published 07/27/2022
Updated for 2022
This article was first written in May 2021 as part of Lexology's Getting The Deal Through series.
Law and the regulatory authority
Legislative framework
Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?
In Canada, four private sector privacy enactments provide the framework for the protection of PI. These are:
- Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA);
- the province of Quebec's An Act Respecting the Protection of Personal Information in the Private Sector (Private Sector Act (QC));
- the province of Alberta’s Personal Information Protection Act (PIPA (AB)); and
- the province of British Columbia’s Personal Information Protection Act (PIPA (BC)).
PIPEDA governs the interprovincial and international collection, use or disclosure of PI by private sector organisations in the course of carrying out commercial activities for profit. It also has application to employee PI in federally regulated organisations (such as banks, airlines, railways and telecommunication companies).
PIPEDA also applies within all provinces and territories in Canada, except Quebec, Alberta and British Columbia. The Private Sector Act (QC), PIPA (AB) and PIPA (BC) have been deemed substantially similar to PIPEDA and, as such, PIPEDA does not apply to private sector organisations carrying out commercial activities wholly within those provinces.
While the Private Sector Act (QC), PIPA (AB) and PIPA (BC) have each been deemed substantially similar to PIPEDA, there are differences in the details of each. These provincial laws apply, generally speaking, to all private sector organisations with respect to the collection, use and disclosure of PI in the course of carrying out commercial activities and to employees’ PI.
The Private Sector Act (QC) has recently been amended by Bill 64, which introduced significant changes that will come into effect in 2022, 2023 and 2024. While it does not address territorial scope, it is drafted broadly and includes new obligations that suggest it may be applied to organisations outside of Quebec that deal with the PI of Quebec residents. For example, there is a new requirement to conduct a privacy impact assessment when PI of Quebec residents is being transferred outside of Quebec, or where an organisation has entrusted a third party located outside Quebec with collecting, using, disclosing or retaining PI on its behalf.
Health information privacy legislation in the provinces of Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador has been deemed substantially similar to PIPEDA and applies to health PI within those provinces. In those provinces and territories where health information privacy legislation has not been deemed substantially similar, PIPEDA may also apply.
Privacy matters involving public sector institutions are governed by a variety of federal, provincial and territorial public sector privacy legislative enactments.
Certain provinces have enacted legislation recognising the invasion of privacy as a statutory tort, and there are also various offences within the Criminal Code (Canada) regarding the invasion of privacy.
Data protection authority
Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?
There is no single regulatory authority dedicated to governing data protection laws in Canada. The applicable authority varies based upon whether the matter is covered by federal or provincial privacy laws.
While the Office of the Privacy Commissioner of Canada (OPC) enforces PIPEDA, each province and territory of Canada has a commissioner or ombudsperson responsible for its own provincial or territorial privacy legislation. In the case of Quebec, Alberta and British Columbia, their privacy legislation is overseen and enforced by the Commission d’accès à l’information du Québec (CAI), the Office of the Information & Privacy Commissioner of Alberta and the Office of the Information & Privacy Commissioner for British Columbia, respectively.
Under PIPEDA, the OPC has the power to investigate complaints made by individuals or to initiate an investigation itself based on reasonable grounds to believe that a matter warrants it. The OPC has the power to summon witnesses to give oral or written evidence, inspect documents and compel their production, and inspect premises other than a dwelling house. The OPC, upon having reasonable grounds to believe that an organisation is contravening PIPEDA, can audit the organisation’s personal information practices, including examining its policies, procedures and practices, examining its physical and security controls, and inspecting its incident response management protocols.
The CAI, under the Private Sector Act (QC), and the commissioners under PIPA (AB) and PIPA (BC) each have similar investigatory powers and, where necessary, the power to conduct an inquiry. Following an inquiry, each also has the power to issue orders.
Cooperation with other data protection authorities
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
There are no legal obligations on Canadian data protection authorities to cooperate with other data protection authorities. However, the OPC and the commissioners in the three provinces that have substantially similar legislation (Quebec, BC and Alberta) have entered into a memorandum of understanding intended to create a framework for greater collaboration between the offices, streamline investigations and promote greater harmonisation in the application of the laws. The OPC may also share information with a foreign data protection counterpart pursuant to a written information sharing arrangement.
Breaches of data protection law
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
In Canada, breaches of federal and provincial privacy laws can result in sanctions or orders, or criminal penalties.
Under PIPEDA, certain breaches can, if an organisation is found guilty, result in monetary fines. However, as it currently stands, the OPC does not have the authority under PIPEDA to prosecute offences or issue fines. As such, where it believes an offence has been committed, the matter must be referred to the office of the Attorney General of Canada, which, after its own investigation, determines whether to prosecute.
Effective 22 September 2023, the Private Sector Act (QC) will provide three different types of enforcement mechanisms: penal offences, administrative monetary penalties (AMPs) and a private right of action. The CAI will have the power to institute penal proceedings that may result in a fine of up to C$25 million or 4 per cent of worldwide turnover, which will be imposed by the Court of Quebec. A person designated by the CAI, but who is not a member of the CAI, will have the power to impose AMPs in certain circumstances of up to C$10 million or 2 per cent of worldwide turnover. Individuals will have the ability to claim punitive damages when organisations infringe their rights, causing an injury, either intentionally or through gross negligence.
Scope
Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies only to PI collected, used or disclosed during a commercial transaction (with some exceptions), or relating to the employee of a federally regulated industry. It does not cover any private sector, for profit, commercial organisation operating wholly within the provinces of Quebec, Alberta and British Columbia, nor does it cover the PI of employees of private sector, for profit, commercial organisations that are not federally regulated. It also generally does not cover organisations that are not engaged in for profit commercial activities (such as not-for-profits, charities and political parties). Organisations that collect PI solely for ‘journalistic, artistic or literary purposes’ are also exempt from PIPEDA.
BC’s Office of the Information and Privacy Commissioner (OIPC) recently received a complaint and conducted an investigation into whether its Personal Information Protection Act applied to the Conservative Party of Canada, the Green Party of Canada, the Liberal Party of Canada or the New Democratic Party of Canada. The OIPC found that each is an organisation within the meaning of British Columbia’s Personal Information Protection Act (PIPA), and that PIPA (BC) is not inapplicable to them. That decision is currently the subject of judicial review.
Effective 22 September 2023, Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector (the Private Sector Act (QC)) will provide that political parties, independent members and independent candidates governed by Quebec’s Election Act will be subject to the majority of the Private Sector Act (QC), with specific exceptions.
Interception of communications and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?
Electronic marketing is regulated by legislation commonly known as Canada’s Anti-Spam Legislation (CASL). PIPEDA will apply to the same activities where the processing of personal information is involved.
Private sector privacy laws generally permit overt or covert video surveillance and the recording of phone calls, but both must be balanced against an individual’s right to privacy and must serve a specific purpose. As a general rule, organisations should consider less intrusive means of achieving the same end before conducting video surveillance. In addition, certain provinces have enacted statutory privacy torts for violation of privacy, under which surveillance or the listening to, or recording of, a conversation may be a violation of an individual’s privacy.
The Criminal Code sets out privacy-related offences, specifically the interception of communications and provisions governing how law enforcement may obtain judicial authorisation to conduct electronic surveillance for criminal investigations.
Other laws
Are there any further laws or regulations that provide specific data protection rules for related areas?
Numerous federal and provincial laws provide specific privacy and data protection rules that apply to, among other things, banking, credit unions, financial transactions, electronic commerce, consumer credit reporting, and health and health records, or contain specific confidentiality provisions concerning the PI that is collected.
PI formats
What categories and types of PI are covered by the law?
The basic concept in Canadian privacy law is that PI is any information, recorded or not, about an identifiable individual, regardless of what format it may be held in. Examples of PI are:
- age, name, assigned identification numbers, income, ethnic origin, religion, marital status, fingerprints or blood type;
- opinions, evaluations, comments, social status or disciplinary actions;
- education, medical, criminal and employment histories;
- information about financial transactions; and
- employee files, credit records, loan records and medical records.
Extraterritoriality
Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?
PIPEDA is silent as to its territorial scope. However, the Federal Court of Canada has held that, in the absence of language clearly limiting its application to Canada, PIPEDA can be interpreted to apply in all circumstances in which there exists a ‘real and substantial link’ between an organisation’s activities and Canada.
Covered uses of PI
Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?
Under PIPEDA, the organisation that determines the purpose of collection and collects, uses and discloses the PI is in control of that information. The same organisation may also process the PI itself or transfer it to a third party (either within or outside of Canada) for processing. Even though PI may be transferred to a third party for processing, it is the controlling organisation that remains in control of, and is ultimately responsible for, the PI.
Law stated date
Correct on
Give the date on which the information above is accurate.
24 May 2022.