January 2024

1. Governing Texts

Data protection law in Canada is comprised of a complex set of federal and provincial statutes. These laws include federal and provincial data protection statutes of general application, as well as sector-specific statutes, such as health privacy laws, and related laws such as anti-spam and consumer protection laws. Some of these statutes include mandatory notification and reporting requirements in the case of a breach of personal information. There is a large and growing body of regulator and court findings and guidance at the provincial and federal levels.

1.1. Key acts, regulations, directives, bills

The key data protection statutes in Canada are:

• Federal: Personal Information Protection and Electronic Documents Act (S.C., 2000, c. P-5) ('PIPEDA');
• British Columbia: Personal Information Protection Act (S.B.C., 2003, c. P-63) ('BC PIPA');
• Alberta: Personal Information Protection Act (SA, 2003, c. P-6.5) ('AB PIPA'); and
• Quebec: Act respecting the Protection of Personal Information in the Private Sector (CQLR, 2023, c. P-39.1) ('Quebec Private Sector Act'), recently amended by the Act To Modernize Legislative Provisions As Regards The Protection Of Personal Information (SQ, 2021, c 25) (formerly known as Bill 64) which is scheduled to come into force in phases ranging between one and three years from the date of assent on September 22, 2021; as of September 22, 2023, all provisions of the Quebec Private Sector Act have come into force, except for the right to data portability, which will come into force on September 22, 2024.

In addition, Canadian anti-spam law, Canada's Anti-Spam Legislation (SC, 2010, c 23) ('CASL'), frequently comes into play in relation to electronic marketing activities and there are numerous other statutes relating to personal health information, consumer protection, and the public sector.

Please note that after Bill C-11 for the Digital Charter Implementation Act, 2020 ('DCIA') failed to pass on August 15, 2021, a new bill to reform Canada's private sector privacy law was introduced, on June 16, 2022, in the House of Commons. Bill C-27 for the Digital Charter Implementation Act 2022 is divided into three parts, with each aimed at enacted a new Act, namely the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. Bill C-27 is now under consideration in the Canadian Parliament.

1.2. Guidelines

The following are the primary authorities that issue data protection guidance pursuant to the private sector privacy statutes listed above:

• Office of the Privacy Commissioner of Canada ('OPC');
• Office of the Information and Privacy Commissioner for British Columbia;
• Office of the Information and Privacy Commissioner of Alberta ('AB OIPC'); and
• Quebec Commission on Access to Information ('CAI');

Below is a sample of available guidance published by the OPC:

• Privacy and the COVID-19 Outbreak;
• Preventing and Responding to a Privacy Breach;
• Guidelines for Obtaining Meaningful Consent;
• Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection 5(3);
• Recording of Customer Telephone Calls;
• Guidelines for Identification and Authentication;
• Guidelines on Privacy and Online Behavioural Advertising;
• PIPEDA Self-Assessment Tool;
• Getting Accountability Right with a Privacy Management Program ('the PMP Guide');
• PIPEDA Fair Information Principle 1 – Accountability Guidance; and
• PIPEDA Fair Information Principle 10 – Challenging Compliance Guidance.

The OPC and the Canadian Radio-television and Telecommunications Commission ('CRTC') issue documents in relation to CASL.

1.3. Case law

The following findings and decisions are among the recent and notable privacy cases in Canada:

• PIPEDA Report of Findings #2023-001 – Investigation into Home Depot of Canada's compliance with PIPEDA;
• Setoguchi v Uber BV, 2023 ABCA 45 (appeal decision affirming that the loss of personal information without any subsequent harm or negative impact on affected individuals does not entitle those individuals to "baseline" damages in a data breach class action; leave to appeal to the Supreme Court of Canada (the Supreme Court) was denied on July 12, 2023);
• Owsianik v. Equifax Canada Co., 2022 ONCA 813; Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814; Winder v. Marriott International, Inc., 2022 ONCA 815 (landmark appeal decision of three companion cases recognizing that in privacy class action litigation, the tort of intrusion upon seclusion is generally not a viable cause of action where a defendant has failed to prevent a cyberattack, but was not the attacker; leave to appeal to the Supreme Court of Canada was denied on July 12, 2023);
• Stewart v. Demme, 2022 ONSC 1790 (Div. Ct.) (establishing that the tort of intrusion upon seclusion is unavailable where the access to information was limited, fleeting, and incidental to the purpose of the access);
• PIPEDA Report of Findings #2022-001 – Joint investigation into location tracking by the Tim Hortons App by the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Information and Privacy Commissioner of Alberta, and the Information and Privacy Commissioner for British Columbia;
• PIPEDA Report of Findings #2022-005 – Hotel chain discovers breach of customer database following acquisition of a competitor;
• PIPEDA Report of Findings #2021-001 - Joint investigation of Clearview AI, Inc. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l'information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information and Privacy Commissioner of Alberta;
• PIPEDA Report of Findings #2020-004 - Joint investigation of the Cadillac Fairview Corporation Limited by the Privacy Commissioner of Canada, the Information and Privacy Commissioner of Alberta, and the Information and Privacy Commissioner for British Columbia;
• PIPEDA Report of Findings #2019-002 - Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia;
• PIPEDA Report of Findings #2019-001 - Investigation into Equifax Inc. and Equifax Canada Co.'s compliance with PIPEDA in light of the 2017 breach of personal information;
• PIPEDA Report of Findings #2015-001 - Results of Commissioner Initiated Investigation into Bell's Relevant Ads Program;
• Jones v. Tsige, 2012 ONCA 32 (landmark case recognizing common law privacy tort claims which are now at the heart of privacy class action litigation); and
• Eastmond v. Canadian Pacific Railway, 2004 FC 852 (seminal case regarding appropriate purposes under PIPEDA).

2. Scope of Application

2.1. Personal scope

PIPEDA applies to the collection, use, and disclosure of personal information in the course of commercial activities in Canada. The provinces of Alberta, British Columbia, and Quebec have enacted private sector privacy laws of general application which are applicable to the collection, use, and disclosure of personal information within those provinces: AB PIPA, BC PIPA, and the Quebec Private Sector Act. Unlike PIPEDA, these statutes apply irrespective of whether an activity is commercial in nature and apply to employee personal information. Questions frequently arise in respect of whether a provincial statute, or PIPEDA, or both, may apply to a given activity.

CASL regulates, among other things, the sending of commercial electronic messages such as promotional and marketing messages, to and from Canada, irrespective of whether the recipient is an individual or an organization.

2.2. Territorial scope

PIPEDA does not apply to the collection, use, or disclosure of personal information within the provinces of Alberta, British Columbia, or Quebec, unless:

• the organization is a federal work, undertaking, or business as defined in PIPEDA, e.g., banks, telecommunications companies, etc.; or
• the personal information crosses provincial borders in the course of a commercial activity.

PIPEDA also does not apply within the provinces of New Brunswick, Newfoundland and Labrador, Nova Scotia, and Ontario in respect of personal health information collected, used, or disclosed by health information custodians and other entities governed by certain provincial health laws.

PIPEDA is silent with respect to its extraterritorial application. However, the Federal Court of Canada ('the Federal Court') has found that PIPEDA will apply to businesses established in other jurisdictions if there is a 'real and substantial connection' between the organization's activities and Canada (see A.T. v. Globe24h.com, 2017 FC 114). For example, with respect to websites, relevant connecting factors include where promotional efforts are being targeted, the location of end-users, the source of the content on the website, the location of the website operator, and the location of the host server.

The breach notification and reporting requirements in AB PIPA have been applied where the personal information affected in a breach was about an individual located in Alberta.

2.3. Material scope

PIPEDA applies to every organization that collects, uses, or discloses personal information in the course of commercial activities. Commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists.

Many organizations may be subject to PIPEDA in respect of certain aspects of their operations, and the provincial laws in respect of other aspects. Although the requirements of PIPEDA and the provincial laws are substantially similar, there are a number of important differences which can arise in certain circumstances.

PIPEDA does not apply to:

• personal information handled by Federal Government organizations listed under the Privacy Act (R.S.C., 1985, c. P-21) ('the Privacy Act');
• the collection, use, or disclosure of employee personal information, unless the organization is a federal work, undertaking or business;
• an individual's collection, use, or disclosure of personal information strictly for personal purposes; or
• an organization's collection, use, or disclosure of personal information solely for journalistic purposes.

Certain provisions in Canadian data protection laws, such as safeguards and the appropriate form of consent, depend on whether the personal information in issue is considered sensitive (which generally will include matters such as health and financial information, among others). However, the data protection laws do not generally prescribe what information types are considered sensitive.

Different privacy rules apply in respect of personal health information in some cases, and for public sector entities in Canada. However, private sector service providers to the health sector and public sector need to be aware of such requirements as they often inform requirements imposed on such parties through contract.

CASL is an opt-in regime in respect of commercial electronic messages. It prohibits the sending of commercial electronic messages, unless express or implied consent, or an applicable exception, is applicable and prescribed requirements are met. Substantial monetary penalties and other consequences can flow from violations of CASL, including extended liability for directors and officers.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

PIPEDA is administered by the OPC. Provincial privacy commissioners administer provincial privacy laws. While these provincial and territorial commissioners have their own unique mandates and powers under provincial laws, including order-making power, they often work collaboratively with the OPC and one another on investigations and policy matters.

CASL is administered by the CRTC, the Competition Bureau Canada, and the OPC. Each regulatory authority has jurisdiction over particular aspects of CASL requirements and enforcement.

3.2. Main powers, duties and responsibilities

One of the main roles of the OPC is to investigate and attempt to resolve complaints, make findings, and issue non-binding recommendations. The OPC is an ombudsperson and, as such, does not have the power to issue binding orders or fines, although such powers are being considered and were proposed by the Government of Canada ('the Federal Government') in November 2020. It is notable that, unlike the OPC, the provincial commissioners do have certain order-making and enforcement powers.

Following the completion of an OPC investigation, individuals and the OPC may seek binding enforcement and related relief in the Federal Court. The OPC also initiates investigations, audits, and related enforcement activity even in the absence of a third-party complaint. In addition, the OPC's mandate includes an important public education and guidance role. The OPC has published many guidance documents, summaries of findings, and other resources for individuals and organizations.

4. Key Definitions

Data controller: 'Data controller' is not expressly defined under PIPEDA or provincial data protection laws. Canadian statutes refer to 'organizations' which are considered to be in control of, and accountable for, compliance with privacy law requirements.

Data processor: 'Data processor' is not defined under PIPEDA or provincial data protection laws, although such laws refer to 'third party' processors and 'service providers.'

Data subject: 'Data subject' is not defined under PIPEDA or provincial data protection laws. These laws refer to 'individuals.'

Personal data: In general terms, 'personal data' means information about an identifiable individual. This definition is given a broad interpretation. Information is generally considered to fit the definition of 'personal information' where there is a serious possibility that an individual could be identified through the use of the information, alone or in combination with other available information. Identifiability is an important concept in Canadian data protection laws.

Sensitive data: 'Sensitive data' is not defined under PIPEDA, AB PIPA, or BC PIPA. PIPEDA provides that 'any information can be sensitive depending on the context' and also stipulates that the collection of sensitive information generally requires express consent. Sensitive information is also required to be safeguarded by a higher level of protection. The amended Quebec Private Sector Act provides that personal information is sensitive if, due to its nature or the context of its use or communication, it entails a high level of reasonable expectation of privacy. The collection of sensitive information in Quebec requires consent that is manifest, free, and enlightened, and must be given for specific purposes.

Health data: 'Health data' is not defined under PIPEDA, BC PIPA, AB PIPA, or the Quebec Private Sector Act. There are varying definitions of 'personal health information' under provincial health privacy laws which generally relate to identifying information about an individual related to physical and mental health.

Biometric data: 'Biometric data' is not defined under PIPEDA or provincial data protection laws, although in at least one province, biometric information is regulated under a statute specifically addressed to this type of information. The Quebec Private Sector Act makes explicit that biometric data is included in the definition of sensitive information.

Pseudonymization: 'Pseudonymization' is not specifically defined under PIPEDA or provincial data protection laws. The amended Quebec Private Sector Act deems personal information to be 'anonymized' when it is, at all times, reasonable to expect in the circumstances that it irreversibly no longer allows the person to be identified, directly or indirectly.

Privacy Impact Assessment | Data Protection Impact Assessment: A Privacy Impact Assessment ('PIA') is a policy process for identifying, assessing, and mitigating privacy risks. Government institutions are to develop and maintain PIAs for all new or modified programs and activities that involve the use of personal information for an administrative purpose (Appendix A of the Policy).

The OPC's Guide to the Privacy Impact Assessment Process defines PIA as a risk management process that helps institutions ensure they meet legislative requirements and identify the impacts their programs and activities will have on individuals' privacy.

5. Legal Bases

5.1. Consent

Except where an exemption is applicable as described below, consent is required prior to the collection, use, and disclosure of personal information. Consent may be express or implied, depending on the circumstances, the intended collections, uses, and disclosures, and the level of sensitivity of the information. Implied consent is generally not appropriate for sensitive personal information, such as health information and financial information.

Moreover, consent under PIPEDA is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting. In order to meet the requirement for valid consent, organizations must give consideration to, among other things, the disclosures which they make to individuals at the point of obtaining consent, which has been emphasized in OPC guidance regarding obtaining meaningful consent. These considerations are particularly important in respect of potentially vulnerable groups such as minors and seniors.

Under the amended Quebec Private Sector Act, consent to the collection, communication, or use of personal information must be manifest, free, and enlightened, and must be given for specific purposes. Consent is only valid for the length of time needed to achieve the purposes for which the consent was requested. The amended Quebec Private Sector Act provides an exception to the consent requirement if the information is used for the purposes of study or research, or the production of statistics, so long as the information is de-identified.

5.2. Contract with the data subject

Please see section on consent above regarding express and implied consent. Contracts may include or incorporate express consent, or give rise to a basis for implied consent, depending on the circumstances. The amended Quebec Private Sector Act; however, requires that written consent be collected separately from other information provided to the individual.

5.3. Legal obligations

PIPEDA permits organizations to collect, use, and disclose personal information without consent where required by law and to disclose information, for example: to investigate a breach of an agreement or a law that has been, or is about to be, committed; or to detect or suppress fraud, or to prevent fraud that is likely to be committed. These exemptions apply only where it is reasonable to expect that obtaining consent would compromise the investigation or the ability to prevent, detect, or suppress the fraud, and are permissive only; they do not require an organization to disclose personal information.

5.4. Interests of the data subject

Under PIPEDA, consent is not required if the collection and use of information is clearly in the interests of the individual and consent cannot be obtained in a timely way. This exemption, however, has limited application in practice as there is a paucity of guidance regarding the meaning of what is in the interests of the individual (except in situations involving threats to health or safety).

5.5. Public interest

Under PIPEDA, consent is not required where it is reasonable to expect that the collection with the consent of the individual would compromise the availability of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the Canada's federal or provincial laws.

Further, consent is not required if the collection of the information is for the purpose of disclosing the information as required by law or made to a Federal Government/government institution that has identified its lawful authority and has indicated that it suspects the information relates to national security, the defense of Canada, or the conduct of international affairs.

5.6. Legitimate interests of the data controller

Under PIPEDA, consent is not required in a range of circumstances as listed in the section on controller and processor obligations, a number of which are mentioned above.

5.7. Legal bases in other instances

Publicly available information

Regulations under PIPEDA provide that consent is not required for the collection, use, and disclosure of certain publicly available information, e.g., published information and court decisions, although some restrictions apply. In general terms, for the exemption to apply, the collection, use, or disclosure must be related to the purpose for which the information is publicly available.

Employment

Canadian privacy statutes governing the private sector generally allow for the collection, use, and disclosure of employee personal information without consent if solely for the purposes reasonably required to establish, manage, or terminate an employment relationship between the organization and that individual.

While the statutes allow for the collection of personal information without consent within the bounds of reasonableness, they nonetheless require the employer to be transparent. Accordingly, organizations must generally notify employees that such data collection is occurring and explain the purpose(s) for the collection (such as employee safety).

In addition to the data protection statutes that can apply to employee personal information, workplace privacy issues have long been addressed in the labor and employment context by arbitrators and the courts. A significant body of law has been built up in that context in respect of privacy-based limitations on management rights, e.g. drug and alcohol testing, workplace surveillance, investigations among others.

6. Principles

PIPEDA requires organizations to comply with a set of legal obligations that are based on the following ten principles:

• accountability;
• identifying purposes;
• consent;
• limiting collection;
• limiting use, disclosure, and retention;
• accuracy;
• safeguards;
• openness;
• individual access; and
• challenging compliance.

The provincial statutes contain similar requirements.

Accountability

PIPEDA and provincial laws hold organizations accountable for information under their control and require the appointment of an individual(s) who are responsible for the organization's compliance with the law.

Organizations are also required to implement policies and practices to address compliance, including:

• implementing procedures to protect personal information;
• establishing procedures to receive and respond to complaints and inquiries;
• training staff and communicating to staff information about the organization's policies and practices; and
• developing information to explain the organization's policies and procedures.

Appropriate purpose

PIPEDA contains an over-arching requirement that organizations may only collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In other words, even with consent, there are certain activities which may be prohibited under PIPEDA. A similar restriction is applicable under provincial laws.

In assessing whether a reasonable person would find a purpose for collecting, using, and disclosing personal information to be appropriate, the OPC and the Federal Court have applied the following four-part test in a number of cases:

• is the activity demonstrably necessary to meet a specific need;
• is the activity likely to be effective in meeting that need;
• is the loss of privacy proportional to the benefit gained; and
• is there a less privacy-invasive way of achieving the same end.

Although the test will not be applicable in every case, it provides a useful guide for assessing activities, and has often been applied in the workplace and surveillance contexts in particular.

7. Controller and Processor Obligations

Safeguards

Organizations are required to use security safeguards in order to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.

Canadian data protection laws do not specify particular security safeguards that must be used. However, they do require that the nature of the safeguards must be appropriate to the level of sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. Organizations must consider and implement, as appropriate:

• physical measures, such as locked cabinets and doors;
• organizational measures, such as access on a 'need to know' basis and clean desk policies; and
• technological measures, such as passwords and encryption.

Commissioner decisions and guidance materials provide additional direction regarding appropriate safeguards in particular circumstances.

The amended Quebec Private Sector Act requires organizations that collect personal information when offering a technological product or service to ensure that the security parameters of the product or service provide the highest level of confidentiality, by default.

Canadian data protection laws also require that organizations make their employees aware of the importance of maintaining the confidentiality of personal information, and that care be used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.

7.1. Data processing notification

Organizations are not required to notify or register with the regulatory authorities under privacy laws in Canada.

However, an organization is required to notify the OPC if it uses personal information without the knowledge or consent of the individual to whom the personal information relates for statistical, scholarly study, or research purposes that cannot be achieved without using the information, it would be impractical to obtain consent, and the data's confidentiality is maintained (Section 7(2)(c) of PIPEDA).

7.2. Data transfers

An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. In general terms, organizations must use contractual or other means, which usually include technical measures, to provide a comparable level of protection while the information is being processed by a third-party service provider or other entity. The OPC has also suggested that consent may be required for transfers to service providers, although this view is controversial, and no legislative amendment has been made. Additional considerations, including notice to individuals, are applicable regarding the use of service providers located outside of Canada.

Certain provincial privacy laws impose additional obligations in relation to cross-border transfers. The amended Quebec Private Sector Act, for example, requires that cross-border communication of personal information be preceded by a PIA, regardless of the destination jurisdiction.

For further information on cross-border transfers and outsourcing requirements in Canada, please see OneTrust DataGuidance's Data Transfers Portal.

7.3. Data processing records

Organizations are not specifically required to maintain general data processing records under private sector data protection law. However, in order to demonstrate compliance, consent, and other requirements if challenged by a complainant, Commissioner, or the court, it can be crucial to maintain records. Certain record keeping is specifically required in respect of breaches under PIPEDA or provincial privacy laws in certain circumstances as noted below. Certain record keeping is also required in relation to CASL.

7.4. Data protection impact assessment

Organizations are not specifically required to carry out a Data Protection Impact Assessment or PIA under PIPEDA, AB PIPA, or BC PIPA, but this can represent a best practice and due diligence.

The amended Quebec Private Sector Act requires that organizations conduct a PIA for any project involving the acquisition, development, or redesign of an information system or electronic service delivery involving personal information, and whenever personal information is transferred outside of Quebec.

Please note there is a mandatory requirement to undertake a PIA under Section 6.3.1 of the Directive on Privacy Impact Assessment ('the Directive') for Government Institutions. For further information on the public sector please see Section 6.3.1 and Appendix C of the Directive.

7.5. Data protection officer appointment

Under PIPEDA and the provincial privacy laws, organizations are required to designate an individual(s) responsible for privacy compliance. This individual is conventionally known as the 'privacy officer', although PIPEDA does not specify any particular nomenclature or that the individual be a corporate officer.

The PIPEDA Self-Assessment Tool outlines that the data privacy officer (DPO) should (Page 6 of the PIPEDA Self-Assessment Tool):

• be a senior decision-maker who is clearly supported in their role by senior management in promoting privacy as a corporate value;
• be able to intervene on privacy issues across the organization when needed; and
• ensure that sufficient and appropriate resources are allocated for implementing privacy policies, managing privacy risks, and ensuring that periodic assessments are done to see if privacy policies are being met and that the organization is complying with PIPEDA.

Unlike the European Union's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which provides extensive guidance for the position of a data protection officer, PIPEDA, AB PIPA, and BC PIPA do not specifically describe the duties of a privacy officer. Under the amended Quebec Private Sector Act, the privacy officer (by default the CEO, unless otherwise delegated in writing) is responsible for ensuring the organization complies with the obligations imposed by the Act and responding to requests, questions, or complaints relating to personal information. The title and contact details of its privacy officer must be available on the organization's website.

However, the PIPEDA Self-Assessment Tool outlines that a DPO responsibilities should include (Page 8 of the PIPEDA Self-Assessment Tool):

• demonstrating knowledge of the organization's personal information handling policies and procedures;
• demonstrating knowledge of the organization's responsibilities under PIPEDA;
• explaining the procedures for requesting personal information and filing complaints; and
• conducting or supervising complaint investigations.

Furthermore, the DPO would be responsible for the privacy management program, recommended by the OPC in order to comply with Schedule 1, Principle 4.1.1 of PIPEDA, which involves (Page 7 of the PMP Guide):

• establishing and implementing program controls;
• coordinating with other appropriate persons responsible for related disciplines and functions within the organization;
• being responsible for the ongoing assessment and revision of program controls;
• representing the organization in the event of a complaint investigation by a Privacy Commissioner's Office; and
• advocating privacy within the organization itself.

In addition, the OPC has stated that organizations should ensure that the DPO is supported by senior management and has the authority to intervene on privacy issues relating to any of the organization's operations (Page 8 of the PIPEDA Self-Assessment Tool). The OPC also stated that the DPO must review any new purpose(s) for which personal information is collected to determine if they are appropriate, and to consider and mitigate any potential privacy risks stemming from the new uses (Page 11 of the PIPEDA Self-Assessment Tool).

Furthermore, the OPC has stated that the DPO should develop an oversight and review plan annually that sets out how and when they will monitor and assess the organization's privacy management program's effectiveness. The plan should establish performance measures and include a schedule of when all policies and other program controls will be reviewed (Page 16 of the PMP Guide).

Importantly, other individuals within the organization may be delegated to act on behalf of the DPO as their representative (Schedule 1, Principle 4.1.1 of PIPEDA).

In addition, the identity of the DPO must be made known upon request and their name or title and the address of the DPO who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded, must be made readily available (Schedule 1, Principle 4.1.2 and Principle 4.8.2(a) of PIPEDA). Moreover, the OPC recommends that where appropriate, an organization publish the name or title and business address of the DPO internally and externally (for example on websites and in company literature), as well as be prepared to identify the DPO upon this information being requested (Page 7 of the PIPEDA Self-Assessment Tool).

7.6. Data breach notification

There is a general obligation for data breach notification. Under PIPEDA, notification of a privacy breach must be given to individuals, the OPC, and potentially other organizations (e.g. another organization, a government institution, or a part of a government institution) if that organization, government institution, or part concerned may be able to reduce the risk of the harm that could result from it or mitigate that harm, in the event of a breach of security safeguards where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Notification must be given as soon as feasible. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.

A person that contravenes PIPEDA's breach notification provisions may be found guilty of an offence punishable on summary conviction and liable to a fine not exceeding CAD 10,000 (approx. $7,420), or an indictable offence and liable to a fine not exceeding CAD 100,000 (approx. $74,207).

Alberta's laws require notice to the AB OIPC in the event that a breach gives rise to a real risk of significant harm, and the AB OIPC may require notification to individuals (although in practice notification is often provided to the AB OIPC and individuals simultaneously).

The amended Quebec Private Sector Act requires notice to the CAI and to affected individuals in cases where there is a risk of serious injury.

A number of sectoral statutes also contain relevant provisions. For example, under Ontario's Personal Health Information Protection Act (S.O., 2004, c. 3) Schedule A ('PHIPA') and its related regulation, health information custodians ('custodians') must notify the Information and Privacy Commissioner of Ontario about certain privacy breaches. Privacy breaches that require notification include situations where:

• there has been use or disclosure without authority;
• information has been stolen;
• there has been further use without authority after a breach;
• there has been a similar pattern of breaches;
• disciplinary action has been taken against a college member;
• disciplinary action has been taken against a non-college member; and
• there has been a significant breach, even if none of the above have occurred (for instance, where a healthcare practitioner accidentally discloses a patient's mental health assessment to other practitioners on a group email distribution list, rather than to just the patient's physician).

Ontario custodians are also required to notify individuals whose privacy has been breached where there has been a theft or loss of the individual's health information. Similarly, health care providers in New Brunswick are required, under New Brunswick's Personal Health Information Privacy and Access Act (SNB, 2009, c P-7.05) ('PHIPAA'), to notify their patients or clients as well as the Office of the Integrity Commissioner for New Brunswick if there is a privacy breach of their patients' or clients' personal health information.

PIPEDA requires that certain records be kept in relation to breaches for a period of two years after the breach is discovered.

7.7. Data retention

PIPEDA states that personal information must be retained only for as long as is necessary to fulfil the purposes for which it was collected, after which it should be securely destroyed, erased, or rendered anonymous. However, there are exceptions to this: an organization must retain information that is the subject of a request for access for as long as necessary to allow the individual to exhaust any recourse open to them in relation to the request; and information that has been used to make a decision about an individual must be retained long enough to allow the individual access to that information following the decision (or in Quebec, for at least one year following the decision).

A specifically identified purpose is often a clear indicator of how long information needs to be retained. In some cases, determining the appropriate retention period may be complex as there is no 'one-size-fits-all' retention period. For some organizations, there is a legislative requirement to keep information for a certain amount of time. In other instances, there may be no such requirement, and an organization needs to determine the appropriate retention period.

The amended Quebec Private Sector Act requires organizations to establish and implement governance policies and practices which provide a framework applicable to the retention and destruction of personal information. Organizations must publish detailed information about these policies and practices on their websites. The Act also requires organizations to destroy or anonymize data when the purposes for which it was collected or used have been achieved.

7.8. Children's data

PIPEDA and most private sector privacy laws do not address children's data specifically. The processing of children's data will require consideration of the sensitivity of the information, whether consent can be obtained from minors, and the requirements of the OPC's guidance regarding meaningful consent, among other considerations. The amended Quebec Private Sector Act prohibits the collection of personal information from a minor under the age of 14 years without the consent of the person having parental authority, unless collecting the information is clearly for the minor's benefit.

7.9. Special categories of personal data

Private sector privacy laws do not contain specific provisions regarding the processing of special categories of information. However, as noted above, these laws will vary in their application depending on whether information is sensitive, whether the information is of a 'publicly available' type listed in regulations to PIPEDA, and whether there are other statutes that may permit or restrict the processing of such information.

7.10. Controller and processor contracts

Privacy sector privacy laws require that organizations enter into contractual agreements which take into account privacy considerations when outsourcing the processing of personal information. Principle 1 of PIPEDA states that, 'An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.' The OPC has interpreted this provision as requiring, among other things, a contract which includes:

• a requirement for the processor to have privacy policies and processes in place, including training for its staff and effective security measures;
• a requirement that the information is properly safeguarded at all times; and
• a right to audit and inspect how the third-party handles and stores personal information.

Under the amended Quebec Private Sector Law, organizations also need to contractually specify limits on the use of personal information, retention limits, and requirements for the third party to provide notification of security incidents.

8. Data Subject Rights

8.1. Right to be informed

Canadian private sector privacy laws generally require the knowledge and consent of the individual, except in certain circumstances where consent is not required. Organizations must be open and transparent about their practices and inform individuals about the information collected, used, and disclosed, as well as the purposes for such activities, among other requirements. One way that organizations meet this obligation is through a public-facing privacy policy; this will soon be a statutory requirement for all organizations collecting personal information using technological means in Quebec.

The amended Quebec Private Sector Act also includes more specific disclosure obligations for organizations, including requirements to indicate whether there is a possibility that an individual's personal information will be communicated outside of Quebec, and to provide individuals with the names of the third parties or categories of third parties to whom it is necessary to communicate their personal information.

8.2. Right to access

Under Canadian data protection laws, individuals have a general right to obtain access to their personal information held by organizations. Access requests must be processed in accordance with the applicable statute, within prescribed timeframes. Organizations are permitted to refuse access only in enumerated circumstances, and generally must sever exempt information from non-exempt information where possible. For example, under PIPEDA, organizations may refuse access to personal information where, among other exceptions, the information is protected by solicitor-client privilege or would reveal confidential commercial information.

Requests for access to personal information under data protection statutes are relatively infrequent in Canada but are on the rise. They are often attempts to use such requests as a form of early litigation discovery by individual litigants and prospective litigants, including former employees. Organizations generally must process such requests, notwithstanding whether parallel litigation proceedings are in existence.

8.3. Right to rectification

The OPC has taken the position, in the Draft OPC Position on Online Reputation, that under PIPEDA, individuals should have the ability to remove information that they have posted online and has suggested that PIPEDA currently includes this right in relation to the right to withdraw consent. The amended Quebec Private Sector Act gives individuals the right to demand that an organization cease dissemination of their personal information or de-index any hyperlink that provides access to their information by a technological means. In most other Canadian provinces, it is unsettled whether the right to erasure currently exists, or to what extent it exists. The OPC has asked the Federal Court in a case reference to clarify the law on this point.

8.4. Right to erasure

The OPC has taken the position, in the Draft OPC Position on Online Reputation, that under PIPEDA, individuals should have the ability to remove information that they have posted online and has suggested that PIPEDA currently includes this right in relation to the right to withdraw consent. The amended Quebec Private Sector Act gives individuals the right to demand that an organization cease dissemination their personal information or de-index any hyperlink that provides access to their information by a technological means. In most other Canadian provinces, it is unsettled whether the right to erasure currently exists, or to what extent it exists.

8.5. Right to object/opt-out

Individuals have the right to submit complaints to organizations, to withdraw consent (subject to some limitations), and to file complaints with the OPC. Based on guidance from the OPC, opt-out consents are permissible under PIPEDA in limited circumstances involving non-sensitive information provided that a set of requirements are met.

8.6. Right to data portability

There is no specific right to data portability under PIPEDA, AB PIPA, or BC PIPA. The amended Quebec Private Sector Act will give individuals a right to data portability by providing that individuals may request that their personal information be communicated or transferred to the person or a third-party organization in a structured and commonly used format, subject to certain limits. The Quebec Private Sector Act's data portability rights will come into force on September 22, 2024.

8.7. Right not to be subject to automated decision-making

There is no specific right not to be subject to automated decision-making under PIPEDA, AB PIPA, or BC PIPA. The amended Quebec Private Sector Act requires organizations that make decisions based exclusively on the automated processing of personal information to notify the person concerned that the decision was made in this manner, and to provide the individual with certain additional information concerning the decision-making process upon request.

8.8. Other rights

Individuals have a range of rights pursuant to private sector privacy laws in Canada, many of which are linked to the rights of access, correction, and withdrawal of consent, and others which flow from the right to seek redress for violations of other requirements in the laws.

9. Penalties

The OPC and the provincial privacy commissioners have issued many findings, touching on virtually every aspect of data protection law, including those described above. The OPC has also recommended that in some cases an organization undertake an independent third-party audit to demonstrate that the organization is in compliance with PIPEDA. The OPC now has the ability to enter into compliance agreements with organizations in the wake of investigations and complaints. However, the OPC does not currently have the power to issue fines or penalties. The amended Quebec Private Sector Act gives the CAI new investigative and enforcement powers, including the authority to impose administrative monetary penalties for certain violations, up to the greater of CAD 10 million (approx. $7.4 million) or 2% of the organization’s worldwide turnover for the preceding fiscal year.

While historically privacy matters have less frequently been pursued in the courts, in recent years the landscape has changed dramatically in Canada. Courts have awarded damages for violations of privacy laws and privacy rights in a number of cases, and there has been a sharp increase in tort claims and related civil litigation and class action proceedings. Claimants now frequently forgo complaints to privacy commissioners and proceed directly to court to seek damages and other relief in respect of privacy matters or pursue both avenues of relief simultaneously. In a number of cases, claimants have obtained damages for privacy breaches, and certification of class actions, even in the absence of any pecuniary loss flowing from a breach. The current volume of privacy-related litigation, and certifications of class proceedings, is unprecedented in Canada.

As mentioned above, data protection issues are increasingly being addressed in the courts in Canada. British Columbia, Manitoba, Newfoundland and Labrador, Quebec, and Saskatchewan have enacted statutory torts or rights of private action for invasion of privacy. Common law privacy torts have also been recognized in other provinces. With the potential to obtain damages for breaches of privacy even in the absence of any pecuniary loss, claimants and class action counsel increasingly turn to the courts, not the privacy commissioners, for recourse in respect of privacy matters. In addition to torts of invasion of privacy, claimants also claim liability in contract, negligence, misrepresentation, waiver of tort, and other claims.

9.1 Enforcement decisions

See above list in 'Case Law' of notable decisions.