Data protection in Canada: overview

A Q&A guide to data protection in Canada.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool.

This article is part of the multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

Christopher Oates, Gowling Lafleur Henderson LLP

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

The collection, use and disclosure of personal information in the private sector is governed by a number of federal, provincial and sectoral laws. The laws applicable to an organisation depend on all of the following:

  • Where the organisation is located.

  • In which Canadian jurisdictions the organisation collects, uses and discloses personal information.

  • Whether the organisation transfers personal information across provincial, territorial or national borders.

  • The sector in which the organisation operates.

At the federal level, the collection, use and disclosure of personal information in the course of commercial activities is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies:

  • To "personal information", which is defined as "information about an identifiable individual".

  • In all provinces where the federal government does not consider the provincial legislation to be "substantially similar" to PIPEDA.

To date, the following provinces have enacted general purpose privacy legislation that applies to the private sector and has been declared "substantially similar" to PIPEDA:

  • British Columbia: Personal Information Protection Act (BCPIPA).

  • Alberta: Personal Information Protection Act (ABPIPA).

  • Québec: An Act Respecting the Protection of Personal Information in the Private Sector (QBPIPA).

In these provinces, the provincial legislation applies to the use of personal information by private sector organisations in place of PIPEDA. However, PIPEDA will continue to apply to the activities of "federal undertakings" within these provinces (such as banks, airlines and radio broadcasters). Furthermore, organisations transferring personal information across provincial borders, or outside Canada, are subject to PIPEDA as well as the provincial legislation.

Organisations operating at a national or international level may be subject to several different legislative schemes. As "substantial similarity" is required before a provincial statute is declared to apply within the province in place of PIPEDA, there are broad similarities between PIPEDA and the provincial acts.

Subject to prescribed exceptions, PIPEDA and each provincial act only allow the collection of personal information with the knowledge and consent of the individual, and through fair and lawful means. However, there are key differences of which organisations operating in these provinces should be aware, including:

  • The BCPIPA and the ABPIPA apply more broadly to employee information than PIPEDA does.

  • Alberta law is currently the only Canadian privacy legislation of general application to impose data breach reporting obligations on organisations, though reporting obligations also exist in several legislative schemes applicable to health information, and amendments to PIPEDA have been proposed that would make breach reporting mandatory at the federal level.

For transfers of personal information to recipients in Canada subject to PIPEDA, individuals in countries that have implemented Directive 95/46/EC on data protection should consult Decision 2002/2/EC pursuant to Directive 95/46/EC on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA Decision).

Sectoral laws

In specific industry sectors, additional provincial legislation may apply in addition to, or in place of, PIPEDA. In particular, organisations involved in the use, collection, and disclosure of health information must be aware of provincial statutes in this area, which include:

  • Alberta's Health Information Act.

  • Saskatchewan's Health Information Protection Act.

  • Manitoba's Personal Health Information Act.

  • Ontario's Personal Health Information Protection Act (declared "substantially similar" to PIPEDA in respect of health information custodians).

  • New Brunswick's Personal Health Information Privacy and Access Act (declared "substantially similar" to PIPEDA in respect of health information custodians).

  • Newfoundland and Labrador's Personal Health Information Act.

Furthermore, an organisation may be subject to industry-specific legislation or industry standards (such as those that apply to the payment cards industry and federally regulated financial institutions).

This article does not cover:

  • Provincial health information legislation.

  • Industry specific legislation or standards.

  • Legislation applicable to the public sector.

Scope of legislation

2. To whom do the laws apply?

PIPEDA applies to organisations that collect, use or disclose personal information in the course of commercial activities (including the sale of donor and fundraising lists). At the provincial level, the legislation of British Columbia, Alberta and Québec applies to the activities of organisations and enterprises that collect, use or disclose personal information. Both federal and provincial "organisations" include natural and legal persons (such as corporations, partnerships, trade unions and unincorporated associations).

The treatment of employee personal information depends on the applicable legislation. PIPEDA generally applies to employees' personal information that is collected, used or disclosed in connection with the operation of a federal work, undertaking or business.

In British Columbia and Alberta, the provincial legislation applies to and has specific provisions regarding employee personal information.

 
3. What data is regulated?

The various data protection and privacy laws governing the private sector generally apply to "personal information", which includes any information regarding an identifiable individual. However, the precise definition of "personal information" will vary depending on the legislation that applies:

  • Federal. Personal information means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organisation (s.2(1), PIPEDA). An amendment to PIPEDA is currently before the federal parliament that, if enacted, will:

    • remove the exclusion of "business contact information"; and

    • create a narrower exception that removes business contact information from the requirements of PIPEDA only when used to communicate with the individual in relation to their employment, business or profession.

  • British Columbia. Personal information means information about an identifiable individual and includes employee personal information but does not include business contact information or work product information (s.1, BCPIPA).

  • Alberta. Personal information means information about an identifiable individual (s.1(1), ABPIPA). There is an exception for business contact information only when used to contact an individual in relation to their business responsibilities.

  • Québec. Personal information is any information that relates to a natural person and allows that person to be identified (s.2, QBPIPA).

 
4. What acts are regulated?

Canadian privacy and data protection legislation generally applies to the collection, use, and/or disclosure of personal information. These broad terms capture the majority of commercial uses for personal information, including data processing, storage and the transfer or sale of personal information to third parties.

Additional obligations are placed on organisations in relation to particular aspects of their collection, use, and/or disclosure of personal information (for example, to observe the rights of data subjects (see Questions 12 to 14) and in relation to security requirements (see Questions 15 and 16)).

 
5. What is the jurisdictional scope of the rules?

PIPEDA applies to organisations that collect, use or disclose personal information in Canada or transfer personal information across the Canadian border. Judicial decisions have determined that the Office of the Privacy Commissioner of Canada has the jurisdiction to investigate complaints brought against entities based outside Canada, which involve the cross-border flow of personal information, or the collection, use or disclosure of personal information by the entity in Canada.

With the exception of federal works or undertakings, private sector organisations in British Columbia, Alberta or Québec will be subject to provincial privacy legislation rather than PIPEDA. However, these organisations will be subject to PIPEDA where they transfer personal information across provincial or international borders.

 
6. What are the main exemptions (if any)?

General exemptions under PIPEDA

PIPEDA does not apply to (s.4(2), PIPEDA):

  • Individuals that collect, use or disclose personal information solely for personal or domestic purposes.

  • Organisations that collect, use or disclose personal information solely for journalistic, artistic or literary purposes.

Exemption from consent under PIPEDA

Consent is not required from the data subjects in any of the following circumstances (s.7, PIPEDA):

  • Use of data in reaction to an emergency that threatens the life, health or security of an individual.

  • Disclosure to a lawyer representing the organisation.

  • Disclosure for collection of a debt owed by an individual.

  • Disclosure under a subpoena, warrant or order issued by a court with the jurisdiction to compel production of the information.

  • Disclosure to a government institution on a request by that institution for purposes of:

    • national security;

    • the defence of Canada;

    • the conduct of international affairs;

    • enforcing the law of Canada, a province or a foreign jurisdiction; or

    • administering the law of Canada or a province.

  • Disclosure made after the earlier of:

    • 100 years following the creation of the record containing the information; or

    • 20 years following the death of the individual to whom the information pertains.

  • Disclosure required by law.

Limited publicly available information exemption under PIPEDA

PIPEDA generally applies to personal information that is "publicly available". In narrow, prescribed circumstances, publicly available personal information can be collected, used and disclosed without the data subjects' knowledge or consent, for example:

  • Where the name, address or telephone number of an individual appears in a public telephone directory, provided the individual can refuse to have their information disclosed in the directory.

  • Where the name, title, address or telephone number of an individual appears in a professional or business directory, provided the information is used for the purpose for which it appears in the directory.

Overall, similar exceptions exist in the provincial privacy legislation in British Columbia, Alberta and Québec. However, the nature and extent of the available exceptions varies by jurisdiction. Organisations are advised to consult the legislation specifically applicable to their operations when seeking to rely on an exemption to the requirements of Canadian privacy legislation.

Business transaction exemption

British Columbia and Alberta permit the transfer of personal information in the context of defined "business transactions", such as the sale, lease, merger, or amalgamation of the organisation or its assets. Specific requirements for these transactions differ between the provinces. However, both provinces expressly state that the exception will not apply to transactions that do not involve assets other than personal information or where the primary goal of the transaction is the disposal of personal information, as follows:

  • A transaction that does not involve substantial assets other than personal information (BCPIPA).

  • Where the primary purpose is the sale or disposal of personal information (ABPIPA).

Currently, PIPEDA does not contain a similar provision. However, a bill currently before the federal parliament would amend PIPEDA to include a broadly analogous provision.

Notification

7. Is notification or registration required before processing data?

There is no general requirement to register or notify a Canadian regulatory body before collecting, using, processing or disclosing personal information in the private sector. Narrow exceptions exist in Québec and Alberta for organisations seeking to act without the consent of the individual for statistical or scholarly purposes.

The notification of data subjects before collection, use or disclosure of their personal information is an essential component of obtaining informed consent. The specific purposes for which personal information is collected, used or disclosed must be identified to the individual at or before the time of collection. Additional purposes that arise only after the consent of the individual has been obtained may require the organisation to seek additional consent.

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

Canadian privacy legislation permits the use, collection and disclosure of personal information only:

  • With the knowledge and consent of the individual.

  • For purposes that were disclosed and which a reasonable person would consider appropriate in the circumstances.

These requirements are based on the following ten overarching principles originally derived from the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data:

  • Accountability. Organisations are responsible for information under their control. The organisation must designate an individual responsible for compliance with the legislation. An organisation remains accountable for information transferred to a third party and contractual means must be used to ensure adequate protection.

  • Identifying purposes. The purpose(s) for which personal information is collected must be specified at the time of or before the collection.

  • Consent. An individual's consent must be obtained for the collection, use, or disclosure of personal information. For consent to be meaningful, the purposes for which the information may be used must be disclosed so that the individual can reasonably understand the use of their information.

  • Limiting collection. The collection of personal information must be limited to that which is necessary for the purposes disclosed by the organisation. Collection must be through fair and lawful means.

  • Limiting use, disclosure and retention. Personal information cannot be used or disclosed for a purpose other than that for which it was collected, without consent, unless required by law. Personal information can be retained only as long as necessary for the disclosed purpose.

  • Accuracy. Organisations must keep personal information accurate, complete and up-to-date as necessary for the purposes for which it will be used.

  • Safeguards. Personal information must be protected by safeguards appropriate to its sensitivity. These safeguards are to include physical, organisational and technological measures.

  • Openness. Organisations must make their policies and practices regarding personal information available to individuals. This information must include contact information for the person accountable for compliance.

  • Individual access. On request, individuals must be informed of the existence, use and disclosure of their personal information, and must be granted access to it. Narrow exceptions to individual access exist, such as information that includes the personal information of another individual or material subject to solicitor-client privilege. Individuals can correct their personal information.

  • Challenging compliance. Organisations must have policies in place to receive and respond to complaints and challenges of their compliance with these principles. These policies must be made known on inquiry.

 
9. Is the consent of data subjects required before processing personal data?

Canadian privacy legislation requires the informed consent of the individual to the collection, use or disclosure of their personal information.

Form and content of consent

PIPEDA recognises both express and implied consent, the use of which depends on the sensitivity of information and the circumstances surrounding its collection and use.

Express consent. This is required for the collection, use or disclosure of sensitive personal information. PIPEDA does not provide a prescribed form for express consent. However, the individual must be informed of the purposes for which their information will be used.

See Question 19 for prescribed disclosure when seeking express consent to send commercial electronic messages.

Implied consent. This may be appropriate where the personal information is not particularly sensitive and where it is reasonable to infer consent from an individual's actions or inaction. For example, principle 4.3.5 of Schedule 1 to PIPEDA states that a subscriber to a magazine would reasonably expect the publisher to use their address to solicit a renewal.

The federal Privacy Commissioner has recently provided guidelines on implied consent through an opt-out mechanism in the context of online behavioural advertising. The Commissioner indicated that opt-out consent may be acceptable where all of the following apply:

  • Individuals are made aware of the organisation's purposes in a clear and understandable manner at or before the collection of their information.

  • Individuals are provided with an easy to use opt-out mechanism that is immediate and persistent.

  • The collection is limited to non-sensitive information.

  • The information is destroyed or de-identified as soon as possible.

Minors

PIPEDA and the provincial privacy laws differ in their treatment of minors:

  • Under PIPEDA, consent from a minor is neither expressly prohibited nor deemed sufficient. However, consent can also be provided by an authorised representative such as a legal guardian (Principle 4.3.6 of Schedule 1 to PIPEDA). Further, a note to PIPEDA indicates that in some cases it is impossible or inappropriate to seek the consent of a minor. Therefore, it is often preferable to seek consent from a parent or legal guardian.

  • The ABPIPA provides that minors are able to exercise their legal rights under the Act if they are able to understand their nature and consequences. If not, a legal guardian can do so on their behalf. Similarly, the BCPIPA provides that a guardian can exercise the rights of a minor who is incapable of doing so on their own.

 
10. If consent is not given, on what other grounds (if any) can processing be justified?

Consent will not be required if an organisation is able to establish that its collection, use or disclosure of personal information is subject to an exemption (see Question 6). Other, situation-specific exceptions may exist, depending on the particular Canadian legislation that applies.

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Sensitive personal data includes health and financial information, and is subject to more stringent legal requirements, such as the following:

  • Security measures must be appropriate for the sensitivity of the information.

  • It is essential to be able to demonstrate that the data subject has provided informed consent to the use of their sensitive information. Therefore, it is typically necessary to obtain clear express consent to the collection, use or disclosure of sensitive information.

  • An organisation must take additional precautions to ensure that its collection, use and disclosure of sensitive information is:

    • reasonable in the circumstances; and

    • limited to that which is necessary to achieve the purposes disclosed to the individual.

The classification of personal information as sensitive may depend on the context. For example, a list of the subscribers to a general interest magazine is not likely to be sensitive; however, a similar list of the patients of a medical specialist would be. Some classes of personal information, such as health or financial information would be sensitive in almost any context.

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

Informed consent is required for the collection, use and disclosure of personal information. Therefore, individuals must be informed of:

  • Exactly what information is collected.

  • The precise purposes for which information is collected, used and/or disclosed. (It is generally not permissible to use information for purposes not disclosed to the data subject at the time of collection, unless further consent is obtained, so organisations should carefully consider the purposes they disclose at the point of collection to ensure legal compliance and allow for specified, anticipated future uses of the information. Overly broad consent language that does not adequately inform the individual of the organisation's actual purposes may be deemed invalid. Disclosure in a lengthy privacy policy document alone may not be sufficient to inform an individual. This is particularly true where the information concerned is highly sensitive.)

  • Information regarding privacy practices, along with the name or title and contact information of a person able to answer the individual's questions about the collection (Principle 4.8.2, Schedule 1 to PIPEDA; see also s.10, BCPIPA and s.13, ABPIPA). This contact information is often provided in a privacy policy.

Products and services cannot be offered on condition that the customer consents to the use of their personal information beyond the use necessary to supply the product or service (Principle 4.3.3, Schedule 1 to PIPEDA; see also s.7(2), BCPIPA and ABPIPA).

In 2013, additional disclosure requirements are expected to come into force for consent to send electronic messages. See Question 19.

 
13. What other specific rights are granted to data subjects?

Requesting access

Individuals have the right to request access to their personal information. While the precise access requirements vary depending on the applicable legislation, organisations must usually respond to a request within either 30 or 45 calendar days.

Québec prohibits charging a fee for access itself, but permits a minimal fee for the transcription, reproduction or transmission of the personal information, provided the organisation informs the individual of that fee in advance. British Columbia and Alberta permit minimal, reasonable fees provided the information is not employee personal information, and the applicant is provided with a written estimate of the fee. PIPEDA requires the organisation to respond to an access request at "minimal or no cost to the individual". If there is a cost to the individual, PIPEDA requires the individual to be informed of the approximate cost.

Organisations can refuse access to personal information only in certain circumstances, set out by law, which usually include where:

  • Information is inseparable from the personal information of other individuals.

  • Information is subject to solicitor-client privilege.

  • Disclosure would reveal confidential commercial information.

Withdrawal of consent

Individuals can subsequently withdraw their consent to the collection, use or disclosure of their personal information, but:

  • An individual is not able to withdraw their consent to avoid their legal obligations.

  • Consent is not required in some cases (see Question 6).

Organisations must usually inform data subjects of the consequences of withdrawing consent.

Other

Additionally, individuals have the rights to:

  • Be informed of the purposes for which data is being collected, used and disclosed.

  • Complain to the Privacy Commissioner if their rights are not respected.

  • Request the correction of incomplete, inaccurate or out-of-date data.

 
14. Do data subjects have a right to request the deletion of their data?

PIPEDA does not expressly provide a right to require the deletion of personal information. However, principle 4.5 of Schedule 1 to PIPEDA provides that organisations shall retain personal information only as long as necessary for the fulfilment of the identified purposes, and must have policies in place regarding the destruction of personal information.

In some cases, organisations may be subject to statutory requirements to retain certain classes of information. It is essential for an organisation to be aware of any applicable sector-specific record keeping requirements.

 

Security requirements

15. What security requirements are imposed in relation to personal data?

Organisations must implement security safeguards to protect personal information from loss, theft, and unauthorised access, disclosure, copying, use or modification (Principle 4.7, Schedule 1 to PIPEDA; see also s.34, BCPIPA and ABPIPA, and s.10, QBPIPA). The nature and extent of these safeguards varies with the nature of the personal information in question, with more sensitive information requiring a greater level of security.

These protection mechanisms should include (Principle 4.7.3, Schedule 1 to PIPEDA):

  • Physical measures. These include locked or restricted-access storage locations.

  • Organisational measures. These include security clearances for employees, with personal information disclosed on a "need-to-know" basis.

  • Technological measures. These include encryption keys and passwords.

 
16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

Current law

Alberta is the only jurisdiction in Canada with a generally applicable mandatory data breach reporting requirement. (Other jurisdictions apply mandatory data breach reporting rules in the health information sector only.) When a data breach occurs, the organisation must notify the Privacy Commissioner if the breach presents a "real risk of significant harm" to the individual (s.34.1, ABPIPA). The Commissioner can then require the organisation to notify the affected individuals in a prescribed manner; the notification must include:

  • The date and circumstances of the breach.

  • Identifying the information affected by the breach.

  • Any steps the organisation has taken to reduce the risk of harm.

  • Contact information for a person who can answer questions regarding the breach on behalf of the organisation.

Proposed amendment

Amendments to PIPEDA (currently before Parliament) would create mandatory data breach reporting at the federal level. If adopted, the proposed legislation will require organisations to report "material" breaches of their security safeguards to the Privacy Commissioner. In determining whether a breach is material, the organisation will be required to consider:

  • The sensitivity of the information involved.

  • The number of individuals affected.

  • Whether the breach is indicative of a systemic problem.

In addition, the organisation will also be required to consider whether the breach represents a real risk of significant harm to the individual. Where it does, the breach must be reported to the individual.

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Consent

Personal information can only be transferred or disclosed for purposes that were disclosed to the individual at the time the information was collected. The federal Privacy Commissioner considers a "transfer" of personal information for processing to be a "use" of the personal information, rather than a disclosure of personal information. Separate consent for a transfer of information for processing is not required apart from the consent required for the actual "use" of the personal information. However, to comply with the principle of openness, organisations should disclose that personal information may be transferred to third party service providers. Consent from the individual is required for the "disclosure" of personal information to a third party.

Liability

Organisations remain accountable for personal information they transfer to a third party for processing. Therefore, organisations transferring information to third parties for processing must ensure that it will be adequately protected by the third party. PIPEDA expressly contemplates the use of contractual terms to ensure the provision of a comparable level of protection.

In entering an agreement with a third-party information processor, organisations must also ensure that they will remain able to meet their legal obligations with respect to the personal information. Therefore, transfer agreements must include, among other things:

  • A requirement to comply with the applicable privacy legislation.

  • A requirement to maintain adequate safeguards and inform the organisation of a breach of those safeguards.

If the agreement permits subcontracting, these obligations must also be placed on subcontractors.

Finally, it is advisable for the agreement to provide the organisation with a right to audit the information processor's privacy practices.

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

PIPEDA requires the knowledge and consent of the data subject for the collection, use or disclosure of their personal information (Principle 4.3, Schedule 1 to PIPEDA). PIPEDA is a law of general application that applies to personal information regardless of the technology used; therefore, wherever an electronic device such as a cookie, web beacon, or similar technology collects personal information about an individual, it will be subject to privacy legislation, including the requirement to obtain informed consent, and disclose the purposes for which personal information is collected, used or disclosed. For this reason, an organisation's privacy policy should accurately describe its use of cookies and equivalent electronic devices.

More specific legislation that will, in most cases, require express consent for the installation of a program onto a person's computer is expected to come into force in 2013.

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

New Canadian anti-spam legislation (CASL) is expected to come into force in Canada in early 2013. It will:

  • Bar sending commercial electronic messages to electronic addresses, unless the sender has the express or implied consent of the recipient.

  • Create a system that requires express, opt-in consent in most cases.

  • Limit implied consent to narrow classes of defined "existing business relationships" or "existing non-business relationships".

  • Apply to all commercial electronic messages accessed or sent from a computer system in Canada.

  • Place specific disclosure requirements on persons seeking consent to send commercial electronic messages and on the messages themselves. The required disclosure will include:

    • for requests for consent, the name or business name of the person seeking consent and, if different, on whose behalf consent is sought;

    • for electronic messages, the name or business name of the person sending the message and, if different, on whose behalf the message is sent;

    • if applicable, a statement indicating which person is seeking consent or sending the messages, and on whose behalf this is done;

    • the mailing address of either the person requesting consent or sending the message, or the person on whose behalf these are done; and

    • at least one of an e-mail address, telephone number or web address for either the person requesting consent or sending the message, or the person on whose behalf these are done.

  • Require commercial electronic messages to include an unsubscribe mechanism, in prescribed form.

  • Require unsubscribe requests to be given effect within ten business days.

  • Introduce high penalties for violations, including:

    • a maximum administrative fine of Can$10 million as determined by the Canadian Radio-television and Telecommunications Commission, but subject to appeal to the Federal Court of Appeal; and

  • a private right of action backed by statutory penalties of Can$200 per offence to a maximum of Can$1 million per day on which an offence occurred.

(As of 1 August 2012, US$1 was about Can$1.)

Due to the high potential penalties and stringent consent and disclosure requirements, organisations that send commercial electronic messages to Canadians should now be bringing their practices into compliance.

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

Accountability

Organisations remain accountable for information transferred to third parties for processing, including third parties outside Canada (Principle 4.1.3, Schedule 1 to PIPEDA). Therefore, before transferring data outside Canada, an organisation must ensure that it is able to meet its obligations under Canadian law by using contractual means to require the recipient to provide comparable protection for the information while it is being processed.

Notification

The privacy legislation of Alberta specifically requires individuals to be notified of the countries in which their personal information can be collected, used, disclosed, transferred or stored (ss.6(2) and 13.1, ABPIPA).

Similarly, the federal Privacy Commissioner has held that the principle of "openness" under Principle 9.8 of Schedule 1 to PIPEDA includes a requirement to inform data subjects if their information may be transferred to another jurisdiction for processing and, while in that jurisdiction, their information may be subject to lawful access requests by the authorities in that country.

Data transfer agreements

21. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

As described in Question 17, data transfer agreements are used to:

  • Provide adequate security for personal information.

  • Allow organisations to meet their privacy obligations.

However, the Privacy Commissioners have not approved precedents for these agreements.

 
22. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

Data transfer agreements should provide for compliance with the applicable privacy legislation by requiring the third party service provider to provide a comparable level of protection for the personal information. The Privacy Commissioner of Canada treats the transfer of personal information for processing as a "use" of the information, so no separate consent is required for the transfer for processing beyond the consent already obtained for the underlying use of the information. However, consent is required for a use, disclosure or sale of personal information (see Question 9). Furthermore, any use or disclosure of information must be for a reasonable purpose that the individual was informed of or consented to, unless a specific exception to the need for consent applies.

See also Question 20.

 
23. Does the relevant national regulator need to approve the data transfer agreement?

Data transfer agreements do not need approval from governmental regulatory authorities.

 

Enforcement and sanctions

24. What are the enforcement powers of the national regulator?

The federal Privacy Commissioner (currently Jennifer Stoddart) can:

  • Investigate complaints from individuals.

  • Initiate an investigation of her own volition where she has reason to believe that PIPEDA has been violated.

  • Exercise discretion to refuse to initiate an investigation:

    • where the complainant should first pursue other review procedures; or

    • if the complaint was not brought within a reasonable period.

  • Discontinue an investigation if:

    • it is found to be frivolous or vexatious; or

    • the organisation has already provided a fair and reasonable response.

In the course of an investigation, the Commissioner can:

  • Summon and compel witnesses to give testimony or produce records.

  • Enter premises (other than a dwelling house) on satisfying the security requirements of the organisation.

  • Converse with persons.

  • Obtain copies or extracts from records from the premises relevant to the investigation.

It is not necessary for evidence accepted by the Commissioner to be admissible in court (s.12.1(1)(c), PIPEDA).

On the conclusion of an investigation, the Commissioner may release a report that includes her findings and any recommendations. If the complainant is not satisfied with the report, the complainant can apply for a court hearing.

The Federal Court can:

  • Order the offending organisation to take corrective measures.

  • Order the organisation to publish a notice of the corrective measures taken.

  • Award damages to the complainant.

The provincial Privacy Commissioners generally have similar powers to the federal Privacy Commissioner. In particular, they can:

  • Receive complaints and begin an investigation.

  • Initiate an investigation of their own volition.

  • Issue rulings on an organisation's privacy practices following an investigation.

  • Order compliance with the applicable privacy legislation. (Provincial commissioners have a greater power in this regard than that of the federal Commissioner.)

 
25. What are the sanctions and remedies for non-compliance with data protection laws?

PIPEDA and the provincial privacy legislation are actively enforced in Canada.

Federal sanctions

A fine of up to Can$10,000 is available on summary conviction, with a fine of up to Can$100,000 available on indictment for any of the following (PIPEDA):

  • Violation of the provisions related to the retention of information subject to an access request.

  • Retaliating against an employee for:

    • co-operating with the commissioner;

    • refusing to violate PIPEDA; or

    • complying in good faith with the legislative requirements.

  • Obstructing the Commissioner in the investigation of a complaint or audit.

The Federal Court can order an organisation to:

  • Correct its practices.

  • Publish a corrective notice.

  • Pay damages to a complainant, including damages for "humiliation".

Provincial sanctions

Alberta. A contravention of the ABPIPA may result in a fine of up to Can$10,000 for an individual or up to Can$100,000 for an organisation (other than an individual).

British Columbia. A person or organisation that commits an offence under the BCPIPA is liable to a fine of up to Can$10,000 for an individual and up to Can$100,000 for an organisation (other than an individual).

Québec. Most violations of the QBPIPA are subject to a maximum fine of Can$10,000, doubling to Can$20,000 on a subsequent offence. A violation of the requirement to provide adequate protection for information transferred outside of Québec is subject to a fine of Can$50,000, doubling to Can$100,000 on a subsequent offence.

 

The regulatory authorities

Office of the Privacy Commissioner of Canada

W www.priv.gc.ca

Main areas of responsibility. The office's duties include:

  • Investigating complaints, conducting audits and pursuing court action under PIPEDA and the federal Privacy Act.

  • Publicly reporting on the personal information-handling practices of public and private sector organisations.

  • Providing advice, public information, and recommendations regarding the Acts.

Office of the Information and Privacy Commissioner for Alberta

W www.oipc.ab.ca

Main areas of responsibility. The office's duties include:

  • Conducting investigations, audits or enquiries to ensure compliance under the Personal Information Protection Act, the Freedom of Information and Protection of Privacy Act, and the Health Information Act.

  • Providing advice, public information and recommendations regarding the Acts.

Office of the Information and Privacy Commissioner for British Columbia

W www.oipc.bc.ca

Main areas of responsibility. The office's duties include:

  • Conducting investigations, audits or enquiries to ensure compliance under the Personal Information Protection Act, and the Freedom of Information and Protection of Privacy Act.

  • Providing advice, public information, and recommendations regarding the Acts.

Québec Access to Information Commission (Commission d'accès à l'information du Québec)

W www.cai.gouv.qc.ca

Main areas of responsibility. The Commission is responsible for:

  • The enforcement of QBPIPA, in relation to the granting of access to documents held by public bodies.

  • The protection of personal information under QBPIPA, in relation to the protection of personal information in the private sector.



Contributor details

Christopher Oates

Gowling Lafleur Henderson LLP

T +1 416 369 7333
F +1 416 862 7661
E chris.oates@gowlings.com
W www.gowlings.com

Qualified. Ontario, Canada, 2010

Areas of practice. Privacy and information law; advertising and marketing law; electronic commerce; electronic marketing; regulatory affairs, including packaging and labelling.

Recent transactions

  • Advising on privacy and data protection in consumer directed marketing including drafting privacy policies and terms of use.
  • Advising on trans-border transfers of personal information.
  • Reviewing and drafting policies for direct to consumer marketing, including social media campaigns.
  • Drafting terms of use for electronic commerce websites.
  • Advising on Canada's new anti-spam legislation.
  • Advising on packaging requirements for food, drug and cosmetic products.
  • Contest design and review.
