Skip to main content

Personal Information Protection and Electronic Documents Act

PIPEDA is Canada's federal private-sector privacy law, built on ten Fair Information Principles and overseen by the Office of the Privacy Commissioner. It governs commercial collection, use, and disclosure of personal information and requires breach reporting.

Jurisdiction
Canada

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law for the private sector. It was enacted in 2000 and came fully into force on January 1, 2004. PIPEDA governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. It is built around ten Fair Information Principles set out in a schedule to the Act and is overseen by the Office of the Privacy Commissioner of Canada (OPC).

PIPEDA takes a principles-based, technology-neutral approach. It is intended to balance individuals' privacy with organizations' legitimate need to use personal information. The European Commission has recognized PIPEDA as providing adequate protection, which facilitates data transfers from the EU to covered Canadian organizations.

Who It Applies To

PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of commercial activities. It also applies to federally regulated businesses such as banks, airlines, and telecommunications companies for employee data. Some provinces, including British Columbia, Alberta, and Quebec, have their own private-sector laws deemed substantially similar, which apply within those provinces in place of PIPEDA for many activities. Public-sector bodies are covered by the separate federal Privacy Act.

Key Requirements

The ten Fair Information Principles are accountability, identifying purposes, consent, limiting collection, limiting use, disclosure, and retention, accuracy, safeguards, openness, individual access, and challenging compliance. Organizations must obtain meaningful consent, collect only what is necessary for identified purposes, protect information with appropriate safeguards, keep it accurate, and let individuals access and correct their information. Since 2018, organizations must report breaches of security safeguards that pose a real risk of significant harm to the OPC and to affected individuals, and must keep records of all breaches.

Penalties for Non-Compliance

The OPC investigates complaints and issues findings and recommendations but cannot itself levy fines. Matters can be taken to the Federal Court, which can order remedies and award damages. Failing to report a qualifying breach or to keep breach records is an offence that can carry fines of up to CAD 100,000. Reform efforts have proposed stronger enforcement and higher penalties.

How to Comply

Adopt a privacy management program built around the ten principles. Identify and document the purposes for collection and obtain meaningful consent. Limit collection, use, and retention to what is necessary. Implement security safeguards proportionate to sensitivity. Provide access and correction mechanisms. Establish a breach response process that assesses real risk of significant harm and maintains breach records. Check whether a substantially similar provincial law applies to your activities.