PIPEDA: Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private-sector data privacy law. It’s one of several Canadian privacy laws that impose restrictions on how organizations collect and use private information.

However, unlike counterparts in other regions — like the General Data Protection Regulation (GDPR) in Europe — PIPEDA has a relatively limited scope. PIPEDA compliance is an issue for businesses when they handle the information of most, but not all, Canadians, and only when they engage in certain activities.

In November 2020, the Canadian government introduced a bill that would substantially overhaul PIPEDA and replace it with new legislation. However, that bill has yet to receive Royal Assent. Since the government called an election for September 2021, all bills not passed (including the one that would update this piece of privacy law) died on the order paper. As a result, PIPEDA hasn’t yet been revised or replaced, so Canadians are left with the old legislation.

Read on to learn what the PIPEDA Act is and how your business can meet its regulations.

PIPEDA: Preliminary Notes

Private-sector organizations need to comply with PIPEDA if they collect or use personal information when carrying out commercial activities.

Let’s break that down into the two essential components:

• Private sector organization: An association, corporation, partnership, or trade union that is privately owned rather than government-controlled
• Commercial activities: Any transaction or act that is of commercial character, such as selling, buying, or trading

However, non-profits can fall under the scope of PIPEDA. Holding non-profit status is not an automatic pass to ignore PIPEDA if an organization meets certain criteria. For example, a non-profit who leases, barters, or sells its membership list is engaged in commercial activity, which means it has to comply with PIPEDA.

Many people immediately think of online data collection, such as e-commerce websites gathering personal information on customers and website visitors. Because of this inclination, PIPEDA may be misconstrued as a law that only covers virtual information or digital data. This is not the case. PIPEDA is an older law whose implementation started in 2001. It was therefore never meant to only apply to the digital space.

Since PIPEDA is not restricted to online enterprises, all businesses that might fall under its jurisdiction should understand its implications. PIPEDA applies in such circumstances as the employment relationship when the employer is a private sector entity covered by PIPEDA. The law also covers offline entities that collect and hold private information about people, including clients. In other words, the paper filing system in the back office of a company that falls under PIPEDA is also subject to its provisions.

Table of Contents

1. What Is PIPEDA?
2. PIPEDA Compliance Requirements
3. PIPEDA Compliance Examples
4. PIPEDA Breaches
5. Comparing PIPEDA and GDPR
6. Comply With PIPEDA Now

What Is PIPEDA?

PIPEDA, Canada’s national private-sector data privacy law, is enforced by the Office of the Privacy Commissioner (OPC). The OPC enforces both PIPEDA and the Privacy Act, which are parallel laws in Canada that protect the rights of citizens. While PIPEDA covers the private sector, the Privacy Act applies to activities of the federal government of Canada.

Notably, the OPC cannot issues fines under PIPEDA. It is a “violation” under the Act to knowingly contravene PIPEDA’s provisions. The violation can result in a fine of up to $100,000 CAD ($79,815 USD), but this is the result of federal prosecution. The OPC can merely recommend prosecution proceedings to the federal government.

However, the OPC does regularly conduct investigations in response to complaints under PIPEDA. It then issues recommendations as part of its investigative findings.

PIPEDA aims to protect privacy rights by mandating organizations to have a Data Privacy Officer on staff who is responsible for PIPEDA compliance. Organizations must collect the least amount of information necessary to complete a specific task. If they ask for additional information, users must have the option to opt out.

What Is Personal Information Under PIPEDA?

Under PIPEDA, personal information refers to any factual or subjective information about an identifiable individual.

Examples of personal information under PIPEDA include:

Personal information under PIPEDA does not include personal information handled by federal government organizations listed under the Privacy Act, or business contact information used for direct communications.

Notably, personal information under PIPEDA includes information not just directly related to the subject, but about the subject. That’s where opinions, evaluations, and disciplinary actions come into play. At a federal, private workplace where employee evaluations are regularly conducted, a manager’s opinion about a specific team member is that team member’s personal information — is not exempt from PIPEDA on the grounds that it belongs to the company or to the person who holds the belief.

Whom Does PIPEDA Apply to?

PIPEDA applies to private-sector organizations across Canada that collect, use, or share personal information when conducting commercial activities.

Federally-regulated organizations must also comply with PIPEDA, including:

• Airlines and airports
• Banks
• Telecommunications companies
• Inter-provincial and international transportation companies

Who Does PIPEDA Not Apply to?

PIPEDA does not apply to non-profit organizations, charity groups, and political parties, unless they engage in commercial activities that aren’t part of their core operations.

Organizations in Alberta, British Columbia, and Quebec are also exempt from PIPEDA, as they’re subject to comply with provincial private-sector privacy laws similar to PIPEDA.

For example, the Personal Information Protection Act (PIPA) is applicable to businesses in British Columbia and Alberta in place of PIPEDA.

However, Canadian organizations that transfer data across provincial and national borders are subject to comply with PIPEDA, regardless of where they operate from and their province’s applicable privacy laws.

It’s also key to note that although provincial regulation may be substantially similar to PIPEDA, there are many differences. Organizations operating in Alberta and British Columbia specifically should look closely at the laws to understand how they may apply. Understanding who is exempt from PIPEDA, Canada’s federal privacy law, does not automatically create an understanding of who is exempt from the provincial privacy laws.

For example, the definition of “organization,” and therefore to whom the Act applies, is a bit different in every jurisdiction. In British Columbia, a trust and a non-profit organization are both specifically covered by the law. Professional regulatory organizations fall within the scope of the Alberta law. In British Columbia, these professional organizations are excluded, yet included under a different British Columbia privacy law: the province’s Freedom of Information and Protection of Privacy Act.

The upshot: Know the law in your jurisdiction and double- and triple-check whether you fall within its range.

PIPEDA Compliance Requirements

To comply with PIPEDA, your organization must follow PIPEDA’s 10 fair information principles, which outline the standards for the collection, use, and disclosure of personal information, as well as users’ rights. These are the pillars of PIPEDA, otherwise known as the basic ideas upon which the legislation is based.

Here are the 10 PIPEDA fair information principles:

1. Accountability

Organizations are responsible for the personal information they store, and must appoint someone to ensure the organization’s compliance with the 10 principles. Accountability is an important principle. Courts have ruled that organizations may not say that, although they violated PIPEDA, they met industry standards.

2. Identifying Purposes

Organizations must state the purposes for data collection before or at the time of data collection. The OPC notes that being able to identify the reason for data collection decreases the chances users will be uncertain or unwilling to share that information.

3. Consent

Organizations must obtain implicit or explicit “meaningful consent” in order to collect, use, and share users’ personal information.

Organizations can implement either opt-in or opt-out measures to obtain consent depending on the sensitivity of the personal information collected.

4. Limiting Collection

Organizations must only collect the necessary amount of information for processing purposes. This imposes an even bigger task for businesses that do engage in digital commerce, as it has become increasingly easy (and profitable) to gather more data than is necessary. PIPEDA, like most major pieces of privacy legislation, urges businesses to make privacy the first principle before rolling out a data collection scheme.

5. Limiting Use, Disclosure, and Retention

Organizations must use personal information only for stated purposes, unless affected users give additional consent.

6. Accuracy

Organizations must keep personal information accurate, complete, and up-to-date.

7. Safeguards

Organizations must implement security measures to protect personal data.

8. Openness

Organizations must be transparent about their data handling practices to the public.

You can apply the openness principle by including a privacy policy on your site. Customize a privacy policy template to describe your organization’s data handling practices to comply with the PIPEDA openness requirement.

9. Individual Access

Organizations must honor users’ rights in accessing, reviewing, and correcting personal information. There’s an important technical note on this point from the OPC: information can include video or audio, and when organizations comply with an access request from an individual, they must simultaneously protect the privacy of any third-parties who may also be affected by this disclosure.

10. Challenging Compliance

Individuals have the right to challenge an organization’s compliance with the 10 principles. Inquiries should be addressed to the person responsible for the organization’s compliance with PIPEDA, who is often their chief privacy officer.

PIPEDA Compliance Examples

Let’s take a look at some examples of PIPEDA-compliant websites to see how they address the above requirements.

The Ontario Psychological Association’s PIPEDA page details how the organization follows the 10 fair information principles in their data collecting and processing practices.

You can follow this example’s approach by listing the 10 fair information principles and explaining how your organization applies these principles when collecting and using personal information.

As another example, insurance software company Indio’s PIPEDA page goes over what information is collected, how information is used, and how it’s shared.

It also explains how cross-border data transfers work, how users can access or request to erase their data, and how they can file reports for PIPEDA violations.

While this PIPEDA page doesn’t explicitly refer to the 10 fair information principles, it addresses users’ rights based on the fair information principles, such as consent, access, and challenging compliance.

You can follow this example by using questions as headings for readers’ convenience, as long as you cover the required information under PIPEDA.

To demonstrate that your organization is meeting PIPEDA’s requirements, dedicate a separate webpage or a section in your privacy policy to PIPEDA compliance.

PIPEDA Breaches

According to PIPEDA, a data breach refers to the loss of, unauthorized access to, or unauthorized disclosure of personal information.

Whenever there’s a small or large data breach that poses a “real risk of significant harm” to individuals, organizations need to report it to the Office of the Privacy Commissioner (OPC) of Canada by sending a PIPEDA breach report form.

Examples of significant harm include:

• Physical harm
• Reputational damage
• Financial loss
• Employment loss

Additionally, organizations must notify affected individuals about the breach as soon as possible, and keep records of all data breaches for two years.

Not following proper data breach notification procedures counts as a PIPEDA violation.

What About Daily PIPEDA Compliance?

Even in the absence of a breach, people whose rights are affected by PIPEDA can file complaints with the OPC. These can take many forms, including allegations a company isn’t doing enough to safeguard individual privacy in the course of its commercial activities. The result may be an OPC investigation and recommendations that the private enterprise take specific steps to comply with PIPEDA.

One recent example is the OPC’s investigation into CoreFour Incorporated, a learning management system adopted by the school board of the children of the complainant. CoreFour collects personal information of hundreds of thousands of Canadian school children, much of it sensitive. In a March 2021 investigation report, OPC found CoreFour did not meet its PIPEDA obligations because it lacked a robust security framework and lacked a privacy management framework. The OPC recommended that the business reform its practices, and the company agreed to do so.

Comparing PIPEDA and GDPR

Canada’s PIPEDA and Europe’s General Data Protection Regulation (GDPR) are comparable laws, as they both govern data privacy and give users more control over their data. However, there are some key differences between the two:

• Applicability: PIPEDA applies to many private-sector organizations processing personal data for commercial purposes, whereas GDPR applies to any business that collects and uses personal data of European Economic Area (EEA) residents.
• Jurisdiction: The GDPR applies to all EEA businesses, as well as non-EEA businesses that serve or monitor the behavior of EEA residents. PIPEDA doesn’t apply in every Canadian province, and only applies to foreign organizations that have a “real and substantial connection to Canada,” states the OPC.
• Consent: The GDPR requires active consent from users for data collection and processing, whereas PIPEDA allows either implied or explicit consent depending on the sensitivity of the data collected.

‌While the two privacy laws differ in scope and compliance requirements, they both emphasize accountability and transparency.

Whether your business operates in Europe or Canada, you need to follow the applicable privacy law requirements to avoid legal and financial penalties. As there is a growing movement as well to revise PIPEDA, it is essential to know the law as it currently stands, so you can be ready for any new changes that may affect your commercial activities in Canada.

Comply With PIPEDA Now

So far you’ve learned what PIPEDA is, who it applies to, and how to comply. Let’s go over the main points:

To better understand PIPEDA’s compliance requirements, read the PIPEDA legislation or head to the OPC website to check out various resources related to PIPEDA.

To lawfully operate your organization in Canada, make sure that your website meets PIPEDA’s requirements.