PIPEDA (Personal Information Protection and Electronic Documents Act)
Definition
PIPEDA is Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. Enacted in 2000, PIPEDA applies to all organizations engaged in commercial activities in Canada, except in provinces with substantially similar provincial privacy legislation (Quebec, Alberta, and British Columbia have their own laws for provincially-regulated sectors). PIPEDA is built on ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Key requirements include obtaining meaningful consent for collection, use and disclosure of personal information; limiting collection to what's necessary for identified purposes; protecting personal information with appropriate security safeguards; and being transparent about information practices. Individuals have the right to access their personal information, challenge its accuracy, and file complaints with the Privacy Commissioner of Canada. PIPEDA applies to cross-border data transfers—Canadian organizations remain responsible for personal information even after transferring it to third parties. Violations can result in findings by the Privacy Commissioner and, in some cases, Federal Court orders and damages.
Applicable Laws & Regulations
- PIPEDA S.C. 2000, c. 5
- PIPEDA Schedule 1 - Fair Information Principles
- PIPEDA Section 5 - Consent
- PIPEDA Section 8 - Individual Access