Personal Information Protection and Electronic Documents AcT

PIPEDA is Canada's federal private sector data protection legislation. It applies to all federally regulated works and undertakings, as well as provincially regulated private sector organizations in provinces and territories other than Quebec, Alberta, and B.C. (that have their own, similar, laws). See our FAQs on PIPEDA for more information.


PIPEDA was scheduled for Parliamentary review in 2006 (five years after coming into force). In September 2006, CIPPIC filed comments with the federal Privacy Commissioner on a variety of issues regarding PIPEDA, in response to her call for input regarding the upcoming Parliamentary review. Parliament began its review of PIPEDA on November 20, 2006, via the House of Commons Standing Committee on Access to Information, Privacy and Ethics.  CIPPIC filed a "written submission": with the Parliamentary committee in November, 2006, making 20 recommendations for legislative amendments, and appeared before the Committee on Dec.6th, 2006. The Committee heard from numerous stakeholders, and issued its report on May 2nd, 2007.

The federal government responded to the Committee report in October 2007, and then issued a public notice inviting comment on the specifics of implementating a data breach notification provision, as well as on the concepts of "work product" and "lawful authority". Other issues on which public input is being sought include witness statements, consent by minors, investigative bodies and the extent to which elements contained in the health-related PIPEDA Awareness Raising Tools (PARTs) document may be set out in legislative form.  Comments are due by January 15th, 2008, and can be sent by email to

Submissions to Industry Canada on PIPEDA Review (Jan 2008)

-    Privacy Commissioner of Canada submission

-    PIAC submission

-    Adam Shostack submission

-    Other submissions (posted on Industry Canada website)

Regulations exempting organizations subject to "substantially similar" provincial laws

In response to Industry Canada's February 2005 call for comments on its proposed exemption order under PIPEDA for health information custodians in Ontario, CIPPIC filed comments pointing out a substantial difference between the federal and provincial privacy regimes, in respect of permitted disclosures of personal health information for research purposes, without the patient's consent. Under PIPEDA, certain important criteria must be met. Under the Ontario legislation, such criteria need only be "considered" by a research ethics board.

Regulations specifying "Investigative Bodies" under PIPEDA

Protection of Personal Information and Electronic Documents Act ("PIPEDA") - Regulations Specifying Investigative Bodies: In November 2003, CIPPIC submitted [comments](uploads/CIPPIC PIPEDA submission 24-11-03.pdf) on proposed amendments to the regulation designating "investigative bodies" under PIPEDA. Under the Act, designated "investigative bodies" can receive and disclose personal information without the knowledge or consent of the individuals concerned. CIPPIC's comments focused on the need for more rigour in the granting of this status, as well as specific concerns regarding the application by Teranet Services Inc.