May 18, 2021

About the Author

  • Doug Tait

    Doug Tait is an experienced business lawyer focusing on corporate and commercial matters with an emphasis on information security.

    bdt@tdslaw.com
    (204) 934-2440

  • Kendall (Dell) Dyck

    Dell practices primarily in Privacy and Data Protection law, Wills and Estate Planning Administration, and Aboriginal law. She uses she/her pronouns.

    knd@tdslaw.com
    (204) 934-2473

This article appears as part of Lexology’s Getting The Deal Through series.

Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

In Canada, four private-sector privacy enactments provide the framework for the protection of PII. These are:

  • Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA);
  • the province of Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector (Private Sector Act (QC));
  • the province of Alberta’s Personal Information Protection Act (PIPA (AB)); and
  • the province of British Columbia’s Personal Information Protection Act (PIPA (BC)).

PIPEDA governs the interprovincial and international collection, use or disclosure of PII by private-sector organisations in the course of carrying out commercial activities for profit. It also has application to employee PII in federally regulated organisations (eg, banks, airlines, railways and telecommunication companies).

PIPEDA also applies within all provinces and territories in Canada, except Quebec, Alberta and British Columbia. The Private Sector Act (QC), PIPA (AB) and PIPA (BC) have been deemed substantially similar to PIPEDA and, as such, PIPEDA does not apply to private-sector organisations carrying out commercial activities wholly within those provinces.

While the Private Sector Act (QC), PIPA (AB) and PIPA (BC) have each been deemed substantially similar to PIPEDA, there are differences in the details of each. These provincial laws apply, generally speaking, to all private-sector organisations concerning the collection, use and disclosure of PII in the course of carrying out commercial activities and to employees’ PII. The Private Sector Act (QC) also applies to the private sector’s collection, use and disclosure of health PII.

Health information privacy legislation in the provinces of Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador has been deemed substantially similar to PIPEDA and applies to health PII within those provinces. In those provinces and territories where health information privacy legislation has not been deemed substantially similar to PIPEDA, both the provincial or territorial health information privacy legislation and PIPEDA may apply.

Privacy matters involving public-sector institutions are governed by a variety of federal, provincial and territorial public-sector privacy legislative enactments.

Certain provinces have enacted legislation recognising invasion of privacy as a statutory tort, while there are also various offences within the Criminal Code (Canada) regarding the invasion of privacy.

 

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

There is no single regulatory authority dedicated to overseeing and enforcing data protection laws in Canada. The applicable regulatory authority varies based upon whether the matter is appropriately covered by federal or provincial privacy laws.

While the Office of the Privacy Commissioner of Canada (OPC) oversees and enforces PIPEDA, each province and territory of Canada has a commissioner or ombudsperson responsible for overseeing and enforcing its own provincial or territorial privacy legislation. In the case of Quebec, Alberta and British Columbia, their privacy legislation is overseen and enforced by the Commission d’accès à l’information du Quebec (CAI), the Office of the Information & Privacy Commissioner of Alberta and the Office of the Information & Privacy Commissioner for British Columbia, respectively.

Under PIPEDA, the OPC has the power to investigate complaints made by individuals. The OPC can also initiate an investigation based on reasonable grounds to believe that a matter warrants it. Under its investigatory power, the OPC has the power to summon witnesses to give oral or written evidence, inspect documents and compel the production thereof, and inspect premises other than a dwelling house. The OPC, upon having reasonable grounds to believe that an organisation is contravening PIPEDA, has the authority to audit the organisation’s personally identifiable information practices, including:

  • examining the policies, procedures and practices of an organisation;
  • exploring the physical and security controls of an organisation; and
  • inspecting an organisation’s incident response management protocols.

The CAI, under Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector, and the Commissioners, under Alberta’s Personal Information Protection Act and British Columbia’s Personal Information Protection Act, each have similar investigatory powers, and where necessary, the power to conduct an inquiry. Following an inquiry, each also has the power to issue orders.

 

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

There are no legal obligations on Canadian data protection authorities to cooperate with other data protection authorities. However, the OPC has the express authority under PIPEDA to share information with provincial and territorial counterparts in the context of an ongoing or potential investigation of a complaint or audit. Canadian privacy commissioners and ombudspersons may also develop and publish joint publications or guidelines related to the protection of PII. The OPC may also share information with a foreign data protection counterpart pursuant to a written information-sharing arrangement.

 

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

In Canada, breaches of federal and provincial privacy laws can result in sanctions or orders, or criminal penalties.

Under PIPEDA, certain breaches can, if an organisation is found guilty, result in monetary fines. However, as it currently stands, the OPC does not have the authority under PIPEDA to prosecute offences or issue fines. As such, where the OPC believes an offence has been committed, the matter must be referred to the office of the Attorney General of Canada, which, after its own investigation, determines whether to prosecute.

 

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) does not cover any private-sector, for-profit, commercial organisation operating wholly within the provinces of Quebec, Alberta and British Columbia, nor does it cover employee personally identifiable information (PII) of private-sector, for-profit, commercial organisations that are not federally regulated. It also does not cover organisations that are not engaged in for-profit commercial activities (eg, generally speaking, not-for-profits, charities and political parties).

Organisations that collect PII solely for ‘journalistic, artistic or literary purposes’ are also exempt from PIPEDA.

 

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

Electronic marketing is regulated by the Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act and its regulations (as amended). This legislation is commonly called Canada’s Anti-Spam Legislation (CASL).

PIPEDA will apply to the same activities where the processing of PII is involved.

Private-sector privacy laws generally permit overt or covert video surveillance and the recording of phone calls, but both must be balanced against an individual’s right to privacy and must serve a specific purpose. As a general rule, organisations should consider less intrusive means of achieving the same end before conducting video surveillance. Also, certain provinces have enacted statutory privacy torts for violation of privacy, under which surveillance or the listening to, or recording of, a conversation may be a violation of an individual’s privacy.

The Criminal Code sets out privacy-related offences, specifically the interception of communications, as well as provisions governing how law enforcement may obtain judicial authorisation to conduct electronic surveillance for criminal investigations.

 

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Numerous federal and provincial laws provide for specific privacy and data protection rules and laws that apply to, among other things, banking, credit unions, financial transactions, electronic commerce, consumer credit reporting, health and health records or data that contains specific confidentiality provisions concerning PII that is collected.

 

PII formats

What forms of PII are covered by the law?

The basic concept in Canadian privacy law is that PII is any information, recorded or not, about an identifiable individual, regardless of what format it may be held in. Examples of PII are:

  • age, name, assigned identification numbers, income, ethnic origin, religion, marital status, fingerprints or blood type;
  • opinions, evaluations, comments, social status or disciplinary actions;
  • education, medical, criminal and employment histories;
  • information about financial transactions; and
  • employee files, credit records, loan records and medical records.

 

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

PIPEDA is silent as to its territorial scope. However, the Federal Court of Canada has held that, in the absence of language clearly limiting its application to Canada, PIPEDA can be interpreted to apply in all circumstances in which there exists a ‘real and substantial link’ between an organisation’s activities and Canada.

 

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

Under PIPEDA, the organisation that determines the purpose of collection and collects, uses and discloses the PII is in control of that information. The same organisation may also process the PII itself or transfer it to a third party (either within or outside of Canada) for processing. Even though PII may be transferred to a third party for processing, it is the controlling organisation that remains in control of, and is ultimately responsible for, the PII.

 

Law stated date

Correct on

Give the date on which the information above is accurate.

18 May 2021.

