What is PIPEDA Canada?

The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s personal data privacy law, came into force in stages, beginning on January 1, 2001. The law became fully effective on January 1, 2004. PIPEDA is enforced through Canadian criminal law and through monetary fines; PIPEDA Canada enforcement is explained below.

What is PIPEDA Canada? Criminal Offenses

As is the case with certain violations of the Health Insurance Portability and Accountability Act (HIPAA), certain PIPEDA Canada violations are crimes. Normally, when a PIPEDA violation is alleged, the Canadian government investigates the violation. The investigation includes mediation of the dispute between the person complaining and the organization alleged to have violated the law. Three specific violations, however, are generally not mediated; they are prosecuted. These include:

  • Purposely destroying information after receiving a request to review that information.
  • Retaliatory behavior against employees who attempt to follow PIPEDA. HIPAA OCR investigations also prohibit retaliation against individuals who have filed complaints.
  • Obstructing investigations after a complaint is lodged.

What is PIPEDA Canada? Monetary Fines

PIPEDA Canada, like HIPAA in its early days, lacked a mechanism for effective enforcement. Although HIPAA was signed into law in 1996, it was not until March of 2006 that the HIPAA Enforcement Rule went into effect. With the creation of the HIPAA Enforcement Rule, the Office for Civil Rights (OCR) was given the authority to enforce the HIPAA Privacy Rule and the HIPAA Security Rule. The HIPAA Enforcement Rule authorized OCR to issue civil monetary penalties (CMPs) to non-compliant organizations.


Before 2018, reporting data breaches was voluntary under PIPEDA. In 2018, PIPEDA was amended to require reporting of breaches that risked harming one or more individuals. Now, under PIPEDA, organizations must maintain records of all data breaches for 24 months following the initial discovery of a breach. To put teeth into PIPEDA enforcement, the 2018 amendments also created monetary penalties for non-compliance. Organizations that knowingly violate PIPEDA requirements for proactive security safeguards, data breach reporting, and keeping data breach records may be fined up to $100,000 in Canadian dollars (CAD) per violation. Canada’s Department of Justice decides which cases to prosecute.

What is PIPEDA Canada? The Complaint Process

The PIPEDA Canada complaint process begins when an individual files a complaint with the Office of the Privacy Commissioner of Canada (OPC). When an individual files a complaint under PIPEDA, the OPC first determines whether the matter is covered by PIPEDA. If the matter is not covered by PIPEDA, the OPC does not investigate. If the matter is covered by PIPEDA, the OPC accepts the complaint and investigates it. When appropriate for the privacy issue in question, the OPC then works with the individual and the organization to resolve the complaint in the early stages of the investigation process. If mediation efforts are not successful, a formal investigation is conducted. The OPC may find the complaint to be well-founded or not well-founded. If a complaint is found to be well-founded, it can be prosecuted in federal court.