Legal and regulatory framework

Government approach

How can the government’s attitude and approach to internet issues best be described?

Digital businesses in Canada are treated similarly to other businesses: they are regulated by the same agencies and are subject to the same laws. Canadian e-commerce legislation imposes a media-neutral approach to commercial information, and electronic communications and documents are considered functionally equivalent to their paper counterparts.

Legislation

What legislation governs business on the internet?

In Canada legislative jurisdiction is divided between the federal government and the 10 provinces (with three northern territories also having some of the powers of provinces). Many areas of law that relate to e-commerce (eg, employment, property, consumer protection, securities and contract law) are governed predominantly by provincial legislation, which means that businesses must often deal with multiple provincial regulatory regimes.

Areas of federal jurisdiction include:

  • competition;
  • misleading advertising;
  • broadcasting;
  • intellectual property; and
  • anti-spam legislation.

Privacy falls under both federal and provincial jurisdiction. The federal legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), governs federally regulated businesses and any other business in respect of transferring personal information across a border. As a default rule, PIPEDA also applies to transfers occurring entirely within a province unless and until that province enacts its own substantially similar legislation, as Alberta, British Columbia and Quebec have done.

Federally regulated businesses – including banks, interprovincial transport companies, broadcasters and telecoms companies – are not subject to direct regulation by the provinces. For example, federal employment and labour laws supplant the equivalent provincial laws in this narrow range of industries.

Regulatory bodies

Which regulatory bodies are responsible for the regulation of e-commerce, data protection and internet access tariffs and charges?

Canadian digital businesses are regulated by the same agencies that regulate other businesses. They can expect to engage with federal agencies such as the Competition Bureau, the Canadian Radio-Television and Telecommunications Commission (notably with respect to anti-spam laws), the Canadian Intellectual Property Office and the Office of the Privacy Commissioner of Canada, as well as authorities at the provincial level, such as provincial privacy commissioners (where provincial privacy laws apply) and securities commissions.

Jurisdiction

What tests or rules are applied by the courts to determine the jurisdiction for internet-related transactions or disputes in cases where the defendant is resident or provides goods or services from outside the jurisdiction?

In the absence of a forum selection clause, the Canadian courts will usually assert jurisdiction if a real and substantial connection exists between the forum and either the proceeding or the defendant. Historically, the Canadian courts have used one of the following tests to determine jurisdiction relating to online and digital transactions and disputes:

  • Passive versus active test – the Canadian courts examine the level of interaction available to individuals in their jurisdiction. If interaction with the website is possible, the court will generally find a sufficient connection to its jurisdiction. This test has become obsolete with the growth of interactive websites.
  • Purposeful direction test – if an internet presence is purposefully directed towards individuals in a jurisdiction, a real and substantial connection will generally exist.
  • Foreseeability test – if the parties would have reasonably foreseen that they would become answerable to a foreign court, a real and substantial connection may be found.

Recent decisions have most frequently applied the foreseeability test.

However, even where a forum selection clause does exist, the Canadian courts may apply equitable doctrines to overturn it if it requires a consumer to litigate in a foreign jurisdiction and the clause was essentially imposed on them. This principle was most prominently affirmed by the Supreme Court of Canada in its 2017 ruling in Douez v Facebook. There, the court refused to enforce an otherwise valid forum selection clause in Facebook’s terms of use agreement which would have required the plaintiff to sue Facebook for an alleged privacy breach in California rather than in British Columbia. The court held that the parties’ unequal bargaining power and the quasi-constitutional nature of privacy rights provided strong cause not to enforce the clause. Going forward, it is unclear whether the Supreme Court will simply expand or clarify the application of Douez or create a new approach to forum selection clauses entirely.

Establishing a business

What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?

No special legal requirements apply to the establishment of a digital business in Canada. Like all businesses, digital businesses must:

  • register their business name;
  • comply with regulations; and
  • obtain licences and permits relating to the goods that they sell.

If they wish to incorporate, they may do so under any federal, provincial or territorial business corporations act.

Contracting on the internet

Contract formation

Is it possible to form and conclude contracts electronically? If so, how are contracts formed on the internet? Explain whether ‘click wrap’ contracts are enforceable, and if so, what requirements need to be met?

Each Canadian province (except Quebec) has an e-commerce statute that is based on the United Nations Model Law on Electronic Commerce. Quebec’s statute is broadly consistent with the model law but was developed independently. Under the functional equivalence principle, electronic contracts are valid where there is offer and acceptance. Both web-wrap and click-wrap agreements are enforceable by the Canadian courts if the offer and acceptance requirements are met.

Case law has established rules for valid electronic consent that are similar to those in many other jurisdictions. In the leading case of Rudder v Microsoft (1999), it was held that clicking on an ‘I agree’ icon served as valid acceptance of an offer. In Kanitz v Rogers Cable Inc (2002), the court recognised a party’s ability to unilaterally change the terms of a paper agreement by posting the changes on a website in accordance with the terms of the original agreement.

Applicable laws

Are there any particular laws that govern contracting on the internet? Do these distinguish between business-to-consumer and business-to-business contracts?

Each Canadian province (except Quebec) has an e-commerce statute that is based on the United Nations Model Law on Electronic Commerce. Quebec’s law is similar to the model law but was developed independently. Under the functional equivalence principle, an electronic contract (like any other contract) is valid where there is offer and acceptance. Thus, both web-wrap and click-wrap agreements can be binding contracts where the offer and acceptance requirements are met. Consumer protection legislation at the provincial level provides various protections in the case of business-to-consumer online contracts, including a cooling-off period in some cases, that might not exist in the case of a business-to-business contract.

Electronic signatures

How does the law recognise or define digital or e-signatures?

Provincial e-commerce acts provide that the legal requirement of a signature is satisfied by a signature produced electronically, with a few exceptions (eg, wills, powers of attorney, negotiable instruments and affidavits).

E-signature best practices include:

  • giving proper notice that e-signatures will be used;
  • ensuring that the method of collecting the e-signatures complies with privacy requirements; and
  • keeping records that demonstrate consent.

Data retention

Are there any data retention or software legacy requirements in relation to the formation of electronic contracts?

Electronic contracts are functionally equivalent to paper contracts and are thus subject to identical retention requirements (eg, a six-year minimum retention period for tax purposes). Electronic records are equivalent to paper originals if there is a reliable assurance of their integrity and they are retainable for future reference by the person to whom they are provided.

Breach

Are any special remedies available for the breach of electronic contracts?

No.

Security

Security measures

What measures must be taken by companies or ISPs to guarantee the security of internet transactions? Is encryption mandatory?

A company’s or an ISP’s security obligations in respect of internet transactions are generally determined by contract. Encryption may also be an aspect of compliance with industry standards. For example, financial institutions or third-party payment processors may comply with the Payment Card Industry Data Security Standard (PCI DSS), which contains encryption requirements. CyberSecure Canada, a voluntary federal cyber certification programme launched in 2019, certifies small and medium-sized businesses that meet certain security benchmarks, including with respect to encryption.

Privacy laws also require the implementation of appropriate security safeguards to protect personal information from unauthorised access, use or disclosure, including in the course of internet transactions.

Government intervention and certification authorities

As regards encrypted communications, can any authorities require private keys to be made available? Are certification authorities permitted? Are they regulated and are there any laws as to their liability?

Canada has no general laws that empower regulatory authorities to require private keys to be made available. Licence conditions imposed on wireless telecoms carriers require them to configure their networks to facilitate authorised interceptions by law enforcement and national security agencies. This includes providing decryption for signals that the provider itself has encrypted, but not encryption technology used by a customer.

Electronic payments

Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?

Provincial privacy legislation applies to electronic payment systems that retain consumer data. There are also industry best-practice standards (eg, the PCI DSS rules) that are designed to safeguard consumer information in the electronic payment process. Some of these rules include ensuring that:

  • only necessary consumer data is available to acceptors during a transaction;
  • the acquirer or acceptor cannot access a consumer’s account balance;
  • a firewall configuration is maintained; and
  • any transmission of data across open public networks is encrypted.

Financial institutions offering mobile wallet services agree to abide by the Code of Conduct for the Credit and Debit Card Industry in Canada, including allowing consumers to:

  • select the payment source that they want to use for each transaction;
  • easily change electronic payment settings; and
  • clearly see each payment source on the app.

Requirements relating to mobile wallets are enforced by the Financial Consumer Agency of Canada. 

Are there any rules or restrictions on the use of digital currencies?

Canadian businesses dealing in virtual currencies must now register with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Canada’s federal financial transactions analysis unit. However, the necessary regulatory framework is likely to be in place only as of late 2019. The new regime will require FINTRAC registration and establishment of an anti-money laundering compliance programme, led by a chief anti-money laundering officer.

Domain names

Registration procedures

What procedures are in place to regulate the licensing of domain names? Is it possible to register a country-specific domain name without being a resident in the country?

The Canadian Internet Registration Authority (CIRA) manages the ‘.ca’ country code through accredited registrars. CIRA has established several rules for the registration of ‘.ca’ domain names, including the Canadian presence requirements, which limit registration to individuals and organisations that are sufficiently connected to Canada (including corporate entities, if certain conditions are met). Any holder of a trademark that is registered under Canada’s Trademarks Act may apply to register the exact word component of the mark as a ‘.ca’ domain.

There is no requirement to use ‘.ca’ domain names in Canada. Many businesses use ‘.com’ or other top-level domains in place of or in addition to ‘.ca’. Registration of a ‘.com’ domain name is effected in the same way as in other countries and does not involve CIRA.

Rights

Do domain names confer any additional rights beyond the rights that naturally vest in the domain name?

A domain name may be registerable as a trademark under the Trademarks Act and may accrue common-law trademark rights if it:

  • is also used as a trademark as required by the federal Trademarks Act (ie, the domain name is marked on goods or packaging of goods or used in the performance or advertising of services); and
  • meets other registrability requirements under the Trademarks Act (eg, inherent distinctiveness, non-descriptiveness and not being confusingly similar to prior registrations or pending applications).

Such trademark rights can be used to support claims for trademark infringement and passing off. They may also assist in domain-name dispute resolution proceedings.

Trademark ownership

Will ownership of a trademark assist in challenging a ‘pirate’ registration of a similar domain name?

Yes. In a recent case, the global messaging platform WhatsApp was able to secure the ‘whatsapp.ca’ domain name from a cybersquatter that was found to have registered the name without a legitimate interest and in bad faith. The fact that WhatsApp, a US company, had registered its trademark in Canada satisfied the Canadian presence requirements that apply to ‘.ca’ registrations.

Dispute resolution

How are domain name disputes resolved in your jurisdiction?

In the case of ‘.ca’ domain names, the registrant must submit to a proceeding under the CIRA Dispute Resolution Rules if a complainant has asserted that:

  • the registrant’s ‘.ca’ domain name is confusingly similar to a mark in which the complainant had rights prior to the date of registration of the domain name and continues to have such rights;
  • the registrant has no legitimate interest in the domain name as described; or
  • the registrant has registered the domain name in bad faith.

The British Columbia International Commercial Arbitration Centre and Resolution Canada Inc are the two designated dispute resolution service providers in Canada.

Disputes involving ‘.com’ and other generic top-level domains are handled under generally applicable processes established by the Internet Corporation for Assigned Names and Numbers.

Advertising

Regulation

What rules govern advertising on the internet?

Canada has general competition laws and specific anti-spam laws that apply to digital advertising.

The misleading advertising provisions of Canada’s Competition Act apply to all online representations, including those that relate to online sales. If an ad originates outside Canada but may influence the Canadian public, the Competition Act may apply.

Canada’s anti-spam legislation applies to the sending of commercial electronic messages, including ads sent to an electronic address, such as an email address, or direct messages to a social network address. Businesses cannot send commercial electronic messages without the explicit consent of the recipient. Commercial electronic messages must also be in a prescribed form, including information such as sender identification and contact details and a no-cost, easy unsubscribe mechanism. There are some exceptions to these new rules. For example, ‘existing business relationships’ (as narrowly defined in the law) may not have to adhere to the stricter requirements outlined above.

Under privacy laws, privacy commissioners have also imposed restrictions requiring notice and consent with respect to the use of cookies and other internet-tracking technologies for the purpose of behaviourally targeted online advertising.

Other sectoral laws that restrict advertising may also apply to internet-based advertising, such as those that apply to pharmaceuticals, alcohol and tobacco products.

Definition

How is online advertising defined? Could online editorial content be caught by the rules governing advertising?

Laws that include broad restrictions on promotions – such as with respect to alcohol and cannabis products – could potentially apply to editorial content on a website.

Misleading advertising

Are there rules against misleading online advertising?

The Competition Act prohibits misleading representations and deceptive marketing practices, including in electronic communications.

To contravene the Competition Act, either the general impression or the literal meaning of a representation must be materially false or misleading. Materiality is determined by considering whether the representation could influence consumers to buy a product or service and is generally held to extend to representations that influence buyers’ conduct (eg, by inducing consumers to visit one website rather than another).

Ads relating to political campaigns are subject to new regulations that came into effect in 2018. A significant onus is placed on major online platforms to maintain records of those that purchase political ads and to avoid accepting such advertising from foreign actors.

Restrictions

Are there any products or services that may not be advertised on the internet?

Goods and services sold online are generally subject to the same restrictions that apply to advertising in general. The advertising of medications, alcoholic beverages, tobacco products and cannabis is heavily regulated.

Hosting liability

What is the liability of content providers and parties that merely host the content, such as ISPs? Can any other parties be liable?

Liability of ISPs for defamation is a complex issue in Canada, with no specific legislation in place to provide a safe harbour for website owners that remove libellous content within a reasonable period. However, it is possible that the Canadian courts would be influenced in some circumstances by a good-faith effort to remove such content. In addition, the defence of innocent dissemination has been recognised as applying to ISPs that are passive actors, although not necessarily to website owners (see Roy v Ottawa Capital Area Crime Stoppers (2018), an interlocutory ruling from Ontario).

The Copyright Act does not attribute liability to third-party conduits such as ISPs that act as neutral intermediaries. However, these conduits may be liable or have obligations imposed on them if a party holding a copyright provides them with a notice of infringement. Under the ‘notice and notice’ provisions of the Copyright Act, an ISP must forward such a notice to the infringing user and create appropriate records.

There is no similar legislation for trademarks, although ISPs may have to remove infringing content pursuant to any injunction that may be obtained.

Financial services

Regulation

Is the advertising or selling of financial services products to consumers or to businesses via the internet regulated, and, if so, by whom and how?

Responsibility in this area is divided between federal and provincial authorities. Federal laws focus on ensuring consumers a safe, fair and competitive marketplace (eg, by regulating deceptive marketing) and regulating consumer transactions entered into by financial institutions that fall within federal authority (eg, banks). In addition to applying provincial jurisdiction over contract law to consumer contracts, provincial laws also provide for the regulation and licensing of businesses that deal with consumers, particularly where consumer credit is involved. For example, Quebec’s Insurers Act, which came into force in 2019, creates specific requirements for the online sale of insurance in Quebec.

Defamation

ISP liability

Are ISPs liable for content displayed on their sites? How can ISPs limit or exclude liability?

Liability of ISPs for defamation is a complex issue in Canada, with no specific legislation in place to provide a safe harbour for website owners that remove libellous content within a reasonable period. However, it is possible that the Canadian courts would be influenced by a good-faith effort to remove such content. In addition, the defence of innocent dissemination has been recognised as applying to ISPs that are passive actors, although not necessarily to website owners (see Roy v Ottawa Capital Area Crime Stoppers (2018), an interlocutory ruling from Ontario).

Shutdown and takedown

Can an ISP shut down a web page containing defamatory material without court authorisation?

The common law of injunctions governs content takedowns. Therefore, parties must obtain a court order to take down content infringing on their rights. There is no legislation requiring ISPs to take down content once they have received notice that the content infringes copyright, trademark rights or other IP rights. 

Intellectual property

Third-party links, content and licences

Can a website owner link to third-party websites without permission?

Yes.

Can a website owner use third-party content on its website without permission from the third-party content provider? Could the potential consequences be civil in nature as well as criminal or regulatory?

It depends on whether an infringement of copyright would occur. In general, it must first be determined whether the use would be a substantial taking under Canadian copyright law (this depends on various quantitative and qualitative factors). If there would be a substantial taking, then a fair-dealing exemption might apply (eg, if the purpose of the taking were research or private study). The fair-dealing analysis would look at quantitative factors as well as at the existence of alternatives, the nature of the work in question and the effect of the taking on the work, among other considerations.

The Copyright Act includes civil consequences (awards of damages) for infringement, while also creating criminal offences that can lead to fines (up to C$1 million) and imprisonment (up to two years). These criminal consequences typically arise in the context of unauthorised commercial exploitation of copyrighted works.

Can a website owner exploit the software used for a website by licensing the software to third parties?

Not as a matter of course. It would need to have the legal right to create such a licence.

Are any liabilities incurred by links to third-party websites?

It depends. If third-party links lead to malware or otherwise cause users’ data, personal or otherwise, to be compromised, the presence of the links is treated as if it were a data breach and is accordingly governed by the Digital Privacy Act, the Personal Information Protection and Electronic Documents Act and the Criminal Code. Recent guidance released by the Canadian Radio-Television and Telecommunications Commission (CRTC) further signals that links to third-party websites may establish a basis for liability under Canada’s anti-spam legislation for failing to do enough to stop the non-compliant activities of third parties, even if the business did not intend to do so or was unaware that its activities enabled or facilitated contraventions of the law. Canada’s anti-spam legislation allows penalties of up to C$10 million per violation.

In Crookes v Newton (2011) the Supreme Court of Canada held that hyperlinks to defamatory content do not constitute defamation. In Warman v Fournier (2012) the Federal Court held that a hyperlink to a copyrighted work is not copyright infringement where the owners of the linked work essentially authorised the work’s telecommunication to the public by posting it online.

Video content

Is video content online regulated in the same way as TV content or is there a separate regime?

Video content online is not currently regulated in the same way as video content distributed through conventional over-the-air signals or closed distribution channels, such as cable and satellite distributors. 

Although internet-delivered video content is viewed as ‘broadcasting’ under the broad definition contained in the Broadcasting Act, the CRTC has issued a broad exemption order for digital media broadcasting undertakings, so that such services are subject neither to licensing nor to the prescriptive regulations that apply to more conventional television content. Rather, digital media broadcasting undertakings are subject only to certain conditions, such as the requirement that such undertakings not give undue preferences (eg, by providing services that favour a particular internet service provider).

However, there is increasing pressure on the Canadian government to make fundamental changes to the regulatory framework for broadcasting in Canada. The government initiated a broad broadcasting and telecoms legislative review in June 2018, appointing an expert panel to examine issues such as:

  • the challenges of ensuring Canadian content creation and distribution in the digital age; and
  • issuing recommendations to the government with respect to potential changes to the regulatory framework.

A 2019 summary of written comments received by the panel indicates that most interested parties from the cultural sector advocated the extension of TV-like regulation to online content. Others proposed that online streaming services be treated in a manner analogous to more traditional broadcasting services, including with respect to Canadian content requirements. The panel’s report is expected in 2020.

IP rights enforcement and remedies

Do authorities have the power to carry out dawn raids and issue freezing injunctions in connection with IP infringement?

Police forces investigating criminal offences under the Copyright Act or the Criminal Code may apply to court for, and then execute, search warrants and may seize and cause the forfeiture of assets in accordance with the law.

What civil remedies are available to IP owners? Do they include search orders and freezing injunctions?

IP owners that successfully sue for infringement have access to a wide range of civil remedies, including:

  • injunctions;
  • damages;
  • an accounting of profits;
  • destruction of infringing goods;
  • cost awards; and
  • statutory damages for copyright infringement. 

In non-criminal matters, Canadian jurisdictions recognise the Anton Piller order – essentially a civil search warrant pursuant to which a plaintiff may search a target premises and remove evidence for the purpose of preserving it. A strict test must be met before a court will issue such an order, the execution of which must be supervised by an impartial lawyer appointed for that purpose.

Also available are Mareva injunctions, which are interlocutory court orders that freeze a defendant’s assets pending final resolution of a matter. Due to their potential effects, Mareva injunctions are also subject to a strict test that includes consideration of the seriousness of the risk that the defendant would remove or dissipate the assets.

Data protection and privacy

Definition of ‘personal data’

How does the law in your jurisdiction define ‘personal data’?

Generally speaking, privacy laws apply to ‘personal information’, which is defined to include all information about a reasonably identifiable individual. The Canadian courts have interpreted this concept broadly and expansively. According to the Office of the Privacy Commissioner of Canada, information such as tracking information collected from GPS and radio-frequency identification tags may be considered personal information. Further, IP addresses and persistent device identifiers (and associated data) may be personal information, on the assumption that in many cases, in combination with other available information, such addresses and identifiers can be associated with an identifiable individual. This includes cookies and other tracking technologies, the use of which accordingly requires the subject’s knowledge and consent (which may be implied).

Aggregated data and data that has been reliably and irreversibly de-identified is not considered to be personal information, although there is no defined standard for reliable de-identification. In general, information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information.

‘Sensitive personal data’ is not explicitly defined under Canadian privacy statutes governing the private sector. However, these laws generally include explicit consent requirements and more robust security safeguards for certain types of sensitive information. For example, the Personal Information Protection and Electronic Documents Act (PIPEDA) specifically states that while ‘any information can be sensitive depending on the context’, financial information and health-related information is almost always sensitive.

Registration requirements

Do parties involved in the processing of personal data, such as website owners, have to register with any regulator to process personal data?

No, although Canadian privacy laws generally require organisations to appoint an individual to be accountable for compliance, often under the title chief privacy officer.

Cross-border issues

Could data protection laws and regulatory powers apply to organisations or individuals resident outside of the jurisdiction?

PIPEDA applies to both the handling of personal information by organisations operating in Canada (ie, with a tangible presence in Canada) and the collection, use and disclosure of personal information relating to individuals who are resident in Canada. Accordingly, the act generally applies to organisations outside Canada that collect and use the personal information of Canadian residents. While, from a practical perspective, Canadian authorities cannot directly enforce orders against foreign organisations with no tangible presence in Canada, extraterritorial enforcement is possible through treaties and memoranda of understanding with foreign counterparts. The Office of the Privacy Commissioner of Canada has conducted several investigations in cooperation with the US Federal Trade Commission and other foreign regulators.

While PIPEDA is silent on its territorial reach, the Canadian courts have applied the common law real and substantial connection test to determine whether PIPEDA should apply and whether the Office of the Privacy Commissioner of Canada has jurisdiction to address a privacy complaint arising outside Canada. In AT v Globe24h.com (2017) the Federal Court determined that it had jurisdiction to make an extraterritorial order with worldwide effect requiring a foreign resident to remove from the Internet documents containing personal information about Canadian citizens in violation of PIPEDA requirements (the ability of the court to enforce such an order would be subject to principles of international law and comity).

While Canada’s private-sector privacy laws do not prohibit the transfer of personal data outside Canada, PIPEDA requires organisations that transfer data outside Canada to clearly explain to consumers that their information may be processed in a foreign country when their personal information is collected. This requirement is significant in many outsourcing situations. It is usually permissible to rely on implied consent for such purposes (eg, by posting a notice or including appropriate disclosure in an organisation’s privacy policy).

Certain sectors can be subject to specific requirements:

  • For digital businesses that serve enterprise and institutional clients, it should be noted that a number of sector-specific laws (eg, federal laws respecting banking and insurance) require that certain records be retained in Canada.
  • Legislation in British Columbia and Nova Scotia generally prohibits the storage or processing outside Canada of personal information held or under the control of government agencies and public institutions (including universities and hospitals).
  • Provincial health information privacy laws may prohibit transfers of personal health information outside Canada (or the province) without explicit consent in many circumstances. While these laws apply directly only to healthcare providers and supporting organisations such as laboratories, they can indirectly affect electronic service providers that work with the healthcare sector.

Customer consent

Is personal data processed on the basis of customer consent or other grounds? What is the commonly adopted mechanism for obtaining customer consent or establishing the other grounds for processing?

Unlike European laws that allow processing on grounds such as ‘legitimate interests’ or ‘necessary for the performance of a contract’, Canadian private sector laws are generally consent based, subject to certain limited exceptions. Consent is generally required for any collection, use or disclosure of personal information, although the laws generally allow for both implied and express forms of consent, depending on the sensitivity of the personal information in question. For example, PIPEDA requires express (ie, opt-in) consent when the personal information collected, used or disclosed is sensitive (eg, in the case of a person’s health or financial information). Implied (ie, opt-out) consent is permissible under PIPEDA where the personal information is not sensitive (eg, a person’s mailing address in the case of a mainstream magazine subscription). The federal, British Columbia and Alberta commissioners have issued joint guidance indicating that explicit consent should be obtained for any collection, use or disclosure of personal information that:

  • involves sensitive information;
  • would be outside the reasonable expectations of the individual; or
  • would create a meaningful residual risk of significant harm.

Under Quebec’s provincial legislation, consent must be manifest, free, enlightened and given for a specific purpose.

Canadian private sector laws also generally provide that any collection, use or disclosure of personal information must be only for purposes that a reasonable person would consider appropriate in the circumstances. Even where consent has been obtained, privacy commissioners have found violations where personal information was used to profile individuals in a way that led to unfair or discriminatory treatment, or where it was used for purposes of conducting surveillance on individuals.

Private sector privacy laws set out a limited range of circumstances where consent is not required for the collection, use or disclosure of personal information. Examples of such exceptions include circumstances where the processing is:

  • clearly in the interest of the individual and consent cannot be obtained in a timely way;
  • for journalistic, artistic or literary purposes; or
  • required by law.

Sale of data to third parties

May a party involved in the processing of personal data, such as a website provider, sell personal data to third parties, such as personal data about website users?

The general requirement of consent under Canada’s private sector privacy laws applies to the sale or other disclosure of personal information to third parties for their own purposes. In such a scenario, a website provider must obtain the consent of the individuals whose information would be disclosed. Whether implied consent suffices will depend on:

  • the sensitivity of the personal information to be sold or disclosed;
  • the intended uses of that information; and
  • the reasonable expectations of the individuals in question.

Moreover, any sale or other disclosure to a third party for its own purposes must be appropriate in the circumstances (on a reasonable person analysis).

To the extent that the website provider is not the controller of the personal data, its ability to sell or otherwise disclose such data to third parties for their own purposes would be governed by the terms of its contract with the controller. Under Canadian privacy laws, organisations generally remain responsible under the law for the appropriate handling of personal information under their custody or control, even where such information has been transferred to third parties for processing. In such cases, organisations must use contractual and other means to provide a comparable level of protection while the information is in the hands of the third party. Privacy commissioners require outsourcing organisations to:

  • select vendors tasked with processing and handling personal information with care;
  • bind vendors contractually to use transferred personal information only for the intended purposes;
  • keep personal information confidential; and
  • protect personal information with appropriate security safeguards.

Periodic audits of the third party and privacy training of third-party personnel are also required in some circumstances.   

Under health information privacy laws, disclosure of personal information to a third party for its own purposes would require the express consent of the individuals to whom the information relates.

Purchasers of personal information from third parties must be aware that Canadian private sector privacy laws provide that a buyer may receive and use such information only with the consent of the individuals to whom the information relates. Accordingly, since the purchaser would have no direct relationship with the individuals in question, it would have to confirm (and is responsible at law for confirming) that the seller obtained all necessary consents, in the required form, to enable the transfer of the information to the buyer for the buyer’s intended purposes. The individuals to whom the information relates should have been clearly and accurately informed at the point of collection about how their information would be used and should have consented to the collection and use of their personal data for marketing purposes.

Any use of acquired personal information for direct marketing communications, either through electronic messages or by telephone, would require the consent of the individuals to whom the information relates as per Canada’s anti-spam law and may also be subject to the National Do Not Call List or the consent requirements under the Unsolicited Telecommunications Rules.

Customer profiling

If a website owner is intending to profile its customer base to carry out targeted advertising on its website or other websites visited by its customers, is this regulated in your jurisdiction?

Canada does not have specific regulations on the use of targeted advertising, but privacy laws apply to the collection, use and disclosure of personal information for the purpose of online targeted advertising.

For example, the Office of the Privacy Commissioner of Canada has released a policy position stating that, under the federal private sector privacy law (ie, PIPEDA), organisations must obtain meaningful consent for the collection, use and disclosure of personal information, including personal information used for targeted advertising. The Office of the Privacy Commissioner of Canada generally takes the position that any cookies or other internet-tracking technologies that collect information tied to IP addresses, device IDs or other permanent identifiers will be considered personal information. Accordingly, website operators, ad networks and advertisers must obtain consent in order to use these technologies for targeted advertising, individual profiling and analytics. Tracking technologies and techniques that do not allow for consumer control through browser preferences or other tools (eg, so-called ‘zombie cookies’, ‘supercookies’ and third-party cookies disguised as first-party cookies) are not permitted.

Implied consent (with an opt-out) is generally acceptable for such purposes, provided that adequate and reasonably prominent notice is provided to users (eg, via online banners, layered approaches and interactive tools). Many businesses also comply through participation in digital advertising services that allow users to obtain information about behavioural advertising and opt out of targeted advertising from all or some advertisers. The Digital Advertising Alliance Canada is perhaps the most widely used service in this regard.

The Office of the Privacy Commissioner of Canada has also indicated that regardless of the notional receipt of consent, the use of certain types of personal information for the purposes of targeted advertising and profiling is not compliant with privacy law. For example, medical information and other sensitive information cannot be used to target advertising and children under 13 must not be targeted using personal information, whether sensitive or not. Profiling that could lead individuals to be discriminated against on grounds prohibited in human rights legislation is also prohibited, as is any other form of profiling that is unethical or illegal.

Data breach and cybersecurity

Does your jurisdiction have data breach notification or other cybersecurity laws specific to e-commerce?

The federal and Alberta private sector privacy laws require mandatory reporting to the applicable privacy commissioner of any breaches of security safeguards involving personal information where it is reasonable in the circumstances to believe that the breach has created a real risk of significant harm to an individual. Such reports must be made as soon as feasible after it is determined that a breach occurred. The federal law requires that organisations also notify affected individuals of such breaches, whereas the Alberta law gives the Alberta information and privacy commissioner the power to order an organisation to notify affected individuals, following receipt of the report to the commissioner required by Alberta’s law. 

Under federal law, organisations experiencing a breach giving rise to a real risk of significant harm must also notify other organisations that may be able to mitigate the harm to affected individuals. There is also a two-year record-retention requirement, even where the incident need not be reported to the Office of the Privacy Commissioner of Canada.

Canadian privacy laws impose obligations on organisations handling personal information to protect such information using technological, organisational and physical security safeguards appropriate to the sensitivity of the information in question. When it comes to e-commerce specifically, statutes that deal with cybercrime include:

  • the Criminal Code, which applies in all provinces and contains a range of general provisions that would apply to e-commerce environments, such as prohibitions regarding:
    • hacking;
    • the interception of communications;
    • fraud;
    • theft;
    • forgery;
    • the unauthorised use of a credit card; and
    • identity theft; and
  • the federal anti-spam law, which prohibits non-consensual software installation on computer systems, including malware.

The Canadian Securities Administrators also provide guidance to Canadian businesses on how to prevent cybercrime as part of their members’ mandates to regulate the capital markets across Canada’s 13 provinces and territories.

What precautionary measures should be taken to avoid data breaches and ensure cybersecurity?

To avoid a breach of proprietary, sensitive or personal data, employers could consider:

  • adopting a comprehensive documented information management and security policy, including certification against recognised security standards;
  • implementing access controls, firewalls, encryption, containerisation and tracking systems to prevent external intrusions into the system;
  • implementing internal processes and controls (preferably hardwired) to limit internal access to proprietary, sensitive and personal data;
  • restricting or prohibiting the storage of such data on portable devices, unless protected by robust encryption;
  • implementing scanning technology to avoid the potential spread of malware into internal networks via portable digital media;
  • tracking internal system use by employees and contractors;
  • monitoring third-party vendors that could access personal information or financial data;
  • implementing filtering and scanning solutions to stop the spread of malware via email and other electronic communications;
  • training employees about data breach risks and best practices relating to passwords, encryption keys and software updates, and creating awareness of common phishing scams and other fraudulent schemes that may target individual employees; and
  • testing incident response plans and other security measures through periodic vulnerability scans and penetration tests.

Insurance

Is cybersecurity insurance available and commonly purchased?

Cybersecurity policies are increasingly common in Canada. A 2018 FICO survey found that only 40% of Canadian firms had cybersecurity insurance against all likely risks, while 22% had no coverage at all. 

Right to be forgotten

Does your jurisdiction recognise or regulate the ‘right to be forgotten’?

Canada does not recognise a right to be forgotten as such. However, a 2018 Draft Position Paper on Online Reputation, issued by the Office of the Privacy Commissioner of Canada, suggested that the rights granted to individuals under PIPEDA extend to requiring websites to take down content and search engines to de-index (ie, remove from search results) links to online content that could damage an individual’s reputation, subject to other considerations, including freedom of expression rights under the Charter of Rights and Freedoms. Based on objections raised by Google with respect to this interpretation, in October 2018 the Office of the Privacy Commissioner of Canada filed a reference with the Federal Court of Canada, seeking a ruling on whether PIPEDA applies to the operation of Google’s search engine. The court’s decision on that reference is still pending and existing investigations into complaints relating to de-indexing requests have been stayed pending the results of the reference, as has the finalisation of the Office of the Privacy Commissioner of Canada’s Draft Position Paper.

Email marketing

What regulations and guidance are there for email and other distance marketing?

Canada’s anti-spam legislation imposes strict limitations on the use of commercial electronic messages. Businesses cannot send commercial electronic messages without the prior explicit consent of the recipient, subject to certain narrow exceptions. Electronic messages requesting consent to the receipt of commercial electronic messages are themselves considered to be commercial electronic messages. Commercial electronic messages must also be in a prescribed form, including information such as sender identification and contact details and a no-cost, easy unsubscribe mechanism. Businesses must give effect to unsubscribe requests within 10 business days. Exceptions to the general consent requirement include cases where there is an ‘existing business relationship’ (as narrowly defined) between the sender and the intended recipient of a commercial electronic message. The anti-spam legislation rules are extremely detailed.

The Unsolicited Telecommunications Rules, which encompass the National Do Not Call List (DNCL), apply to unsolicited marketing communications by telephone, fax and automated robocall devices. The use of robocall technology for the purpose of solicitation is not permitted without the prior explicit consent of the call recipient. Telemarketing is generally permitted unless the target is listed on the DNCL or has previously asked the organisation not to call.

Consumer rights

What rights and remedies do individuals have in relation to the processing of their personal data? Are these rights limited to citizens or do they extend to foreign individuals?

Private sector privacy laws generally require that any collection, use or disclosure of personal information requires the consent of the individuals to whom the information relates. Individuals also have a broad right to withdraw consent to the continued use, retention or disclosure of their personal information, subject to legal and contractual requirements.

Private sector privacy laws also provide consumers with a general right to be informed of the existence, use and disclosure of their personal information by an organisation and to be given access to that information on request. Individuals may challenge the accuracy and completeness of such information and request that it be corrected, augmented or deleted as appropriate. Consumers with privacy concerns about an organisation can complain to the appropriate privacy commissioner and request an investigation into the organisation’s practices. Following the issuance of a report of findings by the commissioner, the complainant or the commissioner may request consideration of the matter by a court, which may make mandatory or injunctive orders or award damages.   

These rights may be available to individuals who are resident outside Canada with respect to the practices of private sector organisations operating from Canada.

Taxation

Online sales

Is the sale of online products subject to taxation?

Yes, the sale of online products is subject to taxation, even if a product has no tangible equivalent. Pursuant to the federal Excise Tax Act, businesses must charge and collect the 5% goods and services tax (GST) from customers on taxable goods and services supplied in Canada in the course of a business carried on in Canada. All provinces except Alberta also levy a comparable tax at the provincial level:

  • In Quebec and the Western provinces (other than Alberta), the provincial tax is distinct from GST.
  • In Ontario and the Atlantic provinces, the provincial tax has essentially been amalgamated with the GST to form a single harmonised sales tax (HST). For example, in Ontario the federal tax (5%) and provincial tax (8%) are combined into a single HST of 13%. The HST is collected by the federal government, which then remits the provincial portion to the appropriate provincial government.

The GST, HST and Quebec’s provincial tax are value-added taxes, while the provincial taxes of Manitoba, Saskatchewan and British Columbia are sales taxes that do not generally apply to services. Each tax regime includes exemptions (eg, for groceries in the case of GST and HST).

Whether online sales will be taxed depends on where the vendor carries on business and where the customer is located. Whether a person is carrying on business in Canada will depend on a consideration of all relevant facts. Some of the relevant factors in the GST and HST context include:

  • the place where agents or employees of the non-resident are located;
  • the place of delivery;
  • the place of payment;
  • the place where purchases are made or assets are acquired;
  • the place from which transactions are solicited;
  • the location of assets or an inventory of goods;
  • the place where business contracts are made;
  • the location of a bank account;
  • the place where the non-resident’s name and business are listed in a directory;
  • the location of a branch or office;
  • the place where the service is performed; and
  • the place of manufacture or production.

Similar factors are considered for provincial sales tax.

Online sales into Canada are generally subject to the payment of amounts equivalent to the taxes that would have been payable had the sales occurred in Canada, although a remission (essentially a waiver) is granted for most shipments valued (in their entirety) under C$20. As a result of the renegotiation of the North American Free Trade Agreement as the new United States-Mexico-Canada Agreement, the remission is expected to apply to courier shipments valued under C$40. These figures are not deductions; for example, under the current limit, a shipment valued at C$21 will be subject to tax on the entire C$21, not merely on the C$1 by which it exceeds the C$20 exemption.

Server placement

What tax liabilities ensue from placing servers outside operators’ home jurisdictions? Does the placing of servers within a jurisdiction by a company incorporated outside the jurisdiction expose that company to local taxes?

N/A.

Company registration

When and where should companies register for VAT or other sales taxes? How are domestic internet sales taxed?

N/A.

Returns

If an offshore company is used to supply goods over the internet, how will returns be treated for tax purposes? What transfer-pricing problems might arise from customers returning goods to an onshore retail outlet of an offshore company set up to supply the goods?

N/A.

Gambling

Legality

Is it permissible to operate an online betting or gaming business from the jurisdiction?

The Criminal Code creates several gambling-related criminal offences, which have not been updated to reflect the emergence of the Internet. Thus, online betting or gaming businesses that facilitate betting or gaming may contravene relevant sections of the Criminal Code. However, online versions of gaming, such as fantasy sports, have yet to be specifically addressed by any federal or provincial regulations or policies. Until Canadian authorities clarify their approach to online betting or gaming, any proposal to operate such a business would need to be considered carefully in light of its specific facts.

Are residents permitted to use online casinos and betting websites? Is any regulatory consent or age, credit or other verification required?

The Criminal Code sets out various prohibitions against gambling and makes little if any distinction between traditional and online gambling. One significant exception to the broad prohibition on gaming permits provinces to conduct and manage gaming activities that would otherwise be illegal under the Criminal Code. Under this exception, many government-sponsored lotteries and casinos have been established in Canada in recent decades. In the online sphere, this includes a sports betting site. While use of offshore online gaming sites is undoubtedly also fairly widespread, given the uncertainty of the law it is not possible to comment definitively on the legalities involved.

Outsourcing

Key legal and tax issues

What are the key legal and tax issues relevant in considering the provision of services on an outsourced basis?

Issues arising on a transfer of assets to a supplier and the transfer of operations overseas can include the following:

  • labour and employment issues;
  • data protection;
  • assignment of intellectual property;
  • customers’ contractual rights or, if the company engages in business-to-consumer transactions, consumer protection regulation-related issues;
  • real estate;
  • general liability overseas; and
  • ease of enforcing contractual rights against the supplier in the foreign jurisdiction.

Federal and provincial tax liabilities can arise on a transfer of assets to a supplier, based on the proceeds of the disposition of the assets, the nature of the assets and the cost of the transferred assets. If employees are transferred to a supplier, the supplier is generally responsible for withholding and paying certain payroll taxes from the compensation paid to the employees.

Withholding tax can arise on payments to non-residents in respect of services performed in Canada and non-resident suppliers can be subject to tax if they carry on business in Canada. Tax treaties may limit applicable taxes in certain circumstances.

Asset transfers and the provision of services can also raise sales tax issues, which may vary from province to province.

Employee rights

What are the rights of employees who previously carried out services that have been outsourced? Is there any right to consultation or compensation, and do the rules apply to all employees within the jurisdiction?

N/A.

Online publishing

Content liability

When would a website provider be liable for mistakes in information that it provides online? Can it avoid liability? Is it required or advised to post any notices in this regard?

The Competition Act prohibits misleading representations and deceptive marketing practices, including on websites and in electronic communications. To contravene the Competition Act, either the general impression or literal meaning of a representation must be false or misleading in a material respect. Materiality is determined on the basis of whether the representation could influence a consumer to buy a product or service but is also interpreted by Canada’s competition authorities to include influence over a consumer’s conduct more broadly.

Databases

If a website provider includes databases on its site, can it stop other people from using or reproducing data from those databases?

The rights of the website provider would be governed by contract, through the website’s terms of use, as well as by privacy and copyright law and possibly other applicable statutes. Any specific situation must be considered on its facts.

Dispute resolution

Venues

Are there any specialist courts or other venues in your jurisdiction that deal with online/digital issues and disputes?

No, although the Canadian Internet Registration Authority requires that ‘.ca’ domain name disputes be resolved by one of its designated arbitration service providers.

ADR

What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?

ADR methods include negotiated settlements, mediated settlements and arbitration.

Negotiated settlements are the most popular form of ADR. Arbitration and mediation are also common, in the latter case partly because the courts may recommend or even require mediation before parties can go to trial. The Federal Court of Canada, which has jurisdiction over IP disputes, recommends mediation. Online forums, such as British Columbia’s Civil Resolution Tribunal and the eBay Resolution Centre, are gaining a foothold in Canada.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in e-Commerce regulation in the jurisdiction? Is there any pending legislation that is likely to have consequences for e-Commerce and internet-related business? (EU JURISDICTIONS ONLY: How do you anticipate the General Data Protection Regulation and the e-Privacy Regulation will impact e-commerce?)

On 21 May 2019 the government announced a new Digital Charter that sets out the 10 general principles that will guide the government as it develops policies and implements legislation. The principles emphasise privacy, transparency and security, as well as competitive fairness in the digital marketplace.

Law stated date

Correct on

Give the date on which the information above is accurate.

1 October 2019.