Why charities and not-for-profits should comply with PIPEDA

  • January 16, 2019
  • Esther Shainblum

There is a growing global emphasis on and regulation of privacy, as well as increasing stakeholder awareness and expectation with respect to how organizations handle their personal information. For example, the General Data Protection Regulation1, which harmonizes data protection and privacy laws across all European Union jurisdictions, was implemented across the EU on May 25, 2018. Further, on Sept. 30, 2018, the negotiations were completed for the US-Mexico-Canada Agreement2, which contains significant provisions on the transfer of personal information and data localization.3

As well, in May 2018, the Office of the Privacy Commissioner of Canada published two guidances for organizations subject to the Personal Information Protection and Electronic Documents Act, Canada’s federal private sector privacy legislation – one regarding the concept of meaningful consent4 (which was to come into effect on Jan. 1, 2019) and one on inappropriate data practices5 (which came into effect on July 1, 2018). And on Nov. 1, 2018, the new data breach reporting and record-keeping regime under PIPEDA came into force.

In light of these changes, many charities and not-for-profits have asked whether, and how, PIPEDA affects them. As such, this bulletin provides a brief discussion on the intersection between PIPEDA and these groups, and recommends that they bring their policies and procedures into compliance with PIPEDA’s breach reporting and record-keeping rules, even in circumstances where compliance may be voluntary.

Does PIPEDA apply?

PIPEDA applies to any organization that collects, uses, or discloses personal information in the course of commercial activities.6 While PIPEDA clearly applies to commercial entities, it is important to understand that the nature of the organization is not determinative of whether PIPEDA applies. Rather, it is the nature of the specific activity undertaken by the organization that may attract the requirements of PIPEDA. That is, if a particular activity is determined to be a “commercial activity,” then even charities and not-for-profits could be caught within its scope. The term “commercial activities” is defined in section 2 of the Act:

… any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.7

The Office of the Privacy Commissioner itself has stated that “[w]hether or not an organization operates on a non-profit basis is not conclusive in determining the application of the Act.”8

Charities and not-for-profits are not automatically exempt from PIPEDA. The fact that an organization is non-profit for purposes of taxation does not determine whether its collection, use or disclosure of personal information is carried out in the course of commercial activity.9 Whether an organization can be said to collect, use or disclose personal information in the course of a commercial activity will vary depending on the facts of each case.10 

In one case, the OPC found that a non-profit daycare organization was caught by PIPEDA because payment for child-care services was seen as a commercial activity.11 In another case, the non-profit Law School Admission Council, which administers law school entrance exams, was found to be engaged in commercial activity. The OPC stated that the organization’s status as a non-profit, non-stock, membership-based organization was not determinative and that there is no exemption for non-profit or member-oriented organizations.12

Therefore, the answer to the question of whether PIPEDA applies to charities and not-for-profits in Canada is “maybe.”

Further, charities and not-for-profits in certain provinces may be subject to provincial legislation that has been declared to be substantially similar to PIPEDA. Pursuant to paragraph 26(2)(b) of PIPEDA, if a province has enacted privacy legislation that is “substantially similar” to PIPEDA, an organization operating in that province will be exempted from PIPEDA and will be subject to the substantially similar legislation instead. Alberta and British Columbia, in particular, have passed substantially similar private sector privacy legislation and therefore that legislation operates in those provinces in respect of all personal information, although PIPEDA continues to operate in those provinces in respect of personal information that crosses provincial boundaries.13

British Columbia’s Personal Information Protection Act is that province’s private-sector privacy legislation and applies with respect to the collection, use or disclosure of personal information within its borders. Subject to certain limitations, the Act applies to “every organization” and as such includes corporations, unincorporated associations, co-operative associations, societies, churches and other religious organizations, charities and sports clubs.14

Some types of non-profit organizations are fully subject to Alberta’s Personal Information Protection Act, while others are only subject to it in respect of information collected, used or disclosed for commercial activity.15 Religious societies, housing cooperatives, unincorporated associations, federally incorporated not-for-profits, and organizations incorporated by private Acts are fully subject to the Act and have the same obligations in respect of privacy as do other organizations in Alberta.16

Charities and not-for-profits in those provinces may therefore be subject to the substantially similar provincial legislation.

Why charities and not-for-profits should comply with PIPEDA

As discussed above, PIPEDA does not generally apply to charities and not-for-profits because most of the activities these groups regularly engage in do not qualify as “commercial activities.” Examples of activities that generally do not fall under the category of commercial activity include the collection of membership fees, fundraising, organizing club events, compiling lists of member information, and mailing out newsletters.17 As we have seen, whether an activity constitutes a commercial activity will vary with the facts of each case, leading to uncertainty in predicting whether PIPEDA compliance is required. In that regard, prudence would seem to dictate that charities and not-for-profits should assume that, regardless of their tax status, the OPC or a court might find that they are engaged in commercial activity and that they are subject to PIPEDA.

In addition to the risk that certain activities of charities and not-for-profits might be seen as commercial in nature, thus bringing them within the scope of PIPEDA, it is difficult to come up with a convincing justification for excluding charities and not-for-profits from the requirements of privacy law. 

The General Data Protection Regulation applies to charities and not-for-profits, as does B.C.’s privacy law, and many charities and not-for-profits are also subject to Alberta’s law. Many health information custodians under the Ontario Personal Health Information Protection Act, 201418 and its counterparts in other provinces, are charities. Charities and not-for-profits can and do comply with privacy legislation throughout Canada and elsewhere.

The fact that PIPEDA only applies to organizations to the extent that they are engaged in commercial activities does not reflect the reality that many charities across Canada are in control of a great deal of personal information, particularly relating to donors, clients and volunteers. 

There are increasing stakeholder awareness and expectations around privacy, transparency and accountability. Donors, clients and other stakeholders expect charities and not-for-profits to safeguard their personal information, protect it from misuse and be transparent and accountable for how it is used.

Charities and not-for-profits should take these expectations into account when developing and adopting their privacy practices. There are also greater risks associated with privacy breaches and violations, including the risk of court action, class action litigation, court-awarded damages and reputational injury.

By moving toward alignment with PIPEDA, charities and not-for-profits can maintain the trust and confidence of their donors, clients and other stakeholders, and minimize the risk of reputational damage.

By complying voluntarily with PIPEDA, charities and not-for-profits can also avoid accidentally breaching PIPEDA requirements if certain of their activities are later held to be commercial in nature, thereby also avoiding possible fines and penalties under the legislation.

Charities and not-for-profits should bear in mind that the standards set out in PIPEDA will shape stakeholder expectations, and possibly court expectations, regarding how an organization should handle the collection, use, disclosure, and safeguarding of personal information. As such, in order to effectively manage legal and reputational liability with respect to misuse of personal information, charities and not-for-profits should seriously consider PIPEDA requirements as a basis for building and implementing their privacy policies.

Conclusion

With the growing emphasis on proper handling of privacy information as well as stakeholder awareness of privacy issues, charities and not-for-profits are facing increasing risk with respect to privacy matters. As such, charities and not-for-profits should consider voluntary compliance with PIPEDA and other applicable legislation. Doing so will help to manage legal and reputational liability, and maintain stakeholder confidence in the organization.

Esther Shainblum, B.A., LL.B., LL.M., CRM, practices in the areas of charity and not-for-profit law, privacy law and health law with the Carters Ottawa office. The author would like to thank Christina Shum, B.M.T., J.D., Student-at-Law for her assistance in preparing this bulletin.

End Notes

1. Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), L119, 4/5/2016, p. 1–88.

2. Government of Canada, “A New United States-Mexico-Canada Agreement” (30 September 2018), online: <https://international.gc.ca/trade-commerce/trade-agreements-accords-commerciaux/agr-acc/usmca-aeumc/index.aspx?lang=eng>.

3. Office of the United States Trade Representative, “United States-Mexico-Canada Agreement Text” (accessed 26 November 2018) online (pdf): Chapter 19 Digital Trade <https://ustr.gov/sites/default/files/files/agreements/FTA/USMCA/19%20Digital%20Trade.pdf>.

4. Office of the Privacy Commissioner of Canada, “Guidelines for obtaining meaningful consent” (May 24, 2018), online: <https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/>. For further information, see Esther Shainblum, Charity & NFP Law Bulletin No. 422, “New Online Guidelines from the Office of the Privacy Commissioner of Canada”, 31 May 2018, online: Carters Professional Corporation <http://www.carters.ca/pub/bulletin/charity/2018/chylb422.pdf>.

5. Office of the Privacy Commissioner of Canada, “Guidance on inappropriate data practices: Interpretation and application of subsection 5(3)”, online: <https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gd_53_201805/>. For further information, see Esther Shainblum, Charity & NFP Law Bulletin No. 422, “New Online Guidelines from the Office of the Privacy Commissioner of Canada”, 31 May 2018, online: Carters Professional Corporation <http://www.carters.ca/pub/bulletin/charity/2018/chylb422.pdf>.

6. Office of the Privacy Commissioner of Canada, “The Application of PIPEDA to Charitable and Non-Profit Organizations” online: <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/02_05_d_19/> [PIPEDA Application].

7. SC 2000, c 5, s 2 [PIPEDA]. See also Office of the Privacy Commissioner of Canada, “Commercial Activity” online: <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_03_ca/>.

8. Supra note 6.

9. Office of the Privacy Commissioner of Canada, supra note 7.

10. Ibid.

11. Office of the Privacy Commissioner of Canada, “PIPEDA Case Summary #2005-309” online: <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2005/pipeda-2005-309/>.

12. Office of the Privacy Commissioner of Canada, “PIPEDA Report of Findings #2008-389” online: <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2008/389_rep_080529/>.

13. PIPEDA, supra note 7.

14. Personal Information Protection Act, SBC 2003, c 63, at s 3(1) [“BC PIPA”]. For further information, see also Office of the Information & Privacy Commissioner for British Columbia, “A Guide to B.C.’s Personal Information Protection Act for Businesses

15. Personal Information Protection Act, SA 2003, c P-6.5 at s 56 [“AB PIPA”].

16. Office of the Information and Privacy Commissioner, “Review of the Personal Information Protection Act” online: <https://www.oipc.ab.ca/media/686362/PIPA_Review_Submission_Web_Feb2016.pdf> at 5.

17. PIPEDA Application, supra note 6.

18. SO 2004, c 3.