In Canada, there are 28 federal, provincial, and territorial privacy statutes (excluding statutory torts, privacy requirements under other legislation, federal anti-spam legislation, criminal code provisions, etc.) that govern the protection of personal information in the private, public, and health sectors. Although each statute varies in scope, substantive requirements, remedies and enforcement provisions, they all set out a comprehensive regime for the collection, use, and disclosure of personal information.
On June 16, 2022, the federal Government introduced Bill C-27, a wide-reaching piece of legislation that is intended to modernize and strengthen privacy protection for Canadian consumers and provide clear rules for private-sector organizations. It is the second attempt to modernize federal private-sector privacy legislation after a previous proposal died on the order paper in 2021. If adopted, Bill C-27 will replace PIPEDA with legislation specific to consumer privacy rights (the Consumer Privacy Protection Act) and electronic documents (the Electronic Documents Act). Bill C-27 will also introduce the Artificial Intelligence and Data Act, which aims to create rules around the deployment of AI technologies.
PIPA BC, PIPA Alberta, and the Quebec Privacy Act apply to both consumer and employee personal information practices of organizations within BC, Alberta, and Quebec, respectively, that are not otherwise governed by PIPEDA.
Quebec recently enacted a major reform of its privacy legislation with the adoption of Bill 64. Bill 64 received Royal Assent on September 22, 2021. A first set of amendments came into force on September 22, 2022, with additional modifications set to come into force on September 22, 2023, and September 22, 2024. With Bill 64’s changes, Quebec now has a modern legal framework for privacy that resembles the European GDPR in several key areas.
There is no general registration requirement under Canadian Privacy Statutes.
All information about an identifiable individual (business contact information is expressly “carved out” of the definition of ‘personal information’ in some Canadian privacy statutes).
The Quebec Privacy Act, as modified, has broadened the definition of “personal information” to include any information that allows an individual to be identified indirectly as well as directly.
PIPEDA, PIPA Alberta, and PIPA BC expressly require organizations to appoint an individual responsible for compliance with the obligations under the respective statutes.
The contact information of the person responsible for protecting personal information must be published online on the organization’s website.
Privacy Statutes set out the overriding obligation that organizations only collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
All Canadian Privacy Statutes contain obligations on organizations to ensure personal information in their records is accurate and complete, particularly where the information is used to make a decision about the individual to whom the information relates or if the information is likely to be disclosed to another organization.
Each of the Canadian Privacy Statutes also provides individuals with the following:
A right of access to personal information held by an organization, subject to limited exceptions;
A right to correct inaccuracies in/update their personal information records; and
A right to withdraw consent to the use or communication of personal information.
In addition to these rights, the Quebec Privacy Act, as modified by Bill 64, will create a right for individuals to have their personal information deindexed (coming into force September 2023) and to data portability (coming into force September 2024).
Not specifically defined in Canadian Privacy Statutes, except for the Quebec Privacy Act.
The Quebec CAI defines “biometric information” as information measured from a person’s unique physical, behavioral or biological characteristics. Biometric information is, by definition, sensitive information.
When an organization transfers personal information to a third-party service provider (i.e., one that acts on behalf of the transferring organization; although Canadian legislation does not use these terms, the transferring organization would be the “controller” in GDPR parlance, and the service provider would be a “processor”), the transferring organization remains accountable for the protection of that personal information and for ensuring compliance with the applicable legislation, using contractual or other means. In particular, the transferring organization is responsible for ensuring (again, using contractual or other means) that the third-party service provider appropriately safeguards the data, and would also be required under the notice and openness/transparency provisions to reference the use of third-party service providers in and outside of Canada in its privacy policies and procedures.
Starting September 22, 2023, the Quebec Privacy Act, as modified by Bill 64, will require all organizations, before transferring personal information outside of the province of Quebec, to conduct data privacy assessments and enact appropriate contractual safeguards to ensure that the information will benefit from adequate protection in the jurisdiction of transfer. These assessments must take into account the sensitivity of the information, the purposes, the level of protection (contractual or otherwise), and the applicable privacy regime of the jurisdiction of transfer. Quebec has decided not to implement a system of adequacy decisions, and therefore assessments will likely be required prior to any cross-jurisdiction transfer.
PIPEDA, PIPA Alberta, and the Quebec Privacy Act are the only Canadian Privacy Statutes with breach notification requirements.
In Alberta, an organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result.
Electronic marketing is governed by both Canadian Privacy Statutes (as discussed above) and Canada’s Anti-Spam Legislation (CASL).
CASL contains potentially stiff penalties, including administrative penalties of up to CA$1 million per violation for individuals and CA$10 million for corporations (subject to a due diligence defense). CASL also sets forth a private right of action permitting individuals to bring a civil action for alleged violations of CASL (CA$200 for each contravention up to a maximum of CA$1 million each day for a violation of the provisions addressing unsolicited electronic messages). However, the private right of action is not yet in force, and there is currently little expectation that it will ever come into force.
Online privacy is governed by Canadian Privacy Statutes. In general, Canadian privacy regulatory authorities have been active in addressing online privacy concerns.
Bill 64 has introduced several changes to the Quebec Privacy Act that are likely to have significant impacts on online privacy. Starting September 22, 2023, organizations collecting personal information by offering a product or service with privacy parameters must ensure that the highest privacy settings are enabled by default. Additionally, organizations collecting personal information from persons using tracking, localization, or profiling technology will have an obligation to inform the person in advance of the use of such technologies and to inform the person of the method for activating such functions: the use of such technologies will be opt-in only. “Profiling” is broadly defined as the collection and use of personal information in order to evaluate certain characteristics of a person, such as workplace performance, economic or financial situation, health, personal preferences or interests, or behavior.
Privacy regulatory authorities have an obligation to investigate complaints, as well as the authority to initiate complaints.
A failure to comply with the Quebec Privacy Act’s requirements (as currently applicable) in respect of the collection, storage, communication, or use of personal information is liable to a fine of up to CA$10,000 and, for a subsequent offence, to a fine of up to CA$20,000. Anyone who hampers an inquiry or inspection by communicating false or inaccurate information or otherwise is liable to a fine of up to CA$10,000 and, for a subsequent offence, to a fine of up to CA$20,000.
Starting September 22, 2023, the new Quebec Privacy Act, as modified by Bill 64, will introduce much more severe penalties. The maximum penalties will range between CA$5,000 and CA$100,000 in the case of individuals, and for organizations between CA$15,000 and the greater of CA$25 million or 4% of worldwide turnover for the preceding fiscal year.
Office of the Privacy Commissioner of Canada (‘PIPEDA’)
Office of the Information and Privacy Commissioner of Alberta (‘PIPA Alberta’)
Office of the Information and Privacy Commissioner for British Columbia (‘PIPA BC’), and
Commission d’accès à l’information du Québec (the “CAI”) (‘Quebec Privacy Act’)