August 13, 2024
What Is PIPEDA? Understanding Canada’s Privacy Law
Canada's comprehensive privacy law has been on the books and regularly enforced for over 20 years. Learn more about its requirements for businesses.

With the recent proliferation of data privacy laws around the globe, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) often gets overlooked. This is perhaps partly due to the fact that PIPEDA is not a new law; it has been on the books and regularly enforced for over 20 years. 

As is the case with many other privacy laws, PIPEDA can apply to organizations around the world, meaning it should at least be on the radar of businesses that process the personal information of Canadian residents.

Here is a brief introduction to PIPEDA and what it takes to comply with Canada’s privacy law.

PIPEDA in a Nutshell

PIPEDA was passed into law in 2000 and came into force in stages beginning in 2001, largely to bring Canada in line with Europe’s Data Protection Directive (the predecessor to the GDPR). It is a wide-ranging law that is well summed up by the 10 “Fair Information Principles” set out in its Schedule 1:

  1. Accountability - Organizations are responsible for the personal information under their control.
  2. Identifying Purposes - Purposes for processing personal information must be identified at or before the point of collection.
  3. Consent - Organizations must have an individual’s consent before collecting, using, or disclosing their personal information.
  4. Limiting Collection - Collection of personal information should be minimized to what is necessary for the identified purposes.
  5. Limiting Use, Disclosure, and Retention - Personal information can only be used or disclosed for the identified purposes, unless an individual provides their consent. The data should only be kept as long as is necessary.
  6. Accuracy - Personal information should be as accurate, complete, and up-to-date as possible.
  7. Safeguards - Personal information should be protected by security measures that are appropriate to the sensitivity of the data.
  8. Openness - Organizations must make detailed information about their privacy policies and practices available to the public.
  9. Individual Access - Individuals must be informed of the existence, use, and disclosure of their personal information, and be given access to that information. They may also challenge the accuracy and completeness of the data.
  10. Challenging Compliance - An individual can challenge an organization’s compliance with these principles.

Who Does PIPEDA Apply To?

PIPEDA applies generally to any organization processing the personal information of Canadian individuals “in the course of commercial activities.” 

That last part means that it mostly applies only to for-profit businesses. However, it’s important to note that PIPEDA can apply to nonprofits if some of their activities are of a commercial character. The law’s definition of “commercial activity” specifically calls out the “selling, bartering or leasing of donor, membership, or other fundraising lists.”

Can PIPEDA apply to foreign businesses? Yes, though the business must have what the Office of the Privacy Commissioner (OPC) and the Federal Court call a “real and substantial connection to Canada.” While this is a somewhat squishy standard, so too is the extraterritorial scope of the GDPR; the analysis for the applicability of the two laws is likely similar.

For example, if an eCommerce business is based in the United States, it should be considering issues such as:  Does it have a significant number of customers in Canada? Does it display prices in Canadian dollars? Does it specifically make customers aware that it offers shipping to Canada? In the end, there is no black-and-white answer, and businesses (or regulators) must make a judgment call.

PIPEDA Privacy Notices

As with other data privacy laws, a core requirement of PIPEDA compliance is the posting of a privacy notice. This falls under the “Openness” principle, and is meant to give individuals concrete details about how a business is handling their personal information.

Required information includes:

  • A description of what personal information your business collects, and for what purposes.
  • A description of what personal information your business discloses to third parties, and why it does so.
  • An explanation of the individual’s privacy rights.
  • An easy mechanism for submitting privacy requests and complaints.
  • The name (or title) and contact information of the person within your organization who is accountable for its privacy compliance and to whom privacy requests can be sent.
  • A notice that data may be transferred outside of Canada (if applicable) and may be accessed under the laws of the foreign country.

Fulfilling these requirements will depend on having an accurate understanding of how your business collects, uses, and discloses personal information.

Consent

Consent plays a major role in the PIPEDA framework: subject to a limited set of statutory exceptions, all collection, use, and disclosure of personal information requires the individual’s consent. This is a significant departure from privacy laws such as the GDPR, which offer several alternative legal bases for processing.

However, consent under PIPEDA is very different from consent under privacy laws such as the GDPR or the California Consumer Privacy Act. When those other laws mention consent, they mean express consent: the person must take some affirmative step, such as checking a box or clicking “I accept,” to indicate their consent. This is also called “opt-in consent.”

Under PIPEDA, consent may be either express or implied.

What is implied consent? When the consumer has been informed of the organization’s data practices, typically through the privacy policy or other timely notice, their continued use of the organization’s services is interpreted to mean that they have impliedly consented to those practices. Another term for this is “opt-out consent.” For non-sensitive personal information used in ways the individual would reasonably expect, implied consent is generally considered valid under PIPEDA.

There are some circumstances, however, in which consent must be expressly given. According to the OPC, express consent is required when:

  • The personal information involved is sensitive,
  • The collection, use, or disclosure is outside of the reasonable expectations of the individual, or
  • The collection, use, or disclosure creates a meaningful residual risk of significant harm. (“Significant harm” can mean financial loss, identity theft, damage to reputation, humiliation, etc.)

The OPC has also stated specifically that businesses may process personal information for behavioral advertising on an opt-out basis, provided a few conditions are met:

  • Individuals are made aware of the practice and the parties involved.
  • Individuals may opt out of behavioral advertising.
  • The opt-out takes effect immediately and is persistent.
  • The data is limited to non-sensitive personal information and is destroyed or de-identified as soon as possible.

PIPEDA and Employee Data

PIPEDA typically does not apply to personal information collected and used in an employment context. There is an exception to this rule for organizations classified as a “federal work, undertaking, or business.” These are organizations operating in federally regulated industries such as airlines, broadcasting, telecommunications, and banking. Note that employee information outside that federal sphere may still be covered by provincial private-sector privacy legislation (Alberta, British Columbia, and Quebec all have such laws).

Privacy Rights Under PIPEDA

Determining the privacy rights of individuals under PIPEDA can be a little tricky. While the text of the statute does clearly lay out some rights, the OPC has also interpreted the law in a way that implies the existence of other rights, especially in relation to the right to withdraw consent.

Here’s a rundown on PIPEDA privacy rights:

  • Right to Access - Individuals have the right to be informed of the existence, use, and disclosure of their personal information, and to be given access to that information.
  • Right to Correct - Individuals can challenge the accuracy and completeness of their personal information, and request that it be amended as appropriate.
  • Right to Withdraw Consent - Individuals can withdraw their consent to the processing of their personal information at any time, subject to legal or contractual restrictions and reasonable notice; in that event, the processing should cease. This creates some ancillary privacy rights as a result.
    • Right to Delete - While PIPEDA does not have an explicit right to delete, individuals can withdraw consent, and organizations should not retain personal information that is no longer necessary. The OPC has interpreted this as implying a right to delete, at least in some circumstances. The exact contours of this right, such as when an organization may still keep data despite a request to delete, are a bit murky.
    • Right to Opt-Out - As discussed above, online behavioral advertising is allowed on an opt-out basis under PIPEDA. Of course, this means that organizations using behavioral advertising must therefore offer a way to opt out.
  • Right to Challenge Compliance - Individuals can challenge an organization’s PIPEDA compliance, and the organization must have procedures in place to receive and respond to those challenges. Organizations must investigate all of these challenges and take action if justified.

In general, organizations must respond to access requests within 30 days. This period may be extended by up to a further 30 days where meeting the deadline would unreasonably interfere with the organization’s activities or where consultations are needed, provided the individual is notified of the extension before the original 30 days have passed. Opt-outs, on the other hand, should be processed immediately or as soon as possible.

Enforcement

PIPEDA is primarily enforced by the Office of the Privacy Commissioner, albeit in its role as an ombudsman. That means the OPC is tasked with investigating privacy complaints and attempting to resolve violations, but it does not have the authority to issue binding orders or levy fines. It can, however, enter into compliance agreements with organizations and, with the complainant’s consent, apply to the Federal Court itself.

For example, if an individual files a complaint with the OPC, the OPC will investigate the complaint and produce a report on its findings. (It may also attempt to mediate a resolution.) After receiving the report, the complaining individual can apply to the Federal Court for a hearing, and the Court may order the organization to correct its practices, publish a notice of the corrective action, and pay damages, including damages for humiliation. In this sense, PIPEDA does have a private right of action.

PIPEDA also creates a narrow set of offences that the OPC may refer to the Attorney General for prosecution: obstructing an OPC investigation, retaliating against an employee who reports a violation, and failing to report or keep records of breaches of security safeguards. These carry fines of up to $100,000. The last of these is worth underlining for security teams: since November 2018, a breach of security safeguards that creates a real risk of significant harm must be reported to the OPC and to affected individuals, and records of every breach must be kept for 24 months regardless of severity.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
