Charities and Not-for-Profits: Obligations for Compliance with Privacy Legislation
Overview
We often get asked by charities and not-for-profits whether they need to comply with the various privacy laws in Canada. Because charities and not-for-profits do not typically engage in commercial activities, they are usually not subject to the federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). However, having status as a charity or not-for-profit does not automatically exempt an organization from PIPEDA or other similar privacy laws.
With the significant changes coming to the Canadian privacy landscape, many charities and not-for-profits are trying to figure out whether they need to comply with the Canadian privacy laws. This article provides an overview of how privacy laws in Canada apply to charities and not-for-profits.
Is PIPEDA applicable to charities and not-for-profit organizations?
The answer to the question of whether PIPEDA applies to charities and not-for-profits in Canada is “maybe.” PIPEDA applies to any organization that collects, uses or discloses personal information during commercial activities.[1] Although it is evident that PIPEDA applies to commercial organizations, it is crucial to note that an organization's classification does not determine its coverage under PIPEDA. Rather, it is the type of activity being carried out by the organization that may fall under PIPEDA's purview. In other words, if the activity is considered a "commercial activity," then charities and not-for-profits may be subject to its provisions.
“Commercial activities” are defined in section 2 of PIPEDA as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”[2]
The fact that an organization is a not-for-profit for tax purposes does not automatically mean that the organization’s collection, use or disclosure of personal information is carried out during non-commercial activities. The question of whether an activity is non-commercial or commercial will vary depending on the facts of each case.
Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act, 2022 (“Bill C-27” or the “Bill”), makes substantive changes to modernize PIPEDA. Despite those changes, the definition of “commercial activities” remains the same, which means that the question of whether Bill C-27 will apply to charities and not-for-profits will follow a similar analysis to that under the current PIPEDA.
Is the provincial privacy legislation applicable to charities and not-for-profit organizations?
In addition to PIPEDA, charities and not-for-profits in certain provinces may be subject to provincial legislation that has been declared to be substantially similar to PIPEDA. Alberta, British Columbia, and Québec have passed substantially similar private sector privacy legislation, which operates in those provinces when dealing with matters pertaining to personal information. Despite this provincial legislation, PIPEDA continues to operate in those provinces regarding personal information that crosses provincial boundaries. We will briefly discuss each of these provincial statutes below.
A. British Columbia’s Personal Information Protection Act
British Columbia’s Personal Information Protection Act (the “BC PIPA”) is British Columbia’s private sector privacy legislation and applies with respect to the collection, use or disclosure of personal information within its borders. Subject to certain limitations, the BC PIPA applies to “every organization,” including corporations, unincorporated associations, co-operative associations, societies, churches and other religious organizations, charities, and sports clubs.[3]
The BC PIPA applies to not-for-profit organizations, including trade unions, charities, foundations, trusts, clubs, churches, and amateur sports organizations. Not-for-profit organizations in British Columbia (regardless of the location of the organization’s headquarters) are in the same position as for-profit organizations and subject to the legislation in respect of all their activities, not only to any potential “commercial activity.” In short, the BC PIPA applies to not-for-profits and charities, unless they fall under an exemption as set out in section 3(2).
The BC PIPA differs fundamentally from PIPEDA in that it applies to the entire private sector and applies to the collection, use and disclosure of personal information in the course of both commercial and non-commercial activities (such as fundraising or the provision of services for no consideration). In effect, the BC PIPA applies (subject to the exceptions) to all organizations operating in the province. The fact that an organization may be headquartered or incorporated elsewhere does not preclude the application of the BC PIPA, which, therefore, should be the starting point of an organization that collects, uses and discloses personal information in BC. Given the foregoing, it is clear that the BC PIPA applies even if PIPEDA does not.
B. Alberta Personal Information Protection Act
Similar to the BC PIPA, Alberta’s Personal Information Protection Act (the “AB PIPA”) is private sector privacy legislation and applies with respect to the collection, use or disclosure of personal information within its borders. Like the BC PIPA, subject to certain limitations, the AB PIPA applies to “every organization”. However, unlike the BC PIPA, there are separate rules for not-for-profit organizations.
Certain types of not-for-profit organizations are fully subject to the AB PIPA, while others are only subject to it in respect of information collected, used or disclosed for commercial activity.[4] Not-for-profit organizations that are incorporated or registered under specific legislation in Alberta (namely, the Societies Act, the Agricultural Societies Act, or Part 9 of the Companies Act) are subject to the AB PIPA only to the extent that the organizations collect, use or disclose personal information in connection with commercial activities.[5]
C. Québec’s Privacy Law
Québec enacted the Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Bill 64”), which made significant amendments to Québec’s private sector law, the Act Respecting the Protection of Personal Information in the Private Sector (the “New Québec Privacy Law”). The New Québec Privacy Law applies to persons who collect, hold, use or share personal information in the course of carrying on an enterprise within the meaning of Article 1525 of the Civil Code. Article 1525 of the Civil Code defines “enterprise” as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.” This New Québec Privacy Law (unlike PIPEDA) will apply to anyone participating in an economic activity, even if that activity is not commercial, meaning that not-for-profit organizations will need to comply with this law, as well as for-profit organizations.
Should charities and not-for-profits voluntarily comply with PIPEDA?
As discussed above, while PIPEDA may not apply to charities and not-for-profits because most of their activities do not qualify as “commercial activities”, there is a good chance that the BC PIPA, the AB PIPA, or the New Québec Privacy Law will apply (if the charity or not-for-profit operates in British Columbia, Alberta or Québec).
The amount of effort that is necessary for charities or not-for-profits to ensure compliance with the BC PIPA, the AB PIPA or the New Québec Privacy Law is similar to the effort necessary to voluntarily comply with PIPEDA. It would make little sense for charities and not-for-profits to put together a privacy compliance program to comply with their relevant provincial privacy legislation, but not PIPEDA for the rest of Canada.
Moreover, the fact that PIPEDA only applies to organizations engaged in commercial activities does not reflect the reality that stakeholder awareness and expectations around privacy, transparency and accountability are increasing. Stakeholders expect not-for-profits to safeguard their personal information, protect it from misuse, and be transparent and accountable for how it is used. Charities and not-for-profits should take these expectations into account when developing and adopting their privacy practices and compliance programs.
There are also greater risks associated with privacy breaches and violations, including the risk of court actions, class action litigation, court-awarded damages, and reputational injury. By aligning their respective privacy policies and/or procedures with the respective provincial privacy legislation and PIPEDA, charities and not-for-profits in each jurisdiction can maintain the trust and confidence of their stakeholders and minimize the risk of reputational damage.
By complying voluntarily with PIPEDA, charities and not-for-profits can also avoid accidentally breaching PIPEDA requirements if certain activities are later held to be commercial, thereby avoiding related fines and penalties under the legislation.
With the growing emphasis on proper handling of privacy information, as well as stakeholder awareness of privacy issues, charities and not-for-profits should consider voluntary compliance with PIPEDA.
For more information about the application of privacy law to charities and not-for-profits, please contact Roland Hung or another member of Torkin Manes’ Technology, Privacy & Data Management Group, and Nathaniel Balakumaran or another member of Torkin Manes’ Not-for-Profit & Charities Group.
[1] Office of the Privacy Commissioner of Canada, “The Application of PIPEDA to Charitable and Non-Profit Organizations” online: <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/02_05_d_19/> [PIPEDA Application].
[2] SC 2000, c 5, s 2 [PIPEDA]. See also Office of the Privacy Commissioner of Canada, “Commercial Activity” online: <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_03_ca/>.
[3] Personal Information Protection Act, SBC 2003, c 63, at s 3(1) [“BC PIPA”]. For further information, see also Office of the Information & Privacy Commissioner for British Columbia, “A Guide to B.C.’s Personal Information Protection Act for Businesses
[4] Personal Information Protection Act, SA 2003, c P-6.5 at s 56 [“AB PIPA”].
[5] Office of the Information and Privacy Commissioner, “Review of the Personal Information Protection Act” online: <https://www.oipc.ab.ca/media/686362/PIPA_Review_Submission_Web_Feb2016.pdf> at 5.