Canada - Data Protection Overview
Data protection law in Canada comprises a complex set of federal and provincial statutes. These laws include federal and provincial data protection statutes of general application, as well as sector-specific statutes, such as health privacy laws, and related laws such as anti-spam and consumer protection laws. Some of these statutes include mandatory notification and reporting requirements in the case of a breach of personal information. There is a large and growing body of regulator and court findings and guidance at the provincial and federal levels.
1. GOVERNING TEXTS
1.1. Legislation
The key data protection statutes in Canada are:
- Federal: Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA');
- British Columbia: Personal Information Protection Act, SBC 2003 c 63 ('BC PIPA');
- Alberta: Personal Information Protection Act, SA 2003 c P-6.5 ('AB PIPA'); and
- Quebec: Act respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 ('Quebec Private Sector Act').
In addition, Canadian anti-spam law, Canada's Anti-Spam Legislation, SC 2010 c 23 ('CASL'), frequently comes into play in relation to electronic marketing activities and there are numerous other statutes relating to personal health information, consumer protection, and the public sector.
Please note that on 17 November 2020, Bill C-11 for the Digital Charter Implementation Act, 2020 ('DCIA') was introduced to the House of Commons, and would reform Canada's federal private sector privacy laws by enacting the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act. The DCIA must now go through both Houses of Parliament for consideration.
1.2. Guidelines
The following are the primary authorities that issue data protection guidance pursuant to the private sector privacy statutes listed above:
- Office of the Privacy Commissioner of Canada ('OPC');
- Office of the Information and Privacy Commissioner for British Columbia;
- Office of the Information and Privacy Commissioner of Alberta ('AB OIPC'); and
- Quebec Commission on Access to Information.
Below is a sample of available guidance published by the OPC:
- Privacy and the COVID-19 Outbreak;
- Preventing and Responding to a Privacy Breach;
- Guidelines for Obtaining Meaningful Consent;
- Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection 5(3);
- Recording of Customer Telephone Calls;
- Guidelines for Identification and Authentication; and
- Guidelines on Privacy and Online Behavioural Advertising.
The OPC and the Canadian Radio-television and Telecommunications Commission ('CRTC') issue documents in relation to CASL.
1.3. Case law
The following findings and decisions are among the recent and notable privacy cases in Canada:
- PIPEDA Report of Findings #2020-004 - Joint investigation of the Cadillac Fairview Corporation Limited by the Privacy Commissioner of Canada, the Information and Privacy Commissioner of Alberta, and the Information and Privacy Commissioner for British Columbia;
- PIPEDA Report of Findings #2019-002 - Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia;
- PIPEDA Report of Findings #2019-001 - Investigation into Equifax Inc. and Equifax Canada Co.'s compliance with PIPEDA in light of the 2017 breach of personal information;
- PIPEDA Report of Findings #2015-001 - Results of Commissioner Initiated Investigation into Bell's Relevant Ads Program;
- Jones v. Tsige, 2012 ONCA 32 (landmark case recognising common law privacy tort claims which are now at the heart of privacy class action litigation); and
- Eastmond v. Canadian Pacific Railway, 2004 FC 852 (seminal case regarding appropriate purposes under PIPEDA).
2. SCOPE OF APPLICATION
PIPEDA applies to the collection, use, and disclosure of personal information in the course of commercial activities in Canada. The provinces of Alberta, British Columbia, and Quebec have enacted private sector privacy laws of general application which are applicable to the collection, use, and disclosure of personal information within those provinces: AB PIPA, BC PIPA, and the Quebec Private Sector Act. Unlike PIPEDA, these statutes apply irrespective of whether an activity is commercial in nature, as well as applying to employee personal information. Questions frequently arise in respect of whether a provincial statute, or PIPEDA, or both, may apply to a given activity.
CASL regulates, among other things, the sending of commercial electronic messages such as promotional and marketing messages, to and from Canada, irrespective of whether the recipient is an individual or an organisation.
PIPEDA does not apply to the collection, use, or disclosure of personal information within the provinces of Alberta, British Columbia, or Quebec, unless:
- the organisation is a federal work, undertaking, or business as defined in PIPEDA, e.g. banks, telecommunications companies, etc.; or
- the personal information is disclosed outside of a province in the course of a commercial activity.
PIPEDA also does not apply within certain provinces in respect of personal health information collected, used, or disclosed by health information custodians and other entities governed by certain provincial health laws.
PIPEDA is silent with respect to its extraterritorial application. However, the Federal Court of Canada ('the Federal Court') has found that PIPEDA will apply to businesses established in other jurisdictions if there is a 'real and substantial connection' between the organisation's activities and Canada (see A.T. v. Globe24h.com, 2017 FC 114). For example, with respect to websites, relevant connecting factors include where promotional efforts are being targeted, the location of end-users, the source of the content on the website, the location of the website operator, and the location of the host server.
The breach notification and reporting requirements in AB PIPA have been applied where the personal information affected in a breach was about an individual located in Alberta.
PIPEDA applies to every organisation that collects, uses, or discloses personal information in the course of commercial activities. Commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists.
Many organisations may be subject to PIPEDA in respect of certain aspects of their operations, and the provincial laws in respect of other aspects. Although the requirements of PIPEDA and the provincial laws are substantially similar, there are a number of important differences which can arise in certain circumstances.
PIPEDA does not apply to:
- personal information handled by federal government organisations listed under the Privacy Act, RSC 1985 c P-21 ('the Privacy Act');
- the collection, use, or disclosure of employee personal information, unless the organisation is a federal work, undertaking or business;
- an individual's collection, use, or disclosure of personal information strictly for personal purposes; or
- an organisation's collection, use, or disclosure of personal information solely for journalistic purposes.
Certain provisions in Canadian data protection laws, such as safeguards and the appropriate form of consent, depend on whether the personal information in issue is considered sensitive (which generally will include matters such as health and financial information, among others). However, the data protection laws do not prescribe what information types are considered sensitive.
Different privacy rules apply in respect of personal health information in some cases, and for public sector entities in Canada. However, private sector service providers to the health sector and public sector need to be aware of such requirements as they often inform requirements imposed on such parties through contract.
CASL is an opt-in regime in respect of commercial electronic messages. It prohibits the sending of commercial electronic messages, unless express or implied consent, or an applicable exception, is applicable and prescribed requirements are met. Substantial monetary penalties and other consequences can flow from violations of CASL, including extended liability for directors and officers.
3. DATA PROTECTION AUTHORITY
3.1. Main regulator for data protection
PIPEDA is administered by the OPC. Provincial privacy commissioners administer provincial privacy laws. While these provincial and territorial commissioners have their own unique mandates and powers under provincial laws, including order-making power, they often work collaboratively with the OPC and one another on investigations and policy matters.
CASL is administered by the CRTC, the Competition Bureau Canada, and the OPC. Each regulatory authority has jurisdiction over particular aspects of CASL requirements and enforcement.
3.2. Main powers, duties and responsibilities
One of the main roles of the OPC is to investigate and attempt to resolve complaints, make findings, and issue non-binding recommendations. The OPC is an ombudsperson and, as such, does not have the power to issue binding orders or fines, although such powers are being considered and were recently proposed by the federal government (in November 2020). It is notable that, unlike the OPC, the provincial commissioners do have certain order-making powers.
Following the completion of an OPC investigation, individuals and the OPC may seek binding enforcement and related relief in the Federal Court. The OPC also initiates investigations, audits, and related enforcement activity even in the absence of a third-party complaint.
In addition, the OPC's mandate includes an important public education and guidance role. The OPC has published many guidance documents, summaries of findings, and other resources for individuals and organisations.
4. KEY DEFINITIONS
Data controller: 'Data controller' is not expressly defined under PIPEDA or provincial data protection laws. Canadian statutes refer to 'organisations', which are considered to be in control of, and accountable for, compliance with privacy law requirements.
Data subject: 'Data subject' is not defined under PIPEDA or provincial data protection laws. These laws refer to 'individuals.'
Personal data: In general terms, 'personal data' (termed 'personal information' in the Canadian statutes) means information about an identifiable individual. This definition is given a broad interpretation. Information is generally considered to fit the definition of 'personal information' where there is a serious possibility that an individual could be identified through the use of the information, alone or in combination with other available information. Identifiability is an important concept in Canadian data protection laws.
Sensitive data: 'Sensitive data' is not defined under PIPEDA or provincial data protection statutes. PIPEDA provides that 'any information can be sensitive depending on the context' and also stipulates that the collection of sensitive information generally requires express consent. Sensitive information is also required to be safeguarded by a higher level of protection.
Health data: 'Health data' is not defined under PIPEDA, BC PIPA, AB PIPA, or the Quebec Private Sector Act. There are varying definitions of 'personal health information' under provincial health privacy laws which generally relate to identifying information about an individual related to physical and mental health.
Biometric data: 'Biometric data' is not defined under PIPEDA or provincial data protection laws, although in at least one province, biometric information is regulated under a statute specifically addressed to this type of information.
5. LEGAL BASES
5.1. Consent
Except where an exemption is applicable as described below, consent is required prior to the collection, use, and disclosure of personal information. Consent may be express or implied, depending on the circumstances, the intended collections, uses, and disclosures, and the level of sensitivity of the information. Implied consent is generally not appropriate for sensitive personal information, such as health information and financial information.
Moreover, consent under PIPEDA is only valid if it is reasonable to expect that an individual to whom the organisation's activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting. In order to meet the requirement for valid consent, organisations must give consideration to, among other things, the disclosures which they make to individuals at the point of obtaining consent, which has been emphasised in OPC guidance regarding obtaining meaningful consent. These considerations are particularly important in respect of potentially vulnerable groups such as minors and seniors.
Please see section 5.1. above regarding express and implied consent. Contracts may include or incorporate express consent, or give rise to a basis for implied consent, depending on the circumstances.
PIPEDA permits organisations to collect, use, and disclose personal information without consent where required by law. It also permits disclosure without consent for certain specified purposes, for example to investigate a breach of an agreement or a contravention of a law that has been, or is about to be, committed, or to detect or suppress fraud or prevent fraud that is likely to be committed. These exemptions apply only where it is reasonable to expect that obtaining consent would compromise the investigation or the ability to prevent, detect, or suppress the fraud, and they are permissive only; they do not require an organisation to disclose personal information.
Under PIPEDA, consent is not required if the collection and use of information is clearly in the interests of the individual and consent cannot be obtained in a timely way. This exemption, however, has limited application in practice as there is a paucity of guidance regarding the meaning of what is in the interests of the individual (except in situations involving threats to health or safety).
Under PIPEDA, consent is not required where it is reasonable to expect that collection with the consent of the individual would compromise the availability or accuracy of the information, and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of Canadian federal or provincial law.
Further, consent is not required if the collection of the information is for the purpose of disclosing the information as required by law or made to a government/government institution that has identified its lawful authority and has indicated that it suspects the information relates to national security, the defence of Canada, or the conduct of international affairs.
Under PIPEDA, consent is not required in a range of circumstances as listed in Section 7 of the law, a number of which are mentioned above.
Publicly Available Information
Regulations under PIPEDA provide that consent is not required for the collection, use, and disclosure of certain publicly available information, e.g. published information, court decisions, although some restrictions apply. In general terms, for the exemption to apply, the collection, use, or disclosure must be related to the purpose for which the information is publicly available.
Canadian privacy statutes governing the private sector generally allow for the collection, use, and disclosure of employee personal information without consent if solely for the purposes reasonably required to establish, manage, or terminate an employment relationship between the organisation and that individual.
While the statutes allow for the collection of personal information without consent within the bounds of reasonableness, they nonetheless require the employer to be transparent. Accordingly, organisations must generally notify employees that such data collection is occurring and explain the purpose(s) for the collection (such as employee safety).
In addition to the data protection statutes that can apply to employee personal information, workplace privacy issues have long been addressed in the labour and employment context by arbitrators and the courts. A significant body of law has been built up in that context in respect of privacy-based limitations on management rights, e.g. drug and alcohol testing, workplace surveillance, investigations etc.
6. PRINCIPLES
PIPEDA requires organisations to comply with a set of legal obligations that are based on the following ten principles (set out in Schedule 1 to PIPEDA):
- accountability;
- identifying purposes;
- consent;
- limiting collection;
- limiting use, disclosure, and retention;
- accuracy;
- safeguards;
- openness;
- individual access; and
- challenging compliance.
The provincial statutes contain similar requirements.
PIPEDA and provincial laws hold organisations accountable for information under their control and require the appointment of an individual or individuals who are responsible for the organisation's compliance with the law.
Organisations are also required to implement policies and practices to address compliance, including:
- implementing procedures to protect personal information;
- establishing procedures to receive and respond to complaints and inquiries;
- training staff and communicating to staff information about the organisation's policies and practices; and
- developing information to explain the organisation's policies and procedures.
PIPEDA contains an over-arching requirement that organisations may only collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In other words, even with consent, there are certain activities which may be prohibited under PIPEDA. A similar restriction is applicable under provincial laws.
In assessing whether a reasonable person would find a purpose for collecting, using, and disclosing personal information to be appropriate, the OPC and the Federal Court have applied the following four-part test in a number of cases:
- is the activity demonstrably necessary to meet a specific need;
- is the activity likely to be effective in meeting that need;
- is the loss of privacy proportional to the benefit gained; and
- is there a less privacy-invasive way of achieving the same end.
Although the test will not be applicable in every case, it provides a useful guide for assessing activities, and has often been applied in the workplace and surveillance contexts in particular.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
Organisations are required to use security safeguards in order to protect personal information against loss or theft, as well as unauthorised access, disclosure, copying, use, or modification.
Canadian data protection laws do not specify particular security safeguards that must be used. However, they do require that the nature of the safeguards must be appropriate to the level of sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. Organisations must consider and implement, as appropriate:
- physical measures, such as locked cabinets and doors;
- organisational measures, such as access on a 'need to know' basis and clean desk policies; and
- technological measures, such as passwords and encryption.
Commissioner decisions and guidance materials provide additional direction regarding appropriate safeguards in particular circumstances.
Canadian data protection laws also require that organisations make their employees aware of the importance of maintaining the confidentiality of personal information, and that care be used in the disposal or destruction of personal information to prevent unauthorised parties from gaining access to the information.
Organisations are not required to notify or register with the regulatory authorities under privacy laws in Canada.
An organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. In general terms, organisations must use contractual or other means, which usually include technical measures, to provide a comparable level of protection while the information is being processed by a third-party service provider or other entity. The OPC has also suggested that consent may be required for transfers to service providers, although this view is controversial, and no legislative amendment has been made. Additional considerations, including notice to individuals, are applicable regarding the use of service providers located outside of Canada. Certain provincial privacy laws impose additional obligations in relation to cross-border transfers.
For further information on cross-border transfers and outsourcing requirements in Canada, please see our Data Transfers Cross-Border Chart.
Organisations are not specifically required to maintain general data processing records under private sector data protection law. However, in order to demonstrate compliance, consent, and other requirements, if challenged by a complainant, commissioner, or the court, it can be crucial to maintain records. Certain record keeping is specifically required in relation to CASL. Certain record keeping is specifically required in respect of breaches under PIPEDA in certain circumstances as noted below.
Organisations are not specifically required to carry out a Data Protection Impact Assessment or Privacy Impact Assessment under the private sector data protection laws, but this can represent a best practice and due diligence.
Under PIPEDA and the privacy laws in British Columbia and Alberta in particular, organisations are required to designate an individual or individuals responsible for privacy compliance. This individual is conventionally known as the 'Privacy Officer,' although PIPEDA does not specify any particular nomenclature or that the individual be a corporate officer. However, there is no such requirement in Quebec. Unlike the European Union's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which provides extensive guidance for the position of a data protection officer, PIPEDA and the privacy laws of British Columbia and Alberta do not specifically describe the duties of a Privacy Officer.
There is a general obligation for data breach notification under PIPEDA and under AB PIPA. Alberta's law requires notice to the AB OIPC in the event that a breach gives rise to a real risk of significant harm, and the AB OIPC may require notification to individuals (although in practice notification is often provided to the AB OIPC and individuals simultaneously).
Under PIPEDA, an organisation must notify the OPC and affected individuals of a breach of security safeguards where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. The organisation must also notify any other organisation, government institution, or part of a government institution that may be able to reduce the risk of harm that could result from the breach or mitigate that harm. Notification must be given as soon as feasible. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
A person that contravenes PIPEDA's breach notification provisions may be found guilty of an offence punishable on summary conviction and liable to a fine not exceeding CAD 10,000 (approx. €6,467), or an indictable offence and liable to a fine not exceeding CAD 100,000 (approx. €64,670).
A number of sectoral statutes contain relevant provisions. For example, under Ontario's Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A ('PHIPA') and its related regulation, health information custodians ('custodians') must notify the Information and Privacy Commissioner of Ontario about certain privacy breaches. Privacy breaches that require notification include situations where:
- there has been use or disclosure without authority;
- information has been stolen;
- there has been further use without authority after a breach;
- there has been a similar pattern of breaches;
- disciplinary action has been taken against a college member;
- disciplinary action has been taken against a non-college member; and
- there has been a significant breach, even if none of the above have occurred (for instance, where a healthcare practitioner accidentally discloses a patient's mental health assessment to other practitioners on a group email distribution list, rather than to just the patient's physician).
Ontario custodians are also required to notify individuals whose privacy has been breached where there has been a theft or loss of the individual's health information. Similarly, health care providers in New Brunswick are required, under New Brunswick's Personal Health Information Privacy and Access Act 2009 ('PHIPAA'), to notify their patients or clients as well as the Office of the Integrity Commissioner for New Brunswick if there is a privacy breach of their patients' or clients' personal health information.
PIPEDA requires that certain records be kept in relation to breaches for a period of two years after the breach is discovered.
PIPEDA states that personal information must be retained only for as long as is necessary to fulfil the purposes for which it was collected, after which it should be securely destroyed, erased, or rendered anonymous. However, there are exceptions to this: an organisation must retain information that is the subject of a request for access for as long as necessary to allow the individual to exhaust any recourse open to them in relation to the request; and information that has been used to make a decision about an individual must be retained long enough to allow the individual access to that information following the decision.
A specifically identified purpose is often a clear indicator of how long information needs to be retained. In some cases, determining the appropriate retention period may be complex as there is no 'one-size-fits-all' retention period. For some organisations, there is a legislative requirement to keep information for a certain amount of time. In other instances, there may be no such requirement, and an organisation needs to determine the appropriate retention period.
Private sector privacy laws do not address children's data specifically. However, the processing of children's data will require consideration of the sensitivity of the information, whether consent can be obtained from minors, and the requirements of the OPC's guidance regarding meaningful consent, among other considerations.
Private sector privacy laws do not contain specific provisions regarding the processing of special categories of information. However, as noted above, these laws will vary in their application depending on whether information is sensitive, whether the information is of a 'publicly available' type listed in regulations to PIPEDA, and whether there are other statutes that may permit or restrict the processing of such information.
Canadian private sector privacy laws require organisations to use contractual or other means to bind third parties that process personal information on their behalf. For example, Principle 1 of PIPEDA states that, 'An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.' The OPC has interpreted this provision as requiring, among other things, a contract which includes:
- a requirement for the processor to have privacy policies and processes in place, including training for its staff and effective security measures;
- a requirement that the information is properly safeguarded at all times; and
- a right to audit and inspect how the third party handles and stores personal information.
8. DATA SUBJECT RIGHTS
Canadian private sector privacy laws generally require the knowledge and consent of the individual, except in certain circumstances where consent is not required, and organisations must be open and transparent about their practices, and inform individuals about the information collected, used, and disclosed, as well as the purposes for such activities, among other requirements.
Under Canadian data protection laws, individuals have a general right to obtain access to their personal information held by organisations. Access requests must be processed in accordance with the applicable statute, within prescribed timeframes. Organisations are permitted to refuse access only in enumerated circumstances, and generally must sever exempt information from non-exempt information where possible. For example, under PIPEDA, organisations may refuse access to personal information where, among other exceptions, the information is protected by solicitor-client privilege or would reveal confidential commercial information.
Requests for access to personal information under data protection statutes are relatively infrequent in Canada but are on the rise. They are often used as a form of early litigation discovery by individual litigants and prospective litigants, including former employees. Organisations generally must process such requests regardless of whether parallel litigation proceedings are underway.
Under PIPEDA, when an individual successfully demonstrates the inaccuracy or incompleteness of personal information, an organisation must amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
The OPC has taken the position, in the Draft OPC Position on Online Reputation, that under PIPEDA, individuals should have the ability to remove information that they have posted online and has suggested that PIPEDA currently includes this right in relation to the right to withdraw consent. It is unsettled whether this right currently exists in Canada, or to what extent it exists. The OPC has asked the Federal Court in a case reference to clarify the law on this point.
Individuals have the right to submit complaints to organisations, to withdraw consent (subject to some limitations), and to file complaints with the OPC. Based on guidance from the OPC, opt-out consents are permissible under PIPEDA in limited circumstances involving non-sensitive information provided that a set of requirements are met.
There is no specific right to data portability under the private sector privacy statutes.
There is no specific right not to be subject to automated decision-making under the private sector privacy statutes.
Individuals have a range of rights pursuant to private sector privacy laws in Canada, many of which are linked to the rights of access, correction, and withdrawal of consent, and others which flow from the right to seek redress for violations of other requirements in the laws.
9. PENALTIES
The OPC and the provincial privacy commissioners have issued many findings, touching on virtually every aspect of data protection law, including those described above. The OPC has also recommended that in some cases an organisation undertake an independent third-party audit to demonstrate that the organisation is in compliance with PIPEDA. The OPC now has the ability to enter into compliance agreements with organisations in the wake of investigations and complaints. However, the OPC does not currently have the power to issue fines or penalties.
While historically privacy matters have less frequently been pursued in the courts, in recent years the landscape has changed dramatically in Canada. Courts have awarded damages for violations of privacy laws and privacy rights in a number of cases, and there has been a sharp increase in tort claims and related civil litigation and class action proceedings. Claimants now frequently forgo complaints to privacy commissioners and proceed directly to court to seek damages and other relief in respect of privacy matters, or pursue both avenues of relief simultaneously. In a number of cases, claimants have obtained damages for privacy breaches, and certification of class actions, even in the absence of any pecuniary loss flowing from a breach. The current volume of privacy-related litigation, and of certifications of class proceedings, is unprecedented in Canada.
As mentioned above, data protection issues are increasingly being addressed in the courts in Canada. British Columbia, Manitoba, Newfoundland and Labrador, and Saskatchewan have enacted statutory torts for invasion of privacy. Common law privacy torts have also been recognised in other provinces. With the potential to obtain damages for breaches of privacy even in the absence of any pecuniary loss, claimants and class action counsel increasingly turn to the courts, not the privacy commissioners, for recourse in respect of privacy matters. In addition to torts of invasion of privacy, claimants also claim liability in contract, negligence, misrepresentation, waiver of tort, and other claims.
See the list of notable decisions in section 1.3. above.