What Is PIPEDA: The Canadian Data Privacy Law Explained

Key Takeaways: What Is PIPEDA?

• The Personal Information Protection and Electronic Documents Act (PIPEDA) is one of Canada’s most important data protection laws. It applies to private organizations that engage in commercial activities and federally regulated organizations like banks and airlines, and it ensures that consumers’ personal information isn’t mismanaged.
• Under PIPEDA, consumers have a right to see how their data is used, request that corrections be made to any personal information stored, and give or take away consent for data sharing.
• In the event of a data breach or consumer privacy complaint, the Office of the Privacy Commissioner of Canada investigates any potential wrongdoing. Companies may be fined up to CAD $100,000 if convicted of deliberate misuse of consumer data.

Facts & Expert Analysis About the Personal Information Protection and Electronic Documents Act:

• High corporate responsibility: Each organization is responsible for making sure it complies with PIPEDA. This means designating a privacy expert and reporting issues to the Canadian Privacy Commissioner.
• Provinces may apply their own privacy laws: PIPEDA applies to most private sector organizations, but some provinces have their own privacy laws. Most of these provincial laws are similar enough to PIPEDA that the federal law doesn’t need to apply to organizations in those provinces — unless data crosses provincial borders.
• Covers personal information: PIPEDA protects a lot of personal data that can be used for identifying purposes. This includes names, addresses, and health and credit records, to name a few.

Best PIPEIDA-Compliant Cloud Storage

www.sync.com

200GB$2.65 / month

(save 40%) (All Plans)

Visit Sync.comReview

Canada and its provinces have privacy laws that regulate personal information. Most private or federally regulated organizations must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). If you’re using Canada-based companies or services, you should know what this law is and how it affects your privacy.

PIPEDA protects personal information that can be used to identify consumers, like names, contact details or financial data. Under this act, individuals have the right to access their data, correct inaccuracies and file complaints with the Office of the Privacy Commissioner of Canada if their rights are violated. 

A cloud storage provider based in Canada needs to follow PIPEDA or one of the similar provincial privacy laws. See our list of the best cloud storage providers for several privacy-friendly options. If you’re still wondering, “What is PIPEDA?” keep reading to see which data it applies to and how even non-Canadians can benefit.

What Is PIPEDA: The Personal Information Protection and Electronic Documents Act

PIPEDA, or the Personal Information Protection and Electronic Documents Act, is a Canadian federal privacy law. It requires private organizations engaged in commercial activities in Canada to abide by 10 fair information principles. 

The aim of PIPEDA is to protect the privacy of identifiable individuals’ personal information. It also guarantees users the right to be updated on how their data is used, and requires companies to obtain consent before they collect, use or disclose personal information. 

PIPEDA has strong ground rules that prevent organizations from inappropriately disclosing personal data. However, it’s not one of the best privacy laws — Switzerland offers better privacy protections, for example. Read our breakdown of the Swiss Constitution and DPA to see how PIPEDA compares.

What Are the 10 Principles of PIPEDA?

Organizations have to follow 10 fair information principles in order to be compliant with PIPEDA.

What Is Personal Information Under PIPEDA?

PIPEDA covers a lot of information that a company can collect from you. It protects data that can be used to identify individuals, such as:

• Age
• Name
• ID numbers
• Income
• Credit records
• Loan records
• Ethnic origin
• Blood type
• Medical records
• Opinions
• Social status
• Employee files
• Consumer disputes
• Personal intentions (in career, spending or relocation)

What Isn’t Personal Information Under PIPEDA?

Under PIPEDA, only information that can identify an individual is considered personal and subject to protection. The following types of information fall outside of this scope:

• Personal data collected by federal government organizations, like the Canada Revenue Agency or immigration department. Although it is the same data — name, age or ID, for example — it falls under the Privacy Act when held by a government body. 
• Information held by provincial or territorial governments. Most provinces and territories have their own privacy laws and aren’t subject to PIPEDA, unless that data crosses provincial borders.
• Business contact information, business address or other general work information. Data like your job title and work email is considered business contact information and isn’t covered by PIPEDA. However, personal information about employees, such as work records and performance reviews, is covered.
• Data collected by an individual for personal purposes. If an individual collects personal data for private, non-commercial purposes, such as maintaining a personal contact list, PIPEDA doesn’t apply.
• Any information collected for artistic, journalistic or literary purposes. Examples of this include quotations for a news article or personal data collected for an autobiography. 

Who Is Subject to PIPEDA Compliance?

PIPEDA regulations apply to organizations that operate within or have close ties to Canada. Although it doesn’t apply to the government, PIPEDA does encompass federally regulated organizations, such as:

• Airlines
• Banks
• Offshore drilling operations
• Telecommunications companies
• Radio and television broadcasters
• Interprovincial or international transportation companies

Who Is Exempt From PIPEDA Compliance?

There are a few exemptions to this privacy law, including:

• Non-profits
• Political parties
• Charity organizations 
• Organizations covered by provincial laws, such as municipalities, universities and hospitals 

However, these organizations can lose their exemption in certain conditions. If they take part in commercial activities that aren’t related to their mission objectives, they may be responsible for following PIPEDA.

How Private Sector Organizations Comply With PIPEDA

To comply with PIPEDA, private sector organizations are responsible for creating and implementing strong privacy management practices. This means assigning an individual to oversee data, and training new hires on how to treat user information and obtain consent.

Beyond this, organizations also need to keep on top of any security concerns within their industry and know how to protect against them. They can do this by using the latest security technologies, such as implementing client-side encryption and minimizing the amount of data they collect.

Enforcement & Penalties for Non-Compliance With PIPEDA

The Office of the Privacy Commissioner of Canada (OPC) is in charge of overseeing PIPEDA. Any privacy concerns, including concerns that the commissioner spots, are up to the OPC to investigate.

If the investigation reveals inadequate security measures or inappropriate disclosure of personal information, the OPC may refer the case to the Attorney General of Canada. Any company that knowingly violates PIPEDA requirements or interferes with OPC investigations can be found guilty, with the following penalties:

• Up to CAD $10,000 for a summary conviction
• Up to CAD $100,000 for an indictable offence

PIPEDA Data Breach Notification Requirements

One of the key aspects of complying with PIPEDA is responsibility for data security. This means owning up to any major data breaches and seeking to improve security to prevent it from happening again.

Companies don’t need to report every breach to the OPC and affected individuals. Instead, they need to report breaches involving personal information only if they pose a risk of significant harm to an identifiable individual. Significant harm includes physical injury, humiliation and damaged reputation.

Other Canadian Data Privacy Laws

Canada has multiple privacy laws to which businesses may need to adhere. Which laws an organization needs to follow depends on where it is based, whether information is crossing provincial or national borders, and the type of information involved.

• The Privacy Act: One of the two federal Canadian privacy laws (PIPEDA being the second), the Privacy Act deals with personal information collected by the federal government. This data is used to provide services such as retirement funds, employer insurance, border security, the federal justice system and tax collection.
• PIPA: The Personal Information Protection Act is a set of privacy regulations in Alberta with the same scope as PIPEDA. 
• FIPPA: The Freedom of Information and Protection of Privacy Act is similar to PIPEDA but applies only to public sector organizations — government entities like universities and agencies — within British Columbia and Ontario.
• PHIPA: The Personal Health Information Protection Act is a privacy law in the province of Ontario. It manages the collection, use and disclosure of personal health information.
• ATIPPA: The Access to Information and Protection of Privacy Act is similar to PIPEDA and covers Newfoundland and Labrador. 
• FOIPOP: The Freedom of Information and Protection of Privacy Act is a privacy law in Nova Scotia. Unlike PIPEDA, it applies not just to organizations but also to government departments.

Why PIPEDA Is Important for Cloud Storage Companies

Signing up for and uploading files to cloud storage platforms comes with a risk, as you’re giving a lot of personal data to a third party. Privacy laws like PIPEDA are essential for making sure the cloud storage provider keeps your data safe.

Any cloud service based in Canada needs to follow PIPEDA. This means obtaining consent to collect personal data, informing users of how their data will be used and keeping track of data insecurities. Since PIPEDA regulations apply to all customers, not only Canadian residents, users in other countries can also benefit from the extra privacy.

Sync.com — The Best PIPEDA-Compliant Cloud Storage Service

Sync.com Review | The Most Secure Cloud Storage Available?

www.sync.com

200GB$2.65 / month

(save 40%) (All Plans)

Visit Sync.comReview

Pros:

• Client-side encryption across all storage
• Privacy verified through independent audits 
• Compliant with Canadian privacy laws, including PIPEDA
• Complies with foreign privacy regulations such as the GDPR

Cons:

• Not open-source

Sync.com is an Ontario-based cloud storage provider that complies with PIPEDA, FIPPA, PIPA, PHIPA, ATIPPA and FOIPOP legislation. Since Sync.com is based in Canada, it’s required to comply only with Canadian law enforcement. However, the client-side encryption means Sync.com can’t access your files, so your data will never be revealed to anyone.

On top of this, Sync.com follows GDPR regulations and has been independently audited. It is also SOC 1, 2 and 3 certified, which means it has undergone audits that indicate whether a company has sufficient controls in place. You can read our full Sync.com review for more details on its dedication to privacy.

30-days money-back guarantee

Free

• 5GB

FREE

Personal

• 200GB

1-year plan

$2.65/month

$60 $31.80 billed every year

Save 40%

Pro Solo Basic

• 2TB

1-year plan

$4.80/month

$96 $57.60 billed every year

Save 40%

More plans

Pro Solo Professional

• 6TB

1-month plan

1-month plan

$24/month

1-year plan

$11.67/month

$240 $140 billed every year

Save 51%

Pro Teams Standard

• Price includes 3 users
• 1TB

1-year plan

$18/month

$216 billed every year

Pro Teams+ Unlimited

• Monthly price for 1 user (3 users minimum) Yearly price for 3 users
• Unlimited GB

1-month plan

1-month plan

$15/month

Save 59%

1-year plan

$36.67/month

$540 $440 billed every year

Enterprise

• Minimum 100 users, custom requirements, account manager, training options

Contact support for pricing

Final Thoughts

PIPEDA ensures that organizations based in Canada protect personal information, which means that any identifying data you provide won’t be sold or misused. Choosing a cloud service that complies with PIPEDA will keep your data secure. We highly recommend Sync.com.

How do you feel about PIPEDA after reading this guide? Do you feel more comfortable with Canadian services, or do you trust other privacy laws more? Would you use Sync.com knowing that it complies with PIPEDA regulations? Let us know in the comments. Thank you for reading.

FAQ: Canada Data Privacy Laws

• Is There a HIPAA Equivalent in Canada?

  Canada doesn’t have a direct equivalent to HIPAA. However, PIPEDA does cover health-related data that certain private sector organizations collect. Other health data is protected under province-specific privacy laws. PIPEDA aims to protect personal health information and any other data that can identify an individual.

• What Is the Difference Between CCPA and PIPEDA?

  The California Consumer Privacy Act (CCPA) and the Personal Information Protection and Electronic Documents Act (PIPEDA) are similar. PIPEDA is consent-based, so organizations must obtain consent before collecting or using personal data. The CCPA provides the right to opt out of data sales and request that data be deleted.

  PIPEDA covers data collected as a result of commercial activities, whereas the CCPA specifically covers for-profit entities.

• Does PIPEDA Apply to U.S. Companies?

  PIPEDA doesn’t usually apply to U.S. companies since it’s a Canadian privacy law. However, if a U.S. company handles Canadians’ data in its commercial activities, such as transferring personal information across the border, it may be held to PIPEDA standards.