Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?
Canada’s national and provincial data protection laws are principle-based and provide a pragmatic, flexible framework that balances the right of an individual to control the collection, use and retention of his or her personal data with the legitimate business interests of organisations that seek to use such personal data. In general, Canadian private sector data protection laws (usually called ‘privacy laws’ or ‘personal information protection laws’) contain functionally similar provisions to those in the European Union. A significant difference between the two regimes is that Canadian data protection legislation does not contain a concept of ‘adequate’ jurisdiction. Instead, the focus is on the protection of personal data through contractual or other means.
Although Canada has been declared by the European Union as an adequate jurisdiction, this designation is limited. It applies only to transfers to organisations that are subject to Canada’s federal legislation, the Personal Information Protection and Electronic Documents Act (SC 2000, c 5) (PIPEDA). As a rule, transfers of employee data within a corporate group are not subject to PIPEDA, unless the transfer is to a federal work, undertaking or business (eg, a bank, railway or airline). Therefore, expert advice should be sought when transferring data of EU citizens to Canada to ensure that there is compliance with EU rules.
The national privacy regulator – the Office of the Privacy Commissioner of Canada (OPC) – is active in its investigative and educational initiatives, and frequently collaborates with its international counterparts. However, the OPC has limited enforcement powers and cannot make orders or administer penalties.
Alberta, British Columbia and Quebec have private sector privacy laws that are substantially similar to PIPEDA. Most Canadian provinces have personal health information protection laws that govern the collection, use, retention and disclosure of personal health data by regulated health professionals (eg, physicians, nurses, dentists and chiropractors) and other participants in the healthcare sector.
Like many countries, Canada also has federal, provincial and (in some cases) municipal public sector privacy laws. These laws provide a baseline of privacy protections to individuals interacting with public sector organisations. Notably, in Canada these laws may extend to publicly funded institutions in what is known as the ‘MUSH’ sector, which encompasses municipalities, universities, schools and hospitals.
Are any changes to existing data protection legislation proposed or expected in the near future?
The Digital Privacy Act (SC 2015, c 32) was enacted on June 18 2015. The Digital Privacy Act contained the first major amendments to PIPEDA since that statute came into force in 2002. In particular, the Digital Privacy Act included amendments to PIPEDA that will introduce new provisions relating to breaches of security safeguards. Once the data breach provisions come into force, organisations will be required to:
- report certain data breaches to the OPC;
- notify individuals of data breaches in certain cases;
- notify third parties of data breaches where those third parties could assist in the mitigation of harm; and
- keep records of data breaches, even if they do not meet the threshold for reporting to the OPC and notification to individuals.
These new data breach provisions will come into force once the government passes regulations regarding the form and content of the required notices. The government has begun consulting with stakeholders regarding the content of the regulations. The consultation will close on May 31 2016. Following this consultation process, the government will publish draft regulations for public comment and further consultation. Therefore, it is unlikely that breach reporting will come into force in Canada before the last quarter of 2016.
There are a number of other developments in Canada that could lead to upcoming changes. The British Columbia Personal Information Protection Act (SBC 2003, c 63) is under review as mandated by the act. It is possible that the standing committee reviewing this legislation could recommend mandatory breach reporting for that province. The Alberta Personal Information Protection Act (SA 2003, c P-6.5) is also under review as mandated by the act. Although the Alberta legislation already contains mandatory data breach provisions, it is possible that these provisions could be amended as a result of the review.
What legislation governs the collection, storage and use of personal data?
In Canada, there are separate laws regarding the collection, storage and use of personal data in the private sector, the healthcare sector and the public sector.
Private sector organisations are subject to personal data protection obligations under the Personal Information Protection and Electronic Documents Act (SC 2000, c 5) (PIPEDA), which applies to the collection, use and disclosure of personal data (referred to as ‘personal information’ in Canadian legislation) by private sector organisations in the course of commercial activities. PIPEDA also applies to the personal data of employees of federally regulated works, undertakings and businesses (eg, banks, airlines and telecoms companies).
PIPEDA does not apply to organisations that operate wholly within a province whose legislation has been deemed by the federal government to be substantially similar to PIPEDA, unless the personal data crosses provincial or national borders or the organisation is a federal work, undertaking or business. Organisations that are subject to provincial legislation deemed substantially similar to PIPEDA are exempt from PIPEDA with respect to the collection, use and disclosure of personal data occurring within the respective province. PIPEDA continues to apply to the collection, use and disclosure of personal data outside the province.
The following provincial statutes of general private sector application have been deemed substantially similar to PIPEDA:
- British Columbia – the Personal Information Protection Act (SBC 2003, c 63);
- Alberta – the Personal Information Protection Act (SA 2003, c P-6.5); and
- Quebec – the Act Respecting the Protection of Personal Information in the Private Sector (CQLR c P-39.1).
In addition, the following provincial statutes governing personal health information have been deemed substantially similar to PIPEDA:
- Ontario – the Personal Health Information Protection Act 2004 (SO 2004, c 3, Sch A);
- New Brunswick – the Personal Health Information Privacy and Access Act (SNB 2009, c P-7.05); and
- Newfoundland and Labrador – the Personal Health Information Act (SNL 2008, c P-7.01).
Although only the latter three provinces have personal health information protection legislation that has been declared substantially similar to PIPEDA, most provinces have some form of personal health information protection legislation.
In addition to private sector laws, every jurisdiction in Canada has enacted public sector privacy legislation. At the federal level, the Privacy Act (RSC, 1985, c P-21) governs the collection, storage and use of personal data by federal public sector organisations. This legislation applies to government ministries and institutions and agencies of the federal government, such as the Bank of Canada, the Canada Revenue Agency, the Canadian Air Transport Security Agency and numerous others.
Each province has similar legislation governing the collection, storage and use of personal data in the provincial public sector, which includes municipalities, universities, schools and hospitals.
Scope and jurisdiction
Who falls within the scope of the legislation?
To determine which legislation applies to an organisation, it is necessary to consider:
- the types of activity undertaken by the organisation;
- the location in which the collection, use and disclosure of personal data occur; and
- whether those activities cross provincial boundaries.
For example, the mere fact that the organisation collecting and using personal data of Canadians is outside Canada does not mean that PIPEDA does not apply. The Federal Court of Canada has said that the Office of the Privacy Commissioner of Canada (OPC) can investigate foreign entities, including those whose collection activities occur outside Canada if there is a real and substantial connection between those activities and Canada.
PIPEDA applies to personal data collected, used or disclosed by an organisation in the course of a commercial activity. The term ‘organisation’ includes associations, partnerships, persons and trade unions. ‘Commercial activity’ is any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. PIPEDA also applies to information about employees or applicants for employment that the organisation collects, uses or discloses in connection with the operation of a federal work, undertaking or business (eg, banks, airlines, railways and certain other businesses under the exclusive jurisdiction of Parliament, as well as businesses operating in the three northern territories).
PIPEDA does not apply to any government institution to which the Privacy Act applies. Organisations that collect, use or disclose personal data solely for journalistic, artistic or literary purposes are not subject to PIPEDA.
In addition, PIPEDA contains a method by which it can be pre-empted by provincial laws that are declared by the government to be substantially similar. The following laws have been declared to be substantially similar:
- British Columbia – the Personal Information Protection Act (SBC 2003, c 63);
- Alberta – the Personal Information Protection Act (SA 2003, c P-6.5);
- Quebec – the Act Respecting the Protection of Personal Information in the Private Sector (CQLR c P-39.1);
- Ontario – the Personal Health Information Protection Act 2004 (SO 2004, c 3, Sch A);
- New Brunswick – the Personal Health Information Privacy and Access Act (SNB 2009, c P-7.05); and
- Newfoundland and Labrador – the Personal Health Information Act (SNL 2008, c P-7.01).
However, if information travels across provincial borders – such as from Quebec to Alberta or from British Columbia to the United States – it will be subject to PIPEDA in addition to being subject to the provincial law, even though the provincial law has been declared to be substantially similar.
In many respects, the scope of the Alberta, British Columbia and Quebec legislation is broader than that of PIPEDA. These statutes do not limit application of the legislation to information collected in the course of commercial activities; non-commercial activities also fall within the purview of the legislation. This means, among other things, that the legislation can apply to charities. In addition, the private sector legislation of these provinces protects all employees other than those to which PIPEDA applies.
What kind of data falls within the scope of the legislation?
Generally speaking, ‘personal information’ in the federal and provincial private sector legislation includes information about an identifiable individual, but excludes business contact information. For example, PIPEDA defines ‘personal information’ broadly to include any information about an identifiable individual. However, the statute generally excludes ‘business contact information’ from its protections if that information is used solely for the purpose of communicating or facilitating communication with the individual in relation to his or her employment, business or profession. ‘Business contact information’ means information used for that purpose, such as the individual’s name, position name or title, work address, work telephone number, work fax number and work email address.
The British Columbia and Alberta private sector statutes contain a functionally similar definition of ‘personal information’. In Quebec, although the term is not defined, the scope of ‘personal information’ is effectively as broad as in these other provinces.
The following types of information have been held to be personal information under PIPEDA:
- contact information;
- financial and tax information;
- voiceprints, fingerprints and other biometric data;
- location information collected by GPS;
- IP addresses if used to target an individual;
- health information; and
- criminal convictions.
Are data owners required to register with the relevant authority before processing data?
In the private sector, there is generally no requirement for data owners to register with a regulator. However, organisations that act as consumer reporting agencies (also known as ‘personal information agents’ in Quebec) must be licensed in certain provinces (eg, Ontario and Quebec) if they operate in those provinces.
A ‘consumer reporting agency’ is an organisation that establishes a file for the purpose of providing a report on credit or personal data in connection with specified purposes. For example, in Ontario a consumer reporting agency is an organisation that provides reports in connection with applications for credit, insurance, employment, housing and other specified matters under the Consumer Reporting Act (RSO 1990, c C.33).
In the public sector, federal and provincial privacy legislation may require publication of details of personal information banks maintained by the government institution or governmental agency.
Is information regarding registered data owners publicly available?
PIPEDA and the private sector laws of Alberta, British Columbia and Quebec require that organisations make available information about their practices regarding the collection, use, retention and disclosure of personal data. Licensed or registered consumer reporting agencies are listed in publicly available databases.
In addition, federal and provincial public sector legislation may require information regarding personal information banks to be publicly available.
Is there a requirement to appoint a data protection officer?
The obligation to appoint a data protection officer varies across Canada. PIPEDA requires an organisation to appoint a person or persons who are accountable for the organisation’s compliance with PIPEDA. The private sector legislation of British Columbia and Alberta contain a similar requirement. The private sector legislation of Quebec does not contain this requirement.
Generally in Canada, private sector organisations will appoint a privacy officer as the person who is accountable under PIPEDA and the substantially similar provincial privacy legislation of British Columbia and Alberta. The privacy officer need not be a corporate officer, but is typically a senior person within the organisation. Sometimes this person may be known as a ‘privacy ombudsperson’.
Public sector legislation typically does not require the appointment of a privacy officer. However, organisations will have privacy and access coordinators responsible for compliance with federal public sector legislation. In some cases, public sector organisations will voluntarily appoint privacy officers. Similarly, in the healthcare sector, institutions such as hospitals may appoint privacy officers, although this may not specifically be required under health information protection legislation.
Which body is responsible for enforcing data protection legislation and what are its powers?
At the federal level, the OPC oversees compliance with PIPEDA and the federal public sector Privacy Act. The OPC has the power to investigate – including summoning witnesses – on its own initiative or following a complaint. Under PIPEDA, the OPC may also commence applications in the Federal Court of Canada to require an organisation to comply with PIPEDA if, following an investigation and a report of findings, the organisation fails or refuses to amend its practices. In addition to these powers, the Digital Privacy Act has amended PIPEDA to provide that the OPC may enter into compliance agreements with organisations. These compliance agreements may be enforced in the Federal Court of Canada.
The Office of the Information and Privacy Commissioner of Alberta, the Office of the Information and Privacy Commissioner for British Columbia and the Commission d’accès à l’information du Québec each have private sector oversight responsibilities within their respective provinces. Each has similar powers to those of the OPC, including the power to conduct investigations, audits and inquiries, as well as to apply to and participate in litigation before their respective provincial courts. However, unlike the OPC, the provincial regulators also have order-making powers.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Under the Personal Information Protection and Electronic Documents Act (SC 2000, c 5) (PIPEDA), there are two prerequisites for the collection, storage and processing of personal data:
- The data must be collected, stored or processed for purposes that a reasonable person would consider to be appropriate in the circumstances.
- The organisation must have express or implied consent.
The appropriateness criterion ensures that the collection of personal data is rationally connected to the stated purpose for collection and is not overbroad or contrary to societal values. The Office of the Privacy Commissioner of Canada (OPC) uses a four-part test to consider appropriateness. This test requires the organisation to show that:
- the collection, storage or processing is related to a specific need of the organisation;
- the collection, storage or processing is likely to be effective in meeting a need;
- the loss of privacy is proportional to the benefit gained; and
- there is no less privacy-invasive way of meeting the need.
The private sector legislation of Alberta and British Columbia both contain a similar concept of appropriateness. Public sector legislation limits collection, storage and processing to purposes for which there is statutory authority and other consistent purposes.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Canadian privacy legislation requires organisations to retain personal data only as long as necessary to fulfil the purpose for which it was collected. PIPEDA recommends that organisations develop retention guidelines, which should include minimum and maximum periods as well as procedures for the safe and secure destruction of data.
Personal data that has been used to make a decision about an individual must be retained long enough to allow the individual to access the information after the decision has been made. Under the British Columbia Personal Information Protection Act, an organisation must retain that information for at least one year if it uses an individual's personal data to make a decision that directly affects the individual.
Organisations may also be subject to data retention periods under other legislative requirements, such as tax, employment standards, occupational health and safety and human rights legislation. These statutes may require that certain types of data be retained for minimum periods.
Do individuals have a right to access personal information about them that is held by an organisation?
Under private sector, public sector and sectoral personal data protection legislation, individuals have a right to access the information held about them. The maximum period that organisations have to respond varies. Under PIPEDA, responses must be made within 30 days. This timeline can be extended in certain cases.
All access provisions contain exceptions. For example, under PIPEDA, access may be refused if:
- the disclosure would include the data of another individual that cannot be severed from the disclosure;
- the personal data is protected by solicitor-client privilege (or in Quebec by professional secrecy of lawyers and notaries);
- providing access would reveal confidential commercial information;
- providing access could reasonably be expected to threaten the life or security of another individual;
- the data was collected without the individual's consent in order not to compromise the availability or the accuracy of the information and the collection was reasonable for the purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; and
- the data was generated in the course of a formal dispute resolution process.
Do individuals have a right to request deletion of their data?
Canadian legislation does not contain an express right to erasure. However, an individual may withdraw consent to the processing of his or her personal data under Canadian private sector legislation. If there is no further purpose for which the personal data can be lawfully retained, withdrawal of consent may in practice require the organisation to delete the personal data. In addition, individuals have a right to correct data under most Canadian privacy laws. The right to correction may also include the right to have incorrect data deleted or noted as being in dispute. These rights are subject to any statutory retention periods, which may prevent an organisation from acting on a deletion request. Notably, data that has been aggregated or anonymised does not need to be deleted.
Is consent required before processing personal data?
Subject to defined exceptions, personal data may be collected only with an individual’s knowledge and informed consent. The individual must also be notified of the purpose for which his or her personal data is being collected before obtaining consent. The information must be sufficient to enable the individual to make an informed decision. Express or implied consent should be obtained before or at the time of collecting personal data. Express consent is required for sensitive personal data or sensitive uses of personal data. If it is impractical to obtain consent before collection or if consent to additional uses is sought, consent may be obtained after collection but before use.
If consent is not provided, are there other circumstances in which data processing is permitted?
There are numerous situations in which personal data may be collected without consent.
Under PIPEDA and the private sector legislation in British Columbia and Alberta, employers may collect, use and disclose personal data without the consent of the data subject if:
- the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the organisation and the individual; and
- the employer has informed the individual that the personal data will be or may be collected, used or disclosed for these purposes.
In addition, under PIPEDA organisations may collect personal data without the knowledge or consent of the individual for a number of specified purposes connected to important public policy objectives – for example, if:
- the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
- the collection of the data with the knowledge or consent of the individual would compromise the availability or accuracy of the information and such collection is related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
- the data is contained in a witness statement and the collection is necessary to assess, process or settle an insurance claim;
- the data was produced by the individual in the course of his or her employment, business or profession and the collection is consistent with the purpose of the information produced;
- the data is collected solely for journalistic, artistic or literary purposes;
- the data is collected in response to a request by a government institution or other lawful authority and such information relates to national security, the defence of Canada or the conduct of international affairs;
- the organisation has reasonable grounds to believe that the information relates to national security, the defence of Canada or the conduct of international affairs; or
- the collection is required by law.
In certain narrowly defined cases, personal data may be collected from public sources without consent. For example, if an individual has consented to his or her data being published in a directory, the information may be collected without his or her consent.
Provincial private sector legislation contains similar provisions. Personal health information protection legislation and public sector legislation also contain exceptions to consent.
What information must be provided to individuals when personal data is collected?
In the private sector, individuals must be given sufficient information to make an informed decision with respect to whether to give consent. This involves providing an individual with information on what personal data is collected and how it will be used and disclosed and the consequences of providing or refusing consent if those consequences are not obvious. Organisations must also make available information on their policies and practices relating to personal data. Under PIPEDA, the following information is expected to be available from organisations:
- the name or title and address of the privacy officer or equivalent;
- instructions on how to access personal data held by the organisation;
- a description of the types of personal data collected and the uses made of that personal data;
- an explanation of the organisation’s policies, standards or codes; and
- a description of what personal data is shared with related organisations (eg, subsidiaries).
In Alberta, if the organisation uses a third party outside Canada to collect personal data, or directly or indirectly transfers personal data to a third party outside Canada, the data controller must, before or at the time of collecting or transferring, notify the data subject orally or in writing of:
- the way in which the data subject may obtain access to written data about the organisation's policies and practices with respect to service providers outside Canada; and
- the name or position name or title of a person who can answer on behalf of the organisation the data subject's questions about the collection, use, disclosure or storage of personal data by service providers outside Canada for or on behalf of the organisation.
These are also best practices to fulfil transparency requirements in other jurisdictions in Canada.
Data security and breach notification
Are there specific security obligations that must be complied with?
Under the Personal Information Protection and Electronic Documents Act (SC 2000, c 5) (PIPEDA), organisations must implement safeguards that are appropriate to the sensitivity of the personal data. Safeguards should include physical, technical and administrative controls to prevent loss or unauthorised access to or modification or disclosure of personal data. Some regulatory and self-regulatory bodies have published additional guidance, particularly with respect to cybersecurity. For example, the Office of the Superintendent of Financial Institutions and the Investment Industry Regulatory Organization of Canada have published cybersecurity guidance. It is possible that the federal government may, in the future, enact legislation mandating security measures for critical infrastructure.
Are data owners/processors required to notify individuals in the event of a breach?
Parliament recently enacted the Digital Privacy Act, which amends PIPEDA to introduce mandatory data breach notification requirements. These provisions are not yet in force. When these provisions come into force, organisations that are subject to PIPEDA will be required to notify individuals if there is a real risk of significant harm as a result of a breach of an organisation’s safeguards.
‘Significant harm’ includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit records and damage to or loss of property. In determining whether the risk threshold is met, the organisation must consider:
- the sensitivity of the personal data that has been exposed;
- the probability that the personal data has been, is being or will be misused; and
- any other factors that the government prescribes.
As mentioned previously, these data breach provisions are not yet in force. They are expected to come into force no earlier than the end of 2016.
Data controllers subject to Alberta’s Personal Information Protection Act must notify individuals of a breach if the Office of the Information and Privacy Commissioner of Alberta orders notification. The commissioner must make a notification order if, in the opinion of the commissioner, there is a real risk of significant harm as a result of the personal data security breach. The commissioner considers similar factors as enumerated under the Digital Privacy Act.
Provincial personal health information protection legislation generally requires notification of the loss of or unauthorised access to personal health information. Public sector legislation does not generally require notification of breaches; Newfoundland and Labrador is a notable exception.
Are data owners/processors required to notify the regulator in the event of a breach?
Under the amendments to PIPEDA contained in the Digital Privacy Act, organisations will be required to notify the Office of the Privacy Commissioner of Canada (OPC) if there is a breach of safeguards that may result in a real risk of significant harm to an individual. In addition, organisations will be required to log all breaches of safeguards and to produce those logs to the OPC on request. The government is consulting on the content of the mandatory reports and data breach logs. These provisions are not expected to come into force until the end of 2016 at the earliest.
Organisations subject to Alberta’s Personal Information Protection Act must notify the Office of the Information and Privacy Commissioner of Alberta of personal data security breaches. A similar obligation to notify the OPC will apply at the national level under PIPEDA once the breach provisions of the Digital Privacy Act come into force.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
Canada has one of the most restrictive regimes governing unsolicited electronic marketing. The law is known as Canada’s anti-spam legislation (SC 2010, c 23) (CASL).
CASL regulates the sending of commercial electronic messages. Subject to limited exceptions, organisations are subject to CASL when sending commercial electronic messages either:
- from Canada to anywhere in the world; or
- from outside Canada to a person in Canada.
CASL is stricter than similar laws in other jurisdictions.
A ‘commercial electronic message’ is any business email, text or social media direct message that promotes a company, product or person, or invites the recipient to engage in a transaction.
Certain messages are exempt under CASL, including:
- internal messages relating to the business of an organisation, such as messages sent by an employee, representative, consultant or franchisee to another employee, representative, consultant or franchisee which concern the business activities of the recipient;
- messages between businesses that are in a business relationship; and
- messages responding to inquiries or complaints.
There are three preconditions to sending a commercial electronic message, as follows.
Consent or an exception to consent
Organisations require express or implied consent to send a commercial electronic message. Express consent is the default and preferred form of consent and requires a positive action on the part of the recipient. Express consent cannot be bundled with other agreements. When obtaining express consent, there are specific disclosure requirements, including (but not necessarily limited to) the name of the entity seeking consent, the address of that entity and a telephone number, email address or website through which the entity can be contacted. The individual must also be told expressly that he or she may withdraw consent.
Implied consent may be relied on only in limited circumstances, such as where there is an ‘existing business relationship’ between the sender of the message and the recipient. An ‘existing business relationship’ is defined to include (among other things):
- the purchase or lease of a product, goods, a service, land or an interest or right in land within two years before sending the message;
- the acceptance of a business, investment or gaming opportunity within two years before sending the message;
- a written contract currently in existence or expired within two years before sending the message; and
- an inquiry or application within six months before sending the message.
Prescribed identification information
Organisations must include prescribed information identifying the sender and the person on whose behalf the message has been sent. This information must include a mailing address for the sender and for the person on whose behalf the message has been sent, as well as one alternative method of communicating with the sender and, if applicable, with the person on whose behalf the message was sent. This alternative contact information must include an email address, a phone number or the address of a website contact form.
A valid and working unsubscribe mechanism
Each commercial electronic message sent must include a clear and prominent unsubscribe mechanism that enables the recipient to indicate that he or she no longer wants to receive specific types of or all commercial electronic messages from the organisation. CASL requires the unsubscribe to take effect as soon as possible, but no later than 10 business days after the request is made.
Violations of the provisions governing commercial electronic messages could lead to administrative monetary penalties of up to C$10 million per offence. The Canadian Radio-television and Telecommunications Commission is the primary government body tasked with enforcing CASL and has been doing so aggressively, announcing several investigations and fines in 2015. Further, as of July 1, 2017 it will be possible to bring a private action (including a class action) to sue for violations of the provisions governing commercial electronic messages.
CASL provides that there is implied consent to the installation of cookies if it would be reasonable to expect that the person consented to their use. Therefore, strictly necessary cookies should not require express consent, provided that there is some notice of them. However, non-strictly necessary cookies require opt-out consent. If an organisation engages in targeted advertising or online behavioural advertising across multiple websites, heightened disclosure may be required, such as through use of icons or ‘just in time’ notices (eg, cookie banners).
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Organisations are responsible for the personal data in their control, including information that has been transferred to third parties, whether within the same jurisdiction or outside Canada. Organisations must ensure that a third-party processor is handling the information in a legal and secure manner. Canadian data controllers must use contractual or other means to require third parties to provide a level of protection comparable to that provided by the data controller itself. Further, the third party must process the personal data only for or on behalf of the data controller (for the same purpose disclosed to the data subject) and must not process it for any other purpose.
Individuals must be notified that their personal data may be disclosed to a third party for processing on behalf of the data controller. This is generally disclosed to the data subject through the organisation’s privacy notices.
Are there restrictions on the geographic transfer of data?
An organisation subject to the public sector privacy legislation in British Columbia or Nova Scotia may not transfer the personal data it has collected outside Canada, or otherwise allow access to that personal data from outside Canada, subject to certain exceptions. A similar restriction regarding personal health information applies in New Brunswick. Canadian tax legislation also requires that certain data remain in Canada (although copies may be stored elsewhere). Similar requirements are included in other regulations. Therefore, an organisation transferring data or using a cloud-based service should seek legal advice.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Data owners must ensure that the third-party processor processes the personal data only for or on behalf of the data controller (for the same purpose disclosed to the data subject) and does not process it for any other purpose. In addition, data owners must ensure that the third-party processor is handling the information in a legal and secure manner.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
Penalties for certain offences under the Personal Information Protection and Electronic Documents Act (SC 2000, c 5) (PIPEDA) and the private sector legislation in British Columbia and Alberta (eg, using deception or coercion to collect personal data, disposing of personal data in an attempt to evade a request for access to personal data and obstructing the privacy commissioner) may result in a fine of up to C$10,000 for an individual or up to C$100,000 for an organisation. Fines for similar offences under Quebec legislation are from a minimum of C$1,000 to a maximum of C$50,000 (C$100,000 for some subsequent offences).
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Individuals may seek redress for a privacy breach through a number of means. Under PIPEDA, a complainant may initiate an application to the Federal Court of Canada to review an investigation under PIPEDA, in which the court has the power to order an organisation to correct its practices, publish a notice of any corrected practices taken and award damages. In addition, individuals may seek compensation pursuant to tort law, such as intrusion upon seclusion (invasion of privacy) or the intentional publication of private facts. In some provinces, there is also a statutory tort of invasion of privacy.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
Canada has not yet enacted cybersecurity legislation. However, the government has been active in promoting cybersecurity. Public Safety Canada is mandated to keep Canadians safe from a range of risks and manages the Canadian Cyber Incident Response Centre. The Communications Security Establishment is Canada’s cryptologic agency. The Office of the Privacy Commissioner of Canada (OPC) is responsible for compliance with both the Privacy Act, which covers the personal information-handling practices of federal organisations, and the Personal Information Protection and Electronic Documents Act (SC 2000, c 5), the federal private sector privacy law. In accordance with Treasury Board policy, the OPC receives data breach reports from departments and agencies and reviews and advises on privacy impact assessments of new and existing government initiatives. The security of federal technological infrastructure is often at the heart of privacy impact assessments, and the OPC works with departments and agencies to advise on appropriate safeguards.
Canada has longstanding provisions in the Criminal Code (RSC 1985, c C-46) relating to various computer-related criminal activities. For example, it is illegal to access a computer system or intercept a computer function without colour of right. The wilful destruction or alteration of another person’s data is also a criminal offence. In 2015 the Protecting Canadians from Online Crime Act (SC 2014, c 31) came into force. This legislation amended the Criminal Code to provide law enforcement agencies with additional investigative powers to help them take action against online crime, including online child sexual exploitation.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
Many Canadian regulators and self-regulatory organisations have cybersecurity at the top of their agendas. However, no regulator has published prescriptive standards or guidance. The Canadian Securities Administrators has stated that public issuers and other participants in Canada’s capital markets must consider cybersecurity risks. In 2015 the Investment Industry Regulatory Organisation of Canada (IIROC) published two resources to help IIROC-regulated firms address cybersecurity threats: the Cybersecurity Best Practices Guide for IIROC Dealer Members and the Cyber Incident Management Planning Guide for IIROC Dealer Members. The resources are aimed in particular at small and medium-sized securities dealers. Although developed for IIROC dealer members, the resources are useful for all small and medium-sized enterprises in the wider financial industry. The Office of the Superintendent of Financial Institutions published a cybersecurity self-assessment guide in 2013. Organisations should seek legal advice on the particular standards that may govern their industry.
Which cyber activities are criminalised in your jurisdiction?
The following activities (among others) are criminalised in Canada:
- unauthorised interception of communications;
- unauthorised use of a computer;
- possession of a device to obtain unauthorised use of a computer system or to commit mischief;
- wilful destruction of computer data;
- unauthorised use of credit card data;
- distribution or publication of an intimate image without consent;
- distribution or publication of child pornography; and
- distribution or publication of terrorist propaganda.
Which authorities are responsible for enforcing cybersecurity rules?
Many government agencies are responsible for enforcing cybersecurity rules within their jurisdiction, including (but not limited to) law enforcement, Public Safety Canada, the Communications Security Establishment, the Royal Canadian Mounted Police, the Canadian Security Intelligence Service, Industry Canada and the OPC. In addition, there are numerous other regulatory and self-regulatory bodies that enforce cybersecurity governance principles. For example, securities commissions and self-regulatory bodies enforce cybersecurity as part of the governance of participants in the capital markets. Professional regulatory bodies require regulated professionals to adhere to minimum standards of care regarding cybersecurity.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Cybersecurity insurance is widely available from insurance carriers in Canada. This insurance will respond to:
- expenses in making breach reports to regulators and notifying affected individuals, including expenses to provide identity theft or credit monitoring;
- expenses relating to crisis management, public relations and call centres;
- extortion payments to unlock data that has been encrypted by a hacker’s ransomware or to end other e-commerce attacks;
- costs of data recovery;
- expenses relating to business continuity and losses resulting from business interruption;
- defence costs and the cost of settlements or judgments in proceedings brought by affected individuals or business partners; and
- costs of regulatory investigations, audits or proceedings brought by governmental or self-regulatory bodies, and any associated fines or penalties.
It is becoming more common for organisations to arrange for cybersecurity insurance.
Are companies required to keep records of cybercrime threats, attacks and breaches?
Generally, there is no requirement for an organisation to keep records of cybercrime threats, attacks and breaches. However, under the recently enacted Digital Privacy Act, companies will be required to record and log all data breaches. This requirement is not expected to come into force until the end of 2016 at the earliest. The government has not yet determined what types of information will be required to be kept.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
There are mandatory data breach reporting obligations with respect to some incidents relating to personal data. However, there is generally no obligation to report cybercrime threats and attacks to law enforcement or regulatory authorities. Organisations are nonetheless encouraged to report cybercrimes to Public Safety Canada’s Canadian Cyber Incident Response Centre and to responsible law enforcement agencies.
Are companies required to report cybercrime threats, attacks and breaches publicly?
Organisations are not required to report cybercrime threats, attacks and breaches publicly apart from any requirements to provide individual notification for breaches involving personal data.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
The penalties vary for different types of cybercrime. Below is a sample of maximum terms of imprisonment for various offences:
- unauthorised interception of communications – up to five years’ imprisonment;
- unauthorised use of a computer – up to 10 years’ imprisonment;
- possession of a device to obtain unauthorised use of a computer system or to commit mischief – up to two years’ imprisonment;
- wilful destruction of computer data – up to five years’ imprisonment;
- unauthorised use of credit card data – up to 10 years’ imprisonment;
- distribution or publication of an intimate image without consent – up to five years’ imprisonment; and
- distribution or publication of child pornography – up to 14 years’ imprisonment.
These offences may also have alternate monetary penalties. Certain provisions, such as those relating to terrorist propaganda, may permit the court to order the seizure and destruction of material.
What penalties may be imposed for failure to comply with cybersecurity regulations?
Penalties may vary for failure to abide by an appropriate standard of care with respect to cybersecurity. These may include discipline and sanctions by regulatory or self-regulatory bodies. There is no specific cybersecurity legislation of general application that specifies a penalty for non-compliance.