PIPEDA
Comply with PIPEDA
The Personal Information Protection and Electronic Documents Act 2000, commonly known as PIPEDA, is the subject of ongoing debate regarding its potential reform. PIPEDA already sets out principles by which organisations must abide, including principles of accountability, consent, accuracy and safeguards, as well as limiting collection, use, disclosure, and retention.
OneTrust DataGuidance's PIPEDA Portal provides you with the ability to track developments regarding PIPEDA and understand its obligations.
Visit our Canada Federal Jurisdiction Dashboard for further information on the Canadian Data Protection Landscape.
Latest developments
After Bill C-11 for the Digital Charter Implementation Act, 2020 failed to pass in 2021, a new reform was introduced in June 2022, under Bill C-27 for the Digital Charter Implementation Act 2022. The bill is divided into three parts, each aimed at enacting a new act, namely the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. If passed, the CPPA would become Canada's main privacy regulatory regime for the private sector, thereby replacing PIPEDA. In more detail, Part I of PIPEDA would be repealed and the remaining part of the framework would be renamed as the Electronic Documents Act, thereby changing its nature.
The CPPA largely aligns with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). It would include provisions on consent, organizations' obligations, the powers, duties, and functions of the Office of the Privacy Commissioner of Canada (OPC), administrative monetary penalties and enforcement orders, and a private right of action, among other things.
You can read the bill and track its progress here.
PIPEDA v. GDPR
OneTrust DataGuidance, in collaboration with Edwards, Kenny & Bray LLP, has produced a PIPEDA v. GDPR report which you can download here, and which assists organizations in understanding and comparing key provisions of PIPEDA with those of the GDPR. You can also leverage this information through our GDPR v. PIPEDA Comparison in the tab above.
On March 19, 2024, the Office of the Privacy Commissioner of Canada (OPC) announced that it will investigate a complaint made against the Canada Border Services Agency on privacy concerns related to the development of the ArriveCAN mobile app.
The Office of the Privacy Commissioner of Canada (OPC) announced, on March 18, 2024, that it had launched a new online privacy impact assessment (PIA) submission form. The OPC confirmed that the new form provides a simple, secure means for federal institutions to submit PIA information.
On March 4, 2024, the European Commission announced that it adopted and submitted to the Council of the European Union (the Council) a proposal for an agreement between Canada and the EU on the transfer and processing of Passenger Name European Record (PNR) data. The EU opened new negotiations with Canada on June 20, 2018, seeki
On February 29, 2024, the Office of the Privacy Commissioner of Canada (OPC) published its Report of Findings No. 2024-001, as issued on the same date, in which it found Aylo (formerly MindGeek) in violation of the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA) following a complaint.
On December 20, 2023, the Federal Court of Canada released guidance on the use of artificial intelligence (AI) in court proceedings. In particular, the Federal Court confirmed that it expects parties to proceedings to inform it, and each other, if they have used AI to create or generate new content in preparing a document filed with the Court.
On January 31, 2024, the European Commission announced that the EU and Canada's new digital partnership will, among other things, focus on increasing cooperation on artificial intelligence (AI) and cybersecurity.
On January 31, 2024, the UK Government announced that it had signed a Memorandum of Understanding (MoU) with Canada on artificial intelligence (AI) compute. The MoU signals their joint intent to collaborate in four key areas:
On January 22, 2024, the Office of the Privacy Commissioner (OPC) announced the kickoff of Data Privacy Week and launched its strategic plan.
On January 8, 2024, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) issued a joint statement with the Office of the Privacy Commissioner (OPC) of Canada regarding the 72nd meeting of the International Working Group on Data Protection in Technology (the Berlin Group) held in Ottawa, Canada, from December
On December 7, 2023, the Office of the Privacy Commissioner (OPC) announced that it had released principles for responsible, trustworthy, and privacy-protective generative artificial intelligence (AI) technologies.
On November 23, 2023, the Office of the Privacy Commissioner (OPC) announced that it had launched investigations into a cyberattack that resulted in a breach affecting the personal information of federal government personnel who used government-contracted relocation services over the past 24 years.
On November 24, 2023, the European Commission published a joint statement following the EU-Canada Summit 2023 on the same date.
The European Council announced, on October 30, 2023, that the President of the European Council, Charles Michel, together with the European Commission President, Ursula von der Leyen, would be travelling to Canada for the EU-Canada Summit on November 23 and 24, 2023.
The Office of the Privacy Commissioner (OPC) announced, on October 25, 2023, that the Privacy Commissioner, Philippe Dufresne, appeared, on the same day, before the Parliament of Canada, where they discussed the OPC 2022-2023 annual report and the importance of ensuring that children can navigate the online world without risk to their fundamenta
On October 20, 2023, the Office of the Privacy Commissioner of Canada (OPC) announced that it had signed a Memorandum of Understanding (MoU) with the National Privacy Commission of the Republic of the Philippines focused on their agreement to cooperate for data protection. The MoU includes several noteworthy aspects:
On October 20, 2023, the Minister of Innovation, Science, and Industry released draft motions to amend Bill C-27 for the Digital Charter Implementation Act 2022, following the Standing Committee on Industry and Technology adoption of a motion to produce drafts of amendments for potential areas of improvement that the Minister had referenced duri
On September 27, 2023, Innovation, Science and Economic Development Canada (ISED) published a Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generativ
Artificial intelligence (AI) is transforming the way we work, learn, and communicate. The rapid development and adoption of new AI-based technologies have prompted regulators around the world to create policies and regulations governing its use, in an effort to ensure that AI is used in a responsible and ethical manner.
In this Insight article, Sarah Nasrullah, from Norton Rose Fulbright LLP, delves into Canada's AI regulatory landscape, examining key aspects of the AI Act, enforcement mechanisms, penalties, and implications for organizations and individuals.
In this report, OneTrust DataGuidance and Edwards, Kenny & Bray LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA).
On 16 June 2022, the Government of Canada introduced in the House of Commons the Artificial Intelligence and Data Act ('AIDA') as part of Bill C-27, for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related
Canada has existing comprehensive federal private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA'), which became law in 2000. Recently, changes to PIPEDA have been proposed via the draft language of Bill C-27 for the Digital Charter Implementation Act 2022 ('Bill C-27').
Both the Consumer Privacy Protection Act ('CPPA') and Québec's Act to modernize legislative provisions as regards the protection of personal information, 2021, Chapter 25 ('Law 25') aim to modernise privacy laws and introduce significant penalties and fines for non-compliance.
On 16 June 2022, Bill C-27 for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act 2022 ('DCIA 2022'), was introduced in the H
Many jurisdictions are increasingly enacting laws and regulations governing how and where data must be stored either within their respective borders or abroad. What has resulted is a constantly evolving network of rules and restrictions for the location of data.
OneTrust DataGuidance and Edwards, Kenny & Bray LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA). The report, which was last updated in July 2023, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of PIPEDA with the GDPR.
You can access the latest version of the report here.
Key highlights
PIPEDA and the GDPR share some similarities, particularly in regard to their personal and material scope. Both laws:
- regulate the transfer of data to third parties;
- require organizations to implement appropriate security measures with respect to personal information;
- refer to accountability as a fundamental principle of the protection of information;
- impose monetary penalties for non-compliance; and
- provide supervisory authorities with investigatory powers.
However, despite their similarities, PIPEDA and the GDPR sometimes differ in their approach, including with respect to:
- the classification of personal information, which PIPEDA does not distinguish as either sensitive or not;
- obligations relating to children, which PIPEDA does not impose;
- DPIAs, which the GDPR requires to be conducted under specific circumstances, whereas PIPEDA does not;
- the appointment of a data protection officer; and
- the rights afforded to individuals under their respective laws.