Canadian Personal Information Protection and Electronic Documents Act: the basics

Know more about the Canadian Personal Information Protection and Electronic Documents Act, the prior consent that it requires, and how may it be violated
Canadian Personal Information Protection and Electronic Documents Act: the basics

We as consumers regularly give out our personal information – either to businesses or even for certain government transactions. How can we be sure that this information is protected and is not used in any other way? For this purpose, the Canadian Personal Information Protection and Electronic Documents Act or PIPEDA was enacted.

What is the Canadian Personal Information Protection and Electronic Documents Act?

The Canadian Personal Information Protection and Electronic Documents Act – or PIPEDA for short – is the country’s federal statute that regulates the collection, use, or disclosure of personal information. It is one of Canada’s data privacy laws.

This law is enforced or administered by the Office of the Privacy Commissioner. The Office may also receive complaints and conduct investigations into these complaints.

Recent Articles

New corporate transparency requirements: What Canadian companies need to know
BlueCat Network’s GC Alex Ghita on managing local compliance in a global organization
Report highlights cybersecurity concerns and investment challenges faced by businesses

Prior Consent

Under the PIPEDA, a person must give prior consent before any of their personal information may be collected, used, or disclosed for any commercial or for-profit purposes. This can be implied consent or express consent.

In measuring consent, the law provides that the person consenting must understand the nature, purpose, and consequences of its collection, use, or disclosure.

Personal Information

Any information about an identifiable individual constitutes as “personal information” under the PIPEDA. This may include any or the combination of the following:

  • General information: name, age, ID numbers, income, ethnic origin, or blood type.
  • Personal history: personal opinions, social status, or disciplinary actions.
  • Employment records: employee files, credit records, loan records, or medical records.

This list is not exclusive. Other information may be sensitive enough to be protected under the Canadian Personal Information Protection and Electronic Documents Act. This will ultimately depend on factual circumstances in each case.

What is the purpose of privacy laws?

Paige Backman, a Partner at Aird & Berlis LLP and Co-Chair of its Technology Group, shares the recent trends in privacy laws, which includes the area of artificial intelligence. “We are seeing a lot of interest and activity in understanding obligations and compliance in those areas,” Backman says.

She also says that “privacy compliance and data security matters continue to see heightened priority in business acquisitions and transactions with more time and resources spent in preparation for deals and through the due diligence process materially impacting structure, pricing, and risk profiles of the transactions.”

Who is covered by PIPEDA?

PIPEDA is applicable to the following organizations that collect, use, or disclose personal information:

  • Private sector organizations: in their commercial or for-profit activities, including selling, bartering or leasing of donor, membership or other fundraising lists.
  • Federally regulated organizations: such as airports, airlines, banks, transportation and telecommunication companies, and radio and TV broadcasters.

Exemptions from PIPEDA

The Canadian Personal Information Protection and Electronic Documents Act or PIPEDA provides for certain exemptions.

Backman shares the nature of being exempt from PIPEDA’s coverage. “Exemptions from PIPEDA are based more on the nature of the activity and the jurisdiction than a blanket exemption for a particular organization.”

Therefore, “activities that are not commercial in nature and not related to federally regulated employment matters are not regulated by PIPEDA,” says Backman.

Provincially Regulated Organizations

Backman also highlighted that, as to exemptions to PIPEDA, there may also be an interplay between PIPEDA and provincial privacy laws or health-related privacy laws.

“Organizations regulated by a provincial privacy statute may not be regulated by PIPEDA. That said, it’s worth reminding people that an organization can be regulated by a provincial privacy statute for some activities and PIPEDA for others.”

Watch this video to know more about who are covered by the Canadian Personal Information Protection and Electronic Documents Act or PIPEDA:

If you’re based in Toronto, consult with a Lexpert-Ranked best data privacy lawyer in Ontario to find out if your organization or business is covered by PIPEDA.

Other Exemptions

In addition to organizations governed by provincial privacy laws, there are other non-commercial activities that are exempt from PIPEDA:

  • Business-related activities: such as when information is used only to communicate in relation to employment, business, or profession.
  • Other non-commercial activities: such as for personal purposes, or for journalistic, artistic or literary purposes.
  • Government purposes:
    • when the disclosure is made to a government agency, and the information is related to Canada’s national security or international affairs; or
    • when the collection of information is related to investigations of breach of agreement or violations of Canadian laws.

How can PIPEDA be violated?

The PIPEDA is violated when a non-exempt organization or business collects, uses, or discloses any personal information without the necessary prior consent.

As to privacy/data security in general, Backman says that there’s consistent flow of breach mitigation and response work. “Organizations across industry verticals are the targets of third-party incursion events. Recently, we’ve helped mitigate and respond to threat actor events in the energy, education, and government sectors,” Backman says.

“While the nature of the breaches is varied and motivated by different objectives, typically it’s a ransomware or incursion to alter money transfers,” she adds.

Information Sharing Arrangements

Backman shared that information-sharing arrangements is one of the ways where PIPEDA may be violated.

“We see a number of organizations that have information-sharing arrangements with other organizations for marketing or other purposes. This can include sharing personal information with marketing partners and can also link to sites through social media login credentials.

“Logging into websites or platforms using third-party social media login credentials can often result in sharing personal information between the entities that is not expected,” Backman says.

As such, it’s important that organizations and companies that collect and use personal information have prior consent from their consumers.

“Often organizations are not clear about these relationships and the resulting information sharing, and do not obtain the requisite informed consent, consequently violating PIPEDA. Organizations that participate in these relationships need to ensure they are very clear with individuals that this disclosure and sharing of personal information is occurring and obtain express consent to do so,” Backman adds.

To know more about the Canadian Personal Information Protection and Electronic Documents Act or PIPEDA, consult with any of the best data privacy lawyers in Canada as ranked by Lexpert.