Contributed By Fasken
Laws and Regulations
There are no private sector laws of general application focused primarily on the provision of cloud services to the private sector in Canada, but other Canadian laws apply to the provision of such cloud services. Applicable laws include those relating to the processing and protection of personal information and some which impose industry-specific requirements, such as requirements governing the use of cloud services by federally regulated financial organisations, requirements that certain records of federally regulated financial organisations be located in Canada, and laws regarding personal health information.
The Office of the Superintendent of Financial Institutions (OSFI) is the Canadian federal regulator that supervises and regulates federally registered banks and insurers, trust and loan companies and private pension plans subject to federal oversight. OSFI has issued Guideline B-10, "Outsourcing of Business Activities, Functions and Processes", which specifies certain OSFI expectations for federally regulated entities (FREs) that outsource one or more of their business activities to a service provider. OSFI has advised that these expectations also apply in respect of cloud services. While this section refers to cloud services and agreements in particular, the Guideline applies to all outsourcing arrangements. Under this Guideline, FREs are expected to:
The Guideline also contains a list of specific terms that OSFI expects an FRE to address in a cloud service contract. While Guideline B-10 is directed to federal entities, it has also been voluntarily adopted by many provincially regulated entities in the financial sector. In 2012, OSFI released a memorandum that confirmed that B-10 applies to cloud computing and that FREs should pay particular attention to: (i) confidentiality and security; (ii) contingency planning; (iii) location of records; (iv) audit and access rights; (v) subcontractors; and (vi) monitoring material outsourcing arrangements.
Under the Bank Act (Canada), the Trust and Loan Companies Act (Canada), the Insurance Companies Act (Canada) and the Cooperative Credit Associations Act (Canada), certain records of federally regulated financial organisations carrying on business in Canada must be maintained in Canada. In addition, an FRE is expected to ensure that OSFI can access, in Canada, any records necessary to enable OSFI to fulfil its mandate.
In 2019, OSFI released an advisory on Technology and Cybersecurity Incident Reporting, which sets out OSFI’s expectations in relation to the immediate and ongoing reporting of cybersecurity incidents. These expectations are in addition to the mandatory breach-notification requirements under Canadian privacy laws.
Personal Data Processing
In Canada, privacy and personal information are regulated by both federal and provincial legislation.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private sector organisations. The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with PIPEDA. The OPC has issued a number of guidelines and case summaries that provide non-binding guidance on the OPC’s interpretation of PIPEDA’s obligations.
PIPEDA applies in all provinces and territories in Canada, except where a province or territory has enacted substantially similar private-sector legislation (though PIPEDA continues to apply in those provinces in connection with federal “works, undertakings, and businesses” such as airlines, banks, and telecommunications companies). British Columbia, Alberta and Quebec have their own legislation that regulates the collection, use and disclosure of personal information in those provinces. In addition, Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have provincial legislation that regulates the collection, use and disclosure of personal health information. Each of these provinces has a regulator that oversees compliance with the provincial legislation. There are also public sector privacy laws that apply to the federal public sector and provincial laws that apply to the provincial public sector in each province.
Every aspect of privacy legislation might have some impact on the provision or use of cloud services. A comprehensive review of all privacy obligations is beyond the scope of this summary. Some key principles and cloud service issues are discussed below. The comments are based on PIPEDA and OPC guidance. A review of provincial laws and related guidance is beyond the scope of this summary.
PIPEDA became law in 2000. It is intended to protect the privacy of Canadians, and was originally designed to enable Canada to obtain an adequacy ruling under the 1995 European Union Data Protection Directive. Practitioners who are familiar with the Directive and now the GDPR will find similar concepts in PIPEDA (as of this writing, the adequacy decision issued in connection with the Directive remains in effect in relation to the GDPR).
Under PIPEDA, personal information means information about an identifiable individual. PIPEDA exempts from its requirements business contact information that an organisation collects, uses or discloses solely for the purpose of communicating with the individual in relation to the individual’s employment, business or profession.
The essence of PIPEDA is that, with some limited exceptions, the knowledge and meaningful consent of the individual are required for the collection, use or disclosure of their personal information. The purposes for which personal information is collected must be identified at or before the time of collection. The collection must be limited to only the personal information which is necessary for the identified purposes. Personal information can be retained only for as long as necessary for the fulfilment of those purposes. Personal information must be accurate, complete and up to date. Personal information must be protected by appropriate security safeguards. An organisation must be open about its policies and practices with respect to the management of personal information. Individuals have rights to access and correct their personal information, and to challenge an organisation’s compliance with these obligations.
It is a principle of PIPEDA that an organisation is responsible for personal information in its control, or its possession or custody, including information that has been transferred to a third party for processing. An organisation that transfers personal information to a cloud service provider remains primarily responsible for that personal information, and will want to ensure that the cloud services contract contains appropriate provisions to address all of the organisation’s responsibilities in relation to the personal information transferred to and processed by the cloud service provider.
In its guidance, the OPC states that: “Regardless of where the information is being processed – whether in Canada or in a foreign country – the organization must take all reasonable steps to protect it from unauthorized uses and disclosures while it is in the hands of the third party processor. The organization must be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times. It should also have the right to audit and inspect how the third party handles and stores personal information, and exercise the right to audit and inspect when warranted.”
PIPEDA requires that personal information be protected by security safeguards appropriate to the sensitivity of the information. The security safeguards must protect personal information against loss or theft, as well as unauthorised access, disclosure, copying, use or modification. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected; the amount, distribution, and format of the information; and the method of storage. More sensitive information should be safeguarded by a higher level of protection, particularly where large volumes of information are involved. The methods of protection should include:
PIPEDA case summaries provide some non-binding guidance on the OPC’s interpretation of these obligations.
An organisation will want to address the detail of a service provider’s security safeguards in the cloud services contract. When it investigates security breaches, the OPC will closely examine the safeguards in place at the time of the breach and the contractual requirements to implement and maintain safeguards in the cloud services contract.
Under PIPEDA, if there is any breach of security safeguards involving personal information under an organisation’s control, and if it is reasonable in the circumstances to believe that the breach creates a "real risk of significant harm" to an individual, then the organisation must report the breach:
An organisation is also required to keep a record of every breach of security safeguards involving personal information under its control, even if the breach does not create a real risk of significant harm to an individual (the Alberta privacy legislation also has its own separate data breach notification obligations).
An organisation will want to address the possibility of a breach of security safeguards within a service provider’s environment in the cloud services contract.
In Canada, there is some sensitivity to the possibility that foreign governments may be able to obtain access to personal information that is transferred outside Canada. For example, under the USA Patriot Act, the US government might be able to access the personal information of Canadians that is transmitted to the United States.
PIPEDA does not prohibit private sector organisations in Canada from transferring personal information to an organisation in another jurisdiction for processing. However, the OPC expects that organisations must assess the risks to the integrity, security and confidentiality of personal information when it is transferred to third-party service providers operating outside Canada. The OPC also expects that organisations will advise their customers that their personal information may be sent to another jurisdiction for processing and that, while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities of that jurisdiction.
(Alberta has additional specific notice requirements if personal information is transferred to a service provider outside Canada).
In 2019, the OPC launched consultations regarding its interpretation of PIPEDA’s requirements on transfers of personal information for processing, including transfers across borders. Ultimately, the OPC maintained the status quo but noted that PIPEDA’s protections are “clearly insufficient” and that the OPC will make recommendations "to strengthen the protections in a future law".
Risk and Liability
The main legal challenges for our clients when launching or using blockchain technology in Canada are broadly similar to those legal challenges of other software research and development companies (ie, fundraising; intellectual property strategies and protection; and the recruitment, retention and incentivisation of talent).
One key distinction is the set of legal challenges that surround a blockchain company seeking to sell cryptographic tokens to raise proceeds to fund the development of the project, to create a captive economy of native digital assets or to connect with and establish a community of would-be users of the to-be-developed blockchain protocol. In many cases the purpose of the sale of the tokens is all three outcomes, although that is becoming less common as the ecosystem of Canadian blockchain companies continues to adapt to the evolving regulatory and commercial environments surrounding Canadian blockchain projects.
When called upon to advise a Canadian blockchain company on its proposed sale of cryptographic tokens, our advice has principally focused on the question of whether or not the token will be considered a "security" for the purposes of Canadian securities laws. In order to provide such advice, we have concentrated primarily on:
To properly determine whether or not a specific token is a security for the purposes of the Securities Act (British Columbia) (the Securities Act), it is necessary to apply the test laid out by the Supreme Court of Canada in Pacific Coast Coin Exchange of Canada Ltd v Ontario Securities Commission 2 SCR 112, (1977) 2 BLR 212, 80 DLR (3d) 529 (SCC) (the Pacific Coast Coin Test). The Pacific Coast Coin Test is also used by the Canadian securities regulators (such as the British Columbia Securities Commission) to determine whether or not an instrument issued to a purchaser by an issuer is an "investment contract" within the definition of a security under the BC Securities Act and other Canadian securities laws.
The specific matters to be determined under the Pacific Coast Coin Test as to whether or not an investment contract exists for the purposes of the British Columbia Securities Act and other Canadian securities laws are as follows: there is an investment of money; in a common enterprise; with the expectation of profit; and the expectation of profit comes significantly from the efforts of others. If any one of the limbs of the Pacific Coast Coin Test is definitely not satisfied, then the Canadian securities regulators should (emphasis on should) determine that the token in question is not a security, and they will have no jurisdiction.
In addition, making such a determination with respect to the tokens in question requires consideration of CSA Staff Notice 46-307 – Cryptocurrency Offerings (SN 46-307) and CSA Staff Notice 46-308 – Securities Law Implications for Offerings of Tokens (SN 46-308) (the CSA is an organisation made up of all of Canada’s provincial and territorial securities regulators).
With respect to the guidance set forth in SN 46-307 and SN 46-308, we have frequently been called upon to review specific tokens and blockchain projects to make a determination on the particular characteristics of that token in the light of the guidance set forth in SN 46-307. The primary purpose of such a review is typically to determine which characteristics of the token in question would set it apart from what is considered a security (as the term is defined in the Securities Act and considered by members of the BCSC staff and other Canadian securities regulators in conjunction with the Pacific Coast Coin Test). An example of a token that might be distinguishable from a security, in reliance on the guidance set forth in SN 46-307, is a token which is effectively an application programming interface key allowing token holders to access and consume the application services on a blockchain platform (similar to a coin or token that allows a token holder to access and pay for a video game on a platform).
Furthermore, when considering the guidance set forth in SN 46-308 in respect of specific tokens, there is a list of 14 indicators of the existence (or not) of a security that has become something of a companion test to the Pacific Coast Coin Test. We are frequently called upon to assess each individual token, the proposed token sale mechanics and the blockchain protocol in line with the guidelines set forth in SN 46-308 and have found that as the Canadian blockchain industry has evolved, there are more and more examples of tokens that do not appear to be securities.
By contrast, many more Canadian blockchain companies are voluntarily invoking the Securities Act and self-selecting as a security in the hope of treading a more certain regulatory path. Such companies are proposing to conduct what they are calling an STO (or Security Token Offering). The reality is that the industry and its participants are quickly realising that a token with a singular or even a binary purpose is less attractive to purchasers and less useful in the long run, and does not realise the full capabilities of what a cryptographic asset on the blockchain could represent.
If a token proposed to be issued to a purchaser is determined to be an investment contract within the definition of a security under the Securities Act, the issuer would have to issue the security in connection with a filed prospectus or in connection with an exemption from the requirement to prepare and file a prospectus. If there is no prospectus filed or exemption from the requirement to prepare and file a prospectus in connection with such a distribution of tokens, it would be considered an unlawful distribution of securities by the relevant Canadian securities regulators.
Unlawful distributions of securities by a company are considered to be a breach under Section 155(1)(b) of the Securities Act and the company – and the employees, officers, directors or agents of that company – who authorise, permit or acquiesce in any unlawful distribution will be deemed to have committed the same breach pursuant to Section 155(4) of the Securities Act. Section 155(2) of the Securities Act states that the maximum liability for such a breach is a fine of not more than CAD3 million, or up to three years’ imprisonment, or both.
Notwithstanding the maximum liability under the Securities Act and depending on the severity of the breach, the British Columbia Securities Commission will more typically seek an Enforcement Order which, among other things, will result in the sanctioning and banning of directors and officers involved in the breach from acting as directors, officers or being engaged in investment activities, the cessation of trading of the securities of the company and some form of disgorgement of the proceeds of the sale of the securities in question (typically involving the rescission and/or associated refund of the token sales).
In a decentralised network where intellectual property is contributed by the "community" users and participants in a particular blockchain’s ecosystem, the ownership of such intellectual property can be called into question. In particular, ownership of the data sets shared by the community and of the development work conducted on the network is difficult to ascertain. Further, given the transparent nature of blockchain technology, the availability of the data stored on a particular blockchain, and of the access points to internally developed code for a particular network, opens up the opportunity for infringement of intellectual property on the blockchain.
At its core, blockchain technology is the concept of decentralisation which enables the "trustless" sharing of data. One of the key advantages of blockchain technology is that once data is recorded on a particular chain, it cannot practically be altered or removed. On the other hand, a key disadvantage is that such data may contain personal information or sufficient data to identify an individual, and because of the nature of blockchain, that data is replicated to every node that participates in the chain. The key legal challenge in the data-privacy space with respect to blockchain technology is that the inherent decentralisation, immutability and transparency of transactions on any one chain are not easily compatible with data privacy laws, in particular with retention limits and rights of correction and deletion.
Blockchain is an immature technology. Consistent with the nascent nature of such technology, service levels and performance standards are improving. However, transaction speeds still remain relatively slow and the computing power required to process such transactions remains relatively high and, therefore, more costly. For blockchain to achieve the level of ubiquity it is thought by some to be destined for in the business world and financial services industry, blockchain will require a higher degree of confidence in the quality and stability of the services.
Blockchain will also need to evolve and develop to a stage where it can offer the appropriate level of data security and protection to customers and participants in its ecosystem (similar to that provided by cloud providers).
Blockchain is inherently cross-jurisdictional. The decentralised nature of the technology requires participating nodes spread around the world. In most transactions by blockchain companies, simply identifying the governing law of such transactions might be a challenge. However, the majority of advice we give on jurisdictional issues to Canadian blockchain companies relates to proposed sales of cryptographic tokens to Canadians or from Canada to non-Canadians.
Rather than be subject to the scrutiny of the Canadian securities regulators, many Canadian blockchain companies decide to adopt an offshore corporate structure to conduct the sale of their cryptographic tokens. The Canadian securities regulators will have a say in this. For example, the British Columbia Securities Commission bases its jurisdictional determination on the location of a token issuer’s "mind and management" in applying the test contained in BC Instrument 72-702 – Distribution of Securities to Persons Outside of British Columbia (BCI 72-702). The following passage from BCI 72-702 is critical to any assertion of jurisdiction over sales of cryptographic tokens:
“A distribution of securities by an issuer with connections to British Columbia may, depending on the facts and circumstances surrounding the transaction, be subject to the Securities Act even if the initial purchaser is not located in British Columbia. There are two primary circumstances where an issuer must comply with the requirements of the Securities Act in making a distribution to a person outside the province. These are:
1. A Distribution from the Province – Where an issuer distributes securities from British Columbia, it must comply with the registration and prospectus requirements of the Securities Act or rely on exemptions from those requirements;”
The following passages from BCI 72-702 are also critical to a determination that a sale of cryptographic tokens would represent a "distribution of securities from the Province":
“The onus is on an issuer and its counsel to determine whether a distribution of securities to a person outside British Columbia is made from the province, based on the facts and circumstances of each particular transaction. The existence of any of the following factors would generally indicate that the distribution is made from British Columbia:
(i) the issuer’s mind and management is primarily located within British Columbia. This may be indicated if, for example, the issuer's head office or the residences of the issuer’s key officers and directors are located in the province;
(ii) the business of the issuer is administered from, and the operations of the issuer are conducted in, British Columbia; or
(iii) acts, advertisements, solicitations, conduct or negotiations in furtherance of the distribution take place in British Columbia (including any underwriting or investor relations activities).
The above examples are indicative of the types of factors that an issuer should consider in determining whether it is making a distribution from British Columbia. However, they should not be viewed as an exhaustive list.”
If the client company does decide to incorporate offshore and if we determine that that company’s token sale is likely to be considered an offering from British Columbia for the purposes of BCI 72-702 (ie, the mind and management of the offshore company is still considered to be primarily located in British Columbia), there are applicable prospectus exemptions for that token sale. In particular, BCI 72-702 contains the following relevant passage:
“Where an issuer makes a distribution from the province, it may rely on the general registration and prospectus exemptions in the Securities Act and Securities Rules. In certain circumstances, an issuer may also rely on special exemptions provided under BCI 72-503 and BCI 72-504.”
We have had success in such a context when employing the prospectus exemption contained in British Columbia Instrument 72-503 – Distribution of Securities Outside British Columbia (BCI 72-503) to offer cryptographic tokens to purchasers resident outside of Canada. The prospectus exemption contained in BCI 72-503 applies to issuers located in British Columbia (or outside British Columbia, but whose mind and management is inside British Columbia for the purposes of BCI 72-702) seeking to distribute securities outside of the province.
In order to rely on the prospectus exemption contained in section 3 of BCI 72-503 to effect a token sale, the client company would be required to fulfil the following conditions (which have been edited for relevancy):
In order to comply with the conditions set forth above and the filing requirements, the client company will need to determine with a commercially reasonable degree of comfort that the sale of a token into a particular jurisdiction complies with the securities laws of that jurisdiction.
In addition to the conditions set forth above, the client company would also have to ensure that, no later than ten days after the token sale is closed, it files with the British Columbia Securities Commission a report of exempt distribution in Form 45-106F1 and delivers to the British Columbia Securities Commission any offering material that the client company is required to file with the securities regulatory authority in any of the jurisdictions where the purchasers of tokens are located.
Big Data initiatives in Canada must balance the need to maximise the value of large data sets with the requirements of Canadian privacy laws. Holding large amounts of personal information can lead to challenges surrounding consent, transparency, accountability, and the requirement under Canadian privacy laws to limit the collection of personal information to that required for the purposes identified by the collecting organisation. Additionally, holding large volumes of personal information requires organisations to implement more stringent safeguards in order for them to be considered appropriate under Canadian privacy laws. Holding greater amounts of personal information about a greater number of individuals also increases the risks of a class action in the event of a data breach and the liability that would result from a breach.
To limit these risks, organisations are increasingly using de-identified and (in the case of big data using machine learning) synthetic data. De-identified and synthetic data that contain no personal information, and where there is no “serious possibility” that the information, alone or in combination with other information, can identify an individual (ie, be re-identified), are not subject to Canadian privacy laws. Using de-identified data, however, only reduces but does not eliminate risk, and the potential for re-identification increases as data sets grow and other data sets become available for matching. Further, statistical and computational methods that can re-identify data are becoming increasingly sophisticated and capable.
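The re-identification risk described above can be made concrete with a linkage attack: a "de-identified" data set that has had names stripped but keeps quasi-identifiers (here a forward sortation area, ie the first three characters of a Canadian postal code, birth year and sex) is joined against an auxiliary data set that carries the same attributes together with names. The following is an added example written for this page, not code from the original text or from Fasken; all records are constructed, and the generalisation and suppression routine is one simple way of raising the k-anonymity of a release, used here only to show the trade-off between re-identification risk and data utility.

```python
"""Linkage attack on a "de-identified" data set, and a simple k-anonymity fix.

Added example (constructed data, not from the original page). Names have been
removed from DEIDENTIFIED, but the remaining quasi-identifiers (FSA, birth year,
sex) are enough to link some records to the named people in AUXILIARY.
"""
from collections import Counter, defaultdict

# Quasi-identifiers: attributes that are not identifying alone but become so in combination.
QUASI_IDENTIFIERS = ("fsa", "birth_year", "sex")

# Constructed "de-identified" health records (direct identifiers stripped).
DEIDENTIFIED = [
    {"record_id": 1, "fsa": "V6B", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"record_id": 2, "fsa": "V6B", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"record_id": 3, "fsa": "T5K", "birth_year": 1951, "sex": "M", "diagnosis": "hypertension"},
    {"record_id": 4, "fsa": "H2X", "birth_year": 1990, "sex": "M", "diagnosis": "migraine"},
    {"record_id": 5, "fsa": "H2X", "birth_year": 1990, "sex": "M", "diagnosis": "anxiety"},
]

# Constructed auxiliary data set with names (the "other data set available for matching").
AUXILIARY = [
    {"name": "Alice Tremblay", "fsa": "V6B", "birth_year": 1984, "sex": "F"},
    {"name": "Brigitte Roy", "fsa": "V6B", "birth_year": 1984, "sex": "F"},
    {"name": "Carl Nguyen", "fsa": "T5K", "birth_year": 1951, "sex": "M"},
    {"name": "Dominic Lee", "fsa": "H2X", "birth_year": 1990, "sex": "M"},
]


def qi_key(row):
    """The quasi-identifier tuple that defines a record's equivalence class."""
    return tuple(row[q] for q in QUASI_IDENTIFIERS)


def k_anonymity(rows):
    """Size of the smallest equivalence class: the k in k-anonymity (k=1 means a unique record)."""
    counts = Counter(qi_key(r) for r in rows)
    return min(counts.values())


def link(deidentified, auxiliary):
    """Return {record_id: name} for records that can be re-identified with certainty.

    A link is certain only when the quasi-identifier combination is unique in BOTH
    data sets: unique in the de-identified set (so the sensitive attribute belongs
    to one person) and unique in the auxiliary set (so that person has one name).
    """
    by_key_deid = defaultdict(list)
    for r in deidentified:
        by_key_deid[qi_key(r)].append(r)
    by_key_aux = defaultdict(list)
    for r in auxiliary:
        by_key_aux[qi_key(r)].append(r)
    matches = {}
    for key, recs in by_key_deid.items():
        candidates = by_key_aux.get(key, [])
        if len(recs) == 1 and len(candidates) == 1:
            matches[recs[0]["record_id"]] = candidates[0]["name"]
    return matches


def generalize(rows, year_band=10):
    """Coarsen quasi-identifiers: FSA to its first character (region), birth year to a band."""
    out = []
    for r in rows:
        g = dict(r)
        g["fsa"] = r["fsa"][0]
        g["birth_year"] = r["birth_year"] - (r["birth_year"] % year_band)
        out.append(g)
    return out


def suppress_small_classes(rows, k):
    """Drop records whose equivalence class is smaller than k (the utility cost of the fix)."""
    counts = Counter(qi_key(r) for r in rows)
    return [r for r in rows if counts[qi_key(r)] >= k]


def release(rows, k=2):
    """Generalise, then suppress, so that every remaining record is k-anonymous."""
    return suppress_small_classes(generalize(rows), k)


if __name__ == "__main__":
    print("k before:", k_anonymity(DEIDENTIFIED))            # 1: record 3 is unique
    print("re-identified:", link(DEIDENTIFIED, AUXILIARY))  # {3: 'Carl Nguyen'}
    safe = release(DEIDENTIFIED, k=2)
    print("k after:", k_anonymity(safe), "records kept:", len(safe))
    print("re-identified after:", link(safe, generalize(AUXILIARY)))  # {}
```

Record 3 is the only person in its equivalence class in both data sets, so the attacker learns Carl Nguyen's diagnosis without ever seeing a name in the health data. Records 4 and 5 share a class with a single named candidate, which does not yield a certain link but still narrows Dominic Lee's diagnosis to two values; a k-anonymity check alone does not capture that attribute-disclosure risk, which is one reason the "serious possibility" standard has to be assessed against the auxiliary data actually available rather than against the released table in isolation.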
Machine Learning and Artificial Intelligence
The issues under Canadian privacy laws surrounding Big Data also apply to artificial intelligence (AI) and machine learning (ML), as both typically rely on the use of large data sets. In particular, Canadian privacy law requirements regarding consent, openness, and transparency are areas of concern with AI and ML. Meaningful consent and transparency require that organisations identify the purposes for the collection and use of personal information. This is more difficult in the case of AI and ML, as those purposes can evolve over time as ML algorithms and models, in the words of Ian Kerr in his testimony to the House Standing Committee on Access to Information, Privacy and Ethics on April 4, 2017, “make discoveries in the data that human decision-makers would neither see nor understand”. The fact that ML is concerned with predicting relationships in data rather than explaining them further complicates transparency and the obtaining of meaningful consent from individuals.
As the Canadian government seeks to establish Canada’s expertise and leadership in AI and ML, a growing body of directives and regulatory initiatives are being enacted and considered. For example, in 2019 the federal government issued its Directive on Automated Decision-Making (the Directive) aimed at the use of automated decision-making by the federal public sector in providing services to the public (compliance with the Directive will be required by April 2020). The Directive is meant to ensure that the federal government’s use of AI is compatible with principles of transparency and accountability. It requires federal departments to conduct algorithmic impact assessments, to include a quality assurance process to ensure testing and the monitoring of outcomes, and to adhere to transparency requirements including the use of open source standards and the release of custom source code by default when using automated decision-making. One of the key concerns that an algorithmic impact assessment confronts is the risks of discrimination caused by biases in algorithms and data.
Canada’s private-sector privacy laws do not specifically reference AI, ML, or automated decision-making, though the general principles of those laws will apply to AI and ML where they implicate personal information. Specific reforms may be forthcoming. The federal government’s Digital Charter, released in 2019, includes proposals to “strengthen privacy for the digital age” by reforming federal privacy laws, and highlights concerns over transparency in AI and the biases that automated decision-making can introduce as imperatives for reform.
Similarly, in early 2020 the federal privacy regulator, the Office of the Privacy Commissioner of Canada (OPC), initiated a consultation regarding its proposals to the federal government for ensuring appropriate regulation of artificial intelligence. The regulator’s proposals are far-reaching, some of which will be familiar to European readers such as a proposed right to object to decisions arising from automatic processing. The comment period for the consultation is set to close on 13 March 2020.
Organisations that use ML might also encounter issues with Canadian intellectual property laws. Notably, Canadian copyright law does not protect a database or compilation where its compilation is not an exercise of “skill and judgement”, and it does not protect individual data elements removed from a database or collection (for example, if those data elements are mere facts such as street addresses). Furthermore, an ML algorithm or model is not considered an “inventor” under the Patent Act or an “author” under Canada’s Copyright Act. In the case of Canadian copyright law, the choice of the ML algorithm, training data, and the conduct of the training would have to be an exercise of skill and judgement for the ML model and its output to be an original work eligible for copyright protection (subject to the limitations on the proper subject matter of copyright, as partially described above).
There are no laws that specifically address Internet of Things (IoT) services and devices in Canada. As a result, any legal considerations regarding IoT arise from the application of general laws to IoT services and devices.
Canada’s private-sector privacy laws will apply to the use of IoT devices and services by individuals where they collect personal information. In Alberta, British Columbia (BC), and Quebec, provincial private-sector privacy laws will also apply to the use of IoT in the workplace (see 7 Monitoring and Limiting of Employee Use of Computer Resources), while the federal law (PIPEDA) will apply to federally-regulated workplaces (ie, to federal works, undertakings, and businesses) across Canada. Alberta, BC, and federal privacy laws are notice-based in connection with employee personal information and the employee-employer relationship, and employers must provide notice to employees of the use of IoT devices that collect employee personal information and the subsequent use and disclosure of that information. Even where employers give notice, however, the processing of personal information must also be for purposes a reasonable person would consider appropriate in the circumstances. Thus, the use of IoT devices to collect employee personal information for inappropriate purposes, for example location tracking or video surveillance where less intrusive measures could be used, would likely run afoul of Canadian laws even if employees were provided notice of the tracking.
Outside of the workplace (and in the workplace in Quebec), Canada’s private-sector privacy laws are consent-based. From a privacy perspective (and as with artificial intelligence and machine learning), IoT poses a challenge in obtaining meaningful consent as it allows passive information collection that may be less obvious to individuals and more difficult to explain. Transparency is particularly important if the IoT service provider is contemplating secondary uses of personal information (ie, uses in addition to use to provide the services), for example marketing or advertising uses. Also, IoT’s ability to collect large amounts of useful data must be weighed against requirements to limit the collection of personal information. Finally, wearable devices can enable the collection of health information and IoT devices often operate in the home where they can collect personal information that reveals facts regarding an individual’s habits, beliefs, and lifestyle. These types of personal information are likely to be considered sensitive information subject to heightened requirements, including regarding consent and safeguards for its protection.
IoT devices and services are also seeing growing use in the health care sector. Many Canadian provinces have enacted health privacy legislation regulating the use of personal health information. Depending on the province and the organisation deploying IoT devices and services to process personal health information, health privacy legislation may apply to the health care provider, or to both the health care provider and its service provider.
As with cloud services, there are no private sector laws of general application focused primarily on the provision of IT services to the private sector in Canada, but other Canadian laws will apply to the provision of such services.
Applicable laws include those relating to the processing and protection of personal information (both in the public and private sectors) and some which impose industry-specific requirements, such as requirements governing the use of IT services (and outsourcing generally) by federally regulated financial organisations, requirements that certain records of federally regulated financial organisations be located in Canada, and laws regarding personal health information.
The issues discussed in 1 Cloud Computing regarding cloud services also apply to IT services generally.
Core Rules Regarding Data Protection
The core data protection laws in Canada for private-sector organisations are the Personal Information Protection and Electronic Documents Act (PIPEDA), which is the federal privacy law, and the provincial private-sector privacy laws in the provinces of Alberta, British Columbia (BC), and Quebec. Canadian private-sector privacy laws regulate the collection, use, and disclosure of personal information and not data or information generally. PIPEDA applies to commercial activities within the provinces that have not enacted their own privacy laws, to federally regulated works, undertakings, or businesses in all provinces (such as telecommunications providers, airlines, and banks), and to the processing of personal information between provinces and across borders where there is real and substantial connection to Canada. Indicators of a real and substantial connection to Canada include targeting the Canadian market, offering goods or services to Canadians, and having affiliates that have operations in Canada.
In general, PIPEDA only applies to the collection, use, and disclosure of personal information in the course of commercial activities. Except in the case of federally regulated works, undertakings, or businesses, PIPEDA does not apply to the collection, use, and disclosure of employee personal information in the context of an employment relationship. Provincial private-sector privacy laws apply to the collection, use, and disclosure of personal information in the province (including in the employment context).
In addition to private-sector privacy laws, public sector privacy and access to information laws exist federally and in each province. Many provinces have also enacted health privacy laws regulating the collection, use, and disclosure of personal health information. Depending on the province, health privacy legislation may regulate the public sector, private-sector health care providers, and certain related service providers. Where it applies, health privacy legislation in Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia will displace the application of PIPEDA.
Distinction Between Companies/Individuals
There is no private-sector legislation of general application focused primarily on the regulation of data regarding companies in Canada. Data regarding companies is regulated by contract, by common law rules and doctrines (eg, breach of confidence or breach of a fiduciary duty), and intellectual property laws.
In contrast, data regarding individuals is subject to federal and provincial privacy legislation. The definition of personal information under the federal private-sector law (PIPEDA) and the common law provinces that have private-sector privacy laws (Alberta and British Columbia) is the same, with personal information defined as "information about an identifiable individual". The definition of personal information under Quebec private-sector legislation differs somewhat and is "any information which relates to a natural person and allows that person to be identified".
Processing of Data
There is no private sector legislation of general application in Canada focused on the processing of data generally. The processing of personal data, however, is another matter, as Canada has both private and public-sector laws that regulate the collection, use, and disclosure of personal information. Many Canadian provinces have also enacted health privacy legislation regulating the use of personal health information, which depending on the province may apply to the public sector, private sector health care providers, and certain service providers.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private sector organisations. The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with PIPEDA, and the OPC has issued a number of guidelines and case summaries that provide non-binding guidance on the OPC’s interpretation of PIPEDA’s obligations.
PIPEDA applies in all provinces and territories in Canada, except where a province or territory has enacted substantially similar private-sector legislation (though PIPEDA continues to apply in those provinces in connection with federally regulated works, undertakings, and business such as airlines, banks, and telecommunications companies). British Columbia, Alberta and Quebec have their own legislation regulating the processing of personal information in the private sector. In addition, many provinces have provincial legislation that regulates the collection, use and disclosure of personal health information. A comprehensive review of all privacy obligations is beyond the scope of this summary.
In general, Canada’s private-sector privacy laws are consent-based. This means that, with some limited exceptions, the meaningful consent of the individual is required for the collection, use or disclosure of their personal information. PIPEDA requires that the purposes for which personal information is collected must be identified at or before the time of collection and that the collection be limited to only that personal information which is necessary for the identified purposes.
PIPEDA also imposes other requirements in addition to those surrounding consent. PIPEDA only allows for the collection, use, and disclosure of personal information for purposes that a reasonable person would consider appropriate in the circumstances. PIPEDA mandates that personal information may only be retained for as long as necessary for the fulfilment of the purposes for which it was collected. It requires that personal information be accurate, complete and up to date, and that it be protected by appropriate security safeguards considering its sensitivity. Organisations must be open about their policies and practices with respect to the management of personal information. PIPEDA also grants individuals the right to access and correct their personal information, and to challenge an organisation’s compliance with these obligations.
Alberta’s Personal Information Protection Act (PIPA) and PIPEDA impose notification obligations surrounding data breaches of personal information under an organisation’s control. Under PIPEDA, if there is any breach of security safeguards involving personal information under an organisation’s control, and if it is reasonable in the circumstances to believe that the breach creates a "real risk of significant harm" to an individual, then the organisation must report the breach:
An organisation is also required to keep a record of every security breach involving personal information under its control, even if the breach does not create a real risk of significant harm to an individual. Alberta privacy legislation requires that organisations notify the Alberta regulator where there is unauthorised access to, or loss of, personal information and a reasonable person would consider that, as a result, there exists a real risk of significant harm to an individual.
There are no specific prohibitions that restrict an employer’s ability to limit employees’ use of or access to company computer resources.
Where the monitoring of employee use of company computer resources implicates the collection, use, or disclosure of personal information, Canadian private-sector privacy laws may apply. Where the monitoring of computer resources does not identify the employee, the information would not be personal information and Canadian privacy laws would not apply. Similarly, information that identifies an employee but is about the computer systems rather than the employees may not be personal information where the information does "not reveal anything about that person" and is not "collected, used, or disclosed for a purpose related to the individual".
The federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), does not apply to the collection, use, and disclosure of employee personal information in the context of an employment relationship except in the case of federally regulated works, undertakings, or businesses. The provincial private-sector privacy laws in the provinces of Alberta, British Columbia, and Quebec apply to employee personal information in those provinces.
While generally consent-based, the federal (in the case of federal works, undertakings, and businesses), Alberta, and British Columbia (BC) privacy laws only require notice for the collection, use, and disclosure of employee personal information for the purposes of managing, establishing, or terminating an employment relationship. Where those laws apply and where the monitoring of company computer resources is related to the employment relationship with employees, organisations must provide notice of the monitoring to employees.
The Quebec law, in contrast, does not provide for an exception in the employment context to the legislation’s general consent requirements and has a relatively stringent requirement for informed and free employee consent. This is often challenging for employers who operate in Quebec and other provinces, as their privacy practices must comply with the more stringent Quebec standard or differ between Quebec and the other provinces.
The Telecommunications Act regulates telecommunications common carriers and telecommunications service providers. It does not regulate technologies. The Radiocommunication Act regulates spectrum, and the Minister of Innovation, Science and Economic Development (the Minister) is empowered to issue radio or spectrum licences, or to exempt frequencies from the requirement for a licence. The Minister is empowered to charge fees for radio or spectrum licences or to hold competitive bidding auctions.
The Telecommunications Act defines a telecommunications common carrier as a person who owns or operates a transmission facility used by that person or another person to provide telecommunications services to the public for compensation.
A transmission facility means “any wire, cable, radio, optical or other electromagnetic system, or any similar technical system for the transmission of intelligence between network termination points, but does not include an exempt transmission apparatus” (defined to include switches, routers, etc).
A telecommunications service means a service provided by means of telecommunications facilities, which in turn is broadly defined to include any facility or thing that is used or capable of being used for telecommunications or for any operation directly connected with telecommunications, including a transmission facility.
The Telecommunications Act is therefore technology-agnostic. There are no restrictions on the use of new technologies by carriers or service providers. Certain services are however subject to compliance with regulatory requirements, and registration requirements. For example, non-dominant carriers and resellers must register with the Canadian Radio-television and Telecommunications Commission (CRTC), international service providers must obtain a Basic International Telecommunications Services licence which is available as of right from the CRTC, providers of Voice over Internet Protocol (VoIP) services must obtain approval of their 911 emergency calling arrangements and Competitive Local Exchange Carriers (CLECs) must obtain approval of their interconnection arrangements with other carriers, as well as their provision of certain services to persons with disabilities, and privacy and consumer protection provisions, all of which have been standardised.
If the provider of the radio-frequency identification (RFID) tag service requires licensed spectrum to provide the service, a spectrum licence will have to be obtained from the Minister. If the spectrum is used to provide the service, registration with the CRTC as a non-dominant carrier will be required. An application is required to obtain licensed spectrum and a licence fee applies. No licence or licence fee is required if licence-exempt spectrum is used, such as certain WiFi frequencies. Radio apparatus must be certified to meet specified standards. Certifications from specified countries can be used as the basis for the Canadian certification. The CRTC does not charge for registering a non-dominant carrier but it operates a “contribution fund” to which carriers and telecommunications service providers (TSPs) are required to contribute based on a percentage of their Canadian telecommunications revenues once they are generating CAD10 million or more in revenues. Money from this fund is used to finance video relay services and the extension of broadband facilities to rural and remote parts of Canada. A subsidy of telephone service in high-cost service areas is being phased out.
VoIP service providers that provide access or egress to or from the public switched telephone network (PSTN), and that use North American Numbering Plan (NANP) telephone numbers to route calls, require CRTC approval of their 911 emergency services. They also need to register with the CRTC as a non-dominant carrier or reseller depending on whether they own a transmission facility. A Basic International Telecommunications Services (BITS) licence is also required which entails an application to the CRTC. No fees are applicable for these registrations, approvals or licences other than contribution to the fund referenced above. If the VoIP service does not provide access to or egress from the PSTN, and does not use NANP telephone numbers for routing calls, it is not subject to regulation.
The provision of instant messaging will be regulated if it involves the use of telecommunications transmission facilities owned or leased by the carrier or TSP. Registration as a reseller or non-dominant carrier will be required. A BITS licence will also be required. No fees are applicable other than contribution to the fund referenced above. If the service simply uses the Internet for transmission purposes and a third party provides the Internet access, the instant messaging service will not be subject to regulation. The provision of an app without transmission services is not regulated.
All traditional audio-visual services (television, radio, cable, etc) operating in Canada are required to be licensed or exempt from licensing by the CRTC under the Broadcasting Act. The CRTC issues licences for terms not exceeding seven years and makes those licences subject to conditions related to the circumstances of the licensee that it deems appropriate for the implementation of Canada’s broadcasting policy. Licensees are generally subject to a variety of Canadian content, programme expenditure and/or contribution obligations. Television and radio stations that use radio spectrum are also required to obtain authorisation from the Department of Innovation, Science and Economic Development Canada (ISED) in accordance with the Radiocommunication Act. Applications to obtain a broadcasting licence must be filed with the CRTC, and the CRTC is required to hold a public hearing to consider the application. The process typically takes between eight and eighteen months to conclude. In order to be eligible to hold a broadcasting licence, a company must be owned and effectively controlled by Canadians. Broadcasting licensees are generally required to pay two types of licence fees (Part 1 and Part 2 fees) under the Broadcasting Licence Fee Regulations. The Part 1 fee is a licensee’s pro rata share of the annual cost of the CRTC’s operations. The Part 2 fee is established by the Canadian government using a complex formula and paid on a pro rata basis by each licensee.
The CRTC also has the authority to exempt classes of broadcasting undertakings from holding a licence and has exercised this authority in a number of circumstances, including with respect to small satellite-to-cable (discretionary) services and small cable distributors. The exemption order issued by the CRTC contains terms and conditions that apply to an entire class of broadcasting undertaking and does not require a company to pay any licence fee or to obtain any further authorisation from the CRTC.
Online Video Channels
Individuals and companies that operate online video channels (including user-generated content) in Canada do so in accordance with a CRTC exemption order called the exemption order for digital media broadcasting undertakings. To operate under this exemption order, an online video channel must comply with minimal obligations, which include a prohibition on granting undue preferences or disadvantages and a requirement to submit to the CRTC’s dispute resolution process. There are no licence fees or Canadian ownership and control requirements applicable to online video channels.
In general, federal and provincial private-sector privacy laws require that organisations implement and maintain safeguards to protect personal information that are appropriate given the sensitivity of the information. The federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), states that safeguards should include physical, organisational, and technical measures, and specifically references encryption as a technical measure to be used in safeguarding personal information. The federal privacy regulator makes reference to industry standards in determining whether safeguards are appropriate. It is likely that in almost all cases Canadian privacy regulators would require the use of industry standard encryption to safeguard personal information, and its use would clearly be required in connection with sensitive personal information.
In the public sector, various government security programmes will invariably require that certain government information must be encrypted. For example, Public Services and Procurement Canada (PSPC), the central purchasing agency for federal departments, has established information technology security requirements that apply to any vendor that produces, processes, or stores protected or classified information electronically under government contract. Organisations must undergo an IT security assessment by PSPC, including to obtain document safeguarding capability for protected and classified information. Completing this process will require organisations to make proper use of encryption in the circumstances (among other requirements).
Canadian law places restrictions on the export of certain cryptography and information security goods, and an export permit is required to export restricted cryptography and information security goods to any country other than the United States.
The use of encryption does not exempt an organisation from the application of private-sector privacy laws (rather it is often a required safeguard). Encryption may reduce the harm associated with a security breach, but a security breach of encrypted data is not an exemption from the requirements surrounding data breaches under privacy laws or consideration of the harms that could arise from the breach.