Canada’s Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act, or PIPEDA for short, is Canada’s primary federal law in relation to privacy in the private sector. Originally signed into law in 2000, the PIPEDA was initially passed to foster trust in Canada’s electronic commerce infrastructure, though the legislation has since been expanded to apply to other large industries such as the broadcasting, banking, and health sectors. The purpose of the PIPEDA is to “govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

Much like the EU’s General Data Protection Regulation or GDPR, the PIPEDA grants individuals within the country of Canada the right to access personal information held by an organization, know who is held responsible for collecting this information, why this information is being collected, and to challenge any inaccurate information. Moreover, the PIPEDA was designed to ensure that Canada’s notification requirements were consistent with its various trading partners, more specifically the EU. Per a regulatory impact analysis statement published by the Canadian government in 2017, “PIPEDA is currently deemed to provide an essentially equivalent level of privacy protection to the EU, which allows for the free flow of personal information from the EU to Canadian organizations.”

What are the requirements of organizations under the PIPEDA?

The PIPEDA requires organizations to obtain an individual’s consent, whether it be expressed, implied or deemed, prior to the collection, use, or disclosure of their personal information, beyond what’s required to fulfill the explicitly specified and legitimate purposes of such data processing. To this end, the PIPEDA protects the personal information of all Canadian citizens, with personal information being defined as “information about an identifiable individual”. Under the PIPEDA, the following categories of personal information are considered to meet this definition:

  • Name, Age, ID numbers, and financial or income related information.
  • Race, nationality, or ethnic origin.
  • Marital status.
  • Blood type.
  • Medical, employment, or education history.
  • DNA information.
  • Driver’s license or social insurance number.
  • Comments, opinions, evaluations, social status, or disciplinary actions related to an individual.
  • Employee files, medical records, loan records, credit records, the existence of a dispute between a consumer and a merchant, and a Canadian citizen’s specific intentions, for example, to change jobs or acquire goods and services.

Alternatively, the following forms of personal information are not covered by the PIPEDA:

  • Personal information that is handled by Canadian federal government organizations in relation to the Privacy Act.
  • Provincial or territorial governments and their associated agents.
  • Business contact information such as an employee’s name, business address, title, email address, or telephone number that is collected, used, and disclosed for the purposes of communicating with an employee in relation to their employment or profession.
  • An organization’s collection, use, or disclosure of personal information for artistic, literary, or journalistic purposes.

What’s more, there are various provinces and industries within the country of Canada that are exempt from PIPEDA compliance, as these provinces and industries are instead forced to comply with other provincial privacy laws. These exemptions include:

  • Alberta– governed by the Personal Information Privacy Act or PIPA.
  • British Columbia– also governed by the PIPA.
  • Quebec– governed by the Act Respecting the Protection of Personal Information in the Private Sector.

Health providers within certain Canadian provinces are also required to follow other Canadian laws that override the jurisdiction of the PIPEDA in relation to healthcare data. The provinces include:

  • Ontario– governed by the Personal Health Information Protection Act.
  • New Brunswick– governed by the Personal Health Information Custodians in New Brunswick Exemption Order.
  • Newfoundland and Labrador– governed by the Personal Health Information Custodians in Newfoundland and Labrador Exemption Order.
  • Nova Scotia– governed by the Personal Health Information Act.

Additionally, there are also exemptions to the exemptions stated above, as the following types of sectors and industries must follow PIPEDA regulations, regardless of the province in which said business or company may be located:

  • Private-sector organizations that handle personal information that crosses both national and provincial borders.
  • Federally-regulated organizations, including airlines and airports, banks, international and national transportation companies, offshore drilling operations, T.V. and radio broadcasters, and telecommunications companies.

What does the PIPEDA amendment related to data breaches mean for data breach notifications rules within Canada?

As of November 1, 2018, all Canadian and international businesses that fall under the jurisdiction of the PIPEDA must determine whether the loss or access of personal data or information can potentially cause “risk of significant harm to individuals” after experiencing a data breach. Under these new amendments, organizations must engage in the following actions in order to maintain PIPEDA compliance in regards to data breaches:

  • Report to the Privacy Commissioner of Canada concerning any breaches of security safeguards involving personal information that pose a real risk of significant harm to Canadian individuals.
  • Notify all affected individuals concerning a data breach.
  • Notify any other organizations that may be able to mitigate the harm to individuals affected by a data breach.
  • Track and maintain records in relation to data breaches for at least 24 months following the date that it was determined that a data breach has occurred.

Organizations are also required to complete a PIPEDA breach report form, enabling organizations to inform individuals “as soon as feasible after it is determined that a breach of security safeguards involving a real risk of significant harm has occurred.” Under the PIPEDA, a data breach is defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.”

The Privacy Commissioner of Canada or OPC for short defines harm to mean “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” Furthermore, the OPC assesses the “risk of significant harm” to be associated with any of the following:

  • The sensitivity of the personal information that was involved in the data breach.
  • The probability that the personal information leaked in a data breach has been, is being, or will be misused.
  • Any other applicable or prescribed factors.

What are PIPEDA’s ten fair information principles?

The PIPEDA is constructed around ten so-called “fair information principles.” All private sector organizations within and operating within Canada are required to adhere to the following principles at all times.

  • Accountability– Organizations are responsible for any personal information they control. Organizations must appoint someone who is accountable for PIPEDA compliance, otherwise known as a “Privacy Officer”.
  • Identifying purposes– Organizations must identify the purposes for which they are collecting personal information, before or at the time of said collection.
  • Consent– Where appropriate, organizations are responsible for obtaining consent for the collection, use, or disclosure of personal information they obtain from Canadian citizens. PIPEDA recognizes two forms of consent. The first is express consent, also known as opt-in consent, meaning that an individual actively agrees to something. The second is implied consent, also known as opt-out consent, meaning that an individual is given the opportunity to refuse something and chooses not to.
  • Limiting Collection– Organizations must only collect the amount of personal information that is necessary for the specifically identified purposes for which they are collecting it.
  • Limiting Use, Disclosure, and Retention– Organizations may only use or share personal information for the purposes for which it was collected, unless they have consent or are legally obliged to use or share it for another purpose. Organizations must also refrain from storing personal information for longer than is necessary.
  • Accuracy– All personal information collected from consumers must be accurate, complete, and up-to-date.
  • Safeguards– Organizations must take appropriate security measures to protect the personal information of Canadian consumers.
  • Openness– Organizations must make detailed information about their personal information policies and practices in relation to privacy available to the public. Under the PIPEDA, an organization’s privacy policy must contain contact details for the person who is to be held accountable for the privacy policy (i.e. a privacy officer), details concerning how consumers can exercise their private right of action, a description of the types of personal information an organization holds, what an organization uses said information for, a copy of any other information that explains an organization’s policies, and an explanation of what personal information an organization makes available to other related organizations, such as subsidiaries or third parties.
  • Individual Access– Individual Canadian consumers have the right to access and correct their personal information.
  • Challenging Compliance– Individuals must be able to challenge the compliance of an organization with PIPEDA by the means of filing a complaint.

What are the penalties for violating the PIPEDA?

Organizations that knowingly commit violations of PIPEDA requirements in relation to proactive security safeguards, data breach reporting, or keeping data breach records may be fined up to 100,000 CAD per violation. The OPC oversees all compliance with the PIPEDA, and the law also lists three specific instances in which PIPEDA violations can result in criminal offenses:

  • The purposeful destruction of information after receiving a request to review said information.
  • Retaliatory behavior levied against employees who attempt to follow PIPEDA regulations.
  • Hampering or interfering with investigations after a PIPEDA complaint is filed.

Much like the GDPR and U.S. state laws such as the Virginia Consumer Data Protection Act, the PIPEDA was created to protect the privacy and personal information of Canadian residents. As data breaches have increased in regularity in recent years, the PIPEDA also protects Canadian residents from any harm or damages that may result from such data breaches. While Canada is currently in the process of passing a more comprehensive data privacy law, the PIPEDA is still currently the primary legal means of protecting the privacy of Canadian residents and consumers. As such, Canadian residents can have the peace of mind that their personal information is being protected at all times after it is collected, used, or disclosed via online means.