The Personal Information Protection and Electronic Documents Act (PIPEDA) governs the information-handling practices of private-sector organizations everywhere in Canada except British Columbia, Alberta, Quebec, and the health-care sector of Ontario. (Comparable laws apply to organizations conducting business wholly within those jurisdictions.) Even in those provinces, PIPEDA continues to apply to the federally regulated private sector, such as telecommunications, banking and transportation, as well as interprovincial and international transactions. PIPEDA applies to the personal-information-handling practices of private-sector organizations engaged in such practices as online tracking, targeting, profiling, and cloud computing.
PIPEDA is intended to “support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances. . . .” PIPEDA is an organization-to-organization approach that is not based on the concept of adequacy. PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However, under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement.
The fair information practices, found in Schedule 1 of PIPEDA, are: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; and individual access.
PIPEDA does not distinguish between domestic and international transfers of data.