Shibley Righton LLP
The following law(s) specifically govern personal data / information:
The private-sector privacy statutes in force in Canada (other than health privacy statutes) are:
- Personal Information Protection and Electronic Documents Act (Canada), SC 2000, c 5 ("PIPEDA");
- Personal Information Protection Act (Alberta), SA 2003, c P-6.5;
- Personal Information Protection Act (British Columbia), SBC 2003, c 63; and
- Act respecting the protection of personal information in the private sector, CQLR c P-39.1
(together, the "Canadian Privacy Laws").
PIPEDA applies in Canada's provinces that are not listed above and in its territories, as well as to inter-provincial and international commercial activities.
PIPEDA also applies to all federally regulated undertakings (such as banks and telecommunications service providers) regardless of their province of operation.
The key data protection principles in this jurisdiction are:
The Canadian Privacy Laws apply the following key principles to personal data protection:
- Accountability. Organizations are responsible for protecting personal information under their control.
- Consent. Organizations must obtain consent for the collection, use and disclosure of personal information, subject to limited exceptions.
- Identifying Purposes. In order for consent to be valid, the affected individuals must be reasonably expected to understand the nature, purpose and consequences of the collection, use and disclosure of the subject information.
- Limiting Collection. Generally, organizations are required to identify the purposes for which personal information is collected during, or before, its collection.
- Limiting Use, Disclosure and Retention. Organizations may not use or disclose personal information for purposes other than for which it was collected or for purposes that a reasonable person would not consider appropriate in the circumstances, and may not retain the information longer than is necessary for those purposes.
- Accuracy. Organizations must ensure the personal information in their control is accurate, complete and up to date.
- Safeguarding. Generally, organizations must implement reasonable technical, physical and administrative measures to protect personal information in their control against loss or unauthorized access, disclosure, copying, use, modification or destruction.
- Openness. Organizations must make their personal information policies and practices readily available to individuals.
- Individual Access. Organizations must give individuals access to their personal information on request.
- Challenging Compliance. Organizations must enable individuals to raise challenges concerning non-compliance with the above principles with the designated individual or individuals accountable for the organization's compliance.
The supervisory authority / regulator in charge of data protection is:
Each jurisdiction in Canada has its own independent privacy commissioner who oversees its data protection laws. For example, the Office of the Privacy Commissioner of Canada ("PCC") oversees Canada's federal private-sector and federal public-sector privacy laws.
Is there a requirement to register with a supervisory authority / regulator?
Generally, Canadian Privacy Laws do not require organizations to register with privacy commissioners in Canada. Very limited exceptions apply. For example, persons in Quebec who prepare and communicate credit reports must register with Quebec's privacy commission and pay a prescribed fee.
Is there a requirement to notify the supervisory authority / regulator?
Generally, Canadian Privacy Laws do not require organizations to notify privacy commissioners before information processing or data transfers are carried out. Very limited exceptions apply. For example, organizations that wish to use or disclose personal information without consent for statistical or scholarly research must give advance notice to the PCC.
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
Under Canadian Privacy Laws, individuals have the following key rights:
- Right of access to personal information.
- Right to rectify personal information errors.
- Right to withdraw consent to the collection, use and disclosure of personal information, subject to legal, contractual and notice restrictions.
- Right to complain to the organization's designated individual who is responsible for privacy, and to the relevant data protection authority.
Is there a requirement to appoint a data protection officer (or equivalent)?
Most Canadian Privacy Laws require organizations to appoint an individual who is accountable for ensuring compliance with the organization's data protection obligations.
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
Generally, Canadian Privacy Laws do not require data protection impact assessments. As discussed under international transfers below, Québec's private-sector privacy law requires organizations to consider the potential risks involved in transferring personal information outside of Québec. Canadian public-sector privacy laws require privacy impact assessments in a number of circumstances.
Does this jurisdiction have any specific data breach notification requirements?
PIPEDA requires organizations that experience a data breach to report the incident to the PCC and to notify affected individuals and any other organizations or governments that may reduce the risk of harm, where it is reasonable to believe the breach creates a "real risk of significant harm to the individual". The notice must be given as soon as feasible after the organization determines that a breach has occurred. Alberta's private sector privacy law has a similar notice requirement. Most health information protection statutes in force in Canada's provinces also contain breach notification requirements.
The following restrictions apply to the international transfer of personal data / information:
In general, Canadian Privacy Laws do not restrict the transfer of personal data to third-party processors outside of Canada, provided the transferor uses contractual or other means to require the processor to afford the information a comparable level of protection in the foreign jurisdiction. The PCC has held that notice must be given to the affected individuals of the transfer – this is also a requirement of Alberta's private-sector privacy law. Québec's private-sector privacy law requires organizations to consider the potential risks involved in transferring personal information outside of Québec, and to refrain from the transfer if the information will not receive adequate protection. Additional restrictions on foreign transfers apply under the public sector privacy legislation in British Columbia and Nova Scotia.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The Federal Court of Canada has held that PIPEDA applies to organizations outside of Canada if there is a real and substantial connection between Canada and that organization's activities.
The following rules specifically deal with marketing:
An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23 ("CASL") and related regulations apply to promotional email and SMS text messages in Canada. The Competition Act, RSC 1985, c C-34 prohibits misleading advertising, and the Canadian Radio-television and Telecommunications Commission's ("CRTC's") Unsolicited Telecommunications Rules established under Telecom Decision CRTC 2007-48 apply to telemarketing. Canadian Privacy Laws and a number of consumer protection laws and regulations also apply.
Do different rules apply to business-to-business and business-to-consumer marketing?
CASL applies to business-to-business and business-to-consumer electronic promotional messages in different ways – for example, CASL's consent requirements do not apply to commercial electronic messages sent by an organization to an organization where the message concerns the activities of the organization, or where the organizations have a relationship and the messages concern the activities of the organization to which they are sent.
Business-to-consumer marketing is subject to the various consumer protection laws and regulations in force in Canada.
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
CASL and its related regulations specifically apply to promotional electronic messages in Canada. Certain provincial consumer protection laws and regulations also specifically deal with electronic marketing. The CRTC's Unsolicited Telecommunications Rules established under Telecom Decision CRTC 2007-48 apply to telemarketing.
The following rules specifically deal with cookies:
Canadian Privacy Laws do not have rules that specifically apply to cookies. However, cookies are subject to the general requirements of Canadian Privacy Laws where they involve the collection of personal information.
The consequences of non-compliance with data protection laws (including marketing laws) are:
Any person who contravenes certain limited statutory provisions in PIPEDA is liable to a fine of $10,000 for an offence punishable on summary conviction or $100,000 for an indictable offence. Fines in this amount or less may be issued under provincial private-sector privacy laws.
More generally, the PCC may investigate PIPEDA non-compliance and issue reports of findings and recommendations for compliance. While the reports are non-binding, they may be made public by the PCC. The complaint may then be brought before the Federal Court, which has broad remedial powers to award damages to the complainant and to order the organization to correct its practices.
The Privacy Commissioners responsible for enforcement of Canada's provincial private-sector privacy laws are able to conduct inquiries and issue enforceable orders.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
PIPEDA has extra-territorial reach to organizations in other jurisdictions if there is a “real and substantial connection” between the organisations' activities and Canada. In addition, CASL covers all commercial electronic messages sent to Canadian recipients, even if the messages were sent from outside of Canada. Applicable Canadian laws are constantly changing and contravention of them may result in severe penalties.
Multinational organisations should be aware of the following upcoming data protection developments:
Bill C-11 has been tabled to enact the Consumer Privacy Protection Act (CPPA), replacing PIPEDA's data protection provisions, and to enact the Personal Information and Data Protection Tribunal Act, which would establish a data protection tribunal to hear recommendations of, and appeals from decisions of, the PCC. Bill C-11 is not yet law and may change during the legislative process.