in my personal opinion, potentially unconstitutional.
This November, a new Canadian Data Privacy Law went into effect, called PIPEDA. (The Personal Information Protection and Electronic Documents Act).
PIPEDA is similar to other privacy laws in that organizations "must obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy." Personal information—including identifiers such as name and age, medical records, financial data and even opinions and evaluations—that is collected under a commercial activity (business transactions, fundraising activities or memberships, for example) falls under PIPEDA protection. Personal information collected for government or by an employer are not covered.
Penalties are much lighter for PIPEDA than other privacy regulations. Data breaches are to be reported to the Office of the Privacy Commissioner (OPC). Failure to report a breach to both the OPC and to the affected customers or no record of total data breaches is kept can cost organizations fines as much as $100,000. One thing that makes PIPEDA stand out from other privacy regulations with a national or global scope is that it may not cover all of Canada.
It is important to note, that organizations that already meet the standards of GDPR and any U.S. laws are considered to be compliant with PIPEDA.
For more information, click here!