Compliance | March 30, 2026 | 7 min read

Canada PIPEDA Compliance Guide

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs privacy in Canada's private sector. Learn how zero-knowledge architecture aligns with PIPEDA's principles.

Meet Canadian privacy standards with our Text Diff Tool. Client-side processing means no consent requirements under PIPEDA.

The PIPEDA Foundation

Canada's approach to privacy is principles-based rather than prescriptive. The Personal Information Protection and Electronic Documents Act (PIPEDA), in force since January 1, 2004, sets out 10 fair information principles that organizations must follow when collecting, using, and disclosing personal information in the course of commercial activities.

Unlike the EU's GDPR with its detailed articles and hefty fines, PIPEDA focuses on accountability and reasonableness. The Office of the Privacy Commissioner (OPC) investigates complaints and can recommend remedies, but cannot directly impose fines (though courts can after OPC findings).

This principles-based approach makes PIPEDA flexible but also creates uncertainty. Organizations must interpret broad principles in their specific contexts.

The 10 Fair Information Principles

Schedule 1 of PIPEDA sets out the following principles:

  • Accountability: Designate someone responsible for compliance
  • Identifying Purposes: Identify why you collect personal information before collection
  • Consent: Obtain meaningful consent for collection, use, and disclosure
  • Limiting Collection: Collect only information necessary for identified purposes
  • Limiting Use, Disclosure, and Retention: Use information only for collected purposes; retain only as long as necessary
  • Accuracy: Keep personal information accurate, complete, and up-to-date
  • Safeguards: Protect personal information with appropriate security
  • Openness: Make policies and practices readily available
  • Individual Access: Allow individuals to access their personal information
  • Challenging Compliance: Allow individuals to challenge your compliance

Provincial Privacy Laws

While PIPEDA is federal law, three provinces have their own substantially similar private sector privacy laws that supersede PIPEDA:

  • Alberta: Personal Information Protection Act (PIPA) - Covers private sector organizations in Alberta
  • British Columbia: Personal Information Protection Act (PIPA) - Similar to Alberta's law with BC-specific provisions
  • Quebec: Act Respecting the Protection of Personal Information in the Private Sector (Law 25) - Recently modernized with GDPR-like requirements including breach notification and privacy by design

Organizations operating in these provinces must comply with provincial law rather than PIPEDA. However, the principles remain consistent: minimize collection, obtain consent, protect data, and provide access. Zero-knowledge architecture satisfies these requirements by eliminating data collection entirely.

Breach Notification Requirements

In November 2018, PIPEDA was amended to include mandatory breach notification requirements. Organizations must report breaches to the OPC and notify affected individuals if the breach creates a real risk of significant harm.

Key breach notification requirements:

  • Real Risk of Significant Harm: Breaches must be reported if they could cause bodily harm, humiliation, damage to reputation, identity theft, financial loss, or other significant harms
  • 72-Hour OPC Notification: Organizations must report to the OPC as soon as feasible after discovering the breach
  • Individual Notification: Affected individuals must be notified directly unless impossible or prohibited by law
  • Record Keeping: All breaches must be recorded, even those not meeting the notification threshold

Zero-knowledge architecture eliminates breach notification obligations for tool processing. With no personal data stored, there is nothing to breach. This reduces both compliance burden and reputational risk.

Frequently Asked Questions

Does PIPEDA apply to my organization?

PIPEDA applies to private sector organizations engaged in commercial activities across Canada, with exceptions for provinces with substantially similar legislation (Alberta, British Columbia, Quebec). It does not apply to federal government institutions (covered under the Privacy Act) or provincial government bodies. If you use ZeyroVault's client-side tools, PIPEDA compliance for those tools is simplified because no personal information collection occurs.

What powers does the OPC have?

The Privacy Commissioner can investigate complaints, conduct audits, and make findings. While the Commissioner cannot directly impose fines, they can refer matters to the Federal Court, which can order compliance and award damages. Since 2018, the OPC can also require organizations to report breaches. For willful violations, courts can impose fines up to $100,000 CAD. Zero-knowledge tools reduce OPC complaint risk because there is no personal information to mishandle.

How does Quebec's Law 25 differ from PIPEDA?

Quebec's Law 25 (formerly Bill 64) modernized the province's privacy law with requirements similar to GDPR: mandatory breach notification (72 hours to regulator), privacy impact assessments for high-risk processing, privacy by design principles, and enhanced consent requirements. Unlike PIPEDA, Law 25 includes administrative monetary penalties up to $25 million CAD or 4% of worldwide turnover. Zero-knowledge architecture helps comply with Law 25's privacy by design requirement by embedding privacy into the tool's architecture.

What counts as a 'commercial activity' under PIPEDA?

PIPEDA defines commercial activity as 'any particular transaction, act or conduct or any regular course of conduct that is of a commercial character.' This includes selling, bartering, or leasing information; marketing; and providing services. Non-commercial activities like personal or domestic use, journalism, and artistic/literary purposes are exempt. If you provide free tools without collecting data, the commercial activity analysis becomes nuanced. Consult legal counsel if this applies to your situation.