Published in The RegTech Hub

PIPEDA: The evolution of data privacy legislation

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) became law in 2000, and is the Canadian federal-level law protecting personal information. Broadly speaking, it applies to private-sector businesses that operate in or have impact across more than one province (for example, railways, banks, radio stations). As of November 2020, it’s also joined the ranks of national and local privacy laws facing major overhauls in light of the challenges our increasingly online environment poses to protecting personal data.

A few recent examples of countries and areas moving towards a more consumer rights-driven model of privacy legislation include:

While enforcement varies from region to region, recent cases like the initial $124 million fine levied against the Marriott hotel chain, Capital One’s $80 million, and British Airways’ $26.2 million indicate that governments are increasingly willing to issue fines and empower oversight bodies where self-regulation proves insufficient to protect sensitive data.

PIPEDA and Bill C-11

Canada, as one of the 12 countries benefiting from an adequacy decision under the EU’s General Data Protection Regulation (GDPR), is anticipating a reassessment of that adequacy decision by or before 2022. (An adequacy decision indicates that the EU has determined that a given country’s privacy protections are essentially equivalent to those offered in the EU, and permits cross-border transfers of personal data to that country with no further safeguards required.)

A major update to PIPEDA was announced in November 2020 with the introduction of Bill C-11, or the Digital Charter Implementation Act (DCIA). The DCIA will pave the way for a number of changes:

  • A new private-sector privacy law, the Consumer Privacy Protection Act (CPPA)
  • A Personal Information and Data Protection Tribunal
  • New powers for The Office of the Privacy Commissioner (currently only an advisory body), which will be able to:
      • Issue binding orders
      • Recommend monetary penalties of up to 5% of an organization’s global revenue or $25,000,000 to the Personal Information and Data Protection Tribunal
  • Expanded consumer rights, which include:
      • Right to deletion
      • Right to withdrawal of consent
      • Right to data mobility

Bill C-11 also adds a transparency requirement around automated decision-making, similar to that in the GDPR.

The CPPA will replace substantial portions of PIPEDA, and the parts of PIPEDA that remain will be renamed the Electronic Documents Act. It will also result in minor alterations to other acts, including the Competition Act and the Canada Business Corporations Act.

This update, with the Competition Bureau’s recent moves to enforce accuracy in privacy disclosures, is increasingly bringing Canada into alignment with global developments in privacy.

Key points for compliance

In line with other recent items of privacy legislation, Bill C-11 targets transparency, consumer rights, de-identification of personal information and consent.

Collecting, using and retaining personal information

The collection, use and retention of personal information requires express, specific and informed consent at or before collection. Personal information must be limited to the minimum required for the purpose, and retained only for as long as reasonably needed for that purpose, or as otherwise required by law.


Organizations must designate someone to be responsible for their privacy compliance, and make contact information for that person readily available on request. Organizations must provide disclosure in plain language, and maintain policies, procedures and staff training to support their compliance with the act. Organizations are responsible for personal information they control, even when that information is processed by service providers. Organizations must protect personal information through physical, organizational, and technological security safeguards.

Consumer rights

With some exceptions, organizations must respond within 30 days of receiving a request, must provide any necessary support with the request process and can’t charge for responding to requests unless the organization has notified the consumer of the cost, the cost to the consumer is minimal, and the consumer, on being advised, doesn’t withdraw their request.

  • Access — consumers may request access to any personal information an organization holds concerning them, and how that information is being used and disclosed.
  • Automated decisioning — consumers may ask organizations if a prediction, recommendation, or decision about them was made using automated decisioning, and how that prediction, recommendation, or decision was made.
  • Challenge compliance — a consumer may challenge an organization’s compliance with the act.
  • Deletion — a consumer may request deletion of their information.
  • Mobility — consumers may request that an organization disclose their personal information to another organization.
  • Withdrawal of consent — a consumer may withdraw their consent with reasonable notice to the organization.

Personal information protection in the spotlight

With the explosion in data-driven businesses enabled by the internet, personal information is a very valuable commodity. Sufficient information allows businesses to predict what consumers will want to buy, when and where they’re likely to want to buy it — and even target certain individuals to influence them to want to buy certain products.

However, that kind of insight isn’t just coveted by legitimate business. Cyberattacks are helping criminals to make more than $1.5 trillion in revenue each year (for comparison, Apple, Amazon, Facebook, Tesla, and Microsoft made a combined total of $761 billion in 2019).

To underscore the increasing priority on protecting personal data, as of 2020, 66% of countries worldwide have some form of data protection legislation in place, and a further 10% have draft legislation in progress. While a major focus of these laws is to educate and empower individuals to share their data wisely, a number of governments have been willing to put oversight bodies in place where self-regulation has proven ineffective.

All in all, organizations are facing growing pressure to be transparent about how they obtain and use personal information, ensure they secure it adequately, and treat the consumers who own that information with consideration and respect. The payoff? Consumer trust, and increased willingness to share that precious resource — personal information.


Trulioo is the leading global identity verification provider helping businesses meet #AML #KYC and #KYB compliance
