Data Processing Regulations in Canada – a Primer on PIPEDA
According to the Canadian federal government, Canada has more computers per capita than any other country worldwide. Canadians are also the heaviest internet users worldwide, with the average Canadian spending 40 hours online per month. However, our collective internet use comes with risks to both individuals and businesses. In fact, 70% of Canadian businesses have been victims of a cyber-attack.
It is therefore crucial that Canadian businesses are aware of their responsibilities regarding how to handle the personal information of their users.
PIPEDA is the Personal Information Protection and Electronic Documents Act. This federal privacy law for private-sector organizations outlines the ground rules for how businesses must handle personal information in the course of commercial activity. PIPEDA applies to private-sector organizations in Canada that process personal information in the course of commercial activity. All businesses that operate in Canada and handle information that crosses Canadian provincial or national borders are subject to PIPEDA.
In a 2017 decision, the Federal Court of Canada held that PIPEDA applies to businesses established outside of Canadian jurisdictions as long as a “real and substantial connection” exists between a business’s activity and Canada. This effectively includes all Canadian startups.
Appointment of Processors
Under PIPEDA, any organization is required to use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. The failure to have appropriate confidentiality agreements in place with third-party contractors has been found to be a breach of the accountability principle. PIPEDA does not prescribe specific provisions or requirements for these agreements; the applicable industry standard is an acceptable benchmark (e.g. the industry standard for health data).
Transferring Data Outside of Canada
PIPEDA generally permits even non-consensual transfer of data outside of Canada, provided the organization uses contractual or other means to provide a comparable level of protection while the information is being processed by a third party. However, it is good practice, and required by some jurisdictions (Alberta), that an organization using a data processor outside of Canada specify the foreign jurisdictions to which the data is transferred and the purposes for which the foreign service provider has been authorized to process data on its behalf.
Notice of Breach
PIPEDA underwent a number of amendments in 2015. These included a three-pronged notice requirement in the event of a security breach. The three include:
a. a description of the circumstances of the breach;
b. the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
c. a description of the personal information that is the subject of the breach, to the extent that the information is known;
d. a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach.
Failure to report a breach or to maintain records as required is an offence under PIPEDA, punishable by a fine of up to C$100,000.
Businesses, especially startups, should proactively audit their existing consent policies and practices to ensure they are compliant with the new GOMC. Businesses should be prepared to demonstrate compliance with PIPEDA, in particular with respect to these new consent requirements. Periodic review and reassessment of best practices is also highly recommended.
Blog posts are by students at the Business Venture Clinic. Student bios appear under each post.