Who Does PIPEDA Apply to?

PIPEDA stands for Personal Information Protection and Electronic Documents Act, Canada’s federal law for data protection. This law has been in effect since 2000, a long time before the boom of the massive data processing we witness today. It has been amended multiple times to adjust to the most recent technology and the new data collection and processing methods. Canadian legislators made the latest amendments in 2015.

What is the Purpose of PIPEDA?

According to Section 3 of PIPEDA, this law aims to establish rules for collecting, using, and disclosing personal information to ensure the protection of personal information of people.

PIPEDA fulfills its purpose by setting out the 10 PIPEDA principles. The principles are embedded throughout the law and are reflected in the provisions about transparency and accountability, collection, use, and disclosure of personal information, data subject rights, the right to challenge businesses’ compliance, limitation of purposes and collection, and others.

Businesses that need to comply with PIPEDA are obliged to take these principles into account and embed them into their privacy practices.

Whom Does PIPEDA Apply to?

The short answer is that PIPEDA applies to all Canadian businesses and foreign businesses that have some connection with Canada, such as collecting and processing the personal information of Canadians.

The long answer is that PIPEDA explicitly prescribes its applicability to Canadian businesses but doesn’t mention anything about foreign companies.

However, the general case law implies that Canada’s data protection law applies to foreign organizations with a real and substantial connection to Canada.

What does this mean?

According to Section 4 of PIPEDA, it applies to personal information that:

• Any organization collects, uses, or discloses for commercial purposes, or
• Is about an employee or job applicant.

It explicitly does not apply to:

• Government institutions
• Personal information collected, used, or disclosed for personal or domestic purposes, and
• Personal information collected, used, or disclosed for journalistic, artistic, or literary purposes.

Canada laws apply to Canadian companies by default, but PIPEDA mentions nothing about foreign companies collecting, using, or disclosing personal information collected from Canadians. And, many global companies are processing the personal data of Canadians.

The Office of the Privacy Commissioner of Canada (“OPC”) has found, though, that PIPEDA applies to foreign businesses when they handle the personal information of Canadians.

In the 411Numbers case, the OPC found that PIPEDA applies to a business with a real and substantial connection to Canada. The “real and substantial connection” may include whether the business processes personal data of Canadians, whether its privacy practices could impact Canadians, whether they market their products and services in Canada, and so on.

It is safe to conclude that PIPEDA applies to:

• Canada businesses, and
• Foreign businesses handling the personal information of Canadians.
  

Do Provincial and Sector-Specific Laws Apply?

Industry-specific privacy laws, such as the laws dealing with data privacy in the health, insurance, finance, and other sectors, apply simultaneously  with PIPEDA.

So, if your company operates in such a sector, you need to consider all the laws. In general, industry-specific regulations have some additional requirements compared to PIPEDA.

The laws of the Canadian provinces, on the other hand, apply under certain conditions. 

PIPEDA always precedes the provincial law if PIPEDA guarantees better data protection than the provincial legislation. However, if the federal Governor in Council declares a provincial data privacy law substantially similar to PIPEDA, provincial law applies. 

Private-sector privacy laws of Alberta, British Columbia, and Quebec have been deemed substantially similar to PIPEDA. Organizations in these provinces are generally exempt from PIPEDA regarding collecting, using, or disclosing personal information within that province. 

However, business operations rarely remain within the province borders. Businesses from one province usually have customers from other provinces as well. That makes personal information cross provincial or national borders, which makes it subject to PIPEDA and not to the laws of the province in which the organizations are based (including provinces with substantially similar legislation).

Federally regulated organizations such as airlines, airports, radio and television broadcasters, telecommunications companies, inter-provincial and international transport companies that conduct business in Canada are always subject to PIPEDA when they collect and process the personal information of individuals.

Read about Canada's newly proposed Consumer Privacy Protection Act - CPPA.

Final Words

If you are a Canadian business, you must comply with PIPEDA. If you are not based in Canada but do some business there, it is safe to assume that you need to comply. Just take the safe road and comply with it. Check out how to have a PIPEDA-compliant cookie banner.

You may also need to comply with the data protection laws of the Canadian provinces. Although most of them are not as comprehensive as the federal ones, some of the provinces have already passed or are about to pass more comprehensive data protection regulations, which means that you need to comply with them.

If you need to comply with PIPEDA, we have a data privacy solution to make your website compliant.