Data protection in Canada: overview
A Q&A guide to data protection in Canada.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
The collection, use and disclosure of personal information in the private sector is governed by a number of federal, provincial and sectoral laws. The laws applicable to an organisation depend on all of the following:
Where the organisation is located.
In which Canadian jurisdictions the organisation collects, uses and discloses personal information.
Whether the organisation transfers personal information across provincial, territorial or national borders.
The sector in which the organisation operates.
At the federal level, the collection, use and disclosure of personal information in the course of commercial activities is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies:
To "personal information", which is defined as "information about an identifiable individual".
In all provinces where the federal government does not consider the provincial legislation to be "substantially similar" to PIPEDA.
To date, the following provinces have enacted general purpose privacy legislation that applies to the private sector and has been declared "substantially similar" to PIPEDA:
British Columbia: Personal Information Protection Act (BCPIPA).
Alberta: Personal Information Protection Act (ABPIPA).
Québec: An Act Respecting the Protection of Personal Information in the Private Sector (QBPIPA).
In these provinces, the provincial legislation applies to the use of personal information by private sector organisations in place of PIPEDA. However, PIPEDA will continue to apply to the activities of "federal undertakings" within these provinces (such as banks, airlines and radio broadcasters). Furthermore, organisations transferring personal information across provincial borders, or outside Canada, are subject to PIPEDA as well as the provincial legislation.
Organisations operating at a national or international level may be subject to several different legislative schemes. As "substantial similarity" is required before a provincial statute is declared to apply within the province in place of PIPEDA, there are broad similarities between PIPEDA and the provincial acts.
Subject to prescribed exceptions, PIPEDA and each provincial act only allow the collection of personal information with the knowledge and consent of the individual, and through fair and lawful means. However, there are key differences of which organisations operating in these provinces should be aware, including:
The BCPIPA and the ABPIPA apply more broadly to employee information than the PIPEDA.
Alberta law is currently the only Canadian privacy legislation of general application to impose data breach reporting obligations on organisations, though reporting obligations also exist in several legislative schemes applicable to health information, and amendments to PIPEDA have been proposed that would make breach reporting mandatory at the federal level.
For transfers of personal information to recipients in Canada subject to PIPEDA, individuals in countries that have implemented Directive 95/46/EC on data protection should consult Decision 2002/2/EC pursuant to Directive 95/46/EC on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA Decision).
In specific industry sectors, additional provincial legislation may apply in addition to, or in place of, PIPEDA. In particular, organisations involved in the use, collection, and disclosure of health information must be aware of provincial statutes in this area, which include:
Alberta's Health Information Act.
Saskatchewan's Health Information Protection Act.
Manitoba's Personal Health Information Act.
Ontario's Personal Health Information Protection Act (declared "substantially similar" to PIPEDA in respect of health information custodians).
New Brunswick's Personal Health Information Privacy and Access Act (declared "substantially similar" to PIPEDA in respect of health information custodians).
Newfoundland and Labrador's Personal Health Information Act.
Furthermore, an organisation may be subject to industry-specific legislation or industry standards (such as those that apply to the payment cards industry and federally regulated financial institutions).
This article does not cover:
Provincial health information legislation.
Industry specific legislation or standards.
Legislation applicable to the public sector.
Scope of legislation
PIPEDA applies to organisations that collect, use or disclose personal information in the course of commercial activities (including the sale of donor and fundraising lists). At the provincial level, the legislation of British Columbia, Alberta and Québec applies to the activities of organisations and enterprises that collect, use or disclose personal information. Both federal and provincial "organisations" include natural and legal persons (such as corporations, partnerships, trade unions and unincorporated associations).
The treatment of employee personal information depends on the applicable legislation. PIPEDA generally applies to employees' personal information that is collected, used or disclosed in connection with the operation of a federal work, undertaking or business.
In British Columbia and Alberta, the provincial legislation applies to and has specific provisions regarding employee personal information.
The various data protection and privacy laws governing the private sector generally apply to "personal information", which includes any information regarding an identifiable individual. However, the precise definition of "personal information" will vary depending on the legislation that applies:
Federal. Personal information means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organisation (s.2(1), PIPEDA). An amendment to PIPEDA is currently before the federal parliament that, if enacted, will:
remove the exclusion of "business contact information"; and
create a narrower exception that removes business contact information from the requirements of PIPEDA only when used to communicate with the individual in relation to their employment, business or profession.
British Columbia. Personal information means information about an identifiable individual and includes employee personal information but does not include business contact information or work product information (s.1, BCPIPA).
Alberta. Personal information means information about an identifiable individual (s.1(1), ABPIPA). There is an exception for business contact information only when used to contact an individual in relation to their business responsibilities.
Québec. Personal information is any information that relates to a natural person and allows that person to be identified (s.2, QBPIPA).
Canadian privacy and data protection legislation generally applies to the collection, use, and/or disclosure of personal information. These broad terms capture the majority of commercial uses for personal information, including data processing, storage and the transfer or sale of personal information to third parties.
Additional obligations are placed on organisations in relation to particular aspects of their collection, use, and/or disclosure of personal information (for example, to observe the rights of data subjects (see Questions 12 to 14) and in relation to security requirements (see Questions 15 and 16)).
PIPEDA applies to organisations that collect, use or disclose personal information in Canada or transfer personal information across the Canadian border. Judicial decisions have determined that the Office of the Privacy Commissioner of Canada has the jurisdiction to investigate complaints brought against entities based outside Canada, which involve the cross-border flow of personal information, or the collection, use or disclosure of personal information by the entity in Canada.
With the exception of federal works or undertakings, private sector organisations in British Columbia, Alberta or Québec will be subject to provincial privacy legislation rather than PIPEDA. However, these organisations will be subject to PIPEDA where they transfer personal information across provincial or international borders.
General exemptions under PIPEDA
PIPEDA does not apply to (s.4(2), PIPEDA):
Individuals that collect, use or disclose personal information solely for personal or domestic purposes.
Organisations that collect, use or disclose personal information solely for journalistic, artistic or literary purposes.
Exemption from consent under PIPEDA
Consent is not required from the data subjects in any of the following circumstances (s.7, PIPEDA):
Use of data in reaction to an emergency that threatens the life, health or security of an individual.
Disclosure to a lawyer representing the organisation.
Disclosure for collection of a debt owed by an individual.
Disclosure under a subpoena, warrant or order issued by a court with the jurisdiction to compel production of the information.
Disclosure to a government institution on a request by that institution for purposes of:
the defence of Canada;
the conduct of international affairs;
enforcing the law of Canada, a province or a foreign jurisdiction; or
administering the law of Canada or a province.
Disclosure made after the earlier of:
100 years following the creation of the record containing the information; or
20 years following the death of the individual to whom the information pertains.
Disclosure required by law.
Limited publicly available information exemption under PIPEDA
PIPEDA generally applies to personal information that is "publicly available". In narrow, prescribed circumstances, publicly available personal information can be collected, used and disclosed without the data subjects' knowledge or consent, for example:
Where the name, address or telephone number of an individual appears in a public telephone directory, provided the individual can refuse to have their information disclosed in the directory.
Where the name, title, address or telephone number of an individual appears in a professional or business directory, provided the information is used for the purpose for which it appears in the directory.
Overall, similar exceptions exist in the provincial privacy legislation in British Columbia, Alberta and Québec. However, the nature and extent of the available exceptions varies by jurisdiction. Organisations are advised to consult the legislation specifically applicable to their operations when seeking to rely on an exemption to the requirements of Canadian privacy legislation.
Business transaction exemption
British Columbia and Alberta permit the transfer of personal information in the context of defined "business transactions", such as the sale, lease, merger, or amalgamation of the organisation or its assets. Specific requirements for these transactions differ between the provinces. However, both provinces expressly state that the exception will not apply to transactions that do not involve assets other than personal information or where the primary goal of the transaction is the disposal of personal information, as follows:
A transaction that does not involve substantial assets other than personal information (BCPIPA).
Where the primary purpose is the sale or disposal of personal information (ABPIPA).
Currently, PIPEDA does not contain a similar provision. However, a bill currently before the federal parliament would amend PIPEDA to include a broadly analogous provision.
There is no general requirement to register or notify a Canadian regulatory body before collecting, using, processing or disclosing personal information in the private sector. Narrow exceptions exist in Québec and Alberta for organisations seeking to act without the consent of the individual for statistical or scholarly purposes.
The notification of data subjects before collection, use or disclosure of their personal information is an essential component of obtaining informed consent. The specific purposes for which personal information is collected, used or disclosed must be identified to the individual at or before the time of collection. Additional purposes that arise only after the consent of the individual has been obtained may require the organisation to seek additional consent.
Main data protection rules and principles
Main obligations and processing requirements
Canadian privacy legislation permits the use, collection and disclosure of personal information only:
With the knowledge and consent of the individual.
For purposes that were disclosed and which a reasonable person would consider appropriate in the circumstances.
These requirements are based on the following ten overarching principles originally derived from the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data:
Accountability. Organisations are responsible for information under their control. The organisation must designate an individual responsible for compliance with the legislation. An organisation remains accountable for information transferred to a third party and contractual means must be used to ensure adequate protection.
Identifying purposes. The purpose(s) for which personal information is collected must be specified at the time of or before the collection.
Consent. An individual's consent must be obtained for the collection, use, or disclosure of personal information. For consent to be meaningful, the purposes for which the information may be used must be disclosed so that the individual can reasonably understand the use of their information.
Limiting collection. The collection of personal information must be limited to that which is necessary for the purposes disclosed by the organisation. Collection must be through fair and lawful means.
Limiting use, disclosure and retention. Personal information cannot be used or disclosed for a purpose other than that for which it was collected, without consent, unless required by law. Personal information can be retained only as long as necessary for the disclosed purpose.
Accuracy. Organisations must keep personal information accurate, complete and up-to-date as necessary for the purposes for which it will be used.
Safeguards. Personal information must be protected by safeguards appropriate to its sensitivity. These safeguards are to include physical, organisational and technological measures.
Openness. Organisations must make their policies and practices regarding personal information available to individuals. This information must include contact information for the person accountable for compliance.
Individual access. On request, individuals must be informed of the existence, use and disclosure of their personal information, and must be granted access to it. Narrow exceptions to individual access exist, such as information that includes the personal information of another individual or material subject to solicitor-client privilege. Individuals can correct their personal information.
Challenging compliance. Organisations must have policies in place to receive and respond to complaints and challenges of their compliance with these principles. These policies must be made known on inquiry.
Canadian privacy legislation requires the informed consent of the individual to the collection, use or disclosure of their personal information.
Form and content of consent
PIPEDA recognises both express and implied consent, the use of which depends on the sensitivity of information and the circumstances surrounding its collection and use.
Express consent. This is required for the collection, use or disclosure of sensitive personal information. PIPEDA does not provide a prescribed form for express consent. However, the individual must be informed of the purposes for which their information will be used.
See Question 19 for prescribed disclosure when seeking express consent to send commercial electronic messages.
Implied consent. This may be appropriate where the personal information is not particularly sensitive and where it is reasonable to infer consent from an individual's actions or inactions. For example, principle 4.3.5 of Schedule 1 to PIPEDA states that a subscriber to a magazine would reasonably expect the publisher to use their address to solicit a renewal.
The federal Privacy Commissioner has recently provided guidelines on implied consent through an opt-out mechanism in the context of online behavioural advertising. The Commissioner indicated that opt-out consent may be acceptable where all of the following apply:
Individuals are made aware of the organisation's purposes in a clear and understandable manner at or before the collection of their information.
Individuals are provided with an easy to use opt-out mechanism that is immediate and persistent.
The collection is limited to non-sensitive information.
The information is destroyed or de-identified as soon as possible.
PIPEDA and the provincial privacy laws differ in their treatment of minors:
Under PIPEDA, consent from a minor is not expressly prohibited, or deemed sufficient. However, consent can also be provided by an authorised representative such as a legal guardian (Principle 4.3.6 of Schedule 1 to PIPEDA). Further, a note to PIPEDA indicates that in some cases it is impossible or inappropriate to seek the consent of a minor. Therefore, it is often preferable to seek consent from a parent or legal guardian.
The ABPIPA provides that minors are able to exercise their legal rights under the Act if they are able to understand their nature and consequences. If not, a legal guardian can do so on their behalf. Similarly, the BCPIPA provides that a guardian can exercise the rights of a minor who is incapable of doing so on their own.
Consent will not be required if an organisation is able to establish that its collection, use or disclosure of personal information is subject to an exemption (see Question 6). Other, situation-specific exceptions may exist, depending on the particular Canadian legislation that applies.
Sensitive personal data includes health and financial information, and is subject to more stringent legal requirements, such as the following:
Security measures must be appropriate for the sensitivity of the information.
It is essential to be able to demonstrate that the data subject has provided informed consent to the use of his sensitive information. Therefore, it is typically necessary to obtain clear express consent to the collection, use or disclosure of sensitive information.
An organisation must take additional precautions to ensure that its collection, use and disclosure of sensitive information is:
reasonable in the circumstances; and
limited to that which is necessary to achieve the purposes disclosed to the individual.
The classification of personal information as sensitive may depend on the context. For example, a list of the subscribers to a general interest magazine is not likely to be sensitive; however, a similar list of the patients of a medical specialist would be. Some classes of personal information, such as health or financial information would be sensitive in almost any context.
Rights of individuals
Informed consent is required for the collection, use and disclosure of personal information. Therefore, individuals must be informed of:
Exactly what information is collected.
Products and services cannot be offered on condition that the customer consents to the use of his personal information beyond the use necessary to supply the product or service (Principle 4.3.3, Schedule 1 to PIPEDA; see also s.7(2), BCPIPA and ABPIPA).
In 2013, additional disclosure requirements are expected to come into force for consent to send electronic messages. See Question 19.
Individuals have the right to request access to their personal information. While the precise access requirements vary depending on the applicable legislation, organisations must usually respond to a request within either 30 or 45 calendar days.
Québec prohibits charging a fee for access itself, although an organisation may charge a minimal fee for the transcription, reproduction or transmission of the personal information, provided it informs the individual of that fee in advance. British Columbia and Alberta permit minimal, reasonable fees provided the information is not employee personal information, and the applicant is provided with a written estimate of the fee. PIPEDA requires the organisation to respond to an access request at "minimal or no cost to the individual". If there is a cost to the individual, PIPEDA requires the individual to be informed of the approximate cost.
Organisations can refuse access to personal information only in certain circumstances, set out by law, which usually include where:
Information is inseparable from the personal information of other individuals.
Information is subject to solicitor-client privilege.
Disclosure would reveal confidential commercial information.
Withdrawal of consent
Individuals can subsequently withdraw their consent to the collection, use or disclosure of their personal information, but:
An individual is not able to withdraw their consent to avoid their legal obligations.
Consent is not required in some cases (see Question 6).
Organisations must usually inform data subjects of the consequences of withdrawing consent.
Additionally, individuals have the rights to:
Be informed of the purposes for which data is being collected, used and disclosed.
Complain to the Privacy Commissioner if their rights are not respected.
Request the correction of incomplete, inaccurate or out-of-date data.
PIPEDA does not expressly provide a right to require the deletion of personal information. However, principle 4.5 of Schedule 1 to PIPEDA provides that organisations shall retain personal information only as long as necessary for the fulfilment of the identified purposes, and must have policies in place regarding the destruction of personal information.
In some cases, organisations may be subject to statutory requirements to retain certain classes of information. It is essential for an organisation to be aware of any applicable sector-specific record keeping requirements.
Organisations must implement security safeguards to protect personal information from loss, theft, and unauthorised access, disclosure, copying, use or modification (Principle 4.7, Schedule 1 to PIPEDA; see also s.34, BCPIPA and ABPIPA, and s.10, QBPIPA). The nature and extent of these safeguards varies with the nature of the personal information in question, with more sensitive information requiring a greater level of security.
These protection mechanisms should include (Principle 4.7.3, Schedule 1 to PIPEDA):
Physical protection. These include locked or restricted access storage locations.
Organisational measures. These include security clearances for employees, with personal information disclosed on a "need-to-know" basis.
Technological measures. These include encryption keys and passwords.
Alberta is the only jurisdiction in Canada with a generally applicable mandatory data breach reporting requirement. (Other jurisdictions apply mandatory data breach reporting rules in the health information sector only.) When a data breach occurs, the organisation must notify the Privacy Commissioner if the breach presents a "real risk of significant harm" to the individual (s.34.1, ABPIPA). The Commissioner can then require the organisation to notify individuals affected by the breach in a prescribed manner, which includes:
The date and circumstances of the breach.
Identifying the information affected by the breach.
Any steps the organisation has taken to reduce the risk of harm.
Contact information for a person who can answer questions regarding the breach on behalf of the organisation.
Amendments to PIPEDA (currently before Parliament) would create mandatory data breach reporting at the federal level. If adopted, the proposed legislation will require organisations to report "material" breaches of their security safeguards to the Privacy Commissioner. In determining whether a breach is material, the organisation will be required to consider:
The sensitivity of the information involved.
The number of individuals affected.
Whether the breach is indicative of a systemic problem.
In addition, the organisation will also be required to consider whether the breach represents a real risk of significant harm to the individual. Where it does, the breach must be reported to the individual.
Processing by third parties
Personal information can only be transferred or disclosed for purposes that were disclosed to the individual at the time the information was collected. The federal Privacy Commissioner considers a "transfer" of personal information for processing to be a "use" of the personal information, rather than a disclosure of personal information. Separate consent for a transfer of information for processing is not required apart from the consent required for the actual "use" of the personal information. However, to comply with the principle of openness, organisations should disclose that personal information may be transferred to third party service providers. Consent from the individual is required for the "disclosure" of personal information to a third party.
Organisations remain accountable for personal information they transfer to a third party for processing. Therefore, organisations transferring information to third parties for processing must ensure that it will be adequately protected by the third party. PIPEDA expressly contemplates the use of contractual terms to ensure the provision of a comparable level of protection.
In entering an agreement with a third-party information processor, organisations must also ensure that they will remain able to meet their legal obligations with respect to the personal information. Therefore, transfer agreements must include, among other things:
A requirement to comply with the applicable privacy legislation.
A requirement to maintain adequate safeguards and inform the organisation of a breach of those safeguards.
If the agreement permits subcontracting, these obligations must also be placed on subcontractors.
Finally, it is advisable for the agreement to provide the organisation with a right to audit the information processor's privacy practices.
More specific legislation that will, in most cases, require express consent for the installation of a program onto a person's computer is expected to come into force in 2013.
New Canadian anti-spam legislation (CASL) is expected to come into force in Canada in early 2013. It will:
Bar sending commercial electronic messages to electronic addresses, unless the sender has the express or implied consent of the recipient.
Create a system that requires express, opt-in consent in most cases.
Limit implied consent to narrow classes of defined "existing business relationships" or "existing non-business relationships".
Apply to all commercial electronic messages accessed or sent from a computer system in Canada.
Place specific disclosure requirements on persons seeking consent to send commercial electronic messages and on the messages themselves. The required disclosure will include:
for requests for consent, the name or business name of the person seeking consent and, if different, on whose behalf consent is sought;
for electronic messages, the name or business name of the person sending the message and, if different, on whose behalf the message is sent;
if applicable, a statement indicating which person is seeking consent or sending the messages, and on whose behalf this is done;
the mailing address of either the person requesting consent or sending the message, or the person on whose behalf these are done; and
at least one of an e-mail address, telephone number or web address for either the person requesting consent or sending the message, or the person on whose behalf these are done.
Require commercial electronic messages to include an unsubscribe mechanism, in prescribed form.
Require unsubscribe requests to be given effect within ten business days.
Introduce high penalties for violations, including:
a maximum administrative fine of Can$10 million as determined by the Canadian Radio-television and Telecommunications Commission, but subject to appeal to the Federal Court of Appeal; and
a private right of action backed by statutory penalties of Can$200 per offence to a maximum of Can$1 million per day on which an offence occurred.
(As of 1 August 2012, US$1 was about Can$1.)
Due to the high potential penalties and stringent consent and disclosure requirements, organisations that send commercial electronic messages to Canadians should now be bringing their practices into compliance.
International transfer of data
Transfer of data outside the jurisdiction
Organisations remain accountable for information transferred to third parties for processing, including third parties outside Canada (Principle 4.1.3, Schedule 1 to PIPEDA). Therefore, before transferring data outside Canada, an organisation must ensure that it is able to meet its obligations under Canadian law by using contractual means to require the recipient to provide comparable protection for the information while it is being processed.
The privacy legislation of Alberta specifically requires individuals to be notified of the countries in which their personal information can be collected, used, disclosed, transferred or stored (ss.6(2) and 13.1, ABPIPA).
Similarly, the federal Privacy Commissioner has held that the principle of "openness" under Principle 9.8 of Schedule 1 to PIPEDA includes a requirement to inform data subjects if their information may be transferred to another jurisdiction for processing and, while in that jurisdiction, their information may be subject to lawful access requests by the authorities in that country.
Data transfer agreements
As described in Question 17, data transfer agreements are used to:
Provide adequate security for personal information.
Allow organisations to meet their privacy obligations.
However, the Privacy Commissioners have not approved precedents for these agreements.
Data transfer agreements should provide for compliance with the applicable privacy legislation, by requiring the third party service provider to provide a comparable level of protection for the personal information. The Privacy Commissioner of Canada treats the transfer of personal information for processing as a "use" of the information, so consent is not required for the transfer for processing in addition to the consent required for the actual use of the information. However, consent is required for a use, disclosure or sale of personal information (see Question 9). Furthermore, any use or disclosure of information must be for a reasonable purpose that the individual was informed of or consented to, unless a specific exception to the need for consent applies.
See also Question 20.
Enforcement and sanctions
The federal Privacy Commissioner (currently Jennifer Stoddart) can:
Investigate complaints from individuals.
Initiate an investigation of her own volition where she has reason to believe that PIPEDA has been violated.
Exercise discretion to refuse to initiate an investigation:
where the complainant should first pursue other review procedures; or
if the complaint was not brought within a reasonable period.
Discontinue an investigation if:
it is found to be frivolous or vexatious; or
the organisation has already provided a fair and reasonable response.
In the course of an investigation, the Commissioner can:
Summon and compel witnesses to give testimony or produce records.
Enter premises (other than a dwelling house) on satisfying the security requirements of the organisation.
Converse with any person.
Obtain copies or extracts from records from the premises relevant to the investigation.
It is not necessary for evidence accepted by the Commissioner to be admissible in court (s.12.1(1)(c), PIPEDA).
On the conclusion of an investigation, the Commissioner may release a report that includes her findings and any recommendations. If a complainant is not satisfied with the report, he can apply for a court hearing.
The Federal Court can:
Order the offending organisation to take corrective measures.
Order the organisation to publish a notice of those corrective measures.
Award damages to the complainant.
The provincial Privacy Commissioners generally have similar powers to the federal Privacy Commissioner. In particular, they can:
Receive complaints and begin an investigation.
Initiate an investigation of their own volition.
Issue rulings on an organisation's privacy practices following an investigation.
Order compliance with the applicable privacy legislation. (Provincial commissioners have a greater power in this regard than that of the federal Commissioner.)
PIPEDA and the provincial privacy legislation are actively enforced in Canada.
A fine of up to Can$10,000 is available on summary conviction, with a fine of up to Can$100,000 available on indictment for any of the following (PIPEDA):
Violation of the provisions related to the retention of information subject to an access request.
Retaliating against an employee for:
co-operating with the commissioner;
refusing to violate PIPEDA; or
complying in good faith with the legislative requirements.
Obstructing the Commissioner in the investigation of a complaint or audit.
The Federal Court can order an organisation to:
Correct its practices.
Publish a corrective notice.
Pay damages to a complainant, including damages for "humiliation".
Alberta. A contravention of the ABPIPA may result in a fine of up to Can$10,000 for an individual or up to Can$100,000 for an organisation (other than an individual).
British Columbia. A person or organisation that commits an offence under the BCPIPA is liable to a fine of up to Can$10,000 for an individual and up to Can$100,000 for an organisation (other than an individual).
Québec. Most violations of the QBPIPA are subject to a maximum fine of Can$10,000, doubling to Can$20,000 on a subsequent offence. A violation of the requirement to provide adequate protection for information transferred outside of Québec is subject to a fine of Can$50,000, doubling to Can$100,000 on a subsequent offence.
The regulatory authorities
Office of the Privacy Commissioner of Canada
Main areas of responsibility. The office's duties include:
Investigating complaints, conducting audits and pursuing court action under PIPEDA and the federal Privacy Act.
Publicly reporting on the personal information-handling practices of public and private sector organisations.
Providing advice, public information, and recommendations regarding the Acts.
Office of the Information and Privacy Commissioner for Alberta
Main areas of responsibility. The office's duties include:
Conducting investigations, audits or enquiries to ensure compliance under the Personal Information Protection Act, the Freedom of Information and Protection of Privacy Act, and the Health Information Act.
Providing advice, public information and recommendations regarding the Acts.
Office of the Information and Privacy Commissioner for British Columbia
Main areas of responsibility. The office's duties include:
Conducting investigations, audits or enquiries to ensure compliance under the Personal Information Protection Act, and the Freedom of Information and Protection of Privacy Act.
Providing advice, public information, and recommendations regarding the Acts.
Québec Access to Information Commission (Commission d'accès à l'information du Québec)
Main areas of responsibility. The Commission is responsible for:
The enforcement of QBPIPA, in relation to the granting of access to documents held by public bodies.
The protection of personal information under QBPIPA, in relation to the protection of personal information in the private sector.
Gowling Lafleur Henderson LLP
Qualified. Ontario, Canada, 2010
Areas of practice. Privacy and information law; advertising and marketing law; electronic commerce; electronic marketing; regulatory affairs, including packaging and labelling.
- Advising on trans-border transfers of personal information.
- Reviewing and drafting policies for direct to consumer marketing, including social media campaigns.
- Advising on Canada's new anti-spam legislation.
- Advising on packaging requirements for food, drug and cosmetic products.
- Contest design and review.