Data protection in Canada: overview
A Q&A guide to data protection in Canada.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
The collection, use and disclosure of personal information in the private sector is governed by federal, provincial and sectoral laws. The laws applicable to an organisation depend on:
Where the organisation is located.
In which Canadian jurisdictions the organisation collects, uses and discloses personal information.
Whether the organisation transfers personal information across provincial, territorial or national borders.
The sector in which the organisation operates.
At the federal level, the collection, use and disclosure of personal information in the course of commercial activities is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). In all provinces that do not have their own substantially similar legislation, PIPEDA applies to "personal information", which is defined as "information about an identifiable individual". This definition requires the person to be "identifiable" from the information, not "identified". As such, information will be personal information where there is a serious possibility it may identify a person, either alone or in combination with other information.
To date, the following provinces have enacted general purpose privacy legislation that applies to the private sector and has been declared "substantially similar" to PIPEDA:
British Columbia: Personal Information Protection Act (BCPIPA).
Alberta: Personal Information Protection Act (ABPIPA).
Québec: An Act Respecting the Protection of Personal Information in the Private Sector (QBPIPA).
In these provinces, the provincial legislation applies to the collection, use and disclosure of personal information by private sector organisations instead of PIPEDA. However, PIPEDA will continue to apply to the activities of "federal undertakings" within these provinces (such as banks, airlines and radio broadcasters). Furthermore, organisations transferring personal information across provincial borders, or outside Canada, are subject to PIPEDA as well as any applicable provincial legislation.
As a result, organisations operating across Canada may be subject to the laws of several Canadian jurisdictions. However, as "substantial similarity" is required before a provincial statute is declared to apply within the province in place of PIPEDA, there are broad similarities between PIPEDA and the provincial laws.
Subject to prescribed exceptions, both PIPEDA and the provincial legislation only allow the collection of personal information with the knowledge and consent of the individual, and such collection must be through fair and lawful means. However, there are key differences of which organisations operating in these provinces should be aware, including:
The BCPIPA, ABPIPA and QBPIPA apply more generally to employee information than PIPEDA.
The Alberta law is currently the only Canadian privacy legislation of general application to impose data breach reporting obligations, though reporting obligations also exist in several legislative schemes applicable to health information, and such a requirement is forthcoming under PIPEDA.
For transfers of personal information to recipients in Canada subject to PIPEDA, individuals in countries that have implemented Directive 95/46/EC on data protection should consult Commission Decision 2002/2/EC on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA Decision).
As of the date of writing, the province of Manitoba has also enacted a general purpose privacy law, The Personal Information Protection and Identity Theft Prevention Act. While this law is similar to the provincial laws in place in British Columbia and Alberta, it has not yet been declared in force, and it remains uncertain when it will be declared in force and whether it will be deemed "substantially similar" to PIPEDA.
In specific industry sectors, additional provincial legislation may apply in addition to, or in place of, PIPEDA. In particular, organisations involved in the use, collection and disclosure of health information must be aware of provincial statutes in this area, which include:
Alberta's Health Information Act.
Saskatchewan's Health Information Protection Act.
Manitoba's Personal Health Information Act.
Ontario's Personal Health Information Protection Act (declared "substantially similar" to PIPEDA in respect of health information custodians).
Québec's An Act Respecting the Sharing of Certain Health Information.
New Brunswick's Personal Health Information Privacy and Access Act (declared "substantially similar" to PIPEDA in respect of health information custodians).
Newfoundland and Labrador's Personal Health Information Act (declared "substantially similar" to PIPEDA in respect of health information custodians).
Nova Scotia's Personal Health Information Act.
The Northwest Territories' Health Information Act.
Furthermore, an organisation may be subject to industry-specific legislation or industry standards (such as those that apply to public sector entities, the payment cards industry and federally regulated financial institutions).
This article does not cover:
Provincial health information legislation.
Industry specific legislation or standards.
Legislation applicable to the public sector.
Scope of legislation
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to organisations that collect, use or disclose personal information in the course of commercial activities (including the sale of donor and fundraising lists). At the provincial level, the legislation of British Columbia, Alberta and Québec applies to the activities of organisations and enterprises that collect, use or disclose personal information. Both federal and provincial "organisations" include natural and legal persons (such as corporations, partnerships, trade unions and unincorporated associations).
The treatment of employee personal information depends on the applicable legislation. PIPEDA applies to employee personal information that is collected, used or disclosed in connection with the operation of a "federal work, undertaking or business". However, the Commissioner does not consider the law to apply to employee information in the general private sector, as this is a matter of provincial jurisdiction. In British Columbia, Alberta and Québec, the provincial legislation applies to employee information, and in British Columbia and Alberta, the law has specific provisions regarding employee information.
The privacy laws governing the private sector apply to "personal information", which includes any information regarding an identifiable individual. However, the precise definition of "personal information" will vary depending on the legislation that applies:
Federal. Personal information means information "about an identifiable individual" (section 2(1), PIPEDA). Business contact information is not subject to the requirements of PIPEDA when used solely to communicate with the individual in relation to their employment, business or profession.
British Columbia. Personal information means information about an identifiable individual and includes employee personal information but does not include business contact information or work product information (section 1, BCPIPA).
Alberta. Personal information means information about an identifiable individual (section 1(1), ABPIPA). There is an exception for business contact information only when used to contact an individual in relation to their business responsibilities.
Québec. Personal information is any information that relates to a natural person and allows that person to be identified (section 2, QBPIPA).
These laws do not include a specific definition of "sensitive information". However, they require that the security afforded personal information be "appropriate" to its sensitivity.
Canadian privacy legislation generally applies to the collection, use and/or disclosure of personal information. These broad terms capture the majority of commercial uses for personal information, including data collection, processing, storage, the transfer or sale of personal information to third parties, and disclosure of personal information to third parties.
Additional obligations are placed on organisations in relation to particular aspects of their collection, use, and/or disclosure of personal information (for example, knowledge and consent requirements and retention periods) (see Questions 12 to 14) and in relation to security requirements (see Questions 15 and 16). The sending of commercial electronic messages is subject to additional consent requirements under separate legislation (see Question 19).
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to organisations that collect, use or disclose personal information in Canada or transfer personal information across the Canadian border. Judicial decisions have determined that the Office of the Privacy Commissioner of Canada has the jurisdiction to investigate complaints brought against entities based outside Canada, which involve the cross-border flow of personal information, or the collection, use or disclosure of personal information in Canada.
With the exception of federal works or undertakings, private sector organisations in British Columbia, Alberta or Québec will be subject to provincial privacy legislation rather than PIPEDA. However, these organisations will be subject to PIPEDA in addition to the provincial law where they transfer personal information across provincial or international borders.
General exemptions under PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) does not apply to (section 4(2), PIPEDA):
Individuals that collect, use or disclose personal information solely for personal or domestic purposes.
Organisations that collect, use or disclose personal information solely for journalistic, artistic or literary purposes.
Exemptions from PIPEDA Consent Requirements
Consent is not required from the data subjects in any of the following circumstances (section 7, PIPEDA):
Collection is solely for journalistic, artistic or literary purposes.
Collection and use of information that is clearly in the interests of the individual and consent cannot be obtained in a timely way.
Collection and use of information where it is reasonable to expect that collection or use with the knowledge or consent of the individual would compromise the availability or the accuracy of the information, and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.
Collection, use and disclosure of information that is publicly available and is specified by the regulations.
Collection, use and disclosure of information where it is contained in a witness statement and the collection is necessary to assess, process or settle an insurance claim.
Collection, use and disclosure of information that was produced by the individual in the course of their employment, where the information is used for purposes consistent with those for which it was produced.
Disclosure made to a government institution on the initiative of the organisation, where the organisation disclosing the information has reasonable grounds to believe it relates to a contravention of the laws of Canada, a province or a foreign jurisdiction (and use of the information for this purpose).
Use of data in reaction to an emergency that threatens the life, health or security of an individual.
Use and disclosure for statistical, scholarly study or research purposes that cannot be achieved without using or disclosing the information, if the information is used or disclosed in a manner that will ensure its confidentiality, it is impracticable to obtain consent and the organisation informs the Commissioner of the use or disclosure before the information is used.
Disclosure to a lawyer representing the organisation.
Disclosure for the collection of a debt owed to the organisation by the individual.
Disclosure required under a subpoena, warrant or order issued by a court with the jurisdiction to compel production of the information.
Disclosure is made to another organisation and reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province, or to prevent, detect or suppress fraud, and disclosure with consent would compromise the investigation.
Disclosure to a government institution on a request by an institution that has identified its lawful authority for purposes of:
the defence of Canada;
the conduct of international affairs;
enforcing the law of Canada, a province or a foreign jurisdiction;
communicating with the next of kin, or authorised representative of an injured, ill or deceased person; or
administering the law of Canada or a province.
Disclosure made after the earlier of:
100 years following the creation of the record containing the information; or
20 years following the death of the individual to whom the information pertains.
Disclosure required by law.
Limited publicly available information exemption under PIPEDA
PIPEDA generally applies to personal information that is "publicly available" (the fact that information can simply be obtained from a public source does not remove the requirement to obtain consent for its collection or use). However, in narrow, prescribed circumstances, publicly available personal information can be collected, used and disclosed without the data subjects' knowledge or consent, for example:
Where the name, address or telephone number of an individual appears in a public telephone directory, provided the individual can refuse to have their information disclosed in the directory.
Where the name, title, address or telephone number of an individual appears in a professional or business directory, provided the information is used for the purpose for which it appears in the directory.
Overall, similar exceptions exist in the provincial privacy legislation in British Columbia, Alberta and Québec. However, the nature and extent of the available exceptions varies by jurisdiction. Organisations are advised to consult the legislation specifically applicable to their operations when seeking to rely on an exemption to the requirements of Canadian privacy legislation.
Business transaction exemption
PIPEDA and the laws of British Columbia and Alberta permit the transfer of personal information in the context of defined "business transactions", such as the sale, lease, merger or amalgamation of the organisation or its assets. Specific requirements for these exceptions apply, and differ between PIPEDA and the provinces. These requirements must be implemented through an initial non-disclosure agreement and the final transaction agreement. The exception will not apply to transactions that do not involve assets other than personal information, or where the primary goal of the transaction is the disposal of personal information.
Currently, the Québec legislation does not contain a similar provision.
There is no requirement to register or notify a Canadian regulatory body before collecting, using, processing or disclosing personal information in the private sector. Narrow exceptions exist in Québec and at the federal level for organisations seeking to act without the consent of the individual for statistical or scholarly purposes.
The notification of data subjects before collection, use or disclosure of their personal information is an essential component of obtaining informed consent. The specific purposes for which personal information is collected, used or disclosed must be identified to the individual at or before the time of collection (if the purpose is not identified, then the consent would not be informed and therefore impaired). Under PIPEDA, consent will be valid only if it is reasonable to expect that the individual with whom the organisation is dealing understands the "nature, purpose and consequences" of their consent. Additional purposes that arise only after the consent of the individual has been obtained may require the organisation to seek further consent to the new purposes.
Main data protection rules and principles
Main obligations and processing requirements
Subject to certain exceptions (see Question 6), Canadian privacy legislation permits the use, collection and disclosure of personal information only:
With the knowledge and consent of the individual.
For purposes that were disclosed and which a reasonable person would consider appropriate in the circumstances.
These requirements are further developed in ten overarching principles that inform organisational obligations pursuant to Schedule 1 to the Personal Information Protection and Electronic Documents Act (PIPEDA):
Accountability. Organisations are responsible for information under their control, and must designate an individual responsible for compliance with the legislation. Organisations remain accountable for information transferred to a third party and contractual means must be used to ensure adequate protection.
Identifying purposes. The purpose(s) for which personal information is collected must be specified at the time of or before the collection.
Consent. An individual's informed consent must be obtained for the collection, use or disclosure of their personal information. For consent to be meaningful, the purposes for which the information may be used must be disclosed so that the individual can reasonably understand the use of their information.
Limiting collection. The collection of personal information must be limited to that which is necessary for the purposes disclosed by the organisation. Collection must be through fair and lawful means.
Limiting use, disclosure and retention. Personal information cannot be used or disclosed for a purpose other than that for which it was collected, without consent, unless permitted or required by law. Personal information can be retained only as long as necessary for the disclosed purposes.
Accuracy. Organisations must keep personal information as accurate, complete and up-to-date as necessary for the purposes for which it will be used.
Safeguards. Personal information must be protected by safeguards appropriate to its sensitivity. These safeguards must include physical, organisational and technological security measures.
Openness. Organisations must make their policies and practices regarding personal information available to individuals. This information must include contact information for the person accountable for compliance.
Individual access. On request, individuals must be informed of the existence, use and disclosure of their personal information, and must be granted access to it. Narrow exceptions to individual access exist, such as information that includes the personal information of another individual or material subject to solicitor-client privilege. Individuals can request the correction of their personal information.
Challenging compliance. Organisations must have policies in place to receive and respond to complaints and challenges to their compliance with these principles. These policies must be made known on request.
Canadian privacy legislation requires the informed consent of the individual to the collection, use or disclosure of their personal information.
Form and content of consent
The Personal Information Protection and Electronic Documents Act (PIPEDA) recognises both express and implied consent. The appropriate form of consent depends on the intended use of the information, its sensitivity, and the circumstances surrounding its collection and use. Overall, consent will be valid under PIPEDA only if it is reasonable to expect that the individual will understand the nature, purpose and consequences of their consent.
Express consent. This is required for the collection, use or disclosure of sensitive personal information. PIPEDA does not prescribe a form for express consent; for example, consent may be obtained through written, verbal or electronic means. In each case, the individual must be clearly informed of the purposes for which their information will be used.
See Question 19 for prescribed disclosure when seeking express consent to send commercial electronic messages.
Implied consent. This may be appropriate where the personal information is not particularly sensitive and where it is reasonable to infer consent from an individual's actions or inactions. For example, principle 4.3.5 of Schedule 1 to PIPEDA states that a magazine subscriber would reasonably expect the publisher to use their address to solicit a subscription renewal.
The Office of the Privacy Commissioner of Canada (OPC) has provided guidelines on using implied consent through an opt-out mechanism in the context of online behavioural advertising. The OPC indicates that opt-out consent may be acceptable for behavioural advertising where all of the following apply:
Individuals are made aware of the organisation's purposes in a clear and understandable manner at or before the collection of their information.
Individuals are provided with an easy to use opt-out mechanism that is immediate and persistent.
The collection is limited to non-sensitive information and the personal information of children is not used.
The information is destroyed or de-identified as soon as possible.
PIPEDA and the provincial privacy laws differ in their treatment of minors:
Under PIPEDA, consent from a minor is not expressly prohibited. However, obtaining a minor's consent may not be considered to be sufficient in all cases. In some cases, PIPEDA recognises that consent can be provided by an authorised representative such as a legal guardian (Principle 4.3.6 of Schedule 1, PIPEDA). Further, a note to PIPEDA indicates that in some cases it is impossible or inappropriate to seek the consent of a minor. Therefore, it is often preferable to seek consent from a parent or legal guardian as well as the minor, and Commissioner decisions have required this in respect of minors under 13.
The ABPIPA provides that minors are able to exercise their rights under the Act if they are able to understand their nature and consequences. If not, a legal guardian can do so on their behalf. Similarly, the BCPIPA provides that a guardian can exercise the rights of a minor who is incapable of doing so on their own.
Consent will not be required if an organisation is able to establish that its collection, use or disclosure of personal information is subject to an exemption (see Question 6). Other, situation-specific exceptions may exist, depending on the particular Canadian legislation that applies.
Sensitive personal data includes health and financial information, and is subject to more stringent legal requirements, such as the following:
Security measures must be appropriate to the sensitivity of the information; therefore, a higher standard of protection is required for sensitive information.
It is essential to be able to demonstrate that the data subject has provided informed consent to the use of his sensitive information. Therefore, it is typically necessary to obtain clear express consent to the collection, use or disclosure of sensitive information.
An organisation must take additional precautions to ensure that the collection, use and disclosure of sensitive information is:
reasonable in the circumstances; and
limited to that which is necessary to achieve the purposes disclosed to the individual.
The classification of personal information as sensitive may depend on the context. For example, a list of the subscribers to a general interest magazine is not likely to be sensitive; however, a similar list of the patients of a medical specialist would be. Some classes of personal information, such as health or financial information, would be sensitive in any context. Collection of specific types of sensitive information may be restricted. For example, social insurance numbers (SINs) can only be required where legally necessary and not for general identification purposes.
Rights of individuals
Informed consent is required for the collection, use and disclosure of personal information. Therefore, it is important to inform individuals of how their information is collected and how it will be used and disclosed, in a manner that can be easily understood. Individuals must be informed of:
Exactly what information is collected.
Products and services cannot be offered on condition that the customer consents to the collection or use of his personal information beyond the use necessary to supply the product or service (Principle 4.3.3, Schedule 1, PIPEDA; see also s.7(2), BCPIPA and ABPIPA).
Additional disclosure requirements apply where an organisation seeks consent to send commercial electronic messages. See Question 19.
Individuals have the right to request access to their personal information. While the precise access requirements vary depending on the applicable legislation, organisations must usually respond to a request within either 30 or 45 calendar days.
Québec prohibits charging an access fee. However, a reasonable charge in respect of the transcription, reproduction or transmission of the personal information is permitted if the organisation informs the individual in advance. British Columbia and Alberta permit minimal, reasonable fees, provided the information is not employee personal information, and the applicant is provided with a written estimate of the fee. The Personal Information Protection and Electronic Documents Act (PIPEDA) requires the organisation to respond to an access request at "minimal or no cost to the individual". If there is a cost to the individual, PIPEDA requires the individual to be informed of the approximate cost.
Organisations can refuse access to personal information only in certain circumstances, set out by law, which usually include:
Information inseparable from the personal information of other individuals.
Information subject to solicitor-client privilege.
Disclosure that would reveal confidential commercial information.
Withdrawal of consent
Individuals can withdraw their consent to the collection, use or disclosure of their personal information, but:
An individual is not able to withdraw their consent to avoid their legal obligations.
Consent is not required in some cases (see Question 6).
Organisations must usually inform data subjects of the consequences of withdrawing consent.
Additionally, individuals have the right to:
Be informed of the purposes for which data is being collected, used and disclosed.
Complain to the Privacy Commissioner if their rights are not respected.
Request the correction of incomplete, inaccurate or out-of-date data.
The Personal Information Protection and Electronic Documents Act (PIPEDA) does not provide a direct right to demand the deletion of personal information. However, principle 4.5 of Schedule 1 to PIPEDA provides that organisations will retain personal information only as long as necessary for the fulfilment of the identified purposes, and must have policies in place regarding the destruction of personal information.
In some cases, organisations may be subject to statutory requirements to retain certain classes of information, for example, under tax law. It is essential for an organisation to be aware of any applicable sector-specific record keeping requirements.
Organisations must implement security safeguards to protect personal information from loss, theft, and unauthorised access, disclosure, copying, use or modification (Principle 4.7, Schedule 1, Personal Information Protection and Electronic Documents Act (PIPEDA); see also s.34, BCPIPA and ABPIPA, and s.10, QBPIPA). The nature and extent of these safeguards varies with the nature of the personal information in question, with more sensitive information requiring a greater level of security.
These protection mechanisms should include (Principle 4.7.3, Schedule 1, PIPEDA):
Physical protection measures. These include locked or restricted access storage locations.
Organisational measures. These include security clearances for employees, with personal information disclosed on a "need-to-know" basis.
Technological measures. These include encryption keys and passwords.
Data subjects must be informed of the purposes for which their personal information is collected, used and disclosed, in order to obtain properly informed consent to these purposes. There is no requirement in the general private sector to notify the privacy commissioners of the collection, use or disclosure of personal information. The requirements in relation to data breaches are currently in a state of flux.
Alberta is the only jurisdiction in Canada with a generally applicable mandatory data breach reporting requirement. (Other jurisdictions apply mandatory data breach reporting rules in the health information sector only.) When a data breach occurs, the organisation must notify the Alberta Privacy Commissioner if the breach presents a "real risk of significant harm" to the individual (s.34.1, ABPIPA). The Commissioner can then require the organisation to notify individuals affected by the breach in a prescribed notice, which includes:
The date and circumstances of the breach.
The nature of the information affected by the breach.
Any steps the organisation has taken to reduce the risk of harm to the individuals.
Contact information for a person who can answer questions regarding the breach on behalf of the organisation.
In practice, the Alberta Commissioner typically requires notification of the affected individuals in the case of a security breach.
Changes to PIPEDA
Amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) (that will come into force on a date yet to be proclaimed) will create mandatory data breach reporting at the federal level. These amendments will require organisations to report breaches of their security safeguards to the federal Privacy Commissioner where the breach presents a real risk of significant harm to an individual. In determining whether there is a "real risk of significant harm", the organisation will be required to consider:
The sensitivity of the information involved.
The probability the information will be misused.
Any prescribed factors.
It should be noted that, until the amendments to PIPEDA come into force, only Alberta has mandatory notification of breaches to a regulator and to data subjects. Nevertheless, a failure to appropriately notify data subjects of a breach in other jurisdictions may be investigated by the Privacy Commissioners and may form the basis for a conclusion that a privacy complaint is well-founded.
Processing by third parties
Personal information can only be transferred or disclosed for purposes that were disclosed to the individual at the time the information was collected. The federal Privacy Commissioner considers a "transfer" of personal information for processing to be a "use" of the personal information, rather than a "disclosure" of personal information. Separate consent for a transfer of information to a service provider for previously disclosed processing is not required apart from the consent required for the actual "use" of the personal information. However, to comply with the principle of openness, organisations should disclose that personal information may be transferred to third party service providers. Where personal information is disclosed to a third party for another purpose, consent from the individual is required.
Organisations remain accountable for personal information they transfer to a third party for processing. Therefore, when organisations transfer information, they must ensure the information will be adequately protected. The Personal Information Protection and Electronic Documents Act (PIPEDA) expressly contemplates the use of contractual terms to ensure the provision of an appropriate level of protection.
In entering an agreement with a third-party information processor, organisations must also ensure that they will remain able to meet their legal obligations with respect to the personal information. Therefore, transfer agreements must include, among other things:
A requirement to comply with the applicable privacy legislation.
A requirement to use/process the information only as instructed by the transferring organisation and to return or securely destroy it on the termination of the agreement.
A requirement to maintain adequate safeguards and inform the transferring organisation of a breach of those safeguards.
If the agreement permits subcontracting, these obligations must also be placed on subcontractors.
Finally, it is advisable for the agreement to provide the transferring organisation with a right to audit the information processor's privacy practices.
Canada's Anti-Spam Law (CASL) imposes an express consent requirement relating to the installation of a "computer program" onto another person's computer. Under this law, a request for express consent to install a computer program must state:
The purpose for which you are seeking consent and the function of the computer program.
The name of the entity seeking consent.
If consent is sought by another entity, the name of that entity and on whose behalf it is requesting consent.
The mailing address and either a telephone number or e-mail address for the entity seeking consent.
That consent can be withdrawn.
CASL contains various exemptions and exceptions to the requirement to obtain express consent relating to the installation of a computer program. In addition, CASL deems a person to have consented to the installation of a cookie, HTML code or JavaScript where it is reasonable to believe that they consent based on their conduct.
Canadian anti-spam legislation (CASL) is extremely prescriptive and punitive and applies to commercial electronic messages, including e-mail, text messages, instant messages, and direct messages through social media. CASL:
Bars sending commercial electronic messages to electronic addresses, unless the sender has the express or implied consent of the recipient.
Requires express, opt-in consent in most cases.
Limits implied consent to narrow classes of defined "existing business relationships" or "existing non-business relationships".
Applies to all commercial electronic messages accessed or sent from a computer system in Canada.
Places specific disclosure requirements on persons seeking consent to send commercial electronic messages and on the content of the messages. For requests for consent, the required disclosure includes:
the purpose of the consent, and the name or business name of the person seeking consent and, if different, on whose behalf consent is sought;
if applicable, a statement indicating which person is seeking consent and on whose behalf this is done;
the mailing address of either the person requesting consent, or the person on whose behalf consent is requested, and at least one of either an e-mail address, telephone number or web address of the person requesting consent or the person on behalf of whom consent is requested;
a statement that consent can be withdrawn.
The prescribed content of electronic messages includes:
the name or business name of the person sending the message and, if different, on whose behalf the message is sent;
if applicable, a statement indicating the person sending the message, and on whose behalf this is done;
the mailing address of either the person sending the message, or the person on whose behalf the message is sent;
at least one of either an e-mail address, telephone number or web address for either the person sending the message, or the person on whose behalf the message is sent;
an unsubscribe mechanism that is clearly and prominently set out, readily performable, and given effect within ten business days.
Separate regulations, the Unsolicited Telecommunications Rules, apply to unsolicited telephone calls made for the purpose of solicitation. These rules include registration, call script and "do not call" list requirements.
International transfer of data
Transfer of data outside the jurisdiction
Canadian privacy law does not distinguish between transfers of personal information within a corporate group and transfers between unrelated companies (subject to prescribed exceptions, the informed consent of the individual is needed for the collection, use and disclosure of their personal information). Canadian private sector privacy law does not prohibit the transfer of personal information outside of Canada. However, organisations remain liable for information they transfer outside of the country, and individuals must be notified of such transfers.
Organisations remain accountable for information transferred to third parties for processing, including third parties outside Canada (Principle 4.1.3, Schedule 1, Personal Information Protection and Electronic Documents Act (PIPEDA)). Therefore, before transferring data outside Canada, an organisation must ensure that it is able to meet its obligations under Canadian law by using contractual means to require the recipient to provide comparable protection for the information while it is being processed.
The privacy legislation of Alberta specifically requires individuals to be notified of the countries in which their personal information may be collected, used, disclosed, transferred or stored by a service provider (subsection 6(2) and section 13.1, ABPIPA).
Similarly, the federal Privacy Commissioner has held that the principle of "openness" under Principle 9.8 of Schedule 1 to PIPEDA includes a requirement to inform data subjects if their information may be transferred to another jurisdiction for processing and, while in that jurisdiction, their information may be subject to lawful access requests by the authorities in that country.
Data transfer agreements
See Question 17.
Data transfer agreements are used to:
Provide adequate security for personal information.
Allow organisations to meet their privacy obligations.
However, the Privacy Commissioners have not approved precedents for these agreements.
Data transfer agreements are considered sufficient to comply with the applicable privacy legislation if the agreement requires the third party service provider to provide a comparable level of protection for the personal information, and restricts the service provider to only use the information as instructed by the data controller. The Privacy Commissioner of Canada treats the transfer of personal information for processing as a "use" of the information (rather than a "disclosure"), so additional consent is not required for the transfer for processing separately from the consent which must have already been obtained for the actual use of the information by the organisation transferring it. Consent is required for a use, disclosure or sale of personal information (see Question 9). In addition, any use or disclosure of information must be for a reasonable purpose that the individual has been informed of and consented to, unless a specific exception to the need for consent applies.
See also Question 20.
Enforcement and sanctions
The federal Privacy Commissioner (Commissioner) (currently Daniel Therrien) can:
Investigate complaints from individuals.
Initiate an investigation of his own volition where he has reason to believe that the Personal Information Protection and Electronic Documents Act (PIPEDA) has been violated.
Make public any information that comes to his knowledge in performing his duties if he considers it in the public interest to do so.
Enter into an enforceable compliance agreement with an organisation he believes has or is likely to commit an offence.
Exercise discretion to refuse to initiate an investigation:
where the complainant should first pursue other review procedures; or
if the complaint was not brought within a reasonable period.
Discontinue an investigation if:
it is found to be frivolous or vexatious; or
the organisation has already provided a fair and reasonable response.
In the course of an investigation, the Commissioner can:
Summon and compel witnesses to give testimony or produce records.
Enter premises (other than a dwelling house) on satisfying the security requirements of the organisation.
Converse with persons.
Obtain copies or extracts from records from the premises relevant to the investigation.
It is not necessary for evidence accepted by the Commissioner to be admissible in court (section 12.1(1)(c), PIPEDA).
On the conclusion of an investigation, the Commissioner may release a report that includes findings and recommendations. If a complainant is not satisfied with the report, he can apply for a court hearing.
The Federal Court can:
Order the offending organisation to take corrective measures.
Order the organisation to publish a notice of the corrective measures taken.
Award damages to the complainant.
The provincial Privacy Commissioners generally have similar powers to the federal Privacy Commissioner. In particular, they can:
Receive complaints and begin an investigation.
Initiate an investigation of their own volition.
Issue rulings on an organisation's privacy practices following an investigation.
Order compliance with the applicable privacy legislation. (Provincial commissioners have a greater power in this regard than that of the federal Commissioner.)
The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL) and the provincial privacy legislation are actively enforced.
Sanctions under PIPEDA. A fine of up to Can$10,000 is available on summary conviction, with a fine of up to Can$100,000 available on indictment for any of the following:
Violation of the provisions related to the retention of information subject to an access request.
Retaliating against an employee for:
co-operating with the commissioner;
refusing to violate PIPEDA; or
complying in good faith with the legislative requirements.
Obstructing the Commissioner in the investigation of a complaint or audit.
The Federal Court can order an organisation to:
Correct its practices.
Publish a corrective notice.
Pay damages to a complainant, including damages for humiliation.
Sanctions under CASL. Violations of CASL in relation to the sending of commercial electronic messages, or the installation of computer programs, can be punishable by:
A maximum administrative fine of Can$10 million as determined by the Canadian Radio-television and Telecommunications Commission, but subject to appeal to the Federal Court of Appeal.
A private right of action backed by statutory penalties of Can$200 per offence to a maximum of Can$1 million per day on which an offence occurred (as of 1 July 2017).
Alberta. A contravention of the ABPIPA may result in a fine of up to Can$10,000 for an individual or up to Can$100,000 for an organisation (other than an individual).
British Columbia. A person or organisation that commits an offence under the BCPIPA is liable to a fine of up to Can$10,000 for an individual and up to Can$100,000 for an organisation (other than an individual).
Québec. Most violations of the QBPIPA are subject to a maximum fine of Can$10,000, doubling to Can$20,000 on a subsequent offence. A violation of the requirement to provide adequate protection for information transferred outside of Québec is subject to a fine of Can$50,000, doubling to Can$100,000 on a subsequent offence.
Office of the Privacy Commissioner of Canada
Main areas of responsibility. The office's duties include:
Investigating complaints, conducting audits and pursuing court action under PIPEDA and the federal Privacy Act.
Publicly reporting on the personal information-handling practices of public and private sector organisations.
Providing advice, public information and recommendations regarding the Acts.
Office of the Information and Privacy Commissioner for Alberta
Main areas of responsibility. The office's duties include:
Conducting investigations, audits or enquiries to ensure compliance under the Personal Information Protection Act, the Freedom of Information and Protection of Privacy Act, and the Health Information Act.
Providing advice, public information and recommendations regarding the Acts.
Office of the Information and Privacy Commissioner for British Columbia
Main areas of responsibility. The office's duties include:
Conducting investigations, audits or enquiries to ensure compliance under the Personal Information Protection Act, and the Freedom of Information and Protection of Privacy Act.
Providing advice, public information and recommendations regarding the Acts.
Québec Access to Information Commission (Commission d'accès à l'information du Québec)
Main areas of responsibility. The Commission is responsible for:
The enforcement of the Act respecting Access to Documents Held by Public Bodies and the Protection of Personal Information (QBPIPA), in relation to the granting of access to documents held by public bodies.
The protection of personal information under QBPIPA, in relation to the protection of personal information in the private sector.
The Canadian Radio-television and Telecommunications Commission
Main areas of responsibility. The CRTC's duties include:
Enforcing Canada's anti-spam law in relation to the sending of commercial electronic messages and the installation of computer programs.
Regulating telecommunications, including telemarketing.
Description. Information about the Personal Information Protection and Electronic Documents Act. Website maintained by the Canadian Government. Official and up-to-date.
Description. Information about Canada's anti-spam law. Website maintained by the Canadian Government. Official and up-to-date.
Description. Information about the British Columbia Personal Information Protection Act. Website maintained by the Queen's Printer British Columbia. Unofficial but up-to-date.
Description. Information about the Alberta Personal Information Protection Act. Website maintained by the Alberta Queen's Printer. Unofficial but up-to-date.
Description. Information about the Québec Act respecting the Protection of Personal Information in the Private Sector. Website maintained by the Official Publisher of Québec (Éditeur officiel du Québec). Official and up-to-date.
Description. Consolidated decisions of the Federal Privacy Commissioner. Website maintained by the Office of the Federal Privacy Commissioner. Unofficial but up-to-date.
Wendy J Wagner, Partner
Professional qualifications. Ontario, Canada, 2002
Areas of practice. Privacy and freedom of information; defamation and media law; international trade and customs.
Advising multinational corporations on data breaches, including a theft of credit data, a loss of hardware storage equipment, and a loss of employee data due to computer hacking.
Creating anti-spam compliance policies and programmes for life science companies, retail corporations and not for profit associations.
Developing privacy compliance programmes for online retailers entering the Canadian market, including external policies and internal standard operating procedures.
Advising on data protection obligations in the context of M&A due diligence and resulting share purchase and asset transactions.
Tower dump production orders: Restricting police access to cellular records in R v. Rogers Communications. 18 January 2016.
Nova Scotia's cyberbullying legislation a "colossal failure", declared unconstitutional, 15 January 2016.
Disclosure of personal information for the purposes of debt collection: How far can you go? 14 January 2016.
Canada's Privacy Commissioner releases annual report on government data breaches, 1 December 2015.
Is Canada safe from the Safe Harbor decision? 1 December 2015.
Christopher Oates, Associate
Professional qualifications. Ontario, Canada, 2010
Areas of practice. Privacy and information law; advertising and marketing law; electronic commerce; electronic marketing; regulatory affairs, including packaging and labelling.
Advising on privacy and data protection in the context of corporate acquisitions.
Advising on Canada's anti-spam legislation.
Advising on trans-border transfers of personal information.
Advising in the context of data breaches.
Reviewing and drafting policies for direct to consumer marketing, including social media campaigns.
Advising on packaging requirements for food, drug and cosmetic products.
Contest design and review.
"Canadian Privacy Law, the Internet and Social Media," Social Media and Internet Law – Forms and Precedents, LexisNexis, May 2014.
Webinar – Canada's New Anti-Spam Legislation: What You Need to Know to Comply; May 2014.
"Advertising Law in Canada", Fourth Edition, B. Pritchard and S. Vogt. October 2012, Contributor of Chapter 19, Privacy Law in Canada.