Personal Information Protection and Electronic Documents Act

Personal Information Protection and Electronic Documents Act
An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act
Citation S.C. 2000, c. 5
Enacted by Parliament of Canada
Date assented to 13 April 2000
Date commenced Section 1 in force 13 April 2000; Parts 2, 3 and 4 in force 1 May 2000; Part 1 in force 1 January 2001; Part 5 in force 1 June 2009
Legislative history
Bill 36th Parliament, Bill C-6
Introduced by John Manley, Minister of Industry

The Personal Information Protection and Electronic Documents Act (PIPEDA or the PIPED Act) is a Canadian law relating to data privacy.[1] It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents. PIPEDA became law on 13 April 2000 to promote consumer trust in electronic commerce. The act was also intended to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens. In accordance with section 29 of PIPEDA, Part I of the Act ("Protection of Personal Information in the Private Sector") must be reviewed by Parliament every five years.[2] The first Parliamentary review occurred in 2007.[3]

PIPEDA incorporates and makes mandatory provisions of the Canadian Standards Association's Model Code for the Protection of Personal Information, developed in 1995. However, there are a number of exceptions to the Code where information can be collected, used and disclosed without the consent of the individual. Examples include reasons of national security, international affairs, and emergencies. Under the act, personal information can also be disclosed without knowledge or consent to investigations related to law enforcement, whether federal, provincial or foreign.[4] There are also exceptions to the general rule that an individual shall be given access to his or her personal information. Exceptions may include information that would likely reveal personal information about a third party, information that cannot be disclosed for certain legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client privilege.[5]

Overview

"Personal Information", as specified in PIPEDA, is as follows: information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

The law gives individuals the right to

The law requires organizations to

Implementation

The implementation of PIPEDA occurred in three stages.[6] Starting in 2001, the law applied to federally regulated industries (such as airlines, banking and broadcasting). In 2002 the law was expanded to include the health sector. Finally in 2004, any organization that collects personal information in the course of commercial activity was covered by PIPEDA, except in provinces that have "substantially similar"[7] privacy laws. Five provincial privacy laws have been declared by the federal Governor in Council to be substantially similar to PIPEDA:

Personal Information Protection Act (British Columbia)

Notable provisions of PIPA:

[13]

Personal Health Information Protection Act (Ontario)

The Personal Health Information Protection Act, known by its acronym PHIPA (typically pronounced 'pee-hip-ah'), established in 2004, outlines privacy regulations for health information custodians in Ontario, Canada. Breaches of PHIPA are directed to the Ontario Information and Privacy Commissioner.[14]

The Personal Health Information Protection Act serves three important functions:

Remedies

PIPEDA does not create an automatic right to sue for violations of the law's obligations. Instead, PIPEDA follows an ombudsman model in which complaints are taken to the Office of the Privacy Commissioner of Canada. The Commissioner is required to investigate the complaint and to produce a report at its conclusion. The report is not binding on the parties, but is more of a recommendation. The Commissioner does not have any powers to order compliance, award damages or levy penalties. The organization complained about does not have to follow the recommendations. The complainant, with the report in hand, can then take the matter to the Federal Court of Canada. The responding organization cannot take the matter to the Courts, because the report is not a decision and PIPEDA does not explicitly grant the responding organization the right to do so.

PIPEDA provides, at section 14, the complainant the right to apply to the Federal Court of Canada for a hearing with respect to the subject matter of the complaint. The Court has the power to order the organization to correct its practices, to publicise the steps it will take to correct its practices and to award damages.

Proposed Bill C-475

As a result of long-enduring and central gap in Canada’s privacy protections, bill C-475 was proposed in February 2013 by Charmaine Borg, MP, which is a revision of the now outdated PIPEDA Act.[15] Bill C-475 was defeated in January 2014.[16]

See also

References

  1. McClennan, Jennifer P.; Schick, Vadim (2007). "O, Privacy: Canada's Importance in the Development of the International Data Privacy Regime". Georgetown Journal of International Law 38: 669–693.
  2. Section 29 of the Act
  3. PIPEDA Review – Privacy Commissioner of Canada
  4. Section 7, subparagraph (3)(c.1)(ii) of the act
  5. Subsection 9(3) of the Act
  6. "Implementation Schedule - PIPEDA". Privcom.gc.ca. Retrieved 2012-07-25.
  7. "Canada Gazette". Gazette.gc.ca. 2010-11-10. Retrieved 2012-01-17.
  8. "An Act respecting the protection of personal information in the private sector". .publicationsduquebec.gouv.qc.ca. Retrieved 2012-01-17.
  9. "BILL 38 - 2003: PERSONAL INFORMATION PROTECTION ACT". Leg.bc.ca. 2004-01-01. Retrieved 2012-01-17.
  10. "Alberta Queen's Printer:". Qp.gov.ab.ca. Retrieved 2012-01-17.
  11. "Personal Health Information Custodians in New Brunswick Exemption Order:". Department of Justice. 2011-11-17. Retrieved 2012-11-24.
  12. "Personal Health Information Custodians in Newfoundland and Labrador Exemption Order". Canada Gazette. 2012-10-10. Retrieved 2012-12-01.
  13. Perun, Halyna; Michael Orr; Fannie Dimitriadis (2005). "2". Guide to the Ontario Personal Health Information Protection Act. Toronto ON, Canada: Irwin Law. pp. 19–20. ISBN 978-1-4593-1363-7.
  14. "ipc.on.ca". ipc.on.ca. Retrieved 2012-01-17.
  15. "Private Member Bill Seeks to Bring Long Overdue Privacy Protections for Canadians". cippic.ca. Retrieved 2013-06-26.
  16. "Bill C475". openparliament.ca. Retrieved 2014-12-13.

External links