The Ultimate Guide to PIPEDA
The Personal Information Protection and Electronic Documents Act 2000 (PIPEDA) is one of the two main federal privacy laws in Canada, which together with provincial statutes make up a patchwork of privacy legislation. At the federal level, PIPEDA regulates how private-sector organizations that conduct commercial activities collect, use, and disclose personal information, while the Privacy Act regulates the handling of personal information by federal government bodies. Alberta, British Columbia, and Quebec have each enacted provincial privacy laws which, unlike PIPEDA, in most cases have a wider scope of application; these laws have nonetheless been deemed ‘substantially similar’ to PIPEDA.
PIPEDA is a relatively old piece of legislation in the privacy and data protection space. It was originally introduced in April 2000, and in recent years there have been growing calls for modernization and reform of the federal law. In 2015, the Digital Privacy Act amended many of PIPEDA’s provisions, including making data breach notification a mandatory requirement. Further amendments in 2018 strengthened PIPEDA’s breach notification requirements.
In December 2020, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make related and consequential amendments to other Acts (Bill C-11) was introduced into Canadian Parliament but failed to pass. And in June 2022, a new federal reform bill was introduced in Parliament titled An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.
Keep reading to learn more about PIPEDA and some of its key requirements.
What is PIPEDA?
PIPEDA is a federal privacy law in Canada that is focused on the processing of personal information during the course of commercial activities of private-sector businesses. Compliance with PIPEDA is overseen by the Office of the Privacy Commissioner of Canada (OPC).
PIPEDA regulates the collection, use, and disclosure of personal information by requiring organizations to observe ten fair information principles and offering data subjects rights such as a right of access and a right to correction. In order to collect personal information, covered organizations must obtain valid consent from the data subject. The ongoing modernization of the law has led to strict data breach notification requirements also being placed on commercial organizations.
Who does PIPEDA apply to?
PIPEDA applies to private-sector organizations that collect, use, and disclose personal information for commercial or for-profit activities.
There are certain exemptions where PIPEDA doesn’t apply. These include personal information handled by federal government organizations covered by the Privacy Act; the collection, use, or disclosure of employee files; and personal information handled strictly for personal purposes or for journalistic purposes.
PIPEDA definitions of personal information
PIPEDA explicitly defines only two categories of personal information: personal information and personal health information.
Personal information is defined as information about an identifiable individual.
Personal health information is defined as information relating to an individual, whether living or deceased, including:
- Information concerning the physical or mental health of the individual
- Information concerning any health service provided to the individual
- Information concerning the donation by the individual of any body part or any bodily substance of the individual
- Information derived from the testing or examination of a body part or bodily substance of the individual
- Information that is collected in the course of providing health services to the individual
- Information that is collected incidentally to the provision of health services to the individual
What are the 10 principles of PIPEDA?
Schedule 1 of PIPEDA outlines ten fair information principles that organizations are required to comply with in order to protect personal information. These include:
- Accountability: Organizations are responsible for the personal information they control and must appoint someone to be accountable for compliance with PIPEDA’s ten principles.
- Identifying purposes: The purposes for which personal information is collected must be identified by the organization before or at the time of collection.
- Consent: Organizations must obtain consent to collect, use, or disclose an individual’s personal information.
- Limiting collection: The collection of personal information must be limited to the purposes identified by the organization.
- Limiting use, disclosure, and retention: Similar to the General Data Protection Regulation’s (GDPR) purpose limitation principle, personal information must only be used or disclosed for the purposes for which it was originally collected and kept only as long as required to serve those purposes.
- Accuracy: Personal information must be kept accurate, complete, and up-to-date.
- Safeguards: Organizations must implement a level of security appropriate to the sensitivity of the personal information in order to protect it.
- Openness: Organizations are required to make information about their data handling policies and practices publicly available.
- Individual access: Individuals may request to be informed of the existence, use, and disclosure of their personal information and to be given access to that information.
- Challenging compliance: Individuals can challenge an organization regarding its compliance with PIPEDA’s ten principles.
PIPEDA Data Breach Notification Requirements
Organizations covered by PIPEDA are required to report any breach or security incident involving personal information to the OPC if it is likely to ‘create a real risk of significant harm to an individual’. This can include:
- Bodily harm
- Humiliation
- Damage to reputation or relationships
- Loss of employment, business or professional opportunities
- Financial loss
- Identity theft
- Negative effects on the credit record and damage to or loss of property
When determining whether an incident has created a risk of significant harm to the individual, organizations must consider the sensitivity of the information involved and the probability of unauthorized access and misuse of personal information.
Organizations should notify the OPC ‘as soon as feasible’ after determining that a data breach has occurred, and should notify the affected individual when it is reasonable to believe that the breach creates a real risk of significant harm to that individual. The notification to the individual should include enough information about the breach to allow the individual to understand its nature and significance and the steps they can take to reduce the risk of harm.
Organizations that determine a notification is necessary due to the nature of the incident will also be required to notify other organizations that may be affected by the incident.
What is valid consent under PIPEDA?
Under PIPEDA, organizations must obtain valid consent from the data subject before collecting personal information. For consent to be valid, it must be reasonable to expect that the individual understands the nature, purpose, and consequences of the collection of their personal information for the specific purpose for which it is collected.
In certain instances, organizations can lawfully collect personal information without the consent of the data subject. These include:
- When the collection is in the interests of the individual and consent cannot be obtained in a timely way
- When it is reasonable to expect that the collection of personal information with valid consent would compromise the availability or the accuracy of the information
- Where personal information is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim
- When the individual provides personal information in the course of their employment and the collection is consistent with its original purposes
- When the collection is solely for journalistic, artistic, or literary purposes
- Where the information is publicly available
PIPEDA also outlines a set of similar conditions for the use and disclosure of personal information without valid consent that can be found under sections 7(2) and 7(3).
Penalties for non-compliance with PIPEDA
While the OPC oversees compliance with PIPEDA, it does not have the power to issue fines for violations of its provisions.
The OPC can issue its findings and make recommendations in cases of non-compliance. Cases are referred to the federal courts, which determine whether monetary penalties are issued.
PIPEDA sets out the following activities that constitute an offense:
- Obstructing the OPC in an investigation
- Failing to report security breaches involving personal information under an organization's control
- Failing to maintain records of security breaches involving personal information under an organization's control
- Disciplining a whistleblower
Monetary penalties can be issued in two ways. For offenses punishable by summary conviction, fines can range up to CAD 10,000; for indictable offenses, fines can range up to CAD 100,000.