Privacy & Data Protection

On January 1, 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect across Canada, setting the rules for the collection, use and disclosure of personal information by Canadian organizations in the course of commercial activities, except intra-provincial commercial activities of organizations in a province where the province has enacted substantially similar legislation to the federal law. Currently those provinces are Quebec, British Columbia and Alberta.

Like the privacy provisions in Section J of the CMA Code of Ethics & Standards of Practice, the federal law is based on the ten basic principles of the CSA Model Code for the protection of Personal Information.

Organizations are now subject to new Breach of Security Safeguards Regulations that came into effect in November 2018, and new Guidelines for Obtaining Meaningful Consent that came into effect in January 2019.

In May 2019, the Government of Canada initiated an open consultation on a set of reform proposals to modernize PIPEDA, which followed the release of Canada's Digital Charter earlier that year. See our response here.

Many other jurisdictions around the world have enacted privacy legislation. It is incumbent upon an organization to familiarize itself with the laws of any country where it conducts its business. This includes the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as outlined below.

Latest CMA Updates

PIPEDA & Compliance

On January 1, 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect across Canada.

In November 2018, new Breach of Security Safeguards Regulations came into effect.

In January 2019, new Guidelines for Obtaining Meaningful Consent came into effect.

International Laws

The General Data Protection Regulation (GDPR) is a regulation by which the European Union (EU) intends to strengthen and unify data protection for all individuals within the EU. It also addresses the export of personal data outside the EU. This regulation came into effect in 2018, and applies to Canadian organizations if they:

  • have an establishment or physical presence in the EU, or
  • offer goods or services to EU residents (even at no charge), or
  • intentionally monitor or profile behaviours of individuals in the EU.

There are also implications if you are a third-party processor of EU personal data.

Organizations found to be non-compliant could run the risk of heavy fines of up to $5 of their global revenue.

The California Consumer Privacy Act (CCPA) establishes the rights of California consumers with respect to the collection, use, and disclosure of their personal information. It came into effect in January 2020.

The CCPA applies to Canadian for-profit businesses that collect, use, and disclose the personal information of California consumers, even if the businesses are not physically located in California and have no employees there, and that meet or exceed one of the following criteria:

  • have annual gross revenue more than $25 million, or
  • buy, receive, sell, or share the personal information of more than 50,000 California consumers, or
  • derive at least 50% of annual revenue from selling California consumers' personal information.

Technology & Law: Internet of Things (Connected Devices, Autonomous Vehicles), Blockchain, Artificial Intelligence, etc.

The future is here! The Internet of Things and connected devices, including smartphones, tablets, connected TVs, appliances and more, are being widely adopted. Meanwhile, connected machines and objects in factories offer the potential for a 'fourth industrial revolution'.

How the Law Applies

PIPEDA applies to most private sector organizations across Canada in the course of commercial activities, except in Quebec, British Columbia and Alberta. These provinces have their own private sector laws that are deemed "substantially similar" to PIPEDA. PIPEDA also applies to federally regulated businesses operating in Canada and their employee information, including in Quebec, British Columbia, and Alberta. In addition, all businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of which province or territory they are based in.

Please note that non-profit status does not automatically exempt an organization from PIPEDA. Non-profit, charitable and membership-based organizations can still be engaged in commercial activity that triggers PIPEDA, such as the selling, bartering, or leasing of donor, membership or other fundraising lists. The courts have upheld that PIPEDA has extraterritorial application (to organizations outside of Canada) if there is a "real and substantial" connection between Canada and the activity undertaken in a foreign jurisdiction.

To find out which Canadian privacy law applies to your organization and its specific activities, see the Office of the Privacy Commissioner of Canada's website here. Other privacy laws may apply to your organization instead of, or in addition to, PIPEDA; for example, if your organization is a federal government institution it is subject to the Privacy Act.
