Shibley Righton LLP


What law(s) specifically govern personal data / information?

The private-sector privacy statutes in force in Canada (other than health privacy statutes) are:

  • Personal Information Protection and Electronic Documents Act (Canada), SC 2000, c 5 ('PIPEDA');
  • Personal Information Protection Act (Alberta), SA 2003, c P-6.5;
  • Personal Information Protection Act (British Columbia), SBC 2003, c 63; and
  • Act respecting the protection of personal information in the private sector (Quebec), CQLR c P-39.1.

(Collectively, “Canadian Privacy Laws”)

PIPEDA applies in Canada's provinces that are not listed above and in its territories, as well as to inter-provincial and international commercial activities.

PIPEDA also applies to all federally regulated undertakings (such as banks and telecommunications service providers) regardless of their province of operation.


What are the key data protection principles in this jurisdiction?

The Canadian Privacy Laws apply the following key principles to personal data protection:

  • Accountability. Organizations are responsible for protecting personal information under their control.
  • Consent. Organizations must obtain consent for the collection, use and disclosure of personal information, subject to limited exceptions.
  • Identifying Purposes. In order for consent to be valid, the affected individuals must be reasonably expected to understand the nature, purpose and consequences of the collection, use and disclosure of the subject information.
  • Limiting Collection. Generally, organizations are required to identify the purposes for which personal information is collected during, or before, its collection.
  • Limiting Use, Disclosure and Retention. Organizations may not use or disclose personal information for purposes other than for which it was collected or for purposes that a reasonable person would not consider appropriate in the circumstances, and may not retain the information longer than is necessary for those purposes.
  • Accuracy. Organizations must ensure the personal information in their control is accurate, complete and up to date.
  • Safeguarding. Generally, organizations must implement reasonable technical, physical and administrative measures to protect personal information in their control against loss or unauthorized access, disclosure, copying, use, modification or destruction.
  • Openness. Organizations must make their personal information policies and practices readily available to individuals.
  • Individual Access. Organizations must give individuals access to their personal information on request and correct or amend information in cases where accuracy and completeness are deficient.
  • Challenging Compliance. Organizations must enable individuals to address challenges concerning non-compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.


What is the supervisory authority / regulator in charge of data protection?

Each jurisdiction in Canada has its own independent privacy commissioner who oversees its data protection laws. For example, the Office of the Privacy Commissioner of Canada ('PCC') oversees Canada's federal private-sector and federal public-sector privacy laws.


Is there a requirement to register with a supervisory authority / regulator?

Generally, Canadian Privacy Laws do not require organizations to register with privacy commissioners in Canada. Very limited exceptions apply. For example, persons in Quebec who prepare and communicate credit reports must register with Quebec's privacy commission and pay a prescribed fee.


Is there a requirement to notify the supervisory authority / regulator?

Generally, Canadian Privacy Laws do not require organizations to notify privacy commissioners before information processing or data transfers are carried out. Very limited exceptions apply. For example, organizations that wish to use or disclose personal information without consent for statistical or scholarly research must give advance notice to the PCC.


Is it possible to register with / notify the supervisory authority / regulator online?

N/A


What are the key data subject rights under the data protection laws of this jurisdiction?

Under Canadian Privacy Laws, individuals have the following key rights:

  • Right of access to personal information.
  • Right to rectify personal information errors.
  • Right to withdraw consent to the collection, use and disclosure of personal information. In jurisdictions other than Quebec, this right is subject to legal, contractual and notice restrictions.
  • Right to complain to the organization's designated individual who is responsible for privacy, and to the relevant data protection authority.
  • Right to data portability (in Quebec only, effective September 22, 2024).


Is there a requirement to appoint a data protection officer (or equivalent)?

Most Canadian Privacy Laws require organizations to appoint an individual who is accountable for ensuring compliance with the organization's data protection obligations. Under Québec’s current privacy law framework, the person with the highest authority in the organization is automatically appointed as the privacy officer unless this responsibility is assigned to another designated officer.


Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Generally, Canadian Privacy Laws do not require data protection impact assessments. Québec's private-sector privacy law requires organizations to conduct a privacy impact assessment that considers the potential risks involved before transferring personal information outside of Québec or to a service provider that will be responsible for storing or processing the data. Québec also requires organizations to conduct an impact assessment when acquiring, developing, or significantly modifying an information system or electronic service delivery platform. Canadian public-sector privacy laws also require privacy impact assessments in a number of circumstances.


Does this jurisdiction have any specific data breach notification requirements?

PIPEDA requires organizations that experience a data breach to report the incident to the PCC and to notify affected individuals and any other organizations or governments that may reduce the risk of harm, where it is reasonable to believe the breach creates a 'real risk of significant harm to the individual'. The notice must be given as soon as feasible after the organization determines that a breach has occurred and organizations must keep records of all breaches. The private sector privacy laws in force in Alberta and Québec have similar notice requirements. Most health information protection statutes in force in Canada's provinces also contain breach notification requirements.


What restrictions apply to the international transfer of personal data / information?

In general, Canadian Privacy Laws do not restrict the transfer of personal data to third-party processors outside of Canada, provided the transferor uses contractual or other means to require the processor to afford the information a comparable level of protection in the foreign jurisdiction. The PCC has held that notice must be given to the affected individuals of the transfer – this is also a requirement of Alberta's private-sector privacy law. Québec's private-sector privacy law requires organizations to complete a privacy impact assessment that considers the potential risks involved before transferring personal information outside of Québec, and to refrain from the transfer if the information will not receive adequate protection. Additional restrictions on foreign transfers apply under the public sector privacy legislation in British Columbia and Nova Scotia.


Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

The Federal Court of Canada has held that PIPEDA applies to organizations outside of Canada if there is a real and substantial connection between Canada and that organization's activities.


What rules specifically deal with marketing?

An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23 (CASL) and related regulations apply to promotional email and SMS text messages in Canada. The Competition Act, RSC 1985, c C-34 prohibits misleading advertising, and the Canadian Radio-Television and Telecommunications Commission's (CRTC's) Unsolicited Telecommunications Rules established under Telecom Decision CRTC 2007-48 apply to telemarketing. Canadian Privacy Laws and a number of consumer protection laws and regulations also apply.


Do different rules apply to business-to-business and business-to-consumer marketing?

CASL applies to business-to-business and business-to-consumer electronic promotional messages in different ways – for example, CASL's consent requirements do not apply to commercial electronic messages sent by an organization to an organization where the message concerns the activities of the organization, or where the organizations have a relationship and the messages concern the activities of the organization to which they are sent.

Business-to-consumer marketing is subject to the various consumer protection laws and regulations in force in Canada.


What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

CASL and its related regulations specifically apply to promotional electronic messages in Canada. Certain provincial consumer protection laws and regulations also specifically deal with electronic marketing. The CRTC's Unsolicited Telecommunications Rules established under Telecom Decision CRTC 2007-48 apply to telemarketing.


What rules specifically deal with cookies?

In Québec, organizations that use tracking cookies must provide prior notice and obtain the individual's consent. Apart from Québec, Canadian Privacy Laws do not have rules that specifically apply to cookies. However, cookies are subject to the general requirements of Canadian Privacy Laws where they involve the collection of personal information.


What are the consequences of non-compliance with data protection laws (including marketing laws)?

Any person who contravenes certain limited statutory provisions in PIPEDA is liable to a fine of $10,000 (CDN) for an offence punishable on summary conviction or $100,000 (CDN) for an indictable offence. Fines in this amount or less may be issued under Alberta's and British Columbia's private-sector privacy laws.

In Québec, contravention of the private sector privacy law may result in administrative monetary penalties of up to $25,000,000 (CDN) or 4% of the worldwide turnover for the offending party's preceding fiscal year, whichever is greater.

More generally, the PCC may investigate PIPEDA non-compliance and issue reports of findings and recommendations for compliance. While the reports are non-binding, they may be made public by the PCC. Once a report has been issued, the complaint may be brought before the Federal Court, which has broad remedial powers to award damages to the complainant and to order the organization to correct its practices. The private sector privacy statutes in Alberta and British Columbia have similar provisions. Québec's private sector privacy statute permits individuals to apply directly to civil court to seek damages for loss or injury resulting from a breach of the law.

The Privacy Commissioners responsible for enforcement of Canada's provincial private-sector privacy laws are able to conduct inquiries and issue enforceable orders.


In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

PIPEDA has extra-territorial reach to organizations in other jurisdictions if there is a 'real and substantial connection' between the organizations’ activities and Canada. In addition, CASL covers all commercial electronic messages sent to Canadian recipients, even if the messages were sent from outside of Canada. Applicable Canadian laws are constantly changing and contravention of them may result in severe penalties.


What upcoming data protection developments should multinational organisations be aware of?

Bill C-27, introduced in June 2022, aimed to overhaul Canada’s privacy laws by enacting the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. The Bill was debated across two parliamentary sessions and advanced as far as the committee stage, yet it was never passed into law. On January 6, 2025, following a change in government, Parliament was prorogued and the Bill died on the Order Paper. If enacted, the Bill would have expanded data rights, increased accountability for organizations and implemented a tribunal system to manage complaints. To date, Bill C-27 has not been revived, and no new federal privacy or provincial legislation has been introduced as a replacement.

Peter Murphy
Shibley Righton LLP
Canada


Bill L. Northcote
Shibley Righton LLP
Canada