Canada’s PIPEDA, or the Personal Information Protection and Electronic Documents Act, was introduced on April 13, 2000. The driving force behind the legislation was a need to address privacy concerns arising from the increasing use of electronic commerce and the collection, use, and disclosure of personal information in Canada.
At the time, there was a patchwork of provincial and territorial privacy laws in Canada, but no overarching federal legislation governing the handling of personal information. PIPEDA was designed to fill this gap and establish a consistent and comprehensive set of privacy rules for organizations operating in Canada.
What is Canada’s PIPEDA privacy law?
Canada’s PIPEDA privacy law is a comprehensive piece of legislation that governs how personal information is collected, used, and disclosed by organizations in Canada. PIPEDA applies to organizations engaged in commercial activities in Canada, including federal works and businesses.
Under PIPEDA, Canadian privacy laws require organizations to obtain consent from individuals before collecting, using, or disclosing their personal information. The law also requires organizations to limit the collection, use, and disclosure of personal information to only what is necessary for the purposes identified. Additionally, organizations are required to implement appropriate security safeguards to protect personal information against unauthorized access, disclosure, or misuse.
PIPEDA strikes a balance between protecting individuals’ privacy rights and allowing organizations to collect and use personal information for legitimate business purposes. Individuals have the right to access and correct their personal information held by an organization. They can also file a complaint with the Privacy Commissioner of Canada if they believe that their privacy rights have been violated.
Are amendments to PIPEDA on the rise?
n November 2020, the federal government introduced Bill C-11, also known as the Digital Charter Implementation Act. If passed, this proposed legislation would modernize PIPEDA and introduce new privacy obligations for businesses, including a requirement to obtain explicit consent for the collection, use, and disclosure of sensitive personal information.
Bill C-11 would also establish a new regulatory body, the Personal Information and Data Protection Tribunal, to oversee privacy complaints and enforcement actions. Additionally, the proposed legislation would introduce significant fines for non-compliance with privacy obligations, with penalties of up to 5% of an organization’s global revenue or $25 million, whichever is greater.
While Bill C-11 has yet to be passed into law, its introduction underscores the government’s commitment to strengthening privacy protections for Canadians and keeping pace with the rapidly evolving digital landscape.
10 PIPEDA principles to know
Canada’s PIPEDA, or the Personal Information Protection and Electronic Documents Act, is based on ten privacy principles that set out the rules for the collection, use, and disclosure of personal information by organizations. These principles are:
- Accountability: Organizations are responsible for the personal information under their control and must appoint an individual to be accountable for their privacy practices.
- Identifying purposes: Organizations must clearly identify the purposes for which they are collecting personal information, and must obtain an individual’s consent before collecting, using, or disclosing their personal information.
- Consent: Organizations must obtain an individual’s consent before collecting, using, or disclosing their personal information, and the consent must be meaningful and informed.
- Limiting collection: Organizations must limit the amount and type of personal information they collect to that which is necessary for the identified purposes.
- Limiting use, disclosure, and retention: Organizations must use, disclose, and retain personal information only for the identified purposes and must take appropriate steps to protect the information.
- Accuracy: Organizations must ensure that personal information is accurate, complete, and up-to-date.
- Safeguards: Organizations must protect personal information with appropriate security safeguards, and must take steps to ensure that their employees and contractors are aware of and adhere to the organization’s privacy policies.
- Openness: Organizations must be open about their privacy policies and practices, and must make information about their policies and practices readily available to individuals.
- Individual access: Individuals have the right to access their personal information and to request that it be corrected if necessary.
- Challenging compliance: Individuals have the right to challenge an organization’s compliance with PIPEDA and to seek recourse if their privacy rights have been violated.
Consent requirements under PIPEDA
To obtain valid consent under PIPEDA, organizations must ensure that the consent is:
- Informed: Individuals must be informed about what personal information is being collected, why it is being collected, and how it will be used or disclosed.
- Meaningful: Individuals must understand the implications of providing or withholding consent, and be able to make an informed decision.
- Specific: Consent must be specific to the purpose for which the personal information is being collected, used, or disclosed.
- Voluntary: Individuals must be able to refuse or withdraw their consent without any negative consequences.
- Implied or express: Consent may be implied in certain circumstances, such as when an individual voluntarily provides personal information to an organization. However, in other cases, such as the collection of sensitive personal information, express consent must be obtained.
It is the responsibility of organizations to ensure that they obtain valid consent under PIPEDA, and to maintain appropriate records of the consent obtained. Organizations must also be prepared to respond to individuals’ requests to access or withdraw their consent, and to take appropriate steps to safeguard the personal information they collect.
The cost of non-compliance
Non-compliance with Canada’s PIPEDA, or the Personal Information Protection and Electronic Documents Act, can result in penalties and other enforcement actions. The penalties for non-compliance depend on the severity of the violation and may include:
- Compliance agreements: The Privacy Commissioner of Canada may enter into compliance agreements with organizations that have violated PIPEDA, setting out measures to be taken to bring them into compliance.
- Voluntary compliance undertakings: Organizations may voluntarily agree to undertake specific measures to address non-compliance issues.
- Recommendations: The Privacy Commissioner of Canada may make recommendations to organizations to address privacy issues, although these recommendations are not legally binding.
- Audits: The Privacy Commissioner of Canada may conduct audits of organizations to assess their compliance with PIPEDA.
- Administrative monetary penalties (AMPs): As of November 1, 2018, the Privacy Commissioner of Canada has the power to impose AMPs of up to $10,000 for non-compliance with certain PIPEDA obligations.
- Court orders: In some cases, the Privacy Commissioner of Canada may seek court orders to enforce compliance with PIPEDA.
It’s worth noting that PIPEDA does not provide for a private right of action, meaning individuals cannot sue organizations for non-compliance with PIPEDA. Instead, individuals may file complaints with the Privacy Commissioner of Canada, who has the power to investigate and take enforcement actions against organizations that violate PIPEDA.
Canada’s PIPEDA is enforced by the Office of the Privacy Commissioner of Canada. The Privacy Commissioner is an independent officer of Parliament who is responsible for overseeing compliance with PIPEDA and other federal privacy legislation.
The Privacy Commissioner has a range of powers to enforce PIPEDA, including the power to investigate complaints, conduct audits, and make recommendations to organizations. In cases where an organization is found to be in violation of PIPEDA, the Privacy Commissioner may also enter into compliance agreements, impose administrative monetary penalties, or seek court orders to enforce compliance.
Individuals who believe that their privacy rights have been violated under PIPEDA may file a complaint with the Privacy Commissioner of Canada. The Privacy Commissioner will investigate the complaint and may take enforcement actions against the organization if a violation is found.
Achieve PIPEDA Compliance with BigID
BigID is a data discovery platform for privacy, security, and governance that leverages advanced AI and machine learning to help organizations achieve PIPEDA compliance and avoid penalties for non-compliance. Here are some ways BigID can help:
- Data discovery: BigID automatically and accurately scans, identifies, and classifies personal information across multiple data sources— giving organizations greater visibility and understanding of their enterprise data.
- Consent management: BigID provides a holistic privacy management approach, empowering organizations to document individual consent for the collection, use, and disclosure of personal information, ensuring that they meet PIPEDA’s consent requirements.
- Data subject access requests: BigID can help organizations respond to requests from individuals for access to their personal information or requests for corrections, helping them meet their obligations under PIPEDA.
- Data retention and deletion: BigID can help organizations manage data retention and deletion policies to ensure that personal information is retained only as long as necessary, reducing the risk of penalties for non-compliance with PIPEDA.
- Data protection: BigID can help organizations protect personal information with appropriate security safeguards, such as DSPM and access controls, reducing the risk of data breaches and penalties for non-compliance with PIPEDA’s safeguarding requirements.