Law and the regulatory authority
Legislative framework
Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?
In Canada, four private sector privacy enactments provide the framework for the protection of PII. These are:
- Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA);
- the province of Québec’s An Act Respecting the Protection of Personal Information in the Private Sector (Private Sector Act (QC));
- the province of Alberta’s Personal Information Protection Act (PIPA (AB)); and
- the province of British Columbia’s Personal Information Protection Act (PIPA (BC)).
PIPEDA governs the interprovincial and international collection, use or disclosure of PII by private sector organisations in the course of carrying out commercial activities for profit. It also has application to employee PII in federally regulated organisations (such as banks, airlines, railways, and telecommunication companies).
PIPEDA also applies within all provinces and territories in Canada, except Québec, Alberta and British Columbia. The Private Sector Act (QC), PIPA (AB) and PIPA (BC) have been deemed substantially similar to PIPEDA and as such PIPEDA does not apply to private sector organisations carrying out commercial activities wholly within those provinces.
While the Private Sector Act (QC), PIPA (AB) and PIPA (BC) have each been deemed substantially similar to PIPEDA, there are differences in the details of each. These provincial laws apply, generally speaking, to all private sector organisations with respect to the collection, use and disclosure of PII in the course of carrying out commercial activities and to employees’ PII. The Private Sector Act (QC) also applies to the private sector’s collection, use and disclosure of health PII.
Health information privacy legislation in the provinces of Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador has been deemed substantially similar to PIPEDA and applies to health PII within those provinces. In those provinces and territories where health information privacy legislation has not been deemed substantially similar to PIPEDA, both the provincial or territorial health information privacy legislation and PIPEDA may apply.
Privacy matters involving public sector institutions are governed by a variety of federal, provincial and territorial public sector privacy legislative enactments.
Certain provinces have enacted legislation recognising invasion of privacy as a statutory tort, while there are also various offences within the Criminal Code (Canada) regarding the invasion of privacy.
Data protection authority
Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.
There is no single regulatory authority dedicated to overseeing and enforcing data protection laws in Canada. The applicable regulatory authority varies based upon whether the matter is appropriately covered by federal or provincial privacy laws.
While the Office of the Privacy Commissioner of Canada (OPC) oversees and enforces PIPEDA, each province and territory of Canada has a commissioner or ombudsperson responsible for overseeing and enforcing its own provincial or territorial privacy legislation. In the case of Québec, Alberta and British Columbia their privacy legislation is overseen and enforced by the Commission d’accès à l’information du Québec (CAI), the Office of the Information & Privacy Commissioner of Alberta and the Office of the Information & Privacy Commissioner for British Columbia, respectively.
Under PIPEDA, the OPC has the power to investigate complaints made by individuals. The OPC can also initiate an investigation based on reasonable grounds to believe that a matter warrants it. Under its investigatory power, the OPC has the power to summon witnesses to give oral or written evidence, inspect documents and compel the production thereof, and inspect premises other than a dwelling house. The OPC, upon having reasonable grounds to believe that an organisation is contravening PIPEDA, has the authority to audit the organisation’s PII practices, including examining the policies, procedures and practices of an organisation, exploring the physical and security controls of an organisation, and inspecting an organisation’s incident response management protocols.
The CAI, under Québec’s An Act Respecting the Protection of Personal Information in the Private Sector, and the Commissioners, under Alberta’s Personal Information Protection Act and British Columbia’s Personal Information Protection Act, each have similar investigatory powers, and where necessary, the power to conduct an inquiry. Following an inquiry, each also has the power to issue orders.
Cooperation with other data protection authorities
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
There are no legal obligations on Canadian data protection authorities to cooperate with other data protection authorities. However, the OPC has the express authority under PIPEDA to share information with provincial and territorial counterparts in the context of an ongoing or potential investigation of a complaint or audit. Canadian privacy commissioners and ombudspersons may also develop and publish joint publications or guidelines related to the protection of PII. The OPC may also share information with a foreign data protection counterpart pursuant to a written information sharing arrangement.
Breaches of data protection
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
In Canada, breaches of federal and provincial privacy laws can result in sanctions or orders, or criminal penalties.
Under PIPEDA, certain breaches can, if an organisation is found guilty, result in monetary fines. However, as it currently stands, the OPC does not have the authority under PIPEDA to prosecute offences or issue fines. As such, where it believes an offence has been committed, the matter must be referred to the office of the Attorney General of Canada, who, after its investigation, determines potential prosecution.
Scope
Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) does not cover any private sector, for profit, commercial organisation operating wholly within the provinces of Québec, Alberta and British Columbia, nor does it cover employee personally identifiable information (PII) of private sector, for profit, commercial organisations that are not federally regulated. It also does not cover organisations that are not engaged in for profit commercial activities (such as, generally speaking, not-for-profits, charities and political parties).
Organisations that collect PII solely for ‘journalistic, artistic or literary purposes’ are also exempt from PIPEDA.
Communications, marketing and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.
Electronic marketing is regulated by the Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act and its regulations (as amended). This legislation is commonly known as ‘Canada’s Anti-Spam Legislation’ (CASL).
PIPEDA will apply to the same activities where the processing of PII is involved.
Private sector privacy laws generally permit overt or covert video surveillance and the recording of phone calls, but both must be balanced with an individual’s right to privacy and must be used to achieve a specific purpose. As a general rule, organisations should consider less intrusive means of achieving the same end before conducting video surveillance. In addition, certain provinces have enacted statutory privacy torts for violation of privacy in which surveillance or the listening to, or recording of, a conversation may be a violation of an individual’s privacy.
The Criminal Code sets out privacy-related offences, specifically the interception of communications and provisions governing how law enforcement may obtain judicial authorisation to conduct electronic surveillance for criminal investigations.
Other laws
Identify any further laws or regulations that provide specific data protection rules for related areas.
There are numerous federal and provincial laws that provide for specific privacy and data protection rules and laws that apply to, among other things, banking, credit unions, financial transactions, electronic commerce, consumer credit reporting, health and health records or data which contains specific confidentiality provisions concerning PII that is collected.
PII formats
What forms of PII are covered by the law?
The basic concept in Canadian privacy law is that PII is any information, recorded or not, about an identifiable individual, regardless of the format in which it may be held. Examples of PII are:
- age, name, assigned identification numbers, income, ethnic origin, religion, marital status, fingerprints or blood type;
- opinions, evaluations, comments, social status or disciplinary actions;
- education, medical, criminal and employment histories;
- information about financial transactions; and
- employee files, credit records, loan records and medical records.
Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?
PIPEDA is silent as to its territorial scope. However, the Federal Court of Canada has held that, in the absence of language clearly limiting its application to Canada, PIPEDA can be interpreted to apply in all circumstances in which there exists a ‘real and substantial link’ between an organisation’s activities and Canada.
Covered uses of PII
Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?
Under PIPEDA, the organisation that determines the purpose of collection and collects, uses and discloses the PII is in control of that information. The same organisation may also process the PII itself or transfer it to a third party (either within or outside of Canada) for processing. Even though PII may be transferred to a third party for processing, it is the controlling organisation that remains in control of, and is ultimately responsible for, the PII.
Law stated date
Correct on
Give the date on which the information above is accurate.
5 June 2020.