Canada | PIPEDA  |  Privacy

PIPEDA | Privacy

The Personal Information Protection and Electronic Documents Act (PIPEDA or the PIPED Act) is a Canadian law relating to data privacy.[1] It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents. PIPEDA became law on 13 April 2000 to promote consumer trust in electronic commerce.

PIPEDA incorporates and makes mandatory provisions of the Canadian Standards Association's Model Code for the Protection of Personal Information, developed in 1995.

In Canada there are 28 federal, provincial and territorial privacy statutes (excluding statutory torts, privacy requirements under other legislation, federal anti-spam legislation, identity theft/ criminal code etc.) that govern the protection of personal information in the private, public and health sectors. Although each statute varies in scope, substantive requirements, and remedies and enforcement provisions, they all set out a comprehensive regime for the collection, use and disclosure of personal information.

The summary below focuses on Canada’s private sector privacy statutes:

Personal Information Protection and Electronic Documents Act ('PIPEDA')

Personal Information Protection Act ('PIPA Alberta')

Personal Information Protection Act ('PIPA BC'),

Personal Information Protection and Indentity Theft Prevention Act ('PIPITPA') (not yet in force), and

An Act Respecting the Protection of Personal Information in the Private Sector ('Quebec Privacy Act'), (collectively, 'Canadian Privacy Statutes').

 

PIPEDA applies:

  1. to consumer and employee personal information practices of organisations that are deemed to be a ‘federal work, undertaking or business’ (eg banks, telecommunications companies, airlines, railways, and other interprovincial undertakings)
  2. to organisations who collect, use and disclose personal information in the course of a commercial activity which takes place within a province, unless the province has enacted ‘substantially similar’ legislation (PIPA BC, PIPA Alberta and the Quebec Privacy Act have been deemed ‘substantially similar’), and
  3. to inter provincial and international collection, use and disclosure of personal information.

PIPA BC, PIPA Alberta and the Quebec Privacy Act apply to both consumer and employee personal information practices of organisations within BC, Alberta and Quebec, respectively, that are not otherwise governed by PIPEDA.

PIPEDA, PIPA Alberta, PIPA BC and PIPITPA expressly require organisations to appoint an individual responsible for compliance with the obligations under the respective statutes.