Data protection in Canada: overview

A Q&A guide to data protection in Canada.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool.

This article is part of the multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

Christopher Oates and Wendy J Wagner, Gowling Lafleur Henderson LLP

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

The collection, use and disclosure of personal information in the private sector is governed by federal, provincial and sectoral laws. The laws applicable to an organisation depend on all of the following:

  • Where the organisation is located.

  • In which Canadian jurisdictions the organisation collects, uses and discloses personal information.

  • Whether the organisation transfers personal information across provincial, territorial or national borders.

  • The sector in which the organisation operates.

At the federal level, the collection, use and disclosure of personal information in the course of commercial activities is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies in all provinces that do not have their own substantially similar legislation, to "personal information", which is defined as "information about an identifiable individual". This definition requires the person to be "identifiable" from the information, not "identified". As such, information will be personal information where there is a serious possibility it may identify a person, either alone or in combination with other information.

To date, the following provinces have enacted general purpose privacy legislation that applies to the private sector and has been declared "substantially similar" to PIPEDA:

  • British Columbia: Personal Information Protection Act (BCPIPA).

  • Alberta: Personal Information Protection Act (ABPIPA).

  • Quebec: An Act Respecting the Protection of Personal Information in the Private Sector (QBPIPA).

In these provinces, the provincial legislation applies to the collection, use and disclosure of personal information by private sector organisations instead of PIPEDA. However, PIPEDA will continue to apply to the activities of "federal undertakings" within these provinces (such as banks, airlines and radio broadcasters). Furthermore, organisations transferring personal information across provincial borders, or outside Canada, are subject to PIPEDA as well as any applicable provincial legislation.

As a result, organisations operating across Canada may be subject to the laws of several Canadian jurisdictions. However, as "substantial similarity" is required before a provincial statute is declared to apply within the province in place of PIPEDA, there are broad similarities between PIPEDA and the provincial laws.

Subject to prescribed exceptions, both PIPEDA and the provincial legislation only allow the collection of personal information with the knowledge and consent of the individual, and such collection must be through fair and lawful means. However, there are key differences of which organisations operating in these provinces should be aware, including:

  • The BCPIPA, ABPIPA and QBPIPA apply more generally to employee information than PIPEDA.

  • Alberta law is currently the only Canadian privacy legislation of general application to include mandatory data breach reporting obligations, though reporting obligations also exist in several legislative schemes applicable to health information, and amendments to PIPEDA have been proposed that would make breach reporting mandatory at the federal level.

For transfers of personal information to recipients in Canada subject to PIPEDA, individuals in countries that have implemented Directive 95/46/EC on data protection should consult Commission Decision 2002/2/EC on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA Decision).

As of the date of writing, the province of Manitoba has also enacted a general purpose privacy law, The Personal Information Protection and Identity Theft Prevention Act. While this law is similar to the provincial laws in place in British Columbia and Alberta, it has not yet been declared in force, and it remains uncertain whether it will be deemed "substantially similar" to PIPEDA.

Sectoral laws

In specific industry sectors, additional provincial legislation may apply in addition to, or in place of, PIPEDA. In particular, organisations involved in the use, collection and disclosure of health information must be aware of provincial statutes in this area, which include:

  • Alberta's Health Information Act.

  • Saskatchewan's Health Information Protection Act.

  • Manitoba's Personal Health Information Act.

  • Ontario's Personal Health Information Protection Act (declared "substantially similar" to PIPEDA in respect of health information custodians).

  • Quebec's An Act Respecting the Sharing of Certain Health Information.

  • New Brunswick's Personal Health Information Privacy and Access Act (declared "substantially similar" to PIPEDA in respect of health information custodians).

  • Newfoundland and Labrador's Personal Health Information Act.

  • Nova Scotia's Personal Health Information Act.

Furthermore, an organisation may be subject to industry-specific legislation or industry standards (such as those that apply to public sector entities, the payment cards industry and federally regulated financial institutions).

This article does not cover:

  • Provincial health information legislation.

  • Industry specific legislation or standards.

  • Legislation applicable to the public sector.

Scope of legislation

2. To whom do the laws apply?

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to organisations that collect, use or disclose personal information in the course of commercial activities (including the sale of donor and fundraising lists). At the provincial level, the legislation of British Columbia, Alberta and Quebec applies to the activities of organisations and enterprises that collect, use or disclose personal information. Both federal and provincial "organisations" include natural and legal persons (such as corporations, partnerships, trade unions and unincorporated associations).

The treatment of employee personal information depends on the applicable legislation. PIPEDA applies to employee personal information that is collected, used or disclosed in connection with the operation of a "federal work, undertaking or business". However, the Commissioner does not consider the law to apply to employee information in the general private sector, as this is a matter of provincial jurisdiction. In British Columbia, Alberta and Quebec, the provincial legislation applies to employee information, and in British Columbia and Alberta, the law has specific provisions regarding employee information.

3. What data is regulated?

The privacy laws governing the private sector apply to "personal information", which includes any information regarding an identifiable individual. However, the precise definition of "personal information" will vary depending on the legislation that applies:

  • Federal. Personal information means information "about an identifiable individual", but does not include the "name, title or business address or telephone number of an employee of an organisation" (section 2(1), PIPEDA). An amendment to PIPEDA is currently before the federal parliament that, if enacted, will:

    • remove the exclusion of "business contact information" from the definition of personal information; and

    • create a narrower exception that removes business contact information from the requirements of PIPEDA only when used to communicate with the individual in relation to their employment, business or profession.

  • British Columbia. Personal information means information about an identifiable individual and includes employee personal information but does not include business contact information or work product information (section 1, BCPIPA).

  • Alberta. Personal information means information about an identifiable individual (section 1(1), ABPIPA). There is an exception for business contact information only when used to contact an individual in relation to their business responsibilities.

  • Quebec. Personal information is any information that relates to a natural person and allows that person to be identified (section 2, QBPIPA).

4. What acts are regulated?

Canadian privacy legislation generally applies to the collection, use and/or disclosure of personal information. These broad terms capture the majority of commercial uses for personal information, including data collection, processing, storage, the transfer or sale of personal information to third parties, and disclosure of personal information to third parties.

Additional obligations are placed on organisations in relation to particular aspects of their collection, use and/or disclosure of personal information (for example, knowledge and consent requirements and retention periods; see Questions 12 to 14) and in relation to security requirements (see Questions 15 and 16). The sending of commercial electronic messages is subject to additional consent requirements (see Question 19).

5. What is the jurisdictional scope of the rules?

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to organisations that collect, use or disclose personal information in Canada or transfer personal information across the Canadian border. Judicial decisions have determined that the Office of the Privacy Commissioner of Canada has the jurisdiction to investigate complaints brought against entities based outside Canada, which involve the cross-border flow of personal information, or the collection, use or disclosure of personal information in Canada.

With the exception of federal works or undertakings, private sector organisations in British Columbia, Alberta or Quebec will be subject to provincial privacy legislation rather than PIPEDA. However, these organisations will be subject to PIPEDA in addition to the provincial law where they transfer personal information across provincial or international borders.

6. What are the main exemptions (if any)?

General exemptions under PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) does not apply to (section 4(2), PIPEDA):

  • Individuals that collect, use or disclose personal information solely for personal or domestic purposes.

  • Organisations that collect, use or disclose personal information solely for journalistic, artistic or literary purposes.

Exemptions from PIPEDA consent requirements

Consent is not required from the data subjects in any of the following circumstances (section 7, PIPEDA):

  • Use of data in reaction to an emergency that threatens the life, health or security of an individual.

  • Disclosure to a lawyer representing the organisation.

  • Disclosure for the collection of a debt owed by an individual.

  • Disclosure required under a subpoena, warrant or order issued by a court with the jurisdiction to compel production of the information.

  • Disclosure to a government institution on a request by an institution that has identified its lawful authority for purposes of:

    • national security;

    • the defence of Canada;

    • the conduct of international affairs;

    • enforcing the law of Canada, a province or a foreign jurisdiction; or

    • administering the law of Canada or a province.

  • Disclosure made after the earlier of:

    • 100 years following the creation of the record containing the information; or

    • 20 years following the death of the individual to whom the information pertains.

  • Disclosure required by law.

Limited publicly available information exemption under PIPEDA

PIPEDA generally applies to personal information that is "publicly available": the fact that information can simply be obtained from a public source does not remove the requirement to obtain consent for its collection or use. However, in narrow, prescribed circumstances, publicly available personal information can be collected, used and disclosed without the data subjects' knowledge or consent, for example:

  • Where the name, address or telephone number of an individual appears in a public telephone directory, provided the individual can refuse to have their information disclosed in the directory.

  • Where the name, title, address or telephone number of an individual appears in a professional or business directory, provided the information is used for the purpose for which it appears in the directory.

Overall, similar exceptions exist in the provincial privacy legislation in British Columbia, Alberta and Quebec. However, the nature and extent of the available exceptions varies by jurisdiction. Organisations are advised to consult the legislation specifically applicable to their operations when seeking to rely on an exemption to the requirements of Canadian privacy legislation.

Business transaction exemption

British Columbia and Alberta permit the transfer of personal information in the context of defined "business transactions", such as the sale, lease, merger or amalgamation of the organisation or its assets. Specific requirements for these exceptions apply, and differ between the provinces. In both provinces, the exception will not apply to transactions that do not involve assets other than personal information or where the primary goal of the transaction is the disposal of personal information.

Currently, neither PIPEDA nor the Quebec legislation contains a similar provision. However, a bill currently before the federal parliament would amend PIPEDA to include an exception that is broadly analogous to that in British Columbia and Alberta.

Notification

7. Is notification or registration required before processing data?

There is no requirement to register or notify a Canadian regulatory body before collecting, using, processing or disclosing personal information in the private sector. Narrow exceptions exist in Quebec and at the federal level for organisations seeking to act without the consent of the individual for statistical or scholarly purposes.

The notification of data subjects before collection, use or disclosure of their personal information is an essential component of obtaining informed consent. The specific purposes for which personal information is collected, used or disclosed must be identified to the individual at or before the time of collection (if the purpose is not identified, then the consent would not be informed and may be impaired). Additional purposes that arise only after the consent of the individual has been obtained may require the organisation to seek further consent to the new purposes.


Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

Subject to certain exceptions (see Question 6), Canadian privacy legislation permits the use, collection and disclosure of personal information only:

  • With the knowledge and consent of the individual.

  • For purposes that were disclosed and which a reasonable person would consider appropriate in the circumstances.

These requirements are further developed in ten overarching principles that inform organisational obligations pursuant to Schedule 1 to the Personal Information Protection and Electronic Documents Act (PIPEDA):

  • Accountability. Organisations are responsible for information under their control, and must designate an individual responsible for compliance with the legislation. Organisations remain accountable for information transferred to a third party and contractual means must be used to ensure adequate protection.

  • Identifying purposes. The purpose(s) for which personal information is collected must be specified at the time of or before the collection.

  • Consent. An individual's informed consent must be obtained for the collection, use or disclosure of their personal information. For consent to be meaningful, the purposes for which the information may be used must be disclosed so that the individual can reasonably understand the use of their information.

  • Limiting collection. The collection of personal information must be limited to that which is necessary for the purposes disclosed by the organisation. Collection must be through fair and lawful means.

  • Limiting use, disclosure and retention. Personal information cannot be used or disclosed for a purpose other than that for which it was collected, without consent, unless permitted or required by law. Personal information can be retained only as long as necessary for the disclosed purposes.

  • Accuracy. Organisations must keep personal information as accurate, complete and up-to-date as necessary for the purposes for which it will be used.

  • Safeguards. Personal information must be protected by safeguards appropriate to its sensitivity. These safeguards must include physical, organisational and technological security measures.

  • Openness. Organisations must make their policies and practices regarding personal information available to individuals. This information must include contact information for the person accountable for compliance.

  • Individual access. On request, individuals must be informed of the existence, use and disclosure of their personal information, and must be granted access to it. Narrow exceptions to individual access exist, such as information that includes the personal information of another individual or material subject to solicitor-client privilege. Individuals can request the correction of their personal information.

  • Challenging compliance. Organisations must have policies in place to receive and respond to complaints and challenges to their compliance with these principles. These policies must be made known on request.

9. Is the consent of data subjects required before processing personal data?

Canadian privacy legislation requires the informed consent of the individual to the collection, use or disclosure of their personal information.

Form and content of consent

The Personal Information Protection and Electronic Documents Act (PIPEDA) recognises both express and implied consent. The appropriate form of consent depends on the intended use of the information, its sensitivity, as well as the circumstances surrounding its collection and use.

Express consent. This is required for the collection, use or disclosure of sensitive personal information. PIPEDA does not provide a prescribed form for express consent, for example, consent may be obtained through written, verbal or electronic means. In each case, the individual must be informed of the purposes for which their information will be used.

See Question 19 for prescribed disclosure when seeking express consent to send commercial electronic messages.

Implied consent. This may be appropriate where the personal information is not particularly sensitive and where it is reasonable to infer consent from an individual's actions or inactions. For example, principle 4.3.5 of Schedule 1 to PIPEDA states that a magazine subscriber would reasonably expect the publisher to use their address to solicit a subscription renewal.

The Office of the federal Privacy Commissioner (OPC) has provided guidelines on using implied consent through an opt-out mechanism in the context of online behavioural advertising. The OPC indicates that opt-out consent may be acceptable for behavioural advertising where all of the following apply:

  • Individuals are made aware of the organisation's purposes in a clear and understandable manner at or before the collection of their information.

  • Individuals are provided with an easy to use opt-out mechanism that is immediate and persistent.

  • The collection is limited to non-sensitive information.

  • The information is destroyed or de-identified as soon as possible.

Minors

PIPEDA and the provincial privacy laws differ in their treatment of minors:

  • Under PIPEDA, consent from a minor is not expressly prohibited. However, obtaining a minor's consent may not be considered to be sufficient in all cases. In some cases, PIPEDA recognises that consent can be provided by an authorised representative such as a legal guardian (Principle 4.3.6 of Schedule 1, PIPEDA). Further, a note to PIPEDA indicates that in some cases it is impossible or inappropriate to seek the consent of a minor. Therefore, it is often preferable to seek consent from a parent or legal guardian as well as the minor.

  • The ABPIPA provides that minors are able to exercise their rights under the Act if they are able to understand their nature and consequences. If not, a legal guardian can do so on their behalf. Similarly, the BCPIPA provides that a guardian can exercise the rights of a minor who is incapable of doing so on their own.

10. If consent is not given, on what other grounds (if any) can processing be justified?

Consent will not be required if an organisation is able to establish that its collection, use or disclosure of personal information is subject to an exemption (see Question 6). Other, situation-specific exceptions may exist, depending on the particular Canadian legislation that applies.

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Sensitive personal data includes health and financial information, and is subject to more stringent legal requirements, such as the following:

  • Security measures must be appropriate to the sensitivity of the information; therefore, a higher standard of protection is required for sensitive information.

  • It is essential to be able to demonstrate that the data subject has provided informed consent to the use of their sensitive information. Therefore, it is typically necessary to obtain clear express consent to the collection, use or disclosure of sensitive information.

  • An organisation must take additional precautions to ensure that the collection, use and disclosure of sensitive information is:

    • reasonable in the circumstances; and

    • limited to that which is necessary to achieve the purposes disclosed to the individual.

The classification of personal information as sensitive may depend on the context. For example, a list of the subscribers to a general interest magazine is not likely to be sensitive; however, a similar list of the patients of a medical specialist would be. Some classes of personal information, such as health or financial information, would be sensitive in any context. Collection of specific types of sensitive information may be restricted. For example, social insurance numbers (SINs) can only be collected where required by law and not for general identification purposes.


Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

Informed consent is required for the collection, use and disclosure of personal information. Therefore, it is important to inform individuals of how their information is collected and how it will be used, in a manner that can be easily understood. Individuals must be informed of:

  • Exactly what information is collected.

  • The precise purposes for which information is collected, used and/or disclosed. It is generally not permissible to use information for purposes not disclosed to the data subject at the time of collection, unless further consent is obtained, so organisations should carefully consider the purposes they disclose at the point of collection to ensure legal compliance and allow for anticipated future uses of the information. Overly broad consent language that does not adequately inform the individual of the organisation's actual purposes may be deemed invalid. Disclosure in a lengthy privacy policy document alone may not be sufficient to inform an individual. This is particularly true where the information concerned is highly sensitive, or the use of the information would not be obvious in the context.

  • Information regarding privacy practices, along with the name or title and contact information of a person able to answer the individual's questions about the collection (Principle 4.8.2, Schedule 1, Personal Information Protection and Electronic Documents Act (PIPEDA); see also s.10, BCPIPA and s.13, ABPIPA). This contact information is often provided in a privacy policy.

Products and services cannot be offered on condition that the customer consents to the collection or use of their personal information beyond the use necessary to supply the product or service (Principle 4.3.3, Schedule 1, PIPEDA; see also s.7(2), BCPIPA and ABPIPA).

Additional disclosure requirements apply where an organisation seeks consent to send commercial electronic messages. See Question 19.

13. What other specific rights are granted to data subjects?

Requesting access

Individuals have the right to request access to their personal information. While the precise access requirements vary depending on the applicable legislation, organisations must usually respond to a request within either 30 or 45 calendar days.

Quebec prohibits charging an access fee. However, a reasonable charge in respect of the transcription, reproduction or transmission of the personal information is permitted if the organisation informs the individual in advance. British Columbia and Alberta permit minimal, reasonable fees, provided the information is not employee personal information, and the applicant is provided with a written estimate of the fee. The Personal Information Protection and Electronic Documents Act (PIPEDA) requires the organisation to respond to an access request at "minimal or no cost to the individual". If there is a cost to the individual, PIPEDA requires the individual to be informed of the approximate cost.

Organisations can refuse access to personal information only in certain circumstances, set out by law, which usually include:

  • Information inseparable from the personal information of other individuals.

  • Information subject to solicitor-client privilege.

  • Disclosure that would reveal confidential commercial information.

Withdrawal of consent

Individuals can withdraw their consent to the collection, use or disclosure of their personal information, but:

  • An individual is not able to withdraw their consent to avoid their legal obligations.

  • Consent is not required in some cases (see Question 6).

Organisations must usually inform data subjects of the consequences of withdrawing consent.

Other

Additionally, individuals have the right to:

  • Be informed of the purposes for which data is being collected, used and disclosed.

  • Complain to the Privacy Commissioner if their rights are not respected.

  • Request the correction of incomplete, inaccurate or out-of-date data.

14. Do data subjects have a right to request the deletion of their data?

The Personal Information Protection and Electronic Documents Act (PIPEDA) does not provide a direct right to demand the deletion of personal information. However, principle 4.5 of Schedule 1 to PIPEDA provides that organisations will retain personal information only as long as necessary for the fulfilment of the identified purposes, and must have policies in place regarding the destruction of personal information.

In some cases, organisations may be subject to statutory requirements to retain certain classes of information, for example, under tax law. It is essential for an organisation to be aware of any applicable sector-specific record keeping requirements.


Security requirements

15. What security requirements are imposed in relation to personal data?

Organisations must implement security safeguards to protect personal information from loss, theft, and unauthorised access, disclosure, copying, use or modification (Principle 4.7, Schedule 1, Personal Information Protection and Electronic Documents Act (PIPEDA); see also s.34, BCPIPA and ABPIPA, and s.10, QBPIPA). The nature and extent of these safeguards varies with the nature of the personal information in question, with more sensitive information requiring a greater level of security.

These protection mechanisms should include (Principle 4.7.3, Schedule 1, PIPEDA):

  • Physical protection measures. These include locked or restricted access storage locations.

  • Organisational measures. These include security clearances for employees, with personal information disclosed on a "need-to-know" basis.

  • Technological measures. These include the use of passwords and encryption.

16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

Current law

Alberta is the only jurisdiction in Canada with a generally applicable mandatory data breach reporting requirement. (Other jurisdictions apply mandatory data breach reporting rules in the health information sector only.) When a data breach occurs, the organisation must notify the Alberta Privacy Commissioner if the breach presents a "real risk of significant harm" to the individual (s.34.1, ABPIPA). The Commissioner can then require the organisation to notify individuals affected by the breach in a prescribed notice, which includes:

  • The date and circumstances of the breach.

  • The nature of the information affected by the breach.

  • Any steps the organisation has taken to reduce the risk of harm to the individuals.

  • Contact information for a person who can answer questions regarding the breach on behalf of the organisation.

In practice, the Alberta Commissioner typically requires notification of the affected individuals in the case of a security breach.

Proposed amendment

Amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) (currently before Parliament) would create mandatory data breach reporting at the federal level. If adopted, the proposed legislation will require organisations to report breaches of their security safeguards to the federal Privacy Commissioner where the breach presents a real risk of significant harm to an individual. In determining whether there is a "real risk of significant harm", the organisation will be required to consider:

  • The sensitivity of the information involved.

  • The probability the information will be misused.

  • Any prescribed factors.

It should be noted that while only Alberta has mandatory notification of breaches to a regulator and data subjects, a failure to appropriately notify data subjects of a breach in other jurisdictions may be investigated by the Privacy Commissioners and form the basis for a conclusion that a privacy complaint is well-founded.


Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Consent

Personal information can only be transferred or disclosed for purposes that were disclosed to the individual at the time the information was collected. The federal Privacy Commissioner considers a "transfer" of personal information for processing to be a "use" of the personal information, rather than a "disclosure" of personal information. A separate consent for the transfer of information to a service provider for previously disclosed processing is therefore not required beyond the consent already obtained for the "use" of the personal information. However, to comply with the principle of openness, organisations should disclose that personal information may be transferred to third party service providers. Where personal information is disclosed to a third party for another purpose, consent from the individual is required.

Liability

Organisations remain accountable for personal information they transfer to a third party for processing. Therefore, when organisations transfer information, they must ensure the information will be adequately protected. The Personal Information Protection and Electronic Documents Act (PIPEDA) expressly contemplates the use of contractual terms to ensure the provision of an appropriate level of protection.

In entering an agreement with a third-party information processor, organisations must also ensure that they will remain able to meet their legal obligations with respect to the personal information. Therefore, transfer agreements must include, among other things:

  • A requirement to comply with the applicable privacy legislation.

  • A requirement to maintain adequate safeguards and inform the transferring organisation of a breach of those safeguards.

If the agreement permits subcontracting, these obligations must also be placed on subcontractors.

Finally, it is advisable for the agreement to provide the transferring organisation with a right to audit the information processor's privacy practices.

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

The Personal Information Protection and Electronic Documents Act (PIPEDA) requires the knowledge and consent of the data subject for the collection, use or disclosure of their personal information (Principle 4.3, Schedule 1, PIPEDA). PIPEDA is a law of general application that applies to personal information regardless of the technology used; therefore, wherever an electronic device such as a cookie, web beacon, or similar technology collects personal information about an individual, it will be subject to privacy legislation, including the requirement to obtain informed consent, and disclose the purposes for which personal information is collected, used or disclosed. For this reason, an organisation's privacy policy should accurately describe its use of cookies and equivalent electronic devices.

More specific legislation that will (in most cases) require express consent for the installation of a "computer program" onto a person's computer will come into force on 15 January 2015. Under this law, a request for express consent to the installation of a computer program must state:

  • The purpose for which you are seeking consent and the function of the computer program.

  • The name of the entity seeking consent.

  • If consent is sought by another entity, the name of that entity and on whose behalf it is requesting consent.

  • The mailing address and either a telephone number or e-mail address for the entity seeking consent.

  • That consent can be withdrawn.

The new legislation includes an exception under which a person will be deemed to agree to the installation of a cookie, HTML code, or JavaScript where it is reasonable to believe they do based on their conduct.

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?
 

Canadian anti-spam legislation (CASL) is extremely prescriptive and punitive. CASL:

  • Bars sending commercial electronic messages to electronic addresses, unless the sender has the express or implied consent of the recipient.

  • Requires express, opt-in consent in most cases.

  • Limits implied consent to narrow classes of defined "existing business relationships" or "existing non-business relationships".

  • Applies to all commercial electronic messages accessed or sent from a computer system in Canada.

  • Places specific disclosure requirements on persons seeking consent to send commercial electronic messages and on the content of the messages. For requests for consent, the required disclosure includes:

    • the purpose of the consent, and the name or business name of the person seeking consent and, if different, on whose behalf consent is sought;

    • if applicable, a statement indicating which person is seeking consent and on whose behalf this is done;

    • the mailing address of either the person requesting consent, or the person on whose behalf consent is requested, and at least one of either an e-mail address, telephone number or web address of the person requesting consent or the person on behalf of whom consent is requested;

    • a statement that consent can be withdrawn.

  • The prescribed content of electronic messages includes:

    • the name or business name of the person sending the message and, if different, on whose behalf the message is sent;

    • if applicable, a statement indicating the person sending the messages, and on whose behalf this is done;

    • the mailing address of either the person sending the message, or the person on whose behalf these are done;

    • at least one of either an e-mail address, telephone number or web address for either the person sending the message, or the person on whose behalf the message is sent;

    • an unsubscribe mechanism that is given effect within ten business days.

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

Canadian private sector privacy law does not prohibit the transfer of personal information outside of Canada. However, organisations remain liable for information they transfer outside of the country, and individuals must be notified of such transfers.

Accountability

Organisations remain accountable for information transferred to third parties for processing, including third parties outside Canada (Principle 4.1.3, Schedule 1, Personal Information Protection and Electronic Documents Act (PIPEDA)). Therefore, before transferring data outside Canada, an organisation must ensure that it is able to meet its obligations under Canadian law by using contractual means to require the recipient to provide comparable protection for the information while it is being processed.

Notification

The privacy legislation of Alberta specifically requires individuals to be notified of the countries in which their personal information may be collected, used, disclosed, transferred or stored by a service provider (subsection 6(2) and 13.1, ABPIPA).

Similarly, the federal Privacy Commissioner has held that the principle of "openness" under Principle 9.8 of Schedule 1 to PIPEDA includes a requirement to inform data subjects if their information may be transferred to another jurisdiction for processing and, while in that jurisdiction, their information may be subject to lawful access requests by the authorities in that country.

Data transfer agreements

 
21. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

See Question 17.

Data transfer agreements are used to:

  • Provide adequate security for personal information.

  • Allow organisations to meet their privacy obligations.

However, the Privacy Commissioners have not approved precedents for these agreements.

 
22. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

Data transfer agreements are considered sufficient to comply with the applicable privacy legislation if the agreement requires the third party service provider to provide a comparable level of protection for the personal information, and restricts the service provider to only use the information as instructed by the data controller. The Privacy Commissioner of Canada treats the transfer of personal information for processing as a "use" of the information (rather than a "disclosure"), so consent is not required for the transfer for processing separately from that which was obtained for the actual use of the information. However, consent is required for a use, disclosure or sale of personal information (see Question 9). In addition, any use or disclosure of information must be for a reasonable purpose that the individual has been informed of and consented to, unless a specific exception to the need for consent applies.

See also Question 20.

 
23. Does the relevant national regulator need to approve the data transfer agreement?

Data transfer agreements do not need approval from governmental regulatory authorities.

 

Enforcement and sanctions

24. What are the enforcement powers of the national regulator?

The federal Privacy Commissioner (Commissioner) (currently Daniel Therrien) can:

  • Investigate complaints from individuals.

  • Initiate an investigation of his own volition where he has reason to believe that the Personal Information Protection and Electronic Documents Act (PIPEDA) has been violated.

  • Exercise discretion to refuse to initiate an investigation:

    • where the complainant should first pursue other review procedures; or

    • if the complaint was not brought within a reasonable period.

  • Discontinue an investigation if:

    • it is found to be frivolous or vexatious; or

    • the organisation has already provided a fair and reasonable response.

In the course of an investigation, the Commissioner can:

  • Summon and compel witnesses to give testimony or produce records.

  • Enter premises (other than a dwelling house) on satisfying the security requirements of the organisation.

  • Converse with persons.

  • Obtain copies or extracts from records from the premises relevant to the investigation.

It is not necessary for evidence accepted by the Commissioner to be admissible in court (section 12.1(1)(c), PIPEDA).

On the conclusion of an investigation, the Commissioner may release a report that includes findings and recommendations. If a complainant is not satisfied with the report, he can apply for a court hearing.

The Federal Court can:

  • Order the offending organisation to take corrective measures.

  • Publish a notice of their corrective measures.

  • Award damages to the complainant.

The provincial Privacy Commissioners generally have similar powers to the federal Privacy Commissioner. In particular, they can:

  • Receive complaints and begin an investigation.

  • Initiate an investigation of their own volition.

  • Issue rulings on an organisation's privacy practices following an investigation.

  • Order compliance with the applicable privacy legislation. (Provincial commissioners have a greater power in this regard than that of the federal Commissioner.)

 
25. What are the sanctions and remedies for non-compliance with data protection laws?

The Personal Information Protection and Electronic Documents Act (PIPEDA) and the provincial privacy legislation are actively enforced in Canada.

Federal sanctions under PIPEDA

A fine of up to Can$10,000 is available on summary conviction, with a fine of up to Can$100,000 available on indictment for any of the following (PIPEDA):

  • Violation of the provisions related to the retention of information subject to an access request.

  • Retaliating against an employee for:

    • co-operating with the commissioner;

    • refusing to violate PIPEDA; or

    • complying in good faith with the legislative requirements.

  • Obstructing the Commissioner in the investigation of a complaint or audit.

The Federal Court can order an organisation to:

  • Correct its practices.

  • Publish a corrective notice.

  • Pay damages to a complainant, including damages for humiliation.

Provincial sanctions

Alberta. A contravention of the ABPIPA may result in a fine of up to Can$10,000 for an individual or up to Can$100,000 for an organisation (other than an individual).

British Columbia. A person or organisation that commits an offence under the BCPIPA is liable to a fine of up to Can$10,000 for an individual and up to Can$100,000 for an organisation (other than an individual).

Quebec. Most violations of the QBPIPA are subject to a maximum fine of Can$10,000, doubling to Can$20,000 on a subsequent offence. A violation of the requirement to provide adequate protection for information transferred outside of Quebec is subject to a fine of Can$50,000, doubling to Can$100,000 on a subsequent offence.

Sanctions under CASL. Violations of CASL in relation to the sending of commercial electronic messages, or the installation of computer programs, may be punished by:

  • A maximum administrative fine of Can$10 million as determined by the Canadian Radio-television and Telecommunications Commission, but subject to appeal to the Federal Court of Appeal.

  • A private right of action backed by statutory penalties of Can$200 per offence to a maximum of Can$1 million per day on which an offence occurred (as of 1 July 2017).

 

Regulator details

Office of the Privacy Commissioner of Canada

W www.priv.gc.ca

Main areas of responsibility. The office's duties include:

  • Investigating complaints, conducting audits and pursuing court action under PIPEDA and the federal Privacy Act.

  • Publicly reporting on the personal information-handling practices of public and private sector organisations.

  • Providing advice, public information and recommendations regarding the Acts.

Office of the Information and Privacy Commissioner for Alberta

W www.oipc.ab.ca

Main areas of responsibility. The office's duties include:

  • Conducting investigations, audits or enquiries to ensure compliance under the Personal Information Protection Act, the Freedom of Information and Protection of Privacy Act, and the Health Information Act.

  • Providing advice, public information and recommendations regarding the Acts.

Office of the Information and Privacy Commissioner for British Columbia

W www.oipc.bc.ca

Main areas of responsibility. The office's duties include:

  • Conducting investigations, audits or enquiries to ensure compliance under the Personal Information Protection Act, and the Freedom of Information and Protection of Privacy Act.

  • Providing advice, public information and recommendations regarding the Acts.

Quebec Access to Information Commission (Commission d'accès à l'information du Québec)

W www.cai.gouv.qc.ca

Main areas of responsibility. The Commission is responsible for:

  • The enforcement of QBPIPA, in relation to the granting of access to documents held by public bodies.

  • The protection of personal information under QBPIPA, in relation to the protection of personal information in the private sector.

The Canadian Radio-television and Telecommunications Commission

W www.crtc.gc.ca/eng/home-accueil.htm

Main areas of responsibility. The CRTC's duties include:

  • Enforcing Canada's anti-spam law in relation to the sending of commercial electronic messages and the installation of computer programs.

  • Regulating telecommunications, including telemarketing.



Online resources

W http://laws.justice.gc.ca/eng/acts/P-8.6/index.html

Description. Information about the Personal Information Protection and Electronic Documents Act. Website maintained by the Canadian Government. Official and up-to-date.

W http://laws-lois.justice.gc.ca/eng/acts/E-1.6/index.html

Description. Information about Canada's anti-spam law. Website maintained by the Canadian Government. Official and up-to-date.

W www.bclaws.ca/Recon/document/ID/freeside/00_03063_01

Description. Information about the British Columbia Personal Information Protection Act. Website maintained by the Queen's Printer British Columbia. Unofficial but up-to-date.

W www.qp.alberta.ca/570.cfm?frm_isbn=9780779773930&search_by=link

Description. Information about the Alberta Personal Information Protection Act. Website maintained by the Alberta Queen's Printer. Unofficial but up-to-date.

W www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php?type=2&file=/P_39_1/P39_1_A.html

Description. Information about the Quebec Act respecting the Protection of Personal Information in the Private Sector. Website maintained by the Official Publisher of Quebec (Éditeur officiel du Québec). Official and up-to-date.

W www.priv.gc.ca/cf-dc/index_e.asp

Description. Consolidated decisions of the Federal Privacy Commissioner. Website maintained by the Office of the Federal Privacy Commissioner. Unofficial but up-to-date.



Contributor profiles

Christopher Oates

Gowling Lafleur Henderson LLP

T +1 416 369 7333
F +1 416 862 7661
E chris.oates@gowlings.com
W www.gowlings.com

Professional qualifications. Ontario, Canada, 2010

Areas of practice. Privacy and information law; advertising and marketing law; electronic commerce; electronic marketing; regulatory affairs, including packaging and labelling.

Recent transactions

  • Advising on privacy and data protection in the context of corporate acquisitions.

  • Advising on privacy and data protection in consumer directed marketing including drafting privacy policies and terms of use.

  • Advising on Canada's anti-spam legislation.

  • Advising on trans-border transfers of personal information.

  • Reviewing and drafting policies for direct to consumer marketing, including social media campaigns.

  • Drafting terms of use for electronic commerce websites.

  • Advising on packaging requirements for food, drug and cosmetic products.

  • Contest design and review.

Languages. English

Publications

  • "Canadian Privacy Law, the Internet and Social Media," Social Media and Internet Law – Forms and Precedents, LexisNexis, May 2014.

  • Webinar – Canada's New Anti-Spam Legislation: What You Need to Know to Comply; May 2014.

  • "Advertising Law in Canada", Fourth Edition, B. Pritchard and S. Vogt. October 2012, Contributor of Chapter 19, Privacy Law in Canada.

Wendy J Wagner

Gowling Lafleur Henderson LLP

T +1 613 786 0213
F +1 613 788 3642
E wendy.wagner@gowlings.com
W www.gowlings.com

Professional qualifications. Ontario, Canada, 2002

Areas of practice. Privacy and freedom of information; defamation and media law; international trade and customs.

Recent transactions

  • Advising multinational corporations on data breaches, including a theft of credit data, a loss of hardware storage equipment, and a loss of employee data due to computer hacking.

  • Creating anti-spam compliance policies and programmes for life science companies, retail corporations and not for profit associations.

  • Drafting consents and disclosure agreements for the collection, use and disclosure of health information by a community care organisation.

  • Providing opinion to a manufacturer on disclosure/production of personal information of Canadians in the context of foreign product liability litigation.

Languages. English

Publications

  • Webinar – Canada's New Anti-Spam Legislation: What You Need to Know to Comply; May 2014.

  • An Overview of Canada's Anti-Spam Legislation, May 2014.

  • Canada's Privacy and New Anti-spam Laws: What You need to Know to Comply, March 2013.

