In Canada, the Personal Information Protection and Electronic Documents Act (the “PIPEDA”) is a federal law regulating the collection, use, and disclosure of personal information by private organizations during commercial activities. The PIPEDA is key legislation that aims to safeguard the privacy of individuals by setting out clear rules for the management of personal information by private organizations.
The PIPEDA applies to all private organizations that collect, use, or disclose personal information, but it does not apply to journalistic, artistic, or literary purposes or purely personal activities. The law defines personal information as any information that can be used to identify an individual, such as their name, address, age, financial history, criminal history, and so on. Organizations that handle personal information must comply with ten principles listed in the PIPEDA, including accuracy, limitation of use, safeguards, retention, openness, and individual access.
The PIPEDA also includes provisions for the legal recognition of electronic documents and signatures. Electronic documents and signatures are acceptable where federal law requires a document or signature listed in Schedule 2 of the PIPEDA. The Canada Evidence Act has been amended to allow for the recognition of electronic documents as evidence in federal court proceedings, and guidelines have been established to establish the authenticity and credibility of electronic documents as evidence.
Non-compliance with the PIPEDA may result in an investigation by the Commissioner, who may resolve disputes, publish public reports of an organization’s information management practices, and award damages to complainants for humiliation. It is an offence to obstruct an investigation of the Commissioner.
The implementation schedule of the PIPEDA has been in several stages. Since January 1, 2000, the PIPEDA has applied to all personal employee and client information of federally regulated private sectors and all organizations that disclose information for consideration on an interprovincial and/or international basis. Since January 1, 2002, the law has applied to personal health information of the organizations and activities covered in the first stage above. Since January 1, 2004, the law has applied to every private sector organization that collects, uses, or discloses personal information in the course of commercial activity.
Although PIPEDA is a federal law, if a province enacts legislation that is similar to PIPEDA, then that province’s privacy legislation will govern. While the electronic documents provisions of PIPEDA can be significant for businesses that record Internet-related transactions in electronic document format (i.e., PIPEDA has provisions that establish a basis for the legal recognition of electronic documents and signatures), it is important to examine whether the province in question has enacted legislation addressing electronic documents; for example, in Ontario, the applicable legislation is the Electronic Commerce Act.
In conclusion, PIPEDA is a critical piece of legislation in Canada that protects personal privacy and regulates the private sector’s collection, use, and disclosure of personal information. With the rise of electronic documents and signatures, it is important for organizations to be aware of their legal obligations under the law and to take appropriate measures to ensure compliance.