The Personal Information Protection and Electronic Documents Act (PIPEDA) represents a Canadian data privacy law that regulates how businesses collect and use personal data within Canadian territory. This federal law came into force in 2000, much earlier than other privacy laws such as the GDPR and CCPA. At that time, Canadian federal legislation had a goal to increase trust in e-commerce and protect consumer personal data. Since then, PIPEDA legal officials have introduced several amendments to include other industries as well. However, there are still organizations that are exempt from this data regulation.
In terms of privacy, we can say that Canada is a progressive country. Besides the fact that it introduced the first federal privacy law in the world, many of its provinces also have their own privacy laws and enjoy special treatment under the PIPEDA. The latest version of PIPEDA compliance greatly resembles the GDPR. This practice contributed to the easing of the trading restrictions between Canada and the EU, which are known as two of the biggest markets in the world.
Although Canada has more inhabitants than most nations worldwide, its population of 38 million is still significantly smaller than the EU’s 446 million residents. These two territories together have a population of about 484 million people, which represents the challenging task of protecting all of their data.
This is why they created data laws with uniform obligations to all organizations across their territories. Both countries rolled out consumer rights rules that guarantee maximum data privacy and protection. However, there is a clear distinction between these two that will be discussed later.
To discover if your business is subject to the Canadian data law PIPEDA, learn more about it, and find out what measures your company needs to take to comply with it, just scroll down!
1. Who needs PIPEDA compliance?
Any private sector organization that collects, stores, and disseminates personally identifiable information (PII) as part of commercial activity inside of Canadian borders must comply with PIPEDA. The key concept here is commercial activity specific to this data privacy regulation. There are many commercial activities but not all are subject to Canadian data law rules.
Under the PIPEDA, commercial activity is seen as “any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.” That said, if you own a business registered in Canada that satisfies this criteria for commercial activity, you must establish PIPEDA compliance to keep your business operations legitimate and your customers happy.
However, Canadian data law can be relevant to you even if your company’s headquarters is based in another country. According to the PIPEDA provisions related to international business, all organizations that process data from Canadian residents for commercial purposes should respect the privacy law of this country.
The PIPEDA is administered by Canada's Office of the Privacy Commissioner. This government body offers a helpful tool that enterprises can use to determine what institution to contact if they face a privacy issue. It also provides a fact sheet on privacy legislation that’s designed to assist organisations in their PIPEDA compliance journey.
2. Who is not subject to PIPEDA compliance?
The Office of the Privacy Commissioner imposed a rule that exempts certain organizations from the PIPEDA requirements. In Canada, besides the PIPEDA and Privacy Act, there are many micro data privacy laws based on location. Provinces such as Quebec, Alberta, British Columbia – and to a lesser extent New Brunswick, Ontario, Nova Scotia, Newfoundland and Labrador - have already established similar legislation.
For instance, Alberta and British Columbia already have a similar act on the books, which is called the Personal Information Protection Act (PIPA). This act closely mirrors PIPEDA’s clauses. Due to the privacy laws’ similarities, private enterprises in these provinces are not required to follow PIPEDA rules. An individual collecting or disclosing data strictly for personal use such as collecting gift cards doesn’t need to think about PIPEDA compliance at all. Similarly, an organization processing personal information solely for journalistic, literary, or artistic purposes is exempt from this law as well.
However, the federal PIPEDA rules are still valid on an interprovincial and international level. All transactions on this level flow across geographical borders, which represent an uncovered data privacy territory. Thus the PIPEDA fills in those territory holes, making sure that everyone’s privacy is protected. Federally supervised organizations such as banks, transportation companies, and telecommunications also operate out of these borders, which is why they fall under the PIPEDA compliance category too.
Regardless of its origin, which can be provincial and subject to its own specific micro data law, personal data collected, used, or disclosed by organizations regulated by the federal authorities is still covered under the PIPEDA. Those organizations can fall under the categories of federal works, businesses or undertakings including:
- Radio and television stations
- Banks
- Inter-provincial trucking
- Airports and airlines
- Railways, canals, pipelines, ferries, etc. that cross borders
- Navigation and shipping by water
- Telecommunication companies like cable companies, internet providers, or phone (cellular or landline firms)
3. The definition of PII under the PIPEDA Canadian data law
According to the PIPEDA, personal information means any kind of data “about an identifiable individual.” In other words, any sensitive data collected in the course of the commercial activity that can be traced back to a specific consumer.
The following data can be considered as PII under the PIPEDA:
- Basics: first name and last name
- Demographics: age, gender, sex, race, nationality, and ethnicity
- Government data: ID numbers, passport number, drivers license, and marital status
- Financial data: income, bank account details, credit card number, insurance, credit records, and loan records
- Medical information: blood type, Social Security Number, fingerprints, facial recognition, DNA, and overall patient records
- Background: education and employment history
- Preferences: opinions, evaluations, comments, social status, and disciplinary actions
- Legal records: documents on an existing dispute between a consumer and vendor, as well as their intentions (for instance, to acquire products or services, or switch jobs)
4. The key principles of PIPEDA
All businesses that need to comply with the Canadian data privacy law need to follow 10 information rules. To build trust in your business and digital economy, you are invited to respect the next key PIPEDA principles:
- Accountability: You should employ a person responsible for PIPEDA compliance, incorporate necessary rules within your company’s privacy policy, and train your staff to deliver exceptional service while keeping your customers’ data safe. There should be ongoing data handling practice analyses that will guarantee their efficiency and effectiveness, and ultimately keep you in compliance.
- Identifying Purposes: Before any data collection move you should note the purposes of any sort of data use in your privacy policy. You should inform your customers about these purposes as well.
- Consent: After informing all your customers about the data collection, selling, or sharing purposes, you should ask them for their consent to conduct such activities. Only then will the use of their PII be legitimate on your side.
- Limiting Collection: Collect only the data relevant to your original and approved purposes.
- Limiting Use, Disclosure, and Retention: Canadian consumers have the right to limit collection and disclosure of their data. For any new purpose you should ask for a new consent. Make sure that you know where all your data is stored and keep it only if you still need to fulfill your original purposes.
- Accuracy: Ensure that the data you collect is accurate. It is possible that someone made a mistake when writing down customer data, which is why the PIPEDA team have given consumers the right to request the correction of their data at any time.
- Safeguards: You are obliged to protect all customer data from cyber theft, data breaches, and any kind of unauthorized access. This applies regardless of its sensitivity or storing practices.
- Openness: Use plain language that everyone can understand when describing your company’s detailed data management practices so that your customers can comprehend your security measures and trust you with their information.
- Individual Access: Consumers have the right to access all of the information a company or institution has on them.
- Challenging Compliance: Your company should provide your customers with tools that enable them to challenge your PIPEDA compliance. This can mean including contact info for the person or people accountable for data compliance.
All of these principles reflect consumer rights and are created with the goal of giving Canadian consumers more power over their data. This is especially important in the age of increasing digital data transfer and a growing amount of cybercrime. How can you establish PIPEDA compliance? You can hire a team with many legal and IT professionals who will be focused on this task or you can hire a single helpdesk solution focused on data security and compliance. You should opt for the most efficient and cost effective solution, right?