Federal (private sector)
Updated April 2026

PIPEDA: Canada's Federal Private-Sector Privacy Law

How the Personal Information Protection and Electronic Documents Act protects your information when companies collect, use, or disclose it.

TL;DR

PIPEDA applies to most private-sector organizations across Canada. It requires meaningful consent, limits how your information can be used, gives you a right to access and correct your records, and creates a breach-notification obligation. Complaints go to the Office of the Privacy Commissioner of Canada (OPC).

What PIPEDA covers

PIPEDA applies to personal information that is collected, used, or disclosed by private-sector organizations in the course of commercial activities, and to all federally regulated businesses (airlines, banks, broadcasting, interprovincial transport, telecommunications).

Some provinces have their own private-sector privacy laws that are 'substantially similar' to PIPEDA. In British Columbia, Alberta, and Quebec, provincial law generally applies to local private-sector activities instead of PIPEDA, though PIPEDA still covers interprovincial and international flows of personal information.

The ten fair information principles

PIPEDA is built around ten principles that every organization must follow:

  • Accountability: An organization is responsible for personal information under its control, including information transferred to third parties.
  • Identifying purposes: You must be told why your information is being collected at or before the time of collection.
  • Consent: Your knowledge and consent are required for the collection, use, or disclosure of personal information (with narrow exceptions).
  • Limiting collection: Collection must be limited to what is necessary for the identified purposes.
  • Limiting use, disclosure, retention: Information cannot be used or disclosed for purposes other than those you consented to.
  • Accuracy: Information must be as accurate, complete, and up to date as necessary.
  • Safeguards: Organizations must protect personal information with appropriate security safeguards.
  • Openness: Organizations must make their privacy policies and practices readily available.
  • Individual access: You have a right to access the personal information held about you and to challenge its accuracy.
  • Challenging compliance: You can challenge an organization's compliance with PIPEDA by filing a complaint.

Meaningful consent

Consent is the cornerstone of PIPEDA. The OPC has issued guidance that consent must be 'meaningful', meaning you understand what you are consenting to, what will be collected, with whom it will be shared, and the reasonably foreseeable consequences.

Some activities require express (opt-in) consent: sensitive information like health or financial data, situations where the purpose is not obvious, or where disclosure could have significant consequences. For most other activities, implied consent may be enough.

You can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

Breach of security safeguards: mandatory notification

Since November 2018, PIPEDA has required organizations to notify the OPC and affected individuals of any breach of security safeguards involving personal information that creates a real risk of significant harm.

Organizations must also keep records of every breach (even those that do not require notification) for at least 24 months.

Your rights under PIPEDA

PIPEDA gives you the right to:

  • Know why an organization is collecting, using, or disclosing your personal information.
  • Expect an organization to collect, use, or disclose your information reasonably and appropriately.
  • Know who in the organization is responsible for protecting your information.
  • Access your personal information and request corrections if it is inaccurate or incomplete.
  • Withdraw consent (subject to limits) and have the organization stop processing.
  • File a complaint with the OPC if you believe an organization has not respected your rights.

How enforcement works

The Office of the Privacy Commissioner of Canada investigates complaints and issues findings, which may include recommendations. The OPC can also initiate investigations on its own motion.

If the matter is not resolved, you or the OPC may apply to the Federal Court, which has authority to order the organization to comply with PIPEDA and to award damages, including for humiliation suffered.

Proposed federal reform (Bill C-27) would replace PIPEDA with the Consumer Privacy Protection Act (CPPA) and create a new Personal Information and Data Protection Tribunal with order-making and administrative monetary penalty authority.
