an organization collects, uses, or discloses their personal information
  • The right to expect an organization to collect, use, or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented
  • The right to know who in the organization is responsible for protecting their personal information
  • The right to expect an organization to protect their personal information by taking appropriate security measures
  • The right to expect the personal information an organization holds about them to be accurate, complete, and up-to-date
  • The right to obtain access to their personal information and ask for corrections if necessary
  • The right to complain about how an organization handles their personal information if they feel their privacy rights have not been respected

Duties of Organizations

PIPEDA also outlines specific duties that organizations must comply with, including:

  • Obtain consent when they collect, use, or disclose an individual’s personal information
  • Supply an individual with a product or service even if they refuse consent for the collection, use, or disclosure of their personal information, unless that information is essential to the provision of the product or service
  • Collect information by fair and lawful means
  • Have personal information policies that are clear, understandable, and readily available

10 Conditions for Lawful Data Processing

PIPEDA sets out 10 Fair Information Principles, described as the “ground rules” for processing data in Canada:

  • Accountability: Organizations are responsible for the personal information under their control. They should designate an individual accountable for compliance, develop a privacy management program and privacy policies that are reviewed at regular intervals to ensure ongoing compliance, and train staff to understand how the organization’s privacy requirements affect their role. 
  • Identifying purposes: The purposes for which personal information is collected must be identified and documented before or at the time of collection, and individuals must be informed of those purposes at that time. If the organization later wants to use the information for a new purpose, it must identify that purpose and obtain fresh consent. 
  • Consent: Organizations must obtain “meaningful consent” to collect, use, or disclose an individual’s personal information; this means individuals must be informed of what they are consenting to, who the personal information is being shared with, and any potential risks. 
  • Limiting collection: The collection of personal information must be limited to legitimate purposes and must be collected in a fair and lawful manner. 
  • Limiting use, disclosure, and retention: Personal information must only be used or disclosed for the purposes for which it was originally collected and kept only as long as required to fulfill those purposes. 
  • Accuracy: Organizations must endeavor to keep personal information accurate, complete, and up-to-date. 
  • Safeguards: Personal information must be protected from loss, theft, and unauthorized access. 
  • Openness: Data-handling policies and practices should be easy to access, easy to understand, and available in multiple formats. They should explain how personal information is used or disclosed, who within the organization is responsible for privacy, and how individuals can make a complaint. 
  • Individual access: On request, organizations must inform individuals of the existence, use, and disclosure of their personal information and give them access to it, along with an account of the purposes for which it has been used and of any third parties to which it has been disclosed. 
  • Challenging compliance: Individuals must be able to challenge an organization’s compliance with these principles. Organizations must document every complaint, inform the complainant of the outcome, and describe the steps taken to rectify any issue found. 

A Few Words on Consent

While consent should generally be explicit, it can be implied in narrower, well-defined circumstances. Organizations need to take into account the sensitivity of the information and the reasonable expectations of the individual, both of which depend on context. Organizations must generally obtain explicit consent when:

  • the information being collected, used, or disclosed is sensitive;
  • the collection, use, or disclosure is outside the reasonable expectations of the individual; and/or,
  • the collection, use, or disclosure creates a meaningful residual risk of significant harm.

However, there are a number of exceptions where information can be collected, used, and disclosed without the consent of the individual. Examples include reasons of national security, international affairs, and emergencies. 

The Act also permits disclosure without the individual’s knowledge or consent to a government institution that has identified its lawful authority and requested the information for purposes such as national security, the conduct of international affairs, or the enforcement of a federal, provincial, or foreign law. 

There are also exceptions to the general rule that an individual shall be given access to his or her personal information. Access may be refused, for example, where it would likely reveal personal information about a third party, where the information cannot be disclosed for certain legal, security, or commercial proprietary reasons, or where the information is subject to solicitor-client privilege.

Cross-Border Data Transfers

PIPEDA contains no rules prohibiting or restricting cross-border data transfers. Instead, the accountability principle applies: the organization that transfers personal information to a third party for processing remains responsible for it and is expected to use contractual or other means to ensure a comparable level of protection while the information is in the third party’s hands. The Federal Privacy Commissioner has also issued guidelines stating that notice of such transfers must be given to affected individuals. These notices should tell individuals that their personal information may be transferred out of the country for processing and that, while there, it may be accessed by the courts, law enforcement, and national security authorities of the recipient country. As noted earlier, PIPEDA is not the only privacy law in Canada; provincial privacy laws deemed “substantially similar” to PIPEDA come into play, with exemptions applying where they overlap with PIPEDA. For cross-border data transfers:  

  • The Quebec Private Sector Privacy Act contains a GDPR-like requirement: before personal information is communicated outside Quebec, the organization must assess whether the information will receive adequate protection in the recipient jurisdiction, taking into account the legal framework that applies there. No other Canadian privacy legislation contains such a rule.  
  • In British Columbia and Nova Scotia, the public sector access and privacy laws set conditions for government institutions and Crown agents, as well as their service providers, with respect to transferring personal information outside Canada.  
  • The Alberta Personal Information Protection Act (PIPA) is currently the only private-sector privacy law of general application that contains statutory requirements for transferring personal information outside Canada. Under PIPA, an organization that uses a service provider outside Canada to collect, use, disclose, or store personal information (i.e. outsourcing) must notify individuals of its policies and practices for such transfers and provide the contact details of a representative who can answer questions about them.  

Enforcement Against Non-Compliance Is Not Straightforward

PIPEDA primarily emphasizes guidance and corrective measures through investigations and recommendations. It does not create an automatic right to sue for violations of the law’s obligations. Instead, PIPEDA follows an ombudsman model in which complaints are taken to the Office of the Privacy Commissioner of Canada. The Commissioner is required to investigate the complaint and to produce a report at its conclusion. The report is not binding on the parties; its findings are recommendations. The Commissioner has no power to order compliance, award damages, or levy penalties, and the organization complained about is not obliged to follow the recommendations (although, since 2015, the Commissioner may enter into voluntary compliance agreements with organizations). 

PIPEDA does give the complainant the right, after receiving the Commissioner’s report, to apply to the Federal Court of Canada for a hearing on the subject matter of the complaint. The court may order the organization to correct its practices, to publicize the steps it will take to correct them, and to award damages, including for humiliation suffered; the Act sets no statutory cap on those damages. The only monetary penalties in PIPEDA itself are offence fines of up to CAD100k (€67k / $75k / ¥530k), which apply to knowingly failing to report or record a breach, obstructing a Commissioner investigation, or retaliating against a whistleblower.

Examples of Notable Enforcement

  • AIQ, a British Columbia company, failed to meet its obligations under Canadian privacy laws when it used and disclosed the personal information of millions of voters in British Columbia, the United States, and the United Kingdom. It was recommended that AIQ take reasonable measures to ensure that any third-party consent it relies on for its collection, use, or disclosure of personal information on behalf of its clients is adequate under PIPEDA.
  • Cadillac Fairview, one of North America’s largest commercial real estate companies, embedded cameras inside their digital information kiosks at 12 shopping malls across Canada and used facial recognition technology without their customers’ knowledge or consent. In response to the investigation, the company removed the cameras from its digital directory kiosks and deleted all information associated with the video analytics technology that is not required for potential litigation purposes, and confirmed it will not retain or use such data for any other purpose.

Compared to GDPR

Similarities:

  • Both PIPEDA and GDPR emphasize the importance of consent, transparency, and individual control over personal data.
  • They both require organizations to implement appropriate safeguards to protect personal information.
  • Both laws give individuals the right to access and correct their personal data. GDPR adds an explicit right to erasure; PIPEDA has no equivalent right, but individuals may withdraw consent, and organizations may retain personal information only as long as needed for the identified purposes.

Differences:

  • PIPEDA applies to private-sector organizations in Canada that engage in commercial activities, while GDPR applies to any organization that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of where the organization is located.
  • PIPEDA’s consent requirements are less stringent than GDPR’s: PIPEDA accepts implied consent for non-sensitive information that is used within the individual’s reasonable expectations, whereas GDPR requires consent to be freely given, specific, informed, and unambiguous (and explicit for special categories of data). GDPR also recognizes other lawful bases for processing, such as contract and legitimate interests, which PIPEDA does not. 
  • GDPR requires companies to report serious data breaches to the supervisory authority within 72 hours, while PIPEDA requires reporting to the Commissioner, and notification of affected individuals, “as soon as feasible” once the organization determines that a breach poses a real risk of significant harm, without a fixed deadline.
  • Under GDPR, administrative fines of up to €20m (CAD30m / $22m / ¥159m) or 4% of annual worldwide turnover, whichever is higher, can be imposed, whereas PIPEDA provides no administrative fines; its offence fines are capped at CAD100k (€67k / $75k / ¥530k) and apply only to specific conduct such as failing to report a breach.

What’s Next for Privacy Law in Canada

There have been several attempts to reform PIPEDA in recent years. After Bill C-11, the Digital Charter Implementation Act, 2020, died on the Order Paper when Parliament was dissolved in 2021, a new reform was introduced in June 2022 as Bill C-27, the Digital Charter Implementation Act, 2022. The bill is divided into three parts, each enacting a new act: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. If passed, the CPPA would become Canada’s main private-sector privacy regime, replacing PIPEDA, and the new Tribunal would be able to impose administrative monetary penalties that PIPEDA lacks. It remains to be seen whether this latest attempt at reform will make it into law. If you’re not sure where to start in creating your privacy strategy, we’re here to talk.


Author

  • Ash Lindley

    From a misguided beginning in media planning some 18 years or so ago, Ash Lindley has worked across much of digital including SEO, digital analytics, and cloud architecture everywhere from an upstart digital agency to unwieldy full-service media agency environments, and a stint client-side for curiosity’s sake. As Strategy Lead, Ash is primarily focused on Wardley Mapping at InfoTrust, along with anything and everything privacy related in his spare time.

Last Updated: September 9, 2024
