Canada has comprehensive federal privacy legislation that applies to the private sector. In addition, certain provinces have enacted both comprehensive and sector-specific private-sector privacy legislation.
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies generally to all collection, use or disclosure of personal information by organizations in the course of a commercial activity. “Personal information” is broadly defined in PIPEDA, and includes any “information about an identifiable individual,” whether or not that information is publicly available, with limited exceptions.
All organizations subject to PIPEDA must comply with a range of obligations when collecting, using, disclosing and otherwise handling personal information, summarized in the following 10 principles:
Accountability: Organizations must appoint an individual (or individuals) to be responsible for the organization’s compliance and to develop and implement personal information policies and procedures. Organizations are accountable for personal information transferred to third-party service providers (including affiliated companies) for processing on their behalf, and must use contractual or other means to protect personal information while being handled by those third parties.
Identifying Purposes: Organizations must identify the purposes for collecting personal information before or at the time of collection.
Consent: Knowledge and consent of the individual are required for collection, use and disclosure of personal information, with limited statutory exceptions. Consent cannot be made a condition for supplying a product or service unless use of the personal information is required to fill an explicitly specified and “legitimate” purpose. Individuals may withdraw their consent at any time, subject to contractual or statutory limitations.
Limiting Collection: Organizations are required to limit collection to the amount and type of information necessary for the identified purposes. Information must be collected by “fair and lawful means,” and cannot be collected indiscriminately.
Limiting Use, Disclosure and Retention: Personal information may not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or pursuant to certain limited statutory exceptions. Personal information is to be retained only as long as necessary for the fulfilment of those purposes.
Accuracy: Personal information must be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
Safeguards: Organizations must use appropriate security safeguards to protect personal information against loss or theft, and unauthorized access, disclosure, copying, use or modification, and must train staff on security and information protection, among other matters.
Openness: Privacy policies and practices of the organization must be open, understandable and easily available.
Individual Access: Organizations must give individuals access to their personal information upon request, subject to certain statutory limits and, in appropriate circumstances, individuals must be given an opportunity to correct their information.
Challenging Compliance: Organizations must have a simple and easily accessible complaint procedure.
In addition to the foregoing principles, compliance with PIPEDA is subject to an overriding reasonableness standard whereby organizations may only collect, use and disclose personal information for the purposes that a “reasonable person would consider are appropriate in the circumstances.” This reasonableness requirement applies even if the individual has consented to the collection, use or disclosure of their personal information.
In the context of personal information about employees of organizations, given the constitutional limits placed on federal legislation, PIPEDA applies only to the employment information of employees of federally regulated organizations such as banks, airlines and telecommunications companies. However, in the provinces that have enacted provincial privacy legislation, this legislation applies to employee information outside those sectors.
Quebec’s Act respecting the protection of personal information in the private sector (Quebec Privacy Act) is similar in principle to PIPEDA, but there are important differences in detail and more onerous compliance obligations, such as required privacy impact assessments. The Quebec Privacy Act applies to all private-sector organizations doing business in Quebec with respect to collection, use and disclosure of personal information (not just with respect to commercial activities) and to employee information. As of September 2023, the Quebec Privacy Act allows for the imposition of administrative monetary penalties for certain contraventions of the law. The penalty’s maximum amount is C$10-million or the amount corresponding to 2% of worldwide turnover for the preceding year, whichever is higher.
PIPEDA permits the federal Cabinet, by order, to exempt an organization or class of organizations or an activity or class of activities from its application if the collection, use or disclosure of personal information occurs within a province that has enacted legislation that is substantially similar. The Quebec Privacy Act and the PIPA legislation in Alberta and British Columbia have each been designated as substantially similar to PIPEDA. In addition, in Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador, the legislation governing the collection, use and disclosure of personal health information by certain designated entities (e.g., physicians, nurses, hospitals, etc.) has been designated as substantially similar to PIPEDA and therefore these entities are exempt from PIPEDA with respect to the activities covered by the provincial legislation. Given that many organizations operate in more than one province and inter-provincially, businesses are often required to deal with a “patchwork” of provincial and federal privacy legislation.
PIPEDA requires organizations to notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals of a breach of security safeguards involving personal information if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. Other organizations and government institutions must also be notified where appropriate to reduce or mitigate harm. Organizations are required to keep records of all breaches, including those that do not meet the threshold for reporting, and to provide the records to the OPC upon request.
The Alberta PIPA and Quebec Privacy Act also contain mandatory data breach notification requirements. Organizations subject to the Alberta PIPA must notify Alberta’s Information and Privacy Commissioner, without delay, of a loss of or unauthorized access to or disclosure of personal information if a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss, access or disclosure. The Commissioner can direct the organization to notify individuals of the loss, access or disclosure. Organizations are also able to notify individuals on their own initiative. As of September 2022, organizations subject to the Quebec Privacy Act must notify the Commission d’accès à l’information du Québec (CAI) and affected individuals of any “confidentiality incident” involving personal information presenting a serious risk of harm. Organizations subject to the Quebec Privacy Act must also keep a register of all confidentiality incidents, including those that do not meet the threshold for reporting, and provide the records to the CAI upon request.
In addition, the personal health information protection legislation in Alberta, Ontario, Newfoundland and Labrador, Nova Scotia, Yukon Territory, Northwest Territories, Prince Edward Island and New Brunswick also contains mandatory breach notification obligations.
Considerable attention has been given in Canada to cross-border transfers and outsourcing of Canadian personal information to foreign jurisdictions. PIPEDA and the related provincial legislation do not prohibit the transfer of personal information outside Canada. However, PIPEDA’s “openness” principle has been held by privacy regulators to require that notice of such transfers be provided to affected individuals.
In addition, the Alberta PIPA requires an organization that uses a service provider outside Canada to collect, use or disclose personal information to notify individuals as to how they can obtain information about the organization’s policies and practices with respect to the use of service providers outside Canada, including the name, position or title of a person who is able to answer questions on behalf of the organization.
Under the Quebec Privacy Act, as of September 2023, an organization may not communicate personal information outside Quebec unless it conducts a privacy impact assessment taking into account the sensitivity of the information, the purposes for which it is to be used, the protection measures that would apply, and the legal framework applicable in the State in which the information would be communicated. The information may be communicated if the assessment establishes that it would receive adequate protection, particularly in light of generally recognized principles regarding the protection of personal information. The communication of the information must be the subject of a written agreement taking into account, in particular, the results of the assessment and, if applicable, the terms agreed upon to mitigate the risks identified in the assessment. This requirement also applies where an enterprise shares personal information with a third-party service provider.
Somewhat different rules apply to personal information that is collected by federal, provincial or municipal public-sector organizations. This information is covered by federal, provincial and municipal legislation that limits the use and disclosure of such information to purposes related to a valid public purpose. In Nova Scotia, the Personal Information International Disclosure Protection Act prohibits storing and accessing personal information from locations outside Canada unless the individual consents or another exemption applies. This restriction applies to public-sector organizations as well as any service providers to public-sector organizations. As a result, private-sector organizations that provide services to government agencies or other public-sector organizations in Nova Scotia will be directly subject to restrictions on foreign storage of, and access to, personal information collected by public-sector organizations.
In addition, it is an offence under the public sector privacy legislation in British Columbia, Nova Scotia and Alberta to disclose personal information pursuant to foreign legal requirements (e.g., court orders, USA PATRIOT Act disclosure notices). Organizations that perform contracted services for federal public bodies should also be aware of federal government contracting guidelines that address privacy risks of contracting with foreign-based or foreign-affiliated service providers.