Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead or behind of the international curve?

We consider Canada to be ahead of the curve when it comes to data protection laws. A range of generally applicable mature privacy laws establish comprehensive frameworks for the collection, use and disclosure of personal information in the public, private and health sectors. In 2001, the European Commission formally recognised Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act, as providing an adequate level of protection for personal data transferred from the European Union to residents of Canada. Because Canadian privacy laws tend to be principles-based, they generally afford organisations more flexibility than the more prescriptive privacy laws that exist in some other jurisdictions, while still covering much of the same subject matter and granting similar individual rights. 

Are any changes to existing data protection legislation proposed or expected in the near future?

The Personal Information Protection and Electronic Documents Act was amended in 2015 to include new provisions requiring mandatory data breach reporting and notification. These provisions, along with the accompanying Breach of Security Safeguards Regulations, will be in force as of 1 November 2018.

Looking ahead, the coming into force in May 2018 of enhanced data protection requirements under the EU General Data Protection Regulations (GDPR) may lead to revisions to Canadian privacy laws, in order to maintain Canada’s status as a country recognised as providing an adequate level of data protection, such that personal data respecting EU residents may continue to be stored and processed here without any further safeguard being necessary. The European Commission is required to reassess Canada’s adequacy status, in light of GDPR requirements, by May 2020.

Growing concern with the effectiveness and focus of Canada’s Anti-Spam Legislation (CASL) resulted in a 2017 parliamentary committee report recommending a number of material revisions to the law. The government’s 2018 response to the report agreed with many of the recommendations, and indicated that the government would work with stakeholders to identify ways to address the concerns raised in the report. Accordingly, reform of CASL seems likely, although the timing is uncertain.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

Privacy and data protection requirements in Canada may originate from a number of different sources, depending on the nature of the information in question and the jurisdiction from which it was collected or in which it is held.

Since Canada is a federal state, its legal framework for privacy can be somewhat complex as statutes exist at both the federal and provincial level, a consequence of a complex constitutional division of powers in this area that includes certain areas of overlap between the two levels of government. The privacy law framework is also complicated by the fact that in many Canadian provinces, private sector privacy, public sector privacy and health sector privacy are governed by distinct statutory regimes. In addition, unique legal issues arise with respect to employee privacy.

From a private sector perspective, there are four generally applicable privacy and data protection statutes in Canada, one (the Personal Information Protection and Electronic Documents Act or PIPEDA) enacted federally, and three that have been enacted by the provinces of Alberta, British Columbia and Quebec and which largely govern the handling of personal information within those provinces, subject to certain circumstances in which PIPEDA continues to apply.

Each province also has its own privacy statute governing the health services sector, as well as its own public sector privacy statute.

There are also a number of sector-specific laws that include requirements respecting the collection, use and storage of personal information, including, for example, laws respecting transportation and telecommunications, or those relating to law enforcement and national security agencies.

Scope and jurisdiction

Who falls within the scope of the legislation?

PIPEDA, the federal law, applies to organisations subject to federal regulation, and to inter-provincial and international transactions involving personal information in the course of commercial activities, as well as to commercial organisations operating wholly in a province that has not enacted its own private sector privacy legislation. However, in employment contexts, PIPEDA applies only to the employees in the relatively small number of industries that are constitutionally under federal jurisdiction (eg, airlines, banks, railroads and telecommunications carriers), leaving several provinces without employee privacy legislation.

Provincial private sector laws apply to all private sector activities within a province that involve the collection, use and disclosure of personal information, including handling of personal information by non-profit organisations and both national and international businesses. These laws also cover employee privacy. However, these laws do not apply to inter-provincial and international transfers of personal information for consideration.

Health sector privacy laws vary slightly from province to province, but generally apply to:

  • licensed healthcare professionals;
  • hospitals;
  • clinics;
  • laboratories; and
  • long-term care facilities.

Public sector laws apply to federal, provincial and municipal governments and agencies, as well as some crown corporations (as certain arm’s-length government-owned enterprises are known in Canada). Public sector laws can also apply to certain healthcare institutions, given that the healthcare system is largely publicly funded in Canada.

What kind of data falls within the scope of the legislation?

Generally speaking, privacy laws apply to ‘personal information’, which is defined to include all information about a reasonably identifiable individual. Health information privacy laws apply to ‘personal health information’, a subset of personal information that relates to the physical or mental health of an individual, including the provision of treatment and eligibility for healthcare coverage.

Since personal information must be about an identifiable individual, aggregated and anonymous data is not generally considered to be personal information. However, Canadian courts have held that information will be about an ‘identifiable individual’ where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information. For example, in accordance with this interpretation, Canadian privacy commissioners tend to take the view that data tied to an IP address or device identifier will generally be considered to be personal information.

Are data owners required to register with the relevant authority before processing data?

Registration with a data protection authority is not required before processing data in any jurisdiction in Canada.

Is information regarding registered data owners publicly available?

N/A, registration by data owners is not required in Canada.

Is there a requirement to appoint a data protection officer?

Canadian privacy laws generally require organisations to appoint an individual to be accountable for compliance, although they do not require that such a person be known by any particular title.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The Office of the Privacy Commissioner of Canada is responsible for the enforcement of the federal private and public sector privacy laws. Information and privacy commissioners also exist in each province to enforce the public, private and health sector laws, as applicable, in that province.

Some provincial commissioners have order-making powers, but no commissioner has the power to impose financial penalties. Rather, following an investigation and report by a commissioner, the commissioner or a complainant must apply to a court of competent jurisdiction for additional relief, including monetary damages.

Failure to adhere to a limited number of specified obligations or prohibitions under private sector privacy laws also constitutes an offence, which may be prosecuted by the attorney general for the applicable federal or provincial jurisdiction. For example, a failure to report an incident or a breach to the appropriate commissioner constitutes an offence under both the federal and Alberta private sector privacy laws. Similarly, a failure to comply with an order of a provincial privacy commissioner may also constitute an offence. By contrast, in Quebec, most violations of the requirements of the private sector privacy law constitute offences, although the maximum penalties for a first offence are generally below C$10,000.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Canadian privacy laws tend not to be particularly prescriptive with respect to permitted purposes for the collection, use and disclosure of personal information; however, any such purposes must be objectively reasonable, even in cases where express consent has been obtained.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Each of the Canadian privacy laws contains a general obligation for organisations to retain personal information for only as long as is necessary to fulfil the purposes for which it was collected, subject to a general standard of reasonableness and any external legal requirements. Generally, any personal information that is the subject of a request for access, a complaint or an investigation must be retained as long as necessary to allow the affected individual to exhaust any recourse that they may have with respect to the request, complaint or investigation in question.

A variety of laws that do not specifically relate to privacy also impose, either expressly or by implication, specific retention periods for various types of record that may contain personal information.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, in all cases, individuals have a general right of access to data about them that is held by a private organisation, healthcare custodian or government institution, subject to certain limited exceptions, such as where providing such access would likely reveal personal information about a third party, or where the information is protected by solicitor-client privilege.

Do individuals have a right to request deletion of their data?

Generally speaking, individuals have the right to withdraw consent for the use or disclosure of their personal information, subject to certain legal or contractual restrictions. For example, organisations are not obligated to erase recent client credit information.

Consent obligations

Is consent required before processing personal data?

Under private sector laws, consent is required before any collection, use or disclosure of personal information, although the laws provide for both implied and express forms of consent, depending on the inherent sensitivity of the personal information in question. Under health sector privacy laws, consent is generally not required for use of personal health information within the ‘circle of care’; however, explicit consent is required for certain additional uses and disclosures. Consent is not required for most uses of personal information by governments, although consent is required in some jurisdictions for certain extraordinary uses and disclosures, such as cross-border transfers.

If consent is not provided, are there other circumstances in which data processing is permitted?

Private sector privacy laws set out a limited range of circumstances where consent is not required for the collection, use or disclosure of personal information. Examples of such exceptions include, among others, circumstances where the processing is:

  • clearly in the interest of the individual and consent cannot be obtained in a timely way;
  • for journalistic, artistic or literary purposes; or
  • required by law.

Health sector privacy laws generally allow for the processing of personal information without consent where necessary for the provision of healthcare services. Similarly, consent is generally not required by governments to process information for the purpose of providing government services.

What information must be provided to individuals when personal data is collected?

Generally speaking, where consent is required, the purposes for which consent is sought must be presented in a manner where the individual in question would understand the nature, purposes and consequences of the collection, use or disclosure of the personal information to which they are consenting.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Canadian privacy laws are not particularly prescriptive with respect to data security obligations, instead imposing a general obligation to protect personal information by security safeguards appropriate to the sensitivity of the information in question. The methods of protection are to include physical, organisational and technological measures and should safeguard the personal information in question against loss or theft, as well as unauthorised access, disclosure, copying, use or modification. The adequacy of security measures implemented by an organisation is often assessed by privacy commissioners with respect to implementation of recognised third-party certification and standards, as well as perceptions of prevailing security practices within the relevant industrial sector.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Aside from the federal private sector privacy law and the health sector privacy laws mentioned below, Canadian privacy laws do not currently include provisions requiring mandatory breach notification to affected individuals.

Recent amendments to the federal private sector privacy law that will come into force as of 1 November 2018 require organisations to notify affected individuals with respect to any breaches of security safeguards that are likely to result in significant direct harm to such individuals.

While notification of individuals is not required under Alberta’s private sector law, as noted below, reporting data breach incidents to the information and privacy commissioner for Alberta is required, and the commissioner may, following such a report, order the organisation to notify affected individuals.

Health sector privacy laws in the provinces of New Brunswick, Ontario, and Newfoundland and Labrador require notification to individuals with respect to certain types of data breach.

In the federal public sector, a Treasury Board of Canada directive imposes a requirement for all federal government institutions to notify affected individuals with respect to certain breaches of personal information.

In provinces in which data breach notification is not a legal requirement, there is nevertheless a strong presumption by privacy commissioners that individuals will be notified of material data breaches.

Are data owners/processors required to notify the regulator in the event of a breach?

As of 1 November 2018, breach notification provisions in the federal private sector privacy law will also require an organisation to report breaches of security safeguards to the Office of the Privacy Commissioner of Canada where such breaches are likely to result in significant direct harm to an individual. Alberta’s private sector law requires data breach reporting to the information and privacy commissioner for that province, based on a similar reporting threshold.

The health sector privacy laws in New Brunswick, Ontario, and Newfoundland and Labrador require reporting to the relevant privacy commissioners with respect to certain types of data breach.

Within the federal public sector, a Treasury Board of Canada directive imposes a requirement for all federal government institutions to report certain breaches of personal information to both the Treasury Board Secretariat and the Office of the Privacy Commissioner and to notify affected individuals.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

Canada’s Anti-Spam Legislation (CASL) generally prohibits the sending of commercial electronic messages (essentially, marketing and promotional messages) without prior explicit consent, subject to a number of exceptions. The law applies not just to mass messaging, but also to individually targeted messages, including messages sent to businesses as well as to individuals. CASL also imposes ‘form’ requirements on requests for consent, as well as on marketing and promotional messages themselves, including the requirement that such messages include an easy-to-use unsubscribe mechanism. Penalties for non-compliance can be substantial – up to C$10 million for organisations. The law also contains a private right of action, which is not yet in force.

Cookies

Are there rules governing the use of cookies?

While there are no cookie-specific laws or restrictions, existing privacy laws have been interpreted to apply to the use of cookies. Generally, cookies that are tied to a user’s IP address, device ID or other persistent identifiers will be considered to constitute personal information. Accordingly, the setting and use of cookies require consent, in line with the general requirement in Canadian private sector privacy laws for knowledge and consent to any collection, use or disclosure of personal information. While generally requiring prior express consent for the installation of computer programs on another’s computer system, CASL explicitly excludes the installation of cookies from this requirement, deeming consent to the installation of cookies in all circumstances in which the person’s conduct indicates such consent. Examples in which consent would not generally be implied in this way include situations in which a website attempts to override the consumer’s disabling of cookies or JavaScript in their browser.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

Private sector privacy laws generally permit the storage or processing of personal information outside of Canada, provided that consent has been obtained. In most cases, it is permissible to rely on implied consent for such purposes, such as by posting a notice or including a disclosure in an organisation’s privacy policy indicating that personal information may be transferred outside the country, where it will be subject to the local laws in the jurisdiction in which it resides.

Health sector statutes also generally allow for transfers of personal health information outside of Canada where necessary for the provision of healthcare services, but require individual consent for cross-border transfers in other circumstances.

Public sector laws in the provinces of British Columbia and Nova Scotia generally prohibit the transfer outside of Canada of personal information under the control of those respective provincial governments (including public institutions such as universities and hospitals), subject to ministerial approval (in British Columbia) or the approval of the head of the governmental body that proposes to conduct the transfer (Nova Scotia), or to other narrowly defined exceptions.

A number of sector-specific laws, such as federal laws respecting banking and insurance, require that certain records be retained in Canada.

Are there restrictions on the geographic transfer of data?

See above.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Under Canadian privacy laws, organisations generally remain responsible under the law for the appropriate handling of personal information under their custody or control, even where such information has been transferred to third parties for processing. In such cases, organisations are required to use contractual and other means to provide a comparable level of protection while the information is in the hands of the third party. Privacy commissioners require outsourcing organisations to select vendors with care, to bind them contractually to use transferred personal information only for the intended purposes, to keep it confidential and to protect it with appropriate security safeguards. Periodic audits of the third party and privacy training of third-party personnel are also required in some circumstances.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

For the most part, Canadian privacy statutes do not provide for direct financial penalties for non-compliance, although some privacy commissioners have order-making powers. All Canadian privacy commissioners issue public findings respecting privacy investigations. Following an investigation and report by a commissioner, the commissioner or a complainant may apply to a court of competent jurisdiction for additional relief, including monetary damages.

Penalties exist in some privacy laws with respect to a narrow set of behaviours. For example, the Personal Information Protection and Electronic Documents Act creates offences with respect to the destruction of personal information that is the subject of an access request and for the disciplining of employee whistleblowers who bring non-compliant behaviours to the attention of the privacy commissioner. The new breach notification provisions add offences for failing to report a data breach, as required by the law, and for failing to retain records of data breaches. Fines for these offences can be up to C$10,000 in less serious cases and up to C$100,000 in the most serious cases.

Offence provisions also exist under provincial privacy laws, varying by jurisdiction in terms of application and maximum penalties.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

As noted above, following an investigation by a privacy commissioner, an individual may apply to a court of competent jurisdiction for monetary damages, including for humiliation.

Four provinces have created statutory torts of invasion of privacy, which may be asserted to claim damages, in some cases, even where no real damages can be proven. In Quebec, breaches of privacy rights protected by the Civil Code of Quebec and the Quebec Charter of Human Rights and Freedoms can also lead to the award of monetary damages.

Compensation is also available in several provinces to individuals through civil actions based on the common law tort of invasion of privacy, and contract-based claims for damages stemming from data breaches are common.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

No Canadian statutes currently impose direct obligations on organisations to implement cybersecurity measures; however, the threat of awards of damages through civil litigation and public loss of trust provide strong incentives to implement robust security safeguards. Privacy laws require the maintenance of appropriate security safeguards.

There are many laws in Canada that prohibit activities that would generally be viewed as cybercrimes. For example, the Criminal Code includes a number of cybercrime-related offences, including:

  • child exploitation (including child pornography and child luring);
  • the unauthorised use of a computer system;
  • the theft of telecommunications services;
  • the unlawful interception of private communications;
  • identity theft and trafficking in identity information;
  • computer-related forgery; and
  • fraud.

Recently, Canada also enacted new criminal offences relating to cyberbullying.

Canada’s Competition Act prohibits misleading representations and deceptive marketing practices, including in electronic communications. Anti-malware provisions in Canada’s Anti-Spam Legislation (CASL) generally prohibit the unauthorised installation of a computer program on another person’s computer system.

Canada also has laws respecting the proliferation and export of controlled goods and technology, including encryption technologies.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

Many federal government departments – including the Department of Justice, the Royal Canadian Mounted Police (RCMP), Public Safety Canada and Global Affairs Canada – work together to protect citizens from the threat of cybercrime. Partnerships have also been developed between international, federal and provincial law enforcement agencies. One example of this type of coordination is the Canadian Anti-Fraud Centre, which is a joint effort of the RCMP, Ontario Provincial Police and the Competition Bureau to combat internet and mass-marketing fraud.

The federal government has also launched a broad Cyber Security Strategy to enhance protection from cyber threats for Canadian individuals, industries and governments. The strategy focuses on securing government systems, partnering with vital cyber systems outside of government and educating and providing tools to Canadians to help them remain secure online.

Canada is also active in international efforts to promote cybersecurity through organisations such as the G7, the UN Office on Drugs and Crime and Organisation of American States. Canada has ratified the Council of Europe Convention on Cybercrime.

The Office of the Superintendent of Financial Institutions (OSFI) regulates federally regulated financial institutions (FRFIs), including banks, most insurance companies and federal pension plans. OSFI does not currently have in place regulations requiring specific actions by FRFIs with respect to cybersecurity. However, OSFI issues guidance with respect to technology-based outsourcing and cybersecurity risk management and preparedness to assist in the implementation of useful cybersecurity practices.

Which cyber activities are criminalised in your jurisdiction?

See above.

Which authorities are responsible for enforcing cybersecurity rules?

Criminal offences are enforced by municipal, provincial and federal law enforcement agencies and by federal and provincial attorneys general. Other cybersecurity rules are enforced by independent agencies such as the Canadian Radio-television and Telecommunications Commission, the Competition Bureau and the Office of the Privacy Commissioner of Canada.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Cybersecurity insurance in Canada is available and increasingly used, to the extent that it is now one of the fastest-growing coverage categories in the Canadian insurance marketplace.

Are companies required to keep records of cybercrime threats, attacks and breaches?

Recent amendments to the federal private sector privacy law that will come into force on 1 November 2018 will require organisations to retain records of any breaches of security safeguards, regardless of whether such incidents would require reporting to the privacy commissioner or notification to affected individuals.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Aside from the breach notification requirements in Canadian privacy laws, as discussed above, companies are generally not required by law to report cybercrime incidents, although many share such information voluntarily through private and public sector cybersecurity and critical infrastructure protection forums. A number of formal reporting channels also exist, such as:

  • the Canadian Anti-Fraud Centre;
  • the Spam Reporting Centre;
  • the Canadian Centre for Child Protection (Cybertip); and
  • the Canadian Cyber Incident Response Centre.

Are companies required to report cybercrime threats, attacks and breaches publicly?

Beyond notification to affected individuals of data breaches, there are no legal requirements to report cybercrime threats publicly. However, public companies are increasingly being encouraged, in guidelines and policies issued by Canada’s securities regulators, to increase disclosure of cyber threats, attacks and breaches in their public documents. In performing their assessment as to whether a cybersecurity incident must be disclosed in their public disclosure, public companies must rely on the traditional materiality tests set by Canadian securities law as well as case law to determine whether a cyber incident or breach constitutes a ‘material fact’ or a ‘material change’ and if so, when the incident should be disclosed.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

Penalties for cybercrime offences vary. Criminal offences carry a range of potential penalties, including substantial fines and imprisonment. Non-compliance with CASL can result in administrative penalties of up to C$1 million for individuals or C$10 million for organisations. Violations of the misleading representation and deceptive marketing provisions of the Competition Act may be prosecuted as criminal offences, punishable on summary conviction by fines up to C$200,000 or one year’s imprisonment or (alternatively) enforced civilly, with the possibility of fines of up to C$1 million for individuals and C$15 million for corporations. Both CASL and the Competition Act provide for potential officer and director liability.

What penalties may be imposed for failure to comply with cybersecurity regulations?

Not applicable.