Electronic Commerce in Canada

Questions and Answers

Government of Canada Reintroduces Amendments to Canada's Private Sector Privacy Law

Q1. What is PIPEDA?

A. PIPEDA, the Personal Information Protection and Electronic Documents Act, sets out rules that organizations must follow when collecting, using or disclosing personal information in the course of commercial activity (referred to as Part 1). The Act also recognizes electronic signatures and allows for an electronic alternative when doing business with the federal government (referred to as Parts 2–5).

PIPEDA is an important mechanism in maintaining trust and confidence in the digital economy. Clear and consistent rules for the protection of personal information are crucial to the online marketplace. The Act has broad support in Canada and is recognized internationally as an effective and balanced approach to privacy protection.

Q2. How is PIPEDA enforced?

A. PIPEDA relies on an ombudsman model, with oversight and redress mechanisms provided through the Privacy Commissioner of Canada and the Federal Court.

Q3. Why was PIPEDA reviewed?

A. Part 1 of the Act is mandated to be reviewed by Parliament every five years. The Act came into force on January 1, 2001, and the first statutory review took place from November 2006 to May 2007.

The review, conducted by the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI), provided Parliament and the government with the opportunity to hear from a broad range of consumer and business representatives, as well as academics and privacy commissioners, on the impact and effectiveness of the Act in protecting the privacy of Canadians.

Q4. What conclusions did the Committee reach?

A. Following the Committee hearings and the review of the various stakeholder submissions, the Committee released a report in May 2007 that underlined the importance of an effective legal framework for the protection of personal information in Canada. In its report, the Committee observed that major changes to the Act are not needed, but that the legislation could benefit from some minor changes to "fine-tune" some of its provisions and increase harmonization with provincial privacy laws. With this goal in mind, the Committee made 25 recommendations that addressed key issues raised by stakeholders during the review.

Q5. What was the process for developing the proposed amendments?

A. The Government Response to the Parliamentary Report agreed with the Committee that radical changes to the legislation are not warranted at this time. The government further agreed with the Committee on the need and benefit of "fine-tuning" the legislation and committed to working with stakeholders to ensure that the changes to PIPEDA were the most effective possible. The amendments being proposed benefit from stakeholder input obtained both formally through a Canada Gazette process and informally through a series of bilateral and multilateral stakeholder consultations.

Q6. What are the objectives of the proposed amendments?

A. Taking into consideration the recommendations made by the Committee and the results of Industry Canada's consultations, the proposed amendments are aimed at better protecting and empowering consumers, clarifying and streamlining rules for business, enabling effective investigations by law enforcement and security agencies and making linguistic and other technical drafting corrections.

Q7. Are there major amendments being proposed?

A. The majority of the proposed amendments seek to "fine-tune" the legislation and update it to reflect changes in markets and technology. However, a key change will require organizations to report data breaches (referred to in the Bill as "breaches of security safeguards") involving personal information to the Privacy Commissioner and to notify affected individuals when there is a risk of significant harm such as identity theft or fraud.

Q8. Who will decide if a consumer should be notified of a data breach?

A. Industry Canada worked extensively with stakeholders to develop an effective and practical approach for data breach reporting in Canada. The proposed amendments reflect agreement that a risk-based model should be used, and that the organization that has control of the data at the time of the breach should have responsibility for determining whether consumers should be notified. It was felt that the organization would be in the best position to assess the extent of potential harm to individuals arising from the breach.

Q9. How will Canadian businesses be impacted by the new data breach notification requirements?

A. The majority of businesses already notify affected individuals of a data breach that presents a risk of harm to their customers, and as such will not find the new notification requirements overly burdensome. A legislative requirement will create a "level playing field" by holding all organizations to this standard.

The new requirements will rely on the existing framework of PIPEDA and the existing ombudsman approach to the Act. This will encourage organizations to continue seeking advice and assistance from the Office of the Privacy Commissioner of Canada in their efforts to comply with the Act.

Q10. How will the Privacy Commissioner become involved?

A. Organizations suffering a breach of data involving personal information will also be responsible for reporting data breaches to the Privacy Commissioner of Canada. The determination of whether to report a breach will be based on factors related to the particular circumstances of the data breach, such as the sensitivity of the information involved and the number of individuals affected.

Q11. How will the new data breach measures be enforced?

A. The government's new data breach regime will rely on the current framework of PIPEDA and the existing ombudsman approach to the Act.

The Privacy Commissioner of Canada currently has the ability to publicly name organizations that have contravened the Act if she believes that it is in the public interest to do so.

The second statutory parliamentary review of PIPEDA, expected to take place once these amendments have been passed, offers an opportunity for a thorough discussion of the Act's compliance regime as a whole.

Q12. Do the amendments address consumer concerns respecting identity theft?

A. The new requirements for reporting data breaches will complement the new identity theft-related provisions of the Criminal Code, as they will give consumers the information they need to protect themselves against identity theft and other fraud arising from the loss or theft of their personal information. They will also give the Privacy Commissioner of Canada the information she needs to continue to assess the extent of the problem.

Q13. How do the amendments increase harmonization with provincial laws?

A. As many of the proposed amendments to the Act draw upon approaches taken by provincial privacy laws, they increase the alignment of the federal and provincial privacy protection laws. The new data breach reporting requirements are also in line with new provisions added to Alberta's privacy law.

Q14. How will the changes affect the alignment of privacy laws across the country?

A. As the new measures do not drastically alter the overall scheme of PIPEDA, they do not affect the "substantially similar" designation of the provincial statutes in Alberta, British Columbia, Ontario and Quebec.

Q15. How do the new amendments aid in streamlining rules for business?

A. The government is committed to supporting business by providing greater clarity and certainty with respect to key provisions of PIPEDA, and in ensuring that the Act can accommodate the legitimate needs of business for personal information. The bill proposes exceptions to consent for the collection, use and disclosure of information needed for, among others, managing the employment relationship, information produced for work purposes ("work product"), and information used for due diligence in business transactions. Organizations will also be able to share and use business contact information that is required to conduct day-to-day business.

In addition, a new provision allowing the disclosure of personal information without consent for private sector investigations and fraud prevention will replace a regulatory process that has been burdensome for small and medium-sized organizations.

Q16. How do the proposed amendments support effective law enforcement?

A. Another key thrust of the bill is supporting effective law enforcement. The government considers the safety and security of Canadian citizens to be of utmost importance. Proposed amendments will reaffirm the view that the information needs of law enforcement and security agencies can be met while respecting the privacy rights of Canadians. Proposed amendments would make it clear that organizations may collaborate with government institutions, such as law enforcement and security agencies that have requested personal information, in the absence of a warrant, subpoena, or order, in accordance with the circumstances set out in the Act. Furthermore, to avoid jeopardizing investigations, new provisions would prohibit organizations from notifying an individual about the disclosure of his or her personal information to law enforcement and security agencies where the government institution to whom the information was disclosed objects.

Q17. When will the Act be reviewed again?

A. PIPEDA requires that the legislation be reviewed every five years, so it would be up for review again in 2011. However, it is anticipated that the next review will begin only once the current amendments are passed. The current amendments will provide a solid basis on which the second parliamentary review can be launched. The second review will be an opportunity to identify additional areas for further refinement and to take a closer look at more fundamental issues such as the effectiveness of the enforcement of the Act.