Charities and not-for-profits often inquire about their obligation to adhere to Canadian privacy laws. Given that these organizations typically do not participate in commercial endeavors, they are usually not required to adhere to the federal private sector privacy legislation known as the Personal Information Protection and Electronic Documents Act (PIPEDA). Nonetheless, it is crucial to understand that being classified as a charity or not-for-profit does not automatically exempt an organization from PIPEDA or other comparable privacy laws.
As the Canadian privacy landscape undergoes significant changes, numerous charities and not-for-profits are grappling with the question of whether they must adhere to Canadian privacy laws. In this post, we aim to present a summary of how privacy laws in Canada are applicable to charities and not-for-profit organizations.
Are charities and not-for-profit organizations required to adhere to PIPEDA regulations?
Whether PIPEDA applies to Canadian charities and not-for-profit organizations is uncertain. PIPEDA is applicable to organizations involved in commercial activities that entail the gathering, utilization, or dissemination of personal information. It is essential to emphasize that an organization's classification alone does not determine its coverage under PIPEDA. Instead, the nature of the activity being conducted by the organization determines whether it falls within the scope of PIPEDA. In simpler terms, if the activity can be classified as a "commercial activity," charities and not-for-profits may potentially be subject to the provisions of PIPEDA.
According to section 2 of PIPEDA, "commercial activities" are defined as specific transactions, acts, conduct, or regular courses of conduct that possess a commercial character. This includes activities such as the selling, trading, or renting of donor, membership, or similar fundraising lists.
Simply being classified as a not-for-profit for tax purposes does not inherently signify that an organization's collection, use, or disclosure of personal information falls within non-commercial activities. The determination of whether an activity is commercial or non-commercial is contingent upon the individual circumstances of each case.
Despite the substantial modernization introduced by Bill C-27, also referred to as the Digital Charter Implementation Act, 2022, the definition of "commercial activities" has remained unchanged. Consequently, the assessment to determine the applicability of Bill C-27 to charities and not-for-profit organizations will be akin to the existing evaluation under PIPEDA.
Does provincial privacy legislation apply to charities and not-for-profit organizations?
In addition to PIPEDA, charities and not-for-profit organizations in certain provinces may be regulated by provincial legislation that is considered to be largely similar to PIPEDA. Alberta, British Columbia, and Québec have enacted their own private sector privacy laws, which apply within their respective provinces concerning personal information. However, it's important to note that PIPEDA still applies to personal information that crosses provincial boundaries in these provinces. Let's briefly examine each of these provincial laws below:
The private sector privacy legislation in British Columbia is known as the Personal Information Protection Act (BC PIPA). This legislation is applicable to the gathering, utilization, and sharing of personal information within the boundaries of British Columbia. It covers a very wide range of organizations subject to certain limitations.
In British Columbia, charities and not-for-profit organizations must adhere to the BC PIPA. Unlike PIPEDA, the scope of BC PIPA extends to cover the entire private sector, including both commercial and non-commercial endeavors such as fundraising. Therefore, not-for-profits and charities in British Columbia are subject to the legislation for all their activities, not just those that involve commercial activity. However, there are exemptions outlined in section 3(2) that may apply to certain organizations.
It's important to note that the BC PIPA applies to all organizations operating within the province, regardless of where they are headquartered or incorporated. Hence, if an organization gathers, utilizes, and shares personal information in British Columbia, the BC PIPA acts as the governing legislation, even where PIPEDA does not apply.
Similar to the BC PIPA, Alberta's Personal Information Protection Act (AB PIPA) is a privacy law that applies to the private sector and regulates the gathering, utilization, and sharing of personal information within the province's jurisdiction. Like the BC PIPA, the AB PIPA encompasses "every organization" with specific restrictions. However, unlike the BC PIPA, the AB PIPA has separate provisions for not-for-profit organizations.
Certain not-for-profit organizations are fully governed by the AB PIPA, while others are subject to its provisions solely concerning the collection, utilization, or sharing of personal information for commercial purposes. Not-for-profit organizations that are incorporated or registered under specific legislation in Alberta (namely, the Societies Act, the Agricultural Societies Act, or Part 9 of the Companies Act) are obligated to comply with the AB PIPA solely with regard to personal information associated with commercial activities.
Québec has enacted the Act to Modernize Legislative Provisions respecting the Protection of Personal Information, commonly known as "Bill 64," which has led to significant amendments to the province's legislation governing the private sector. This includes the legislation known as the "New Québec Privacy Law," which is formally referred to as the Act Respecting the Protection of Personal Information in the Private Sector. The New Québec Privacy Law is applicable to individuals or entities who collect, possess, use, or disclose personal information while conducting an enterprise as stipulated in Article 1525 of the Civil Code. According to Article 1525, an "enterprise" is defined as the organized economic activity carried out by one or more individuals, regardless of its commercial nature, involving the production, administration, or disposal of property, or the provision of a service. Unlike PIPEDA, this New Québec Privacy Law applies to all individuals engaged in an economic activity, even if it is non-commercial, thereby necessitating compliance from both for-profit and not-for-profit organizations.
Is it advisable for charities and not-for-profit organizations to voluntarily adhere to PIPEDA?
Considering the points discussed earlier, although PIPEDA may not be applicable to charities and not-for-profit organizations due to the non-commercial nature of their activities, it is highly likely that the BC PIPA, AB PIPA, or New Québec Privacy Law would apply if they operate in British Columbia, Alberta, or Québec, respectively.
The degree of effort necessary for charities and not-for-profits to adhere to the applicable provincial privacy legislation is comparable to the effort required for voluntary compliance with PIPEDA. It would be counterproductive for these organizations to establish privacy compliance programs solely to adhere to provincial laws while neglecting PIPEDA, which applies to the rest of Canada.
Furthermore, the fact that PIPEDA exclusively applies to organizations engaged in commercial activities fails to acknowledge the increasing stakeholder expectations regarding privacy, transparency, and accountability. Stakeholders anticipate that not-for-profits will safeguard their personal information, prevent its misuse, and demonstrate transparency and accountability in its usage. When devising and implementing privacy practices and compliance programs, charities and not-for-profits should take into account these expectations.
Additionally, privacy breaches and violations entail greater risks, including potential legal actions, class-action lawsuits, court-awarded damages, and damage to reputation. To uphold the trust and confidence of their stakeholders while reducing the likelihood of reputational damage, charities and not-for-profits in every jurisdiction can ensure alignment between their privacy policies and procedures and the applicable provincial privacy legislation. Voluntarily adhering to PIPEDA further strengthens their commitment to privacy and data protection.
By voluntarily complying with PIPEDA, charities and not-for-profits can proactively prevent unintended violations of the legislation's requirements in case certain activities are retrospectively classified as commercial. This approach helps them avoid potential fines and penalties that could arise from such breaches.
Given the escalating significance of effective privacy information management and the heightened awareness among stakeholders regarding privacy matters, it is advisable for charities and not-for-profits to seriously consider the option of voluntary compliance with PIPEDA.