Canada: Data Protection in the Automotive Sector
There are no specific statutes or regulations at the federal or provincial level that expressly regulate data generated in the automotive sector, such as geolocation data, safety event data, or driver availability data. Instead, where data generated by a vehicle and collected by a manufacturer (or other entity) is not strictly about the vehicle itself and can be associated with an identifiable individual, the data will likely constitute 'personal information' and be subject to a patchwork of Canadian privacy laws.
Privacy law in the private sector in Canada is regulated both at the federal and provincial levels. At the federal level, the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA') applies to all private sector organisations collecting, using, or disclosing personal information in the course of commercial activities. In addition, three Canadian provinces, Alberta, British Columbia, and Quebec, have enacted provincial-level private sector privacy legislation, that applies to the collection, use, and disclosure of personal information by private sector organisations within those provinces. These include Alberta's Personal Information Protection Act, SA 2003 c P-6.5 ('the AB PIPA'), British Columbia's Personal Information Protection Act, SBC 2003 c 63 ('the BC PIPA'), Quebec's Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 ('the Quebec Act') and its Act to modernize legislative provisions as regards the protection of personal information, 2021, Chapter 25 ('the Amendment Act') (formerly known as Bill 64), and, to the extent a database of biometric identifiers is established, Quebec's Act to Establish a Legal Framework for Information Technology, c C-1.1 ('the Quebec Information Technology Act'). The AB PIPA, BC PIPA, and Quebec Act have been deemed substantially similar to PIPEDA.
Under these statutes, 'personal information' is defined as the mean information about an identifiable individual. Where the data generated by a vehicle and collected by a manufacturer (or other entity) is not strictly about the car itself and can be associated with an individual, the data will likely constitute 'personal information'.
There is no general cybersecurity law in Canada. In general, cybersecurity is regulated through security safeguard requirements provided for under Canadian private sector privacy laws, including data breach reporting, and through guidance from applicable regulators.
Computer program law
Additionally, Canada's Anti-Spam Legislation, SC 2010 c 23 ('CASL') regulates the installation of computer programs, including updates and upgrades. Section 8(1) of CASL provides that a 'person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless:
- (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5) [Section 11(5) of CASL deals with providing assistance for removing or disabling certain types of installed programs]; or
- (b) the person is acting in accordance with a court order'.
'Person' is defined broadly and includes, for example, an individual, partnership, corporation, or organisation.
CASL does not apply to computer programs installed by a person on their own computer system. This includes, for example, when an individual self-installs an app or software on their own system, or when a manufacturer installs an app or software on a system during manufacturing (although CASL may apply to any updates or upgrades pushed out by the manufacturer when they no longer own the system). Section 8(1) of CASL applies if the computer system is located in Canada or the person installing the computer program on the computer system is located in Canada at the relevant time or acting at the direction of a person who is in Canada at the time they give directions.
Automotive sector laws
Under Canadian law, the automotive sector is regulated both at the federal and provincial/territorial level. The federal Motor Vehicle Safety Act, SC 1993 c 16 ('MVSA') and its regulations establish safety rules that apply to the importation of motor vehicles and prescribed motor vehicle equipment, and the shipment of newly manufactured motor vehicles and designated equipment across provincial/territorial boundaries. The MVSA applies to companies that manufacture regulated vehicles or vehicle equipment in Canada, companies that distribute vehicles or equipment obtained from those manufacturers to other persons for the purpose of resale, importers of regulated vehicles or equipment into Canada for the purpose of sale, and persons who import regulated vehicles previously sold at the retail level in the US. The MVSA also regulates the temporary importation of non-compliant vehicles and equipment.
Each provincial government oversees various aspects of transportation in its respective province, including the establishment and maintenance of the provincial highway system, the licensing and training of vehicles and drivers, and the policing of provincial roads. For example, in Ontario (Canada's most populous province), the Ministry of Transportation has the responsibility for the administration and enforcement of the Highway Traffic Act, RSO 1990 c H.8 ('HTA'), which regulates the licensing of vehicles, classification of traffic offences, administration of loads, classification of vehicles, and other transport-related issues.
Prescribed classes of vehicles under the MVSA that are imported or sold in Canada must comply with Canada's Motor Vehicle Safety Regulations, CRC c 1038 and its associated Canadian Motor Vehicle Safety Standards ('CMVSS'), which sets out an extensive range of safety requirements that apply to vehicles, including those with connected vehicle technologies. Companies must certify that all new vehicles and equipment manufactured, shipped inter-provincially, or imported into Canada comply with the applicable safety standards set out in the CMVSS.
The Office of the Privacy Commissioner of Canada ('OPC') has not published any guidance expressly related to autonomous vehicles. However, the following resources from the OPC may be useful to the sector:
- Privacy guidance for manufacturers of Internet of Things devices;
- Captured on Camera: Street-level imaging technology, the Internet and you;
- Automated Facial Recognition in the Public and Private Sectors; and
- OPC Appearance before the Standing Committee on Transport, Infrastructure and Communities (TRAN) in relation to its study of Automated and Connected Vehicles in Canada.
In March 2020, Transport Canada published Canada's Vehicle Cyber Security Guidance ('the Cyber Guidance'), outlining risks and providing non-prescriptive guiding principles to assist automotive organisations with identifying, managing, and detecting cybersecurity risks throughout a vehicle's life cycle. The principles contained in the Cyber Guidance encourage organisations to:
- identify how they will manage cybersecurity risks;
- protect the vehicle ecosystem with appropriate safeguards;
- detect, monitor, and respond to cybersecurity events; and
- recover from cybersecurity events safely and quickly.
Transport Canada has also published its Vehicle Cyber Security Strategy objectives:
- incorporating vehicle cybersecurity considerations into policy and regulatory frameworks;
- promoting awareness and fostering a modernised, innovative approach to vehicle cybersecurity; and
- addressing emerging and adjacent issues in the vehicle cybersecurity landscape.
The voluntary Vehicle Cyber Security Assessment Tool ('VCAT') is available to help manufacturers and suppliers with their cybersecurity assessments of vehicles and vehicle parts. The VCAT is applicable to all vehicle types and levels of automation.
2. Key Definitions
Vehicle Information Number (sole or in combination with further identifiers): A number consisting of Arabic numerals, Roman letters, or both that the manufacturer assigns to the vehicle for identification purposes (Section 2(1) of the Motor Vehicle Safety Regulations). It is noteworthy that in Canada, a vehicle information number is referred to as a 'vehicle identification number'.
Geolocation data: 'Geolocation data' is not defined under Canadian privacy laws.
Telematic data: 'Telematic data' is not defined under Canadian privacy laws.
Biometric data: 'Biometric data' is not defined under Canadian privacy laws, although in Quebec, biometric information is regulated under a statute specifically addressed to this type of information. Biometric data can be considered a form of 'personal information' under PIPEDA (see 'Technological Context' under Part III of the PIPEDA Interpretation Bulletin - Personal Information ('the Personal Information Bulletin')) and provincial private sector privacy laws.
Metadata: Data that provides information about other data, for example information that is generated as somebody uses technology, including the who, what, where, when, and how of a variety of activities (see page 1 of the OPC's Metadata and Privacy: A Technical and Legal Overview).
Voice data: 'Voice data' is not defined under Canadian privacy laws. The OPC refers to this type of data as 'voice print' information. The OPC has noted that 'voiceprint is personal information even though it may not necessarily tell much about an individual. How much more it reveals about an individual will depend on how the voiceprint is used' (see 'Technological Context' under Part III of the Personal Information Bulletin).
Video data (inside/outside the vehicle): 'Video data' is not defined under Canadian privacy laws (for additional information, see the OPC's Guidelines for the Use of Video Surveillance of Public Places by Police and Law Enforcement Authorities).
Anonymisation (Please assess if data protection law applies for anonymised data in your jurisdiction): Recent amendments to the Quebec Act made pursuant to the Amendment Act will, as of September 2023, deem personal information to be 'anonymised' when it is, at all times, reasonable to expect in the circumstances that it irreversibly no longer allows the person to be identified, directly or indirectly.
Pseudonymisation (Please assess if data protection law applies for pseudonymised data in your jurisdiction): 'Pseudonymisation' is not specifically defined under Canadian privacy laws. The Quebec Act, as amended by the Amendment Act, will, as of September 2023, introduce 'de-identification' as a defined method to ensure personal information no longer allows the person to be directly identified.
Data Processing: 'Data processing' is not expressly defined under Canadian privacy laws.
Data Controller: 'Data controller' is not expressly defined under Canadian privacy laws. Canadian statutes refer to 'organisations' which are accountable for personal information in their custody and control and for compliance with privacy law requirements.
Data Processor: 'Data processor' is not defined under Canadian privacy laws, although such laws refer to 'service providers'.
Manufacturer: The definition for manufacturer was repealed under the Motor Vehicle Safety Regulations. However, 'manufacture', defined 'in relation to a vehicle, includes any process of assembling or altering the vehicle prior to its sale to the first retail purchaser' (Section 2 of the MVSA).
3. Supervisory Authority
Generally in the automotive sector, Transport Canada is the relevant supervisory authority, and can exercise investigative, compliance, and enforcement powers. For example, when a safety defect in a vehicle is suspected, including any safety defect caused by connected and automated vehicles technology, Transport Canada investigates and, if a defect is found, orders the manufacturer to take corrective action. Additionally, each provincial Ministry of Transportation regulates the provincial highway system, the licensing and training of vehicles and drivers, and the policing of provincial roads.
Where the data generated by an automated vehicle is 'personal information', Canadian privacy commissioners would be the authorities enforcing compliance with applicable privacy legislation. The relevant supervisory authority at the federal level is the OPC. Provincial privacy commissioners oversee and enforce the applicable provincial privacy statutes.
Organisations must make their policies and procedures easily available to individuals in a comprehensible form. This information must include the name or title and contact information of the person within the organisation accountable for its privacy policies and practices and to whom complaints or inquiries can be forwarded.
Companies in the automotive sector should be aware that privacy law is currently undergoing a period of significant reform in Canada. Importantly, early indications suggest that these reform efforts will likely bring automated decision making and other artificial intelligence ('AI') systems within the scope of private sector privacy laws. For instance, Quebec recently adopted the Amendment Act, which makes significant amendments to the Quebec Act. Among other changes, the amendments include new rules that require organisations to inform individuals if a decision about the individual is based exclusively on automated processing. Additionally, organisations must comply with an individual's request for the personal information that was used to make the decision and the reasons for the decision. Individuals also have a right to have the personal information used by the automated decision-making system corrected. These new obligations will come into force in September 2023.
A new federal proposal to reform PIPEDA is also expected imminently. Although the highly anticipated Bill C-11 for the Digital Charter Implementation Act, 2020 died on the order paper when the federal election was called in September 2020, it is expected that similar amendments will be introduced to bring federal private sector privacy regulations in line with the Quebec Act and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). It is expected that the new proposals will address transparency requirements that apply to automated decision-making systems, requiring businesses to explain how such systems are utilised. Further, Bill C-11 proposed rules governing how and when de-identified information derived from personal information may be created, used, and shared. Automotive companies operating in Canada should begin to prepare for the types of enhanced obligations and penalties previously proposed under Bill C-11.
Choice and consent
Meaningful consent is the main pillar of Canadian privacy law, and is the only legal basis to process personal information, except where consent exemptions apply. Given the complexities of the technology underlying connected vehicles, individuals may find it difficult to assess and make informed choices about how their personal information is handled. In order to ensure that the consent obtained from a user of the vehicle is meaningful, organisations should ensure that they describe data policies in plain and easy to understand language. Further, organisations need to provide the consumer with a real choice in terms of how their personal information is handled. Clear options to say 'yes' or 'no' need to be presented (see the OPC's Guidelines for Obtaining Meaningful Consent).
With the rise of cybersecurity threats across the world, Canadian consumers expect that their personal information will be safeguarded against unauthorised access, theft, and loss. Organisations that are subject to PIPEDA, the AB PIPA, and the Quebec Act must comply with mandatory breach reporting obligations, which require notification to privacy regulators, as well as individuals where there is a real risk of significant harm to individuals. In addition to costs incurred from cybersecurity incidents themselves, preparing these notifications can be very expensive for organisations who are not covered by adequate insurance or prepared with a comprehensive cyber incident response plan.
Both the amount and type of personal information collected must be limited to what is necessary to fulfil the identified purposes. An organisation cannot collect the information indiscriminately or through deception.
The use and disclosure of personal information must be limited to the purposes for which it was collected, except as required by law or with the consent of the individual. Retention guidelines and procedures should be developed. Personal information no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Guidelines and procedures governing the destruction of personal information are required.
An organisation is responsible for the personal information within its possession or custody, including information transferred to a third party for processing. Organisations must use contractual or other means to ensure that personal information transferred to a third party for processing receives a comparable level of protection. The organisation must appoint an individual who will be responsible for the organisation's compliance with privacy laws (namely, a privacy officer). The organisation must implement policies and practices to ensure compliance with privacy laws.
Under these laws, personal information may only be collected, used, and disclosed for purposes that a reasonable person would consider are appropriate in the circumstances. This reasonableness limitation applies even in situations where an individual has consented to the collection, use, and disclosure of their personal information. The practical implication for connected vehicles is that all data collection capabilities should be designed such that no more personal information than is reasonably necessary is collected, used, and disclosed.
Data sharing and international transfers
Generally, Canadian private sector privacy laws do not prohibit cross-border transfers of personal information. However, there are requirements that must be complied with if personal information is transferred outside of Canada. For instance, although equally applicable to transfers of personal information within Canada, PIPEDA requires organisations to use contractual or other means to ensure that personal information transferred to, or processed by, a third party on the organisation's behalf receives a comparable level of protection. To comply with these requirements, organisations typically enter into data protection agreements with their service providers.
Also, effective September 2023, a Privacy Impact Assessment ('PIA') will need to be carried out prior to communicating personal information outside of the Province of Quebec, as required by the Amendment Act.
Individuals are also entitled to be informed, subject to limited exceptions, of the existence, use, and disclosure of their personal information and to be given access to that information. All individual requests must be made in writing and must be addressed within a prescribed amount of time (typically 30 days). An individual may challenge the accuracy and completeness of the information and have the information amended as appropriate.
Privacy by Design
Effective September 2023, Quebec's Amendment Act will require private sector enterprises that collect personal information when offering a technological product or service to provide the highest level of confidentiality by default, without any intervention by the person concerned.
The same general data privacy principles for connected vehicles as outland in section 4 above would be relevant for autonomous driving.
Currently, some Canadian auto-insurers use telematic data to assess driving habits and determine savings. Insurers that collect personal information from telematic devices are subject to Canadian privacy laws. Telematics programs in the automotive insurance sector are voluntary and drivers must be fully informed of the data that the insurer will be tracking and collecting before being asked for express informed consent to the collection, use, and disclosure of this data by the insurer.
Organisations involved in the design and manufacture of connected or autonomous vehicles with telematic devices need to disclose the existence of the device to the consumer and outline the exact variables that the device will be collecting and the purposes for which the data collected will be used. In addition, the owner of the vehicle should be given the option to remove or disable the telematic device.
Geolocation information generated by vehicles for navigational purposes or for vehicle safety-related record keeping obligations could be capable of generating precise, comprehensive records of users' movements, habits, behaviours, and associations. This type of precise location data can be very challenging to fully anonymise and the potential impacts of sharing this information are well documented. Manufacturers should be aware that the Supreme Court of Canada has confirmed that individuals have legally protected privacy interests in personal information that might seem innocuous on its own, but when combined with other information can reveal intimate details about the individual.
Organisations should be very conscious of how much geolocation data they are collecting, and for how long, to ensure they meet the reasonableness standard under Canadian law. Canadian privacy regulators consider geolocation data to be a type of sensitive personal information and the use of geolocation data is currently under review by the OPC.
Privacy protections should be built into the very design of connected vehicles, as opposed to being considered as an after-thought. Therefore, manufacturers have a big role to play in the practical implementation of fair information principles. For example, it may not be possible for a company to obtain necessary consent from all involved parties, such as pedestrians whose images are captured by cameras. Manufacturers should consider automatically deleting or de-identifying this information soon after it is captured to reduce potential risks to these third parties.
The OPC recommends using a variety of communications strategies - including 'just-in-time' notices, interactive tools, and customised mobile interfaces - to explain privacy practices. Manufacturers should take heed of such recommendations and think of ways to efficiently incorporate these strategies into the vehicle design (see the OPC's Privacy guidance for manufacturers of Internet of Things devices).
- Internet connectivity and eSIM management: The federal Telecommunications Act, SC 1993 c 38 would apply to vehicles offered with embedded SIM cards and access to the internet. To the extent that these vehicles collect, use, and disclose 'personal information', they would be subject to Canadian privacy laws, as outlined above.
- Test drives (automated and non-automated vehicles): Some Canadian provinces, such as Manitoba and Ontario, have launched pilot projects, testing autonomous and connected vehicles on public roads. In Ontario, the Automated Vehicle Pilot Program allows for driverless testing of SAE Level 4 and 5 vehicles under certain safety conditions, including the presence of a driver that is able to control the car, if required. The minimum safety requirements that trial organisations need to follow when operating in Canada can be found in the Guidelines for Testing Automated Driving Systems in Canada Version 2.0.
- Vehicle smart home integration: To the extent that these integrations collect, use, and disclose 'personal information', they would be subject to Canadian privacy law, as outlined above.
- Non-car connected vehicles (e.g. connected rental bicycles and scooters): To the extent that these vehicles collect, use, and disclose 'personal information', they would be subject to Canadian privacy law, as outlined above.