Global Data Privacy Guide
Canada (Federal Law)
Firm
McInnes Cooper
Contributors
David Fraser
What is the key legislation?

At the federal level, private-sector privacy is governed by the Personal Information Protection and Electronic Documents Act ("PIPEDA"), while public-sector handling of personal information in Canada is governed by the Privacy Act (Canada) and its provincial equivalents.

Some provinces also have private-sector legislation. Those of Quebec, Alberta and British Columbia have been deemed substantially similar to PIPEDA and are therefore the applicable law for private-sector businesses in those provinces, other than "federal works, undertakings or businesses". The relevant statutes are the Alberta Personal Information Protection Act ("AB PIPA"), the British Columbia Personal Information Protection Act ("BC PIPA") and the Quebec Act respecting the protection of personal information in the private sector ("QC Act") (together, the "provincial private sector Acts").

Entities seeking to do business in Canada should familiarize themselves with the application (which may be concurrent) of other legislation in relation to PIPEDA and the Privacy Act.

Note:

For entities doing business in Canada, the key privacy legislation is PIPEDA. If the collection, use or disclosure of personal information occurs wholly within Alberta, British Columbia or Quebec, the private sector privacy statutes of those provinces (AB PIPA, BC PIPA and the QC Act, respectively) apply in place of PIPEDA.

PIPEDA is centred on a model of informed consent, giving individuals control over how commercial entities collect, use or disclose their personal information. Certain exceptions have been carved out of the general knowledge and consent requirements to reflect practical realities and the need to balance privacy with other important societal interests. PIPEDA incorporates the fair information principles by adopting, as its Schedule 1, the Canadian Standards Association's Model Code for the Protection of Personal Information (CAN/CSA-Q830-96).

The Privacy Act, which governs the handling of personal information by the federal public sector, may also matter for the interactions and communications that private-sector entities have with the federal government.

Reflecting the constitutional division of powers in a federal state, other federal and provincial legislation applies alongside PIPEDA and the Privacy Act. Each province and territory has public-sector privacy legislation. The health privacy statutes of Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador, which apply to health information handled by health information custodians, have also been deemed substantially similar to PIPEDA. There are further federal and provincial sector-specific privacy laws.
What data is protected?

PIPEDA protects information about an identifiable individual. It expressly excludes business contact information. AB PIPA and BC PIPA also regulate the collection, use and disclosure of personal employee information.

Note:

PIPEDA and the Privacy Act protect "personal information", defined broadly as "information about an identifiable individual". The definition has generally been understood to cover information that identifies an individual on its own, as well as information that can identify the individual when combined with other reasonably available information. The test is identifiability, not the presence of a name: an account number, device identifier or other pseudonymous token can be personal information where it can reasonably be linked back to a person.

PIPEDA expressly excludes business contact information (an individual's name, title, work address, work telephone or fax number and work e-mail address) where it is collected, used or disclosed solely to communicate with the individual in relation to their employment, business or profession.

AB PIPA defines "personal employee information" as personal information in respect of a potential, current or former employee that is reasonably required by the organization for the purposes of establishing, managing or terminating an employment or volunteer-work relationship, or managing a post-employment or post-volunteer-work relationship, but does not include information that is unrelated to that relationship.

BC PIPA's definition of "employee personal information" is similar: it is personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about the individual's employment.
Who is subject to privacy obligations?

Generally speaking, PIPEDA applies to private-sector organizations and the Privacy Act applies to the federal public sector. Certain exceptions may apply, depending on the province of operation, whether an industry is federally regulated, whether the data moves across borders or, in the case of the public sector, the level of government involved. As mentioned above, other federal and provincial legislation may also operate concurrently. Provincially regulated private sector organizations in Alberta, British Columbia and Quebec are subject to AB PIPA, BC PIPA and the QC Act, respectively.

Note:

PIPEDA governs the collection, use or disclosure of personal information by private-sector organizations in the course of commercial activities, except for businesses in Quebec, Alberta and British Columbia, where substantially similar provincial legislation applies. A private-sector organization carrying on business anywhere in Canada is nonetheless subject to PIPEDA if the personal information it collects, uses or discloses crosses provincial or national borders, regardless of the province in which it is based.

PIPEDA also applies across Canada to federally regulated works, undertakings or businesses (e.g., banks, airlines, telecommunications companies), including their handling of health information and employee information. PIPEDA does not apply to the employee information of organizations that are not federally regulated.

PIPEDA does not apply to the non-commercial activities of not-for-profit organizations, charities or political parties.

Under PIPEDA, an "organization" includes an association, a partnership, a person and a trade union. Under BC PIPA, "organization" also includes a trust or a not-for-profit organization.
What are the principles applicable to personal data processing?

Generally, under PIPEDA (as well as the provincial private sector Acts), personal information may be collected only for a reasonable purpose and with the knowledge and consent of the individual. PIPEDA provides statutory exceptions where knowledge, or knowledge and consent, are not required, as well as a carve-out for the employment relationship. Under AB PIPA and BC PIPA, employee personal information can be collected without consent, provided the employee is notified of the collection and its purposes.

Note:

The general rule in PIPEDA is collection for an appropriate purpose with the consent of the individual. While allowing for different methods of consent, PIPEDA provides that consent is valid only if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting. Consent must be "meaningful": individuals must be given clear information explaining what the organization is doing with their information. The Privacy Commissioner of Canada has published guidelines for obtaining meaningful consent.

Exceptions to the knowledge or consent requirement include the collection of personal information where:
- it is clearly in the interests of the individual and consent cannot be obtained in a timely way;
- it is reasonable to expect that collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information, and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
- it is contained in a witness statement and the collection is necessary to assess, process or settle an insurance claim;
- it was produced by the individual in the course of their employment, business or profession and the collection is consistent with the purposes for which the information was produced;
- the collection is solely for journalistic, artistic or literary purposes;
- the information is publicly available and is specified by the regulations; or
- the collection is made for the purpose of making a disclosure:
  - to a government institution in relation to suspected national security matters, or where there are reasonable grounds to believe that an offence has been, is being or is about to be committed; or
  - that is required by law.

PIPEDA also provides consent exceptions for personal information collected by federally regulated entities in the context of an employment relationship (i.e., to establish, manage or terminate that relationship), as long as the individual has been informed that the information is or may be collected and for what purpose.

Under AB PIPA and BC PIPA, employee personal information can be collected without the consent of the individual where the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual (or, in Alberta, managing a post-employment or post-volunteer-work relationship with the individual), and the individual is notified of the collection and its purposes.
How is the processing of personal data regulated?

Generally, under PIPEDA (as well as the provincial private sector Acts), personal information may be used and disclosed only for an appropriate purpose and with the knowledge and consent of the individual. PIPEDA provides statutory exceptions where knowledge, or knowledge and consent, are not required, including carve-outs for business transactions and the employment relationship. Under AB PIPA and BC PIPA, employee personal information can be used or disclosed without the consent of the individual, provided the employee is notified of the use or disclosure and its purposes are related to the work relationship as set out in the statutes.

Note:

The general rule in PIPEDA (as well as the provincial private sector Acts) is use for an appropriate purpose with the consent of the individual. While allowing for different methods of consent, PIPEDA provides that consent is valid only if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.

Exceptions to the knowledge or consent requirement include the use of personal information where:
- in the course of its activities, the organization becomes aware of information that it has reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for the purpose of investigating that contravention;

These exceptions also permit use without consent of personal information that the organization collected for another purpose. Organizations may also use personal information without the knowledge or consent of individuals in certain circumstances related to prospective and completed business transactions, including information collected for another purpose. This exception does not apply, however, to transactions whose primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information.

PIPEDA also includes a carve-out for personal information collected by federally regulated entities in the context of an employment relationship (i.e., to establish, manage or terminate that relationship), as long as the individual has been informed that the information is or may be collected, used or disclosed for that purpose. This includes information that was collected for another purpose. Similarly, AB PIPA and BC PIPA allow the use and disclosure of employee personal information without consent in the context of an employment relationship, provided the employee is made aware of the use or disclosure before it occurs.
How are storage, security and retention of personal data regulated?

Under PIPEDA and the provincial private sector Acts, personal information may be used or disclosed only for the purposes for which it was collected, except with the consent of the individual or as required by law.

Note:

Under PIPEDA and the provincial private sector Acts, personal information may be used or disclosed only for the purposes for which it was collected, except with the consent of the individual or as required by law. Personal information must be retained only as long as necessary to fulfil those purposes, but should be kept long enough to allow an individual to exhaust any recourse in relation to access or correction. PIPEDA also requires organizations to develop guidelines and implement procedures governing the retention of personal information, and to destroy, erase or anonymize personal information once the stated purposes have been met.

On security, PIPEDA's safeguards principle (Schedule 1, Principle 4.7) requires that personal information be protected by security safeguards appropriate to its sensitivity, covering physical, organizational and technological measures, and that care be taken in the disposal or destruction of personal information to prevent unauthorized access. AB PIPA, BC PIPA and the QC Act impose comparable obligations to make reasonable security arrangements against unauthorized access, collection, use, disclosure, copying, modification or disposal.
What are the data subjects' rights?

PIPEDA and the provincial private sector Acts provide rights of access to and correction of personal information.

Note:

PIPEDA and the provincial private sector Acts provide rights of access to and correction of personal information. PIPEDA requires that organizations assist with and respond to requests from individuals within 30 days of receipt, with the possibility of extending the time limit in certain circumstances (in Alberta, the response period is 45 days). A refusal must be made in writing, with reasons, and only on the grounds set out in the statute.

Generally, access must be refused if it would likely reveal personal information about a third party; however, where that third-party information can be severed from the record, the organization must sever it and provide access to the remainder.
Are there restrictions on cross-border data transfers?

PIPEDA does not include any restrictions on international transfers of personal data.

Note:

PIPEDA does not prohibit or formally restrict international transfers of personal data. An organization remains accountable, however, for personal information it transfers to a third party for processing, and must use contractual or other means to provide a comparable level of protection while the information is being processed by that third party (Schedule 1, Principle 4.1.3). The substantially similar provincial privacy laws should also be reviewed with regard to any cross-border transfer of personal data. The QC Act, for instance, includes requirements relating to the transfer of personal information outside Quebec.

Under AB PIPA, when an organization uses a service provider outside Canada to collect personal information, it must notify the individual, at or before the time of collection, of the way in which they may obtain written information about the organization's policies and practices with respect to service providers outside Canada, and of the name or position of a person who can answer questions about the collection. In addition, the organization's privacy policies must state the countries outside Canada in which the collection, use, disclosure or storage of personal information will take place and the purposes for which the service provider is authorized to do so on the organization's behalf.
Are there any notification requirements for data breaches?

There are formal breach notification requirements under PIPEDA, as amended by the Digital Privacy Act, as well as under AB PIPA.

Note:

Since November 1, 2018, organizations subject to PIPEDA (as amended by the Digital Privacy Act) have had breach response obligations with respect to any breach of security safeguards. These obligations are set out in PIPEDA and the Breach of Security Safeguards Regulations [1]. Where it is reasonable to believe that a breach creates a real risk of significant harm to an individual, the organization must report the breach to the Office of the Privacy Commissioner of Canada and notify the affected individuals as soon as feasible after determining that the breach has occurred, and must also notify any other organization or government institution that may be able to reduce the risk of harm. Organizations must keep a record of every breach of security safeguards, whether or not it meets the harm threshold.

AB PIPA includes a comparable requirement (reporting to the Information and Privacy Commissioner of Alberta where a real risk of significant harm exists), together with a penalty for failing to notify. The content of the notice is set out in the Personal Information Protection Act Regulation [2]. Many provincial health privacy laws similarly require formal breach responses.

[1] http://gazette.gc.ca/rp-pr/p2/2018/2018-04-18/html/sor-dors64-eng.html
[2] https://www.canlii.org/en/ab/laws/regu/alta-reg-366-2003/latest/alta-reg-366-2003.html
Who is the privacy regulator?

The federal privacy regulator is the Privacy Commissioner of Canada. Each province and territory also has a privacy commissioner or ombudsperson responsible for overseeing its own legislation. In Alberta, the regulator is the Information and Privacy Commissioner of Alberta; in British Columbia, the Information and Privacy Commissioner for British Columbia; and in Quebec, the Commission d'accès à l'information du Québec.

Note:

The federal privacy regulator is the Privacy Commissioner of Canada, who is an Officer of Parliament: https://www.priv.gc.ca/en/. Complaints arising under PIPEDA and the Privacy Act may be taken to the Privacy Commissioner, who is empowered to make information public and to bring matters before the Federal Court of Canada; the Court can enjoin organizations from certain practices and award damages for contraventions of the privacy laws.

Each province and territory also has a privacy commissioner or ombudsperson responsible for overseeing the provincial or territorial legislation. Each is an independent officer of the legislature who works independently of the government to protect the information access and privacy rights of those in the province. See https://www.oipc.ab.ca/, https://www.oipc.bc.ca/ and http://www.cai.gouv.qc.ca/english/.
What are the consequences of a privacy breach?

There are formal record-keeping and notice obligations relating to breaches of security safeguards under PIPEDA, as amended by the Digital Privacy Act. Knowingly failing to comply with these obligations is an offence punishable by a fine of up to $100,000. Under AB PIPA, failure to report a breach in accordance with the legislation can result in fines of up to $10,000 for individuals and up to $100,000 for organizations.

Note:

Since November 1, 2018, there have been formal obligations and consequences relating to breaches of security safeguards under PIPEDA, as amended by the Digital Privacy Act. These obligations are set out in PIPEDA and the Breach of Security Safeguards Regulations. They include keeping records of all breaches of security safeguards, reporting to the Office of the Privacy Commissioner of Canada, and notifying individuals where it is reasonable to believe that the breach creates a real risk of significant harm. The substantially similar provincial privacy laws should also be reviewed in the event of a privacy breach. As noted above, AB PIPA, for instance, includes this kind of requirement along with a penalty for non-notification.
How is electronic marketing regulated?

The primary legislation regulating electronic marketing is Canada's anti-spam law, generally known as "CASL". Consumer protection legislation may also come into play, depending on the province or the sector involved.

Note:

The primary legislation regulating electronic marketing is Canada's anti-spam law, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act ("CASL"). CASL is enforced jointly by the Canadian Radio-television and Telecommunications Commission, the Competition Bureau and the Office of the Privacy Commissioner of Canada. CASL is a complex opt-in regime with significant penalties for non-compliance. It applies to commercial electronic messages that are sent from, or accessed by, a computer system located in Canada. Consumer protection legislation may also come into play, depending on the province or the sector involved.
Are there any recent developments or expected reforms?

In 2020, Bill C-11, the Digital Charter Implementation Act, 2020 (formally, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts), was introduced. It would have replaced PIPEDA with the Consumer Privacy Protection Act ("CPPA"). The new law would bring Canadian private-sector privacy law closer to the GDPR, including new penalties and enforcement mechanisms, revised consent requirements and exceptions, algorithmic transparency, clearer rules on de-identification, and a right to data portability. Although the Bill had been expected to take effect in 2021 or 2022, it died on the Order Paper when Parliament was dissolved for the 2021 federal election, creating uncertainty about when a new privacy law will be enacted and whether it will resemble Bill C-11.

Amendments to the QC Act, intended to modernize the law and bring it more in line with the GDPR, come into force in three stages: September 2022, September 2023 and September 2024. The 2022 amendments include mandatory reporting of "confidentiality incidents", consent exceptions for commercial transactions and research, and new disclosure obligations relating to the use of biometric information. The 2023 amendments include new enforcement provisions, the right to be forgotten, rules on automated decision-making, new consent requirements and exceptions, and privacy-by-default provisions. The 2024 amendments add an individual right to data portability.

A private right of action for non-compliance with CASL, which was scheduled to take effect on July 1, 2017, has been suspended indefinitely.

Note:

The breach of security safeguards provisions added to PIPEDA by the Digital Privacy Act came into force on November 1, 2018. They establish a more robust framework for responding to security and privacy breaches, including record-keeping, reporting and notification requirements.

A private right of action for non-compliance with CASL was scheduled to come into force on July 1, 2017 and would have made class actions possible. In mid-2017, however, the Government announced that these provisions would be delayed. There is no known date or plan for bringing them into force.

The province of Manitoba has enacted private sector privacy legislation, the Personal Information Protection and Identity Theft Prevention Act, but it has yet to be proclaimed in force.
Global Data Privacy Guide
At the federal level, private-sector privacy is governed by the Personal Information Protection and Electronic Documents Act ("PIPEDA") while public-sector handling of personal information in Canada is governed by the Privacy Act (Canada) and its provincial equivalents.
Some provinces also have private-sector legislation. Those of Quebec, Alberta and British Columbia are deemed to be substantially similar to PIPEDA and therefore are the applicable law to private-sector businesses in those provinces, other than “federal works, undertakings or businesses”. The relevant statutes are the Alberta Personal Information Protection Act ("AB PIPA"), the British Columbia Personal Information Protection Act ("BC PIPA") and the Quebec Act respecting the protection of personal information in the private sector ("QC Act"), (together, the “provincial private sector Acts”).
All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA regardless of which province they are based in.
Entities seeking to do business in Canada should familiarize themselves with the application (which may be concurrent) of other legislation in relation to PIPEDA and the Privacy Act.
Note:
For entities doing business in Canada, the key privacy legislation is the Personal Information Protection and Electronic Documents Act ("PIPEDA"). If the collection, use or disclosure of personal information occurs wholly within the provinces of Alberta, British Columbia or Quebec, the private sector privacy statutes in those provinces (AB PIPA, BC PIPA and the QC Act, respectively), will apply in place of PIPEDA.
PIPEDA is centered on a model of informed consent to give individuals control over how commercial entities collect, use or disclose their personal information. Certain exceptions have been carved out of the general knowledge and consent requirements to reflect some practical realities and the need to balance privacy with other important societal interests. PIPEDA incorporates the fair information principles with the adoption of the Canada Standards Association’s Model Privacy Code for Protection of Personal Information (CAN/CSA-Q830-96).
The Privacy Act, which governs the public-sector handling of info personal information in Canada, may also be important for interactions and communications that private-sector entities may have with the federal government.
Complaints arising from PIPEDA and the Privacy Act may be taken to the Privacy Commissioner, who is an Officer of Parliament. The Privacy Commissioner is empowered to make information public and to bring matters before the Federal Court of Canada, which can enjoin organizations from certain practices and award damages for contraventions of the privacy laws.
Entities seeking to do business in Canada should familiarize themselves with the application of other federal and provincial legislation in relation to PIPEDA and the Privacy Act. Reflecting the complexities of the constitutional divisions of power in a federal state.
Each province and territory in Canada has public-sector privacy legislation. Also, Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador’s privacy statutes that apply to health information being handled by health information custodians have been deemed substantially similar to PIPEDA. Additionally, there are other federal and provincial sector-specific privacy laws.
PIPEDA protects information about an identifiable individual. It explicitly excludes business contact information.
AB PIPA and BC PIPA also regulate the collection, use and disclosure of personal employee information.
Note:
PIPEDA and the Privacy Act protect “personal information”. It defines “personal information” broadly as “information about an identifiable individual” and has generally been understood to include information that will itself identify an individual or information that can be when combined with other information reasonably available, identify the individual.
PIPEDA explicitly excludes business contact information.
AB PIPA defines “personal employee information” as personal information in respect of a potential, current or former employee that is reasonably required by the organization for the purposes of establishing, managing or terminating an employee or volunteer-work relationship, or managing a post-employment or volunteer relationship, but does not include information that is unrelated to that relationship.
BC PIPA’s definition of “employee personal information” is similar: it is personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual's employment.
Generally speaking, PIPEDA applies to private-sector organizations and the Privacy Act applies to the public sector.
Certain exceptions may apply – depending on the province of operation, whether an industry is federally regulated, whether the data is moved across borders, or – in the case of the public sector – the level of government involved. As mentioned above, other federal and provincial legislation may also operate concurrently.
Provincially-regulated private sector organizations in Alberta, British Columbia and Quebec are subject to AB PIPA, BC PIPA and the QC Act, respectively.
Note:
PIPEDA governs the collection, use or disclosure of personal information by private-sector organizations in the course of commercial activities, except for businesses in Quebec, Alberta and British Columbia, where substantially similar provincial legislation apply.
A private-sector organization carrying on business anywhere in Canada, however, is subject to PIPEDA if the personal information that is collected, used or disclosed crosses provincial or national borders.
PIPEDA also applies across Canada to federally-regulated works, undertakings or businesses (e.g., banks, airlines, telecommunications companies), including their handling of health information and employee information.
PIPEDA does not apply to employee information for organizations that are not federally regulated.
Note that PIPEDA does not, however, apply to non-commercial activities of not-for-profit or charity groups and political parties.
PIPEDA governs the collection, use or disclosure of personal information by private-sector organizations in the course of commercial activities, except for businesses in Quebec, Alberta and British Columbia, where substantially similar provincial legislation applies.
A private-sector organization carrying on business anywhere in Canada, however, is subject to PIPEDA if the personal information that is collected, used or disclosed crosses provincial or national borders.
PIPEDA also applies across Canada to federally-regulated works, undertakings or businesses (e.g., banks, airlines, telecommunications companies), including their handling of health information and employee information.
PIPEDA does not apply to employee information for organizations that are not federally regulated.
Note that PIPEDA does not, however, apply to non-commercial activities of not-for-profit or charity groups and political parties.
Under PIPEDA, an “organization” includes an association, a partnership, a person and a trade union.
Note that under BC PIPA, “organization” also includes a trust or not-for-profit organization.
Generally, under PIPEDA (as well as under the provincial private sector Acts), the collection of personal information requires collection for a reasonable purpose, along with the knowledge and consent of the person to whom the organization’s activities are directed.
PIPEDA provides statutory exceptions where knowledge or knowledge and consent are not required, as well as a carve-out for the employment relationship. Under AB PIPA and BC PIPA, employee personal information can be collected without consent, provided that the employee is notified about the collection and the purposes for collection.
Note:
The general rule in PIPEDA is the collection for an appropriate purpose with the consent of the individual. While allowing for different methods of consent, PIPEDA states that for consent to be valid it must be reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. Consent of the individual must be “meaningful”, in that individuals must be provided with clear information explaining what organizations are doing with their information. The Privacy Commissioner of Canada has prepared guidelines for obtaining meaningful consent that can be read here.
Exceptions to the rule of knowledge or consent relate include the collection of personal information where:
- it is clearly in the interests of the individual and consent cannot be obtained in a timely way;
- it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
- it is contained in a witness statement and the collection is necessary to assess, process or settle an insurance claim;
- it was produced by the individual in the course of their employment, business or profession and the collection is consistent with the purposes for which the information was produced;
- the collection is solely for journalistic, artistic or literary purposes;
- the information is publicly available and is specified by the regulations; or
- the collection is made for the purpose of making a disclosure
- to a government institution for suspected national security issues or with reasonable grounds to believe that an offense has been, is being or is about to be committed, or
- that is required by law.
PIPEDA also includes certain consent exceptions or presumed consent for personal information collected by federally-regulated entities in the context of an employment relationship (i.e., to establish, manage or terminate that relationship) as long as the individual has knowledge that the information is or may be collected and for what purpose.
Under AB PIPA and BC PIPA, employee personal information can be collected without consent of the individual where the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual (or in Alberta, managing a post-employment or post-volunteer-work relationship with the individual), and the individual is notified of the collection and the purposes for it.
Generally, under PIPEDA (as well as under the provincial private sector Acts), the use (and disclosure) of personal information requires collection for a relevant purpose, along with the knowledge and consent of the person to whom the organization’s activities are directed.
PIPEDA provides statutory exceptions where knowledge, or knowledge and consent, is not required, including carve-outs for business transactions and the employment relationship. Under AB PIPA and BC PIPA, employee personal information can be used or disclosed without the consent of the individual, provided that the employee is notified about the use or disclosure and the purposes for such use/disclosure are related to the work relationship as outlined in the statutes.
Note:
The general rule under PIPEDA (as well as under the provincial private sector Acts) is that personal information may be used only for an appropriate purpose and with the consent of the individual. While allowing for different methods of consent, PIPEDA states that for consent to be valid it must be reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
Exceptions to the knowledge and consent requirement include the use of personal information where:
- in the course of its activities, the organization becomes aware of information that it has reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for the purpose of investigating that contravention;
- it is used for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual;
- the information is contained in a witness statement and the use is necessary to assess, process or settle an insurance claim;
- the information was produced by the individual in the course of their employment, business or profession and the use is consistent with the purposes for which the information was produced;
- it is used for statistical, or scholarly study or research, purposes that cannot be achieved without using the information, the information is used in a manner that will ensure its confidentiality, it is impracticable to obtain consent and the organization informs the Commissioner of the use before the information is used;
- it is publicly available and is specified by the regulations; or
- it was collected in accordance with certain statutory exemptions for knowledge and consent for the collection of personal information.
These exceptions also relate to use without consent if personal information has been collected by an organization for another purpose.
Organizations may also use personal information without the knowledge or consent of individuals in certain circumstances related to prospective and completed business transactions, including information that was collected for another purpose. This exception, however, does not apply to transactions for the purchase, sale or other acquisition or disposition, or lease of personal information.
PIPEDA also includes a carve-out for personal information collected by federally-regulated entities in the context of an employment relationship (i.e., to establish, manage or terminate that relationship) as long as the individual has knowledge that the information is or may be collected and for what purpose. This includes information that was collected for another purpose.
Similarly, AB PIPA and BC PIPA allow for use and disclosure of employee personal information without consent in the context of an employment relationship, provided the employee is made aware of the use and disclosure prior to any such use/disclosure.
Under PIPEDA and the provincial private sector Acts, personal information shall only be used or disclosed for the purposes for which it was collected, except with the consent of the individual or as required by law.
Note:
Under PIPEDA and the provincial private sector Acts, personal information shall only be used or disclosed for the purposes for which it was collected, except with the consent of the individual or as required by law.
Personal information shall be retained only as long as necessary for the fulfillment of those purposes but should be maintained long enough to allow an individual to exhaust any recourse in relation to access or correction.
PIPEDA also requires organizations to establish guidelines for the use, disclosure and retention of personal information, as well as for its destruction or anonymization once the stated purpose has been met.
PIPEDA and the provincial private sector Acts provide for rights of access to and correction of personal data.
Note: PIPEDA and the provincial private sector Acts provide for rights of access to and correction of personal data.
PIPEDA requires that businesses assist with and respond to requests from individuals within 30 days of the request, with the possibility of extending the time limit in certain instances. (Note that in Alberta, the time frame for response is 45 days.) Refusals must be made in writing and accompanied by reasons. Access may be refused for the following reasons:
- the information is protected by solicitor-client privilege or, in civil law, by the professional secrecy of lawyers and notaries;
- to do so would reveal confidential commercial information;
- to do so could reasonably be expected to threaten the life or security of another individual;
- the information was collected under paragraph 7(1)(b);
- the information was generated in the course of a formal dispute resolution process; or
- the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.
Generally, access is prohibited if it would likely reveal the personal information of a third party, but the organization shall sever from the record such information if possible.
PIPEDA does not include any restrictions on international transfers of personal data.
Note: PIPEDA does not include any restrictions on international transfers of personal data.
The relevant substantially similar provincial privacy laws should also be reviewed with regard to a cross-border transfer of personal data. Quebec, for instance, includes requirements relating to cross-border transfers of data. Under AB PIPA, when an organization uses a service provider outside of Canada to collect personal information, it must notify the individual, at or before the time of collection, whom they can contact with any questions and how they can obtain written information about the organization’s policies and practices with respect to service providers outside of Canada. In addition, the organization’s privacy notice must identify the countries in which collection, use, disclosure or storage of personal information will take place and the purposes for which such service providers are authorized to do these acts on the organization’s behalf.
There are formal breach notification requirements under PIPEDA, as amended by the Digital Privacy Act, as well as under AB PIPA.
Note: As of November 1, 2018, organizations in Canada that are subject to PIPEDA (as amended by the Digital Privacy Act) have breach response obligations with respect to any breach of security safeguards. These new obligations are set out in the Breach of Security Safeguards Regulations [1].
The requirements include disclosures to the Office of the Privacy Commissioner as well as notification to individuals where there is a reasonable expectation of significant harm.
AB PIPA includes this kind of requirement along with a penalty for non-notification. The notice requirements are set out in the Personal Information Protection Act Regulation under AB PIPA [2].
Many provincial health privacy laws similarly require formal breach responses.
[1] Available here: http://gazette.gc.ca/rp-pr/p2/2018/2018-04-18/html/sor-dors64-eng.html
[2] Available here: https://www.canlii.org/en/ab/laws/regu/alta-reg-366-2003/latest/alta-reg-366-2003.html
The federal privacy regulator is the Privacy Commissioner of Canada.
Each province and territory also has a privacy commissioner or ombudsperson responsible for overseeing the provincial and territorial legislation. In Alberta, the regulator is the Information and Privacy Commissioner of Alberta. In British Columbia, the regulator is the Information and Privacy Commissioner for B.C., and in Quebec, it is the Commission d’accès à l'information du Québec.
Note: The federal privacy regulator is the Privacy Commissioner of Canada, who is an Officer of Parliament: https://www.priv.gc.ca/en/
The Privacy Commissioner is empowered to make information public and to bring matters before the Federal Court of Canada, which can enjoin organizations from certain practices and award damages for contraventions of the privacy laws.
Each province and territory also has a privacy commissioner or ombudsperson responsible for overseeing the provincial and territorial legislation. Each is an independent officer of the legislature who works independently of the government to protect the information access and privacy rights of those in the province. See https://www.oipc.ab.ca/, https://www.oipc.bc.ca/ and http://www.cai.gouv.qc.ca/english/.
There are formal record-keeping and notice obligations relating to privacy breaches under PIPEDA, as amended by the Digital Privacy Act. Non-compliance with these obligations can result in fines of up to $100,000.
Under AB PIPA, failure to report a breach in accordance with the legislation can result in fines of up to $10,000 for individuals, and up to $100,000 for organizations.
Note: As of November 1, 2018, there are formal obligations and consequences relating to privacy breaches under PIPEDA, as amended by the Digital Privacy Act. These new obligations are set out in the Breach of Security Safeguards Regulations. These obligations and consequences include keeping records of all breaches of security safeguards, disclosures to the Office of the Privacy Commissioner, and notification to individuals where there is a reasonable expectation of significant harm.
The relevant substantially similar provincial privacy laws should also be reviewed with regard to a privacy breach. As noted above, Alberta, for instance, includes this kind of requirement along with a penalty for non-notification.
The primary legislation regulating electronic marketing is Canada’s anti-spam law, generally known as "CASL".
Consumer protection legislation may also come into play, depending on the province or the sector involved.
Note: The primary legislation for regulating electronic marketing is Canada’s anti-spam law, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act ("CASL"). CASL is jointly implemented by the Office of the Privacy Commissioner, the Competition Bureau, and the Canadian Radio-television and Telecommunications Commission.
CASL is a complicated opt-in regime with significant penalties for non-compliance. It applies to all commercial electronic messages that make use of a computer or device in Canada for sending, receiving or processing.
Consumer protection legislation may also come into play, depending on the province or the sector involved.
In 2020, Bill C-11 was introduced and would replace PIPEDA with the proposed Consumer Privacy Protection Act (“CPPA”), enacted through An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, more simply referred to as the Digital Charter Implementation Act, 2020. The new law would bring Canadian privacy law closer to the GDPR, including new penalties and enforcement mechanisms, consent requirements and exceptions, algorithmic transparency, clearer guidelines regarding de-identification, and the right to data portability. While it seemed the Bill would take effect in 2021 or 2022, a federal election in 2021 has created uncertainty regarding when a new privacy law will be enacted, and whether the law will in fact look like Bill C-11.
Amendments to the QC Act, meant to modernize the law and to be more in line with requirements under the GDPR, will be coming into force in three stages: September 2022, September 2023, and September 2024. The 2022 amendments include the mandatory reporting of ‘confidentiality incidents’, consent exceptions for commercial transactions and research, and new declaration obligations related to the use of biometric information.
The 2023 amendments to the QC Act will include new enforcement provisions, the right to be forgotten, rules about automated decision-making, as well as new consent requirements and exceptions, and privacy by default provisions.
The 2024 amendments will add the individual right to data portability.
A private right of action for non-compliance with anti-spam legislation which was scheduled to take effect on July 1, 2017, has been suspended indefinitely.
Note: Amendments to PIPEDA introduced under the Digital Privacy Act are in force as of November 1, 2018. These amendments establish a more robust framework around security and privacy breach, including notification requirements.
A private right of action for non-compliance with the anti-spam law, CASL, was scheduled to come into force on July 1, 2017, which would make class action suits possible. However, in mid-2017, the Government announced that these provisions would be delayed. There is no known date or plan for when the provisions may come into force.
The province of Manitoba has enacted private sector privacy legislation, the Personal Information Protection and Identity Theft Prevention Act, but it has yet to come into force.