Data Protected - Canada

Contributed by McCarthy Tétrault LLP

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The governing Canadian federal law is the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”), which contains provisions similar to those in the GDPR and the Data Protection Directive.

In addition, several Canadian provinces (British Columbia, Alberta, Manitoba, Quebec) have adopted substantially similar data protection laws applicable in the private sector which partly displace PIPEDA in relation to personal information collected within each of these provinces. However, the analysis below is limited to a treatment of the provisions of PIPEDA.

Entry into force

PIPEDA entered partially into force in 2001 and fully into force in 2004.  The Digital Privacy Act, which introduced a number of amendments to PIPEDA, including a new consent standard and a breach notification obligation, partially entered into force in 2015; the new breach notification obligations are not currently in force as of December 2017.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

Office of the Privacy Commissioner
112 Kent Street
Place de Ville
Tower B, 3rd Floor
Ottawa, Ontario
K1A 1H3

www.priv.gc.ca

Notification or registration scheme and timing

No. PIPEDA does not contain a registration requirement.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

PIPEDA applies in all provinces and territories in Canada, except to the extent that a province has adopted substantially similar data protection legislation (namely British Columbia, Alberta, Manitoba and Quebec). Even in these latter provinces, PIPEDA applies to the collection, use and disclosure of personal information by any “federal work, undertaking or business”, a legally defined category of undertaking (such as banks, radio broadcasting undertakings, and inter-provincial transportation companies) that is within the legislative authority of the federal Parliament of Canada.

Moreover, a Federal Court has held that, while PIPEDA does not have extra-territorial application, the Canadian Privacy Commissioner has jurisdiction to investigate compliance by a foreign entity as regards its collection and processing of personal information about a Canadian resident.

Is there a concept of a controller and a processor?

Canadian data protection legislation does not contain the legally defined concepts of controller and processor. In general, the data protection provisions of PIPEDA apply to every organisation in respect of personal information that: (i) the organisation collects, uses or discloses in the course of commercial activities; or (ii) is about an employee of the organisation which the organisation collects, uses or discloses in connection with the operation of any federal work, undertaking or business.

PIPEDA includes provisions in relation to the concept of “accountability” pursuant to which an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.  The “accountable” organisation in this context is subject to obligations that are somewhat analogous to those imposed on a “controller” under the GDPR and the Data Protection Directive.

Are both manual and electronic records subject to data protection legislation?

Yes. PIPEDA applies to both manual (paper-based) and electronic records. Specifically, a “record” includes “any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form or characteristics, and any copy of any of those things”.

Are there any national derogations?

The PIPEDA data protection provisions do not apply to: (i) any government institution to which the federal Privacy Act applies; (ii) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or (iii) any organisation in respect of personal information that the organisation collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

In addition, several Canadian provinces have adopted substantially similar data protection laws applicable in the private sector which partly displace PIPEDA (see above).

_____________________________________________________________________

Personal Data

What is personal data?

“Personal information” is defined in PIPEDA as “information about an identifiable individual.”

Is information about legal entities personal data?

No, although information about individual partners or individual entrepreneurs (sole proprietors) may be treated as personal data.

What are the rules for processing personal data?

PIPEDA contains a series of fair information processing obligations that are set out in Schedule 1 to that Act. The principal obligations related to processing personal information are: (i) Identifying Purposes: The purposes for which personal information is collected shall be identified by the organisation at or before the time the information is collected (see below); (ii) Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except as otherwise authorised by law; (iii) Limited Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organisation. Information shall be collected by fair and lawful means; (iv) Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used; and (v) Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Are there any formalities to obtain consent to process personal data?

No. The way in which an organisation seeks consent may vary, depending on the circumstances and the type of information collected. An organisation should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorised representative (such as a legal guardian or a person having power of attorney). However, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organisation’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

Are there any special rules when processing personal data about children?

No.  Under laws of general application, however, minors may not be able to provide enforceable consent to the collection of their personal information.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

“Sensitive personal information” is not a legally defined term under PIPEDA. However, some personal information is regarded as being “sensitive” in the non-technical sense and requires additional care. This includes medical records, income records and information about sexual orientation.

Are there additional rules for processing sensitive personal data?

There are no additional rules for processing sensitive personal information under PIPEDA, although the intensity of the obligation may vary depending on the sensitivity of the personal information in question. For example, according to PIPEDA, an organisation should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Similarly, the nature of information security safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information must be safeguarded by a higher level of protection.

Are there additional rules for processing information about criminal offences?

Under PIPEDA, the rules for processing information about criminal offences are the same as for sensitive personal data.

Are there any formalities to obtain consent to process sensitive personal data?

No, although an organisation should generally seek express consent when the information is likely to be considered sensitive. However, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organisation’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

Under PIPEDA, an organisation must make publicly available the name or title, and the address, of the person who is accountable for the organisation’s privacy policies and practices and to whom complaints or inquiries can be forwarded.

What are the duties of a data protection officer?

Accountability for the organisation’s compliance with the principles rests with the designated individual(s), even though other individuals within the organisation may be responsible for the day-to-day collection and processing of personal information.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

The “accountability” principle under PIPEDA states that an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organisation shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. 

Organisations shall implement policies and practices to give effect to the principles, including: (i) implementing procedures to protect personal information; (ii) establishing procedures to receive and respond to complaints and inquiries; (iii) training staff and communicating to staff information about the organisation’s policies and practices; and (iv) developing information to explain the organisation’s policies and procedures.

Are privacy impact assessments mandatory?

PIPEDA does not include mandatory provisions related to privacy impact assessments. However, certain provincial personal health information protection acts include provisions related to mandatory privacy impact assessments.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

The purposes for which personal information is collected must be identified by the organisation at or before the time the information is collected.

Rights to access information

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An organisation shall respond to an individual’s request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Rights to data portability

There are no specific rights to data portability under PIPEDA other than the general right of access.

Right to be forgotten

Data subjects do not have a right to be forgotten under PIPEDA, other than pursuant to the general “limited retention” principle, which states that personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous.

Objection to direct marketing and profiling

PIPEDA does not contain specific provisions related to direct marketing. However, an individual may withdraw consent to the collection, use and disclosure of personal information at any time, subject to legal or contractual restrictions and reasonable notice. Moreover, organisations are prohibited from requiring, as a condition of the supply of a product or service, an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes. Generally speaking, therefore, an organisation cannot require an individual to consent to use of personal information for secondary marketing purposes as a condition of receiving the principal service.

Canada adopted a strict “anti-spam” law in 2014 that requires organisations to obtain consent prior to sending a “commercial electronic message” to any individual (see below).

Other rights

Organisations may only retain personal information for so long as necessary for the fulfilment of those purposes. An individual may withdraw consent to the collection, use and disclosure of personal information at any time, subject to legal or contractual restrictions and reasonable notice. If an individual withdraws consent to the collection, use and disclosure of personal information and/or if the purpose of collection has been fulfilled, then the organisation should delete such information, in particular, where requested by the individual in question.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

According to PIPEDA, personal information must be protected by security safeguards appropriate to the sensitivity of the information. The security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage.

More sensitive information should be safeguarded by a higher level of protection. The methods of protection should include: (i) physical measures, for example, locked filing cabinets and restricted access to offices; (ii) organisational measures, for example, security clearances and limiting access on a “need-to-know” basis; and (iii) technological measures, for example, the use of passwords and encryption.

In addition, according to PIPEDA, organisations must make their employees aware of the importance of maintaining the confidentiality of personal information.

Specific rules governing processing by third party agents (processors)

An organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organisation shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

Notice of breach laws

In 2015, mandatory breach notification requirements were added to PIPEDA. Pursuant to these new requirements, an organisation must report any breach of security safeguards involving personal information under its control to the Privacy Commissioner if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Unless otherwise prohibited by law, an organisation shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organisation’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Moreover, an organisation shall, in accordance with any prescribed requirements, keep and maintain a record of every breach of security safeguards involving personal information under its control. These mandatory breach notification requirements and security breach record-keeping requirements are expected to come into force in 2018.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

PIPEDA does not contain any specific restrictions related to cross-border data flows. However, all transfers of personal information to a third-party processor, whether within Canada or cross-border, are subject to the “accountability” principle under PIPEDA. Specifically, an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organisation shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

Notification and approval of national regulator (including notification of use of Model Contracts)

No. Under PIPEDA it is not necessary to notify or obtain approval from a national regulator for transborder data flows.

Use of binding corporate rules

PIPEDA does not recognise the concept of binding corporate rules as such. However, an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. If the information is transferred to another entity within the same corporate group, this is still considered a transfer that is subject to the accountability principle. To the extent that all members of the same corporate group are subject to the same policies related to the protection of personal information and those policies are PIPEDA-compliant, the Privacy Commissioner has accepted that the related parties do not need to put in place a separate data processing agreement as between them in order to comply with the accountability principle.

_____________________________________________________________________

Enforcement

Fines

In 2015, PIPEDA was amended to introduce certain administrative monetary penalties applicable to the violation of the breach notification and breach record-keeping requirements referred to above. Violations of such provisions are considered an indictable offence and liable to a fine not exceeding C$100,000. Moreover, a complainant may, after receiving the Commissioner’s report or being notified that the investigation of the complaint has been discontinued, apply to a court for a hearing in respect of any matter in respect of which the complaint was made. The Court may then award damages.

Criminal liability

None.

Compensation

While individuals do not have a direct right of compensation under PIPEDA, PIPEDA states that a complainant may, after receiving the Commissioner’s report or being notified that the investigation of the complaint has been discontinued, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report, and that is referred to in certain specifically identified provisions of PIPEDA. The Court may then, in addition to any other remedies it may give, award damages to the complainant, including damages for any humiliation that the complainant has suffered.

Other powers

The Privacy Commissioner holds powers of investigation. Specifically, when a privacy complaint is filed against a business, the Privacy Commissioner may choose to investigate the business’s data protection practices. Such investigations can be time- and resource-consuming for the business involved, since they may go beyond a mere review of the business’s privacy policies to include a more detailed review of how, and whether, such policies are implemented in practice.

Practice

Up until the 2015 amendments to PIPEDA (which introduced new breach notification requirements and administrative monetary penalties), the Privacy Commissioner had been primarily interested in encouraging compliance and did not issue fines. We have yet to see how the Privacy Commissioner will exercise its new sanctioning powers. The Privacy Commissioner’s decisions are published and several have been widely reported on in the media. Certain cases have led to class actions before the courts.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

Canada recently adopted an “anti-spam” law called: “an act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act”. It has no official “short title”, but is commonly referred to as “Canada’s Anti-Spam Law” (“CASL”). It was adopted on 15 December 2010, and came into force on July 1, 2014. Commencing on July 1, 2017, individuals and organisations that are affected by a violation of CASL will be able to seek legal redress through civil actions (a private right of action).

In addition, unsolicited commercial telecommunications (calls, faxes) are regulated under regulations adopted pursuant to the federal Telecommunications Act. Specifically, the Canadian Radio-television and Telecommunications Commission Unsolicited Telecommunications Rules (“UTR”) have three main components: (i) National Do-Not-Call List (“DNCL”) Rules creating a registry for consumers; (ii) Telemarketing Rules setting out a basic code of conduct for telemarketing to residential and business consumers; and (iii) Automatic Dialling-Announcing Devices (“ADAD”) Rules.

_____________________________________________________________________

Cookies

Conditions for use of cookies

Neither CASL nor the Telecommunications Act specifically regulate the use of cookies. However, PIPEDA’s provisions regarding the collection, use and disclosure of personal information (summarised above) apply to cookies to the extent that cookies are used to collect or disclose personal information.

Regulatory guidance on the use of cookies

Not applicable. See above summary of the PIPEDA regulation of the collection, use and disclosure of personal information.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

CASL prohibits businesses from sending commercial electronic messages unless the recipient has given express or implied consent. A “commercial electronic message” (“CEM”) is an electronic message where any of its purposes is to encourage participation in commercial activity. An “electronic message” is defined broadly to include any “message sent by any means of telecommunication, including a text, sound, and voice or image message.” This definition covers both emails and text messages, for example.

The notions of “express consent” and “implied consent” are specifically (and narrowly) defined under CASL. For example, in order to obtain valid “express consent” to send CEMs, such consent must be “sought separately” from other types of consent and must include a statement indicating that the person whose consent is sought can withdraw their consent. As regards “implied consent”, CASL sets out an exhaustive list of circumstances under which “implied consent” to the sending of CEMs is deemed to have been obtained. For example, CASL contains a provision pursuant to which a business is deemed to have obtained the requisite “implied consent” to send a commercial electronic message to any recipient with whom the sender has had an “existing business relationship” (as defined in CASL) during the previous two years. “Implied consent” is also deemed to exist where the person to whom the message is sent has conspicuously published, or has caused to be conspicuously published, the electronic address to which the message is sent, the publication is not accompanied by a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address, and the message is relevant to the person’s business, role, functions or duties in a business or official capacity. The CRTC has narrowly interpreted whether or not a CEM is “relevant to the person’s business, role, functions or duties.”

The CEM must include information (specified by regulation) that identifies the sender of the CEM, as well as an unsubscribe mechanism that may be “readily performed”, so that recipients can easily opt out of receiving future CEMs if they so choose.

Conditions for direct marketing by e-mail to corporate subscribers

The above-mentioned conditions for direct marketing by e-mail to individual subscribers also apply to direct marketing by e-mail to corporate subscribers, subject to the following exception: the prohibition against sending a CEM without prior consent does not apply to a CEM that is sent by an employee, representative, consultant or franchisee of an organisation to an employee, representative, consultant or franchisee of another organisation if the organisations have a relationship and the message concerns the activities of the organisation to which the message is sent. This exemption has been narrowly applied thus far by the CRTC, and there remains considerable uncertainty as to whether and when the sending and recipient organisations “have a relationship” and whether and when “the message concerns the activities of the organisation to which the message is sent.”

Similarly, the prohibitions against false or misleading messages (described below under “Exemptions and other issues”) also apply to messages sent to corporate subscribers.

Exemptions and other issues

CASL amends the federal Competition Act to prohibit false or misleading representations in the sender description, subject matter field or message field of an electronic message, or in the URL or other locator on a webpage.

CASL also includes prohibitions against the installation of a computer program on any other person’s computer system without their prior consent.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

If a Canadian business engages in telemarketing it must: (i) register with the National DNCL (even telemarketers who are exempt from the National DNCL Rules must register); (ii) maintain and act in accordance with an internal (not a “national”) “do not call” list; and (iii) comply with various rules set out in the UTR, including identifying itself and the purpose of the call to the consumer, and respecting call time limitations. Upon request, a telemarketer must provide a local or toll-free number allowing the customer access to a representative of the telemarketer or, where applicable, its client.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The DNCL Rules do not apply to calls to businesses.

Exemptions and other issues

There are a number of other specific rules concerning telemarketing calls published by the CRTC. These include rules about the times at which calls can be made, the provision of caller line identification, controls over sequential and random diallers and restrictions on silent calls resulting from the use of predictive dialling devices.

_____________________________________________________________________