Data Protected - Canada
Last updated June 2022
General | Data Protection Laws
General data protection laws
The Canadian federal law is the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”), which contains provisions similar to those in the GDPR and the Data Protection Directive.
In addition, several Canadian provinces (British Columbia, Alberta and Quebec) have adopted substantially similar data protection laws applicable in the private sector which partly displace PIPEDA in relation to personal information collected within each of these provinces. Note that Quebec’s Bill 64, passed in September 2021, represents a major reform to the province’s privacy regime. Changes worth highlighting include new requirements for the transfer of personal information from Quebec to third parties outside of the province, greater accountability obligations (such as requirements to conduct privacy impact assessments), and more substantial penalties for non-compliance (up to $25 million CAD or 4% of worldwide revenue). Navigating provincial regulation may be necessary to ensure compliance with all applicable data protection laws. However, the analysis below is limited to a treatment of the provisions of PIPEDA.
Entry into force
PIPEDA entered fully into force in 2004. The Digital Privacy Act, which introduced a number of amendments to PIPEDA, including a new consent standard and a breach notification obligation, entered into force as of November 2018. In June 2022, the federal government introduced a bill titled “An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.” If adopted, this new bill will fundamentally amend the privacy compliance regime in Canada, aligning it much more closely with the requirements and penalties found under Quebec’s Bill 64 and the EU GDPR.
National Supervisory Authority
Details of the competent national supervisory authority
Office of the Privacy Commissioner (the "Privacy Commissioner")
30 Victoria Street
Notification or registration scheme and timing
No. PIPEDA does not contain a registration requirement.
Exemptions to notification
Scope of Application
What is the territorial scope of application?
PIPEDA applies in all provinces and territories in Canada, except to the extent that a province has adopted substantially similar data protection legislation (namely British Columbia, Alberta and Quebec). Even in these latter provinces, PIPEDA applies to the collection, use and disclosure of personal information by any “federal work, undertaking or business”, a legally defined category of undertaking (such as banks, radio broadcasting undertakings, and inter-provincial transportation companies) that is within the legislative authority of the federal Parliament of Canada.
Moreover, a Federal Court has held that, while PIPEDA does not have extra-territorial application, the Canadian Privacy Commissioner has jurisdiction to investigate compliance by a foreign entity as regards its collection and processing of personal information about a Canadian resident.
Is there a concept of a controller and a processor?
Canadian data protection legislation does not contain the legally defined concepts of controller and processor. In general, the data protection provisions of PIPEDA apply to every organisation in respect of personal information that: (i) the organisation collects, uses or discloses in the course of commercial activities; or (ii) is about an employee of the organisation which the organisation collects, uses or discloses in connection with the operation of any federal work, undertaking or business.
PIPEDA includes provisions in relation to the concept of “accountability” pursuant to which an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The “accountable” organisation in this context is subject to obligations that are somewhat analogous to those imposed on a “controller” under the GDPR and the Data Protection Directive.
Are both manual and electronic records subject to data protection legislation?
Yes. PIPEDA applies to both manual (paper-based) and electronic records. Specifically, a “record” includes “any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form or characteristics, and any copy of any of those things”.
Are there any national derogations?
The PIPEDA data protection provisions do not apply to: (i) any government institution to which the federal Privacy Act applies; (ii) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or (iii) any organisation in respect of personal information that the organisation collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.
In addition, several Canadian provinces have adopted substantially similar data protection laws applicable in the private sector which partly displace PIPEDA (see above).
What is personal data?
“Personal information” is defined in PIPEDA as “information about an identifiable individual.”
Is information about legal entities personal data?
No, although information about individual partners or individual entrepreneurs (sole proprietors) may be treated as personal data.
What are the rules for processing personal data?
PIPEDA contains a series of fair information processing obligations that are set out in Schedule 1 to that Act. The principal obligations related to processing personal information are: (i) Identifying Purposes: The purposes for which personal information is collected shall be identified by the organisation at or before the time the information is collected (see below); (ii) Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except as otherwise authorised by law; (iii) Limited Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organisation. Information shall be collected by fair and lawful means; (iv) Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used; and (v) Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Are there any formalities to obtain consent to process personal data?
The way in which an organisation seeks consent may vary, depending on the circumstances and the type of information collected. However, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organisation’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
An organisation should generally seek express consent when the information is likely to be considered sensitive. Implied consent may be sufficient if the information is not sensitive. Consent can also be given by an authorised representative (such as a legal guardian or a person having power of attorney).
In January 2019, the Privacy Commissioner published guidelines that set out seven guiding principles for obtaining meaningful consent. While most of the steps are merely recommendations of best practice, the Privacy Commissioner has indicated that the first principle (i.e. emphasising key elements) is required for PIPEDA compliance. Pursuant to this principle, in order for consent to be meaningful, organisations that seek consent should highlight the following details: (i) what personal information is collected; (ii) with which parties personal information is being shared; (iii) the purpose of the data processing, use or disclosure; and (iv) any risk of harm or other consequences to the individual. There is no prescribed form in which these elements should be emphasised. The remaining six principles provide guidance for organisations to create their own innovative consent processes.
Are there any special rules when processing personal data about children?
No. Under laws of general application, however, minors may not be able to provide enforceable consent to the collection of their personal information. Furthermore, while PIPEDA does not differentiate between the data of adults and youth, the Privacy Commissioner tends to view children’s personal information as being particularly sensitive.
Are there any special rules when processing personal data about employees?
As regards the processing of personal information about employees, PIPEDA only applies to personal information about an employee of, or an applicant for employment with, an organisation that collects, uses or discloses that information in connection with the operation of a federal work, undertaking or business (such as banks and telcos).
The privacy laws of Alberta and British Columbia contain certain specific provisions regarding the processing of employee personal information. Pursuant to these provisions, organisations may collect, use and disclose employee personal information that is relevant to managing the employment relationship without consent, so long as the organisation has provided the employee with reasonable notification about such collection, use or disclosure.
Sensitive Personal Data
What is sensitive personal data?
“Sensitive personal information” is not a legally defined term under PIPEDA. However, some personal information is regarded as being “sensitive” in the non-technical sense and requires additional care. This includes medical records, income records and information about sexual orientation. It is worth noting that the Privacy Commissioner has found biometric information to be sensitive in almost all circumstances, with facial biometric information being particularly sensitive.
Are there additional rules for processing sensitive personal data?
There are no additional rules for processing sensitive personal information under PIPEDA, although the intensity of the obligation may vary depending on the sensitivity of the personal information in question. For example, according to PIPEDA, an organisation should generally seek express consent when the information is likely to be considered sensitive. Similarly, the nature of information security safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information must be safeguarded by a higher level of protection.
Are there additional rules for processing information about criminal offences?
Under PIPEDA, the rules for processing information about criminal offences are the same as for sensitive personal data.
Are there any formalities to obtain consent to process sensitive personal data?
No, although an organisation should generally seek express consent when the information is likely to be considered sensitive. However, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organisation’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
Data Protection Officers
When must a data protection officer be appointed?
Under PIPEDA, an organisation must make publicly available the name or title, and the address, of the person who is accountable for the organisation’s privacy policies and practices and to whom complaints or inquiries can be forwarded.
What are the duties of a data protection officer?
Accountability for the organisation’s compliance with the principles rests with the designated individual(s), even though other individuals within the organisation may be responsible for the day-to-day collection and processing of personal information. In particular, the data protection officer is responsible for following PIPEDA’s ten fair information principles that determine the collection, use and disclosure of personal information. Quebec’s Bill 64 imposes more specific obligations on a data protection officer, including the obligation to maintain a confidentiality incident log, to report confidentiality incidents, to conduct privacy impact assessments and to conduct adequacy assessments in certain circumstances.
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
The “accountability” principle under PIPEDA states that an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organisation shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
Organisations shall implement policies and practices to give effect to the principles, including: (i) implementing procedures to protect personal information; (ii) establishing procedures to receive and respond to complaints and inquiries; (iii) training staff and communicating to staff information about the organisation’s policies and practices; and (iv) developing information to explain the organisation’s policies and procedures.
Are privacy impact assessments mandatory?
PIPEDA does not include mandatory provisions related to privacy impact assessments. However, certain provincial personal health information protection acts include provisions related to mandatory privacy impact assessments. As of September 22, 2023, Bill 64 will require a mandatory privacy impact assessment prior to the transfer of any Personal Information outside of Quebec (including other Canadian provinces).
Rights of Data Subjects
The purposes for which personal information is collected must be identified by the organisation at or before the time the information is collected.
Rights to access information
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An organisation shall respond to an individual’s request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Rights to data portability
There are no specific rights to data portability under PIPEDA other than the general right of access. Note that in Quebec as of September 22, 2024, organisations will be required to give effect to individuals’ data portability requests as per Bill 64.
Right to be forgotten
Data subjects do not have a right to be forgotten under PIPEDA, other than pursuant to the general “limited retention” principle, which states that personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Note that Quebec’s Bill 64 enables individuals to request an organisation de-index or cease disseminating information about them if the information is illegal or meets certain conditions.
Objection to direct marketing
PIPEDA does not contain specific provisions related to direct marketing. However, an individual may withdraw consent to the collection, use and disclosure of personal information at any time, subject to legal or contractual restrictions and reasonable notice. Moreover, organisations are prohibited from requiring, as a condition of the supply of a product or service, an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes. Generally speaking, therefore, an organisation cannot require an individual to consent to use of personal information for secondary marketing purposes as a condition of receiving the principal service.
Canada adopted a strict “anti-spam” law in 2014 that requires organisations to obtain consent prior to sending a “commercial electronic message” to any individual (see below).
Organisations may only retain personal information for so long as necessary for the fulfilment of those purposes. An individual may withdraw consent to the collection, use and disclosure of personal information at any time, subject to legal or contractual restrictions and reasonable notice. If an individual withdraws consent to the collection, use and disclosure of personal information and/or if the purpose of collection has been fulfilled, then the organisation should delete such information, in particular, where requested by the individual in question.
Security requirements in order to protect personal data
According to PIPEDA, personal information must be protected by security safeguards appropriate to the sensitivity of the information. The security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage.
More sensitive information should be safeguarded by a higher level of protection. The methods of protection should include: (i) physical measures, for example, locked filing cabinets and restricted access to offices; (ii) organisational measures, for example, security clearances and limiting access on a “need-to-know” basis; and (iii) technological measures, for example, the use of passwords and encryption.
In addition, according to PIPEDA, organisations must make their employees aware of the importance of maintaining the confidentiality of personal information.
Specific rules governing processing by third party agents (processors)
An organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organisation shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
Notice of breach laws
Pursuant to mandatory breach notification requirements under PIPEDA, an organisation must report any breach of security safeguards involving personal information under its control to the Privacy Commissioner if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Unless otherwise prohibited by law, an organisation shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organisation’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Moreover, an organisation shall, in accordance with any prescribed requirements, keep and maintain a record of every breach of security safeguards involving personal information under its control. These mandatory breach notification requirements and security breach record-keeping requirements came into force in November 2018.
Mandatory breach notification obligations also exist under Alberta provincial privacy law. Moreover, as of September 2022, new mandatory breach notification obligations will enter into force in Quebec pursuant to Bill 64.
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
PIPEDA does not contain any specific restrictions related to cross-border data flows. However, all transfers of personal information to a third-party processor, whether within Canada or cross-border, are subject to the “accountability” principle under PIPEDA. Specifically, an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organisation shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
The Privacy Commissioner requires that organisations be transparent about their personal information handling practices, including advising customers that their personal information may be sent to another jurisdiction. It is best practice to include a description of any cross-jurisdictional transfer of data. Note that there are further restrictions to cross-jurisdictional personal data transfers in Alberta and Quebec.
Notification and approval of national regulator (including notification of use of Model Contracts)
No. Under PIPEDA it is not necessary to notify or obtain approval from a national regulator for transborder dataflow.
Use of binding corporate rules
PIPEDA does not recognise the concept of binding corporate rules as such. However, an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. If the information is transferred to another entity within the same corporate group, this is still considered a transfer that is subject to the accountability principle. To the extent that all members of the same corporate group are subject to the same policies related to the protection of personal information and those policies are PIPEDA-compliant, the Privacy Commissioner has accepted that the related parties do not need to put in place a separate data processing agreement as between them in order to comply with the accountability principle.
PIPEDA was amended to introduce certain administrative monetary penalties applicable to the violation of the breach notification and breach record keeping requirements referred to above. Violations of such provisions are considered an indictable offence and liable to a fine not exceeding C$100,000. Moreover, a complainant may, after receiving the Commissioner’s report or being notified that the investigation of the complaint has been discontinued, apply to a court for a hearing in respect of any matter in respect of which the complaint was made. The Court may then award damages.
Quebec’s Bill 64 provides for penalties of up to $25,000,000 or 4% of worldwide revenue in the event of non-compliance. These fines may be doubled in the event of a subsequent violation. These fining powers will take effect in September 2023.
While individuals do not have a direct right of compensation under PIPEDA, PIPEDA states that a complainant may, after receiving the Commissioner’s report or being notified that the investigation of the complaint has been discontinued, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report, and that is referred to in certain specifically identified provisions of PIPEDA. The Court may then, in addition to any other remedies it may give, award damages to the complainant, including damages for any humiliation that the complainant has suffered.
The Privacy Commissioner holds powers of investigation. Specifically, when a privacy complaint is filed against a business, the Privacy Commissioner may choose to investigate the business’s data protection practices. Such investigations can be time and resource consuming for the business involved (since the investigations may go beyond a mere review of the business’s privacy policies to include a more detailed review of how/whether such policies are implemented in practice).
Historically, the Privacy Commissioner had been primarily interested in encouraging compliance and did not issue fines. We have yet to see how the Privacy Commissioner will exercise its new sanctioning powers. The Privacy Commissioner’s decisions are published and several have been widely reported on in the media. Certain cases have led to class actions before the courts.
ePrivacy | Marketing and cookies
Canada has an “anti-spam” law commonly referred to as “Canada’s Anti-Spam Law” (“CASL”). It was adopted on 15 December 2010 and came into force on 1 July 2014.
In addition, unsolicited commercial telecommunications (calls, faxes) are regulated under regulations adopted pursuant to the federal Telecommunications Act. Specifically, the Canadian Radio-television and Telecommunications Commission Unsolicited Telecommunications Rules (“UTR”) have three main components: (i) National Do-Not-Call List (“DNCL”) Rules creating a registry for consumers; (ii) Telemarketing Rules setting out a basic code of conduct for telemarketing to residential and business consumers; and (iii) Automatic Dialling-Announcing Devices (“ADAD”) Rules.
Not applicable. See above summary of the PIPEDA regulation of the collection, use and disclosure of personal information.
Conditions for direct marketing by e-mail to individual subscribers
CASL prohibits businesses from sending commercial electronic messages unless the recipient has given express or implied consent. A “commercial electronic message” (“CEM”) is an electronic message where any of its purposes is to encourage participation in commercial activity. An “electronic message” is defined broadly to include any “message sent by any means of telecommunication, including a text, sound, and voice or image message.” This definition covers both emails and text messages, for example.
The notions of “express consent” and “implied consent” are specifically (and narrowly) defined under CASL. For example, in order to obtain valid “express consent” to send CEMs, such consent must be “sought separately” from other types of consent and must include a statement indicating that the person whose consent is sought can withdraw their consent. As regards “implied consent”, CASL sets out an exhaustive list of circumstances under which “implied consent” to the sending of CEMs is deemed to have been obtained. For example, CASL contains a provision pursuant to which a business is deemed to have obtained the requisite “implied consent” to send a commercial electronic message to any recipient with whom the sender has had an “existing business relationship” (as defined in CASL) during the previous two years. “Implied consent” is also deemed to exist where the person to whom the message is sent has conspicuously published, or has caused to be conspicuously published, the electronic address to which the message is sent, the publication is not accompanied by a statement that the person does not wish to receive unsolicited commercial electronic messages at that electronic address, and the message is relevant to the person’s business, role, functions or duties in a business or official capacity. The CRTC has narrowly interpreted whether or not a CEM is “relevant to the person’s business, role, functions or duties.”
The CEM must include information (specified by regulation) that identifies the sender of the CEM, as well as an unsubscribe mechanism that may be “readily performed”, so that recipients can easily opt out of receiving future CEMs if they so choose.
Conditions for direct marketing by e-mail to corporate subscribers
The above-mentioned conditions for direct marketing by e-mail to individual subscribers also apply to direct marketing by e-mail to corporate subscribers, subject to the following exception: the prohibition against sending a CEM without prior consent does not apply to a CEM that is sent by an employee, representative, consultant or franchisee of an organisation to an employee, representative, consultant or franchisee of another organisation if the organisations have a relationship and the message concerns the activities of the organisation to which the message is sent. This exemption has been narrowly applied thus far by the CRTC and there remains considerable uncertainty as to whether and when the sending and recipient organisations “have a relationship” and whether and when “the message concerns the activities of the organisation to which the message is sent.”
Similarly, the prohibitions against false or misleading messages (see below) also apply to messages sent to corporate subscribers.
Exemptions and other issues
CASL amends the federal Competition Act to prohibit false or misleading representations in the sender description, subject matter field or message field of an electronic message, or in the URL or other locator on a webpage.
CASL also includes prohibitions against the installation of a computer program on any other person’s computer system without their prior consent.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
If a Canadian business engages in telemarketing it must: (i) register with the National DNCL (even telemarketers who are exempt from the National DNCL Rules must register); (ii) maintain and act in accordance with an internal (not a “national”) “do not call” list; and (iii) comply with various rules set out in the UTR, including identifying itself and the purpose of the call to the consumer, and respecting call time limitations. Upon request, a telemarketer must provide a local or toll-free number allowing the customer access to a representative of the telemarketer or, where applicable, its client.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The DNCL Rules do not apply to calls to businesses.
Exemptions and other issues
There are a number of other specific rules concerning telemarketing calls published by the CRTC. These include rules about the times at which calls can be made, the provision of caller line identification, controls over sequential and random diallers and restrictions on silent calls resulting from the use of predictive dialling devices.