PIPEDA – The Canadian General Data Protection Regulation
In this article we explain everything about the Canadian data protection regulation PIPEDA and the upcoming CPPA regulation. In the next article we will go into more detail about Cookies & Consent.
What is PIPEDA?
PIPEDA is the abbreviation for Personal Information Protection and Electronic Documents Act and refers to the new Canadian General Data Protection Regulation. The amendment combines the two previous Canadian data protection laws, the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA), into a comprehensive regulation equivalent to the GDPR. The influence of the European General Data Protection Regulation can be seen in many places in PIPEDA, which is why it is often also called the GDPR Canada.
Similar to the GDPR, the Canadian Data Protection Act regulates the handling of personal data collected and stored in the course of commercial activities. The Personal Information Protection and Electronic Documents Act PIPEDA is therefore important for all companies that want to reach consumers in Canada with services and products, whether in a physical store or through distance selling. Commercial activities within the meaning of PIPEDA are all transactions and actions of a commercial nature or with commercial intent.
PIPEDA applies to companies and organizations that are federally regulated and subject to Canadian legislation. The Personal Information Protection and Electronic Documents Act also applies to the private sector of each province, unless a province has enacted its own data protection law that is broadly similar to PIPEDA. Only British Columbia, Alberta and Quebec have privacy laws that are broadly similar to PIPEDA. If a company is based in British Columbia, Alberta or Quebec, the Personal Information Protection and Electronic Documents Act still applies to personal information collected by that organization where the commercial use of the information crosses the boundaries of that province.
The 10 privacy principles in the Personal Information Protection and Electronic Documents Act PIPEDA
Businesses that need to comply with PIPEDA should familiarize themselves with the data protection principles of this GDPR for Canada in a timely manner. Ten points outline the rights and obligations that organizations must follow when conducting commercial transactions with Canadian consumers under the GDPR for Canada:
- Accountability
- Purpose limitation
- Consent
- Data avoidance and data economy
- Storage, use and processing
- Accuracy
- Integrity and confidentiality
- Openness
- Right to information
- Right to complain
Anyone who is familiar with the General Data Protection Regulation will already recognize many aspects in the overview of the 10 principles of PIPEDA that can also be found in the EU GDPR. Nevertheless, there are differences in detail, especially with regard to consent to the collection of personal data. Let’s take a quick look at each of the 10 points:
1. Accountability
The principle of accountability means that, above a certain size, an organization must appoint a person to be responsible for the management of the personal data it collects. This person is called the data protection officer in the GDPR; in the Personal Information Protection and Electronic Documents Act PIPEDA the role is called Privacy Officer or Chief Privacy Officer (CPO). In smaller companies, the Privacy Officer may also perform this role on a part-time basis. The Privacy Officer’s main task lies in the development, implementation and monitoring of procedures that meet the data protection requirements of PIPEDA. Furthermore, the Privacy Officer has to receive and answer complaints about data collection. Another important area is the training of employees and the communication of the data protection requirements relevant to each area of responsibility. If the consumer has given consent for data processing by third parties, the Privacy Officer is responsible for ensuring that those third parties comply with the PIPEDA requirements.
2. Purpose Limitation
Why does the company want to store a customer’s personal information? The purpose must be stated to the consumer at the latest at the time the data is recorded. Disclosure creates transparency, but also makes it easier for the company to implement purpose-specific access controls. According to PIPEDA, the purpose of data collection is to be communicated to every employee who comes into contact with customers. If, for example, a customer is asked for an address or telephone number when making a purchase at the checkout, the use of that information must be explained to the customer upon request. Paper forms and online forms that collect personally identifiable information from customers must also clearly describe the purpose of collection. Collected personal data may not be used for a new purpose without the express permission of the customer. The only exception is where legal requirements demand otherwise.
3. Consent
A company must not collect, use or disclose personal data without the knowledge and consent of the customer. The intention to collect customer data must be clearly and unambiguously communicated. If personal data is requested in a form, ambiguous formulations are therefore not permitted. A person must not be disadvantaged for refusing to provide information. Companies must therefore also make their products and services available to consumers who do not want to provide data that is unrelated to the product or service. There are a few exceptions: a company may forgo obtaining consent where there are legal or medical reasons for doing so. Safety reasons can also apply to certain products. And if information is collected for law enforcement purposes, consent is also waived. Consent can also be waived in cases where a person is a minor, seriously ill or mentally incapacitated. However, consent can also be given by an authorized representative.
When it comes to the type of consent, a distinction is made between:
- opt-in
- opt-out
In many cases, such as online registration, explicit consent from the consumer is required here just as in the European General Data Protection Regulation. An opt-out is usually not provided. For example, no checkboxes or buttons may be pre-ticked for cookie consent under PIPEDA, equivalent to the cookie rules in the GDPR. In principle, consent does not have to be given in writing; verbal consent is sufficient. For example, it is sufficient if an interested party gives their consent to be included in a newsletter by telephone. However, consent given over the phone regularly makes it more difficult for a company to provide evidence of that consent. In some cases, consent can also be derived directly from the actions of the consumer.
Consumers can withdraw their consent at any time, subject to contractual and legal restrictions and deadlines. The company must inform the customer of the consequences of withdrawing consent.
4. Data avoidance and data economy
The principle of limiting data collection to the amount of data required for a purpose also plays an important role in the European GDPR. The personal data collected by a company should be limited to what is necessary for an action within the framework of a business relationship.
The collection and storage of unnecessary personal data is also to be avoided according to PIPEDA. The fair and lawful handling of data, which is hidden behind the phrase “Fair and Lawful Means”, aims at the data sovereignty of the customer and the need for transparent processes. The purpose for which certain personal data should be collected must not be obscured by deception or ambiguous statements.
5. Storage, Use and Processing
The use of recorded data may only take place within the scope that is known to the customer and to which the customer has given consent. Disclosure or other use of personal data beyond this scope is not permitted under the Canadian General Data Protection Regulation PIPEDA. The retention periods are based on company requirements and other legal regulations. The recommended minimum retention period for companies is one year. This period leaves the company with sufficient capacity to check and comply with legal requirements. The maximum retention period is to be determined and disclosed by the company.
Unlimited storage of data is not permitted; the consumer must be informed on request when their data will be permanently deleted. If desired, data can be anonymized and destroyed ahead of time, subject to applicable retention periods. In addition, an organization must be able to disclose who has received consent to process the data and to what extent.
6. Accuracy
The principle of accuracy ensures that the personal data collected by a company is correct, complete and up-to-date for the purposes for which it is used.
It should be borne in mind that the data collected is to be used in the best interest of the consumer.
The accuracy requirement in PIPEDA is not only important for the relationship between company and customer. For example, if an organization collects personal data in order to screen applicant profiles before a recruitment process, it must ensure that incorrect or incomplete records do not result in disadvantages for applicants.
Updating Personal Information
Automatic and regular updating of personal data is generally not permitted. This guideline in the PIPEDA also applies to information that is passed on to third parties.
7. Integrity and Confidentiality
The principle of integrity and confidentiality means that personal data must be protected against loss or theft, unauthorized access, disclosure, copying, alteration or unauthorized use. This principle applies regardless of the format in which the data is stored.
Appropriate protective measures
The effort required depends on the size of the company. A small business that collects customer email addresses for an online newsletter can store the email addresses in a spreadsheet. If the spreadsheet is protected with a password and additionally strongly encrypted, adequate protection can be assumed.
Large organizations often manage sensitive personal data on a large scale, despite all efforts at data economy. These companies are also more likely to be targets for attackers, so much stronger security precautions need to be taken here.
All security measures should offer above-average protection for the personal data to be protected in order to ensure a high level of integrity.
Destruction of Personal Information
If personal data is to be disposed of or destroyed, the destruction must meet a high technical standard so that recovery can be ruled out, whether by human inspection or by technical means. This applies both to the physical destruction of paper documents and to the destruction of databases on storage media.
8. Openness
A company must make its policies and procedures for handling personal information easily accessible. Customers must therefore be able to access this information without complicated detours. Consumer inquiries about data protection must be answered in a reasonable time and as directly as possible. The information provided must be formulated in a way that is generally understandable. Legal terminology should be avoided.
Requirements from PIPEDA
According to PIPEDA, an organization must provide the following information upon request:
- Name or title and address of the person responsible for the organization’s policies and practices and to whom complaints or inquiries may be referred
- Ways to access personal data
- Type of personal data collected, including a description of its use
- Written information that explains the organization’s policies and standards
9. Right to information
Upon request and after authentication, a company must provide a person with information about the personal data stored about them and how it is used. If a customer doubts the correctness or completeness of the personal data, they can insist on having the recorded data changed. This can mean correcting, deleting or adding data.
Information about personal data can be refused for various reasons. This is the case when the information is subject to attorney-client privilege or where confidential business information would be disclosed.
Before granting access to personal data, a company must ensure that it is communicating with the right person.
Some organizations do this by asking for government-issued ID. If necessary, verification based on account information in combination with other information such as the maiden name or a stored password is also possible. However, strict authentication requirements must not constitute an obstacle to the right to information.
Information – time and costs
Requests for information shall be responded to in a reasonable time and at minimal or no cost to the individual. A request must be answered no later than 30 days after receipt. If, exceptionally, a company needs more time to provide the information, it must send the person an interim response and give a plausible reason for the delay.
10. Right to Complain
The right to complain anchored in PIPEDA enables customers and consumers to take targeted action against companies in the event of a violation of the provisions of the GDPR Canada.
Businesses must provide procedures to receive and respond to complaints and inquiries. These procedures should be simple and easy to use. Furthermore, under GDPR Canada, companies are required to follow up and investigate complaints even if they believe the complaint appears to be unfounded. If the complaint proves to be valid, appropriate corrective measures must be taken. The company’s Privacy Officer is responsible for receiving complaints and initiating these procedures.