PIPEDA is the Canadian privacy law for private-sector businesses. Learn how it affects U.S.-based companies doing business with Canada.
Companies in the U.S. are increasingly concerned about compliance with federal and state privacy laws. However, if they do business abroad, namely in Canada, they should also comply with Canadian laws. There are many similarities in privacy protection in Canada, the European Union (EU), and the U.S., but differences still exist. In general, Canada’s data protection laws are more far-reaching than their American counterparts and may even apply to non-Canadian entities. The Canadian federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), demonstrates both the similarities and the differences with its American analogs.
We will look at what PIPEDA is in terms of data privacy, what its requirements are, and how it applies to U.S. businesses.
PIPEDA is the Canadian federal privacy law for private-sector organizations. The law was initially enacted on April 13, 2000, to promote trust in electronic commerce. However, it has expanded to include other private-sector industries like banking, broadcasting, and healthcare. The purpose of the law is to “govern the collection, use, and disclosure of personal information in a manner that recognizes the right of privacy of individuals concerning their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
PIPEDA is based on 10 fair information principles on how businesses in Canada must protect individuals’ personal data. These principles are:
By following these principles, businesses remain compliant with privacy requirements, provide protection to their customers’ data, and build trusting relationships with them.
In Canadian data privacy law, personal information is “all information about an identifiable individual” other than the name, title, business address, or telephone number of an organization’s employee. Personal information under PIPEDA is broadly interpreted and includes information as diverse as Internet Protocol (IP) addresses, salespersons’ sales statistics, photographs of the interior of one’s apartment, etc. The essence of the definition is that the information presents a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.
PIPEDA has a lot in common with the European Union’s General Data Protection Regulation (GDPR), which we examined in detail in our previous post, What is GDPR Compliance and Why is it so Important? Like GDPR, PIPEDA grants individuals the right to access personal information held by an organization, to know who has access to it and the purpose for which it was collected, and to challenge its accuracy. An essential aspect of PIPEDA is that it provides a level of privacy protection equivalent to that of the EU, allowing the free flow of personal information from the EU to Canadian organizations.
At the same time, there is a critical difference between how personal data is approached in the U.S. and in Canada. State and federal laws in the U.S. form a patchwork of industry- and jurisdiction-specific regulations such as the California Consumer Privacy Act (CCPA) or the Health Insurance Portability and Accountability Act (HIPAA). Compared to data protection laws in the U.S., Canada’s privacy laws apply more comprehensively and encompass virtually all commercial entities throughout Canada. Among U.S. data privacy legislation, PIPEDA has the most in common with the CCPA/CPRA, which we examined in detail in our previous articles Core Aspects of California Consumer Privacy Act (CCPA) and CCPA vs. CPRA: Upcoming Changes to the Law.
Business owners operating in Canada or making transactions that involve the personal information of Canadians must know and understand the main PIPEDA rules and obligations. In other words, these businesses must be PIPEDA compliant. To ensure compliance, companies are obligated, among other things, to:
In addition to the above-mentioned requirements, organizations must implement policies and practices to respond to individuals’ inquiries, train personnel, and publicize their policies and procedures. Upon request, companies must explain their policies relating to the management of personal information, give individuals access to their personal information, and be able to inform them of the existence, use, and disclosure of that information. In essence, these privacy and security measures are best practices and are consistent with U.S. federal and state laws.
PIPEDA applies to all private-sector enterprises. The law does not cover non-profit organizations, political parties, schools, and hospitals if they do not participate in commercial activities. If such organizations retain membership lists that are sold, leased, or traded, PIPEDA regulations apply to them as well. Besides private-sector commercial businesses, PIPEDA also covers some federally regulated organizations, including financial, telecommunication, and banking institutions.
PIPEDA may apply to non-Canadian companies that obtain the personal data of Canadian residents, even if they operate outside Canada’s borders. The easiest way to determine whether PIPEDA applies to a U.S.-based company is to look at how it handles data. If the company conducts business in Canada and transmits the personal information of Canadians, then the law applies. What if the company does not obtain personal information directly, but instead receives it under a business contract with a Canadian company? In that case, the requirements will be set by the agreement with the Canadian partner.
At the same time, U.S.-based companies need to know that some Canadian provinces, namely Quebec, Alberta, and British Columbia, have separate consumer information privacy laws. If the U.S. organization is located in one of these provinces, it is exempt from PIPEDA rules.
The ability of Canada’s Office of the Privacy Commissioner (OPC) to penalize non-Canadian entities for PIPEDA non-compliance is limited. However, it has the authority to investigate cases of non-compliance to the extent that these entities obtain and handle the personal information of Canadians. Depending on the circumstances, a violator may be subject to the jurisdiction of the Canadian courts for a claim for damages by a PIPEDA complainant and may be fined up to CAD $100,000 per violation. To avoid penalties for non-compliance, protect their reputation, and maintain good business relationships, U.S.-based organizations should ensure that their privacy policies meet PIPEDA standards.
Thus, U.S.-based companies operating in Canada or making data transactions involving Canadians’ personal data must comply with Canadian data privacy laws, especially PIPEDA. Otherwise, they may face substantial difficulties in their business operations or even be subjected to penalties. The good news is that PIPEDA has many similarities with its U.S. counterparts, which means that American businesses largely know what to expect from PIPEDA requirements.
For more information about PIPEDA or other data privacy laws and regulations, consult the Planet 9 team. We’ll be happy to assist.