Contributed By Gowling WLG LLP
In Canada, the protection of personal information is governed by a myriad of federal, provincial and sectoral legislation. There are two privacy laws in Canada at a federal level: the Privacy Act, which applies to federal public bodies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private-sector organisations.
British Columbia (BC), Alberta and Québec have enacted privacy legislation that applies to the private sector and has been declared substantially similar to PIPEDA. PIPEDA continues to apply to the activities of federal undertakings within these provinces, as well as to the transfer of personal information across national, provincial or territorial boundaries. There are additional privacy regimes for specific sectors, including personal health information and public-sector organisations.
Canadian privacy law requirements generally reflect the Organisation for Economic Co-operation and Development (OECD) privacy framework, applying principles such as accountability, identified purposes, consent, limiting collection and use, safeguards and openness.
Canada’s federal privacy legislation is overseen and enforced by the Office of the Privacy Commissioner of Canada (OPC). The provincial private-sector privacy legislation in BC, Alberta and Québec is enforced by the respective provincial privacy commissioners. In addition, each of the provinces has an Information and Privacy Commissioner that administers and enforces the freedom of information and protection of privacy laws applicable to public-sector bodies within that province, as well as the health information laws in that jurisdiction.
In the private sector, privacy legislation gives individuals the right to complain to the organisation and, through more formal administrative processes, to the applicable privacy commissioner. PIPEDA and the provincial legislation require organisations to have procedures and policies in place to receive and respond to such complaints, as well as other privacy-related enquiries. The OPC can investigate complaints, initiate an investigation on its own motion, make information public if it is in the public interest to do so, enter into enforceable compliance agreements with organisations and exercise discretion to refuse to initiate, or to discontinue, an investigation. Under PIPEDA, organisations may be fined up to CAD10,000 on summary conviction, and up to CAD100,000 on indictment.
An organisation in Canada may be bound by provincial and federal privacy legislation, as well as privacy legislation in other jurisdictions. For example, the General Data Protection Regulation (GDPR) in the European Union is applicable to many Canadian organisations, while at the same time these organisations continue to be bound by Canadian privacy requirements.
The European Commission (EC) has recognised PIPEDA as providing adequate privacy protection (ie, conferring adequacy status) since the promulgation of the law in 2001 and that status has since been reaffirmed.
Canada is a member of the APEC Cross-Border Privacy Rules System, along with Singapore, Japan, Korea, Mexico and the United States. Under the System, member countries voluntarily follow a set of commonly agreed rules based on the APEC privacy framework.
Canada has several industry self-regulatory bodies that primarily regulate advertising and marketing, but address data protection issues in that context. Advertising Standards Canada (ASC) is a self-regulatory body for the advertising industry that maintains the Canadian Code of Advertising Standards (the ‘ASC Code’). The Canadian Marketing Association (CMA) is a national non-profit corporation whose members are companies within major business sectors and marketing channels. The Digital Advertising Alliance of Canada (DAAC) is a consortium of national advertising and marketing trade associations. Many non-governmental organisations in Canada, including the International Association of Privacy Professionals (IAPP) and the Privacy and Access Council of Canada, provide education and advocacy on data protection issues.
The Canadian privacy framework generally reflects the OECD’s Guidelines for the Protection of Privacy and Transborder Flows of Personal Data (the ‘OECD Guidelines’). The OECD Guidelines embody the ‘fair information practices’ that underpin European data protection laws. Enforcement in the privacy sphere in Canada has been less aggressive than in some jurisdictions; however, Canada’s anti-spam laws are vigorously enforced with the potential for high fines.
Mandatory Data Breach Reporting under PIPEDA
Effective from 1 November 2018, organisations must report breaches of their security safeguards to the OPC where the breach presents a real risk of significant harm to an individual. In addition, the mandatory data breach provisions include a record-keeping requirement for all breaches including those that do not meet the harm threshold. A failure to report a breach could result in a fine of up to CAD100,000.
Guidelines on Meaningful Consent
Effective from 1 January 2019, two OPC guidance documents apply in relation to consent and data practices under PIPEDA: the Guidelines for obtaining meaningful consent, which outline seven guiding principles of consent, and the Guidance on inappropriate data practices under subsection 5(3) of PIPEDA.
The case of R v Reeves, 2018 SCC 56, highlighted the principle that an individual can maintain a reasonable expectation of privacy on a shared device (in this case, a computer).
Commentary and decisions from the OPC directly referencing the Guidelines on Meaningful Consent are anticipated, as are more public notices of privacy breaches under PIPEDA. Organisations are likely to face increased questions and scrutiny around their handling of personal information. More privacy complaints around the security and treatment of personal information in social media are also expected. With the legalisation of cannabis in Canada in 2018, privacy is likely to become a major focal point in employment-related litigation involving cannabis in the workplace. Public-sector privacy legislation, as well as Québec’s private-sector privacy legislation, is also under consideration for review.
PIPEDA and the provincial privacy laws in BC, Alberta and Québec require that organisations designate responsibility for compliance with applicable privacy legislation to one or more individuals and make their contact information available.
Data collection, use and processing must meet an overarching standard of reasonableness, and organisations generally must have the express or implied consent of the individual in order to process personal information. Consent must be knowledgeable, and collection must be by fair and lawful means and limited to what is necessary for identified purposes.
There has been no major integration of privacy by design or by default into privacy legislation to date; however, Canadian Privacy Commissioners frequently reference the concept and express the view that regard for data protection should form part of an organisation’s default mode of operation.
Privacy impact assessments (PIAs) are recommended for private-sector organisations, and are mandatory in the public sector and under certain provincial health information laws.
Private-sector privacy laws in Canada require organisations to develop internal and external policies and procedures with respect to the collection, use, disclosure and protection of personal information.
Individuals have the right to access and correct personal information, withdraw consent to the collection, use and disclosure of their personal information, and make complaints to the organisation.
There are no omnibus laws or general requirements specifically focused on anonymisation, de-identification or pseudonymisation. Some health information laws define ‘de-identified’ data. The OPC has suggested that pseudonymised data may remain personal information under PIPEDA and be subject to the Act.
Big Data analysis and the use of artificial intelligence are permitted subject to PIPEDA’s guiding principles. Canadian Privacy Commissioners have warned that profiling and automated decision-making may stigmatise individuals and violate human rights legislation.
The OPC co-sponsored the 2018 ‘Declaration on Ethics and Data Protection in Artificial Intelligence’ adopted at the 40th International Conference of Data Protection and Privacy Commissioners, which acknowledges that artificial intelligence can present challenges to privacy rights.
The OPC has issued Guidelines on Privacy and Online Behavioural Advertising (OBA), defined as the tracking of consumers’ online activities, across sites and over time in order to deliver advertisements targeted to their inferred interests. The Guidelines require an ‘opt out’ option, and prohibit tracking using ‘sensitive’ information and tracking of children.
Signatories to the Montreal Declaration for Responsible Development of Artificial Intelligence include the Québec privacy commission (Commission d’accès à l’information).
The concept of ‘injury’ or ‘harm’ is directly relevant to privacy-breach reporting. In addition, organisations must generally obtain the express consent of the individual when the collection, use or disclosure of personal information creates a meaningful residual risk of significant harm.
Canadian privacy legislation typically requires organisations to obtain clear express consent to the collection, use or disclosure of sensitive data and to adopt heightened security. An organisation must take additional precautions to ensure that the collection, use and disclosure of sensitive information is reasonable in the circumstances and limited to that which is necessary to achieve the purposes disclosed to the individual. There is no statutory definition of ‘sensitive’ data; sensitivity depends on the context. However, certain categories of information, including health or financial information, will generally be considered sensitive. Collection of specific types of sensitive information (eg, social insurance numbers) may be limited.
Financial data is generally considered sensitive and therefore requires express consent for its collection, use and disclosure.
The collection, use and disclosure of health data by prescribed organisations (‘custodians’ or ‘trustees’) is governed by provincial legislation. The following provinces have adopted health-information legislation – Alberta, Saskatchewan, Manitoba, Ontario, Québec, New Brunswick, Newfoundland and Labrador, Nova Scotia, Prince Edward Island, and Yukon.
The jurisprudence and decisions of Canadian Privacy Commissioners apply a broad definition of personal information that includes IP addresses and other forms of metadata when this information can be associated with an identifiable individual. As with other categories of personal information, the organisation must obtain the individual’s informed consent before collecting, using or disclosing such data. Implied consent of the individual may be sufficient for certain activities, such as internet traffic management, while other more sensitive uses of data, such as profiling and targeting, may require express consent.
There is no specific privacy legislation that governs other categories of sensitive data (eg, union membership, sexual orientation, political or philosophical beliefs); however, increased consent requirements and heightened security measures may be applicable, and organisations must be mindful of human-rights law requirements, including Charter requirements. The collection, use and disclosure of genetic information is governed by the Genetic Non-Discrimination Act.
The creation of a database of biometric characteristics and measurements must be disclosed to the Québec privacy commission (Commission d’accès à l’information). The existence of such a database must be disclosed to that commission whether or not it is in service.
Text messaging is governed by Canada’s Anti-Spam Law (CASL), which creates a restrictive regime for the sending of commercial electronic messages, including requirements for prior consent and prescribed message contents. The use of telephone numbers also continues to be governed by consent requirements and other requirements of privacy laws.
The Federal Court of Appeal has determined that collection of employee voiceprint data to facilitate the use of voice-command software is reasonable for that purpose, but consent must be obtained prior to collection of the data and may be withheld by the employee.
Canadian law does not require implementation of a ‘do not track' feature; however, website operators must allow visitors to opt out of online behavioural advertising. Technologies that do not provide an opt-out ability (eg, zombie cookies, super cookies, device fingerprinting) are prohibited.
‘Opt-out’ consent is sufficient for behavioural advertising and it is strongly recommended that cookie banners or similar technologies be used to inform the website user of tracking. Express consent is required for tracking using ‘sensitive’ information such as health or financial data. Behavioural advertising cannot be used on websites aimed at children.
Internet search history is considered ‘personal information’ for the purposes of Canadian privacy law.
Video and Television
Video images are ‘personal information’ for which consent is required. The OPC’s ‘Guidelines for Overt Video Surveillance in the Private Sector’ require organisations to:
Separate guidelines for covert video surveillance focus on the limited circumstances in which such surveillance may be used and emphasise secure storage and disposal. The guidelines for video surveillance in public places by law enforcement stress that use must be limited to situations where it is required to ‘address a real, pressing and substantial problem’ in the absence of ‘a less privacy-invasive alternative.’
Radio and television broadcasting is governed by laws and regulations administered by the Canadian Radio-Television and Telecommunications Commission (CRTC) and by standards administered by the Canadian Broadcast Standards Council.
Social Media, Search Engines, Large Online Platforms
There is no specific federal regulation of social media, search engines, or other large online platforms in Canada. The Québec Act to Establish a Legal Framework for Information Technology provides some liability protection for intermediaries regarding content posted or shared by their users.
Right to Be Forgotten (or of Erasure)
It is unclear whether Canadian law includes a ‘right to be forgotten’ as the concept is understood and enshrined in Europe. In October 2018, the OPC directed a reference to the Federal Court to seek clarity on whether a search engine is subject to federal privacy law when it indexes web pages and presents search results in response to queries of a person’s name. The OPC has taken the view that PIPEDA provides for a right to de-indexing in certain cases, including web pages that contain inaccurate, incomplete or outdated information.
Addressing Hate-Speech, Disinformation, Abusive Material, Political Manipulation, etc
Hate-speech, disinformation, abusive materials and political manipulation are not specifically addressed in privacy legislation but may be prohibited by other laws. Hate propaganda is prohibited by sections 318 to 320.1 of the Criminal Code. The glorification of terrorism is a criminal offence under section 83.221 of the Criminal Code. It is a crime knowingly to publish, distribute or transmit an ‘intimate image’ of a person without their consent (section 162.1 of the Criminal Code). In late 2018, amendments to the Canada Elections Act were passed that, once in force, will make it illegal to transmit or publish material falsely purporting to be from a political party or candidate, or the chief electoral officer.
Canadian privacy law does not currently mandate a right to data portability; however, in 2018 the federal Standing Committee on Access to Information, Privacy and Ethics recommended PIPEDA be amended to provide such a right.
In 2018 the federal Standing Committee on Access to Information, Privacy and Ethics recommended that the government consider amending PIPEDA to include a right to de-indexing, broader audit and enforcement powers, and clear obligations to destroy personal information.
Under PIPEDA, consent for the collection, use and disclosure of personal information must be meaningful, and valid consent requires a reasonable expectation that the consenting individual can understand the nature, purpose and consequences of the collection, use or disclosure. Children may be unable to provide meaningful consent; parent/guardian consent is therefore generally considered to be required for children under the age of 13. Consent of both the child and the parent/guardian may be required for ages 14 and 15. Collection of children’s information must be limited to information necessary for the service offering, and notices directed at older children must explain practices in an age-appropriate manner. Organisations that incorporate privacy consents into terms and conditions should consider that agreements entered into by minors may not be enforceable. Further, organisations cannot use ad tracking/behavioural advertising technologies on websites aimed at children.
Educational or school data
Educational institutions are generally subject to provincial legislation applicable to the public sector, as well as various Education Acts governing student records.
In July 2014, a separate regime for regulating commercial electronic messages (CEMs) came into force in Canada, enforced primarily by the CRTC. The Act is referred to as Canada’s Anti-Spam Law (SC 2010, c. 23) (CASL). CASL establishes a restrictive consent-based regime for CEMs, including email, text, SMS and direct messages to electronic accounts. CASL prohibits sending CEMs in the absence of express or implied consent. Express opt-in consent must be obtained using a prescribed format. Implied consent is only valid if it falls within the narrow defined classes of ‘existing business relationships’ or ‘existing non-business relationships’, or other defined classes. The law imposes specific disclosure requirements within messages, including a prescribed form of unsubscribe mechanism. Penalties may be up to CAD10 million. The CRTC has vigorously enforced the law and levied significant fines. The Unsolicited Telecommunications Rules apply to unsolicited telephone calls made for the purpose of solicitation. These rules include registration, call script and do-not-call-list requirements.
Due to constitutional limitations, PIPEDA only applies to the personal information of employees of federally regulated organisations such as banks, airlines and telecommunications companies. Provincial privacy legislation in Québec, Alberta and BC applies to the personal employee information of all organisations within the province. The statutes generally permit employers to collect, use or disclose ‘personal employee information’ without the consent of the employee if it is reasonably required for the purposes of establishing, managing or terminating an employment relationship, and if notice of the collection, use and disclosure is provided to the employee. PIPEDA and the BC and Alberta statutes exclude business-contact information used for business purposes from the scope of the law, but the Québec Private Sector Act does not expressly exclude information relating to ‘professional/employment status’ such as an individual's name, title, business address or work telephone number. Human-rights laws also restrict the manner in which organisations conduct and use background checks, and govern the collection and use of personal characteristics for hiring and employment decisions.
PIPEDA does not establish a legal standard to be met to find a privacy complaint ‘well-founded’. Section 14 of PIPEDA allows a complainant to pursue an alleged breach of PIPEDA in the Federal Court. This is a de novo procedure and the burden is on the complainant to file evidence to show a breach of the PIPEDA, which is assessed on the balance of probabilities.
Warrantless access to personal information is generally unlawful.
Section 8 of Canada’s ‘Charter of Rights and Freedoms’ protects the citizen’s right to a reasonable expectation of privacy. If a reasonable expectation of privacy exists, including informational privacy (patterns about how one thinks, financial habits, race, gender, viewpoints, etc), then a search by authorities may breach section 8 if it is unauthorised by law, unreasonable or carried out unreasonably. Part VI of the Criminal Code criminalises the interception, retention and use of personal communications except in defined circumstances.
The Canadian Security Intelligence Service (CSIS) is Canada's domestic security intelligence agency, the activities of which are governed by the Canadian Security Intelligence Service Act (CSIS Act). Prior judicial authorisation is required for CSIS to use investigative techniques that engage an individual's reasonable expectation of privacy under section 8 of the Charter.
CSIS is required to conduct its activities in accordance with the Privacy Act and the Charter, and the CSIS Act contains certain requirements relating to collection, use, retention and disclosure of information. To obtain a warrant under the CSIS Act, the standard of ‘reasonable grounds to believe’ must be met.
Foreign government requests are not a legitimate basis for organisations to collect personal data. However, private-sector privacy laws may allow disclosure of personal information without consent under specified circumstances. For example, section 7(3)(c) of PIPEDA permits disclosure without consent if the organisation is “required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records”.
Some public-sector legislation address disclosure of personal information pursuant to a foreign request. For example, BC and Nova Scotia provide that the public body must notify the Minister of Justice of foreign demands for disclosure. Alberta’s public sector law prohibits disclosure pursuant to a subpoena, warrant or order issued or made by a court, person or body having no jurisdiction in Alberta to compel the production of information, or pursuant to a rule of court that is not binding in Alberta.
The proposed Bill C-59, an Act respecting national security matters (which includes the proposed ‘Communications Security Establishment Act’), would “allow Canada’s cybersecurity agency to conduct defensive and active cyber operations as a way to mitigate or neutralize attacks against Canada.” There is opposition to the Bill on the grounds that it would expand the limited mandate of the Communications Security Establishment (CSE) in a manner that would permit the agency to direct its activities at Canadians or persons in Canada, although the agency rejects this contention.
Private-sector privacy laws do not generally prohibit the transfer of personal information outside of Canada. However, organisations must notify the individual of the transfer and of the fact that law enforcement and other authorities in the foreign jurisdiction may access their personal information, and must contractually oblige the recipient to provide comparable protection for the data. Alberta’s law contains specific notification requirements relating to the jurisdiction of the transfer. Government bodies in BC and Nova Scotia are subject to statutory prohibitions on transfers, and industry-specific requirements may also apply. For example, the Superintendent of Financial Institutions can require a bank to retain information in Canada in certain cases, such as where an international transfer would be incompatible with the fulfilment of the Superintendent's responsibilities.
There is no single set of contractual provisions or corporate rules applicable to international data transfers. Canadian privacy law generally does not distinguish between transfers of personal information within a corporate group and transfers between unrelated companies. Organisations remain accountable for information they transfer to third parties for processing, including outside Canada, and normally use contractual means to require the recipient to provide comparable protection for the information while it is being processed.
Data transfer agreements do not need approval from governmental regulatory authorities. Such agreements are used to provide adequate security for personal information and allow organisations to meet their privacy obligations. However, the OPC has not approved precedents for these agreements.
Restrictions on the transfer of personal information outside of Canada may exist in certain sectors or situations. The most commonly encountered statutory prohibitions on transferring personal information outside of Canada apply to government bodies in the provinces of British Columbia and Nova Scotia. Government bodies in these provinces must retain information in Canada, unless they obtain the written consent of the data subject.
Other industry-specific requirements may also apply. For example, the Superintendent of Financial Institutions can require a bank to retain information in Canada in certain cases, such as where an international transfer would be incompatible with the fulfilment of the superintendent's responsibilities.
In the government procurement context, many public bodies impose contractual restrictions on service-providers that require the service-provider to store and access personal information under the custody and control of the public body from within Canada only.
Canadian privacy laws do not create any requirements to share code or algorithms with the government, outside of what may be part of another valid legal process (eg, subpoena in the course of a public inquiry). There are discussions in academia about creating a regulatory authority responsible for the oversight of algorithms, but no policy or legislation has yet been set forth.
Foreign government access requests are not among the purposes for which organisations are permitted to collect personal data. Canada’s privacy laws are premised on the need for the consent of the individual to the collection of data about him or her; collection at the request of foreign governments is antithetical to the principle requiring consent. That said, Canadian government institutions may request the disclosure of personal information from organisations subject to PIPEDA where such information is required for the enforcement of foreign laws.
Disclosure of information for the purposes of foreign civil proceedings, generally speaking, requires letters rogatory from a foreign court, supported by an order from the appropriate Canadian court. Canadian courts have the power to issue orders to compel the production of information, including for the purposes of discovery in civil proceedings.
Canada has several blocking statutes intended to prevent the removal of documents from Canada. These include Ontario’s Business Records Protection Act and Evidence Act, and the federal Foreign Extraterritorial Measures Act and Evidence Act.
Big Data analytics are permitted, but are subject to PIPEDA’s guiding principles (including consent, limiting collection and use of data and transparency in the purpose for which data is collected and used). Information used to track and/or profile individuals has been found to constitute personal information that is subject to privacy law.
While the practice of profiling and automated decision-making (including autonomous vehicles) is not illegal in itself, Canadian privacy commissioners have warned of the danger that this practice may stigmatise individuals and affect their access to services. This could violate other laws, including human rights' legislation.
The use of artificial intelligence is permitted, subject to PIPEDA’s guiding principles (including consent, limiting collection and use of data and transparency in the purpose for which data is collected and used).
Canadian privacy legislation does not expressly address the Internet of Things (IoT). Personal information collected by devices connected to the IoT is subject to PIPEDA’s guiding principles (including consent, limiting collection and use of data and transparency in the purpose for which data is collected and used).
A recent report by the Canadian Senate’s Standing Senate Committee on Banking, Trade and Commerce called on the Government of Canada to develop standards to protect consumers, businesses and governments from threats related to Internet of Things devices.
Canadian privacy legislation does not expressly address facial recognition technology, but the images collected by such technology are subject to PIPEDA’s guiding principles (including consent, limiting collection and use of data and transparency in the purpose for which data is collected and used). In 2018, the OPC opened an investigation into whether the use of such technology in Canadian shopping malls complies with PIPEDA.
Biometric data, including fingerprints and voiceprints, has been found to constitute personal information for the purposes of PIPEDA. It is therefore subject to PIPEDA’s guiding principles (including consent, limiting collection and use of data and transparency in the purpose for which data is collected and used).
Geolocation data has been found to create personal information as defined by PIPEDA, to the extent that it links location data to particular individuals. It is therefore subject to PIPEDA’s guiding principles (including consent, limiting collection and use of data and transparency in the purpose for which data is collected and used).
Drone surveillance is permitted by Canadian privacy law but the collection and use of the data captured by drones is subject to privacy-law requirements. See the ‘Video and Television’ sections in 2.2 Sectoral Issues.
Canada does not have national or subnational cyber-security laws per se, though data-privacy laws require organisations to protect personal information with appropriate security measures, and several sector- and industry-specific regulatory bodies in Canada impose requirements relating to cyber-security. Several Canadian data privacy laws impose mandatory data breach reporting and notification requirements, including PIPEDA, the federal law applicable to private sector organisations. Mandatory breach reporting and notification requirements federally under PIPEDA have been in force since 1 November 2018, and Alberta has comparable provisions under PIPA. Organisations that are subject to regulation under provincial health information laws in several jurisdictions are also required to report breaches and notify individuals of breaches involving personal health information, including in Ontario, New Brunswick and Newfoundland and Labrador.
Additionally, federal legislation of general application addressing certain aspects of cyber-security includes:
Cyber-security in Canada is generally addressed by the federal and provincial privacy laws applicable to private, public and health sector organisations, which require organisations to take measures to safeguard personal information that is under the custody and control of the organisation.
In late 2018, the federal government launched the Canadian Centre for Cyber Security (CCCS). This agency consolidates prior government cyber-security operational units and its mandate includes:
The CCCS replaced Public Safety Canada as the governmental portal for Canadians seeking information on cyber-security, identity theft and related issues. The CCCS will also assert the government’s leadership role in cyber-security, collaborating with owners of critical infrastructure, industry and other levels of government, and playing the role of technical authority.
The OPC administers and enforces PIPEDA as well as the federal Privacy Act applicable to federal public bodies. Each of the provinces and territories has a privacy commissioner that administers and enforces the public-sector, private-sector and health-sector laws applicable to organisations operating within the province or territory, where such laws exist. Under PIPEDA and Alberta PIPA, the OPC and the Alberta Information and Privacy Commissioner respectively administer and enforce the mandatory breach reporting and notification requirements under those laws, and failure to report and notify in accordance with the law is an offence subject to penalties. Decisions issued by the privacy commissioners federally and in the provinces may also assess whether an organisation has breached the accountability principle or the requirement to safeguard personal information as a result of having inadequate security measures.
Financial regulators within Canada have issued framework documents, notices, guidance and memoranda to address cyber-security requirements to be addressed by the entities whom they regulate.
The Bank of Canada, the country’s central bank, has regulatory oversight of financial market infrastructures (FMIs) and applies to FMIs the G7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector in order to assess whether FMIs are taking appropriate measures to address cyber-security threats.
The Office of the Superintendent of Financial Institutions (OSFI), an independent federal government agency that regulates and supervises federally regulated financial institutions, including all banks in Canada as well as various trust and loan companies, insurance companies and pension plans, issued a memorandum in October 2013 that provided ‘cyber-security self-assessment guidance.’ OSFI may review the cyber-security practices of institutions subject to its regulation during its supervisory assessments.
Other financial services self-regulatory entities, including the Canadian Securities Administrators (CSA), the Investment Industry Regulatory Organization of Canada (IIROC) and the Mutual Fund Dealers Association of Canada (MFDA), have published guidance on cyber-security and reporting.
Energy is another sector within Canada that has taken measures to address cyber-security. The Ontario Energy Board (OEB) has mandated licensed electricity transmitters and distributors in Ontario to use an industry-developed Ontario Cyber Security Framework through a Notice of Amendments to the Ontario Transmission System Code and Distribution System Code. As of June 2018, transmitters and distributors were required to report to the OEB on their cyber-security readiness and to provide self-certification to the OEB on an annual basis.
In 2012, the Canadian Nuclear Safety Commission initiated the development of Canadian Standards Association (CSA) N290.7-14, ‘Cyber Security for Nuclear Power Plants and Small Reactor Facilities.’ This standard requires Canadian nuclear operators to adopt cyber-security measures for specifically identified IT systems.
Federal government departments and agencies in Canada are required to ensure the security of information and information technology assets by virtue of ‘The Operational Security Standard: Management of Information Technology Security.’
There are also numerous regulatory bodies in specific sectors that have enacted mandatory and/or voluntary guidelines and standards for cyber-security protection (financial sector guidelines are addressed in the next section), as follows:
Federal Government – ‘The Operational Security Standard: Management of Information Technology Security’ (MITS).
The standard defines baseline security requirements that federal government departments must fulfil to ensure the security of information and information technology (IT) assets under their control. IT security is defined to include the “safeguards to preserve the confidentiality, integrity, availability, intended use and value of electronically stored, processed or transmitted information” as well as the “safeguards applied to the assets used to gather, process, receive, display, transmit, reconfigure, scan, store or destroy information electronically.”
Ontario Energy Board – ‘Notice of Amendments to the Ontario Transmission System Code and Distribution System Code’ to require licensed electricity transmitters and distributors in Ontario to use an industry-developed Ontario Cyber Security Framework
The Code amendments require licensed electricity transmitters and distributors to use the Ontario Cyber Security Framework to report on their cyber-security readiness and to provide self-certification to the OEB on an annual basis, beginning in June 2018.
Canadian Nuclear Safety Commission – ‘CSA N290.7-14 Cyber Security for Nuclear Power Plants and Small Reactor Facilities’
The Canadian Nuclear Safety Commission (CNSC) is the federal body that regulates the use of nuclear energy and materials to protect the health, safety and security of Canadians and the environment, and to implement Canada's international commitments on the peaceful use of nuclear energy. In 2012, the CNSC initiated the development of Industrial Control Systems (ICS) cyber-security requirements through the Canadian Standards Association, a Canadian standards development organisation that develops consensus-based standards with representation from government, industry and other stakeholders.
The ‘CSA N290.7-14 Cyber Security for Nuclear Power Plants and Small Reactor Facilities’ standard is mandatory for the Canadian nuclear operators to whom it applies, and may provide non-mandatory guidance for other nuclear facilities. It addresses cyber-security for specific computer systems and components, including systems important to nuclear safety, nuclear security, emergency preparedness, production reliability and safeguards. It also addresses auxiliary assets or systems which, if compromised, exploited, or failed, could adversely impact all of the above.
There are no de jure technical standards around cyber-security in Canada. Public Safety Canada endorses the NIST framework developed by the United States’ Department of Homeland Security and the National Institute of Standards and Technology. Other commonly used standards are ISO 27001, COBIT and ITIL.
Canadian private sector privacy laws require organisations to provide security for the personal information they hold, and to protect such information against loss or theft, as well as unauthorised access, disclosure, copying, use or modification. Security safeguards must be appropriate to the sensitivity of the information, such that highly sensitive information, such as financial or health information, will require higher security.
While Canada’s private-sector privacy laws impose an obligation to provide appropriate security to personal information, including physical, organisational and technological protection measures, they do not prescribe specific security measures. Rather, organisations must determine the appropriate protection based on the nature of the information they hold. Appropriate security may include the implementation of protection measures such as the use of firewalls, hashing and encryption of sensitive information, and intrusion detection systems. Certain information classes may also require compliance with relevant industry standards, such as the Payment Card Industry Data Security Standard.
The relevant data privacy regulators direct organisations to assess periodically the personal information they hold, their security measures, and potential and emerging threats, to ensure they meet their statutory obligation to provide appropriate security to personal information. Appropriate security measures also require that organisations establish a process to respond to security incidents.
There are no formal legal requirements governing the content of incident-response plans. Various industry regulators and advisory bodies provide advice to members on the content of plans. In general, while the content is not regulated, it is necessary and important for organisations to have incident-response plans.
As discussed above, while Canadian law does not have a concept of the data protection officer per se, PIPEDA and the provincial privacy laws in British Columbia and Alberta (deemed substantially similar to PIPEDA) require that organisations designate responsibility for compliance with applicable privacy legislation to one or more individuals.
There are no formal legal requirements requiring or governing board-level involvement in cyber-security planning or incident response per se. It is generally accepted in the Canadian cyber-security community that board-level awareness and involvement is necessary and important. The Investment Industry Regulatory Organization of Canada, for example, has advised its members that it views board and senior management-level involvement in members’ cyber-security programmes as critical.
There is no general legal requirement that private-sector organisations take these steps.
All federal government institutions subject to the federal Privacy Act are required to conduct privacy impact assessments (PIAs). Heads of such institutions are required to establish a PIA development and approval process that:
Ontario’s Information and Privacy Commissioner (IPC) provides detailed guidance for institutions subject to the province’s Freedom of Information and Protection of Privacy Act (FIPPA), Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), and Personal Health Information Protection Act 2004 (PHIPA). While these institutions are not required to file PIAs with the regulator, the IPC notes that with respect to institutions governed by PHIPA, their PIAs may be used by the IPC as a starting point for investigations into privacy breaches.
Various other provincial statutes (for example, British Columbia’s Freedom of Information and Protection of Privacy Act and Alberta’s Health Information Act) mandate conducting PIAs.
There are no formal legal requirements with respect to insider-threat programmes. Public Safety Canada identifies the insider threat as one of five categories of threats responsible for the majority of cyber incidents.
There are no formal legally binding requirements with respect to vendor and service-provider due diligence, oversight and monitoring.
There are no formal legally binding requirements with respect to training.
Canada is one of 55 countries (as of May 2017) that have signed and ratified the Budapest Convention (Council of Europe 2017), a multilateral treaty focused specifically on cyber-crime. Canada also belongs to the Global Forum on Cyber Expertise, a platform for countries and companies to exchange best practices and expertise in cyber-security.
Canada is also a member of the Organisation for Economic Co-operation and Development (OECD). The development of Canadian privacy law has been heavily influenced by the OECD’s ‘Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.’
Canadian privacy legislation requires organisations to take reasonable steps to safeguard personal information in their custody or control from risks such as unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction.
Canadian privacy law does not contain any requirements specific to material business data, networks or systems.
Public Safety Canada identifies several federal statutes as integral to the protection of critical infrastructure, including the:
None of these Acts contains provisions unique or specific to critical infrastructure.
The Access to Information Act and the federal Privacy Act list the Office of Infrastructure Canada as one of the government institutions subject to those Acts’ requirements.
The Emergency Management Act tasks the Minister with identifying risks to critical infrastructure and with preparing, testing and conducting training related to emergency management plans.
Canadian privacy law does not contain any requirements specific to service attacks.
Canadian privacy law does not contain any specific requirements in respect of other data or systems.
Amendments to PIPEDA that came into force on 1 November 2018 create mandatory data-breach reporting at the federal level. These amendments require organisations to report breaches of their security safeguards to the IPC where the breach presents a real risk of significant harm to an individual. In addition, mandatory data-breach provisions include a record-keeping requirement for breaches of their security safeguards in circumstances where the breach is not reportable.
Prior to the amendments to PIPEDA, Alberta was the only province with mandatory breach notification. However, a failure to appropriately notify data subjects of a breach in other jurisdictions may be investigated by the applicable privacy commissioners and may form the basis for a conclusion that a privacy complaint is well-founded.
Organisations subject to health information legislation in applicable provinces are required to report breaches to provincial privacy commissioners.
The IIROC has also proposed amendments to the Dealer Member Rules and to a Dealer Member Rules Plain Language Rule Book to require mandatory reporting of a cyber-security incident to the IIROC.
A breach of security safeguards is defined in PIPEDA as the loss of, unauthorised access to, or unauthorised disclosure of personal information resulting from a breach of an organisation’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.
PIPEDA’s breach-reporting and notification requirements do not cover specific data elements but rather are defined by reference to ‘personal information,’ which is broadly defined to include any information about an identifiable individual. The requirements to report and notify are, however, subject to the standard of a ‘real risk of significant harm.’
PIPEDA’s breach-reporting and notification requirements do not apply to specific systems.
Currently there are no requirements in force specific to medical-device security. However, on 7 December 2018, Health Canada issued a ‘Draft Guidance Document – Pre-market Requirements for Medical Device Cyber-security,’ which was distributed for comment purposes. The guidance notes that medical devices may be vulnerable to unauthorised access, and that Health Canada considers cyber-security vulnerabilities in medical devices as a potential risk to patients that must be mitigated or eliminated by manufacturers of medical devices.
Canadian privacy law does not contain any requirements specific to the IoT. Incidents involving IoT devices are subject to the general requirements with respect to incidents concerning personal information.
Canadian privacy law requires the reporting of cyber-incidents under defined circumstances to the applicable federal or provincial privacy commissioner.
Canadians are encouraged to report cyber-crimes to local law-enforcement agencies or the Royal Canadian Mounted Police, and to report cyber-incidents to the Canadian Centre for Cyber Security.
Canadian privacy law requires the reporting of cyber-incidents under defined circumstances to the individual whose personal information has or may have been compromised.
Where an incident merits reporting to the OPC pursuant to PIPEDA, PIPEDA requires organisations to report incidents to other organisations or government institutions where notification may reduce risks or mitigate harm.
Under PIPEDA, breach-reporting and notification obligations are triggered where there is a ‘real risk of significant harm’ (RROSH) to an individual. To assess whether RROSH exists, the organisation will be required to consider:
As outlined previously, sensitive information is not defined in PIPEDA. However, the concept is discussed in Principle 4.3.4 of PIPEDA, as follows:
“Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.”
A number of factors will be considered in assessing the probability of the information being misused, including:
Canadian privacy law does not deal specifically with tools for network-monitoring.
Sharing of cyber-security information with the government is encouraged in Canada. The Canadian Centre for Cyber Security (CCCS) collaborates with private-sector organisations and shares threat information with private organisations through the Canadian Cyber Threat Exchange (CCTX).
A joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner found, with respect to the pre-breach state of an online dating website:
As the company was on the way to improving its security by the time the report came out, the OPC resolved the complaint via a compliance agreement requiring the company to take significant further steps to bring itself into compliance.
Several data-breach class actions are underway in Canada, often in parallel with similar US actions. These are at various procedural stages. For instance, Yahoo has been named in three Canadian class actions relating to cyber-breaches; a Quebec action survived a stay motion and awaits certification; a BC action awaits a hearing on both certification and a stay in favour of an Ontario action; and the Ontario action awaits certification.
One such case has proceeded to the stage of a court-approved settlement. In Lozanski v The Home Depot Inc (2016) ONSC 5447 (CanLII), the court approved the settlement of a CAD5 million action on the basis of:
The settlement was approved because there was no evidence of class members suffering actual losses, the company had responded to the breach in a “responsible, prompt, generous, and exemplary fashion,” and, despite the fact that a breach had occurred, there appeared to be no evidence of actual wrongdoing by Home Depot.
Privacy as it relates to immigration has become a hot topic. There is broad information-sharing between various countries and within government departments in Canada. For example, Canada and the US have a treaty that permits systematic information-sharing between the countries, including sensitive biometrics and biographic data. Canada also shares biometric information with country partners including Australia, New Zealand and the UK. Canada’s extended biometrics programme has resulted in increased personal information being collected from citizens around the world coming to Canada on a temporary or permanent basis, with limited exceptions.
Canada Border Services Agency (CBSA) officers have broad discretion and inspection and examination powers at ports of entry. The security and safety priorities at the border result in a lowered expectation of privacy, including the ability of CBSA officers to search personal information contained on electronic devices, collect personal information of travellers, and review physical documents. Although there are directives in place regarding the ability of a CBSA officer to conduct basic and advanced searches of electronic devices, travellers concerned about the collection, use and disclosure of their personal information should take precautions.