This article is written by Aristotle Gottumukkala, pursuing Diploma in International Data Protection and Privacy Laws from Lawsikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).
Data Protection Laws in Canada are unlike any other data laws in the world, as they are composed of a complex structure of 28 federal & provincial data privacy statutes. Canada has also enacted statutory torts, federal anti-spam legislation, criminal code and privacy requirements under various other legislations that specifically initiates protection to the sensitive/personal information of users in public, private and even in health sectors. Each statute differs from the other as the scope, objective, remedies and requirements vary, but the common point in all these statutes is to set out rules and mandates over the collection of data, usage of data, processing of data and disclosure of personal information. Canada is also known as the forefront runner in the field of data protection laws with the “Personal Information Protection and Electronic Documents Act (PIPEDA)” way back in the year 2000. The legislation was staged on the core principles of accountability, consent and limiting of collecting data from data subjects. Fast forward from 2000 to 2021, many countries, even the EU GDPR have adapted these core principles to enact some world-class data privacy laws.
List of data protection laws in Canada
The data protection laws are varied based on federal laws and provincial laws, they are;
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- The Consumer Privacy Protection Act
- The Personal Information and Data Protection Tribunal Act
- Electronic Documents Act
- The Digital Charter Implementation Act, 2020
- Personal Information Protection Act – British Columbia
- Personal Information Protection Act – Alberta
- Act Respecting the Protection of Information in the Private Sector – Quebec
- Freedom of Information and Protection of Privacy Act
- Municipal Freedom of Information and Protection of Privacy Act
- Personal Health Information Protection Act, 2004
Though the statutes differ, the basic principles of these data protection laws are purely based on accountability, consent, limiting collection, use, retention, disclosure and purpose of use, accuracy, openness, safeguards and compliance. Due to this, the Canadian data protection laws are called complex robust privacy compliance watchdogs.
Data protection authorities in Canada
- Office of the Privacy Commissioner– Receive reports of privacy breaches, monitoring and enforcing compliance with the data privacy laws.
- Competition Bureau of Canada– Independent law enforcement agency which ensures that businesses and their consumers prosper in a competitive marketplace.
- Data Protection Tribunal– Hear Appeals or orders issued by the Privacy Commissioner
Rights rendered to data subjects under Canadian Data Privacy Laws
- Right To Be Informed – All the laws in the Canadian private sector usually mandate the need for consent and transparency when collecting the data, except in rare circumstances where the consent is not required and in this case the organizations must be transparent and vocal about their practices and have the legal obligation upon them to communicate the same to its customers.
- Right To Access – Data subjects under applicable data privacy laws have the right to access their data. In order to access their data, they must apply for an access request according to that applicable statute subject to the prescribed time limit. Only if there are any enumerating circumstances, organizations can refuse this access request.
- Right To Rectification – This right has been exclusively prescribed under “PIPEDA”, where a data subject has managed to demonstrate any incompleteness of his/her personal information then the organization must amend the information as required. The amendment basically revolves around the nature of the information that has been challenged and that involves correction, addition and deletion of the personal information and also if appropriate, the information that has been amended may be transmitted to third parties who are having access to the personal information.
- Right To Erasure – At the moment, there is a lot of controversy regarding this right as it is unsettled whether this right exists or not and even the Office of the Privacy Commissioner asked the Federal Court in a case to clarify the same in this context.
- Right To Object/Opt-Out – The data subjects will be given the right to complain to organizations, to withdraw their consent for the reasons prescribed and also to file complaints before the Office of the Privacy Commissioner. Only under limited circumstances, the opt-out consents are permissible where non-sensitive information is involved.
- Right To Data Portability – Under the private sector privacy laws in Canada, there are no accurate rights rendered for data portability.
- Right Not To Be Subject To Automated Decision Making – Under the private sector privacy laws in Canada, there are no accurate rights rendered for automated decision making.
Scope of application
PIPEDA applies to the collection, use, and disclosure of personal information in the course of commercial activities in Canada. The provinces of Alberta, British Columbia, and Quebec have enacted private sector privacy laws of general application which are applicable to the collection, use, and disclosure of personal information within those provinces: AB PIPA, BC PIPA, and the Quebec Private Sector Act. Unlike PIPEDA, these statutes apply irrespective of whether an activity is commercial in nature, as well as applying to employee personal information. Questions frequently arise in respect of whether a provincial statute, or PIPEDA, or both, may apply to a given activity.
CASL regulates, among other things, the sending of commercial electronic messages such as promotional and marketing messages, to and from Canada, irrespective of whether the recipient is an individual or an organisation.
PIPEDA does not apply to the collection, use, or disclosure of personal information within the provinces of Alberta, British Columbia, or Quebec, unless:
- The organisation is a federal work, undertaking, or business as defined in PIPEDA, e.g. banks, telecommunications companies, etc.; or
- The personal information is disclosed outside of a province in the course of commercial activity.
PIPEDA also does not apply within certain provinces in respect of personal health information collected, used, or disclosed by health information custodians and other entities governed by certain provincial health laws.
PIPEDA is silent with respect to its extraterritorial application. However, the Federal Court of Canada (‘the Federal Court’) has found that PIPEDA will apply to businesses established in other jurisdictions if there is a ‘real and substantial connection’ between the organisation’s activities and Canada (see A.T. v. Globe24h.com, 2017 FC 114). For example, with respect to websites, relevant connecting factors include where promotional efforts are being targeted, the location of end-users, the source of the content on the website, the location of the website operator, and the location of the host server.
The breach notification and reporting requirements in AB PIPA have been applied where the personal information affected in a breach was about an individual located in Alberta.
PIPEDA applies to every organisation that collects, uses, or discloses personal information in the course of commercial activities. Commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists.
Many organisations may be subject to PIPEDA in respect of certain aspects of their operations, and the provincial laws in respect of other aspects. Although the requirements of PIPEDA and the provincial laws are substantially similar, there are a number of important differences which can arise in certain circumstances.
PIPEDA does not apply to:
- Personal information handled by federal government organisations listed under the Privacy Act, RSC 1985 c P-21 (‘the Privacy Act’);
- The collection, use, or disclosure of employee personal information, unless the organisation is a federal work, undertaking or business;
- An individual’s collection, use, or disclosure of personal information strictly for personal purposes; or
- An organization’s collection, use, or disclosure of personal information solely for journalistic purposes.
Certain provisions in Canadian data protection laws, such as safeguards and the appropriate form of consent, depending on whether the personal information in issue is considered sensitive (which generally will include matters such as health and financial information, among others). However, the data protection laws do not prescribe what information types are considered sensitive.
Different privacy rules apply in respect of personal health information in some cases, and for public sector entities in Canada. However, private sector service providers to the health sector and public sector need to be aware of such requirements as they often inform requirements imposed on such parties through contract.
CASL is an opt-in regime in respect of commercial electronic messages. It prohibits the sending of commercial electronic messages, unless express or implied consent, or an applicable exception, is applicable and prescribed requirements are met. Substantial monetary penalties and other consequences can flow from violations of CASL, including extended liability for directors and officers.
If an organization fails to comply with the privacy laws then monetary penalties and fines shall be imposed with up to 5% of the global revenue or 25 Million Dollars, whichever is higher, subject to most serious privacy offences. At the moment only the Personal Information Protection and Electronic Documents Act (PIPEDA), is authorized enough to impose fines and penalties for any breach of the Digital Privacy Act. The maximum fine for the breach is $100,000 per breach and in case of multiple breaches all the fines might add up.
With the inclusion of the 10 core principles such as accountability, consent, accuracy, safeguards, identifying purposes, limiting collection, limiting use, disclosure and retention, openness, individual access and challenging compliance, the privacy laws in Canada were enacted with a sole objective to protect the rights and interests of its citizens. Canada is continuing its journey in introducing, improving and amending privacy laws which are stated to be world-class standards and it is way ahead of the curve in the privacy laws.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: