Canada is a complex patchwork of federal and provincial-level privacy laws governing the private and public sectors.

Federal Privacy Laws

There are two federal privacy laws in Canada:

• the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (PIPEDA); and
• the Privacy Act, R.S.C., 1985, c. P-21.

The Privacy Commissioner of Canada (the Commissioner) oversees both PIPEDA and the Privacy Act. Although an agent of the Parliament of Canada, the Commissioner is an independent authority leading the Office of the Privacy Commissioner of Canada (OPC).

PIPEDA applies Canada-wide, except within provinces that have enacted legislation that is deemed substantially similar to PIPEDA. Additionally, PIPEDA applies to non-Canadian organisations if they have a real and substantial connection to Canada.

In the private sector, PIPEDA governs the collection, use and disclosure of personal information in the context of commercial activities. PIPEDA’s purpose is to balance individual privacy rights with an organisation’s need to collect, use and disclose personal information in the course of their activities. PIPEDA does not apply to the personal information of employees and potential employees of private sector organisations. Regardless of the technology used to collect, use or disclose personal information, PIPEDA’s “technology neutral” nature means that it applies.

Federally regulated entities (FWUBs) are also within the purview of PIPEDA. FWUBs include airlines, banks, airports, transportation companies (both interprovincial and international), telecommunications companies, and radio and television broadcasters. PIPEDA also applies to the personal information of FWUBs’ employees and potential employees.

In addition to private sector organisations generally, PIPEDA (Schedule 4) includes a specific list of organisations that are covered under PIPEDA. Currently, the World Anti-Doping Agency is the only organisation listed in Schedule 4.

Charities and non-profit organisations engaged in a commercial activity fall within the scope of PIPEDA, for example, if they engage in selling or leasing membership lists or other fundraising lists. Otherwise, PIPEDA does not apply to charities and non-profit organisations.

The Privacy Act is a limited statute in that it only applies to government institutions and Crown corporations.

Provincial Private Sector Privacy Laws

Three provinces have private sector privacy laws considered substantially similar to PIPEDA:

• Alberta – Personal Information Protection Act, SA 2003, c P-6.5 (AB PIPA);
• British Columbia – Personal Information Protection Act, SBC 2003, c 63 (BC PIPA); and
• Québec – An Act to modernize legislative provisions regarding the protection of personal information, SQ 2021, c 25 (Québec’s Private Sector Privacy Act, recently updated with the passing of Law 25) (Law 25). See 1.7 Key Developments.

Provincial Personal Health Information Laws

The following four provincial personal health information laws are deemed substantially similar to PIPEDA:

• Ontario – Personal Health Information Protection Act, 2004, S.O. 2004, c 3, Sched. A, overseen by the Office of the Information and Privacy Commissioner of Ontario (IPC ON);
• Newfoundland and Labrador – Personal Health Information Act, SNL 2008, c P-7.01, overseen by the Office of the Information and Privacy Commissioner for Newfoundland and Labrador (OIPC NFL);
• Nova Scotia – Personal Health Information Act, SNS 2010, c 41 administered by the Information and Privacy Commissioner of Nova Scotia (IPC Nova Scotia); and
• New Brunswick – Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05, overseen by New Brunswick Office of the Ombud (NB Ombud).

The provinces and territories of Alberta, Manitoba, Saskatchewan, Yukon and the Northwest Territories have their own personal health information laws; however, they are not deemed substantially similar to PIPEDA. Nevertheless, these laws generally replace PIPEDA with respect to personal health information to the extent they impose stricter obligations on organisations handling personal health information and must therefore be complied with in their respective jurisdictions.

Provincial Public Sector Privacy Laws

Privacy and/or access to information laws applicable to provincial-level government institutions or public bodies exist in all provinces and territories.

Privacy Commissioner of Canada

At the federal level, the Privacy Commissioner of Canada is appointed by the Governor in Council under the federal Privacy Act and is an agent of Parliament, acting independently from Parliament.

Provincial Privacy Authorities

The privacy authorities at the federal and territorial level are the following:

• Office of the Information and Privacy Commissioner of Alberta (OIPC AB);
• Office of the Information and Privacy Commissioner of British Columbia (OIPC BC);
• Office of the Ombudsman Manitoba;
• Office of the Ombud for New Brunswick;
• Office of the Information and Privacy Commissioner for Newfoundland and Labrador;
• Information and Privacy Commissioner of the Northwest Territories;
• Information and Privacy Commissioner of Nova Scotia;
• Information and Privacy Commissioner of Nunavut;
• Information and Privacy Commissioner of Ontario;
• Information and Privacy Commissioner of Prince Edward Island;
• Commission d’accès à l’information du Québec (CAI);
• Information and Privacy Commissioner of Saskatchewan; and
• Ombudsman and Information and Privacy Commissioner of the Yukon.

PIPEDA

The OPC investigates complaints under PIPEDA under the following circumstances:

• where an individual files a complaint with the OPC alleging a violation; or
• where the Commissioner initiates an investigation where there are reasonable grounds upon which to open an investigation.

The OPC can decline or discontinue complaints. Reasons to do so include, but are not limited to:

• the appropriateness of jurisdiction if the complaint could be more appropriately dealt with by another procedure under Canadian law;
• the organisation has a fair and reasonable response to the complaint; or
• the matter is already subject to any ongoing investigation.

Further grounds for declining or discontinuing an investigation are listed in Section 12 of PIPEDA.

Notably, despite the Commissioner’s investigative powers, it cannot, under PIPEDA, impose administrative monetary penalties (AMPs). Instead, upon the conclusion of an investigation, the Commissioner may make recommendations in a public Report of Findings.

Appeal routes through the Federal Court of Canada are available to both investigation respondents and complainants. While the Commissioner cannot order AMPs, the courts have awarded damages for breaches of PIPEDA in some cases. However, in comparison to the penalties issued in Europe under the General Data Protection Regulation (GDPR) or in the United States under various statutes, these awards have been much smaller in scope.

Some violations of PIPEDA, such as if an organisation fails to report a privacy breach to the Commissioner or obstructs an investigation or audit, are subject to PIPEDA’s offence provisions. Under PIPEDA (as well as AB PIPA and BC PIPA), organisations that are found to be in violation of the applicable statutes may be imposed fines of up to CAD100,000.

Privacy Act

Section 29 of the Privacy Act authorises the OPC to carry out impartial investigations of complaints against federal government institutions for matters within scope of the OPC’s powers.

The complaint procedure is as follows:

• complaint is screened and triaged to an investigator; and
• investigators proceed with their investigation once they are assigned the complaint. Investigators can receive evidence, enter premises where appropriate, and examine or obtain copies of records found on any premises during an investigation.

The OPC employs a variable approach to carrying out investigations. This includes encouraging early resolution of the complaint if the facts warrant it, or expediting proceedings in the absence of issuing formal findings.

When a case is of higher complexity, the OPC will conduct an investigation and issue a Report of Findings at its conclusion, which is made public on the OPC’s website.

The OPC usually issues a set of non-binding recommendations stemming from the investigation for the purpose of assisting with achieving compliance with the Privacy Act. However, the OPC does not possess order-making powers and therefore cannot force organisations to carry out specific actions to remedy any violations.

In terms of recourse for denials of access to personal information requests, a review can be requested from the Federal Court under the Privacy Act.

Please see 1.1 Laws for how the federal privacy regime interacts with the provincial regime across Canada.

Canada participates in several international organisations related to privacy:

• Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Enforcement Arrangement (CPEA);
• Global Privacy Assembly (GPA);
• Asia Pacific Privacy Authorities (APPA);
• Association francophone des autorités de protection des données personelles (AFAPDP);
• Global Privacy Enforcement Network (GPEN);
• Organisation for Economic Co-operation and Development (OECD)’s Working Party on Security and Privacy in the Digital Economy (SPDE); and
• Commission for the Control of INTERPOL’s Files (CCF).

NGOs

The key Canadian privacy or data protection NGOs include, but are not limited to:

• Canadian Civil Liberties Association (CCLA) – an independent, national, non-governmental human rights organisation. CCLA appears before courts, before legislative committees and in classrooms, and participates in lawful protests to protect the dignity and rights of people in Canada. CCLA advocates for several rights, including advocating for privacy to be recognised as a fundamental human right.
• Public Interest Advocacy Centre (PIAC) – a national not-for-profit corporation and a federally registered charity. PIAC strives to protect consumers’ interests in regulated industries, including privacy.
• Centre for Digital Rights (CDR) – a Canadian non-partisan, not-for-profit organisation that strives to promote awareness of digital issues related to the data-driven economy by (i) advancing the public’s understanding of their rights, (ii) raising policymakers’ understanding of advanced technology, and (iii) promoting best practices, laws and regulations that protect both the civic values and the rights of individuals in the 21st century economy, driven by the mass collection, use and disclosure of data.
• Digital Governance Council (formerly the CIO Strategy Council) – a not-for-profit organisation that works to build Canadians’ trust in digital economy by collaboratively identifying, prioritising and responding to digital governance opportunities and challenges.
• The Citizen Lab – an interdisciplinary laboratory created by the University of Toronto that focuses on research, development, and strategic policy and legal engagement at the intersection of information and communication technologies, human rights and global security.
• Canadian Internet Policy and Public Interest Clinic (CIPPIC) – a public-interest technology law clinic based at the University of Ottawa which works to advance the public interest on privacy and technology issues, such as copyright, telecommunications policy, electronic surveillance and open information.

Self-Regulatory Organisations

Some of the key Canadian industry self-regulatory organisations and trade associations include the following:

• Digital Advertising Alliance of Canada (DAAC) – an alliance of industry associations responsible for administering AdChoices, a programme to provide notice, transparency and accountability from the advertising sector to online consumers. AdChoices allows Canadians to opt out of “interest-based advertising” and requires participants to hold themselves to specific standards.
• Ad Standards – an independent national non-profit advertising self-regulatory organisation. Ad Standards administers the Canadian Code of Advertising Standards, which sets the criteria for acceptable advertising in Canada. Ad Standards oversees the compliance of participants in the DAAC’s AdChoices Program. Ad Standards reviews participating companies’ online interest-based advertising practices, ensuring they meet the requirements set out in the DAAC’s Canadian Self-Regulatory Principles for Interest-Based Advertising (revised October 2022). As an independent compliance partner, Ad Standards audits compliance and accepts complaints from the public about potential violations of the DAAC Principles under the AdChoices Accountability Program.
• Interactive Advertising Bureau of Canada (IAB Canada) – a national trade association dedicated exclusively to the development and promotion of the digital marketing and advertising sector in Canada. As a not-for-profit association, IAB Canada represents over 250 of Canada’s advertisers, ad agencies, media companies, service providers, educational institutions and government associations.
• Canadian Marketing Association (CMA) – a community-based industry association that encourages its members to comply with the Canadian Marketing Code of Ethics and Standards and other best practices and guidance for marketers. CMA advocates for legislation and regulations, at both the federal and provincial levels, to protect consumer rights in Canada through submissions developed by the CMA’s Privacy and Data Committee.
• Canadian Anonymization Network (CANON) – an organisation whose objectives include advocating for legislative and policy standards for effective anonymisation that allow for innovative and beneficial uses of data, while accounting for protections against foreseeable privacy risks.

Québec (under Law 25) and Ontario (under the Personal Health Information Protection Act (PHIPA)) are currently the only provinces with legislation that empowers privacy commissioners to impose AMPs.

With privacy law reform on the horizon, the limited AMP powers are likely to change. For example, if Bill C-27 is enacted, the OPC will have powers to impose significant AMPs. That said, the status quo around AMPs sets Canada apart from its G7 counterparts with respect to enforcement consequences.

Notwithstanding the relative lack of enforcement consequences, Canadian privacy commissioners are known to act jointly pursuant to an ombuds model, where the commissioners can make practical recommendations for privacy compliance. Overall, it would appear that the model is effective given that organisations are more amenable to adhering to such recommendations as opposed to being subject to an action in the Federal Court.

As noted in 1.4 Multilateral and Subnational Issues, both Canada’s federal and provincial regimes govern the area of privacy, and the application of one law does not necessarily preclude the other, depending on the particular circumstances.

Canada’s privacy law reform efforts are significant, with increased activity in recent years, for example:

• the Federal Government tabled Bill C-27, which introduced a new federal privacy law (which, if enacted, will replace PIPEDA), a privacy tribunal, and a framework for regulating artificial intelligence (AI). Bill C-27 completed second reading in the House of Commons on 24 April 2023, and is currently being reviewed by the Standing Committee on Industry and Technology;
• Québec passed Law 25 (formerly referred to as Bill 64), strengthening privacy protection and increasing compliance obligations within Québec. In September 2023, the majority of Law 25’s reforms came into effect, with some parts of the statute expected to come into force in September 2024;
• the privacy tort of intrusion upon seclusion has been limited in “database defendant” class actions involving data breaches by third-party hackers;
• the Federal Government tabled Bill C-26, which, among other things, aims to prevent cybersecurity incidents. Bill C-26 has finished second reading in the House of Commons and is currently being reviewed by the Standing Committee on Public Safety and National Security; and
• provincial privacy law reform initiatives in Ontario, British Columbia and Alberta are ongoing, with some implementations – see 1.8 Significant Pending Changes, Hot Topics and Issues (Provincial-Level Privacy Law Reform).

Bill C-27

Bill C-27, also known as the Digital Charter Implementation Act, was tabled on 16 June 2022. If enacted, the legislation would:

• replace the PIPEDA with the Consumer Privacy Protection Act (CPPA);
• introduce the Data Protection Tribunal Act (DPTA); and
• introduce the Artificial Intelligence Data Act (AIDA).

Bill C-27 would repeal Part 1 of PIPEDA and change its short title to the Electronic Documents Act.

Consumer Privacy Protection Act (CPPA)

If enacted, the CPPA will replace PIPEDA and will contain the following notable differences:

• AMPs of up to CAD10 million or 3% of an organisation’s gross global revenue for certain privacy contraventions;
• fines of up to CAD25 million or 5% of an organisation’s gross global revenue for offences;
• requiring all organisations to implement and maintain a privacy management programme, including policies, practices and procedures put in place to fulfil the obligations of the CPPA. The CPPA would also allow the Privacy Commissioner to request access to an organisation’s privacy management programme and recommend corrective measures;
• deeming personal information relating to minors as sensitive;
• bringing de-identified personal information within the scope of the CPPA and prohibiting re-identification;
• explicitly stating that it does not apply to personal information that has been anonymised;
• new and updated consent requirements – making express consent the default form of consent and significantly limiting the ability to rely on implied consent in the context of business activities;
• clarification of service provider obligations with respect to privacy law;
• ability for organisations and entities to establish codes of practice and certification programmes;
• allowing individuals to request that their personal information be disclosed directly to other organisations under Data Mobility Frameworks subject to regulations;
• a private right of action for individuals affected by certain violations of the CPPA;
• permitted disclosure of data without consent for public-interest purposes, such as “socially beneficial purposes”, and statistics, study or research under certain circumstances;
• requiring the de-identification of personal information shared in prospective business transactions except if the de-identification would undermine the objectives for carrying out the transaction;
• giving the Commissioner new order-making powers and the ability to conduct an Inquiry; and
• increasing openness and transparency requirements, including with respect to the use of any automated decision systems used to make predictions, recommendations or decisions about individuals that could have a significant impact on them.

Data Protection Tribunal Act (DPTA)

The DPTA would establish the federal Personal Information and Data Protection Tribunal (the Tribunal).

The Tribunal would be made of three to six members, with at least three with experience in information and privacy law.

The functions of the Tribunal would include:

• hearing appeals of certain findings, orders or decisions made by the Commissioner; and
• imposing AMPs on organisations of up to CAD10 million or 3% of the organisation’s gross global revenue in the financial year before the one in which the penalty is imposed, whichever is higher.

Tribunal decisions would be final and binding, except for judicial review under the Federal Courts Act, RSC 1985, c F-7, and would not be subject to appeal or review by any court.

Artificial Intelligence and Data Act (AIDA)

If enacted, the AIDA would regulate AI systems in the private sector. The AIDA’s purpose would be to determine common requirements for the design, development and use of AI systems and to prohibit ADS conduct that could result in serious harm to individuals. The AIDA’s aim would be to establish measures that mitigate the risk of harm or biased output against the use of high-impact systems, and impose AI system monitoring, communication, notification and record-keeping requirements. As it stands, the details of how the AIDA would be administered would be informed by its regulations.

The Minister of Innovation, Science and Economic Development would be responsible for the AIDA’s administration. This Minister would have the authority to audit and issue orders. AMPs to be established by regulations would accompany violations, and fines of up to CAD25 million or 5% of an organisation’s gross global revenues in the preceding financial year for certain offences might be imposed.

The AIDA would also establish an “Artificial Intelligence and Data Commissioner” to support the Minister in the administration and enforcement of the AIDA.

Law 25

Québec passed Law 25 (An Act to modernise legislative provisions as regards the protection of personal information, SQ 2021, c 25) in 2021, which was formerly known as “Bill 64”. It is commonly recognised as being one of the strictest privacy regimes in Canada. Law 25 brought about a significant overhaul of Québec’s previous privacy framework, by the way in which it strengthened privacy protection through increasing compliance obligations within Québec.

The first provisions of Law 25 came into force on 22 September 2022, and most of the remaining provisions of Law 25 came into force on 22 September 2023. The new right to portability is set to come into force in September 2024.

Law 25 reformed and amended Québec’s pre-existing privacy statutes, including Québec’s Private Sector Act (the Act respecting the protection of personal information in the private sector, CQLR c P-39.1) and Québec’s Public Sector Act (Act respecting access to documents held by public bodies and the protection of personal information, CQLR c A-2.1).

Some of the more notable provisions of Law 25 include: significant AMPs for violations; increased requirements to conduct privacy impact assessments; new consent exceptions; mandatory confidentiality incident (ie, privacy breach) reporting; increased accountability and data retention obligations; and requirements for cross-border data transfers, personal information anonymisation, data portability, de-indexing, automated decision-making and biometric data.

The following Law 25 provisions came into effect in 2022:

• requirement to designate a person in charge of privacy compliance – this would be the individual with the highest authority in an organisation (for example, the chief executive officer) who can delegate in writing all or part of the role to any person;
• new consent exceptions, such as allowing disclosures of personal information in the context of business transactions without prior consent, or the communication of personal information for statistical, study or research purposes if an assessment indicates that certain privacy-related conditions are met;
• the notion of “confidentiality incident”, similar to a privacy breach under PIPEDA, which Law 25 defines as:
1. unauthorised access to personal information;
2. unauthorised use or communication of personal information; or
3. a loss of personal information or any other breach in the protection of such information.

Law 25 makes it mandatory to report confidentiality incidents to the CAI and the impacted individual if there is a “risk of serious injury” stemming from the incident. Factors for assessing the risk of injury are similar to those used to assess “risk of harm” under PIPEDA, and include:

• the sensitivity of the information involved;
• the anticipated consequences of its use; and
• the likelihood that such information will be used for injurious purposes.

Additionally, organisations must maintain a register of confidentiality incidents, which must be produced for the CAI upon request.

In December 2022, the Regulation respecting confidentiality incidents (A-2.1, r. 3.1)came into force, which outlines the rules for reporting confidentiality incidents to the CAI. The CAI has also issued guidance documents on its website, including a form to be used for confidentiality incident reporting.

The following Law 25 provisions came into effect in 2023:

• sanctions for non-compliance;
• privacy framework and transparency requirements;
• requirement to conduct Privacy Impact Assessments (PIAs) in certain circumstances;
• privacy by default and design;
• rights for de-indexation;
• updated consent requirements;
• cross-border transfers of personal information;
• new rules for the secondary uses of personal information;
• stringent retention and destruction rules for personal information;
• new rules regarding automated decisions made using an individual’s personal information; and
• new rules for business contract information.

The right to data portability will come into force in September 2024.

Anonymisation of personal information

On 20 December 2023, a draft Regulation respecting the anonymisation of personal information was published in the Gazette Official du Québec. The aim of the Regulation is to protect individuals by requiring that personal information is anonymised through a “rigorous process that will significantly reduce the re-identification risks associated with anonymization”.

Restricted Scope of Intrusion Upon Seclusion (“Database Defendants”)

The Court of Appeal of Ontario decided a set of cases in 2022 establishing that database holders who suffered a cyber-attack by unauthorised external actors are not liable for the tort of intrusion upon seclusion. The reasoning noted that database holders may still be liable for breach of contract, breach of confidence and negligence, requiring proof of actual damage, instead of the symbolic/moral damages available for intrusion upon seclusion. The Court of Appeal of Ontario upheld the limited scope of the tort of intrusion upon seclusion in a recent decision rendered in January 2024.

The tort of intrusion upon seclusion continues to remain available where the unauthorised access resulted from the actions of internal actors (ie, a company’s employees), in instances where the plaintiff succeeds in establishing, among other things, that a database holder behaved in an offensive manner that resulted in distress, humiliation or anguish to a reasonable person. 

Bill C-26 – An Act Respecting Cybersecurity

In 2022, the federal government tabled Bill C-26, which would enact the Critical Cyber Systems Protection Act (CCSPA). The Standing Committee on Public Safety and National Security began its review of the CCSPA on 1 February 2024. In order to be enacted, Bill C-26 must complete the current Committee review, and pass its third reading in the House of Commons and three readings in the Senate.

The CCSPA would impose obligations related to cybersecurity on private sector entities in the following federally regulated sectors: telecommunications, finance, energy and transportation.

If passed, Bill C-26 would impose five key cybersecurity obligations on designated operators:

• implementation of cybersecurity programmes;
• identification of cybersecurity risks in their supply chain or through third-party products and services;
• reporting of cybersecurity incidents;
• complying with measures outlined in directions from the Governor in Council with respect to protecting critical cyber systems; and
• keeping records, within Canada, with respect to how cybersecurity programmes were implemented, as well as reports of any cybersecurity incidents.

Bill C-26 would also impact the Telecommunications Act with respect to cybersecurity. The changes could prohibit a telecommunications service provider from using all products and services if it is necessary to secure the Canadian telecommunications system, in certain circumstances.

Finally, Bill C-26 contains AMPs for violations, with a penalty of up to CAD1 million in the case of an individual and up to CAD15 million in any other case.

The most significant pending changes are described above, in 1.7 Key Developments. There are two further significant pending changes.

Provincial-Level Privacy Law Reform

British Columbia, Alberta and Ontario have hinted at impending private sector privacy law reform.

In British Columbia, a Special Committee was appointed to review BC PIPA. The Committee made recommendations to the British Columbian legislature with respect to amending and strengthening BC PIPA. Since 1 February 2023, public bodies in British Columbia are subject to mandatory data breach reporting requirements and are required to implement privacy management programmes. There are no mandatory breach reporting obligations in British Columbia that apply to private sector organisations.

Ontario does not presently have its own private sector privacy legislation. In 2020, the province held a public consultation on modernising privacy in Ontario with the intent to establish a comprehensive provincial privacy regime. However, no such privacy regime legislation has been tabled.

Reform of the Privacy Act

Consultations led by Justice Canada were held on modernising the Privacy Act in 2021, which resulted in a report demonstrating appetite for reform. The goals outlined in the report include using technology to modernise government processes and granting the OPC a larger and more proactive and educational mandate for effective support and oversight, while balancing individuals’ expectations of privacy and data protection laws in other jurisdictions.

In 2022, Justice Canada invited Indigenous partners to provide input on modernising the Privacy Act, building on the 2021 report. The latest report following Justice Canada’s engagement with Indigenous partners included emphasising the importance of aligning the Privacy Act with the United Nations’ Declaration on the Rights of Indigenous Peoples and that decisions about Indigenous peoples’ personal information should be made in partnership with the Government of Canada and those representing the interest of Indigenous peoples.

PIPEDA Requirements

PIPEDA is based on the following fair information principles:

1. accountability;

2. identifying purposes;

3. consent;

4. limiting collection;

5. limiting use, disclosure and retention;

6. accuracy;

7. safeguards;

8. openness;

9. access; and

10. challenging compliance.

Principle 1 – accountability

Organisations must:

• designate persons responsible for privacy law compliance;
• ensure a comparable level of protection is applied to personal information that is transferred to third parties for processing, for example, through contractual or other means; and
• institute privacy policies and procedures, including measures and procedures to protect personal information, providing training to employees, and outlining the process for responding to complaints or inquiries.

Principle 2 – identifying purposes

PIPEDA mandates organisations to record the purposes for which personal information is collected. The purposes should be specified at or before the time of collection. If a new purpose is identified, fresh consent will be required.

Principle 3 – consent

Valid consent is consent that would be understood by a reasonable individual who is subject to the organisation’s activities, and would comprehend the nature, purpose and consequences of the collection, use or disclosure of the personal information for which consent is being obtained.

The OPC, OIPC BC and OIPC AB have provided joint Guidelines for Obtaining Meaningful Consent, which outline the principles of meaningful consent, the suitable form of consent, and consent in the context of minors.

PIPEDA is a consent-based model, requiring valid consent for the collection, use and disclosure of personal information, unless a limited exception applies.

Principle 4 – limiting collection

PIPEDA limits the collection of personal information to what is necessary to fulfil the identified purposes. PIPEDA does not allow indiscriminate purposes for collecting personal information and mandates that personal information can only be collected through fair and lawful means.

Principle 5 – limiting use, disclosure and retention

PIPEDA imposes several obligations on organisations with respect to this principle, including:

• organisations must develop guidelines and implement procedures for the retention of personal information and include minimum and maximum retention periods;
• organisations must destroy, erase or anonymise personal information that is no longer required to fulfil an identified purpose; and
• organisations may only retain personal information used to make a decision about an individual for as long as the individual can access it after the decision has been made.

Principle 6 – accuracy

PIPEDA requires that personal information be accurate, complete and up to date, to minimise the possibility that incorrect or otherwise inappropriate information may be used to make a decision about an individual. However, PIPEDA does not allow routine updating, unless this process is necessary to fulfil the purposes for which the information was collected.

Principle 7 – safeguards

Organisations must:

• secure personal information against loss or theft, unauthorised access, disclosure, copying, use or modification;
• protect personal information with safeguards responsive to the sensitivity of the information, meaning that more sensitive information requires a higher level of protection; and
• ensure employees are aware of the importance of maintaining the confidentiality of personal information.

Organisations should also implement physical, organisational and technological safeguards.

Principle 8 – openness

PIPEDA requires organisations to be transparent about their privacy practices, policies and procedures, for example:

• ensuring individuals understand and know how to access information about the organisation’s privacy policies and practices;
• providing the name or title and address of the person responsible for the organisation’s privacy policies and practices; and
• publicising the process for access to personal information held by the organisation, as well as the contact person for complaints or enquiries.

Principle 9 – access

Individuals have a right to be informed of, and to access, the personal information held by organisations about them.

Individuals also have the right to challenge the accuracy and completeness of the personal information held, and the right to amend the information as appropriate (with exceptions). If requested, organisations must provide an account of the third parties with whom personal information was shared. PIPEDA also states that access must be provided for free or at a minimal fee, within a reasonable time.

There are also provisions in PIPEDA (Sections 8 and 9) beyond the principles concerning access pertaining to time limits, costs, and exceptions to access.

Principle 10 – challenging compliance

Organisations must have procedures in place to receive and process complaints or enquiries from individuals about their personal information and how this personal information is handled. PIPEDA requires that all complaints are investigated and, if a complaint is justified, the organisation is required to adopt appropriate measures to address the situation.

Other Requirements

Supplementing the fair information principles are compliance requirements found in the body of PIPEDA:

• Section 5(3) contains requirements for the collection, use or disclosure of personal information to be for an appropriate purpose, namely, one that a reasonable person would consider appropriate in the circumstances.
• PIPEDA has mandatory breach reporting to both individuals and the OPC where there is a real risk of significant harm to individuals (RROSH); it also requires organisations to keep records of all breaches that the Commissioner is authorised to inspect, and not just RROSH breaches. PIPEDA makes it an offence to knowingly contravene the requirements to:
1. report a breach to the Commissioner that creates a real risk of significant harm to individuals; or
2. keep and maintain a record of every breach of security safeguards involving personal information under an organisation’s control.

PIPEDA also includes anti-spam provisions targeting email address harvesting, such as prohibiting the use of computer programs to collect email addresses and the subsequent use of such email addresses collected by the programs. PIPEDA also prohibits illicit access of another person’s computer systems to collect personal information, for example, through spyware.

De-identified Information

PIPEDA does not explicitly address personal information that has been de-identified. However, if enacted, Bill C-27 will define and regulate de-identified personal information (see 1.7 Key Developments).

Sensitive Information

PIPEDA does not define sensitive information. However, sensitivity overlaps with the consent and safeguarding principles, and factors into whether a breach meets the RROSH test. The OPC has also released an Interpretation Bulletin on Sensitive Information.

Some personal information can be sensitive, such as health or financial information, but sensitivity can be context-dependent, for example, if the combination of personal information with other information makes the personal information sensitive.

Sensitive information can include information such as a person’s sexual orientation, ethnic and racial origins, children’s information, religious information, political affiliations, genetic and biometric data, drug and alcohol references, and/or information affecting a person’s reputation.

Québec’s Law 25 provides examples of sensitive personal information such as medical, biometric or intimate information. As noted above, information can also be sensitive depending on the context of its use.

Children

While PIPEDA does not have specific provisions applicable to minors, Principle 3 states that “seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated”.

In light of the above, the OPC has interpreted and enforced PIPEDA to protect the privacy of children. For example, the OPC has guidance stating that information related to children will be considered “particularly sensitive”. The OPC also operates under the general rule that meaningful consent cannot be obtained from children under the age of 13. If enacted, Bill C-27 will categorise personal information of minors as sensitive (see 1.7 Key Developments).

In October 2023, the OPC issued two guidance documents in support of its joint resolution aimed at strengthening privacy protection for young people.

Additionally, Law 25 mandates parental consent for processing the information of children (defined as being under the age of 14), unless the processing of information is explicitly for the child’s benefit.

In August 2022, the CAI issued a report on children’s privacy, titled ‘Ensuring a Better Protection for Young People’s Personal Information in the Digital Age’. The report found that children warrant additional protective measures beyond those included in Law 25, to better protect them.

Right to Be Forgotten

PIPEDA gives individuals the right to withdraw consent, the right to access their personal information, and the right to ensure their information is accurate, complete and up to date. In 2021, a Federal Court Reference decision found that PIPEDA applied to Google’s search engine. Google appealed the decision to the Federal Court of Appeal in 2023, which upheld the Federal Court’s decision.

Financial Information

In 2022, the Office of the Superintendent of Financial Institutions (OSFI) issued guidelines pertaining to technology and cyber-risk management by federally regulated financial institutions. The guidelines outlined obligations for cyber-governance and risk management with the aim of enhancing cybersecurity. The guidelines came into force in January 2024.

In 2023, OSFI released two draft guidelines for consultations building on the previous year’s guidelines.

Federal banking legislation contains provisions for regulating personal financial data, and certain provincial consumer credit reporting laws also contain compliance obligations with respect to personal information.

Canada’s Anti-Spam Legislation

Canada’s Anti-Spam Legislation (CASL) prohibits the distribution of commercial electronic messages (CEMs), such as emails, without consent. CASL requires CEMs to meet identification and unsubscribe requirements. CASL also targets more nefarious conduct, such as malware, viruses, spyware and botnets resulting when certain computer programs are installed without consent or through altering transmission data. CASL also provides that consent is required in order to install tracking tools such as cookies.

Telemarketing

The Canadian Radio-television and Telecommunications Commission (CRTC) administers telemarketing rules that telemarketers may be caught by, such as:

• requirements for telemarketers to register with the national do-not-call list;
• explicit requirements for calls made with automatic dialling-announcing devices;
• record-keeping obligations; and
• specific registration requirements for telephone calls during an election period.

In terms of enforcement, the CRTC has broad enforcement powers, such as the power to execute regulatory inspections, issue orders, compel the disclosure of information, and impose AMPs of up to CAD5,000 under the Telecommunications Act and up to CAD10 million under CASL.

Online Behavioural Advertising

The OPC has guidance and a policy position on online behavioural advertising (OBA) (also known as interest-based advertising/personalised advertising). This guidance notes that relying on opt-out consent for OBA requires:

• the personal information not be sensitive;
• the purpose of consent be outlined in a way that is clear, understandable and obvious;
• the opt-out be readily available, ideally at the time of collection, be persistent and take effect immediately; and
• the tracking of children be avoided.

Additionally, the DAAC released self-regulatory principles for OBA, which include transparency, consumer control, data security, sensitive data, education and accountability (see 1.5 Major NGOs and Self-Regulatory Organisations for a description of the DAAC). In October 2022, the DAAC refreshed these principles and officially adopted the term “interest-based advertising” instead of “online behavioural advertising”.

Ontario Employee Electronic Monitoring Policy

In 2023, Ontario’sElectronic Monitoring Policy came into effect, which requires employers with over 25 employees to have a written policy on the electronic monitoring of their employees. The policy must contain:

• a description of the monitoring;
• the purposes behind the monitoring; and
• how employees are electronically monitored.

This policy must be provided to all employees for review.

It is important to note that these changes stem from the Employment Standards Act, 2000, S.O. 2000, c. 41 (ESA), as opposed to privacy legislation, and do not introduce any new privacy rights for individuals and do not provide for enforcement mechanisms for non-compliance.

Employee Privacy Rights Afforded Under Privacy Statutes

PIPEDA extends privacy protections to employees of federally regulated organisations and FWUBs. Employees working for private sector organisations are generally not protected under PIPEDA. However, BC PIPA, AB PIPA and Québec’s Law 25 include employee privacy rights.

Whistle-Blowing

PIPEDA contains “whistle-blowing” provisions, and allows the OPC to be the recipient of information from a whistle-blower. The OPC is also required to keep the identity of the whistle-blower confidential.

Employee Privacy in the Courts

In a seminal 2022 decision, Elementary Teachers Federation of Ontario v York Region District School Board, 2022 ONCA 476, the Court of Appeal for Ontario upheld employees’ reasonable expectation of privacy in the workplace and found that they are protected from unreasonable search and seizure under Section 8 of the Canadian Charter of Rights and Freedoms. The issue in this case was whether private password-protected teacher communications were subject to a reasonable expectation of privacy, even if they were accessed through a web browser on a workplace computer but not saved on any workplace network. On 18 October 2023, the Supreme Court of Canada heard arguments in this case; however, as of February 2024, the decision has yet to be rendered.

Remedies and penalties for non-compliance with privacy legislation may include administrative remedies, private litigation and criminal penalties. See 1.3 Administration and Enforcement Process.

Recent Updates

As of 1 January 2024, the IPC ON can issue AMPs for non-compliance with PHIPA or its regulations. The AMPs range from a maximum of CAD50,000 for a natural person to CAD500,000 for organisations. The IPC also has the discretion to issue AMPs over the maximum amounts in cases involving economic gain.

Additionally, the OPC announced public consultations on draft guidance documents on the use of biometric data, which closed on 16 February 2024.

Leading Regulatory Enforcement Cases

Investigation into ChatGPT

The OIPC BC, OIPC AB and CAI joined the OPC in launching a formal investigation into OpenAI, the company behind ChatGPT. While the investigation is under way, the privacy authorities are investigating whether OpenAI obtained valid and meaningful consent of individuals based in Canada through ChatGPT, whether OpenAI respected its obligations with respect to openness, transparency, access, accuracy and accountability, and whether it has collected, used and/or disclosed personal information for purposes that would be considered reasonable or legitimate and whether this collection is limited to information that is necessary for these purposes.

Investigation into Agronomy’s privacy practices related to safeguards, accountability and valid consent for the collection and use of personal information

Agronomy Company of Canada Ltd. (Agronomy) experienced a privacy breach resulting in the compromise of 845 individuals’ information. Agronomy initially did not know of the breach and refused to pay a ransom to the threat actor when one was requested. As a result, the compromised information was published on the dark web and the OPC found that Agronomy breached its obligations under PIPEDA by having inadequate safeguards in place and failing to take accountability.

Investigation into Home Depot’s use of Meta’s offline conversions tool

The OPC noted that Home Depot, the American company, failed to obtain meaningful consent from its customers when it disclosed their non-sensitive information. The impacted customers were those who opted to receive e-receipts with Meta for online marketing. Despite the information being non-sensitive, the OPC found opt-in consent was not present pursuant to PIPEDA and this consent is required because customers do not typically expect to have their transaction information shared with Meta.

Investigation into the TikTok app

In February 2023, four Canadian privacy offices announced a joint investigation into the application TikTok. As of February 2024, the investigation is ongoing and will include an analysis of the company’s privacy compliance and how TikTok’s privacy procedures interact with younger users of the platform.

Investigation into the Tim Hortons app

A joint investigation by the OPC, OIPC BC, OIPC AB and CAI found that the Tim Hortons app permissions with respect to collecting its users’ location while the app was in use was in violation of Canadian privacy laws. Additionally, the privacy regulators found that Tim Hortons did not have adequate protections in place for personal information and also failed to take appropriate accountability. The privacy regulators recommended that Tim Hortons develop a privacy management programme to ensure that any future collection is necessary and proportional to its use.

Private Litigation

Private litigation is another avenue for individuals to bring actions against organisations that breach statutes. While PIPEDA does not include a private right of action, non-compliance with PIPEDA can result in claims under contract law, as well as under torts such as negligence, breach of contract, and privacy torts. Ontario recognises four privacy torts:

• intrusion upon seclusion;
• public disclosure of embarrassing private facts;
• appropriation of a person’s name or likeness; and
• publicity placing a person in a false light.

Privacy class actions are a common type of action in Canada. The threshold for certification of class actions is fairly low, but Canadian courts have been known to impose limits to avoid a floodgate of class actions.

For example, in 2022, the Court of Appeal for Ontario denied certification on a series of “database defendant” class actions and found that organisations are not liable for the tort of intrusion upon seclusion when a database is breached by external actors such as hackers.

On the other hand, the Federal Court certified a class action against the government of Canada stemming from a cybersecurity attack by hackers into a government database in the context of a negligence claim.

With respect to merit decisions, a 2021 Québec Court of Appeal case upheld a merits decision that dismissed a privacy class action noting that plaintiffs need to establish a causal link between a privacy breach and resulting incidents of fraud and theft. This case is currently being appealed to the Supreme Court of Canada.

Otherwise, most decisions on the merits in privacy class actions tend to end in settlement with a low level of per person compensation.

Law enforcement and national security agencies are permitted to use lawful access technologies to support their investigation of serious crimes, such as child pornography, human trafficking, money laundering, murder and national security threats.

Technologies that intercept communications can be accessed by law enforcement for investigating serious crimes, and law enforcement can seize any computer data through these means. However, these investigative techniques are limited by a warrant issued by a judge in specific circumstances, for example, under the Criminal Code, RSC 1985, c C-46.

Law enforcement access is also limited and subject to the Canadian Charter of Rights and Freedoms.

Canada has numerous laws with respect to government access to data for intelligence, anti-terrorism or other national security purposes, including the Security of Canada Information Disclosure Act (SCIDA), the Criminal Code, the Canadian Security Intelligence Service Act (the CSIS Act), and other laws involving a national security mandate or responsibility.

The application of these laws is subject to the Canadian Charter of Rights and Freedoms and the federal Privacy Act. Warrants, for example, may require independent judicial approval in the absence of any exigent circumstances. Additionally, SCIDA contains a framework for how information is shared between federal departments for national security purposes. SCIDA has oversight in the form of the National Security and Intelligence Review Agency, established in 2019, which reviews information shared under SCIDA and the government of Canada’s national security and intelligence activities.

PIPEDA, under exceptions to consent, allows organisations to disclose personal information without the knowledge or consent of the individual if the disclosure is to a government institution or part of a government institution whose request is lawful, identifies the lawful authority to obtain the information, and connects the applicable information to national security, the defence of Canada, or the conduct of international affairs. Similarly, a request by law enforcement to disclose information on a voluntary basis will likely not be adequate and a lawful authority would be required.

Additionally, in 2022, the United States and Canada formally announced bilateral negotiations on the US Clarifying Lawful Overseas Use of Data (CLOUD) Act, targeting access to electronic information for investigating serious crimes.

In December 2023, the OPC, OIPC BC, OIPC AB and CAI jointly released the Principles for responsible, trustworthy and privacy-protective generative AI technologies. These principles are not binding but signal the direction that future policy and regulation of AI may take in Canada.

The nine principles apply to both public and private sector organisations and were developed to align with public and private sector privacy laws. The principles lay out how key privacy principles apply when developing, providing or using generative AI models, tools, products and services.

In February 2024, the House of Commons Standing Committee on Access to Information, Privacy and Ethics initiated a study on the federal government’s use of technological tools capable of extracting personal data from mobile devices and computers. The Commissioner appeared before the Committee to take part in the study. The Commissioner’s remarks noted the importance of ensuring that government institutions carefully consider and assess the privacy implications of their activities to determine if and when PIAs are required.

In November 2022, the House of Commons Standing Committee on Information, Privacy and Ethics issued a report on its study of device investigation tools used by the Royal Canadian Mounted Police (RCMP). The study examined spyware and technology-based investigative tools utilised by the RCMP in its investigations.

The report’s purpose was to examine the benefits and risks of using investigative tools and how the federal government could better regulate the use of such tools in Canada. The report offered nine recommendations, one of which was to amend the federal Privacy Act to include an explicit obligation on the part of government institutions to conduct PIAs before resorting to high-risk technological tools that collect personal information.

Finally, Canadian privacy commissioners have issued joint guidance for police agencies on using facial recognition technology, noting deficiencies in the current legislative scheme, to adequately address the concerns associated with such technology.

PIPEDA

PIPEDA does not prohibit the transfer of personal information across borders. However, any transfers of personal information outside of Canada must provide a comparable level of protection to PIPEDA. OPC guidance also states that individuals must be provided with notice of cross-border data transfers, and that organisations should disclose that personal information could be subject to the laws of a foreign jurisdiction.

The OPC has the authority to investigate complaints related to transfers of personal information and conduct audits on an organisation’s process with respect to dealing with personal information.

Alberta

AB PIPA does not restrict transfers of personal information outside Canada for processing. Under AB PIPA, the transferring organisation is required to indicate the country to which the information will be transferred and the purposes for which the information may be used.

Organisations are required to notify individuals in writing or orally and must provide details on how individuals can access the policies and practices of the service provider, and must provide contact information for someone at the organisation who can respond to questions related to the service provider.

British Columbia

BC PIPA only applies to personal information collected, used or disclosed within British Columbia. PIPEDA applies to personal information that is being transferred outside of British Columbia, whether to another province or outside of Canada.

Under British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA), public bodies are permitted to store and access personal information outside of Canada. There are additional requirements for sensitive personal information, discussed in more detail below.

Québec

Under the amendments brought to Québec’s Private Sector Privacy Act by Law 25, organisations transferring personal information outside Québec must first conduct a PIA that takes into account: (i) the sensitivity of the information, (ii) the purposes for which the information will be used, (iii) the protection measures (including contractual provisions) that will apply, and (iv) the privacy laws of the jurisdiction which receives the information.

Organisations are also required to inform individuals that their personal information may be transferred outside of Québec.

Finally, any risks identified in the PIA should be mitigated by contractual clauses with the receiving organisation.

PIPEDA

PIPEDA permits the use of any mechanism that ensures a comparable level of protection. However, the OPC encourages transferring organisations to implement privacy protections through written contracts. Among other things, contractual provisions should require third parties to have policies in place to protect personal information (eg, training staff and having effective security measures), and allow transferring organisations to audit the third party’s handling and storing of personal information.

Organisations must give individuals notice of any potential transfer of their personal information outside of Canada, but their consent to the transfer is not required.

G7 DPAs Action Plan

Canada, as part of the G7 Data Protection and Privacy Authorities’ (DPAs) Roundtable, endorsed an action plan that established three pillars: data free flow with trust, emerging technologies, and enforcement cooperation. The commitments of the DPAs’ action plan include, among other things, developing data free flow with trust, improving and collaborating on transfer tools, developing and using emerging technologies while reinforcing trust and respecting privacy, and increasing dialogue and supporting enforcement cooperation activities.

APEC

Canada participates in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (CBPR) system, which is designed to streamline the transfer of data between member countries. The CBPR system requires that participating countries have enforceable standards, accountability, risk-based protections, consumer-friendly complaint handling, consumer empowerment and consistent protections. The CBPR also provides regulatory authorities with the ability to co-operatively enforce the requirements of the system.

There are generally no requirements to notify government or obtain approval to transfer data internationally.

Private Sector

As noted in section 4.1 Restrictions on International Data Issues, Canadian private sector privacy legislation generally does not impose any data localisation requirements, but does require consent from, and/or notification to, the individuals whose personal information will be transferred outside of Canada or Québec.

Public Bodies

Under British Columbia’s FIPPA, organisations are permitted to store and access personal information outside of Canada. For sensitive personal information, FIPPA requires that a PIA with a satisfactory risk assessment be conducted prior to transfers outside of Canada. This involves considering factors that increase the risk of the unauthorised collection, use and disclosure of sensitive personal information, and risk mitigation strategies that are proportionate to the risk.

Public bodies under Nova Scotia’s Personal Information International Disclosure Protection Act (PIIDPA) are generally prohibited from disclosing, storing or allowing information to be accessed from locations outside of Canada unless the head of a public body determines that the foreign storage, access or disclosure meets the necessary requirements. PIIDPA also allows the disclosure of information outside of Canada in the context of law enforcement agreements, treaties, debt collection, dangerous situations or certain research purposes.

CRA

The Canada Revenue Agency (CRA) requires that records are generally kept at a place of business or residence in Canada, and must be made available to the CRA for audit upon request. The CRA does not consider records that are kept outside of Canada and accessed electronically from Canada to be records in Canada. However, the CRA may accept copies of records maintained electronically outside of Canada if the records are made available in Canada in an electronically readable and usable format with adequate details for tax filing.

USMCA

The United States-Mexico-Canada Agreement (USMCA), which replaced the North American Free Trade Agreement (NAFTA) in 2020, contains new requirements for data localization. The USMCA includes a chapter on the digital economy, which was not contemplated by NAFTA, originally signed in 1994.

The USMCA prohibits organisations from requiring, as a condition of doing business, that computing facilities be used or located in their local jurisdiction. In addition, the USMCA provides that foreign financial institutions are not required to maintain computing facilities in Canada, but are required to provide Canadian regulatory authorities with access to information stored in facilities outside of Canada.

CPTPP

The Canada Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) is a free trade agreement between Canada and several countries in the Indo-Pacific region. While recognising that each party may have its own regulatory scheme relating to the security and use of computing facilities, the CPTPP prohibits a party from requiring that computing facilities are used or located in its jurisdiction as a condition for conducting business.

Public Safety Canada recently published an international statement received from several countries and Canadian MPs, encouraging governments and technology companies to develop mechanisms that would allow law enforcement to access encrypted content for the purpose of identifying illegal content. At the time of writing, Canada does not require software code, algorithms, encryption or similar technical details to be shared with government.

PIPEDA provides an exception to obtaining consent for the disclosure of personal information when such disclosure is made to a government institution for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction that is carrying out an investigation or gathering intelligence for the purpose of enforcing the law. PIPEDA also provides an exception to obtaining consent for disclosure to government institutions that are set out in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

Canada’s Foreign Extraterritorial Measures Act (FEMA) allows the Canadian government to deal with unacceptable extraterritorial assertions made by a foreign jurisdiction. Under FEMA, the Attorney General of Canada may prohibit or restrict the production of records to foreign tribunals. For example, FEMA protects Canadians and Canadian organisations from judgments issued under the Helms-Burton Act, the United States federal law that prevents foreign countries from engaging with Cuba in international trade.

Artificial Intelligence

If enacted, the AIDA will regulate interprovincial and international trade and commerce in AI systems by establishing common requirements for the design, development and use of AI systems applicable across Canada. The AIDA would also prohibit certain AI system conduct that could result in serious harm to individuals or their interests.

Biometric Data

In 2023, the OPC published draft guidance for organisations that intend to process biometric data. This guidance includes specific requirements and suggestions for identifying an appropriate purpose for collecting biometric data, obtaining express consent, limiting collection of biometric data to that which is necessary for the stated purpose, limiting use, disclosure and retention, appropriate safeguards, the use of accurate technology, accountability for the biometrics, and openness with individuals.

In Québec, Law 25 requires companies to notify the CAI if they create a database of biometric characteristics within 60 days before it is brought into service. Law 25 also lists biometric information as sensitive. Biometric data is generally considered as sensitive under PIPEDA.

Geolocation

The OPC announced in May 2023 that it received several complaints regarding the collection of geolocation data by the Public Health Agency of Canada (PHAC). In concluding that PHAC did not contravene the Privacy Act, the OPC emphasised that consent is generally required for the collection of phone geolocation information and any related disclosures of personally identifiable data, particularly for organisations subject to Canadian private sector privacy laws that collected and disclosed phone geolocation information to PHAC.

Deepfakes

The Canadian government is considering how to regulate deepfakes in a fast-paced digital environment and in view of a significant regulatory gap in the area. Deepfakes present complex issues, including the ability to generate disinformation, misleading material and other problematic content. Deepfakes can be used to mimic politicians and world leaders, resulting in serious implications for democratic processes. Deepfakes have also been used to create sexually explicit material of individuals without their consent.

At the time of writing, privacy legislation in Canada does not require the establishment of any Fair Data Practice Review Boards or protocols for digital governance.

See reference to the Digital Governance Council and its work in 1.5 Major NGOs and Self-Regulatory Organisations.

See 2.5 Enforcement and Litigation.

Québec’s Law 25 provides individuals in Québec with a statutory right of action to claim damages against organisations that violate a right conferred by Québec’s Private Sector Privacy Legislation or by Articles 35 to 40 of the Civil Code of Québec. The violation must have caused injury, and it must have been intentional or have resulted from a gross fault.

Under both PIPEDA and provincial private sector privacy law acts, there are carve-outs for the use of personal information in the context of business transactions. Personal information can be shared in the context of business transactions without consent if certain conditions are met, such as a binding agreement, security safeguards, use solely for the purpose of the transaction, and notification following completion of the transaction.

As part of its continuous disclosure regime, Canadian securities legislation requires that publicly traded companies disclose instances of cybersecurity incidents that represent a material change or material fact. What constitutes a material change or fact depends on the nature and scope of a given cybersecurity incident, but is generally understood as something that could have a significant effect on a publicly listed company’s market price.

The United States Securities and Exchange Commission has also created new cybersecurity requirements that may affect some publicly traded companies in Canada.

See the discussion on Bill C-27 in 1.7 Key Developments.

See the discussion in 1.7 Key Developments.