PIPEDA
Comply with PIPEDA
The Personal Information Protection and Electronic Documents Act 2000, commonly known as PIPEDA, is the subject of on-going debate regarding its potential reform. Already, PIPEDA sets out principles to which organisations must abide, including principles of accountability, consent, accuracy and safeguards, as well as limiting collection, use, disclosure, and retention.
OneTrust DataGuidance's PIPEDA Portal provides you with the ability to track developments regarding PIPEDA and understand its obligations.
Visit our Canada Federal Jurisdiction Dashboard for further information on the Canadian Data Protection Landscape.
Latest developments
After Bill C-11 for the Digital Charter Implementation Act, 2020 failed to pass in 2021, a new reform was introduced in June 2022, under Bill C-27 for the Digital Charter Implementation Act 2022. The bill is divided into three parts, with each aimed at enacting a new act, namely the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. If passed, the CPPA would become Canada's main privacy regulatory regime for the private sector, thereby replacing PIPEDA. More in detail, Part I of PIPEDA would be repealed and the remaining part of the framework would be renamed as the Electronic Documents Act, thereby changing its nature.
The CPPA largely aligns with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). It would provide for provisions around consent, organizations' obligations, powers, duties, and functions of the Office of the Privacy Commissioner of Canada (OPC), administrative monetary penalties and enforcement orders, and a private right of action, among other things.
You can read the bill and track its progress here.
PIPEDA v. GDPR
OneTrust DataGuidance, in collaboration with Edwards, Kenny & Bray LLP, has produced a PIPEDA v. GDPR report which you can download here, and which assists organizations in understanding and comparing key provisions of the PIPEDA comparative to the GDPR. You can also leverage this information through our GDPR. PIPEDA Comparison in the tab above.
On November 23, 2023, the Office of the Privacy Commissioner (OPC) announced, that it had launched investigations into a cyberattack that resulted in a breach affecting the personal information of federal government personnel who used government-contracted relocation services over the past 24 years.
On November 24, 2023, the European Commission published a joint statement following the EU-Canada Summit 2023 on the same date.
The European Council announced, on October 30, 2023, that the President of the European Council, Charles Michel, together with the European Commission President, Ursula von der Leyden, would be travelling to Canada for the EU-Canada Summit on November 23 and 24, 2023.
The Office of the Privacy Commissioner (OPC) announced, on October 25, 2023, that the Privacy Commissioner, Philippe Dufresne, appeared, on the same day, before the Parliament of Canada, where they discussed the OPC 2022-2023 annual report and the importance of ensuring that children can navigate the online world without risk to their fundamenta
On October 20, 2023, the Office of the Privacy Commissioner of Canada (OPC) announced that it had signed a Memorandum of Understanding (MoU) with the National Privacy Commission of the Republic of the Philippines focused on their agreement to cooperate for data protection. The MoU includes several noteworthy aspects:
On October 20, 2023, the Minister of Innovation, Science, and Industry released draft motions to amend Bill C-27 for the Digital Charter Implementation Act 2022, following the Standing Committee on Industry and Technology adoption of a motion to produce drafts of amendments for potential areas of improvement that the Minister had referenced duri
The Office of the Privacy Commissioner (OPC) announced, on October 23, 2023, the publication of a new volume of OPC-funded research projects, focused on the privacy impacts of artificial intelligence (AI). In particular, the projects cover:
The Office of the Privacy Commissioner (OPC) announced, on October 19, 2023, that Commissioner Philippe Dufresne appeared before Parliament on the same day to discuss ways to improve and strengthen Bill C-27 for the Digital Charter Implementation Act 2022.
On October 17, 2023, the Office of the Privacy Commissioner (OPC) announced that it had released two companion documents supporting its resolution on youth privacy.
On October 11, 2023, the Office of the Privacy Commissioner (OPC) announced that it is seeking comments to update the guidance related to handling biometric information for both the private sector and the public sector.
On October 10, 2023, the Office of the Privacy Commissioner (OPC) announced the publication of a brief as part of the consultation, launched by the Department of Finance, to support the upcoming parliamentary review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
On October 6, 2023, the Office of the Privacy Commissioner of Canada (OPC) published a resolution entitled 'Protecting Employee Privacy in the Modern Workplace.' In particular, the resolution highlighted that with the rise of remote working, employee monitoring technologies have also been adopted, alongside the use of artificial intelligence (AI
On October 6, 2023, the Office of the Privacy Commissioner of Canada (OPC) published a resolution entitled 'Putting best interests of young people at the forefront of privacy and access to personal information.' In particular, the resolution highlights other efforts to protect young people's right to privacy, including the UK Age Appropriate Des
On September 26, 2023, Government Bill C-27, known as the Bill for the Digital Charter Implementation Act 2022 underwent discussions in the Standing Committee on Industry and Technology, after it passed the second reading in the Ho
On October 3, 2023, the Office of the Privacy Commissioner of Canada (OPC) announced that it welcomed the Federal Court of Appeal's (FCA) decision in the case Google LLC v the Privacy Commissioner of Canada et al., which co
On September 29, 2023, the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) announced that the Federal Court of Appeal (FCA) had affirmed, in Case Number 2023 FCA 200 Google LLC v the Privacy Commissioner of Canada et.
On September 27, 2023, Innovation, Science and Economic Development Canada (ISED) published a Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generativ
Artificial intelligence (AI) is transforming the way we work, learn, and communicate. The rapid development and adoption of new AI-based technologies have prompted regulators around the world to create policies and regulations governing its use, in an effort to ensure that AI is used in a responsible and ethical manner.
In this Insight article, Sarah Nasrullah, from Norton Rose Fulbright LLP, delves into Canada's AI regulatory landscape, examining key aspects of the AI Act, enforcement mechanisms, penalties, and implications for organizations and individuals.
In this report, OneTrust DataGuidance and Edwards, Kenny & Btay LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA).
On 16 June 2022, the Government of Canada introduced in the House of Commons the Artificial Intelligence and Data Act ('AIDA') as part of Bill C-27, for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related
Canada has an existing comprehensive federal private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA'), which became law in 2000. Recently, changes to PIPEDA have been proposed via the draft language of Bill C-27 for the Digital Charter Implementation Act 20221 ('Bill C-27').
Both the Consumer Privacy Protection Act ('CPPA') and Québec's Act to modernize legislative provisions as regard the protection of personal information, 2021, Chapter 25 ('Law 25') aim to modernise privacy laws and introduce significant penalties and fines for non-compliance.
On 16 June 2022, Bill C-27 for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act 2022 ('DCIA 2022'), was introduced in the H
Many jurisdictions are increasingly enacting laws and regulations governing how and where data must be stored either within their respective borders or abroad. What has resulted is a constantly evolving network of rules and restrictions for the location of data.
OneTrust DataGuidance and Edwards, Kenny & Btay LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA). The report, which was last updated in July 2023, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of PIPEDA with the GDPR.
You can access the latest version of the report here.
Key highlights
The PIPEDA and the GDPR share some similarities, particularly in regard to their personal and material scope. Both laws:
- regulate the transfer of data to third parties;
- require organizations to implement appropriate security measures with respect to personal information;
- refer to accountability as a fundamental principle of the protection of information;
- impose monetary penalties for non-compliance; and
- provide supervisory authorities with investigatory powers.
However, despite their similarities, PIPEDA and the GDPR also differ sometimes in their approach, such as:
- that PIPEDA does not distinguish personal information as either sensitive or not;
- that PIPEDA does not impose obligations relating to children;
- that the GDPR requires a DPIA to be conducted under specific circumstances, whereas PIPEDA does not;
- the appointment of a data protection officer; and
- the rights afforded to individuals under their respective laws.