19 June 2020
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's main private-sector privacy law.
Compliance with PIPEDA is essential for private sector organizations operating in Canada. Violation of PIPEDA can lead to a court action brought by individuals or by the Office of the Privacy Commissioner (OPC).
This overview of PIPEDA will give you a clear understanding of your obligations under this important law.
PIPEDA applies to "private sector organizations." Public sector organizations must comply with a different Canadian law, the Privacy Act (available here).
PIPEDA does not normally apply to nonprofits. However, there are circumstances under which the activities of nonprofits are covered by PIPEDA.
PIPEDA considers a "private sector organization" as an organization or person engaged in "commercial activity."
Here's how PIPEDA defines "commercial activity:"
Some organizations sit between the "private" and "public" sector. In such cases, the Canadian courts and the Office of the Privacy Commissioner (OPC) may decide that the organization is covered by PIPEDA.
For example, the following organizations and people were deemed to fall under PIPEDA:
This means that if a non-profit or semi-public organization collects personal information in the course of conducting commercial activity, it will need to comply with PIPEDA's rules in respect of that personal information.
Yes, much like other privacy laws, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), PIPEDA applies to companies operating in its jurisdiction regardless of where the company is based.
This is known as "extraterritorial application."
While there has been some debate about the extraterritorial application of PIPEDA, there have been several occasions recently on which the Act has been applied to foreign businesses.
The OPC states that non-Candian companies with "a real and substantial connection to Canada" must comply with PIPEDA. And in 2017, Canada's Federal Court applied PIPEDA to a Romanian company with no physical presence in Canada.
Several Canadian provinces have privacy laws that are "substantially similar" to PIPEDA. Some private-sector organizations in these provinces are exempt from PIPEDA, so long as they comply with provincial privacy law. They include
Healthcare providers in certain provinces also follow laws that override PIPEDA with respect to health data:
There are exceptions to these exemptions. Regardless of which province in which they are based, the following types of organizations must comply with PIPEDA:
Federally-regulated organizations, for example:
PIPEDA is constructed around ten "fair information principles." Private-sector organizations must adhere to these principles at all times.
Here's a brief overview of the ten principles:
PIPEDA defines personal information as "information about an identifiable individual."
The Candian authorities generally apply a broad interpretation of this definition. This means that businesses must apply PIPEDA's protections to many different types of data.
Here are some examples of personal information from the OPC:
The OPC also considers that the following types of data can be "personal information:"
Under certain circumstances, you will need to obtain the consent of an individual before you can collect, use, or share their personal information. Since the GDPR's stricter consent requirements, what counts as valid consent has changed around the world.
Here's the definition of "valid consent," at Section 6.1 of PIPEDA:
Under PIPEDA, it's particularly important to provide consumers with clear information about what they are consenting to.
PIPEDA recognizes two forms of consent:
According to the OPC, you must obtain express consent when:
The personal information is sensitive.
Your intended use of the personal information might fall outside of individuals' reasonable expectations.
When there is a "meaningful residual risk of significant harm."
You may be able to rely on implied consent in situations that don't meet this threshold.
Consent in Canadian privacy law is also governed by a separate law called Canada's Anti-Spam Legislation (CASL).
It's important to get to know this law if you plan on engaging in direct marketing via electronic means (such as email).
CASL allows businesses to send direct marketing emails if they have an individual's implied consent. There are three circumstances in which implied consent arises.
You have an "active business relationship" with the individual.
You have an "active non-business relationship" with the individual. This applies to nonprofits such as clubs and charities.
The individual's email address is available in the public domain or has been shared with you.
Here's an example from Ocean Elements that appears to meet the standard for implied consent:
You must let individuals opt out of direct marketing once you have their implied consent, for example via an "unsubscribe" link.
PIPEDA emphasizes that you must ensure individuals understand what they are consenting to.
The OPC provides seven principles that businesses should apply when obtaining consent. These are relevant whether you're collecting consent via an "opt in" or "opt out" mechanism.
Emphasize key elements. When requesting consent, provide clear information about:
Be innovative and creative. Use technological solutions that make it easier to accept, reject, or withdraw consent such as:
Here's the list as it appears in PIPEDA, at Section 4.8.2:
This is quite a short list compared to many other privacy laws.
Compared to other privacy laws such as the GDPR and the California Consumer Privacy Act (CCPA), PIPEDA's personal information rights are quite limited.
This part of PIPEDA is likely to be expanded in the future. For more information, see our article Canada's New Digital Charter and Changes to PIPEDA.
PIPEDA provides individuals with the right to access the personal information you hold about them.
An access request must be made in writing. Upon receiving a request under the right to access, you must be prepared to:
You must fulfill the request:
As soon as possible, within 30 calendar days at the latest. An extension of an additional 30 calendar is available in exceptional circumstances, such as when:
Under certain circumstances, you may be exempt (or prohibited) from fulfilling an access request.
There are six main exemptions to the right of access. You may not be required or permitted to provide the personal information if to do so would:
Or, if the personal information requested was:
Here are the exemptions in full:
Item (c.1) above refers to paragraph 7(1)(b). Here's that paragraph in full:
If you refuse an access request, you must:
There is one further partial exemption to the right of access. Sometimes a data set will contain multiple individuals' personal information. If providing the personal information would expose another individual's personal information, you should either:
If an individual can demonstrate that the personal information you hold on them is inaccurate, they can request that you correct it or delete it.
If you agree to correct or delete an individual's personal information, you may need to notify any third parties with whom you have shared the personal information.
Private-sector organizations must understand their obligations under PIPEDA to ensure they avoid legal and reputational consequences of non-compliance.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.