IAPP-GDPR Web Banners-300x250-FINAL

By Janet Steinman, CIPP/US

Canadian data protection law is essentially a combination of the laws of the rest of the world. It has strict definitions of personally identifiable information (PII), as the EU does, but it has more opt-out than opt-in requirements, the way the U.S. does. Like the U.S., it has local laws that govern data security and privacy; in Canada’s case, provincial laws. Of course, Quebec law is based on European code law while the rest of the provinces are based on English common law. When a provincial law should be applied rather than the federal law varies. Canadian courts have ruled that Canadian companies must be subject to the laws of other countries when its data is resident or processed in a foreign country. But Canada has been granted equivalency status by the EU. Canada has some of the lengthiest data protection laws in the world and, as in all common law countries, a large amount of diverse case law. Part of the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the commercial sector, solely addresses electronic documents separate from any issues of data privacy. Plus there are laws regarding the public sector. Any applicable transactions, including drafting privacy policies and employee policies, regarding these laws are bound to be complicated.

Publications by the IAPP and Canada’s websites offer excellent places for a practitioner to begin. A Guide to the Personal Information Protection and Electronic Documents Act 2013 by Colin H. H. McNairn (published by Lexis/Nexis Canada, 2013, ISBN 978-0-433-47400-5) is unique in providing this vital information in an academic, scholarly format. The text of this book begins with explaining the background, purpose and structure of PIPEDA, an introductory factor that is too often lacking in many law books. A Guide to PIPEDA contains the full text of PIPEDA Parts 1 through 5, which include amendments current to February 21, 2013, and Regulations Pursuant to PIPEDA are current to the Canada Gazette of February 27, 2013. There is a table of cases before the text begins, as well as thorough footnotes, which point the reader in useful directions for more detailed sources and reasoning.

PIPEDA applies to the commercial private sector, with some exceptions being labor unions, federal work projects and banks. The Canadian Privacy Act regulates government and public sector organizations. The two laws have differing definitions of essential privacy law terms. The Canadian Standards Association prepared the Model Code for the Protection of Information (Model Code), which was presented to Parliament and passed as PIPEDA. McNairn’s book explains the anomalous situation where the Model Code was intended to be a voluntary national standard to provide a framework for industry groups. It was intended that businesses would adopt their own company codes. That hasn’t always happened. Enabling regulations have not been promulgated for much of PIPEDA despite the fact that the privacy commissioner, who handles complaints, enforces the law as mandatory. There is no definition of a “government institution.” Does it include provincial or foreign governments? Certain terms can only apply to the federal government, such as those regarding international relationships and the defense of Canada. A privacy practice can be investigated if there is even a small suspicion of a minor lack of compliance. A complaint can be pursued while civil litigation is in process. It has a strong commitment to openness for the owner of PII and well-reasoned case law, but PIPEDA is full of traps for the unwary.

Data protection laws by necessity intersect with many other laws, including child pornography laws, evidence, freedom of information laws, terrorist financing and a patient’s right to access. This book does an exceptional job of explaining these and the inevitable divergence for the enforcement of PIPEDA.

The electronic documents part of PIPEDA relates to the electronic means to record an action or a communication. It does not apply to data privacy. Its stated purpose is “to provide the use of electronic alternatives … where federal laws contemplate the use of paper to record or communicate information or transactions.” A consultation paper by the Department of Justice shows the intent to amend literally hundreds of laws at once so they did not have to be amended piecemeal. Like the earlier sections of PIPEDA, it began as advisory—in this case, as part of Canada’s Electronic Commerce Strategy. It clearly impacts many other laws, including contracts, property and other areas, that are governed by provincial law.

McNairn’s book sets forth a comprehensive, systematic explanation of PIPEDA, its real-world applications and the reasoning behind the interpretations of the law. As stated earlier, this book does an impressive job of listing and organizing laws, court opinions, advisory papers, rulings from the privacy commissioner, websites and the like, including in the footnotes. It is a more intellectual work than needed for practitioners beginning in the field of Canadian data protection. Strangely, there are a number of terms used in the book that are not listed in the index. If you are seeking to write a privacy statement or challenge a privacy ruling, while this will be useful to lawyers, you are much better off starting with IAPP publications and the Canadian government websites rather than with McNairn’s otherwise exemplary book.

Janet Steinman, JD, CIPP/US, is a member of the Harvard Law School Online Media Legal network and the American Bar Association Advisory Panel. She is experienced in laws on information technology, data licensing, e-commerce, computer technology, software development and licensing, U.S. and foreign data privacy and security laws including HIPAA and GLBA, among others.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»