
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

We have talked many times before on our blog about privacy and data protection; about the subject in general, about GDPR, LGPD and even CCPA, but never before have we addressed the subject of PIPEDA - The Personal Information Protection and Electronic Documents Act.
So in this article, we are going to take a look at Privacy Laws in Canada, the present legislation and future law proposals.
 

The country has two federal laws, enforced by the Office of the Privacy Commissioner of Canada (OPC), the specialized institution responsible for dealing with and protecting privacy rights, the equivalent of the Data Protection Authority (DPA) in the EU. 
According to the OPC official website (which is very elaborate and you should definitely check it out if you are a Canadian website owner), the country’s federal privacy laws are the following:


The Privacy Act

The Privacy Act regulates how the government handles personal data about its citizens, data used for implementing public policies and national programs.
It states that Canadians have the right to know when and how their personal information is being collected and how it is being used by governmental agencies. This act protects the personal information held by these institutions and grants citizens the right to access their data.
The Privacy Act usually applies to the following services provided by the government:

  • employment insurance

  • pension security benefits

  • public safety and federal policies

  • tax collection and refunds

  • border security.

The Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA regulates how the private sector handles personal data and was last revised in May 2019.
According to the OPC, PIPEDA defines personal data as subjective information about an identifiable individual “in any form such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;

  • opinions, evaluations, comments, social status, or disciplinary actions; and

  • employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).”

To be PIPEDA compliant, a business must always get the individual’s consent before collecting their personal data, and that data can be used only for the purpose it was collected for. New consent is needed if the data is about to be disclosed and used in any way other than the one previously approved by the individual. People are entitled to access their data at any time and challenge its accuracy.

This may sound very strict, but keep in mind that the GDPR is stricter and better defined. While PIPEDA consent can be "express" or "implied", leaving room for debate, GDPR consent must be very specific.
Another very big difference has to do with fines: the PIPEDA fines are much lower (CAD$100,000, approximately €65,000) than the GDPR fines (€20 million or 4% of the business’s annual turnover). Extraterritorial applicability and data breaches are also treated differently by the two. You may access a more elaborate comparison between PIPEDA and GDPR by checking out this brochure.

Besides PIPEDA and the Privacy Act, there are also regional privacy laws, varying from one province to another. For example, Alberta and British Columbia have passed data privacy laws to better regulate employee information, and several other provinces, including Ontario, have health-related privacy laws to better protect medical patients’ information. There are also sector-specific privacy laws, such as the Bank Act, which ensures the accuracy of data and limits the disclosure of information.

The Digital Charter Implementation Act, 2020

This pandemic has sure changed the way people live, making them interact more than ever through technology. More personal information than ever before is being transferred through online mediums, especially with the current switch from offices to WFH, with most legal documents from companies now being transferred online.
Of course, this is happening all over the world, but the Canadian government saw this as a stepping stone for improving their current privacy laws, and on these premises, the Canadian Minister of Innovation, Science and Industry, Navdeep Bains, proposed a new law project: the Digital Charter Implementation Act, 2020.

“The COVID-19 pandemic has accelerated the digital transformation which is changing how Canadians work, access information, access services, and connect with their loved ones. This transformation is making concerns about privacy, and how companies handle Canadians’ data, more important than ever. As Canadians increasingly rely on technology we need a system where they know how their data is used and where they have control over how it is handled. For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement. This legislation represents an important step towards achieving this goal.” – Navdeep Bains, Minister of Innovation, Science, and Industry, source: the Government of Canada, canada.ca.

In conclusion, changes and improvements are in motion, but here at Visitor Analytics we always do our best to stay up to date with international laws and to provide the best privacy-compliant web analytics tool on the market, so that our users are safe from lawsuits and fines.