Canada’s Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act, or PIPEDA for short, is Canada’s primary federal privacy law for the private sector. Signed into law in 2000, the PIPEDA was initially passed to foster trust in Canada’s electronic commerce infrastructure, though the legislation has since been expanded to apply to other large industries such as the broadcasting, banking, and health sectors. The stated purpose of the PIPEDA is to “govern the collection, use, and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

Much like the EU’s General Data Protection Regulation, or GDPR, the PIPEDA grants individuals within Canada the right to access personal information held by an organization, to know who is responsible for collecting this information and why it is being collected, and to challenge any inaccurate information. Moreover, the PIPEDA was designed to ensure that Canada’s notification requirements were consistent with those of its various trading partners, most notably the EU. Per a regulatory impact analysis statement published by the Canadian government in 2017, “PIPEDA is currently deemed to provide an essentially equivalent level of privacy protection to the EU, which allows for the free flow of personal information from the EU to Canadian organizations.”

What are the requirements of organizations under the PIPEDA?

The PIPEDA requires organizations to obtain an individual’s consent, whether express, implied, or deemed, prior to the collection, use, or disclosure of their personal information beyond what is required to fulfill the explicitly specified and legitimate purposes of such data processing. To this end, the PIPEDA protects the personal information of all Canadian citizens, with personal information defined as “information about an identifiable individual”. Under the PIPEDA, the following categories of personal information are considered to meet this definition:

Conversely, the following forms of personal information are not covered by the PIPEDA:

What’s more, various provinces and industries within Canada are exempt from PIPEDA compliance, as these provinces and industries are instead required to comply with other provincial privacy laws. These exemptions include:

Health providers within certain Canadian provinces are also required to follow other Canadian laws that take precedence over the PIPEDA in relation to healthcare data. These provinces include:

Additionally, there are exemptions to the exemptions stated above: the following sectors and industries must follow PIPEDA regulations regardless of the province in which the business or company is located:

What does the PIPEDA amendment related to data breaches mean for data breach notification rules within Canada?

As of November 1, 2018, all Canadian and international businesses that fall under the jurisdiction of the PIPEDA must determine, after experiencing a data breach, whether the loss of access to personal data or information can potentially cause a “risk of significant harm to individuals”. Under these amendments, organizations must take the following actions in order to maintain PIPEDA compliance with regard to data breaches:

Organizations are also required to complete a PIPEDA breach report form, enabling organizations to inform individuals “as soon as feasible after it is determined that a breach of security safeguards involving a real risk of significant harm has occurred.” Under the PIPEDA, a breach of security safeguards is defined as “the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.”

The Office of the Privacy Commissioner of Canada, or OPC for short, defines harm to mean “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” Furthermore, the OPC assesses the “risk of significant harm” to be associated with any of the following:

What are PIPEDA’s ten fair information principles?

The PIPEDA is constructed around ten so-called “fair information principles.” All private sector organizations operating within Canada are required to adhere to the following principles at all times.

What are the penalties for violating the PIPEDA?

Organizations that knowingly violate PIPEDA requirements in relation to proactive security safeguards, data breach reporting, or keeping data breach records may be fined up to 100,000 CAD per violation. The OPC oversees compliance with the PIPEDA, and the law also lists three specific instances in which PIPEDA violations can constitute criminal offenses:

Much like the GDPR and U.S. state laws such as the Virginia Consumer Data Protection Act, the PIPEDA was created to protect the privacy and personal information of Canadian residents. As data breaches have become more frequent in recent years, the PIPEDA also protects Canadian residents from any harm or damages that may result from such breaches. While Canada is currently in the process of passing a more comprehensive data privacy law, the PIPEDA remains the primary legal means of protecting the privacy of Canadian residents and consumers. As such, Canadian residents can have the peace of mind that their personal information is protected after it is collected, used, or disclosed via online means.