Contributed By Blake, Cassels & Graydon LLP
In Canada, the collection, use and disclosure of personal information in the private sector is regulated at both the federal and provincial level. At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all private sector organisations collecting, using or disclosing personal information in the course of commercial activities in Canada. In addition, three Canadian provinces – Alberta, British Columbia and Québec – have enacted provincial-level private sector privacy legislation that applies to the collection, use and disclosure of personal information by private sector organisations within those provinces. These are Alberta’s Personal Information Protection Act (the Alberta PIPA), British Columbia’s Personal Information Protection Act (the BC PIPA) and Québec’s Act respecting the protection of personal information in the private sector (the Québec PPIPS).
Alberta, Saskatchewan, Manitoba, Québec, Ontario, Nova Scotia, New Brunswick, Prince Edward Island, Newfoundland and Labrador, Yukon Territory and the Northwest Territories have legislation in place specifically governing the collection, use and disclosure of personal health information by healthcare providers.
The collection, use and disclosure of personal information by public bodies is governed by provincial, territorial or federal public sector privacy legislation.
Certain provinces have enacted legislation that creates a statutory tort for invasion of privacy. These statutes make it actionable to willfully violate the privacy of another individual. The Québec Civil Code contains comparable provisions. In addition, the Québec Charter of Human Rights and Freedoms provides that every person has a right to respect for his private life.
Canada’s federal privacy legislation is enforced by the Office of the Privacy Commissioner of Canada (OPC). The Privacy Commissioner is an officer of Parliament who is appointed under the Privacy Act. The OPC’s jurisdiction under PIPEDA includes:
A complaint must be initiated by an individual, by filing a written complaint with the OPC. An individual is not required to have a direct connection to the conduct of the organisation that is the subject of the complaint. The OPC must give notice of any complaint to the organisation against which the complaint has been made. The OPC may attempt to settle complaints by mediation or conciliation.
The OPC must investigate a complaint, unless it is of the opinion that the complainant ought to exhaust other reasonably available review procedures, that the complaint could more appropriately be dealt with by another procedure provided for under the laws of Canada or of a province, or that the complaint was not filed within a reasonable period after the day on which the subject matter of the complaint arose. The OPC is not required to investigate conduct that would constitute a contravention of Canada’s Anti-Spam Legislation.
The Commissioner may conduct an audit of an organisation, directly or through a delegate, if the Commissioner reasonably believes the organisation is contravening PIPEDA or failing to follow any recommendation in Schedule 1 of the Act. After an audit, the Commissioner must provide the audited organisation with a report that contains the findings of the audit and any recommendations that the Commissioner considers appropriate.
The OPC is an ombudsman. It can only investigate, make recommendations, and apply to the Federal Court for a hearing. The OPC cannot order compliance with PIPEDA, assess monetary penalties, or issue a notice of violation.
The powers of the Commissioner in the conduct of an investigation include:
The OPC must prepare a report of findings from the investigation within one year of the initiation of a complaint, setting out, among other things, all findings and recommendations in the matter or any settlement that was reached by the parties. The report must be sent promptly to the organisation and the complainant, and must include notice of any possible recourse to the Federal Court. The report of findings is made public and may name the organisation.
A complainant has no right to apply to Federal Court until the OPC issues a report of findings or is notified that the investigation has been discontinued. A complainant is entitled to apply to court for a hearing, even if the OPC has responded favourably to their complaint. In addition to any other remedies it may give, the Federal Court may order an organisation to correct its practices, order an organisation to publish a notice of any action taken or proposed to be taken to correct its practices, or award damages to the complainant, including damages for any humiliation the complainant has suffered.
PIPEDA provides for a number of offences, punishable on summary conviction and as indictable offences with fines up to CAD10,000 and CAD100,000, respectively, which are generally limited to more egregious breaches of the statute, such as failing to record or report a data breach, or punishing a whistle-blower. These offences are not prosecuted by the OPC, but the OPC can disclose information relating to the commission of an offence to the Attorney General of Canada or of a province.
Canada has joined APEC’s Cross Border Privacy Rules (CBPR) system. Organisations in Canada that want to become certified under that system must implement privacy policies and practices that are consistent with the CBPR programme requirements.
PIPEDA applies to all federally and provincially regulated private sector organisations collecting, using or disclosing personal information in the course of commercial activities.
PIPEDA provides that organisations or classes of activities that are subject to “substantially similar” provincial legislation may be exempted from the application of PIPEDA. The Alberta PIPA, the BC PIPA and the Québec PPIPS have each been designated by the federal government as “substantially similar” for the purposes of the exemption in PIPEDA, and so PIPEDA will not apply to the collection, use or disclosure of personal information that takes place wholly within those provinces. However, PIPEDA will apply (in addition to the relevant provincial statute) if the collection, use or disclosure of personal information takes place across a provincial (or international) border, including where personal information is collected in one province and stored in another.
For constitutional reasons, PIPEDA will not apply to the collection, use or disclosure of employee personal information for employment-related purposes, unless the employer is a federal work, undertaking or business. However, provincially regulated employers in Alberta, British Columbia and Québec will be subject to the Alberta PIPA, BC PIPA and Québec PPIPS, respectively, in respect of their handling of employee personal information for employment-related purposes.
The Digital Advertising Alliance of Canada is a non-profit group of trade associations responsible for administering the AdChoices self-regulatory programme for online behavioural advertising. AdChoices helps organisations meet their privacy law obligations when engaging in online behavioural advertising.
PIPEDA is similar to the General Data Protection Regulation (GDPR) in many respects. Most of PIPEDA’s ten fair information principles can also be found in the GDPR. Perhaps the most notable difference between the two statutes is that PIPEDA requires informed consent for any collection, use or disclosure of personal information, subject to very limited exceptions, whereas the GDPR provides for other lawful bases upon which personal data may be processed, including based on the organisation’s legitimate interests. PIPEDA is also less prescriptive and more principles-based, particularly in respect of cross-border data transfers and accountability requirements. While PIPEDA is actively enforced by the OPC on the basis of complaints, the OPC lacks the robust enforcement powers of its counterparts in the EU. As a result, the consequences of non-compliance are less severe.
In April 2019, the OPC launched a consultation in which it proposed to reverse its long-held position on transfers of personal information to service providers. Under that position, a transfer to a service provider for processing is a “use” of personal information by the transferring organisation rather than a “disclosure” to the service provider, so no consent is required for the transfer. The OPC proposed instead to treat such a transfer as a disclosure for which consent must be obtained. The OPC received 87 submissions from stakeholders raising concerns about the proposed shift in position. The OPC ultimately reconsidered its proposal and confirmed that its approach to transfers of personal information to service providers for processing would remain unchanged under the current law.
In April 2019, the OPC, jointly with the Information and Privacy Commissioner for British Columbia, released its report of findings into Facebook’s sharing of personal information with third party applications. The investigation was triggered by the Cambridge Analytica revelations. The report identified several deficiencies in Facebook’s personal information handling practices, including failure to obtain meaningful consent for the sharing of personal information with third party applications, and failing to meet accountability obligations (in particular, relying on third party applications to obtain consent on its behalf without exercising due diligence to ensure that such consents were actually being obtained). The OPC and BC IPC made a number of recommendations to Facebook to improve its practices, but Facebook refused. The OPC filed a Notice of Application in the Federal Court in February 2020 seeking a declaration that Facebook contravened PIPEDA and an order requiring Facebook to take certain steps to come into compliance.
In the spring of 2019, the federal government announced its intention to modernise PIPEDA. While no specific amendments have been proposed, the government has identified several potential enhancements. These include more prescriptive informed consent requirements; additional exceptions from the consent requirement to allow personal information processing for standard business purposes; a right to data portability and erasure in certain circumstances; a requirement for demonstrable accountability, including in the context of trans-border data flows; algorithmic transparency requirements for automated decision-making; a definition of de-identified data and an exception from the consent requirement for certain prescribed purposes; provisions to facilitate and promote innovation, such as the use of data trusts and the creation of codes of practice, certifications and standards; and enhanced enforcement powers for the OPC.
PIPEDA applies to all organisations in respect of their collection, use and disclosure of personal information in the course of commercial activities in Canada.
PIPEDA is not limited in scope to organisations that are physically located in Canada, and has been found to apply to organisations located outside of Canada where there is a real and substantial connection between the organisation’s commercial activities and Canada. Whether a real and substantial connection exists will depend on all relevant factors, including whether the organisation targets its marketing efforts to Canadian residents, offers its goods and services in Canadian currency or has a bank account in Canada.
PIPEDA applies to “personal information”, which it defines broadly as “information about an identifiable individual”. According to case law, information will be about an identifiable individual if there is a serious possibility that the individual could be identified from the information alone, or in combination with other information. PIPEDA does not apply to information that is not “personal information”, so should not apply to information that has been de-identified such that there is no longer a serious possibility that the individual could be identified from the information alone or in combination with other information. The OPC has not provided any guidance on effective de-identification techniques, so this remains an area of uncertainty for organisations.
PIPEDA incorporates ten fair information principles, summarised as follows:
PIPEDA also provides an overall limitation and requirement that personal information must only be collected, used and disclosed for “purposes that a reasonable person would consider are appropriate in the circumstances”. This overriding “reasonableness standard” applies to all collection, use and disclosure of personal information, even if the individual has consented to it.
PIPEDA requires organisations to notify affected individuals and the OPC of a breach of security safeguards involving personal information under the organisation’s control, where the breach poses a “real risk of significant harm” to the affected individuals. Government institutions and other organisations must also be notified if the organisation believes that the institution or other organisation may be able to reduce or mitigate the risk of harm to the affected individuals. Organisations must keep a record of all data breaches, including those that do not meet this harm threshold for reporting, and provide those records to the OPC upon request.
PIPEDA does not specifically define sensitive personal information, but provides that some information (for example, medical records and income records) will almost always be considered sensitive, while other information may be sensitive, depending on the context.
There are no special requirements that apply to the processing of sensitive personal information. However, the sensitivity of the personal information is relevant for the purposes of determining appropriate security measures (more sensitive personal information should be protected by more robust security measures) and the nature of the consent required (express consent is generally required for the collection, use or disclosure of sensitive personal information).
PIPEDA applies to all private sector organisations in all sectors in respect of their collection, use and disclosure of personal information, with limited exceptions. PIPEDA provides that organisations or classes of activities that are subject to “substantially similar” provincial legislation may be exempted from the application of PIPEDA. The Alberta PIPA, the BC PIPA and the Québec PPIPS have each been designated by the federal government as “substantially similar” for the purposes of the exemption in PIPEDA, and so PIPEDA will not apply to collection, use or disclosure of personal information that takes place wholly within those provinces. The collection, use and disclosure of personal health information by healthcare providers in the course of providing healthcare is regulated by provincial health privacy legislation in certain provinces. Some of these statutes have also been declared substantially similar to PIPEDA.
There are no specific laws applicable to children’s privacy. However, because PIPEDA is a consent-based regime, it may not be possible to obtain meaningful consent from a minor. The OPC recommends not collecting personal information from children to the extent possible. Where personal information must be collected, the organisation must consider how to ensure that meaningful consent is obtained, which may mean obtaining consent from a parent or guardian or tailoring consent language so that it will be understood by the minor.
Individuals have the right to request access to their personal information in the custody or control of an organisation, as well as an account of its use or disclosure. They also have the right to request that inaccurate information be corrected, and the right to withdraw their consent to the organisation's collection, use or disclosure of their personal information. Each of these rights is subject to a number of exceptions. There is currently no right of data portability or erasure in Canada. However, the right to withdraw consent combined with the obligation not to retain personal information for longer than necessary can give rise to an obligation to delete personal information in certain circumstances.
Canada’s Anti-Spam Legislation (CASL) regulates the sending of commercial electronic messages (CEMs), which are defined broadly as electronic messages (eg, text messages, email messages) that wholly or partly encourage participation in a commercial activity.
Subject to limited exceptions, CASL prohibits the sending of a CEM to an electronic address unless:
CASL applies where the computer system used to send or access the CEM is located in Canada, so will apply to messages sent from outside of Canada to recipients in Canada.
In general, consent to receive a CEM must be express (although consent is implied in certain limited circumstances, discussed below).
Express consent must be signified by an active step on the part of the recipient (eg, checking a box) and cannot be bundled with consent to general terms and conditions of use or sale. To be valid, a request for express consent must set out, clearly and simply, the purposes for which consent is sought, prescribed information about the person requesting consent, and a statement that consent can be withdrawn.
CASL deems an electronic message that requests express consent to send CEMs to itself be a CEM. Therefore, express consent cannot be requested via an electronic message unless the sender already has consent to send CEMs or an exemption applies.
Although CASL generally requires express consent, consent is implied in certain limited circumstances, including when the sender and recipient have an “existing business relationship” as defined by CASL.
In addition to the consent requirement, CASL requires each CEM to include prescribed information about the sender of the message as well as a functional unsubscribe mechanism that is able to be readily performed (at no cost) and that enables the person to unsubscribe using the same electronic means by which the CEM was sent.
CASL provides for a number of exemptions, including for CEMs that are sent in response to a specific request or to satisfy a legal obligation.
Non-compliance with CASL can lead to administrative monetary penalties (AMPs) of up to CAD1,000,000 for individuals and CAD10,000,000 for corporations.
The Unsolicited Telecommunications Rules (UTR) regulate unsolicited telephone and fax communications that are made for the purposes of solicitation (although certain provisions of the ADADR, as defined below, include restrictions that apply even if the call or fax is not made for the purposes of solicitation). The UTR consist of three different sets of rules: the National Do Not Call List Rules (NDNCLR), the Telemarketing Rules (TR) and the Automatic Dialing and Announcing Devices Rules (ADADR).
The NDNCLR require telemarketers to register with the National Do Not Call List operator, to pay certain fees and to subscribe to the National Do Not Call List (National DNCL). Telemarketers must not make any telemarketing telecommunications to consumers who have registered their telecommunications number on the National DNCL without the consumers’ express consent. The NDNCLR also require telemarketers to maintain certain records and restrict the manner in which the National DNCL may be used and shared. The NDNCLR do not apply to a telemarketing telecommunication made to a consumer with whom the person making the telecommunication, or the person or organisation on whose behalf the telecommunication is made, has an “existing business relationship”. The NDNCLR also do not apply to telemarketing telecommunications made to business consumers.
The TR apply regardless of whether or not the NDNCLR apply. The TR require telemarketers to register with the National DNCL operator, pay certain fees and maintain certain records. They also require telemarketers to provide specific information at the beginning of a telemarketing call or on the first page of a telemarketing fax. Under the TR, telemarketers are required to maintain their own do not call list and keep a consumer’s name and telephone number on that list for a period of three years and 31 days from the date of the consumer’s request to be put on that list. The TR also restrict the time during which telemarketing telecommunications may be made, among other requirements. The TR do not apply to telemarketing telecommunications made via voice mail broadcast or for purposes other than solicitation (eg, emergencies, account collection, etc).
The ADADR apply if the call is made using an auto-dialer that plays a pre-recorded message (ADAD). The ADADR apply regardless of whether or not the NDNCLR apply. The ADADR require express consent to initiate a telemarketing call using an ADAD, among other requirements. Certain restrictions under the ADADR also apply when there is no attempt to solicit.
The administrative monetary penalties under the UTR can potentially be quite large (up to CAD45,000 for a single call).
Online behavioural advertising is not specifically regulated in Canada. However, since it generally involves the collection, use and disclosure of personal information, PIPEDA will apply (in addition to the provincial privacy statutes, as applicable). Accordingly, organisations must obtain meaningful consent from individuals (for example, through cookie notices) to collect, use and disclose their personal information for the purposes of online behavioural advertising, and must provide individuals with the ability to choose not to consent. Opt-out consent may be appropriate where the personal information is non-sensitive and the proposed collection, use and disclosure is consistent with the reasonable expectations of the individual. In other cases, opt-in consent should be obtained.
PIPEDA applies to employee personal information collected, used or disclosed by federal works, undertakings or businesses (federally regulated organisations) in the private sector. Federally regulated organisations include those in the banking, air transportation, cross-Canada railway and road transportation, telecommunications, and radio and television broadcasting industries. Due to Canadian constitutional constraints, PIPEDA does not generally apply to the collection, use or disclosure of employee personal information by provincially regulated employers. The provincial privacy legislation in Alberta, British Columbia and Québec governs the collection, use and disclosure of employee personal information for private sector organisations in those provinces. However, as most Canadian provinces remain without such comprehensive privacy legislation for private sector organisations, the vast majority of Canadian employees must instead rely on statutory tort or civil law remedies if they have complaints about how an employer is handling their personal information. The information provided below is based on the federal private sector requirements under PIPEDA.
Under PIPEDA, federally regulated organisations are permitted to collect, use or disclose the personal information necessary to establish, manage or terminate an employment relationship without consent of the individual, provided that the business has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes. In addition, information produced by an individual in the course of employment, business or profession is also permitted to be collected, used or disclosed without consent, so long as the collection is consistent with the purposes for which the information was produced. Finally, “business contact information” is exempt from PIPEDA requirements if it is collected, used or disclosed solely for the purpose of facilitating communication with the individual in relation to their employment, business or profession.
A basic rule under PIPEDA is the overall limitation and requirement that personal information must only be collected, used and disclosed for “purposes that a reasonable person would consider appropriate in the circumstances”. This overriding “reasonableness standard” applies to all collection, use and disclosure of employee personal information, even if the individual has consented to it.
In the context of a unionised workplace, PIPEDA applies to trade unions and thus governs a union’s collection, use and disclosure of employee personal information. In addition, the Supreme Court of Canada held in Bernard v. Canada (Attorney General), 2014 SCC 13, that employers must disclose any information necessary for the union to carry out its representational duties, including any information that is necessary for the union and employer to be on equal footing with respect to information relevant to the bargaining process. In Bernard, the Court held that employees provide home contact information to their employers for the purpose of being contacted about the terms and conditions of their employment, and this purpose is consistent with the union’s intended use of that information. While the Court made this finding under public sector privacy legislation (the Privacy Act), that legislation is similar to PIPEDA in this regard – namely, that personal information may be disclosed for the purpose for which the information was obtained, or for a use consistent with that purpose.
There are no works councils in Canada.
There is no mandatory requirement to establish a whistle-blower hotline under PIPEDA or employment standards legislation in Canada. However, PIPEDA does provide protections for whistle-blowers, which include the right to complain to the OPC if the employee has reasonable grounds to believe that a person has contravened PIPEDA, and to request that the employee’s identity be kept confidential. PIPEDA further provides that no employer shall dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee, or deny an employee a benefit of employment, by reason that the employee, acting in good faith and on the basis of reasonable belief, (a) disclosed to the OPC that the employer or any other person has contravened or intends to contravene PIPEDA, or (b) has refused or stated an intention to refuse to do anything that is a contravention of, or that is required to be done to comply with, PIPEDA. An employer may also not take such adverse employment actions if the employer believes that the employee will do any of the foregoing, regardless of whether or not he or she actually does.
If a party seeks to introduce evidence that has been collected in breach of privacy legislation, there is a risk that a Canadian court or arbitrator will refuse to admit it. However, Canadian courts have generally been more permissive than Canadian labour arbitrators about admitting such evidence where it is of probative value.
Under the evidence legislation of Ontario and Canada, electronic evidence may be admissible when the party seeking to admit it is able to prove its authenticity. Often, parties will do this through testimony or expert evidence about the reliability of the electronic system and of the document. With the rise of social media, a question arises as to whether courts can compel parties to produce pictures and postings from “private” social media pages. Generally, Canadian courts will weigh the competing privacy and fairness interests in determining whether social media posts must be produced. If a court is satisfied that the social media postings are relevant and necessary, it will order their production. Social media postings and other electronic evidence nonetheless remain subject to the ordinary rules of evidence, including the rules on hearsay.
Under PIPEDA, an individual may submit a complaint against an organisation to the Privacy Commissioner, who may initiate an investigation, issue a report and make recommendations. PIPEDA does not set a legal standard to establish a privacy violation. Once the Privacy Commissioner has issued a report or discontinued its investigation, the complainant may seek damages for a PIPEDA breach in the Federal Court.
The Federal Court may also order the organisation to change its practices. In 2020, the Privacy Commissioner commenced an application in the Federal Court against Facebook, seeking, among other things, a declaration that Facebook contravened PIPEDA and an order requiring it to implement various practices.
In addition to pursuing remedies under PIPEDA, individuals may bring claims for privacy violations in contract or tort, such as negligence, intrusion upon seclusion, and breach of confidence. Several privacy class actions have been certified in Canada but none have been adjudicated on the merits.
The Canadian Charter of Rights and Freedoms guarantees the right not to be subject to unreasonable searches or seizures. This right is triggered where a person (which includes a corporation) has a reasonable expectation of privacy. A search or seizure by law enforcement without prior judicial authorisation is presumptively unreasonable under the Charter. Courts have also held that, to comply with the Charter, a search must be authorised by law, the law must be reasonable, and the search must be conducted reasonably. Under the Criminal Code, it is an offence to intercept, use or disclose private communications, except in limited circumstances.
The Canadian Security Intelligence Service (CSIS), Canada’s primary national intelligence service, requires prior judicial authorisation before carrying out a search or seizure or intercepting communications. Under CSIS’s enabling legislation, the judge must be satisfied that there are reasonable grounds that the warrant is required to enable CSIS to carry out its duties and that no other investigative procedures are available to obtain the information, among other things. CSIS is subject to the Charter.
While foreign government requests are not a basis upon which to collect or transfer personal information, under PIPEDA an organisation may disclose personal information to a government institution that has requested it, identified lawful authority to obtain it, and indicated that the disclosure is required to enforce a foreign law or carry out an investigation. Canada does not have a Cloud Act agreement with the USA.
In August 2019, the federal government announced that it intends to modernise the Privacy Act, which addresses the protection of personal information held by the federal government and federal public sector institutions. Among other things, modernisation may include amendments that reflect data protection rules and principles that exist in other jurisdictions, including the GDPR. As part of this initiative, the government has announced a comprehensive review of the Privacy Act and is seeking feedback from expert stakeholders.
PIPEDA does not require personal information to remain in Canada. However, in order to comply with PIPEDA’s “openness” principle, the OPC has stated that organisations must notify individuals when their personal information may be processed in a foreign country, and should explain that such personal information may be accessible to law enforcement and national security authorities of the relevant foreign jurisdiction(s).
The Privacy Act does not require government institutions to process personal information in Canada. However, there may be data localisation requirements under government policy.
While responses to these FAQs are limited in scope to federal laws, it is worth noting that the Québec PPIPS prohibits transferring personal information outside of the province of Québec, unless the transferring organisation is satisfied that the information will be appropriately handled, and the Alberta PIPA includes similar, though more prescriptive, notice requirements as PIPEDA when personal information is processed by service providers located outside of Canada. The public sector privacy laws in British Columbia and Nova Scotia prohibit public bodies and their service providers from storing or accessing personal information from outside of Canada. These prohibitions are subject to limited exceptions.
PIPEDA does not prescribe any formal international data transfer mechanisms. PIPEDA does, however, require organisations to use contractual or other means to ensure that personal information transferred to, or processed by, a third party on the organisation’s behalf receives a comparable level of protection; this requirement applies equally to transfers to service providers located within Canada.
PIPEDA does not require any government notifications or approvals in order for personal information to be transferred internationally.
In addition to requirements under privacy laws, the Income Tax Act requires every person carrying on business to keep records and books of account at the person’s place of business in Canada or at such other place as may be designated by the Minister. According to the Canada Revenue Agency’s Information Circular on Electronic Record Keeping (IC), records kept outside Canada and accessed electronically from Canada are not considered to be records kept in Canada. However, the IC goes on to say that where records are maintained electronically in a location outside of Canada, the CRA may accept a copy of the records, provided these are made available in Canada in an electronically readable and usable format for CRA officials and contain adequate details to support the tax returns filed with the CRA. While this is not a clear designation by the Minister, it has been interpreted in this way by tax professionals. The lowest-risk approach is to seek permission from the CRA before storing income tax records outside of Canada.
Certain sector-specific laws, such as the Bank Act, require organisations to maintain certain records in Canada (largely so that they are readily available to regulators). However, these laws do not typically prohibit storing a copy of those same records outside of Canada.
In the absence of a valid production order or contractual commitment, software code or algorithms or similar technical details are not required to be shared with the government.
PIPEDA permits the disclosure of personal information without consent where the disclosure is required by law, or to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records.
This exception does not allow the disclosure of personal information without consent pursuant to a voluntary/non-binding request made by a government institution or other person.
PIPEDA also permits the disclosure of personal information without consent to a government institution or part of a government institution that has made a request for the information on a voluntary basis, but only if the government institution or part thereof has identified its lawful authority to obtain the information and indicated that the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law.
Certain public sector privacy laws, including those in Alberta, British Columbia and Nova Scotia, make it an offence to provide personal information in response to a foreign demand for the information. For example, the British Columbia Freedom of Information and Protection of Privacy Act makes it an offence to disclose personal information pursuant to a requirement of a foreign court, government agency or other foreign authority, unless the disclosure is made in accordance with an enactment of BC or Canada that authorises or requires its disclosure, or in accordance with a treaty, arrangement or written agreement that authorises or requires its disclosure and is made under an enactment of BC or Canada. If a public body or service provider receives such a “foreign demand for disclosure”, it must immediately notify the responsible Minister (even where disclosing the existence of the demand may itself violate the foreign law under which the demand was made). If a service provider complies with a foreign demand for disclosure in contravention of the Act (or otherwise discloses personal information in contravention of the Act), it must immediately notify the public body.
The Government of Canada has authority under the Foreign Extraterritorial Measures Act (FEMA) to make orders protecting Canadian interests against the extraterritorial application of foreign laws in Canada. There are currently two blocking orders issued under FEMA.
First, the Foreign Extraterritorial Measures (United States) Order, 1992 (1992 Order) blocks the extraterritorial application in Canada of the US embargo against Cuba. The 1992 Order prohibits a Canadian corporation, including its directors, officers and employees, in respect of any trade between Canada and Cuba, from complying with an extraterritorial measure of the United States. The 1992 Order also prohibits complying with any direction or communication relating to such a measure that the Canadian corporation has received from a person who is in a position to influence the policies of the Canadian corporation. There is also an obligation to notify the Attorney General of Canada of any such communications.
Second, the Certain Foreign Extraterritorial Measures (United States) Order, 2014, prohibits any person in Canada from complying with US “Buy America” requirements in relation to the redevelopment of premises in northern British Columbia that were leased by the State of Alaska.
PIPEDA is a technology-neutral law. It does not currently specifically define or regulate emerging technologies like artificial intelligence, automated decision-making, biometrics or geolocation data. However, to the extent that these emerging technologies involve the collection, use, disclosure or other processing of personal information, they must be used in compliance with all of PIPEDA’s requirements, including consent, accountability and limiting collection, use, disclosure and retention.
In addition, PIPEDA provides an overarching requirement that an organisation may only collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In assessing the appropriateness of an emerging technology, the organisation must consider the four-part test applied by the OPC: whether the measure is necessary to meet a specific need, whether it is likely to be effective in meeting that need, whether the loss of privacy is proportional to the benefit gained, and whether a less privacy-invasive way of achieving the same end is available.
Accordingly, organisations must ensure that any use of an emerging technology is necessary for a specifically identified purpose, that it is effective for that purpose, that the privacy impact is proportionate to the benefit, and that the collection and processing of personal information is carried out in the least privacy-invasive way possible.
On 28 January 2020, the OPC launched a consultation where it set out a number of proposals to enhance PIPEDA in respect of its application to, and regulation of, artificial intelligence systems. The OPC’s proposals include: a right to object to and be free from automated decisions; a right to explanation as to the reasoning underlying any automated processing and the consequences of such reasoning for the data subject’s rights and interests; a requirement to conduct Privacy Impact Assessments (PIAs), including assessments relating to the impacts of AI processing on privacy and human rights; a requirement to apply Privacy by Design and Human Rights by Design in all phases of processing, including data collection; adding alternative grounds for processing personal information (other than consent) when obtaining meaningful consent is not practicable; enhanced rules relating to de-identified data; and a requirement for organisations to ensure data and algorithmic traceability.
On 21 February 2020, the OPC (together with its provincial counterparts in Alberta, British Columbia and Québec) launched an investigation into Clearview AI and its use of facial recognition technology. The investigation was initiated in the wake of numerous media reports that raised questions and concerns about whether the company is collecting and using personal information without consent.
Privacy impact assessments are not currently required under PIPEDA. However, as a matter of corporate policy, some organisations require a privacy impact assessment to be conducted before launching or using a technology with significant privacy impacts.
Class actions are permitted in privacy cases. There have been an increasing number of privacy class actions in Canada since 2012, when the Ontario Court of Appeal first recognised the new privacy tort of intrusion upon seclusion. While many privacy class actions have been certified, there were several denials of certification over the last year. For example, in Broutzas v Rouge Valley Health System, 2018 ONSC 6315, the Ontario Superior Court of Justice refused to certify a privacy class action in which rogue hospital employees allegedly accessed patient records to sell new mothers’ contact information as sales leads. In Kaplan v Casino Rama Services Inc., 2019 ONSC 2025, the Ontario Superior Court of Justice refused to certify a class action brought following a criminal cyberattack. Certification was also denied in privacy class actions resulting from data breaches in Bourbonnière c. Yahoo! Inc., 2019 QCCS 2624, and Li c. Equifax Inc., 2019 QCCS 4340.
During the due diligence phase of a corporate transaction, counsel should request and review the target’s policies and procedures relating to privacy compliance, including externally facing privacy notices and consent forms and internal policies and procedures around information security, acceptable use, employee training, vendor management, record retention and disaster recovery. Information security audit reports should be reviewed, where available, and the target’s history of privacy breaches and privacy-related complaints and investigations should be evaluated. Additional more targeted investigations may be warranted, depending on the nature of the target’s business.
Members of the Canadian Securities Administrators (the CSA) regulate publicly traded companies in Canada, including the disclosure required of such companies under securities laws, and have largely harmonised the disclosure requirements for publicly traded companies across the provinces and territories of Canada.
Ongoing disclosure requirements for publicly traded companies include the filing of annual and quarterly financial statements and accompanying management’s discussion and analysis in narrative form and an annual information form. In general, disclosure requirements are limited to material information, including material risks. CSA guidance has emphasised that material cybersecurity risks are required to be disclosed in continuous disclosure filings, and has encouraged the use of entity-specific disclosure that helps investors distinguish between issuers in terms of their level of exposure to, level of preparedness for and potential impacts of cybersecurity risks.
If a public company determines that a cybersecurity incident would reasonably be expected to have a significant effect on the market price or value of any of its securities, the company must immediately issue and file a news release disclosing details of the incident, and must file a “material change report” in the prescribed form no later than ten days after making that determination.
There are no other significant issues.