Contributed By Fasken
Laws and Regulations
There are no private sector laws of general application focused primarily on the provision of cloud services to the private sector in Canada, but other Canadian laws apply to the provision of such cloud services. Applicable laws include those relating to the processing and protection of personal information and some which impose industry-specific requirements, such as requirements governing the use of cloud services by federally regulated financial organisations, requirements that certain records of federally regulated financial organisations be located in Canada, and laws regarding personal health information.
The Office of the Superintendent of Financial Institutions (OSFI) is the Canadian federal regulator that supervises and regulates federally registered banks and insurers, trust and loan companies and private pension plans subject to federal oversight. OSFI has issued Guideline B-10, "Outsourcing of Business Activities, Functions and Processes", which specifies certain OSFI expectations for federally regulated financial institutions (FRFIs) that outsource one or more of their business activities to a service provider. This Guideline applies to all outsourcing arrangements, including cloud services, under which FRFIs are expected to:
The Guideline also contains a list of specific terms that OSFI expects an FRFI to address in a cloud service contract. While Guideline B-10 is directed to federal entities, it has also been voluntarily adopted by many provincially regulated entities in the financial sector. In 2012, OSFI released a memorandum that confirmed that Guideline B-10 applies to cloud computing and that FRFIs should pay particular attention to the following in connection with cloud services: (i) confidentiality and security; (ii) contingency planning; (iii) location of records; (iv) audit and access rights; (v) subcontractors; and (vi) monitoring material outsourcing arrangements.
Under the Bank Act (Canada), the Trust and Loan Companies Act (Canada), the Insurance Companies Act (Canada) and the Cooperative Credit Associations Act (Canada), certain records of federally regulated financial organisations carrying on business in Canada must be maintained in Canada. In addition, an FRFI is expected to ensure that OSFI can access, in Canada, any records necessary to enable OSFI to fulfil its mandate.
In addition to Guideline B-10, OSFI has also released an advisory on Technology and Cybersecurity Incident Reporting, which sets out OSFI’s expectations in relation to the immediate and ongoing reporting of cybersecurity incidents, which FRFIs should account for in their agreements with cloud providers. These expectations are in addition to the mandatory breach-notification requirements under Canadian privacy laws.
On 15 September 2020, OSFI released a discussion paper outlining its most recent analysis of technology and related risks to stimulate discussion and to solicit comments from stakeholders. The discussion paper specifically identifies cybersecurity, advanced analytics, and “third party ecosystems” as areas of priority, with the latter priority outlining the adoption of cloud computing as being of interest to OSFI. In the paper OSFI identifies the following key risk areas associated with cloud computing:
OSFI indicated its intent to engage in a separate consultation process relating to Guideline B-10, and identified the principles of transparency, reliability, and substitutability as key considerations in the selection of cloud service providers. Comments on the initial discussion paper were due to OSFI on 15 December 2020, and as of this writing (February 2021), OSFI has not yet launched the separate consultation relating to Guideline B-10.
Personal Data Processing
In Canada, privacy and personal information are regulated by both federal and provincial legislation.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private sector organisations. The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with PIPEDA. The OPC has issued a number of guidelines and case summaries that provide non-binding guidance on the OPC’s interpretation of PIPEDA’s obligations. As of this writing (February 2021), PIPEDA continues to be subject to an adequacy decision by the European Commission.
PIPEDA applies in all provinces and territories in Canada, except where a province or territory has enacted substantially similar private-sector legislation and is subject to an exemption under PIPEDA (though PIPEDA continues to apply in those provinces in connection with federal “works, undertakings, and businesses” such as airlines, banks, and telecommunications companies). British Columbia, Alberta and Quebec have their own legislation that regulates the collection, use and disclosure of personal information by private sector organisations in those provinces. In addition, most provinces have provincial legislation that regulates the collection, use and disclosure of personal health information. There are also federal and provincial public sector privacy laws that apply to the public sector.
Every aspect of privacy legislation might have some impact on the provision or use of cloud services. A comprehensive review of all privacy obligations is beyond the scope of this summary. Some key principles and cloud service issues are discussed below. The comments are based on PIPEDA and OPC guidance. A review of provincial laws and related guidance is beyond the scope of this summary. For a more general discussion of PIPEDA, please see 6 Key Data Protection Principles.
The Personal Information Protection and Electronic Documents Act
Under PIPEDA, personal information means information about an identifiable individual.
PIPEDA provides that an organisation is responsible for personal information in its control, or its possession or custody, including information that has been transferred to a third party for processing. An organisation that transfers personal information to a cloud service provider remains primarily responsible for that personal information, and will want to ensure that the cloud services contract contains appropriate provisions to address all of that organisation’s responsibilities in relation to the personal information transferred to and processed by the cloud service provider.
In its guidance, the OPC clarifies that: “Regardless of where the information is being processed – whether in Canada or a foreign country – the organisation must take all reasonable steps to protect it from unauthorised uses and disclosures while it is in the hands of the third party processor. The organisation must be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times. It should also have the right to audit and inspect how the third party handles and stores personal information, and exercise the right to audit and inspect when warranted.”
PIPEDA requires that personal information be protected by security safeguards appropriate to the sensitivity of the information. The security safeguards must protect personal information against loss and theft, as well as unauthorised access, disclosure, copying, use or modification. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected; the amount, distribution, and format of the information; and the method of storage. More sensitive information should be safeguarded by a higher level of protection, particularly where large volumes of information are involved. The methods of protection should include physical, organisational, and technical measures.
PIPEDA case summaries provide some non-binding guidance on the OPC’s interpretation of these obligations.
An organisation will want to address the detail of a service provider’s security safeguards in the cloud services contract. When it investigates security breaches, the OPC will closely examine the safeguards in place at the time of the breach and the contractual requirements to implement and maintain safeguards in the cloud services contract.
PIPEDA imposes notice and other obligations if there is any breach of security safeguards involving personal information under an organisation’s control, and if it is reasonable in the circumstances to believe that the breach creates a "real risk of significant harm" to an individual (please see 6 Key Data Protection Principles for a summary of these obligations).
An organisation will want to address the cloud provider’s obligations in the case of a breach of security safeguards in the cloud services contract.
The Consumer Privacy Protection Act
In November 2020, the Canadian government introduced proposed legislation (Bill C-11) to replace PIPEDA's personal information provisions with a new law, the Consumer Privacy Protection Act (CPPA).
The CPPA would largely codify the existing OPC framework on the use of service providers (including cloud service providers). When transferring personal information to service providers, the CPPA would require that organisations ensure substantially the same protection for personal information (by contract or otherwise) that they are required to provide under the CPPA. Service providers would be required to safeguard personal information and provide notice of any breach of security safeguards to the organisation which controls the personal information. Otherwise, provided that a service provider only uses the transferred personal information for the purposes for which it was transferred, service providers would be exempt from the obligations of the CPPA with respect to that personal information. Additionally, where an organisation disposes of personal information at the request of an individual, and it has transferred such information to any service provider, the CPPA would require the organisation to inform the service provider of the request for disposal and obtain from the service provider confirmation that the information has been disposed of. Note that, as proposed legislation, Bill C-11 may not be enacted or may undergo changes before it is enacted.
In Canada, there is some sensitivity to the possibility that foreign governments may be able to obtain access to personal information that is transferred outside Canada.
PIPEDA does not prohibit an organisation transferring personal information to an organisation outside Canada for processing. However, the OPC expects that organisations must assess the risks to the integrity, security and confidentiality of personal information when it is transferred to third-party service providers operating outside Canada. The OPC expects that organisations will advise their customers that their personal information may be sent to another jurisdiction for processing and that, while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities of that jurisdiction. (Note that Alberta’s law has additional specific notice requirements if personal information is transferred to a service provider outside Canada.)
The CPPA would largely codify the existing OPC framework on transfers of personal information outside Canada and would require that an organisation's “readily available” and “plain language” policies include a description of interprovincial and international transfers of personal information and the reasonably foreseeable privacy implications of those transfers.
Risk and Liability
The main legal challenges for launching blockchain technology in Canada are broadly similar to those of other software companies (ie, fundraising, IP, and the recruitment and retention of talent).
One key distinction is the legal challenges that surround a blockchain company seeking to sell cryptographic tokens to raise capital, to create a captive economy of native digital assets or to connect with and establish a community of would-be users of the to-be-developed blockchain protocol. In Canada, securities regulation falls under provincial jurisdiction. This summary is written from the perspective of British Columbia law and a comprehensive review of all Canadian jurisdictions is beyond the scope of this summary.
Determining whether a token is a security
When considering the proposed sale of cryptographic tokens, the inquiry is typically focused on whether the token will be considered a "security" for the purposes of Canadian securities laws. In considering the question, we have concentrated primarily on:
To properly determine whether or not a specific token is a security for the purposes of the Securities Act (British Columbia) (the Securities Act), it is necessary to apply the test laid out by the Supreme Court of Canada in Pacific Coast Coin Exchange of Canada Ltd v Ontario Securities Commission 2 SCR 112 (the Pacific Coast Coin Test). The Pacific Coast Coin Test is used by Canadian securities regulators to determine whether an instrument issued to a purchaser by an issuer is an "investment contract" within the definition of a security under the Securities Act and other Canadian securities laws.
The Pacific Coast Coin Test, in determining whether an investment contract exists for the purposes of Canadian securities laws, considers:
If any one of these considerations is not satisfied, then the token in question should (emphasis on should) not be considered a security.
Making such a determination also requires consideration of CSA Staff Notice 46-307 – Cryptocurrency Offerings (SN 46-307) and CSA Staff Notice 46-308 – Securities Law Implications for Offerings of Tokens (SN 46-308) (the CSA is an organisation made up of all of Canada’s provincial and territorial securities regulators).
With respect to the guidance set forth in SN 46-307, the primary purpose of such a review is typically to determine which characteristics of the token in question would set it apart from what is considered a security under the Securities Act. An example of a token that might be distinguishable from a security, in reliance on the guidance set forth in SN 46-307, is a token which is effectively an application programming interface key allowing token holders to access and consume the application services on a blockchain platform (similar to a coin or token that allows a token holder to access and pay for a video game on a platform). However, the purported use and function of a token are not determinative. Canadian securities regulators have adopted the “substance over form” approach, which takes both the characteristics and the economic reality of the token into consideration when determining whether it is a security.
SN 46-308 offers further guidance by listing 14 indicators of the existence of a security and has become something of a companion test to the Pacific Coast Coin Test.
Prospectus requirements and enforcement
If a token is determined to be a security, the issuer must then issue the security in connection with a filed prospectus or in connection with an exemption to the prospectus requirements. If there is no prospectus filed or exemption from the requirement to prepare and file a prospectus in connection with such a distribution of tokens, the offering would be considered an unlawful distribution of securities by Canadian securities regulators.
Unlawful distributions of securities by a company are an offence under Section 155(1)(b) of the Securities Act (British Columbia) and the company – and the employees, officers, directors or agents of that company – who authorise, permit or acquiesce in any unlawful distribution will be deemed to have committed the same pursuant to Section 155(4) of the Securities Act. Under the Securities Act (British Columbia), the maximum liability for such an offence is a fine of not more than CAD3 million, or up to three years’ imprisonment, or both.
Depending on the severity of the breach, the British Columbia Securities Commission will more typically seek:
In addition to regulations applicable to issuers, CSA Staff Notice 21-327 clarifies that entities that facilitate transactions relating to crypto-assets can also be subject to securities legislation. However, the notice states that entities that meet both of the following conditions would generally not be subject to Canadian securities legislation: (i) the underlying crypto-asset itself is not a security or derivative; and (ii) the contract for the purchase, sale or delivery of a crypto-asset results in an obligation for, and is settled by, the immediate delivery of the crypto-assets to the user. Both the economic realities of the relationship and the intentions of the parties will be considered by regulators in determining whether an “immediate delivery” has occurred. SN 21-327 also references the CSA Regulatory Sandbox, which is an initiative to support “fintech businesses seeking to offer innovative products, services and applications in Canada” by allowing such businesses “to register and/or obtain exemptive relief from securities law requirements, under a faster and more flexible process than through a standard application, in order to test their products, services and applications throughout the Canadian market, generally on a time-limited basis”.
In addition, the CSA and Investment Industry Regulatory Organization of Canada (IIROC) have proposed a regulatory framework for crypto-asset trading platforms in their joint Consultation Paper 21-402. The proposed framework contemplates that existing regulatory requirements applicable to investment dealers, IIROC dealers, and marketplace members will also apply to crypto-asset trading platforms. The paper also suggests that these platforms may be recognised as exchanges under provincial securities regulation.
In a decentralised network, where intellectual property is contributed by "community" users and participants, the ownership of such intellectual property is more difficult to determine and validate, particularly the ownership of the data shared by the community and of the development work conducted on the network. This openness and uncertainty raise the prospect of the infringement of intellectual property on the blockchain.
At the core of blockchain technology is the concept of decentralisation which enables the "trustless" sharing of data. One of the key advantages of blockchain technology is that once the data is stored on a particular chain, it cannot be altered. However, such data may contain personal information, and because of the nature of the blockchain, that data is available to all the contributors to the blockchain. The decentralisation and transparency of transactions on blockchains are not easily compatible with Canadian private-sector privacy laws, which centre around the accountability of organisations in connection with personal information.
Blockchain is an immature technology. Consistent with the nascent nature of such technology, service levels and performance standards are improving. However, transaction speeds remain relatively slow and the computing power required to process such transactions remains high. For blockchain technology to achieve ubiquity, blockchain will require a higher degree of confidence in the quality and stability of the services.
Blockchain is inherently cross-jurisdictional. The decentralised nature of the technology requires participating nodes spread around the world. In most transactions by blockchain companies, simply identifying the governing law of such transactions might be a challenge.
A significant jurisdictional issue with blockchain relates to proposed sales of cryptographic tokens to Canadians or from Canada to non-Canadians. Rather than be subject to the scrutiny of Canadian securities regulators, many Canadian blockchain companies decide to adopt an offshore corporate structure to conduct the sale of their cryptographic tokens. Canadian securities regulators will still have a say in this. For example, the British Columbia Securities Commission bases its jurisdictional determination on the location of a token issuer’s "mind and management" in applying the test outlined in BC Instrument 72-702 – Distribution of Securities to Persons Outside of British Columbia (BCI 72-702). BCI 72-702 is critical in determining whether British Columbia (BC) law applies to sales of cryptographic tokens. BCI 72-702 provides that the existence of any of the following generally indicates a distribution from BC:
“(i) the issuer’s mind and management is primarily located within British Columbia. This may be indicated if, for example, the issuer's head office or the residences of the issuer’s key officers and directors are located in the province;
(ii) the business of the issuer is administered from, and the operations of the issuer are conducted in British Columbia; or
(iii) acts, advertisements, solicitations, conduct or negotiations in furtherance of the distribution take place in British Columbia (including any underwriting or investor relations activities).”
However, BCI 72-702 goes on to note that:
“The above examples are indicative of the types of factors that an issuer should consider in determining whether it is making a distribution from British Columbia. However, they should not be viewed as an exhaustive list.”
Even if an offering by an offshore company is likely to be considered an offering from British Columbia for the purposes of BCI 72-702 (ie, the mind and management of the offshore company is still considered to be primarily resident in Canada), there may be applicable prospectus exemptions for the token sale. In particular, BCI 72-702 notes that the issuer “may rely on the general registration and prospectus exemptions in the Securities Act and Securities Rules. In certain circumstances, an issuer may also rely on special exemptions provided under [BC Instrument 72-503 – Distribution of Securities Outside British Columbia (BCI 72-503)]” .
The prospectus exemption in BCI 72-503 applies to issuers located in British Columbia (or outside British Columbia, but whose mind and management is inside British Columbia for the purposes of BCI 72-702) seeking to distribute securities outside of the province.
To rely on the prospectus exemption contained in Section 3 of BCI 72-503 to effect a token sale, a company and offering would be required to fulfil the following conditions (which have been edited for relevancy):
In order to comply with the conditions set forth above and the filing requirements, a company will need to determine with a commercially reasonable degree of comfort that the sale of a token into a particular jurisdiction complies with the securities laws of that jurisdiction.
In addition to the above, a company would also have to ensure that, no later than ten days after the token sale is closed, it files with the British Columbia Securities Commission a report of exempt distribution in Form 45-106F1 and delivers to the British Columbia Securities Commission any offering material that the company is required to file with the securities regulatory authority in any of the jurisdictions where the purchasers of the relevant tokens are located.
Big data initiatives in Canada must balance the need to maximise the value of large data sets with the requirements of Canadian privacy laws. Holding large amounts of personal information can lead to issues surrounding consent, transparency, accountability, and the requirement to limit the collection of personal information to that required for the purposes identified by the collecting organisation. Additionally, holding large volumes of personal information requires organisations to implement more stringent safeguards in order for them to be considered appropriate under Canadian privacy laws. Holding greater amounts of personal information about a greater number of individuals also increases the risks of a class action in the event of a data breach and the liability that would result from a breach.
To limit these risks, organisations are increasingly using de-identified and (in the case of machine learning) synthetic data. De-identified and synthetic data where there is no “serious possibility” that the information, alone or in combination with other information, can identify an individual (ie, be reidentified) is not personal information and thus not subject to Canadian privacy laws. However, the potential for reidentification increases as data sets grow and other data sets become available for matching, and statistical and other methods that can reidentify data are becoming increasingly sophisticated.
Canada’s federal privacy law does not currently include a definition of de-identified data or define what it means to de-identify data. As of this writing (February 2021), the Canadian government’s proposal to revise federal privacy law would define de-identifying personal information as modifying or creating information using technical processes to ensure that it cannot be used "in reasonably foreseeable circumstances" to identify an individual, either alone or in combination with other information. Under the proposed new Consumer Privacy Protection Act (CPPA), where an organisation de-identifies information, it would have to use technical and administrative measures proportionate to the purposes of de-identification and the sensitivity of the personal information being de-identified. The CPPA would also prohibit organisations from using de-identified information to identify an individual except to test the organisation's safeguards to protect the information. Finally, the CPPA would allow organisations to use personal information without consent to de-identify that information.
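The reidentification risk described above is easiest to see in code. The following is an added example, not part of the original guide: the data rows are constructed and describe no real people, and the field names (an "fsa" postal-code prefix, birth year, sex, diagnosis) and helper functions are illustrative assumptions. It runs a linkage attack that joins a "de-identified" release against an auxiliary data set on the quasi-identifiers, measures k-anonymity before release, and shows that coarsening the quasi-identifiers alone still leaves a unique row exposed until small groups are suppressed.

```python
"""Linkage attack on a 'de-identified' data set, plus the k-anonymity check an
organisation can run before release. Constructed example: every row below is
invented, and the field names are assumptions made for illustration."""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed released data set: names removed, quasi-identifiers kept.
# "fsa" stands in for the first three characters of a Canadian postal code.
RELEASED: List[Dict] = [
    {"fsa": "V6B", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"fsa": "V6B", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"fsa": "V6B", "birth_year": 1988, "sex": "M", "diagnosis": "hypertension"},
    {"fsa": "T5K", "birth_year": 1975, "sex": "M", "diagnosis": "migraine"},
]

# Constructed auxiliary data set an attacker might hold (a public register,
# a social-media profile): it carries names and the same quasi-identifiers.
AUXILIARY: List[Dict] = [
    {"name": "A. Lee",  "fsa": "V6B", "birth_year": 1984, "sex": "F"},
    {"name": "B. Kaur", "fsa": "V6B", "birth_year": 1984, "sex": "F"},
    {"name": "C. Roy",  "fsa": "V6B", "birth_year": 1988, "sex": "M"},
    {"name": "D. Ng",   "fsa": "T5K", "birth_year": 1975, "sex": "M"},
]

QUASI: Tuple[str, ...] = ("fsa", "birth_year", "sex")


def quasi_key(row: Dict, fields: Sequence[str] = QUASI) -> Tuple:
    return tuple(row[f] for f in fields)


def group_by_key(rows: Iterable[Dict], fields: Sequence[str]) -> Dict[Tuple, List[Dict]]:
    groups: Dict[Tuple, List[Dict]] = {}
    for r in rows:
        groups.setdefault(quasi_key(r, fields), []).append(r)
    return groups


def k_anonymity(rows: Iterable[Dict], fields: Sequence[str] = QUASI) -> int:
    """Size of the smallest group of rows sharing one quasi-identifier
    combination. k == 1 means some row is unique on the quasi-identifiers
    and is therefore a linkage candidate."""
    counts = Counter(quasi_key(r, fields) for r in rows)
    return min(counts.values()) if counts else 0


def link(released: Iterable[Dict], auxiliary: Iterable[Dict],
         fields: Sequence[str] = QUASI) -> Dict[str, str]:
    """Linkage attack: join both data sets on the quasi-identifiers and report
    every diagnosis attributable to exactly one named person."""
    rel = group_by_key(released, fields)
    aux = group_by_key(auxiliary, fields)
    linked: Dict[str, str] = {}
    for key, rel_rows in rel.items():
        aux_rows = aux.get(key, [])
        if len(rel_rows) == 1 and len(aux_rows) == 1:
            linked[aux_rows[0]["name"]] = rel_rows[0]["diagnosis"]
    return linked


def generalise(rows: Iterable[Dict]) -> List[Dict]:
    """Coarsen the quasi-identifiers: drop sex, replace birth year by decade.
    An attacker applies the same coarsening to the auxiliary set, so this is
    also how the join is attempted after generalisation."""
    out = []
    for r in rows:
        g = {k: v for k, v in r.items() if k not in ("birth_year", "sex")}
        g["decade"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


def suppress(rows: Iterable[Dict], fields: Sequence[str], k: int) -> List[Dict]:
    """Drop every row whose quasi-identifier group has fewer than k members."""
    groups = group_by_key(rows, fields)
    return [r for g in groups.values() if len(g) >= k for r in g]


if __name__ == "__main__":
    coarse = ("fsa", "decade")
    print("k before release:", k_anonymity(RELEASED))
    print("linked:", link(RELEASED, AUXILIARY))
    gen_rel, gen_aux = generalise(RELEASED), generalise(AUXILIARY)
    print("linked after generalisation:", link(gen_rel, gen_aux, coarse))
    safe = suppress(gen_rel, coarse, k=2)
    print("k after suppression:", k_anonymity(safe, coarse))
    print("linked after suppression:", link(safe, gen_aux, coarse))
```

Run as is, the released set has k = 1 and two people are identified outright; generalising birth year to a decade and dropping sex still leaves the single T5K row unique, so that person remains linkable, and only suppressing groups smaller than k closes the join. The point for the "serious possibility" test is that k must be measured against the auxiliary data an adversary can plausibly obtain, not only against the released table in isolation.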
Machine Learning and Artificial Intelligence
The issues surrounding big data also apply to artificial intelligence (AI) and machine learning (ML), as both typically rely on large data sets. Canadian privacy law requirements regarding consent, openness, and transparency are areas of concern with regard to AI and ML. Meaningful consent and transparency require that organisations identify the purposes of the collection and use of personal information. This is more difficult in the case of AI and ML, as those purposes can evolve over time as ML algorithms and models, in the words of Ian Kerr in his testimony to a committee of Parliament on 4 April 2017, “make discoveries in the data that human decision-makers would neither see nor understand.” The fact that ML is concerned with predicting relationships in data rather than explaining them further complicates transparency and the obtaining of meaningful consent from individuals.
Canada’s current private-sector privacy laws do not specifically reference AI, ML, or automated decision-making, though the general principles of those laws will apply to AI and ML where they implicate personal information. However, reform appears imminent.
The proposed Consumer Privacy Protection Act (CPPA) referenced above in the discussion on big data includes specific provisions on automated decision-making and defines an “automated decision system” as any technology that “assists or replaces the judgement of human decision-makers using techniques such as rule-based systems, regression analysis, predictive analytics, machine learning, deep learning and neural nets.” The proposed CPPA further expands on the openness, transparency and access principles of its predecessor legislation, and provides that organisations must make available a general account of their use of any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them. Organisations must also, on request, provide an individual with an explanation of the prediction, recommendation, or decision, and an explanation of how the personal information that was used to make that prediction, recommendation or decision was obtained.
Organisations that use ML might also encounter issues with Canadian intellectual property laws. Canadian copyright law does not protect databases where the creation of a database or other compilation is not an exercise of “skill and judgement”, and it does not protect individual data elements removed from a database or other compilation (for example, where those data elements are mere facts such as street addresses). Furthermore, an ML algorithm or model is not considered an “inventor” under the Patent Act or an “author” under Canada’s Copyright Act. In the case of Canadian copyright law, the choice of the ML algorithm, training data, and the conduct of the training would have to be an exercise of skill and judgement for the ML model and its output to be potentially considered an original work eligible for copyright protection (subject to the output or model otherwise being the proper subject matter of copyright).
There are no laws that specifically address internet of things (IoT) services and devices in Canada. As a result, any legal considerations regarding the IoT arise from the application of general laws to IoT services and devices.
Canada’s private-sector privacy laws will apply to the use of IoT devices and services by individuals where they collect personal information. In Alberta, British Columbia (BC), and Quebec, provincial private-sector privacy laws will also apply to the use of IoT in the workplace (see 7 Monitoring and Limiting of Employee Use of Computer Resources), while the federal law (PIPEDA) will apply to federally regulated workplaces (ie, to federal works, undertakings, and businesses) across Canada. Alberta, BC, and federal privacy laws are notice-based in connection with employee personal information and the employee-employer relationship, and employers must provide notice to employees of the use of IoT devices that collect employee personal information and the subsequent use and disclosure of that information. Even where employers give notice, however, the processing of personal information must also be for purposes a reasonable person would consider appropriate in the circumstances. Thus, the use of IoT devices to collect employee personal information for inappropriate purposes, for example location tracking or video surveillance where less intrusive measures could be used, may still run afoul of Canadian laws even if employees were provided notice of the tracking.
Other than with limited exceptions (including the above), Canada’s private-sector privacy laws are consent-based. From a privacy perspective, the IoT poses a challenge in obtaining meaningful consent as it allows passive information collection that may be less obvious to individuals and more difficult to explain. Transparency is particularly important if the IoT service provider is contemplating secondary uses of personal information (ie, uses in addition to providing the services), for example marketing or advertising. Also, the IoT’s ability to collect large amounts of useful data must be weighed against requirements to limit the collection of personal information. Finally, wearable devices can enable the collection of health information and IoT devices often operate in the home where they can collect personal information that reveals facts regarding an individual’s habits, beliefs, and lifestyle. These types of personal information are likely to be considered sensitive information subject to heightened requirements, including regarding consent and safeguards for their protection.
IoT devices and services are also seeing growing use in the healthcare sector. Most Canadian provinces have enacted health privacy legislation regulating the use of personal health information by healthcare providers. Depending on the province, health privacy legislation may apply to the healthcare provider, or to both the healthcare provider and its service provider.
On 20 August 2020, the Office of the Privacy Commissioner of Canada (OPC) released guidance targeted towards manufacturers of IoT devices. In particular, the guidance recommends as a best practice that organisations perform a privacy impact assessment before releasing IoT products.
As with cloud services, there are no private sector laws of general application focused primarily on the provision of IT services to the private sector in Canada, but other Canadian laws will apply to the provision of such services.
Applicable laws include those relating to the processing and protection of personal information (both in the public and private sectors) and some which impose industry-specific requirements, such as requirements governing the use of IT services (and outsourcing generally) by federally regulated financial institutions (FRFIs), and requirements that certain records of FRFIs be located in Canada, as well as laws regarding personal health information.
The issues discussed in 1 Cloud Computing regarding cloud services also apply to IT services generally.
Core Rules Regarding Data Protection
The core data protection laws in Canada for private-sector organisations are the Personal Information Protection and Electronic Documents Act (PIPEDA), which is the federal privacy law, and the provincial private-sector privacy laws in the provinces of Alberta, British Columbia (BC), and Quebec. Canadian private-sector privacy laws regulate the collection, use, and disclosure of personal information, and not data or information generally. PIPEDA applies to commercial activities within the provinces that have not enacted their own privacy laws, to federally regulated works, undertakings, or businesses in all provinces (such as telecommunications providers, airlines, and banks), and to the processing of personal information between provinces and across borders where there is a real and substantial connection to Canada. Indicators of a real and substantial connection to Canada include targeting the Canadian market, offering goods or services to Canadians, and having affiliates that have operations in Canada.
Except in the case of federally regulated works, undertakings, or businesses, PIPEDA generally does not apply to the collection, use, and disclosure of employee personal information in the context of an employment relationship. Provincial private-sector privacy laws apply to the collection, use, and disclosure of personal information in the province (including in the employment context).
Public sector privacy and access to information laws exist federally and in each province. Most provinces have also enacted health privacy laws regulating personal health information. Depending on the province, health privacy legislation may regulate the public sector, private-sector healthcare providers, and certain related service providers. Where it applies, the health privacy legislation in Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia will displace the application of PIPEDA.
In November 2020, the Canadian government introduced proposed legislation (Bill C-11) to replace PIPEDA with a new Consumer Privacy Protection Act (CPPA).
Distinction between Companies/Individuals
There is no private-sector legislation of general application focused primarily on the regulation of data regarding companies in Canada. Data regarding companies is regulated by contract, by common law rules and doctrines (eg, breach of confidence or breach of fiduciary duty), and by intellectual property laws.
As above, data regarding individuals is subject to federal and provincial privacy legislation.
Processing of Data
There is no private-sector legislation of general application in Canada focused on the processing of data generally. The processing of personal data, however, is another matter, as Canada has both private-sector and public-sector laws that regulate the collection, use, and disclosure of personal information. Most Canadian provinces have also enacted health privacy legislation regulating the use of personal health information, which – depending on the province – may apply to the public sector, private-sector healthcare providers, and certain service providers.
The Personal Information Protection and Electronic Documents Act
The definition of personal information – under both PIPEDA and the private-sector privacy laws of the common law provinces that have them (Alberta and British Columbia) – is the same, with personal information defined as "information about an identifiable individual". The definition of personal information under Quebec private-sector legislation differs somewhat and is "any information which relates to a natural person and allows that person to be identified". PIPEDA exempts from its requirements business contact information that an organisation uses solely for the purpose of communicating with the individual in relation to the individual’s employment, business or profession (the Alberta and BC legislation have similar exceptions).
The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with PIPEDA, and the OPC has issued a number of guidelines and case summaries that provide non-binding guidance on the OPC’s interpretation of PIPEDA’s obligations.
PIPEDA applies in all provinces and territories in Canada, except where a province or territory has enacted substantially similar private-sector legislation, though PIPEDA continues to apply in those provinces in connection with federally regulated works, undertakings, and businesses such as airlines, banks, and telecommunications companies. PIPEDA also applies to the interprovincial or international processing of personal information in the course of commercial activities. British Columbia, Alberta and Quebec have their own legislation regulating the processing of personal information in the private sector within those provinces. In addition, most provinces have provincial legislation that regulates the collection, use and disclosure of personal health information. There are also federal and provincial public-sector privacy laws that apply to the public sector. A comprehensive review of all privacy obligations is beyond the scope of this summary, and the comments below centre on PIPEDA and OPC guidance.
PIPEDA became law in 2000. It is intended to protect the privacy of Canadians, and was originally designed to enable Canada to obtain an adequacy ruling under the 1995 European Union Data Protection Directive. As of this writing (February 2021), the adequacy decision issued in connection with the Directive remains in effect in relation to the GDPR.
In general, Canada’s private-sector privacy laws are consent-based. This means that, with some limited exceptions, the knowledge and meaningful consent of the individual is required for the collection, use or disclosure of their personal information. PIPEDA requires that the purposes for which personal information is collected must be identified at or before the time of collection and that the collection be limited to only that personal information which is necessary for the identified purposes.
PIPEDA also imposes other requirements in addition to those surrounding consent. PIPEDA only allows for the collection, use, and disclosure of personal information for purposes that a reasonable person would consider appropriate in the circumstances. PIPEDA mandates that personal information may only be retained for as long as necessary for the fulfilment of the purposes for which it was collected. It requires that personal information be accurate, complete and up to date, and that it be protected by appropriate security safeguards considering its sensitivity. Sensitive information should be safeguarded by a higher level of protection, particularly where large volumes of information are involved. The methods of protection should include physical, organisational, and technical measures. Organisations must be open about their policies and practices with respect to the management of personal information. PIPEDA also grants individuals the right to access and correct their personal information, and to challenge an organisation’s compliance with these obligations.
PIPEDA (along with Alberta’s private-sector privacy law) imposes notification and other obligations surrounding data breaches of personal information under an organisation’s control. Under PIPEDA, if there is any breach of security safeguards involving personal information under an organisation’s control, and if it is reasonable in the circumstances to believe that the breach creates a "real risk of significant harm" to an individual, then the organisation must report the breach:
An organisation is also required to keep a record of every security breach involving personal information under its control, even if the breach does not create a real risk of significant harm to an individual.
The Consumer Privacy Protection Act
In November 2020, the Canadian government introduced proposed legislation (Bill C-11) to revamp and replace PIPEDA with a new Consumer Privacy Protection Act (CPPA). As of this writing (February 2021), the CPPA would maintain and extend the principles-based approach of PIPEDA and would introduce:
Bill C-11 would also introduce a new tribunal to review the decisions of the OPC (Tribunal).
While PIPEDA has similar provisions with respect to fines, the potential amount of the fines would be much higher under the CPPA. The penalty provisions, for their part, would be entirely new. The CPPA provides that, where the OPC has recommended a penalty, the Tribunal can impose a penalty in the amounts set out above. The OPC can recommend a penalty for the contravention of certain sections of the CPPA, including in relation to certain consent provisions, limiting the collection, use, and disclosure of personal information, the retention and disposal of personal information, and security safeguards for personal information.
The CPPA would also provide a private right of action against organisations for damages for loss or injury in certain limited circumstances. Specifically, where the OPC makes a finding that an organisation has contravened the CPPA and the organisation does not appeal to the Tribunal or the appeal is dismissed, or the Tribunal itself makes a finding that the organisation has contravened the CPPA, an individual affected by the contravention has a cause of action for damages.
There are no specific prohibitions that restrict an employer’s ability to limit employees’ use of or access to company computer resources.
Where the monitoring of employee use of company computer resources involves the collection, use, or disclosure of personal information, Canadian private-sector privacy laws may apply. Where the monitoring of computer resources does not identify the employee, the information would not be personal information and Canadian privacy laws would not apply. Similarly, information that identifies an employee but is about the computer systems rather than the employees may not be personal information where the information does "not reveal anything about that person" and is not "collected, used, or disclosed for a purpose related to the individual".
Federal private-sector privacy law does not apply to the collection, use, and disclosure of employee personal information in the context of an employment relationship except in the case of federally regulated works, undertakings, or businesses. The provincial private-sector privacy laws in the provinces of Alberta, British Columbia, and Quebec apply to employee personal information in those provinces.
While generally consent-based, the federal (in the case of federal works, undertakings, and businesses), Alberta, and British Columbia (BC) privacy laws only require notice for the collection, use, and disclosure of employee personal information for the purposes of managing, establishing, or terminating an employment relationship. Where those laws apply and where the monitoring of company computer resources is related to the employment relationship with employees, organisations must provide notice of such monitoring to employees.
The Quebec law does not provide for an exception in the employment context to the legislation’s general consent requirements and has a relatively stringent requirement for informed and free employee consent. This is often challenging for employers who operate in Quebec and other provinces, as their privacy practices must comply with the more stringent Quebec standard or differ between Quebec and the other provinces.
The Telecommunications Act regulates telecommunications common carriers and telecommunications service providers. It does not regulate technologies. The Radiocommunication Act regulates spectrum and the Minister of Innovation, Science and Industry (the Minister) is empowered to issue radio or spectrum licences, or to exempt frequencies from the requirement for a licence. The Minister is empowered to charge fees for radio or spectrum licences or to hold competitive bidding auctions.
The Telecommunications Act defines a telecommunications common carrier as a person who owns or operates a transmission facility used by that person or another person to provide telecommunications services to the public for compensation.
A transmission facility means “any wire, cable, radio, optical or other electromagnetic system, or any similar technical system for the transmission of intelligence between network termination points, but does not include an exempt transmission apparatus” (defined to include switches, routers, etc).
A telecommunications service means a service provided by means of telecommunications facilities, which in turn is broadly defined to include any facility or thing that is used or capable of being used for telecommunications or for any operation directly connected with telecommunications, including a transmission facility.
The Telecommunications Act is therefore technology agnostic. There are no restrictions on the use of new technologies by carriers or service providers. Certain services are, however, subject to regulatory and registration requirements. For example, non-dominant carriers and resellers must register with the Canadian Radio-television and Telecommunications Commission (CRTC); international service providers must obtain a Basic International Telecommunications Services licence, which is available as of right from the CRTC; providers of Voice over Internet Protocol (VoIP) services must obtain approval of their 911 emergency calling arrangements; and Competitive Local Exchange Carriers (CLECs) must obtain approval of their interconnection arrangements with other carriers, as well as of their provision of certain services to persons with disabilities and of their privacy and consumer protection provisions, all of which have been standardised.
If the provider of the radio-frequency identification (RFID) tag service requires licensed spectrum to provide the service, a spectrum licence will have to be obtained from the Minister. If the spectrum is used to provide the service, registration with the CRTC as a non-dominant carrier will be required. An application is required to obtain licensed spectrum and a licence fee applies. No licence or licence fee is required if licence-exempt spectrum is used, such as certain Wi-Fi frequencies. Radio apparatus must be certified to meet specified standards. Certifications from specified countries can be used as the basis for Canadian certification. The CRTC does not charge for registering a non-dominant carrier but it operates a “contribution fund” to which carriers and telecommunications service providers (TSPs) are required to contribute based on a percentage of their Canadian telecommunications revenues once they are generating CAD10 million or more in revenues. Money from this fund is used to finance video relay services and the extension of broadband facilities to rural and remote parts of Canada. A subsidy of telephone service in high-cost service areas is being phased out.
VoIP service providers that provide access or egress to or from the public switched telephone network (PSTN), and that use North American Numbering Plan (NANP) telephone numbers to route calls, require CRTC approval of their 911 emergency services. They also need to register with the CRTC as a non-dominant carrier or reseller depending on whether they own a transmission facility. A Basic International Telecommunications Services (BITS) licence is also required which entails an application to the CRTC. No fees are applicable for these registrations, approvals or licences other than contribution to the fund referenced above. If the VoIP service does not provide access to or egress from the PSTN, and does not use NANP telephone numbers for routing calls, it is not subject to regulation.
The provision of instant messaging will be regulated if it involves the use of telecommunications transmission facilities owned or leased by the carrier or TSP. Registration as a reseller or non-dominant carrier will be required. A BITS licence will also be required. No fees are applicable other than contribution to the fund referenced above. If the service simply uses the Internet for transmission purposes and if a third party provides the Internet access, the instant messaging service will not be subject to regulation. The provision of an App without transmission services is not regulated.
All traditional audio-visual services (television, radio, cable, etc) operating in Canada are required to be licensed or exempt from licensing by the CRTC under the Broadcasting Act. The CRTC issues licences for terms not exceeding seven years and makes those licences subject to conditions related to the circumstances of the licensee that it deems appropriate for the implementation of Canada’s broadcasting policy. Licensees are generally subject to a variety of Canadian content, programme expenditure and/or contribution obligations. Television and radio stations that use radio spectrum are also required to obtain authorisation from the Department of Innovation, Science and Economic Development Canada (ISED) in accordance with the Radiocommunication Act. Applications to obtain a broadcasting licence must be filed with the CRTC, and the CRTC is required to hold a public hearing to consider the application. The process typically takes between eight and eighteen months to conclude. In order to be eligible to hold a broadcasting licence, a company must be owned and effectively controlled by Canadians. Broadcasting licensees are generally required to pay two types of licence fees (Part 1 and Part 2 fees) under the Broadcasting Licence Fee Regulations. The Part 1 fee is a licensee’s pro rata share of the annual cost of the CRTC’s operations. The Part 2 fee is established by the Canadian government using a complex formula and paid on a pro rata basis by each licensee.
The CRTC also has the authority to exempt classes of broadcasting undertakings from holding a licence and has exercised this authority in a number of circumstances, including with respect to small satellite-to-cable (discretionary) services and small cable distributors. The exemption order issued by the CRTC contains terms and conditions that apply to an entire class of broadcasting undertaking and does not require a company to pay any licence fee or to obtain any further authorisation from the CRTC.
Online Video Channels
Individuals and companies that operate online video channels (including user-generated content) in Canada do so in accordance with a CRTC exemption order called the exemption order for digital media broadcasting undertakings. To operate under this exemption order, an online video channel must comply with minimal obligations, which include a prohibition on granting undue preferences or disadvantages and a requirement to submit to the CRTC’s dispute resolution process. There are no licence fees or Canadian ownership and control requirements applicable to online video channels.
On 3 November 2020, the Canadian government introduced legislation in Parliament to amend the Broadcasting Act (Bill C-10, An act to amend the Broadcasting Act). Among the amendments being proposed are provisions granting the CRTC the express authority to regulate online video and audio channels/services that are provided in Canada. The amendments are expected to be enacted into law during the second quarter of 2021. Following that, the CRTC will be mandated to establish the regulatory conditions under which online channels/services operate in Canada.
In general, federal and provincial private-sector privacy laws require that organisations implement and maintain safeguards to protect personal information that are appropriate given the sensitivity of the information. The federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), states that safeguards should include physical, organisational, and technical measures, and specifically references encryption as a technical measure to be used in safeguarding personal information. The federal privacy regulator makes reference to industry standards in determining whether safeguards are appropriate. It is likely that in almost all cases Canadian privacy regulators would require the use of industry standard encryption to safeguard personal information, and its use would clearly be required in connection with sensitive personal information.
In the public sector, various government security programmes will invariably require that specified government information must be encrypted. For example, the federal government information technology security requirements apply to any vendor, and any of its subcontractors, that receive, access, produce, transmit, process, or store protected information under government contract. Organisations must undergo an IT security assessment by Public Services and Procurement Canada, and must obtain personnel security clearances and document safeguarding capability approval for protected information, with a further facility security clearance being required for classified information. Obtaining approvals will require organisations to make proper use of encryption in the circumstances (among other requirements) but companies should note that even when using encryption, cross-border transmission of federal data or information may still be prohibited.
Canadian law places restrictions on the export of certain cryptography and information security goods and services (including goods that can be described as “dual use”), and an export permit is required for goods and services of this nature leaving Canada. While certain exceptions exist for the requirement of export permits for the USA, this is not an absolute exemption.
The use of encryption does not exempt an organisation from the application of private-sector privacy laws (rather it is often a required safeguard). Encryption may reduce the harm associated with a security breach, but a security breach of encrypted data is not an exemption from the requirements surrounding data breaches under privacy laws or consideration of the harms that could arise from the breach.
The Canadian government has adopted a number of initiatives to address the impact of the COVID-19 pandemic. In the TMT sector, these include waiving the obligation for licensed broadcasting services to pay Part 1 and Part 2 licence fees, which are imposed under the Broadcasting Act. The government also announced a CAD500 million COVID-19 Emergency Support Fund for Cultural, Heritage and Sport Organisations that provided support to various cultural, heritage and sport organisations, including those operating in the Canadian audio-visual sector.
Other relief programmes provided by the Canadian federal government that may be of interest to organisations in the TMT sector include: