What is PIPEDA: The Canadian Data Privacy Law?
A Quick Guide to the Personal Information Protection and Electronic Documents Act.
We’ve heard all about GDPR -- it’s hard to miss it, right? But did you know that Canada has actually been leading the charge in data privacy, even ahead of the EU? Until very recently, it hadn’t even been a blip on my radar, despite the potential, or even likely, implications this has for many American enterprises that do business in Canada; it also highlights how woefully behind the U.S. is in enacting federal laws to protect its citizens’ data.
By now, nearly everyone is probably familiar with the Equifax data breach that occurred in 2017 and affected the data of nearly 150 million people; in early April, roughly eighteen months after the breach was first reported (6 weeks after Equifax discovered it), the Canadian Privacy Commissioner’s office released the results of its investigation into the breach. Long story short, the investigation found numerous violations of Canadian law. South of the border, the Government Accountability Office released two reports, one on the response to the Equifax breach (which included long-term recommendations to restore trust in the credit-reporting bureau) and another on the need for better oversight of consumer reporting agencies.
In the US, though, the response by the federal government was lackluster at best and the majority of actions against Equifax have come at a local level with eight states issuing consent orders requiring the credit bureau to conduct more risk assessments and internal audit programs for consumers’ personal data. To date, the US has yet to take any strong action against Equifax; neither the FTC nor the CFPB (Consumer Financial Protection Bureau) have taken any steps to reprimand the company or even force it to increase its security moving forward. The current federal government has shown repeatedly that it cares little about this incident, in particular, and data security in general.
Background of PIPEDA
Unbeknownst to me, Canada has been at the forefront of data protection since as early as 2000, when PIPEDA was enacted. The law was based on the 10 principles outlined in the Model Code for the Protection of Personal Information all the way back in 1996, which included accountability, consent and the limiting of data collection, among others. The Personal Information Protection and Electronic Documents Act (PIPEDA) includes ten criteria, referred to as the fair information principles, which form the foundation of PIPEDA. Today, these principles can also be found in the GDPR legislation.
Speaking of GDPR, the Canadian government was one of the first to acknowledge the need to update its legislation to safeguard the continuity of data transfers between the Great White North and the EU bloc. An amendment to PIPEDA, the Data Privacy Act, actually predated the final text of GDPR by six months, being adopted in June of 2015, though its breach provisions did not go into effect until November of 2018.
The Data Privacy Act requires organizations subject to PIPEDA to report to the Office of the Privacy Commissioner (OPC) any breaches of security safeguards involving personal information “that pose a real risk of significant harm” to individuals; to notify affected individuals of the breach; and to keep records of every breach of security safeguards, regardless of whether or not there is a real risk of significant harm.
Who does PIPEDA apply to?
PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity. Also under this umbrella are federally-regulated businesses such as airlines, banks and telecom companies.
In essence, this means that political parties and associations, as well as hospitals, educational institutions and not-for-profit organizations, are outside of PIPEDA’s jurisdiction, provided they don’t engage in any commercial activities. Although collecting membership fees and donations, compiling lists of members or donors for communication purposes, and fundraising are not considered commercial activities, the selling, leasing or bartering of this information is considered a commercial activity and would therefore be subject to PIPEDA regulations. Additionally, federal government departments and agencies do not fall under PIPEDA.
Although not explicitly stated, the Federal Court of Canada has ruled that PIPEDA does apply to businesses found in other jurisdictions if there is a “substantial connection” between an organization’s activities and Canada. In other words, organizations in the US as well as other countries globally that collect, use, or disclose the personal information of Canadians in the course of their commercial activities are regulated under this legislation.
What is “personal information” under PIPEDA?
PIPEDA’s definition of “personal information” is extremely broad. “Personal information” is defined as any “information about an identifiable individual.” This definition of “personal information” encompasses any factual or subjective information, recorded or not, about an individual, including, but not limited to, name, age, ethnic origin, religion, Social Insurance Number, email address, health information, financial information, biometric information, employee files, credit reports, and education history.
Mandatory Notification Requirements
Individuals must be notified of any breach of security safeguards involving their personal information if there is a reasonable belief that the breach creates a “real risk of significant harm.” At the same time, the affected organization must also report the breach to the Privacy Commissioner of Canada.
In order to determine whether a breach actually poses a real risk of significant harm to individuals, organizations are given the chance to undertake a risk-harm analysis before beginning the required notifications; if there is no real risk of significant harm, the organization is not required to issue any notifications. Notifications must occur as soon as feasible once the breach has been identified. The Privacy Commissioner must be notified via a secure means; individuals must be notified in person, by telephone, mail, email, or any other form of communication that a reasonable person would consider appropriate.
PIPEDA also requires organizations to notify additional government institutions if the organization believes that doing so offers an opportunity to reduce or mitigate the risk of harm to the affected individuals.
Most notably, PIPEDA requires organizations to keep and maintain a record of every breach of security safeguards for two years even if the breach is not required to be reported. Although the definition of record in this case is subject to interpretation, it must contain any information that enables the Privacy Commissioner to verify compliance with PIPEDA. On request, an organization must be prepared to provide the Privacy Commissioner with access to, or a copy of, any record.
While the extent of Canada’s privacy laws by far outpaces any type of federal legislation currently on the books in the US, the Privacy Commissioner, Daniel Therrien, while calling the updates to PIPEDA a “step in the right direction,” also voiced concerns about the law, including the lack of insight into an organization’s data safeguards in the required reporting and the lack of significant financial sanctions for inadequate data security safeguards, which he called a missed opportunity to incentivize organizations to prevent breaches (fines are currently capped at $100,000 CAD).