The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private-sector privacy law. It governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. It received royal assent on April 13, 2000, and came into force in three stages: federally regulated industries (banking, airlines, telecoms) in 2001, the health sector in 2002, and all private-sector commercial activity nationwide on January 1, 2004 — except in provinces with “substantially similar” laws (Quebec, British Columbia, and Alberta each have their own).
PIPEDA is built around ten fair information principles, taken from the CSA Model Code: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. The principles map onto what data subjects can expect — to be told why their data is being collected, to consent meaningfully (see Informed consent), to access and correct their data, and to challenge how it’s being handled.
Since November 1, 2018 (a consequence of the Digital Privacy Act passed in 2015), PIPEDA requires organizations to report any breach of security safeguards that creates a “real risk of significant harm” to the Office of the Privacy Commissioner and to notify affected individuals, and to maintain records of all breaches regardless of severity.
Enforcement is by the Office of the Privacy Commissioner of Canada (OPC). The OPC investigates complaints, issues findings, and can take organizations to Federal Court, which has the authority to award damages and order corrective action. Current penalties are modest compared to GDPR — knowingly contravening certain provisions (mostly around breach reporting) carries fines up to CAD $100,000 per violation — but the proposed Consumer Privacy Protection Act (CPPA, part of federal Bill C-27, still pending at time of writing) would raise the ceiling dramatically, to the greater of CAD $25 million or 5% of global revenue, putting Canada closer to the GDPR enforcement regime.
PIPEDA’s scope is limited to commercial activity — non-profits and government agencies are covered by other laws (the federal Privacy Act for federal institutions). Health-care contexts in Canada are typically covered by provincial health-information laws (Ontario’s PHIPA, for instance), which play roughly the role that HIPAA plays in the U.S.
For engineers working in Canada on data systems involving real people, PIPEDA is the federal baseline. Whether the project is also covered by a provincial law, a sector-specific law, or GDPR (if any of the data subjects are in the EU) depends on the specifics.