Commercial Obligations under the Personal Information Protection and Electronic Documents Act and the Potential Changes to Canada’s Privacy Laws
With the rising prevalence of electronic commerce and the Government of Canada’s new proposed Bill C-27, the Digital Charter Implementation Act, your business or organization should take active steps to comply with its obligations under Canada’s privacy legislation.
Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Application
PIPEDA is federal legislation that governs the collection, use, disclosure and deletion of personal information by private sector companies and organizations in the course of commercial activities.
PIPEDA defines personal information as “information about an identifiable individual.” Examples of personal information include:
- Age, name, ID numbers, income, ethnic origin, health related information;
- Opinions, evaluations, comments, social status, or disciplinary actions;
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
The definition of “personal information” should be interpreted broadly. Personal information “about” an identifiable individual means the information relates to or concerns the subject. “Identifiable individual” means there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information.
PIPEDA defines commercial activity as a “particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”
Because PIPEDA’s application is tied to commercial activities, PIPEDA generally does not apply to not-for-profit corporations, charities, or political parties and associations. However, such entities are not categorically exempt: PIPEDA generally applies to them where they engage in commercial activities that involve personal information. For example, PIPEDA may apply to a not-for-profit athletic club that sells memberships or otherwise engages in commercial activities.
Furthermore, PIPEDA typically does not apply to:
- Personal information held by federal government organizations listed under the Privacy Act;
- Provincial or territorial governments and their agents;
- Information such as an employee’s name, title, or contact information that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment;
- An individual’s collection, use or disclosure of personal information strictly for personal purposes; and
- An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.
Nevertheless, all organizations that collect personal information should be aware of the ten fair information principles in PIPEDA so that they can follow privacy best practices in relation to their commercial activities (or activities that could be commercial in nature).
Ten Fair Information Principles and the Standard of Reasonableness
Under PIPEDA, personal information may only be collected, used or disclosed with the knowledge and consent of the individual; the collection of personal information must be limited to what is necessary for the identified purposes; and personal information must be collected by fair and lawful means.
PIPEDA’s ten fair information principles form the rules for the collection, use, storage and disclosure of personal information, as well as for providing access to personal information.
The ten principles are the following:
- Accountability: An organization is responsible for personal information under its control.
- Identifying Purposes: The purposes for which personal information is being collected must be identified before or at the time of collection.
- Consent: The knowledge and consent of an individual is required for the collection, use, or disclosure of their personal information.
- Limiting Collection: The collection of personal information must be limited to that which is necessary for the purposes identified by the organization before or at the time of collection.
- Limiting Use, Disclosure, and Retention: Unless an individual consents or is otherwise required by law, personal information can only be used or disclosed for the purposes for which it was collected. Moreover, personal information must only be retained as long as required to serve such purposes.
- Accuracy: Personal information must be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used.
- Safeguards: Personal information must be protected by security safeguards appropriate to the sensitivity of the information, which under PIPEDA’s Schedule 1 include physical, organizational and technological measures.
- Openness: An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
- Individual Access: Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance: An individual should be able to challenge an organization’s compliance with PIPEDA.
Additionally, PIPEDA applies a standard of reasonableness: an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances, which guards against unfair, unethical or discriminatory treatment of any individual contrary to human rights law.
Enforcement of PIPEDA
The Office of the Privacy Commissioner of Canada (“OPCC”) oversees compliance with PIPEDA. The role of the OPCC is to facilitate the resolution of complaints. The OPCC may investigate complaints and issue a report setting out non-binding recommendations. The OPCC can also investigate an issue in the absence of a complaint if it believes an investigation is warranted. Once an investigation is completed, the OPCC or the complainant may apply to the Federal Court to seek enforcement and/or damages.
Anticipated Changes to Canada’s Privacy Laws
On June 16, 2022, the Government of Canada tabled Bill C-27, the Digital Charter Implementation Act, to “strengthen Canada’s private sector privacy law, create new rules for the responsible development and deployment of artificial intelligence (AI), and continue advancing the implementation of Canada’s Digital Charter.” Bill C-27 recently completed its second reading in the House of Commons. The Digital Charter Implementation Act would enact three new statutes: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.
According to the Government of Canada, the Consumer Privacy Protection Act will “raise the bar for privacy protection in Canada” by providing clearer rules for handling personal information. The Consumer Privacy Protection Act would replace Part 1 of PIPEDA (protection of personal information), provide for more significant consequences for non-compliance, and create new opportunities for legal claims in response to breaches of privacy.
For more information about your commercial obligations under Canada’s privacy legislation, our experienced Business Law lawyers can assist you. To learn more about how we can assist you, please contact us online or by telephone at (416) 863-0125.
At Mills & Mills LLP, our lawyers regularly help clients with a wide range of legal matters including business law, real estate law, estate law, employment law, health law, and tax law. For over 130 years, we have earned a reputation amongst our peers and clients for quality of service and breadth of knowledge. Contact us online or at (416) 863-0125. The material provided through the Mills & Mills LLP website is for general information purposes only. It is not intended to provide legal advice or opinions of any kind.