Shibley Righton LLP

 

What law(s) specifically govern personal data / information?

The private-sector privacy statutes in force in Canada (other than health privacy statutes) are:

  • Personal Information Protection and Electronic Documents Act (Canada), SC 2000, c 5 ("PIPEDA");
  • Personal Information Protection Act (Alberta), SA 2003, c P-6.5;
  • Personal Information Protection Act (British Columbia), SBC 2003, c 63; and
  • Act respecting the protection of personal information in the private sector (Québec), CQLR c P-39.1 (collectively, the "Canadian Privacy Laws").

PIPEDA applies to commercial activity in the provinces not listed above and in the territories, as well as to inter-provincial and international commercial activity.

PIPEDA also applies to all federally regulated undertakings (such as banks and telecommunications service providers) regardless of their province of operation.

 

What are the key data protection principles in this jurisdiction?

The Canadian Privacy Laws apply the following key principles to personal data protection:

  • Accountability. Organizations are responsible for personal information under their control, including information transferred to a third party for processing.
  • Identifying Purposes. Organizations must identify the purposes for which personal information is collected at or before the time of collection.
  • Consent. Organizations must obtain the knowledge and consent of the individual for the collection, use and disclosure of personal information, subject to limited exceptions. For consent to be valid, the individual must reasonably be expected to understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.
  • Limiting Collection. Collection must be limited to the personal information necessary for the identified purposes and must be carried out by fair and lawful means.
  • Limiting Use, Disclosure and Retention. Organizations may not use or disclose personal information for purposes other than those for which it was collected, except with the individual's consent or as required by law, and may not retain it longer than necessary to fulfil those purposes. Under PIPEDA, an organization may in any case collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
  • Accuracy. Personal information must be as accurate, complete and up to date as is necessary for the purposes for which it is to be used.
  • Safeguarding. Organizations must protect personal information with physical, organizational and technological safeguards appropriate to its sensitivity, against loss or theft and against unauthorized access, disclosure, copying, use or modification.
  • Openness. Organizations must make specific information about their personal information policies and practices readily available to individuals.
  • Individual Access. On request, organizations must inform an individual of the existence, use and disclosure of their personal information and give the individual access to it, and must allow the individual to challenge its accuracy and completeness and have it amended as appropriate.
  • Challenging Compliance. Individuals must be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

 

What is the supervisory authority / regulator in charge of data protection?

Each Canadian jurisdiction has an independent privacy commissioner (in Québec, the Commission d'accès à l'information) that oversees its data protection laws. For example, the Office of the Privacy Commissioner of Canada ("PCC") oversees Canada's federal private-sector and public-sector privacy laws (PIPEDA and the Privacy Act).

 

Is there a requirement to register with a supervisory authority / regulator?

Generally, Canadian Privacy Laws do not require organizations to register with privacy commissioners in Canada. Very limited exceptions apply. For example, persons in Québec who, on a commercial basis, prepare and communicate credit reports on individuals ("personal information agents") must register with the Commission d'accès à l'information and pay the prescribed fee.

 

Is there a requirement to notify the supervisory authority / regulator?

Generally, Canadian Privacy Laws do not require organizations to notify privacy commissioners before processing personal information or transferring it. Very limited exceptions apply. For example, an organization that wishes to use or disclose personal information without consent for statistical or scholarly study or research under PIPEDA must inform the PCC before doing so.

 

Is it possible to register with / notify the supervisory authority / regulator online?

N/A.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Under Canadian Privacy Laws, individuals have the following key rights:

  • Right of access to personal information.
  • Right to rectify personal information errors.
  • Right to withdraw consent to the collection, use and disclosure of personal information at any time. In jurisdictions other than Québec, this right is subject to legal or contractual restrictions and to reasonable notice.
  • Right to complain to the organization's designated individual who is responsible for privacy, and to the relevant data protection authority.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Most Canadian Privacy Laws require organizations to appoint an individual who is accountable for ensuring compliance with the organization's data protection obligations.

 

Do data protection / privacy impact assessments need to be carried out in certain circumstances?

Generally, Canadian Privacy Laws do not require data protection impact assessments. Québec's private-sector privacy law is the exception: it requires a privacy impact assessment for any project to acquire, develop or overhaul an information system or electronic service delivery system that involves personal information, and an assessment of the privacy-related risks before personal information is communicated outside Québec. Canadian public-sector privacy laws require privacy impact assessments in a number of circumstances.

 

Does this jurisdiction have any specific data breach notification requirements?

PIPEDA requires an organization that experiences a breach of security safeguards involving personal information under its control to report the breach to the PCC and to notify affected individuals, and any other organization or government institution that may be able to reduce or mitigate the risk of harm, where it is reasonable to believe the breach creates a "real risk of significant harm" to an individual. Notice must be given as soon as feasible after the organization determines that a breach has occurred, and the organization must keep a record of every breach of security safeguards, whether or not it meets the reporting threshold, for 24 months. The private-sector privacy laws in force in Alberta and Québec have similar notice requirements; Alberta's threshold is also a "real risk of significant harm", while Québec's is a "risk of serious injury". Most health information protection statutes in force in Canada's provinces also contain breach notification requirements.

 

What restrictions apply to the international transfer of personal data / information?

In general, Canadian Privacy Laws do not prohibit the transfer of personal information to third-party processors outside Canada, provided the transferring organization uses contractual or other means to require the processor to provide a comparable level of protection while the information is in the foreign jurisdiction. The PCC has held that affected individuals must be notified that their information may be transferred outside Canada; Alberta's private-sector privacy law expressly requires such notice. Québec's private-sector privacy law requires an organization to complete a privacy impact assessment (taking into account, among other things, the legal framework of the receiving jurisdiction) before communicating personal information outside Québec, to proceed only if the assessment establishes that the information will receive adequate protection, and to record the transfer in a written agreement that takes the assessment into account. Additional restrictions on foreign transfers apply under the public-sector privacy legislation in British Columbia and Nova Scotia.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

The Federal Court of Canada has held that PIPEDA applies to an organization outside Canada where there is a "real and substantial connection" between Canada and that organization's activities (Lawson v Accusearch Inc, 2007 FC 125).

 

What rules specifically deal with marketing?

An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23 ("CASL") and its related regulations apply to commercial electronic messages (including promotional email and SMS text messages) sent to or from Canada. The Competition Act, RSC 1985, c C-34 prohibits misleading advertising, and the Canadian Radio-television and Telecommunications Commission's ("CRTC's") Unsolicited Telecommunications Rules established under Telecom Decision CRTC 2007-48 apply to telemarketing. Canadian Privacy Laws and a number of consumer protection laws and regulations also apply.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

CASL treats business-to-business and business-to-consumer commercial electronic messages differently. For example, CASL's requirements for commercial electronic messages (consent, sender identification and an unsubscribe mechanism) do not apply to a message sent by an employee, representative or contractor of an organization to another employee, representative or contractor of the same organization where the message concerns the activities of that organization, or to a message sent between organizations that have a relationship where the message concerns the activities of the organization to which it is sent.

Business-to-consumer marketing is subject to the various consumer protection laws and regulations in force in Canada.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

CASL and its related regulations specifically apply to commercial electronic messages (including email, SMS and messages sent to instant-messaging or social-media accounts) sent to or from Canada. Subject to exceptions, the sender must have the recipient's express or implied consent, must identify itself and provide contact information in the message, and must include a functioning unsubscribe mechanism. Certain provincial consumer protection laws and regulations also specifically deal with electronic marketing. The CRTC's Unsolicited Telecommunications Rules established under Telecom Decision CRTC 2007-48, including the National Do Not Call List Rules, apply to telemarketing.

 

What rules specifically deal with cookies?

Canadian Privacy Laws do not contain rules that apply specifically to cookies. Where cookies or similar technologies are used to collect personal information, however, the general requirements of the Canadian Privacy Laws (including meaningful consent and openness about the purposes of collection) apply.

 

What are the consequences of non compliance with data protections laws (including marketing laws)?

A person who contravenes certain limited provisions of PIPEDA (such as the breach reporting, notification and record-keeping obligations, or by obstructing the PCC) is guilty of an offence and liable to a fine of up to $10,000 on summary conviction or up to $100,000 on indictment. Comparable maximum fines apply under Alberta's and British Columbia's private-sector privacy laws.

In Québec, contravention of the private-sector privacy law may result in administrative monetary penalties of up to CAD $10,000,000 or 2% of the offending party's worldwide turnover for the preceding fiscal year, whichever is greater, and, on conviction for a penal offence, fines of up to CAD $25,000,000 or 4% of worldwide turnover for the preceding fiscal year, whichever is greater.

More generally, the PCC may investigate PIPEDA non-compliance and issue reports of findings and recommendations. The reports are not binding, but the PCC may make them public, and once a report has been issued the complainant (or the PCC) may apply to the Federal Court, which has broad remedial powers to award damages to the complainant and to order the organization to correct its practices. The private-sector privacy statutes in Alberta and British Columbia have similar provisions. Québec's private-sector privacy statute permits individuals to apply directly to the civil courts for damages for injury resulting from a breach of the law, and provides for punitive damages of not less than $1,000 where the breach is intentional or results from gross fault.

The privacy commissioners responsible for enforcing Canada's provincial private-sector privacy laws are able to conduct inquiries and issue enforceable orders.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

PIPEDA has extra-territorial reach to organizations in other jurisdictions where there is a "real and substantial connection" between the organizations' activities and Canada. In addition, CASL covers commercial electronic messages accessed from a computer system in Canada, even if they were sent from outside Canada. Canadian privacy and anti-spam laws are changing, and contraventions can attract significant penalties.

 

What upcoming data protection developments should multinational organisations be aware of?

Bill C-27 has been tabled to enact the Consumer Privacy Protection Act ("CPPA"), the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. If enacted, the proposed CPPA would replace PIPEDA's private-sector data protection provisions, and the proposed Personal Information and Data Protection Tribunal Act would establish a tribunal to hear appeals from decisions of the PCC and to impose administrative monetary penalties on the PCC's recommendation. Bill C-27 is not yet law and may change during the legislative process.

 

Peter Murphy
Shibley Righton LLP
Canada


Bill L. Northcote
Shibley Righton LLP
Canada