Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA): An Overview

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or Loi sur la protection des renseignements personnels et les documents électroniques, is one of the older data privacy laws. It received royal assent and several sections came into effect in 2000, with subsequent parts coming into effect in 2001 and 2009.

In recent years there have been updates and replacement bills proposed, but PIPEDA has not been fully replaced. The law was amended with the Digital Privacy Act in 2015, and Section 29 of PIPEDA requires that the Act be reviewed by Parliament every five years.

PIPEDA is a data privacy law that governs the collection, use of, and disclosure of personal information by private sector commercial organizations in Canada. There are also specific provisions in the regulation relating to electronic documents, as the Act’s name references.

One of the main goals in passing PIPEDA was to promote consumer trust in ecommerce, which was still fairly new in 2000. The law was also intended to demonstrate adequacy in data privacy and protection to the European Union, though the General Data Protection Regulation (GDPR) would not come into effect for 18 more years, and there was less international transfer of personal data in digital formats among countries then than there is today.

Organizations that must become PIPEDA compliant have to follow 10 fair information principles, which cover common requirements of many data privacy laws and provide the foundation for consumers’ privacy rights. The 10 Principles, per the Office of the Privacy Commissioner of Canada, are:

Defined as “any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

PIPEDA explicitly defines what is required for individuals’ to be valid under the law: “consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”

This is defined as including associations, partnerships, persons, and trade unions.

Defined as “information about an identifiable individual”, and includes any factual or subjective information, recorded or not, about an individual. This is a bit different than many other laws, which focus on data points that can be used, alone or combined, to identify an individual.

Examples of personal information can include:

• age
• name
• ID numbers
• income
• ethnic origin
• opinions, evaluations, comments
• social status or disciplinary actions
• employee files, credit records, loan records
• blood type or medical records,
• existence of a dispute between a consumer and a merchant
• intentions (e.g. to acquire goods or services, or change jobs)

The law also specifically defines health-related personal information, with respect to any living or deceased individual, any information concerning, derived, or collected:

• physical or mental health
• any health service provided
• donation by the individual of any body part or any bodily substance or information
• from the testing or examination of a body part or bodily substance of the individual
• in the course of providing health services
• incidental to the provision of health services

The Office of the Privacy Commissioner (OPC) was established under the Privacy Act (Section 53) to protect and promote privacy rights, PIPEDA compliance, and personal information-handling practices of the federal government’s departments and agencies.

Privacy Commissioner is an appointed position in consultation with and approval of varying government bodies and leaders. The role’s term is seven years, with the option of one additional seven-year term appointment, though the Commissioner can be removed from the position for cause at any time. The Privacy Commissioner ranks comparably with deputy department heads in government and has a similar degree of power to exercise their duties.

While PIPEDA applies to personal information handling by private sector organizations, the Privacy Act applies to the personal information handling by the Canadian federal government’s departments and agencies. It also sets out citizens’ rights regarding the government’s access to and use of their information.

PIPEDA applies to any organization that collects, uses, or discloses personal information of Canadian residents in the course of commercial activities for “operation of a federal work, undertaking or business.” It includes personal information about organizations’ employees and applicants as well as private citizens.

Federally regulated organizations conducting business in Canada are also subject to the data protection law, which also covers their employees’ personal information. These organizations include:

• airports, aircraft and airlines
• domestic and authorized foreign banks
• inter-provincial or international transportation companies
• telecommunications companies
• offshore drilling operations
• radio and television broadcasters
• organizations in the Northwest Territories, Yukon, and Nunavut

PIPEDA does not apply to Canadian federal government institutions, as they are covered by the Privacy Act. It also doesn’t apply to provincial or territorial governments or their agents. Additionally, there are other information exemptions and exempt organizations. PIPEDA may apply under some circumstances, but some of these are also covered under provincial laws:

• business contact information if collected, used, or disclosed only for purposes of communicating with the individual for purposes related to their profession or employment, including:
  • employee name and title
  • business address
  • telephone number
  • email address
• an individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. list of Christmas card recipients)
• an organization’s collection, use, or disclosure of personal information solely for journalistic, artistic or literary purposes
• not-for-profit and charity groups (as long as activities are not commercial)
• political parties and associations
• municipalities
• universities and schools
• hospitals
• exemptions under the Canada Evidence Act

PIPEDA separates out the circumstances under which personal data can be collected, used, or disclosed without individuals’ knowledge or consent. The specific circumstances are rather lengthy, but can be accessed in the regulation’s text, Division 1, Protection of Personal Information.

Broadly, information can be collected, used, or disclosed if doing so falls under the following purposes or justifications:

• reasonably within the individual’s best interests and obtaining consent is not feasible
• relates to an emergency to protect individuals from harm
• relates to law enforcement investigations or crime prevention
• collected as part of a witness statement and is required to settle an insurance claim
• provided during the course of the individual’s profession or employment and is only used for the purpose for which it was produced
• publicly available and specified by law
• made for specific purposes of disclosure and is required by law
• used for statistical study or research purposes that cannot be achieved without it, maintenance of its confidentiality is ensured, and the Privacy Commissioner is notified
• disclosed to a legal professional who represents the organization
• disclosed to comply with a legal order or government request with legal authority (e.g. for purposes of national security)
• needed to contact next of kin of an ill, injured, or deceased individual
• made with the purposes of protecting an individual from or during investigation of abuse (e.g. financial)
• for the purposes of historical records conservation

In line with the 10 Principles, PIPEDA provides Canadian residents with a number of rights relating to their personal data and the collection, use, and disclosure of it.

Right to be informed: to know why an organization collects, uses, or discloses their personal information; and to have access to the information to request corrections.

Right to responsible use: to expect an organization to collect, use, or disclose their personal information reasonably and appropriately and not use the information for any purpose other than that to which they have consented.

Right to security: to expect an organization to take appropriate security measures to protect their personal data, and to know who in an organization is responsible for protecting it.

Right to rectification: to expect the personal information that an organization has about them to be accurate, complete, and up to date; to request corrections if needed.

Right to complain: to be able to complain about an organization’s handling of their personal information if they feel their privacy rights have been violated.

Individuals need to make rights requests to organizations regarding their personal data in writing, which can be done electronically. PIPEDA requires that organizations assist individuals who request help with preparing their request. Organizations are also required to make accommodations for individuals with disabilities, and to provide the information in an alternative format for them if reasonably possible.

Organizations can require individuals to provide a reasonable amount of information to enable identity verification and means to provide access to the individual’s personal information. This information can only be used for the purpose of complying with the individual’s request.

Organizations cannot charge individuals to fulfill their requests, unless the organization has informed the individual in advance of the approximate cost to respond. In response, the individual has to advise the organization that they are not withdrawing the request once they know about the cost.

Organizations must respond to requests in a timely manner, and at most no later than 30 days from the date of receipt of the request. The period of time to respond to the request can be extended by a maximum of another 30 days if meeting the initial deadline would:

• unreasonably interfere with the organization’s activities
• consultation required to meet the request cannot be completed within the time frame
• it would take longer to be able to convert the personal information into an alternative format

The organization must also send a notice of extension to the requestor within the initial 30-day period after the request was received. This notice must include the new time limit, reasons for extension, and information about the individual’s right to complain to the Privacy Commissioner about the extension.

Organizations can explicitly refuse a request, however, if they fail to respond within the law’s time limit, it is also considered a refusal of the request. If an organization refuses a request within the time limit, they must inform the individual in writing about the refusal and include the reasons and any recourse (such as a complaint) that the individual has.

Complaint mechanisms should be easily accessible and easy to use, and individuals must lodge any complaints within six months of the refusal of the request. The Privacy Commissioner also provides resources to help individuals contact the right entity about a complaint if it has not been resolved directly with the organization.

Organizations can refuse requests for a number of reasons, including if the information is covered by attorney-client privilege, if it would reveal confidential commercial information, doing so could threaten another individual’s life or safety, etc.

Organizations can also refuse requests if giving an individual access to personal information would likely reveal personal information about a third party, unless the third party consents to providing the information to the other individual (or there is clear risk to an individual’s life, health, or security). However, if information about a third party is severable, that must be done before the organization gives the individual access to their personal information.

There are additional procedures when an individual requests information relating to disclosures to government institutions, and ways responses or refusals must be handled.

The Canadian privacy law uses something of a hybrid model of consent, requiring prior consent to collect, use, or disclose personal data in many circumstances, like the EU’s GDPR and many other global privacy laws do.

In some circumstances, however, the law allows for organizations to seek consent after personal information has been collected, but before it’s used or disclosed. For example, if an organization wanted to use data it had already collected for a new purpose, it could do so, but first would need to get new consent from individuals for any new purpose they hadn’t yet consented to.

Individuals may withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice to the organization. The organization must inform the individual about implications of the withdrawal of their consent (but cannot obstruct the individual doing so).

There are additional laws governing data privacy and protection at the provincial level, and relating to international transfer of data and commercial operations in Canada by foreign entities.

There are privacy laws covering the private sector in British Columbia, Alberta, and Québec. They are officially considered substantially similar to PIPEDA, so organizations are generally exempt from PIPEDA compliance as well for personal information collection, use, and disclosure within that province.

Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador have adopted legislation regarding the collection, use, and disclosure specifically of personal health information, that is also considered substantially similar to PIPEDA requirements.

Law 25 resulted from Bill 64 in Québec: An Act to modernize legislative provisions as regards the protection of personal information. It is a provincial privacy law, though like PIPEDA it’s extraterritorial, protecting Québec residents’ data even if companies accessing it are not based in the province. The law does not have compliance thresholds, e.g. company revenue or number of individuals’ whose data is processed in a given year, etc.

The law was inspired by the idea of privacy by design, coming into force in three stages, in September of 2022, 2023 (most of the requirements), and 2024. Law 25 levies a variety of requirements on businesses regarding access to and use of personal data, as well as the requirement of appointing a Data Protection Officer (DPO).

Law 25 is explicitly opt-in, like the GDPR, so individuals must be given notification about data collection and use and their rights before consent is obtained. It uses the principle of confidentiality by default, and so, regarding use of cookies and other tracking technologies, these cannot be activated without explicit prior individual consent.

Unlike with PIPEDA or the US state-level laws, Law 25 does allow for private right of action, so Québec residents can sue organizations for violations of the law and/or their rights, with potential damages of at least CAD 1,000 per individual. Québec’s law has stronger penalties for violations as well. Like with PIPEDA, penalties are decided by the courts, but for the most serious infractions the fines mirror those of the GDPR: 4 percent of global revenue or CAD 25 million, whichever is higher.

The law provides individuals with fairly standard rights in line with other privacy laws, though interestingly, like the GDPR, it provides right of deletion/erasure, which is not provided elsewhere in North American privacy laws. Like a number of more recent privacy laws, Law 25 also provides for data portability.

Bill C-11 was tabled as part of the Digital Charter Implementation Act, 2020, and had two component parts: the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA). It was intended to substantially modernize Canada’s privacy regulation. The bill was not passed prior to the federal election in September 2021. Work on a new bill was initiated in 2022.

All businesses with commercial operations in Canada, that handle personal data that crosses provincial or national borders, are subject to PIPEDA. This is referred to as extraterritoriality, i.e. it doesn’t matter which province or territory the organization is based in, or if that province or territory has another substantially similar privacy law.

Regarding transfers of personal data between Canada and other countries, rather than focusing on adequacy agreements between Canada and other nations or regions, like the GDPR does, PIPEDA has more of an “organization to organization” focus regarding privacy compliance and data protection, and each organization involved in international data transfer is responsible for security and privacy.

Though implementation of PIPEDA predates the GDPR by nearly 20 years, there are a notable number of similarities between the two regulations. PIPEDA is not Canada’s GDPR equivalent, but it is arguably more similar to the EU law than to the state-level privacy laws passed in the United States in recent years.

• Extraterritoriality to protect the privacy and personal information of residents of the laws’  respective regions, and requiring compliance of organizations doing business in those regions, even if the organizations aren’t based there.
• Organizations are required to enact and maintain reasonable security measures to protect data under their control.
• Similar definitions of what constitutes personal data/information.
• Similar requirements for actions and notifications in the wake of a data breach.
• Two tiers of financial penalties for regulatory violations, though the GDPR’s fines are much higher.
• Contractual agreements must be concluded between data controllers and any third parties performing data processing on their behalf. (Though the controller organization retains ultimate responsibility for legal compliance and data protection.)
• Individuals must be notified about data processing — including what data, for what purposes, and who may have access to it — and consent requirements before or at the point of data collection.
• Individuals’ consent must be obtained before most data processing, or if processing purposes change, and must have the option to change or withdraw consent at any time.
• Unlike the US privacy laws, neither PIPEDA nor the GDPR have thresholds for compliance based on company revenue, number of individuals’ whose data is processed annually, or similar considerations.

• Under the GDPR, enforcement is handled at a country level, with each EU member state having its own data protection authority. The European Commission oversees the GDPR itself and its evolution. Under PIPEDA, there’s one oversight and enforcement body, the Office of the Privacy Commissioner, which is a federal government agency that handles education, compliance assistance, investigations, enforcement, and penalties for violations.
• The GDPR allows for private right of action, but PIPEDA does not. (Law 25 in Québec does enable private right of action only for residents of that province.)
• The GDPR has legal bases, at least one of which is required for compliant data processing. PIPEDA has 10 Principles to govern data processing, e.g. obtaining consent, minimizing data collection, transparency with data subjects, etc.

• GDPR coverage is more broad, and not just for the private sector, whereas Canada has PIPEDA for corporate entities and the Privacy Act to regulate data privacy for the federal government’s departments and operations.
• The GDPR uses a “state to state” model for international data transfers, requiring adequacy agreements between the EU and other countries or regions or another legal basis for privacy compliance. PIPEDA focuses on compliance and data protection at an organizational level, and each company or other organization involved needs to ensure adequate protections and privacy for data transfers across borders.
• The GDPR provides individuals with the right to data portability (as does Québec’s Law 25), but PIPEDA does not. Unlike the GDPR, PIPEDA also does not provide right of deletion/erasure.

Like many other data privacy laws, an organization is responsible for personal data in its possession, including that which has been transferred to a third party for processing.

Organizations are required to conclude contracts or comparable mechanisms to provide reasonable protection while the data is being processed. Such agreements must make the terms and requirements of processing and data protection clear, including limitations of processing, security safeguards, and requirements for deletion or return of personal information at the end of processing.

Under some data privacy laws, like the GDPR, a Data Protection Impact Assessment (DPIA) is legally required, e.g. if the data being processed is sensitive or the processing is high risk. PIPEDA works differently, and includes Privacy Impact Assessments, introduced under the Privacy Act, but they are recommendations rather than strict legal requirements. The Office of the Privacy Commissioner provides guidelines and forms for performing a PIA.

Enforcement of PIPEDA is structured a bit differently than laws in other countries, in that there is an additional step to resolution. For example, in the United States, typically a state’s Attorney General handles investigations and penalties, in Canada the Privacy Commission does not levy penalties, but only makes recommendations that can then be acted on by the courts.

PIPEDA is administered by the Office of the Privacy Commissioner, and there is an ombudsman mode. Complaints are taken to the OPC, which is required to investigate them and produce a report. Further action can then be taken in federal court.

Investigation reports are not binding, but more like recommendations or guidelines for rectification or improvements. The Privacy Commissioner can’t explicitly order PIPEDA compliance, levy penalties, or award damages.

The Commissioner can order an audit or require people to provide information relating to complaints or investigations, either via testimony or documents. They can also require an organization to enter into a compliance agreement if there are reasonable grounds that a violation has or will occur, with the goal of rectifying or preventing a violation of rights, data breach, or other issue.

If a complainant is unsatisfied with the outcome of a complaint, they can take the matter to the Federal Court for a hearing. The Court can order an organization to correct practices (and publicize the steps it will take to do so) and award damages.

Organizations can be fined up to CAD 10,000 per violation for lower severity violations, or for obstructing the Privacy Commissioner in a complaint investigation or audit. For more severe offenses, fines can be up to CAD 100,000 per violation.

If an organization becomes aware of a data breach, under PIPEDA — specifically under the Digital Privacy Act amendment — they must complete the following actions as soon as reasonably possible:

• report the breach to the OPC
• keep a detailed record of any and all breaches involving personal data under the organization’s control
• supply the OPC with a copy of records relating to the breach (upon request)
• notify affected individuals of a breach if there is risk of harm to them (analysis of risk of harm includes the level of sensitivity of the information and probability of its misuse)
• explain to individuals any steps they should take to reduce potential harm (e.g. change passwords)
• notify other organizations or government bodies that can assist with mitigating harm from the breach

If your organization is already GDPR-compliant, then much of the work is already done to comply with Canada’s privacy law. If your organization is compliant with any US state-level privacy laws, like the California Consumer Privacy Act (CCPA), then PIPEDA is quite different and you will have more work to do to comply. We strongly recommend consulting with a data privacy expert and qualified legal counsel.

The 10 Principles provide a strong framework for privacy compliance with PIPEDA, as well as for building trust with your customers, and a foundation for consent-based marketing. It’s a good idea to do an audit of data under your organization’s control, and your data processing activities, to know what data you collect, how, for what purposes, and who has access to it. This will help with strategy to control access and use and create strong compliance and security standards.

The Office of the Privacy Commissioner also provides a wide array of resources to help organizations understand their risks and responsibilities, and to achieve and maintain compliance. Also be aware that PIPEDA requirements apply to third-party data processing as well, and to foreign companies and operations that may require international data transfers.

To learn more about PIPEDA compliance and how to protect your customers’ data and company operations, talk to one of our experts today.