April 1, 2022
INFORMATION PROTECTION AND PRIVACY LEGISLATION IN CANADA
Jill Shore
April 2022
The laws applicable to information protection and privacy in Canada vary across the provinces and territories, and there is a combination of provincial and federal laws that apply. There are numerous different personal information protection, health information protection and privacy statutes in force across Canada, which can be subdivided into four main types:
(1) personal information protection laws applicable to private sector organizations;
(2) personal information protection laws applicable to government and public bodies;
(3) provincial personal health information laws; and
(4) provincial privacy laws.
Not all provinces and territories have enacted one of the four types of statutes. Additionally, each jurisdiction has drafted slightly different wordings for these statutes. As a result, a thorough review of all of them is required to fully understand Canada’s legal landscape applicable to information protection and privacy.
This paper briefly summarizes the Canadian information protection and privacy laws as they apply across the country.
I. The Application of Federal Laws within the Provinces and Territories:
The federal government has legislative power over personal information in the possession or control of federal government entities and over federally regulated entities (entities that are considered to be federal works, undertakings or businesses (“FWUB”)), located anywhere in Canada. Provincial governments have legislative power over personal information in the possession or control of provincial government entities and provincially regulated entities (all commercial activities within a province, excluding inter-provincial or international activities, or FWUBs).
The federal Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5, (“PIPEDA”), also applies to personal information held by private sector organizations in some but not all provinces. It applies in the provinces and territories as follows:
- to organizations in industries such as telecommunications, broadcasting, inter-provincial or international transportation (i.e., trucking, railways, and aviation), banking, military, nuclear energy, maritime navigation and shipping, which are subject to federal legislative jurisdiction;
- to organizations in the Yukon, Northwest Territories and Nunavut, which are considered to be FWUBs;
- to employee information of FWUBs; and
- to personal information (excluding employee information) collected, used or disclosed in the course of commercial activities by provincially regulated private organizations in those provinces which do not have their own provincial personal information protection legislation applicable to the private sector in a format that has been deemed to be substantially similar to the federal PIPEDA (PIPA BC, PIPA Alberta, and the Quebec Privacy Act have been deemed ‘substantially similar’).
To clarify, the federal PIPEDA does not apply to:
- employee information of provincially regulated private organizations in any province, even if PIPEDA applies to commercial activities of such private organizations;
- commercial activities of provincially regulated private sector organizations in the provinces of Alberta, British Columbia, and Quebec, which have their own provincial personal information protection legislation that has been deemed by regulation to be substantially similar to the federal PIPEDA;
- health information custodians operating in the private sector in Ontario, New Brunswick, Newfoundland and Labrador, and Ontario because their four provincial health information laws have been considered substantially similar to PIPEDA;
- any federal government institution to which the federal Privacy Act applies;
- information collected, used or disclosed for personal or domestic (family and home) purposes; and
- information collected by organizations for exclusively journalistic, artistic or literary purposes.
II. Personal Information Protection Laws that Apply to Private Sector Organizations:
Federal | Personal Information Protection and Electronic Documents Act, SC 2000, c.5, (“PIPEDA”) |
Federal | An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c. 23 [usually referred to as the “Canadian Anti-Spam Law”, or “CASL”] |
Alberta | Personal Information Protection Act, S.A. 2003, c. P-6.5 |
British Columbia | Personal Information Protection Act, SBC 2003, c. 63 |
Manitoba | Personal Information Protection and Identity Theft Prevention Act, S.M. 2013, c. 17, s. 34(2) [referred to as “PIPITPA”; not yet in force as of April 2022] |
Quebec | An Act Respecting the Protection of Personal Information in the Private Sector, RSQ, c. P-39.1 |
These Acts govern the collection, use, and disclosure of personal information by the private sector.
As noted above, the federal PIPEDA applies to:
- every “organization” in respect of “personal information” that the organization collects, uses or discloses in the course of “commercial activities”, unless provinces or territories have enacted substantially similar legislation (i.e., Alberta, British Columbia, Quebec, and health organizations in Ontario, in which case the provincial Acts apply and PIPEDA does not); and
- employee information of organizations that operate a federal work, undertaking or business (“FWUB”) (but not to employee information of non-FWUBs).
The terms “organization”, “personal information” and “commercial activities” are defined very broadly, which gives PIPEDA a wide-reaching scope of application. The federal PIPEDA does not apply to: any federal government institution to which the federal Privacy Act applies; information collected, used or disclosed for personal or domestic (family and home) purposes; or information collected by organizations for exclusively journalistic, artistic or literary purposes.
It is expected that the federal PIPEDA will be significantly amended or replaced by a new federal statute within the next several years. In 2020 Bill C-11 was introduced, which would have replaced PIPEDA with the Consumer Privacy Protection Act (‘CPPA’), but it did not pass the second reading.
The CPPA would have provided additional rights to Canadians regarding their data, such as sharing information between organizations or the right to withdraw consent for the use of data. It may have required affected organizations to provide more transparency for the use of algorithms and artificial intelligence and set out significant penalties based on annual global revenue. While the Bill was not passed before the dissolution of Parliament because of the 2021 federal election, privacy reform is likely in upcoming years and the CPPA will likely be the starting point for such reform.
The provincial personal information protection Acts govern the collection, use and disclosure of personal information by private organizations (including businesses, charities, unincorporated associations, trusts, trade unions and labour organizations, and not-for-profit associations) within the enacting province. The provincial Acts typically do not apply to the collection, use or disclosure of personal information for personal or domestic (home or family) purposes.
Personal information is defined in these Acts in a substantially similar manner to the Acts that apply to protect personal information in the possession or control of public bodies. Personal information typically does not include business contact information or work product information.
Organizations subject to private sector personal information protection Acts must comply with the minimum personal information protection measures contained in the Acts. All of them impose a duty to protect personal information within their possession or control. Although the duty to protect sections are all worded differently, they typically require that personal information be protected:
- by security safeguards appropriate to the sensitivity of the information;
- against loss or theft; and
- against unauthorized access, disclosure, or use.
The Alberta PIPA has unique provisions which set out minimum standards for notification requirements in the event of security breaches that pose a real risk of significant harm (organizations must notify the Commissioner, and upon receipt of such notice, the Commissioner may require the organization to give notice to affected individuals). The purpose of the notification requirements is to avoid or mitigate harm to individuals that might result from the breach.
None of the other general personal information protection Acts currently contain an express duty to notify, but Manitoba’s PIPITPA will, if it comes into force, require organizations to notify individuals “as soon as practicable” about the theft or loss of, or unauthorized access to, their personal information. As of April 2022, this statute has not yet come into effect.
Like the personal information protection Acts that apply to the public sector, these Acts establish a Commissioner with similar powers to hear and investigate complaints, initiate their own complaints and audits, write reports of their conclusions, and make orders following an investigation. Many of these Acts give the complainant a right to apply to the Court for a hearing following an investigation.
The federal PIPEDA authorizes a complainant to bring an action in Court following a report of a Commissioner and authorizes the Court to order organizations to comply with the Act and award damages for breach of privacy. The provincial Acts provide the Commissioner with the power to make orders and establish offences under the Act for failing to comply with the order of a Commissioner. None of these provincial Acts provide for a right to seek damages from the Commissioner for breach of privacy. However, the Quebec Act provides the Commissioner with broad powers to make remedial orders. Complainants may try to seek damages under this provision.
The BC and Alberta Acts create a statutory cause of action for damages resulting from a breach of the Act found by the Commissioner, or resulting from an offence committed under the Act, if an individual has suffered loss or injury as a result of the breach or offence. These Acts do not provide for a right of appeal of a Commissioner’s decision, but judicial review is available to the local courts.
Actions filed by individual claimants arising from data and other privacy breaches are most commonly commenced by filing a pleading known as a “Notice of Civil Claim”, “Statement of Claim”, or something similar. Defendants (known in some jurisdictions as respondents) file a responsive pleading. After an exchange of documents, and usually examinations for discovery or an equivalent form of deposition under oath, the matter is set down for trial. The result is binding only on the individual parties involved.
PIPEDA specifies that parties who wish to rely on a breach of that statute must file their claims in the Federal Court of Canada, a Court that only addresses matters involving issues of federal jurisdiction, including the interpretation of Federal statutes. Claimants relying on equivalent personal information statutes, upon Provincial privacy statutes, or the common law right to privacy may commence proceedings in Provincial Supreme Courts (known in some jurisdictions as Superior Court). Under PIPEDA, s. 14, an action must be filed in Federal Court within 45 days of the report, decision, or notification issued by the Federal Privacy Commissioner; Alberta’s personal information statute contains the same deadline, whereas the window is only 30 days in British Columbia.
III. Personal Information Protection Laws that Apply to Government and Public Bodies:
These Acts protect the privacy of individuals with respect to personal information held by public bodies. The scope of coverage of these Acts varies across the jurisdictions, but they typically include (unless a separate local or municipal Act applies) the following:
- the applicable federal, provincial or territorial government institutions;
- crown corporations;
- provincial agencies, boards, and commissions;
- health care, social services, and educational bodies;
- professional and occupational governing bodies; and
- local public bodies, including municipal governments, agencies, boards and commissions.
These acts are all located within the jurisdiction of the enacting government. These Acts also provide individuals with a right of access to information held by these public bodies.
Personal information is typically defined as “…information about an identifiable individual that is recorded in any form…”. This definition is sometimes followed by a non-exhaustive list of the types of information specifically included as personal information.
These Acts prohibit the collection, use and disclosure of personal information without consent, other than as authorized by the Acts. Most of them impose on the public body a duty to protect personal information in its custody or control by making reasonable security arrangements against risks such as the unauthorized access, collection, use, disclosure, or disposal of personal information.
None of these Acts specifically provide for a duty to notify affected individuals in the event of a breach of privacy, but such an order would likely fall within the general jurisdiction of the Commissioner under most Acts.
These Acts establish Privacy Commissioners in the respective jurisdictions, with powers to receive and investigate complaints from individuals relating to breaches of the Acts and to initiate their own investigations and audits. The Acts typically do not create a statutory cause of action giving rise to damages for breach of privacy. Instead, they give the Commissioners various powers, which vary in degree among the jurisdictions. At the low end of the spectrum, the Commissioner can make recommendations to offending organizations and request that the organizations report back to the Commissioner to confirm either that the recommendations have been implemented or explain why they have not been implemented (federal Privacy Act). At the high end of the spectrum, the Commissioner has the power to make orders following an investigation to, among other things, require a duty imposed under the Act to be performed, require a public body to stop collecting, using or disclosing personal information in contravention of the Act, or require terms and conditions to be met (British Columbia).
Most of the Acts provide for a right of judicial review by or appeal to the local courts from the decision of the Commissioner, and make it an offence under the Act for an organization to fail to comply with the orders made by the Commissioner. The Quebec Act enables a person injured by a public body to bring an action in Court to seek damages as compensation for injury, including punitive damages.
IV. Provincial Personal Health Information Laws:
Alberta | Health Information Act, RSA 2000, c. H-5 |
British Columbia | E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008, c. 38 |
Manitoba | Personal Health Information Act, CCSM, c. P33.5 |
New Brunswick | Personal Health Information Privacy and Access Act, SNB 2009, c. P-7.05 |
Nova Scotia | Personal Health Information Act, SNS 2010, c. 41 |
Newfoundland & Labrador | Personal Health Information Act, SNL 2008, c. P-7.01 |
Ontario | Personal Health Information Protection Act, 2004, SO 2004, c. 3 |
Quebec | An Act Respecting the Sharing of Certain Health Information, CQLR C. P-9.0001 |
Saskatchewan | Health Information Protection Act, S.S. 1999, c. H-0.021 |
Yukon | Health Information Privacy and Management Act, S.Y. 2013, c. 16 |
The provincial health information Acts apply to collecting, using, and disclosing personal health information held by “health information custodians” within the enacting provinces. Health information custodians are typically defined to include, among others, health care practitioners (doctors, dentists, physiotherapists, etc.), home care service providers, hospitals, independent health facilities, retirement and long-term care homes, pharmacies, and ambulance services. Most of these Acts (all but British Columbia) impose on custodians a duty to protect against unauthorized use or disclosure of personal health information in their possession or control. Most empower the provincial Privacy Commissioner to hear complaints, make investigations, conduct inquiries and issue orders, like under the other provincial personal information protection Acts, and appeal orders to the courts. These Acts also create offences for certain breaches of the Acts, punishable by monetary penalties.
In several of the provinces, including New Brunswick, Newfoundland and Labrador, Yukon and Ontario, the applicable health information Act contains a duty to notify the individual affected if personal health information is stolen, lost, or accessed by unauthorized persons. The Ontario PHIPA also creates a statutory cause of action for damages resulting from a breach of the Act found by the Commissioner or resulting from an offence committed under the Act.
The Saskatchewan Act empowers the Court to make any order it considers appropriate if it finds that a breach of the Act has occurred. Complainants could try to seek damages under this section.
V. Provincial Laws that Create a Statutory Cause of Action for Breach of Privacy:
British Columbia | Privacy Act, RSBC 1996, c. 373 |
Manitoba | Privacy Act, CCSM, c. P125 |
Newfoundland & Labrador | Privacy Act, RSNL 1990, c. P-22 |
Saskatchewan | Privacy Act, RSS 1978, c. P-24 |
The statutory cause of action under PIPEDA and equivalent Provincial statutes is premised specifically upon the loss, misuse, or unauthorized access to personal information held by an organization. However, the Privacy Acts in several Provinces (British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador) have created a separate statutory cause of action premised upon a breach of a right to privacy. This cause of action may overlap with the PIPEDA and similar statutory causes of action; specific factual scenarios might give rise to claims under both the personal information and statutory privacy regimes, e.g., where an employee accesses private customer information without authority, but it can arise in situations not covered under the personal information statutes (e.g., where an employee is alleged to have spied on customers in a business’ restroom).
Finally, in Provinces that have not adopted statutes equivalent to the Privacy Acts of British Columbia, et al., the Courts have developed a broadly similar common law cause of action for breach of privacy, known as the tort of intrusion upon seclusion. This was first recognized by Ontario’s Court of Appeal in Jones v. Tsige, 2012 ONCA 32. The test for liability is whether the invasion of privacy was intentional, lacked legal justification, and would be considered offensive to the reasonable person. It will typically relate to particularly personal subjects, such as financial matters, sexual orientation, diaries and private correspondence, etc. It is a live issue whether British Columbia courts will recognize some version of this tort. In Tucci v Peoples Trust Co., 2020 BCCA 246 at paras 64-68, the Court of Appeal stated that they have yet to decide whether a common law tort of breach of privacy exists in this province.
In addition to the provincial laws, CASL also provides a statutory cause of action and the opportunity to recover damages.
Litigation involving personal information and privacy law is developing rapidly. To learn more about personal information and privacy liability, we direct you to our article titled: Current Landscape of Personal Information and Privacy Liability in Canada.
VI. Conclusion:
Information protection and privacy laws in Canada vary from province to province. There are 38 different statutes that apply in various jurisdictions, as of the date of this paper. Both federal laws and provincial and territorial laws apply, although in some provinces, some of the federal laws have been replaced with similar provincial laws. This is a rapidly developing area of the law, with legislative amendments pending and new cases being tried. This paper summarizes the key provisions of these various statutes and the jurisdictions in which they apply.