Helping businesses understand their privacy obligations

In a nutshell

The CBA’s Privacy and Access Law Section is supporting the guidance processes issued by the Office of the Privacy Commissioner (OPC). This regulatory guidance is a vital touchstone for the legal profession, helping businesses and other organizations understand and comply with their privacy obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA). OPC guidance documents clarify how and when privacy laws apply, identify best practices for protecting privacy, highlight key risks, and clarify regulatory expectations.

Key recommendations

Responding to a consultation, the CBA recommends the OPC consider the following when finalizing its guidance:

• Improved Integration of Other Resources: The guidance should clearly connect and integrate all relevant OPC resources, including prior findings, decisions, and interpretations, so that organizations can understand how principles are applied in real contexts. It should provide concrete case-based examples and scenarios—not only broad principles—to help organizations operationalize their obligations.
• Accessibility of Previous Versions: A robust archiving system should be established for previous versions of the guidance. As new updates are released, older versions should not be removed but moved to a dedicated, easily accessible archive on the OPC website.
• Disclaimer Statements, Obligations and Recommendations: To keep the guidance credible and ensure they are used as intended by organizations, disclaimer statements accompanying the guidance must be sufficiently clear, practical, and comprehensive to enable businesses to rely on them with confidence. Guidance should clearly distinguish between legal obligations and what the OPC views as best practice.  
• New Guidance: In circumstances where newly issued guidance may conflict with, supersede, or otherwise alter the interpretation of existing guidance, the CBA recommends that a consultation be undertaken, ensuring stakeholders can contribute.
• Additional Tailored Consultations: When an organization has adhered to this guidance in good faith but is still found to be non-compliant, it should be viewed as an opportunity to update guidance, potentially with the organization and/or industry’s input.

Why this matters

The guidance produced by the OPC is highly valued for its expertise and practical utility. The CBA’s submission enables the OPC to better consult and provide guidance to help organizations comply with privacy rules under PIPEDA. As the regulatory and technical landscape continues to evolve, maintaining the availability of these documents is essential for consistent implementation by organizations and public understanding.

Read the full submission (disponible uniquement en anglais).