Data Protection & Privacy 2024

Last Updated February 13, 2024

Canada

Law and Practice

Authors



Norton Rose Fulbright provides a full scope of legal services to the world’s pre-eminent corporations and financial institutions. The global law firm has more than 3,000 lawyers advising clients across more than 50 locations worldwide, including London, Houston, New York, Toronto, Mexico City, Hong Kong, Sydney and Johannesburg, covering Europe, the United States, Canada, Latin America, Asia, Australia, Africa and the Middle East. With its global business principles of quality, unity and integrity, Norton Rose Fulbright is recognised for its client service in key industries, including financial institutions; energy, infrastructure and resources; technology; transport; life sciences and healthcare; and consumer markets. Norton Rose Fulbright Verein, a Swiss verein, helps coordinate the activities of Norton Rose Fulbright members but does not itself provide legal services to clients. For more information, see nortonrosefulbright.com/legal-notices.

Canada is a complex patchwork of federal and provincial-level privacy laws governing the private and public sectors.

Federal Privacy Laws

There are two federal privacy laws in Canada:

  • the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the private sector; and
  • the Privacy Act, which governs federal government institutions.

The Privacy Commissioner of Canada (the Commissioner) oversees both PIPEDA and the Privacy Act. Although an agent of the Parliament of Canada, the Commissioner is an independent authority leading the Office of the Privacy Commissioner of Canada (OPC).

PIPEDA applies Canada-wide, except within provinces that have enacted legislation that is deemed substantially similar to PIPEDA. Additionally, PIPEDA applies to non-Canadian organisations if they have a real and substantial connection to Canada.

In the private sector, PIPEDA governs the collection, use and disclosure of personal information in the context of commercial activities. PIPEDA’s purpose is to balance individual privacy rights with an organisation’s need to collect, use and disclose personal information in the course of its activities. PIPEDA does not apply to the personal information of employees and potential employees of private sector organisations. PIPEDA is “technology neutral”: it applies regardless of the technology used to collect, use or disclose personal information.

Federal works, undertakings and businesses (FWUBs), ie, federally regulated entities, are also within the purview of PIPEDA. FWUBs include airlines, banks, airports, transportation companies (both interprovincial and international), telecommunications companies, and radio and television broadcasters. PIPEDA also applies to the personal information of FWUBs’ employees and potential employees.

In addition to private sector organisations generally, Schedule 4 of PIPEDA lists specific organisations that are covered by PIPEDA. Currently, the World Anti-Doping Agency is the only organisation listed in Schedule 4.

Charities and non-profit organisations engaged in a commercial activity fall within the scope of PIPEDA, for example, if they engage in selling or leasing membership lists or other fundraising lists. Otherwise, PIPEDA does not apply to charities and non-profit organisations.

The Privacy Act is a limited statute in that it only applies to government institutions and Crown corporations.

Provincial Private Sector Privacy Laws

Three provinces have private sector privacy laws considered substantially similar to PIPEDA:

  • Alberta – Personal Information Protection Act, SA 2003, c P-6.5 (AB PIPA);
  • British Columbia – Personal Information Protection Act, SBC 2003, c 63 (BC PIPA); and
  • Québec – An Act to modernize legislative provisions regarding the protection of personal information, SQ 2021, c 25 (Québec’s Private Sector Privacy Act, recently updated with the passing of Law 25) (Law 25). See 1.7 Key Developments.

Provincial Personal Health Information Laws

The following four provincial personal health information laws are deemed substantially similar to PIPEDA:

  • Ontario – Personal Health Information Protection Act, 2004, S.O. 2004, c 3, Sched. A, overseen by the Office of the Information and Privacy Commissioner of Ontario (IPC ON);
  • Newfoundland and Labrador – Personal Health Information Act, SNL 2008, c P-7.01, overseen by the Office of the Information and Privacy Commissioner for Newfoundland and Labrador (OIPC NFL);
  • Nova Scotia – Personal Health Information Act, SNS 2010, c 41 administered by the Information and Privacy Commissioner of Nova Scotia (IPC Nova Scotia); and
  • New Brunswick – Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05, overseen by New Brunswick Office of the Ombud (NB Ombud).

The provinces and territories of Alberta, Manitoba, Saskatchewan, Yukon and the Northwest Territories have their own personal health information laws; however, they are not deemed substantially similar to PIPEDA. Nevertheless, these laws generally replace PIPEDA with respect to personal health information to the extent they impose stricter obligations on organisations handling personal health information and must therefore be complied with in their respective jurisdictions.

Provincial Public Sector Privacy Laws

Privacy and/or access to information laws applicable to provincial-level government institutions or public bodies exist in all provinces and territories.

Privacy Commissioner of Canada

At the federal level, the Privacy Commissioner of Canada is appointed by the Governor in Council under the federal Privacy Act and is an agent of Parliament, acting independently from Parliament.

Provincial Privacy Authorities

The privacy authorities at the provincial and territorial level are the following:

  • Office of the Information and Privacy Commissioner of Alberta (OIPC AB);
  • Office of the Information and Privacy Commissioner of British Columbia (OIPC BC);
  • Office of the Ombudsman Manitoba;
  • Office of the Ombud for New Brunswick;
  • Office of the Information and Privacy Commissioner for Newfoundland and Labrador;
  • Information and Privacy Commissioner of the Northwest Territories;
  • Information and Privacy Commissioner of Nova Scotia;
  • Information and Privacy Commissioner of Nunavut;
  • Information and Privacy Commissioner of Ontario;
  • Information and Privacy Commissioner of Prince Edward Island;
  • Commission d’accès à l’information du Québec (CAI);
  • Information and Privacy Commissioner of Saskatchewan; and
  • Ombudsman and Information and Privacy Commissioner of the Yukon.

PIPEDA

The OPC investigates complaints under PIPEDA under the following circumstances:

  • where an individual files a complaint with the OPC alleging a violation; or
  • where the Commissioner initiates an investigation on reasonable grounds.

The OPC can decline or discontinue complaints. Reasons to do so include, but are not limited to:

  • the complaint could be more appropriately dealt with by another procedure under Canadian law;
  • the organisation has a fair and reasonable response to the complaint; or
  • the matter is already subject to any ongoing investigation.

Further grounds for declining or discontinuing an investigation are listed in Section 12 of PIPEDA.

Notably, despite the Commissioner’s investigative powers, the Commissioner cannot, under PIPEDA, impose administrative monetary penalties (AMPs). Instead, upon the conclusion of an investigation, the Commissioner may make recommendations in a public Report of Findings.

Appeal routes through the Federal Court of Canada are available to both investigation respondents and complainants. While the Commissioner cannot order AMPs, the courts have awarded damages for breaches of PIPEDA in some cases. However, in comparison to the penalties issued in Europe under the General Data Protection Regulation (GDPR) or in the United States under various statutes, these awards have been much smaller in scope.

Some violations of PIPEDA, such as an organisation failing to report a privacy breach to the Commissioner or obstructing an investigation or audit, are subject to PIPEDA’s offence provisions. Under PIPEDA (as well as AB PIPA and BC PIPA), organisations found to be in violation of the applicable statutes may be subject to fines of up to CAD100,000.

Privacy Act

Section 29 of the Privacy Act authorises the OPC to carry out impartial investigations of complaints against federal government institutions for matters within scope of the OPC’s powers.

The complaint procedure is as follows:

  • the complaint is screened and triaged to an investigator; and
  • the investigator proceeds with the investigation once assigned the complaint. Investigators can receive evidence, enter premises where appropriate, and examine or obtain copies of records found on any premises during an investigation.

The OPC employs a variable approach to carrying out investigations. This includes encouraging early resolution of the complaint if the facts warrant it, or expediting proceedings without issuing formal findings.

When a case is of higher complexity, the OPC will conduct an investigation and issue a Report of Findings at its conclusion, which is made public on the OPC’s website.

The OPC usually issues a set of non-binding recommendations stemming from the investigation for the purpose of assisting with achieving compliance with the Privacy Act. However, the OPC does not possess order-making powers and therefore cannot force organisations to carry out specific actions to remedy any violations.

In terms of recourse for denials of access to personal information requests, a review can be requested from the Federal Court under the Privacy Act.

Please see 1.1 Laws for how the federal privacy regime interacts with the provincial regime across Canada.

Canada participates in several international organisations related to privacy:

  • Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Enforcement Arrangement (CPEA);
  • Global Privacy Assembly (GPA);
  • Asia Pacific Privacy Authorities (APPA);
  • Association francophone des autorités de protection des données personnelles (AFAPDP);
  • Global Privacy Enforcement Network (GPEN);
  • Organisation for Economic Co-operation and Development (OECD)’s Working Party on Security and Privacy in the Digital Economy (SPDE); and
  • Commission for the Control of INTERPOL’s Files (CCF).

NGOs

The key Canadian privacy or data protection NGOs include, but are not limited to:

  • Canadian Civil Liberties Association (CCLA) – an independent, national, non-governmental human rights organisation. CCLA appears before courts, before legislative committees and in classrooms, and participates in lawful protests to protect the dignity and rights of people in Canada. CCLA advocates for several rights, including advocating for privacy to be recognised as a fundamental human right.
  • Public Interest Advocacy Centre (PIAC) – a national not-for-profit corporation and a federally registered charity. PIAC strives to protect consumers’ interests in regulated industries, including privacy.
  • Centre for Digital Rights (CDR) – a Canadian non-partisan, not-for-profit organisation that strives to promote awareness of digital issues related to the data-driven economy by (i) advancing the public’s understanding of their rights, (ii) raising policymakers’ understanding of advanced technology, and (iii) promoting best practices, laws and regulations that protect both the civic values and the rights of individuals in the 21st century economy, driven by the mass collection, use and disclosure of data.
  • Digital Governance Council (formerly the CIO Strategy Council) – a not-for-profit organisation that works to build Canadians’ trust in the digital economy by collaboratively identifying, prioritising and responding to digital governance opportunities and challenges.
  • The Citizen Lab – an interdisciplinary laboratory created by the University of Toronto that focuses on research, development, and strategic policy and legal engagement at the intersection of information and communication technologies, human rights and global security.
  • Canadian Internet Policy and Public Interest Clinic (CIPPIC) – a public-interest technology law clinic based at the University of Ottawa which works to advance the public interest on privacy and technology issues, such as copyright, telecommunications policy, electronic surveillance and open information.

Self-Regulatory Organisations

Some of the key Canadian industry self-regulatory organisations and trade associations include the following:

  • Digital Advertising Alliance of Canada (DAAC) – an alliance of industry associations responsible for administering AdChoices, a programme to provide notice, transparency and accountability from the advertising sector to online consumers. AdChoices allows Canadians to opt out of “interest-based advertising” and requires participants to hold themselves to specific standards.
  • Ad Standards – an independent national non-profit advertising self-regulatory organisation. Ad Standards administers the Canadian Code of Advertising Standards, which sets the criteria for acceptable advertising in Canada. Ad Standards oversees the compliance of participants in the DAAC’s AdChoices Program. Ad Standards reviews participating companies’ online interest-based advertising practices, ensuring they meet the requirements set out in the DAAC’s Canadian Self-Regulatory Principles for Interest-Based Advertising (revised October 2022). As an independent compliance partner, Ad Standards audits compliance and accepts complaints from the public about potential violations of the DAAC Principles under the AdChoices Accountability Program.
  • Interactive Advertising Bureau of Canada (IAB Canada) – a national trade association dedicated exclusively to the development and promotion of the digital marketing and advertising sector in Canada. As a not-for-profit association, IAB Canada represents over 250 of Canada’s advertisers, ad agencies, media companies, service providers, educational institutions and government associations.
  • Canadian Marketing Association (CMA) – a community-based industry association that encourages its members to comply with the Canadian Marketing Code of Ethics and Standards and other best practices and guidance for marketers. CMA advocates for legislation and regulations, at both the federal and provincial levels, to protect consumer rights in Canada through submissions developed by the CMA’s Privacy and Data Committee.
  • Canadian Anonymization Network (CANON) – an organisation whose objectives include advocating for legislative and policy standards for effective anonymisation that allow for innovative and beneficial uses of data, while accounting for protections against foreseeable privacy risks.

Québec (under Law 25) and Ontario (under the Personal Health Information Protection Act (PHIPA)) are currently the only provinces with legislation that empowers privacy commissioners to impose AMPs.

With privacy law reform on the horizon, the limited AMP powers are likely to change. For example, if Bill C-27 is enacted, the OPC will have powers to impose significant AMPs. That said, the status quo around AMPs sets Canada apart from its G7 counterparts with respect to enforcement consequences.

Notwithstanding the relative lack of enforcement consequences, Canadian privacy commissioners are known to act jointly pursuant to an ombuds model, where the commissioners can make practical recommendations for privacy compliance. Overall, it would appear that the model is effective given that organisations are more amenable to adhering to such recommendations as opposed to being subject to an action in the Federal Court.

As noted in 1.4 Multilateral and Subnational Issues, both Canada’s federal and provincial regimes govern the area of privacy, and the application of one law does not necessarily preclude the other, depending on the particular circumstances.

Canada’s privacy law reform efforts are significant, with increased activity in recent years, for example:

  • the Federal Government tabled Bill C-27, which introduced a new federal privacy law (which, if enacted, will replace PIPEDA), a privacy tribunal, and a framework for regulating artificial intelligence (AI). Bill C-27 completed second reading in the House of Commons on 24 April 2023, and is currently being reviewed by the Standing Committee on Industry and Technology;
  • Québec passed Law 25 (formerly referred to as Bill 64), strengthening privacy protection and increasing compliance obligations within Québec. In September 2023, the majority of Law 25’s reforms came into effect, with some parts of the statute expected to come into force in September 2024;
  • the privacy tort of intrusion upon seclusion has been limited in “database defendant” class actions involving data breaches by third-party hackers;
  • the Federal Government tabled Bill C-26, which, among other things, aims to prevent cybersecurity incidents. Bill C-26 has finished second reading in the House of Commons and is currently being reviewed by the Standing Committee on Public Safety and National Security; and
  • provincial privacy law reform initiatives in Ontario, British Columbia and Alberta are ongoing, with some implementations – see 1.8 Significant Pending Changes, Hot Topics and Issues (Provincial-Level Privacy Law Reform).

Bill C-27

Bill C-27, also known as the Digital Charter Implementation Act, was tabled on 16 June 2022. If enacted, the legislation would:

  • replace PIPEDA with the Consumer Privacy Protection Act (CPPA);
  • introduce the Data Protection Tribunal Act (DPTA); and
  • introduce the Artificial Intelligence and Data Act (AIDA).

Bill C-27 would repeal Part 1 of PIPEDA and change its short title to the Electronic Documents Act.

Consumer Privacy Protection Act (CPPA)

If enacted, the CPPA will replace PIPEDA and will contain the following notable differences:

  • AMPs of up to CAD10 million or 3% of an organisation’s gross global revenue for certain privacy contraventions;
  • fines of up to CAD25 million or 5% of an organisation’s gross global revenue for offences;
  • requiring all organisations to implement and maintain a privacy management programme, including policies, practices and procedures put in place to fulfil the obligations of the CPPA. The CPPA would also allow the Privacy Commissioner to request access to an organisation’s privacy management programme and recommend corrective measures;
  • deeming personal information relating to minors as sensitive;
  • bringing de-identified personal information within the scope of the CPPA and prohibiting re-identification;
  • explicitly stating that it does not apply to personal information that has been anonymised;
  • new and updated consent requirements – making express consent the default form of consent and significantly limiting the ability to rely on implied consent in the context of business activities;
  • clarification of service provider obligations with respect to privacy law;
  • ability for organisations and entities to establish codes of practice and certification programmes;
  • allowing individuals to request that their personal information be disclosed directly to other organisations under Data Mobility Frameworks subject to regulations;
  • a private right of action for individuals affected by certain violations of the CPPA;
  • permitted disclosure of data without consent for public-interest purposes, such as “socially beneficial purposes”, and statistics, study or research under certain circumstances;
  • requiring the de-identification of personal information shared in prospective business transactions except if the de-identification would undermine the objectives for carrying out the transaction;
  • giving the Commissioner new order-making powers and the ability to conduct an Inquiry; and
  • increasing openness and transparency requirements, including with respect to the use of any automated decision systems used to make predictions, recommendations or decisions about individuals that could have a significant impact on them.

Data Protection Tribunal Act (DPTA)

The DPTA would establish the federal Personal Information and Data Protection Tribunal (the Tribunal).

The Tribunal would be composed of three to six members, at least three of whom would have experience in information and privacy law.

The functions of the Tribunal would include:

  • hearing appeals of certain findings, orders or decisions made by the Commissioner; and
  • imposing AMPs on organisations of up to CAD10 million or 3% of the organisation’s gross global revenue in the financial year before the one in which the penalty is imposed, whichever is higher.

Tribunal decisions would be final and binding, except for judicial review under the Federal Courts Act, RSC 1985, c F-7, and would not be subject to appeal or review by any court.

Artificial Intelligence and Data Act (AIDA)

If enacted, the AIDA would regulate AI systems in the private sector. The AIDA’s purpose would be to establish common requirements for the design, development and use of AI systems and to prohibit ADS conduct that could result in serious harm to individuals. The AIDA would aim to establish measures that mitigate the risk of harm or biased output from the use of high-impact systems, and would impose AI system monitoring, communication, notification and record-keeping requirements. As it stands, the details of how the AIDA would be administered would be informed by its regulations.

The Minister of Innovation, Science and Economic Development would be responsible for the AIDA’s administration. This Minister would have the authority to audit and issue orders. AMPs to be established by regulations would accompany violations, and fines of up to CAD25 million or 5% of an organisation’s gross global revenues in the preceding financial year for certain offences might be imposed.

The AIDA would also establish an “Artificial Intelligence and Data Commissioner” to support the Minister in the administration and enforcement of the AIDA.

Law 25

Québec passed Law 25 (An Act to modernise legislative provisions as regards the protection of personal information, SQ 2021, c 25) in 2021; it was formerly known as “Bill 64”. It is commonly recognised as one of the strictest privacy regimes in Canada. Law 25 brought about a significant overhaul of Québec’s previous privacy framework, strengthening privacy protection by increasing compliance obligations within Québec.

The first provisions of Law 25 came into force on 22 September 2022, and most of the remaining provisions of Law 25 came into force on 22 September 2023. The new right to portability is set to come into force in September 2024.

Law 25 reformed and amended Québec’s pre-existing privacy statutes, including Québec’s Private Sector Act (the Act respecting the protection of personal information in the private sector, CQLR c P-39.1) and Québec’s Public Sector Act (Act respecting access to documents held by public bodies and the protection of personal information, CQLR c A-2.1).

Some of the more notable provisions of Law 25 include: significant AMPs for violations; increased requirements to conduct privacy impact assessments; new consent exceptions; mandatory confidentiality incident (ie, privacy breach) reporting; increased accountability and data retention obligations; and requirements for cross-border data transfers, personal information anonymisation, data portability, de-indexing, automated decision-making and biometric data.

The following Law 25 provisions came into effect in 2022:

  • requirement to designate a person in charge of privacy compliance – this would be the individual with the highest authority in an organisation (for example, the chief executive officer) who can delegate in writing all or part of the role to any person;
  • new consent exceptions, such as allowing disclosures of personal information in the context of business transactions without prior consent, or the communication of personal information for statistical, study or research purposes if an assessment indicates that certain privacy-related conditions are met;
  • the notion of “confidentiality incident”, similar to a privacy breach under PIPEDA, which Law 25 defines as:
    1. unauthorised access to personal information;
    2. unauthorised use or communication of personal information; or
    3. a loss of personal information or any other breach in the protection of such information.

Law 25 makes it mandatory to report confidentiality incidents to the CAI and the impacted individual if there is a “risk of serious injury” stemming from the incident. Factors for assessing the risk of injury are similar to those used to assess “risk of harm” under PIPEDA, and include:

  • the sensitivity of the information involved;
  • the anticipated consequences of its use; and
  • the likelihood that such information will be used for injurious purposes.

Additionally, organisations must maintain a register of confidentiality incidents, which must be produced for the CAI upon request.

In December 2022, the Regulation respecting confidentiality incidents (A-2.1, r. 3.1) came into force, which outlines the rules for reporting confidentiality incidents to the CAI. The CAI has also issued guidance documents on its website, including a form to be used for confidentiality incident reporting.

The following Law 25 provisions came into effect in 2023:

  • sanctions for non-compliance;
  • privacy framework and transparency requirements;
  • requirement to conduct Privacy Impact Assessments (PIAs) in certain circumstances;
  • privacy by default and design;
  • rights for de-indexation;
  • updated consent requirements;
  • cross-border transfers of personal information;
  • new rules for the secondary uses of personal information;
  • stringent retention and destruction rules for personal information;
  • new rules regarding automated decisions made using an individual’s personal information; and
  • new rules for business contract information.

The right to data portability will come into force in September 2024.

Anonymisation of personal information

On 20 December 2023, a draft Regulation respecting the anonymisation of personal information was published in the Gazette officielle du Québec. The aim of the Regulation is to protect individuals by requiring that personal information is anonymised through a “rigorous process that will significantly reduce the re-identification risks associated with anonymization”.

Restricted Scope of Intrusion Upon Seclusion (“Database Defendants”)

The Court of Appeal of Ontario decided a set of cases in 2022 establishing that database holders who suffered a cyber-attack by unauthorised external actors are not liable for the tort of intrusion upon seclusion. The reasoning noted that database holders may still be liable for breach of contract, breach of confidence and negligence, requiring proof of actual damage, instead of the symbolic/moral damages available for intrusion upon seclusion. The Court of Appeal of Ontario upheld the limited scope of the tort of intrusion upon seclusion in a recent decision rendered in January 2024.

The tort of intrusion upon seclusion continues to remain available where the unauthorised access resulted from the actions of internal actors (ie, a company’s employees), in instances where the plaintiff succeeds in establishing, among other things, that a database holder behaved in an offensive manner that resulted in distress, humiliation or anguish to a reasonable person. 

Bill C-26 – An Act Respecting Cybersecurity

In 2022, the federal government tabled Bill C-26, which would enact the Critical Cyber Systems Protection Act (CCSPA). The Standing Committee on Public Safety and National Security began its review of the CCSPA on 1 February 2024. In order to be enacted, Bill C-26 must complete the current Committee review, and pass its third reading in the House of Commons and three readings in the Senate.

The CCSPA would impose obligations related to cybersecurity on private sector entities in the following federally regulated sectors: telecommunications, finance, energy and transportation.

If passed, Bill C-26 would impose five key cybersecurity obligations on designated operators:

  • implementation of cybersecurity programmes;
  • identification of cybersecurity risks in their supply chain or through third-party products and services;
  • reporting of cybersecurity incidents;
  • complying with measures outlined in directions from the Governor in Council with respect to protecting critical cyber systems; and
  • keeping records, within Canada, with respect to how cybersecurity programmes were implemented, as well as reports of any cybersecurity incidents.

Bill C-26 would also amend the Telecommunications Act with respect to cybersecurity. In certain circumstances, the changes could prohibit a telecommunications service provider from using all products and services where that is necessary to secure the Canadian telecommunications system.

Finally, Bill C-26 contains AMPs for violations, with a penalty of up to CAD1 million in the case of an individual and up to CAD15 million in any other case.

The most significant pending changes are described above, in 1.7 Key Developments. There are two further significant pending changes.

Provincial-Level Privacy Law Reform

British Columbia, Alberta and Ontario have hinted at impending private sector privacy law reform.

In British Columbia, a Special Committee was appointed to review BC PIPA. The Committee made recommendations to the British Columbian legislature with respect to amending and strengthening BC PIPA. Since 1 February 2023, public bodies in British Columbia are subject to mandatory data breach reporting requirements and are required to implement privacy management programmes. There are no mandatory breach reporting obligations in British Columbia that apply to private sector organisations.

Ontario does not presently have its own private sector privacy legislation. In 2020, the province held a public consultation on modernising privacy in Ontario with the intent to establish a comprehensive provincial privacy regime. However, no such privacy regime legislation has been tabled.

Reform of the Privacy Act

Consultations led by Justice Canada were held on modernising the Privacy Act in 2021, which resulted in a report demonstrating appetite for reform. The goals outlined in the report include using technology to modernise government processes and granting the OPC a larger and more proactive and educational mandate for effective support and oversight, while balancing individuals’ expectations of privacy and data protection laws in other jurisdictions.

In 2022, Justice Canada invited Indigenous partners to provide input on modernising the Privacy Act, building on the 2021 report. The latest report following Justice Canada’s engagement with Indigenous partners included emphasising the importance of aligning the Privacy Act with the United Nations’ Declaration on the Rights of Indigenous Peoples and that decisions about Indigenous peoples’ personal information should be made in partnership with the Government of Canada and those representing the interest of Indigenous peoples.

PIPEDA Requirements

PIPEDA is based on the following fair information principles:

  1. accountability;
  2. identifying purposes;
  3. consent;
  4. limiting collection;
  5. limiting use, disclosure and retention;
  6. accuracy;
  7. safeguards;
  8. openness;
  9. access; and
  10. challenging compliance.

Principle 1 – accountability

Organisations must:

  • designate persons responsible for privacy law compliance;
  • ensure a comparable level of protection is applied to personal information that is transferred to third parties for processing, for example, through contractual or other means; and
  • institute privacy policies and procedures, including measures and procedures to protect personal information, providing training to employees, and outlining the process for responding to complaints or inquiries.

Principle 2 – identifying purposes

PIPEDA requires organisations to document the purposes for which personal information is collected. The purposes must be identified at or before the time of collection. If a new purpose is identified after collection, fresh consent is required before the information is used for it.

Principle 3 – consent

Consent is valid only if it is reasonable to expect that an individual to whom the organisation’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

The OPC, OIPC BC and OIPC AB have provided joint Guidelines for Obtaining Meaningful Consent, which outline the principles of meaningful consent, the suitable form of consent, and consent in the context of minors.

PIPEDA is a consent-based model, requiring valid consent for the collection, use and disclosure of personal information, unless a limited exception applies.

Principle 4 – limiting collection

PIPEDA limits the collection of personal information to what is necessary to fulfil the identified purposes. It does not permit indiscriminate collection, and personal information may only be collected by fair and lawful means.

Principle 5 – limiting use, disclosure and retention

PIPEDA imposes several obligations on organisations with respect to this principle, including:

  • organisations must develop guidelines and implement procedures for the retention of personal information and include minimum and maximum retention periods;
  • organisations must destroy, erase or anonymise personal information that is no longer required to fulfil an identified purpose; and
  • organisations must retain personal information that has been used to make a decision about an individual for long enough to allow the individual to access it after the decision has been made.
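As an added illustration (not from the original chapter and not from any regulator’s guidance), the following Python sketch shows how the retention obligations under Principle 5 could be enforced mechanically over a table of records: a minimum and maximum period per identified purpose, disposal once the purpose is fulfilled, and a hold on information that was used to make a decision so that it remains accessible. The purposes, day counts, one-year access window and sample records are all assumptions made for this example; an organisation’s actual periods come from its own retention guidelines.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed retention schedule keyed by the purpose identified at collection
# (Principle 2): (minimum_days, maximum_days) after the collection date.
# The purposes and periods are illustrative, not taken from PIPEDA or from
# any organisation's actual guidelines.
RETENTION_DAYS: Dict[str, Tuple[int, int]] = {
    "order_fulfilment": (30, 365),
    "marketing": (0, 180),
    "fraud_review": (365, 730),
}

# Assumed period during which an individual can still request access to
# information that was used to make a decision about them. PIPEDA only says
# "long enough" to allow access; the figure here is an assumption.
ACCESS_WINDOW_DAYS = 365

# Reference date for the constructed sample data below.
TODAY = date(2024, 2, 13)


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_on: date
    purpose_fulfilled_on: Optional[date] = None  # when the purpose was satisfied
    decision_on: Optional[date] = None           # when the data was used for a decision
    anonymisable: bool = False                   # still useful in de-identified form?


def retention_action(rec: Record, today: date) -> str:
    """Return 'retain', 'anonymise' or 'destroy' for one record as of `today`.

    Rules, applied in order:
      1. data used for a decision stays accessible for ACCESS_WINDOW_DAYS;
      2. the maximum period is a hard cap;
      3. once the purpose is fulfilled and the minimum period has elapsed,
         the data is no longer required and must be disposed of.
    """
    if rec.purpose not in RETENTION_DAYS:
        # Fail closed: a record without an identified purpose cannot be scheduled.
        raise ValueError(f"no retention rule for purpose {rec.purpose!r}")
    min_days, max_days = RETENTION_DAYS[rec.purpose]
    age_days = (today - rec.collected_on).days
    dispose = "anonymise" if rec.anonymisable else "destroy"

    if rec.decision_on is not None and (today - rec.decision_on).days < ACCESS_WINDOW_DAYS:
        return "retain"
    if age_days >= max_days:
        return dispose
    if rec.purpose_fulfilled_on is not None and age_days >= min_days:
        return dispose
    return "retain"


def sweep(records: List[Record], today: date) -> Dict[str, str]:
    """Map every record id to the action the retention schedule requires."""
    return {rec.record_id: retention_action(rec, today) for rec in records}


def sample_records() -> List[Record]:
    """Constructed sample data for this example (not real customer records)."""
    return [
        # fulfilled, but the 30-day minimum has not elapsed yet
        Record("r1", "order_fulfilment", date(2024, 1, 20), purpose_fulfilled_on=date(2024, 1, 25)),
        # fulfilled and past the minimum: no longer required
        Record("r2", "order_fulfilment", date(2023, 11, 1), purpose_fulfilled_on=date(2023, 11, 10)),
        # purpose still open, but the 180-day maximum is a hard cap
        Record("r3", "marketing", date(2023, 6, 1), anonymisable=True),
        # used for a decision less than a year ago: must stay accessible
        Record("r4", "fraud_review", date(2023, 1, 15),
               purpose_fulfilled_on=date(2023, 9, 1), decision_on=date(2023, 9, 1)),
        # decision window and maximum period both elapsed
        Record("r5", "fraud_review", date(2022, 1, 10),
               purpose_fulfilled_on=date(2022, 6, 1), decision_on=date(2022, 6, 1)),
    ]


if __name__ == "__main__":
    for rid, action in sweep(sample_records(), TODAY).items():
        print(rid, action)
```

The decision hold is checked before the hard cap on purpose: a maximum period that silently destroyed information an individual is still entitled to access would breach the access obligation, so the schedule must be tuned so that the two do not conflict. Records whose purpose is not in the schedule raise rather than being quietly kept, which surfaces undocumented collection during the sweep.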

Principle 6 – accuracy

PIPEDA requires that personal information be as accurate, complete and up to date as is necessary for the purposes for which it is to be used, to minimise the possibility that incorrect or otherwise inappropriate information is used to make a decision about an individual. However, PIPEDA does not permit routine updating of personal information unless doing so is necessary to fulfil the purposes for which the information was collected.

Principle 7 – safeguards

Organisations must:

  • secure personal information against loss or theft, unauthorised access, disclosure, copying, use or modification;
  • protect personal information with safeguards responsive to the sensitivity of the information, meaning that more sensitive information requires a higher level of protection; and
  • ensure employees are aware of the importance of maintaining the confidentiality of personal information.

Organisations should also implement physical, organisational and technological safeguards.

Principle 8 – openness

PIPEDA requires organisations to be transparent about their privacy practices, policies and procedures, for example:

  • ensuring individuals understand and know how to access information about the organisation’s privacy policies and practices;
  • providing the name or title and address of the person responsible for the organisation’s privacy policies and practices; and
  • publicising the process for access to personal information held by the organisation, as well as the contact person for complaints or enquiries.

Principle 9 – access

Individuals have a right to be informed of, and to access, the personal information held by organisations about them.

Individuals also have the right to challenge the accuracy and completeness of the personal information held and to have it amended as appropriate (subject to exceptions). On request, organisations must provide an account of the third parties to which personal information has been disclosed. PIPEDA also requires that access be provided at no cost or for a minimal fee, within a reasonable time.

Beyond the principles, Sections 8 and 9 of PIPEDA set out the time limits, costs and exceptions that apply to access requests.

Principle 10 – challenging compliance

Organisations must have procedures in place to receive and process complaints or enquiries from individuals about their personal information and how this personal information is handled. PIPEDA requires that all complaints are investigated and, if a complaint is justified, the organisation is required to adopt appropriate measures to address the situation.

Other Requirements

Supplementing the fair information principles are compliance requirements found in the body of PIPEDA:

  • Section 5(3) contains requirements for the collection, use or disclosure of personal information to be for an appropriate purpose, namely, one that a reasonable person would consider appropriate in the circumstances.
  • PIPEDA requires that breaches of security safeguards creating a real risk of significant harm to individuals (RROSH) be reported to the OPC and notified to the affected individuals. Organisations must also keep records of every breach of security safeguards, not just RROSH breaches, and the Commissioner is authorised to inspect those records. PIPEDA makes it an offence to knowingly contravene the requirements to:
    1. report a breach to the Commissioner that creates a real risk of significant harm to individuals; or
    2. keep and maintain a record of every breach of security safeguards involving personal information under an organisation’s control.

PIPEDA also includes anti-spam provisions targeting email address harvesting, such as prohibiting the use of computer programs to collect email addresses and the subsequent use of such email addresses collected by the programs. PIPEDA also prohibits illicit access of another person’s computer systems to collect personal information, for example, through spyware.

De-identified Information

PIPEDA does not explicitly address personal information that has been de-identified. However, if enacted, Bill C-27 will define and regulate de-identified personal information (see 1.7 Key Developments).

Sensitive Information

PIPEDA does not define sensitive information. However, sensitivity overlaps with the consent and safeguarding principles, and factors into whether a breach meets the RROSH test. The OPC has also released an Interpretation Bulletin on Sensitive Information.

Some personal information is inherently sensitive, such as health or financial information, but sensitivity can also be context-dependent: combining personal information with other information may make it sensitive.

Sensitive information can include information such as a person’s sexual orientation, ethnic and racial origins, children’s information, religious information, political affiliations, genetic and biometric data, drug and alcohol references, and/or information affecting a person’s reputation.

Québec’s Law 25 provides examples of sensitive personal information such as medical, biometric or intimate information. As noted above, information can also be sensitive depending on the context of its use.

Children

While PIPEDA does not have specific provisions applicable to minors, Principle 3 states that “seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated”.

In light of the above, the OPC has interpreted and enforced PIPEDA to protect the privacy of children. For example, the OPC has guidance stating that information related to children will be considered “particularly sensitive”. The OPC also operates under the general rule that meaningful consent cannot be obtained from children under the age of 13. If enacted, Bill C-27 will categorise personal information of minors as sensitive (see 1.7 Key Developments).

In October 2023, the OPC issued two guidance documents in support of its joint resolution aimed at strengthening privacy protection for young people.

Additionally, Law 25 mandates parental consent for processing the information of children (defined as being under the age of 14), unless the processing of information is explicitly for the child’s benefit.

In August 2022, the CAI issued a report on children’s privacy, titled ‘Ensuring a Better Protection for Young People’s Personal Information in the Digital Age’. The report found that children warrant additional protective measures beyond those included in Law 25, to better protect them.

Right to Be Forgotten

PIPEDA gives individuals the right to withdraw consent, the right to access their personal information, and the right to have their information kept accurate, complete and up to date. In 2021, a Federal Court Reference decision found that PIPEDA applied to Google’s search engine. Google appealed to the Federal Court of Appeal, which in 2023 upheld the Federal Court’s decision.

Financial Information

In 2022, the Office of the Superintendent of Financial Institutions (OSFI) issued guidelines pertaining to technology and cyber-risk management by federally regulated financial institutions. The guidelines outlined obligations for cyber-governance and risk management with the aim of enhancing cybersecurity. The guidelines came into force in January 2024.

In 2023, OSFI released two draft guidelines for consultations building on the previous year’s guidelines.

Federal banking legislation contains provisions for regulating personal financial data, and certain provincial consumer credit reporting laws also contain compliance obligations with respect to personal information.

Canada’s Anti-Spam Legislation

Canada’s Anti-Spam Legislation (CASL) prohibits the sending of commercial electronic messages (CEMs), such as emails, without consent, and requires CEMs to meet identification and unsubscribe requirements. CASL also targets more harmful conduct, such as the installation of computer programs (including malware, spyware and botnet software) without consent and the alteration of transmission data. CASL also provides that consent is required to install tracking tools such as cookies.

Telemarketing

The Canadian Radio-television and Telecommunications Commission (CRTC) administers telemarketing rules that include:

  • requirements for telemarketers to register with the national do-not-call list;
  • explicit requirements for calls made with automatic dialling-announcing devices;
  • record-keeping obligations; and
  • specific registration requirements for telephone calls during an election period.

In terms of enforcement, the CRTC has broad enforcement powers, such as the power to execute regulatory inspections, issue orders, compel the disclosure of information, and impose AMPs of up to CAD5,000 under the Telecommunications Act and up to CAD10 million under CASL.

Online Behavioural Advertising

The OPC has guidance and a policy position on online behavioural advertising (OBA) (also known as interest-based advertising/personalised advertising). This guidance notes that relying on opt-out consent for OBA requires:

  • the personal information not be sensitive;
  • the purpose of consent be outlined in a way that is clear, understandable and obvious;
  • the opt-out be readily available, ideally at the time of collection, be persistent and take effect immediately; and
  • the tracking of children be avoided.

Additionally, the DAAC released self-regulatory principles for OBA, which include transparency, consumer control, data security, sensitive data, education and accountability (see 1.5 Major NGOs and Self-Regulatory Organisations for a description of the DAAC). In October 2022, the DAAC refreshed these principles and officially adopted the term “interest-based advertising” instead of “online behavioural advertising”.

Ontario Employee Electronic Monitoring Policy

Ontario’s electronic monitoring policy requirement, now in effect, requires employers with 25 or more employees to have a written policy on the electronic monitoring of their employees. The policy must state:

  • whether the employer electronically monitors employees;
  • if so, how and in what circumstances the monitoring takes place; and
  • the purposes for which information obtained through the monitoring may be used.

This policy must be provided to all employees for review.

It is important to note that these changes stem from the Employment Standards Act, 2000, S.O. 2000, c. 41 (ESA), as opposed to privacy legislation, and do not introduce any new privacy rights for individuals and do not provide for enforcement mechanisms for non-compliance.

Employee Privacy Rights Afforded Under Privacy Statutes

PIPEDA extends privacy protections to employees of federally regulated organisations and FWUBs. Employees working for private sector organisations are generally not protected under PIPEDA. However, BC PIPA, AB PIPA and Québec’s Law 25 include employee privacy rights.

Whistle-Blowing

PIPEDA contains “whistle-blowing” provisions, and allows the OPC to be the recipient of information from a whistle-blower. The OPC is also required to keep the identity of the whistle-blower confidential.

Employee Privacy in the Courts

In a seminal 2022 decision, Elementary Teachers Federation of Ontario v York Region District School Board, 2022 ONCA 476, the Court of Appeal for Ontario upheld employees’ reasonable expectation of privacy in the workplace and found that they are protected from unreasonable search and seizure under Section 8 of the Canadian Charter of Rights and Freedoms. The issue was whether teachers’ private, password-protected communications attracted a reasonable expectation of privacy even though they were accessed through a web browser on a workplace computer and were not saved to any workplace network. On 18 October 2023, the Supreme Court of Canada heard arguments in this case; as of February 2024, the decision has yet to be rendered.

Remedies and penalties for non-compliance with privacy legislation may include administrative remedies, private litigation and criminal penalties. See 1.3 Administration and Enforcement Process.

Recent Updates

As of 1 January 2024, the IPC ON can issue AMPs for non-compliance with PHIPA or its regulations. The AMPs range from a maximum of CAD50,000 for a natural person to CAD500,000 for organisations. The IPC also has the discretion to issue AMPs over the maximum amounts in cases involving economic gain.

Additionally, the OPC announced public consultations on draft guidance documents on the use of biometric data, which closed on 16 February 2024.

Leading Regulatory Enforcement Cases

Investigation into ChatGPT

The OIPC BC, OIPC AB and CAI joined the OPC in a formal investigation into OpenAI, the company behind ChatGPT. The investigation, which is ongoing, examines whether OpenAI obtained valid and meaningful consent from individuals in Canada for the collection, use and disclosure of their personal information through ChatGPT; whether OpenAI met its obligations with respect to openness, transparency, access, accuracy and accountability; and whether it collected, used or disclosed personal information for purposes that would be considered reasonable and legitimate, limited to the information necessary for those purposes.

Investigation into Agronomy’s privacy practices related to safeguards, accountability and valid consent for the collection and use of personal information

Agronomy Company of Canada Ltd. (Agronomy) experienced a privacy breach that compromised the personal information of 845 individuals. Agronomy did not initially detect the breach, and when the threat actor demanded a ransom, Agronomy refused to pay; the compromised information was subsequently published on the dark web. The OPC found that Agronomy had breached its obligations under PIPEDA by having inadequate safeguards in place and by failing to meet its accountability obligations.

Investigation into Home Depot’s use of Meta’s offline conversions tool

The OPC found that Home Depot failed to obtain meaningful consent from its customers when it disclosed their non-sensitive personal information to Meta. The affected customers were those who had opted to receive electronic receipts; Home Depot shared their email addresses and purchase details with Meta through the Offline Conversions tool for marketing measurement. Although the information was non-sensitive, the OPC found that Home Depot could not rely on implied consent and that meaningful consent was required, because customers would not reasonably expect their transaction information to be shared with Meta.

Investigation into the TikTok app

In February 2023, four Canadian privacy offices announced a joint investigation into the application TikTok. As of February 2024, the investigation is ongoing and will include an analysis of the company’s privacy compliance and how TikTok’s privacy procedures interact with younger users of the platform.

Investigation into the Tim Hortons app

A joint investigation by the OPC, OIPC BC, OIPC AB and CAI found that the Tim Hortons app’s collection of users’ granular location data, including when the app was not in use, violated Canadian privacy laws. The privacy regulators also found that Tim Hortons did not have adequate protections in place for personal information and failed to meet its accountability obligations. They recommended that Tim Hortons develop a privacy management programme to ensure that any future collection is necessary and proportional to its use.

Private Litigation

Private litigation is another avenue for individuals to bring actions against organisations that breach privacy statutes. While PIPEDA does not include a private right of action, non-compliance with PIPEDA can ground claims in contract and in tort, including negligence and the privacy torts. Ontario recognises four privacy torts:

  • intrusion upon seclusion;
  • public disclosure of embarrassing private facts;
  • appropriation of a person’s name or likeness; and
  • publicity placing a person in a false light.

Privacy class actions are a common type of action in Canada. The threshold for certification of class actions is fairly low, but Canadian courts have been known to impose limits to avoid a floodgate of class actions.

For example, in 2022, the Court of Appeal for Ontario denied certification on a series of “database defendant” class actions and found that organisations are not liable for the tort of intrusion upon seclusion when a database is breached by external actors such as hackers.

On the other hand, the Federal Court certified a class action against the government of Canada stemming from a cybersecurity attack by hackers into a government database in the context of a negligence claim.

With respect to merit decisions, a 2021 Québec Court of Appeal case upheld a merits decision that dismissed a privacy class action noting that plaintiffs need to establish a causal link between a privacy breach and resulting incidents of fraud and theft. This case is currently being appealed to the Supreme Court of Canada.

Otherwise, most privacy class actions settle before a decision on the merits, with a low level of per-person compensation.

Law enforcement and national security agencies are permitted to use lawful access technologies to support their investigation of serious crimes, such as child pornography, human trafficking, money laundering, murder and national security threats.

Technologies that intercept communications can be accessed by law enforcement for investigating serious crimes, and law enforcement can seize any computer data through these means. However, these investigative techniques are limited by a warrant issued by a judge in specific circumstances, for example, under the Criminal Code, RSC 1985, c C-46.

Law enforcement access is also limited and subject to the Canadian Charter of Rights and Freedoms.

Canada has numerous laws with respect to government access to data for intelligence, anti-terrorism or other national security purposes, including the Security of Canada Information Disclosure Act (SCIDA), the Criminal Code, the Canadian Security Intelligence Service Act (the CSIS Act), and other laws involving a national security mandate or responsibility.

The application of these laws is subject to the Canadian Charter of Rights and Freedoms and the federal Privacy Act. Warrants, for example, may require independent judicial approval in the absence of any exigent circumstances. Additionally, SCIDA contains a framework for how information is shared between federal departments for national security purposes. SCIDA has oversight in the form of the National Security and Intelligence Review Agency, established in 2019, which reviews information shared under SCIDA and the government of Canada’s national security and intelligence activities.

PIPEDA, under its exceptions to consent, allows organisations to disclose personal information without the knowledge or consent of the individual if the disclosure is to a government institution or part of a government institution that has made a lawful request, identified its lawful authority to obtain the information, and indicated that the information relates to national security, the defence of Canada or the conduct of international affairs. A request by law enforcement for voluntary disclosure will generally not suffice; the organisation should require that lawful authority be identified.

Additionally, in 2022, the United States and Canada formally announced bilateral negotiations on the US Clarifying Lawful Overseas Use of Data (CLOUD) Act, targeting access to electronic information for investigating serious crimes.

In December 2023, the OPC, OIPC BC, OIPC AB and CAI jointly released the Principles for responsible, trustworthy and privacy-protective generative AI technologies. These principles are not binding but signal the direction that future policy and regulation of AI may take in Canada.

The nine principles apply to both public and private sector organisations and were developed to align with public and private sector privacy laws. The principles lay out how key privacy principles apply when developing, providing or using generative AI models, tools, products and services.

In February 2024, the House of Commons Standing Committee on Access to Information, Privacy and Ethics initiated a study on the federal government’s use of technological tools capable of extracting personal data from mobile devices and computers. The Commissioner appeared before the Committee to take part in the study. The Commissioner’s remarks noted the importance of ensuring that government institutions carefully consider and assess the privacy implications of their activities to determine if and when PIAs are required.

In November 2022, the House of Commons Standing Committee on Access to Information, Privacy and Ethics issued a report on its study of device investigation tools used by the Royal Canadian Mounted Police (RCMP). The study examined spyware and other technology-based investigative tools used by the RCMP in its investigations.

The report’s purpose was to examine the benefits and risks of using investigative tools and how the federal government could better regulate the use of such tools in Canada. The report offered nine recommendations, one of which was to amend the federal Privacy Act to include an explicit obligation on the part of government institutions to conduct PIAs before resorting to high-risk technological tools that collect personal information.

Finally, Canadian privacy commissioners have issued joint guidance for police agencies on using facial recognition technology, noting deficiencies in the current legislative scheme, to adequately address the concerns associated with such technology.

PIPEDA

PIPEDA does not prohibit the transfer of personal information across borders. However, any transfers of personal information outside of Canada must provide a comparable level of protection to PIPEDA. OPC guidance also states that individuals must be provided with notice of cross-border data transfers, and that organisations should disclose that personal information could be subject to the laws of a foreign jurisdiction.

The OPC has the authority to investigate complaints related to transfers of personal information and conduct audits on an organisation’s process with respect to dealing with personal information.

Alberta

AB PIPA does not restrict transfers of personal information outside Canada for processing. Under AB PIPA, the transferring organisation is required to indicate the country to which the information will be transferred and the purposes for which the information may be used.

Organisations are required to notify individuals in writing or orally and must provide details on how individuals can access the policies and practices of the service provider, and must provide contact information for someone at the organisation who can respond to questions related to the service provider.

British Columbia

BC PIPA only applies to personal information collected, used or disclosed within British Columbia. PIPEDA applies to personal information that is being transferred outside of British Columbia, whether to another province or outside of Canada.

Under British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA), public bodies are permitted to store and access personal information outside of Canada. There are additional requirements for sensitive personal information, discussed in more detail below.

Québec

Under the amendments brought to Québec’s Private Sector Privacy Act by Law 25, organisations transferring personal information outside Québec must first conduct a PIA that takes into account: (i) the sensitivity of the information, (ii) the purposes for which the information will be used, (iii) the protection measures (including contractual provisions) that will apply, and (iv) the privacy laws of the jurisdiction which receives the information.

Organisations are also required to inform individuals that their personal information may be transferred outside of Québec.

Finally, any risks identified in the PIA should be mitigated by contractual clauses with the receiving organisation.

PIPEDA

PIPEDA permits the use of any mechanism that ensures a comparable level of protection. However, the OPC encourages transferring organisations to implement privacy protections through written contracts. Among other things, contractual provisions should require third parties to have policies in place to protect personal information (eg, training staff and having effective security measures), and allow transferring organisations to audit the third party’s handling and storing of personal information.

Organisations must give individuals notice of any potential transfer of their personal information outside of Canada, but their consent to the transfer is not required.

G7 DPAs Action Plan

Canada, as part of the G7 Data Protection and Privacy Authorities’ (DPAs) Roundtable, endorsed an action plan that established three pillars: data free flow with trust, emerging technologies, and enforcement cooperation. The commitments of the DPAs’ action plan include, among other things, developing data free flow with trust, improving and collaborating on transfer tools, developing and using emerging technologies while reinforcing trust and respecting privacy, and increasing dialogue and supporting enforcement cooperation activities.

APEC

Canada participates in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (CBPR) system, which is designed to streamline the transfer of data between member countries. The CBPR system requires that participating countries have enforceable standards, accountability, risk-based protections, consumer-friendly complaint handling, consumer empowerment and consistent protections. The CBPR also provides regulatory authorities with the ability to co-operatively enforce the requirements of the system.

There are generally no requirements to notify government or obtain approval to transfer data internationally.

Private Sector

As noted in section 4.1 Restrictions on International Data Issues, Canadian private sector privacy legislation generally does not impose any data localisation requirements, but does require consent from, and/or notification to, the individuals whose personal information will be transferred outside of Canada or Québec.

Public Bodies

Under British Columbia’s FIPPA, organisations are permitted to store and access personal information outside of Canada. For sensitive personal information, FIPPA requires that a PIA with a satisfactory risk assessment be conducted prior to transfers outside of Canada. This involves considering factors that increase the risk of the unauthorised collection, use and disclosure of sensitive personal information, and risk mitigation strategies that are proportionate to the risk.

Public bodies under Nova Scotia’s Personal Information International Disclosure Protection Act (PIIDPA) are generally prohibited from disclosing, storing or allowing information to be accessed from locations outside of Canada unless the head of a public body determines that the foreign storage, access or disclosure meets the necessary requirements. PIIDPA also allows the disclosure of information outside of Canada in the context of law enforcement agreements, treaties, debt collection, dangerous situations or certain research purposes.

CRA

The Canada Revenue Agency (CRA) requires that records are generally kept at a place of business or residence in Canada, and must be made available to the CRA for audit upon request. The CRA does not consider records that are kept outside of Canada and accessed electronically from Canada to be records in Canada. However, the CRA may accept copies of records maintained electronically outside of Canada if the records are made available in Canada in an electronically readable and usable format with adequate details for tax filing.

USMCA

The United States-Mexico-Canada Agreement (USMCA), which replaced the North American Free Trade Agreement (NAFTA) in 2020, contains new requirements relating to data localisation. The USMCA includes a chapter on the digital economy, which was not contemplated by NAFTA, originally signed in 1994.

The USMCA prohibits a party from requiring, as a condition of conducting business in its territory, that computing facilities be used or located in that territory. In addition, the USMCA provides that foreign financial institutions are not required to maintain computing facilities in Canada, but are required to provide Canadian regulatory authorities with access to information stored in facilities outside of Canada.

CPTPP

The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) is a free trade agreement between Canada and several countries in the Asia-Pacific region. While recognising that each party may have its own regulatory requirements relating to the security and use of computing facilities, the CPTPP prohibits a party from requiring that computing facilities be used or located in its territory as a condition for conducting business.

Public Safety Canada recently published an international statement received from several countries and Canadian MPs, encouraging governments and technology companies to develop mechanisms that would allow law enforcement to access encrypted content for the purpose of identifying illegal content. At the time of writing, Canada does not require software code, algorithms, encryption or similar technical details to be shared with government.

PIPEDA provides an exception to obtaining consent for the disclosure of personal information when such disclosure is made to a government institution for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction that is carrying out an investigation or gathering intelligence for the purpose of enforcing the law. PIPEDA also provides an exception to obtaining consent for disclosure to government institutions that are set out in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

Canada’s Foreign Extraterritorial Measures Act (FEMA) allows the Canadian government to deal with unacceptable extraterritorial assertions made by a foreign jurisdiction. Under FEMA, the Attorney General of Canada may prohibit or restrict the production of records to foreign tribunals. For example, FEMA protects Canadians and Canadian organisations from judgments issued under the Helms-Burton Act, the United States federal law that prevents foreign countries from engaging with Cuba in international trade.

Artificial Intelligence

If enacted, the AIDA will regulate interprovincial and international trade and commerce in AI systems by establishing common requirements for the design, development and use of AI systems applicable across Canada. The AIDA would also prohibit certain AI system conduct that could result in serious harm to individuals or their interests.

Biometric Data

In 2023, the OPC published draft guidance for organisations that intend to process biometric data. This guidance includes specific requirements and suggestions for identifying an appropriate purpose for collecting biometric data, obtaining express consent, limiting collection of biometric data to that which is necessary for the stated purpose, limiting use, disclosure and retention, appropriate safeguards, the use of accurate technology, accountability for the biometrics, and openness with individuals.

In Québec, Law 25 requires companies that create a database of biometric characteristics to notify the CAI no later than 60 days before the database is brought into service. Law 25 also lists biometric information as sensitive, and biometric data is generally considered sensitive under PIPEDA as well.

Geolocation

The OPC announced in May 2023 that it received several complaints regarding the collection of geolocation data by the Public Health Agency of Canada (PHAC). In concluding that PHAC did not contravene the Privacy Act, the OPC emphasised that consent is generally required for the collection of phone geolocation information and any related disclosures of personally identifiable data, particularly for organisations subject to Canadian private sector privacy laws that collected and disclosed phone geolocation information to PHAC.

Deepfakes

The Canadian government is considering how to regulate deepfakes in a fast-paced digital environment and in view of a significant regulatory gap in the area. Deepfakes present complex issues, including the ability to generate disinformation, misleading material and other problematic content. Deepfakes can be used to mimic politicians and world leaders, resulting in serious implications for democratic processes. Deepfakes have also been used to create sexually explicit material of individuals without their consent.

At the time of writing, privacy legislation in Canada does not require the establishment of any Fair Data Practice Review Boards or protocols for digital governance.

See reference to the Digital Governance Council and its work in 1.5 Major NGOs and Self-Regulatory Organisations.

See 2.5 Enforcement and Litigation.

Québec’s Law 25 provides individuals in Québec with a statutory right of action to claim damages against organisations that violate a right conferred by Québec’s Private Sector Privacy Legislation or by Articles 35 to 40 of the Civil Code of Québec. The violation must have caused injury, and it must have been intentional or have resulted from a gross fault.

Under both PIPEDA and provincial private sector privacy law acts, there are carve-outs for the use of personal information in the context of business transactions. Personal information can be shared in the context of business transactions without consent if certain conditions are met, such as a binding agreement, security safeguards, use solely for the purpose of the transaction, and notification following completion of the transaction.

As part of its continuous disclosure regime, Canadian securities legislation requires that publicly traded companies disclose instances of cybersecurity incidents that represent a material change or material fact. What constitutes a material change or fact depends on the nature and scope of a given cybersecurity incident, but is generally understood as something that could have a significant effect on a publicly listed company’s market price.

The United States Securities and Exchange Commission has also created new cybersecurity requirements that may affect some publicly traded companies in Canada.

See the discussion on Bill C-27 in 1.7 Key Developments.

See the discussion in 1.7 Key Developments.

Norton Rose Fulbright

222 Bay Street, Suite 3000, P.O. Box 53
Toronto, Ontario
M5K 1E7
Canada

+1 416 216 4000

nrfctorreception@nortonrosefulbright.com www.nortonrosefulbright.com/en-ca

Trends and Developments


Canada has seen a number of legislative changes in the past two years that have significantly reformed the Canadian privacy and data protection landscape. As developments in technology and artificial intelligence (AI) continue to grow, all signs point to continued reform going forward that will significantly impact how organisations do business in Canada.

Some of the biggest developments include:

I. the progression of Bill C-27 (seeking privacy reform and AI regulation) through Parliament;

II. the coming into force of the vast majority of amendments to Québec’s private and public sector privacy legislation through Law 25; and

III. the introduction of mandatory privacy management programmes and breach notification in British Columbia’s public sector.

These developments reflect Canada’s growing movement towards increased accountability, transparency and responsibility in the collection, use and disclosure of personal information by organisations in the private and public sectors. Organisations should keep a close eye on these changes and be ready to adapt to them as needed. 

I. Digital Charter Implementation Act, 2022 (Bill C-27)

Bill C-27, also known as the Digital Charter Implementation Act, 2022, was introduced on 16 June 2022 and proposes to enact three new laws:

  • the Consumer Privacy Protection Act (CPPA), which would replace Part 1 of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA);
  • the Data Protection Tribunal Act, which would create the Personal Information and Data Protection Tribunal (Tribunal) to enforce the CPPA; and
  • the Artificial Intelligence Data Act (AIDA), which proposes to regulate the design, development and use of AI systems.

Bill C-27 is a newer iteration of Bill C-11, which was the federal government’s previous attempt to reform private sector privacy law in Canada before Parliament dissolved in August 2021. Bill C-27 has completed its second reading in the House of Commons and is currently being considered by the Standing Committee on Industry and Technology (INDU).

While the proposed amendments under Bill C-27 are far-reaching, a few new and notable updates include:

1. stronger enforcement measures and penalties;

2. mandatory privacy management programmes;

3. transparency in automated decision systems; and

4. mandatory breach notification to organisations and by service providers.

1. Enforcement measures and penalties

Bill C-27 seeks to impose much harsher fines and administrative monetary penalties on organisations for offences and certain contraventions of the CPPA. Whereas PIPEDA caps fines at CAD100,000 for indictable offences, the CPPA could subject organisations to a fine of the higher of:

  • CAD25 million or 5% of the organisation’s gross global revenue for indictable offences; and
  • CAD20 million or 4% of the organisation’s gross global revenue for summary conviction offences.

The CPPA also creates significant administrative monetary penalties (the higher of CAD10 million or 3% of gross global revenue) for certain contraventions of the CPPA, which would include (among others):

  • failing to ensure equivalent protection of personal information by a service provider;
  • failing to implement and maintain a privacy management programme;
  • failing to give effect to the withdrawal of consent by an individual; or
  • retaining personal information for longer than permitted.

The Office of the Privacy Commissioner of Canada (OPC) would also be given much more power under the CPPA, something it currently lacks under PIPEDA. Under the CPPA, the OPC would have the power to conduct audits and inquiries, make compliance orders, and make recommendations for the Tribunal to impose penalties for CPPA contraventions. While the purpose of the CPPA’s enforcement measures would still be to encourage compliance with the law and not to punish, they would undoubtedly give Canada’s private sector privacy regime the “teeth” it currently lacks – teeth that would notably become among the sharpest in the global privacy landscape.

2. Privacy management programme

Another significant change to PIPEDA is the obligation for organisations to implement and maintain a privacy management programme. This programme would consist of the policies, practices and procedures implemented by an organisation to comply with the CPPA. The programme would need to include, at minimum, documented policies, practices and procedures relating to (i) the protection of personal information, (ii) requests for information and complaints made by individuals, and (iii) the training and information provided to employees.

Privacy management programmes are not envisioned as a “one size fits all” exercise. They will need to be tailored to the volume and sensitivity of the personal information under the organisation’s control. In addition, upon request, organisations would be required to provide the OPC with access to their privacy management programme, following which the OPC could provide guidance on the programme or recommend that corrective measures be taken. As noted, failing to implement and maintain a privacy management programme could attract significant administrative monetary penalties in the amount of CAD10 million or 3% of a company’s gross global revenue.

3. Transparency in automated decision systems

In line with the European Union’s General Data Protection Regulation (GDPR), the CPPA seeks to introduce transparency requirements for an organisation’s use of “automated decision systems”. Under the CPPA, an organisation would be required to make readily available its privacy policies, which must include a general account of the organisation’s use of any automated decision system when making predictions, recommendations or decisions about individuals that could significantly impact those individuals. Upon request, organisations would also be required to provide the individual with an explanation of this process, including the type of personal information used to make the decision, the source of the information, and the reasons that led to the decision.

As proposed, the definition of an automated decision system under the CPPA is quite broad. It encompasses “any technology that assists or replaces the judgment of human decision-makers” through the use of various techniques. While the GDPR and Québec’s Law 25 impose similar requirements where decisions are based exclusively on an automated process, without any human involvement, the CPPA would require transparency where the technology merely “assists” with human judgement. Given advances in technology and AI, decisions rendered without the assistance of any automation will likely become fewer and farther between, and complying with these transparency requirements has the potential to become quite onerous for organisations. As Bill C-27 progresses, Canadian businesses should start keeping track of their use of such technologies to best position themselves for compliance.

Notably, the CPPA currently borrows from the GDPR by limiting transparency requirements to decisions that “could have a significant impact” on individuals. In contrast, Law 25 imposes this obligation on organisations that use personal information to make any exclusively automated decision about an individual. These differences will need to be carefully considered by organisations that conduct business across Canada.

4. Breach notification to organisations and by service providers

Breach notification and reporting obligations under the CPPA remain largely unchanged from PIPEDA. However, the CPPA proposes to add two new obligations: (i) notification to organisations and (ii) notification by service providers.

Specifically, if an organisation notifies an individual about a privacy breach under the CPPA, it will also need to notify any other organisation or government institution about the breach if it believes that the other organisation or institution could reduce the risk of harm from the breach.

The second scenario contemplates privacy breaches stemming from a service provider. Though breach notification by service providers who process personal information is often contractually stipulated in service agreements, the CPPA will make it a statutory requirement. If a service provider determines that a privacy breach has occurred, it will be required to notify the organisation that controls the personal information about the breach.

What’s next for Bill C-27?

On 26 April 2023, the OPC set out 15 key recommendations for further improving Bill C-27. Its recommendations were premised on three overarching beliefs held by the OPC:

  • privacy is a fundamental right;
  • privacy supports the public interest and innovation; and
  • privacy is an accelerator of Canadians’ trust in their institutions and in their participation as digital citizens.

On 28 September 2023, proposed amendments to Bill C-27 (especially the CPPA and AIDA) were provided to the INDU for consideration, many of which appear to address the OPC’s recommendations. The proposed amendments to the CPPA seek to explicitly recognise a fundamental right to privacy for Canadians, further emphasise the protection of children, and provide the OPC with more flexibility to reach compliance agreements with non-compliant organisations.

The INDU’s study of Bill C-27 is ongoing, with rumblings that the Bill will be passed sometime this year or in early 2025.

II. Québec’s Law 25

On 22 September 2023, the majority of Law 25 came into effect. Also known as An Act to modernize legislative provisions regarding the protection of personal information, Law 25 (formerly known as Bill 64) amended Québec’s private and public sector privacy laws and overhauled Québec’s privacy regime.

Rolling out in a phased approach from September 2022 to September 2024, Law 25 has imposed on private and public bodies numerous new requirements for handling the personal information of Québec residents. For the most part, these requirements apply to both public bodies and private sector organisations and, notably, extend to organisations outside of Québec that collect, use or communicate the personal information of individuals in Québec.

A few key changes introduced under Law 25 include:

1. the introduction of monetary penalties and stronger enforcement mechanisms;

2. mandatory Privacy Impact Assessments (PIAs) in certain circumstances; and

3. mandatory breach notification and reporting obligations.

1. Enforcement measures and penalties

Law 25 has introduced the potential for significant penalties under Québec’s Act respecting the protection of personal information in the private sector (Québec Private Sector Act). Contravention of certain provisions under the Québec Private Sector Act can expose private sector organisations to:

  • administrative monetary penalties in the amount of CAD10 million or 2% of a company’s global gross revenue;
  • penal liability and fines in the amount of CAD25 million or 4% of a company’s global gross revenue; and
  • a private right of action by individuals to claim punitive damages against an organisation under certain circumstances. 

Public bodies subject to the Act respecting access to documents held by public bodies and the protection of personal information (Québec Public Sector Act) are subject to lower potential penalties, ranging between CAD3,000 and CAD150,000 depending on the violation.

2. Privacy Impact Assessments

Under Law 25, private sector organisations and public bodies are required to conduct PIAs in certain circumstances. A PIA is an assessment undertaken by an organisation to determine, evaluate and mitigate potential privacy risks stemming from projects that involve personal information. Organisations subject to Law 25 must conduct PIAs in three scenarios (with additional scenarios applying solely to public bodies):

  • when communicating personal information (without consent) to a third party for study, research or statistical purposes;
  • when acquiring, developing or overhauling an information or e-service system (eg, a payroll system, virtual assistant or e-commerce platform); and
  • when communicating personal information outside Québec or entrusting a third party outside Québec to process personal information on the organisation’s behalf.

On 22 September 2023, the Commission d’accès à l’information du Québec (CAI), Québec’s privacy regulator, published a guide and model report to assist with conducting PIAs. The guide provides that PIAs should:

  • clearly define the project and its goals;
  • set the scope of the PIA;
  • define the roles and responsibilities of key personnel and stakeholders involved in implementing the PIA;
  • identify and categorise the types, sensitivity, quantity and purpose of personal information that will be involved in the project;
  • assess the magnitude of the PIA relative to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information, and the medium on which it is stored; and
  • identify the privacy obligations to which the organisation may be subject in respect of the project.

Following these steps, the guide walks through the “essence” of the exercise, which is to consider the factors that could have a positive or negative impact on an individual’s privacy. These factors include (i) compliance with applicable privacy laws, (ii) the privacy risks and consequences associated with the project, and (iii) the strategies in place to prevent and reduce these risks.

Following the CAI’s guide is not mandatory. However, the document provides helpful insight into what the CAI may expect from organisations when assessing compliance with Law 25.

3. Breach reporting and notification

Prior to Law 25, breach reporting and notification were encouraged but not required. Since September 2022, public and private sector organisations subject to Law 25 are required to report “confidentiality incidents” to the CAI and notify impacted individuals. Organisations must also keep a register of confidentiality incidents for a period of five years after discovery of an incident, and make it available to the CAI upon request.

Law 25 defines a “confidentiality incident” as any unauthorised access to, use or communication of personal information, or a loss of personal information or breach in the protection of personal information.

Organisations subject to Law 25 must report confidentiality incidents to the CAI and to impacted individuals if there is a “risk of serious injury” stemming from the incident. Factors for assessing the risk of serious injury include:

  • the sensitivity of the information involved;
  • the anticipated consequences of its use; and
  • the likelihood that such information will be used for injurious purposes.

The Regulation respecting confidentiality incidents came into force in December 2022 (Regulation), and outlines the specific requirements for organisations when reporting to the CAI, notifying affected individuals and recording the facts of the incident in the confidentiality register. Under the Regulation, the report to the CAI must be in writing through the prescribed form which is available on the CAI’s website. The notice to affected individuals should preferably be made by direct rather than indirect means and must contain the prescribed information, which largely mirrors the information required under PIPEDA and its breach notification regulations. Finally, the register of confidentiality incidents must contain the information prescribed by the Regulation, which represents a significant departure from the record-keeping requirements under PIPEDA, which does not dictate the information to be included.

A failure to report confidentiality incidents risks exposing organisations to hefty administrative penalties and penal fines. For private sector organisations, the risks include: (i) penalties of up to CAD10 million or 2% of the previous year’s worldwide turnover or (ii) penal fines of up to CAD25 million or 4% of the previous year’s worldwide turnover. Public sector organisations could face penal fines of up to CAD30,000.

What next for Law 25?

The final amendments under Law 25 come into effect on 22 September 2024, which will provide individuals with the right to portability over their personal information – ie, the right for individuals to access their information, if requested, in a structured and commonly used technological format.

III. Mandatory Breach Reporting and Privacy Programs for Public Bodies in British Columbia

Privacy changes in 2023 were not limited to the private sector, and public bodies in Canada should watch for further reform in the future.

On 1 February 2023, amendments to British Columbia’s Freedom of Information and Protection of Privacy Act (FOIPPA) were brought into force, which require public bodies in British Columbia to:

1. develop a privacy management programme; and

2. notify affected individuals and the British Columbia privacy commissioner in the event of a privacy breach.

1. Privacy management programme

A British Columbia public body’s privacy management programme must be developed in accordance with the Privacy Management Program Direction. While a privacy programme should be tailored to the volume and sensitivity of the personal information held by the public body, it must include, at minimum:

  • the designation of an individual responsible for privacy-related matters, supporting the development, implementation and maintenance of privacy policies/procedures, and supporting the public body’s compliance with FOIPPA;
  • a process for completing and documenting privacy impact assessments and information-sharing agreements;
  • a documented process for responding to privacy complaints and privacy breaches;
  • privacy awareness and education activities;
  • privacy policies and documented processes/practices available to employees and, where appropriate, the public;
  • methods to ensure that service providers are informed of their privacy obligations; and
  • a process for regularly monitoring the privacy management programme.

2. Breach reporting and notification

FOIPPA now requires public bodies in British Columbia to, “without unreasonable delay”, notify affected individuals and the British Columbia privacy commissioner of a privacy breach where the breach could reasonably be expected to result in significant harm to the individual. This language mirrors that in Canada’s private sector privacy legislation, which generally requires notification and reporting where the breach creates a “real risk of significant harm” to individuals.

Unlike in current private sector legislation, FOIPPA explicitly lists the types of significant harm that could result from a privacy breach, which include identity theft or significant bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, negative impact on a credit record, or damage to, or loss of, property. The CPPA similarly codifies these types of harms, but with an arguably lower threshold. While, under FOIPPA, “significant harm” is defined to include “identity theft or significant bodily harm, humiliation, etc.”, the same enumerated harms in the CPPA would be significant in and of themselves: “significant harm includes bodily harm, humiliation, damage to reputation or relationships, etc.” Whether this detail will have any practical implications remains to be seen.

Notably, unlike FOIPPA, British Columbia’s private sector privacy legislation (BC PIPA) does not contain mandatory breach notification or reporting obligations, despite being deemed “substantially similar” to PIPEDA. This has resulted in a legislative gap with respect to the personal information of British Columbians collected, used or disclosed by private sector organisations in British Columbia. Under the CPPA, the Governor in Council would still be entitled to exempt an organisation from the CPPA if it is subject to provincial legislation deemed to be substantially similar. While the new requirements proposed under the CPPA would no doubt shake things up across Canada in this respect, it seems unlikely that BC PIPA would meet this threshold without (at minimum) introducing similar breach reporting requirements.
