May 28, 2025

Overview of the Personal Information Protection and Electronic Documents Act

What is PIPEDA?

There are two distinct federal privacy laws in Canada: the Privacy Act, which applies to the federal government, and the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which applies to private organizations. PIPEDA aims to balance the privacy rights of individuals with the legitimate needs of organizations to collect, use, and share personal information in their commercial activities across Canada.

Who does PIPEDA apply to?

PIPEDA applies to all for-profit private organizations that collect, use, and share personal information, except organizations conducting business in Alberta, Quebec, and British Columbia, which have their own privacy laws that are largely similar to PIPEDA.

PIPEDA does not apply to organizations that are not engaged in commercial, for-profit work. Furthermore, PIPEDA generally does not apply to not-for-profit and charity groups, nor political parties and associations, unless their involvement in commercial activities is significant to their primary purpose and involves personal information.

What is “Personal Information”?

PIPEDA defines personal information as “information about an identifiable individual”. This could include any piece of information that could identify an individual, such as age, race, national or ethnic origin, religion, marital status, education or employment history, DNA, financial information, etc. Information that is generally not considered to be personal information includes information not specifically relating to an individual, information about an organization, information that has been anonymized, government information, etc.

Ten Fair Information Principles

Organizations that are governed by PIPEDA must put privacy first by complying with the following ten fair information principles as set out therein:

  1. Accountability: Organizations are responsible for personal information under their control and must designate someone to ensure compliance with PIPEDA.
  2. Identifying purposes: Organizations must identify the purposes for which they collect personal information before or at the time of collection.
  3. Consent: Organizations must obtain the knowledge and consent of individuals before collecting, using, or disclosing personal information, except where inappropriate.
  4. Limiting collection: Organizations must collect information fairly and lawfully, and limit collection to the personal information which is required for the identified purposes.
  5. Limiting use, disclosure and retention: Organizations may only use or disclose personal information for the purposes for which it was collected, unless an individual consents otherwise or it is required by law. Additionally, organizations must only retain personal information as long as necessary to fulfill those purposes.
  6. Accuracy: Organizations must ensure that personal information is accurate, complete, and current to the extent required to meet the purposes for which it is used.
  7. Safeguards: Organizations must protect personal information with security measures appropriate to the sensitivity of the information.
  8. Openness: Organizations must provide publicly and readily available detailed information about their policies and practices for managing personal information.
  9. Individual access: Organizations must, upon request, inform individuals about the existence, use, and disclosure of their personal information and provide access to it. Individuals have the right to challenge the accuracy and completeness of the information and have it amended as appropriate.
  10. Challenging compliance: Individuals can challenge an organization’s compliance with all of the principles by addressing the person accountable for that organization’s compliance with PIPEDA.

The Future of PIPEDA

PIPEDA entered into force in 2000, and since then there have been significant developments in the privacy and artificial intelligence spaces. While PIPEDA currently remains in effect, it is possible that, in the near future, PIPEDA will be replaced.

In 2020, Bill C-11, known as the Digital Charter Implementation Act, 2020, was introduced to repeal certain provisions of PIPEDA. Bill C-11 failed to pass when Parliament was dissolved before the 2021 federal election. In 2022, Bill C-27, known as the Digital Charter Implementation Act, 2022, was introduced. Bill C-27 proposed three separate pieces of legislation: the Personal Information and Data Protection Tribunal Act (PIDPTA); the Consumer Privacy Protection Act (CPPA); and the Artificial Intelligence and Data Act (AIDA). The CPPA would have, if enacted, replaced PIPEDA. However, on January 6, 2025, Parliament was prorogued, putting an end to the parliamentary session, and Bill C-27 died on the Order Paper at the same time. Stay tuned for future updates.

If you have any questions about whether PIPEDA applies to your organization and whether you are in compliance with the applicable laws, please reach out to Blaney McMurtry LLP.

The author would like to acknowledge and thank articling student Callum Paleczny for his contributions to this article.

The information contained in this article is intended to provide information and comment, in a general fashion, about recent developments in the law and related practice points of interest. The information and views expressed are not intended to provide legal advice. For specific legal advice, please contact us.