What is the Personal Information Protection and Electronic Documents Act (PIPEDA)?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal statute that governs how private-sector organisations collect, use, and disclose personal information in the course of commercial activities, and how individuals can access and request correction of their personal information. PIPEDA received Royal Assent on April 13, 2000 and came into force in stages between January 1, 2001 and January 1, 2004. It is administered and enforced by the Office of the Privacy Commissioner of Canada (OPC), an independent agent of Parliament.

PIPEDA applies to all private-sector organisations engaged in commercial activities anywhere in Canada except in provinces with substantially similar legislation. Quebec's Act respecting the protection of personal information in the private sector (1994, modernised in 2021 by Law 25), Alberta's Personal Information Protection Act (2004), and British Columbia's Personal Information Protection Act (2004) have been declared substantially similar; in those provinces PIPEDA still governs federally regulated employers (banks, airlines, telecommunications) and interprovincial and international transfers of personal information.

PIPEDA is built on 10 fair-information principles drawn from the Canadian Standards Association Model Code: accountability, identifying purposes, consent, limiting collection, limiting use, accuracy, safeguards, openness, individual access, and challenging compliance. Organisations must obtain meaningful consent before collecting personal information, must use it only for the identified purposes, must protect it with appropriate safeguards, and must allow individuals to access and correct their information. The Digital Privacy Act of 2015 added mandatory breach reporting (in force November 1, 2018).

Enforcement of PIPEDA has been comparatively weak by international standards. The Privacy Commissioner can investigate complaints, conduct audits, and make recommendations, but cannot directly issue fines for most violations. Bill C-27 (the Digital Charter Implementation Act, 2022), which has been before Parliament since 2022, would replace PIPEDA with the Consumer Privacy Protection Act and create the Personal Information and Data Protection Tribunal with administrative monetary penalties of up to 5 per cent of global revenue or $25 million. The Bill also includes the Artificial Intelligence and Data Act and the Personal Information and Data Protection Tribunal Act.