Canada Federal

Summary

Law: Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA') and Privacy Act 1985 ('the Privacy Act')

Regulator: Office of the Privacy Commissioner of Canada ('OPC')

Summary: PIPEDA and the Privacy Act are the main statutes regulating privacy and data protection at a federal level in Canada. PIPEDA only applies to organizations that conduct commercial activities, whilst the Privacy Act applies to federal government bodies. PIPEDA sets out ten principles by which organizations must abide, including principles of accountability, consent, accuracy, and safeguards, as well as limiting collection, use, disclosure, and retention. In addition, individuals have the right to submit complaints to organizations and the OPC and can also withdraw their consent regarding certain processing activities. The OPC is a very active regulator, often issuing guidelines, public consultations and advice regarding current and future legislation; however, it cannot issue fines or take any other type of binding enforcement action against organizations. Other relevant laws include the Bank Act 1991, Canada's Anti-Spam Legislation, 2010, and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, 2000. Data protection requirements also vary between the provinces and territories.

Please note that after Bill C-11 for the Digital Charter Implementation Act, 2020 ('DCIA') failed to pass on August 15, 2021, a new bill to reform Canada's private sector privacy law was introduced, on June 16, 2022, in the House of Commons. Bill C-27 for the Digital Charter Implementation Act 2022 is divided into three parts, with each aimed at enacting a new Act, namely the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. Bill C-27 is now under consideration in the Canadian Parliament.

Insights

Dustin Moores, Counsel at nNovation LLP, explores the updated Third-Party Risk Management Guideline (the Guideline) for Canadian financial institutions. The Guideline addresses increasing supply chain vulnerabilities and sets out best practices for Federally Regulated Financial Institutions (FRFIs) to manage third-party risks effectively.

If passed into law, Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26), would enact the Critical Cyber Systems Protection Act (CCSPA), amend the Telecommunications Act, and make consequential amendments to several other laws. Dustin Moores, Counsel at nNovation LLP, discusses these amendments and their enforcement.

On September 27, 2023, Innovation, Science and Economic Development Canada (ISED) published a Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems (the Code). In this Insight article, Christopher Ferguson and Anagha Nandakumaran, from Fasken, discuss the different measures of the Code and what this would mean for organizations. 

Artificial intelligence (AI) is transforming the way we work, learn, and communicate. The rapid development and adoption of new AI-based technologies have prompted regulators around the world to create policies and regulations governing its use, in an effort to ensure that AI is used in a responsible and ethical manner. Canada and the EU are among the many jurisdictions that have recently recognized the need for AI-specific regulation.

In April 2021, the European Commission published its proposed Artificial Intelligence Act (AI Act) as a framework for a coordinated European approach to addressing the challenges and concerns raised by the increasing use of AI. The following year, in June 2022, the Canadian government introduced Bill C-27 for the Digital Charter Implementation Act 2022 (Bill C-27), which aims to update existing federal private-sector privacy laws. In addition to privacy law reform, Bill C-27 also includes the Artificial Intelligence and Data Act (AIDA), Canada's first attempt to regulate AI through standalone legislation.

Both AIDA and the AI Act seek to encourage the responsible development and use of AI systems through a single regulatory framework. In this Insight article, Heather Whiteside, from Fasken, examines the similarities and differences between these legislative proposals, as currently drafted, in Canada and the EU.

In this Insight article, Sarah Nasrullah, from Norton Rose Fulbright LLP, delves into Canada's AI regulatory landscape, examining key aspects of the AI Act, enforcement mechanisms, penalties, and implications for organizations and individuals. It provides valuable insights into the evolving governance of AI technologies in the Canadian context.

On 16 June 2022, the Government of Canada introduced in the House of Commons the Artificial Intelligence and Data Act ('AIDA') as part of Bill C-27, for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act 2022 ('DCIA 2022').

In this Insight article, OneTrust DataGuidance Research provides an overview of the AIDA, which is currently undergoing second reading in the House of Commons, and the wider perceptions of artificial intelligence ('AI') at a federal level in Canada. For an analysis of the DCIA 2022, you may read our Insight article Canada: Digital Charter Implementation Act 2022 - What you need to know.

Canada has existing comprehensive federal private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA'), which became law in 2000. Recently, changes to PIPEDA have been proposed via the draft language of Bill C-27 for the Digital Charter Implementation Act 2022 ('Bill C-27'). Kirsten Thompson, Partner at Dentons, takes a look into the proposed changes, and what impact Bill C-27 would have in areas such as penalties, artificial intelligence ('AI'), and data portability.

Both the Consumer Privacy Protection Act ('CPPA') and Québec's Act to modernize legislative provisions as regard the protection of personal information, 2021, Chapter 25 ('Law 25') aim to modernise privacy laws and introduce significant penalties and fines for non-compliance. Jasmine Samra and Antoine Guilmain, from Gowling WLG, focus on the accountability of organisations under both privacy regimes.

On 16 June 2022, Bill C-27 for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act 2022 ('DCIA 2022'), was introduced in the House of Commons, where it passed first reading. This comes after a similar bill, Bill C-11 for the Digital Charter Implementation Act, 2020, failed to pass in 2021. The DCIA 2022 is divided into three main parts, with the aim of enacting three new Acts, namely the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.

In this article, OneTrust DataGuidance Research provides an overview of each part of the DCIA 2022 and its main provisions, focusing on the key developments and considerations for businesses.

Many jurisdictions are increasingly enacting laws and regulations governing how and where data must be stored, either within their respective borders or abroad. What has resulted is a constantly evolving network of rules and restrictions for the location of data. In this three-part series, OneTrust DataGuidance provides an overview of key trends in data localisation and data residency, outlining the underlying approaches, as well as common trends associated with sectors and categories of data.

The Interactive Advertising Bureau of Canada ('IAB Canada') released, on 24 November 2021, a guide on Understanding Bias in AI for Marketing: A Comprehensive Guide to Avoiding Negative Consequences with Artificial Intelligence. In particular, IAB Canada stated that the guide provides an excellent starting point for organisations to develop frameworks for better artificial intelligence ('AI') solutions. OneTrust DataGuidance discusses the guide in this article.

Autonomous vehicles ('AVs') have been described as being capable of gathering and communicating huge swaths of information about the vehicle, its occupants, and non-users (e.g. pedestrians). However, vehicles that leverage mass amounts of data to automate driving processes might be better viewed as robots because they can make decisions without an individual's explicit input. As consumer interest and demand for these vehicles grows across Canada, companies operating in this space need to understand their obligations for protecting privacy interests related to the data they handle. Further, as Canada's approach to regulating privacy evolves to include automated decision-making ('ADM') systems and artificial intelligence ('AI'), it may be prudent to take recent trends from other jurisdictions into account. Ellie Marshall, Associate at Blake, Cassels & Graydon LLP, discusses these regulatory issues and the privacy implications of autonomous vehicles from a Canadian perspective.