PIPEDA

PIPEDA The Personal Information Protection and Electronic Documents Act is federal Canadian legislation enacted to regulate the collection, use and disclosure of personal information in the private sector. It was introduced amid debates involving figures and institutions such as Jean Chrétien, Stephen Harper, Supreme Court of Canada, Office of the Privacy Commissioner of Canada, and stakeholders including Canadian Bankers Association, Bell Canada, Rogers Communications, and Canadian Internet Policy and Public Interest Clinic. The statute intersects with provincial regimes like those in Quebec, British Columbia, and Alberta and with international frameworks represented by Organisation for Economic Co-operation and Development, European Union, and Council of Europe instruments.

Background and enactment

The roots of federal private-sector privacy legislation trace to policy developments during the tenure of Brian Mulroney and legislative initiatives influenced by events such as debates following the passage of the Access to Information Act and controversies involving corporations like Eaton's and Royal Bank of Canada. Drafting drew on comparative models including the United States’ Fair Credit Reporting Act, the United Kingdom’s Data Protection Act, and principles articulated by the Organisation for Economic Co-operation and Development. Parliamentary consideration involved committees chaired by members from parties such as the Liberal Party of Canada, the Conservative Party of Canada, and the New Democratic Party, with testimony from civil society groups like Canadian Civil Liberties Association and industry groups such as the Information Technology Association of Canada. Royal assent followed parliamentary processes overseen by officials including the Governor General of Canada.

Scope and application

The statute applies to commercial activities carried out by entities including banks like Toronto-Dominion Bank and retailers such as Hudson's Bay Company, telecoms like Telus Corporation, and service providers engaged in cross-border data flows to jurisdictions like United States and United Kingdom. It operates alongside provincial statutes such as the Act Respecting the Protection of Personal Information in the Private Sector and provincial privacy regimes administered by offices like the Information and Privacy Commissioner of Alberta and Commission d'accès à l'information (Québec). Coverage extends to federally regulated undertakings such as Air Canada, Canadian National Railway Company, and broadcasters including Canadian Broadcasting Corporation, while certain activities by not-for-profits and provincial public bodies fall under distinct frameworks like those overseen by the Ontario Information and Privacy Commissioner.

Key principles and requirements

The law embeds a set of fair information practices reflected in requirements for consent, purpose specification, limited collection, accuracy, safeguards, openness, individual access, and challenging compliance. These obligations are akin to principles found in instruments such as the Universal Declaration of Human Rights, the European Union General Data Protection Regulation, and recommendations from the United Nations Conference on Trade and Development. Organizations must establish policies and practices that address handling of identifiers used by platforms and services like Facebook, Google, Apple Inc., Microsoft, and payment processors such as Visa Inc. and Mastercard. Notable duties include breach notification, data minimization, and cross-border disclosure safeguards comparable to mechanisms in bilateral instruments like the Canada–United States Safe Third Country Agreement in import contexts and corporate governance guidelines promoted by groups like the Canadian Securities Administrators.

Enforcement and oversight

Oversight is led by an independent oversight institution, the Office of the Privacy Commissioner of Canada, which conducts investigations, audits, and public reports and which has engaged in litigation before the Federal Court of Canada and the Supreme Court of Canada to determine statutory scope. The Commissioner's functions are comparable to those of counterparts such as the Information Commissioner's Office and the Data Protection Commission (Ireland). Enforcement measures include findings, compliance agreements, and public naming; criminal or administrative penalties intersect with provisions of the Competition Bureau and prosecutions under statutes like the Criminal Code (Canada) for specific offences. The law also allows affected persons and organizations such as Canadian Civil Liberties Association and corporate actors to participate in tribunals and courts, invoking remedies through judicial review under rules similar to those in proceedings before the Federal Court of Appeal.

Amendments and legal challenges

Since enactment, the statute has been subject to legislative amendments and sustained litigation. Notable reform proposals were pursued under cabinets led by Paul Martin and Stephen Harper, with later modernization initiatives linked to ministers such as Tony Clement and Stéphane Dion. Judicial interpretation in cases heard by the Federal Court of Canada and the Supreme Court of Canada has clarified issues including extraterritorial reach and consent doctrines, with interveners such as the Canadian Internet Policy and Public Interest Clinic, Canadian Bankers Association, and TechNet shaping arguments. Legislative amendments have responded to technological shifts involving actors like Amazon (company), Twitter, WhatsApp, Shopify, and developments in fields including cloud computing by providers such as Amazon Web Services and Google Cloud Platform. Ongoing debates engage international trade partners represented by entities like the World Trade Organization and regulatory harmonization efforts with the European Commission.

Category:Canadian federal legislation