PIPEDA
Comply with PIPEDA
The Personal Information Protection and Electronic Documents Act 2000, commonly known as PIPEDA, is the subject of ongoing debate regarding its potential reform. Already, PIPEDA sets out principles by which organisations must abide, including principles of accountability, consent, accuracy and safeguards, as well as limiting collection, use, disclosure, and retention.
OneTrust DataGuidance's PIPEDA Portal provides you with the ability to track developments regarding PIPEDA and understand its obligations.
Visit our Canada Federal Jurisdiction Dashboard for further information on the Canadian Data Protection Landscape.
Latest developments
After Bill C-11 for the Digital Charter Implementation Act, 2020 failed to pass in 2021, a new reform was introduced in June 2022, under Bill C-27 for the Digital Charter Implementation Act 2022. The bill is divided into three parts, with each aimed at enacting a new act, namely the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. If passed, the CPPA would become Canada's main privacy regulatory regime for the private sector, thereby replacing PIPEDA. In more detail, Part I of PIPEDA would be repealed and the remaining part of the framework would be renamed as the Electronic Documents Act, thereby changing its nature.
The CPPA largely aligns with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). It would provide for provisions around consent, organizations' obligations, powers, duties, and functions of the Office of the Privacy Commissioner of Canada (OPC), administrative monetary penalties and enforcement orders, and a private right of action, among other things.
You can read the bill and track its progress here.
PIPEDA v. GDPR
OneTrust DataGuidance, in collaboration with Edwards, Kenny & Bray LLP, has produced a PIPEDA v. GDPR report, which you can download here and which assists organizations in understanding and comparing key provisions of PIPEDA with those of the GDPR. You can also leverage this information through our GDPR. PIPEDA Comparison in the tab above.
On May 9, 2024, the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (CCCS), the UK National Cyber Security Centre (NCSC-UK), and New Zealand National Cyber Security Centre (NCSC-NZ), jointly pub
On May 6, 2024, the Office of the Privacy Commissioner of Canada (OPC) published the results of its survey of Canadian businesses on privacy-related issues.
On April 23, 2024, the Office of the Privacy Commissioner of Canada (OPC) announced that it had provided its submission to Justice Canada on Consultation on the Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence.
On April 19, 2024, Government Bill C-26 for an Act respecting cybersecurity, amending the Telecommunications Act, and making consequential amendments to other Acts passed the Standing Committee on Public Safety and National Security consideration.
On April 9, 2024, the Office of the Privacy Commissioner (OPC) announced that it had joined the Global Cooperation Agreements for Privacy Enforcement (Global CAPE).
On April 7, 2024, the Prime Minister of Canada announced a CAD 2.4 billion (approx. $1.7 billion) package of measures from the upcoming Budget 2024 to secure Canada's artificial intelligence (AI) advantage.
On March 28, 2024, the National Security and Intelligence Review Agency (NSIRA) announced that it conducted a review of the dataset regime introduced by the Government of Canada through the National Security Act 2017 as a modification to the Canadian Security Intelligence Service (CSIS) Act in July 2019.
On March 28, 2024, the Office of the Privacy Commissioner (OPC) published its Privacy Act Bulletin, with key takeaways from its investigations into the 2020 Employment and Social Development Canada's GCKey authentication service and Canada Revenue Agency (CRA) sign-in portal cyber breach.
On March 19, 2024, the Office of the Privacy Commissioner of Canada (OPC) announced that it will investigate a complaint made against the Canada Border Services Agency on privacy concerns related to the development of the ArriveCAN mobile app.
The Office of the Privacy Commissioner of Canada (OPC) announced on March 18, 2024, that it had launched a new online privacy impact assessment (PIA) submission form. The OPC confirmed that the new form provides a simple, secure means for federal institutions to submit PIA information.
On March 4, 2024, the European Commission announced that it adopted and submitted to the Council of the European Union (the Council) a proposal for an agreement between Canada and the EU on the transfer and processing of Passenger Name Record (PNR) data. The EU opened new negotiations with Canada on June 20, 2018, seeki
On February 29, 2024, the Office of the Privacy Commissioner of Canada (OPC) published its Report of Findings No. 2024-001, as issued on the same date, in which it found Aylo (formerly MindGeek) in violation of the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA) following a complaint.
On December 20, 2023, the Federal Court of Canada released guidance on the use of artificial intelligence (AI) in court proceedings. In particular, the Federal Court confirmed that it expects parties to proceedings to inform it, and each other, if they have used AI to create or generate new content in preparing a document filed with the Court.
On January 31, 2024, the European Commission announced that the EU and Canada's new digital partnership will, among other things, focus on increasing cooperation on artificial intelligence (AI) and cybersecurity.
On January 31, 2024, the UK Government announced that it had signed a Memorandum of Understanding (MoU) with Canada on artificial intelligence (AI) compute. The MoU signals their joint intent to collaborate in four key areas:
On January 22, 2024, the Office of the Privacy Commissioner (OPC) announced the kickoff of Data Privacy Week and launched its strategic plan.
On September 27, 2023, Innovation, Science and Economic Development Canada (ISED) published a Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generativ
Artificial intelligence (AI) is transforming the way we work, learn, and communicate. The rapid development and adoption of new AI-based technologies have prompted regulators around the world to create policies and regulations governing its use, in an effort to ensure that AI is used in a responsible and ethical manner.
In this Insight article, Sarah Nasrullah, from Norton Rose Fulbright LLP, delves into Canada's AI regulatory landscape, examining key aspects of the AI Act, enforcement mechanisms, penalties, and implications for organizations and individuals.
In this report, OneTrust DataGuidance and Edwards, Kenny & Bray LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA).
On 16 June 2022, the Government of Canada introduced in the House of Commons the Artificial Intelligence and Data Act ('AIDA') as part of Bill C-27, for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related
Canada has existing comprehensive federal private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA'), which became law in 2000. Recently, changes to PIPEDA have been proposed via the draft language of Bill C-27 for the Digital Charter Implementation Act 2022 ('Bill C-27').
Both the Consumer Privacy Protection Act ('CPPA') and Québec's Act to modernize legislative provisions as regards the protection of personal information, 2021, Chapter 25 ('Law 25') aim to modernise privacy laws and introduce significant penalties and fines for non-compliance.
On 16 June 2022, Bill C-27 for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act 2022 ('DCIA 2022'), was introduced in the H
Many jurisdictions are increasingly enacting laws and regulations governing how and where data must be stored either within their respective borders or abroad. What has resulted is a constantly evolving network of rules and restrictions for the location of data.
OneTrust DataGuidance and Edwards, Kenny & Bray LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA). The report, which was last updated in July 2023, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of PIPEDA with the GDPR.
You can access the latest version of the report here.
Key highlights
PIPEDA and the GDPR share some similarities, particularly in regard to their personal and material scope. Both laws:
- regulate the transfer of data to third parties;
- require organizations to implement appropriate security measures with respect to personal information;
- refer to accountability as a fundamental principle of the protection of information;
- impose monetary penalties for non-compliance; and
- provide supervisory authorities with investigatory powers.
However, despite their similarities, PIPEDA and the GDPR sometimes differ in their approach, such as:
- that PIPEDA does not distinguish personal information as either sensitive or not;
- that PIPEDA does not impose obligations relating to children;
- that the GDPR requires a DPIA to be conducted under specific circumstances, whereas PIPEDA does not;
- the appointment of a data protection officer; and
- the rights afforded to individuals under their respective laws.