October 1, 2024
PIPEDA Enforcement
Businesses shouldn't neglect compliance with Canada's privacy law. Over the last 20+ years, PIPEDA has been regularly and actively enforced.

The Personal Information Protection and Electronic Documents Act (PIPEDA) may not get as much attention as its foreign counterparts like the GDPR or CCPA, but that doesn’t mean businesses should sleep on PIPEDA compliance. The Canadian privacy law has been in effect for over 20 years, and during that time it has been enforced on a regular basis.

Here’s a look at how PIPEDA enforcement works, along with some notable cases.

The Privacy Commissioner: PIPEDA’s Gatekeeper

All PIPEDA enforcement starts at the same place: the Office of the Privacy Commissioner (OPC). The OPC was created in 1983 solely to oversee compliance with federal governmental privacy rules, but its mandate was expanded significantly to include private businesses in 2001 when PIPEDA was enacted.

Under PIPEDA, individuals who believe their privacy rights have been violated must make a formal complaint to the OPC before taking the case to court. The OPC then investigates the claim and produces a report—theoretically, within one year—detailing its findings and its opinion as to whether the organization did or did not violate PIPEDA. 

These reports are nonbinding, as the OPC does not have the authority to impose sanctions or injunctions on its own. However, it may negotiate a resolution with the organization, which could involve entering into a voluntary compliance agreement. Once the report is complete, the complainant or the OPC itself can pursue a legal remedy in federal court.

Taking Businesses to Court

Every year, the OPC resolves hundreds of PIPEDA complaints in the early stages of the investigation process, such as by recommending changes to the organization's data practices. This is not always the case, however, and PIPEDA does grant individuals a private right of action in federal court once the OPC’s report is complete. 

The Commissioner's report is not binding on the court, however. That means the case essentially starts over and the court makes its own decision as to whether the business violated its obligations under PIPEDA. Damages awarded to individual plaintiffs can run to the tens of thousands of dollars.

Class actions are also a possibility under PIPEDA, though whether they are available remains an open question even after one such case was settled for $2.25M. The defendant in that case argued that each individual class member is required to first file a complaint with the OPC and await a report; in the end, the parties chose to settle the case before a judge had the opportunity to weigh in on the issue.

The OPC itself may also choose to take a business to court in order to obtain a judicial order against an organization. A high-profile example is the Commissioner’s long legal battle against Meta stemming from the Cambridge Analytica scandal.

Takeaways

PIPEDA enforcement remains active after over 20 years, but the process is cumbersome and cases can take years to resolve. That’s not good for individuals, but it’s not great for businesses, either. When investigations and litigation drag on, legal fees and lost productivity can take a toll.

As with other privacy laws, the best strategy is to get compliant before problems arise. That means data mapping, posting notices, managing consent, and responding to privacy requests. 

TrueVault can help your business catch up on years of privacy compliance in a matter of hours. Contact our team to learn more.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.