Guide to Doing Business in Canada: Privacy law

32 minute read
20 October 2023


View full guide »

Privacy law

Privacy is important to Canadians. With advances in technology, organizations are collecting, storing, transferring and disclosing more personal information about consumers and their employees than ever before. This accumulation of personal information increases the risks for organizations doing business in the country.

In an age of social media, cloud computing, global networks and international data flows, incidents involving data security breaches and identity theft frequently make headlines in Canada - particularly given the advent of class action lawsuits to remedy privacy breaches. As a result, privacy protection is an increasingly pressing public-policy concern.

Canada has enacted comprehensive federal privacy legislation that applies to the private sector. In addition, certain provinces have enacted both comprehensive and industry-specific private sector privacy legislation.

Québec recently made substantial changes to its provincial privacy laws, including the Act respecting the protection of personal information in the private sector, as amended by Law 25 (aka Bill 64). Beyond Quebec, there are currently many privacy laws that are in the process of being amended, including the federal private sector privacy legislation and provincial private sector privacy laws.

  1. The privacy landscape in Canada
  2. Employers
  3. Reporting privacy breaches
  4. Cross-border transfers and outsourcing
  5. Enforcement
  6. The General Data Protection Regulation

1. The privacy landscape in Canada

a. Federal

In Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the collection, use and disclosure of personal information in the private sector. "Personal information" is broadly defined in the Act as any "information about an identifiable individual," whether public or private, with limited exceptions.

PIPEDA applies to federal works, undertakings and businesses, and to private sector organizations that collect, use or disclose personal information in the course of commercial activities in provinces that do not have substantially similar legislation and that transfer personal information across provincial or international borders. PIPEDA's application to personal employee information is limited to organizations that are federal works, undertakings and businesses. Examples of these organizations include:

  • Airlines
  • Airports
  • Banks
  • Broadcasting
  • Telecommunications
  • Interprovincial railways
  • Interprovincial or international trucking, shipping or other forms of transportation
  • Nuclear energy
  • Offshore drilling operations
  • Activities related to maritime navigation

PIPEDA is a privacy law that applies to the collection of personal information regardless of the technology used.

Compliance with PIPEDA is subject to an overriding standard of reasonableness whereby organizations may only collect, use and disclose personal information for purposes that a "reasonable person would consider appropriate in the circumstances." This requirement applies even if the individual has consented to the collection, use or disclosure of their personal information.

In provinces with privacy legislation that the federal government has deemed to be "substantially similar" to PIPEDA, the Act does not apply. Currently, only Alberta, British Columbia and Québec have "substantially similar" privacy legislation in place. However, PIPEDA continues to apply to federal works, undertakings or businesses that operate in those provinces as well as all interprovincial and international transactions by all organizations subject to PIPEDA in the course of their commercial activities.

Organizations that operate interprovincial or internationally are required to deal with both provincial and federal privacy legislation. It should be noted that other Canadian provinces also have health specific legislation that has not been deemed "substantially similar" to PIPEDA; with the effect that both the health specific legislation and PIPEDA may apply even within the province.

In addition, health information custodians - such as physicians, nurses and hospitals - in Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador are exempt from PIPEDA with respect to personal health information, as these provinces have specific health information privacy statutes that have been deemed "substantially similar" to PIPEDA.

b. Provincial

Alberta, British Columbia and Québec have enacted comprehensive private sector privacy legislation, entitled the Personal Information Protection Act (PIPA) in Alberta and British Columbia, and An Act respecting the protection of personal information in the private sector (Québec Privacy Act) in Québec.

While these provincial laws are similar in principle to PIPEDA, there are important differences in the details. These laws apply generally to all private sector organizations with respect to the collection, use and disclosure of personal information - not just with respect to commercial activities - and to employees' personal information. The Québec Privacy Act may also apply to private sector collection, use and disclosure of personal health information. However, Quebec has recently adopted An Act respecting health and social services information and amending various legislative provisions (Bill 3), which will govern the collection, use and disclosure of personal health information for public and certain private sector organizations.

The Québec Privacy Act establishes rules concerning the protection of personal information collected, used, held or communicated in the course of carrying on an enterprise within the meaning of article 1525 of the Civil Code of Québec. It is applicable to any personal information, no matter its form, defined as "any information which relates to a natural person and allows, directly or indirectly, to identify that person." The Québec Privacy Act has limited application to personal information that is by law considered to be public.

The Québec Privacy Act has recently undergone some changes due to the coming into force of certain provisions of the Act to modernize legislative provisions as regards the protection of personal information. Law 25, also known as "Bill 64", provides for several amendments to the Québec Privacy Act, most of which came into force in September 2022 and 2023.

Most notably, the Québec Privacy Act now provides that every organization is responsible for the protection of the personal information that it holds. Since September 2022, a "Privacy Officer" is responsible in each organization for ensuring compliance with the Québec Privacy Act. This position is held by the person with the highest authority in the organization or by the person to whom that person has delegated this function in writing.

In addition, since September 2023, each organization is required to implement policies ensuring the protection of the personal information it holds. Detailed information about these need to be available, either on the company's website or by any other appropriate means.

Furthermore, in order for an organization to collect personal information, there will have to be a legitimate and meaningful purpose for doing so, which will need to be identified beforehand. Additionally, the organization will have to inform the person whose information is being collected of the purpose for which it is collected, the means of collection, their rights of access and rectification provided by law, and their right to withdraw their consent. If the information is to be communicated to a third party, including outside or the province, the organization will also need to inform the person.

Finally, any organization that collects personal information via a technology offered to the public that has privacy settings will need to make sure that the default settings provide the highest level of confidentiality.

c. Legislative overview

All Canadian privacy legislation, including PIPEDA, reflects the following 10 principles set out in the Organisation for Economic Co-operation and Development Guidelines (OECD), created in the early 1980s:

  • Accountability
  • Identifying purposes
  • Consent
  • Limiting collection
  • Limiting use, disclosure and retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual access
  • Challenging compliance

As outlined in the "Federal" section above, the standard of reasonableness is considered the overarching rule in Canadian privacy legislation. One cannot avoid this standard by obtaining consent to an objectively unreasonable collection, use or disclosure of personal information. In most cases, organizations must have either the express or implied consent of the individual in order to collect, use or disclose their personal information.

All four principal private sector statutes apply similar principles:

  • Personal information may only be collected, used or disclosed with the knowledge and consent of the individual.
  • The collection of personal information must be limited to what is necessary for identified purposes.
  • Personal information must be collected by fair and lawful means.

According to the Guidelines issued by the Office of the Privacy Commissioner of Canada (the "OPC") in August 2021, obtaining meaningful consent will require greater transparency about how data is collected, used and disclosed. The OPC also has emphasized that "express consent" is the default, and that implied consent will only be appropriate in limited circumstances. Quebec's privacy commissioner, the Comission d'accès à l'information (CAI), has also released draft consent guidelines which discuss express consent, implied consent, and introduces the new concept of presumed consent. Although these guidelines are still a draft, the CAI, like the OPC, favors express consent.

Organizations are required to explain in their privacy policies what personal information is being collected; disclose third parties with whom personal information will be shared; and explain the purposes for which the information is being collected, used and/or disclosed in clear, understandable, and precise terms. Purposes that are integral to provisions of service should be distinguished from those that are not. If presented as "mandatory", the collection, use and disclosure of personal information must be integral to the provision of the product or service. The consumer must be given choices for non-integral collections, uses or disclosures of personal information. Further, organizations must explain the risks of harm and other consequences of residual risks that remain after mitigation measures are put in place.

Organizations should also allow individuals to control the level of detail they get and when. Organizations must provide clear options to say yes or no, and information must always be presented to individuals in a manageable and easily-accessible way.

Personal information must be protected by safeguards appropriate for the level of sensitivity of the information. For example, highly sensitive information, such as financial data, must be provided with a proportionately high level of security that should include physical, organizational and technological protection measures. As well, individuals must be provided with easy access to information about an organization's privacy policies and practices.

Alberta, British Columbia (with regard to certain designated databases), Manitoba, New Brunswick, Newfoundland and Labrador, Nova Scotia, Ontario, Quebec (once Bill 3 comes into force), Saskatchewan, Prince Edward Island, the Northwest Territories and Yukon have legislation specifically governing the collection, use and disclosure of personal health information. All Canadian provinces and territories have enacted legislation that regulates the collection, use and disclosure of personal information in the public sector. To the extent that private sector organizations are contracting with public bodies and obtaining or receiving personal information that is under the "custody and control" of those public bodies, the public sector legislation will apply to govern the treatment of that information, and the private sector organization should be aware of the potential for "access to information" requests that may impact the information.

In specific industry sectors, additional requirements will apply depending on the nature of the consent sought. For example, several provinces, including Ontario and Nova Scotia, impose font size requirements on requests for consent and notice prior to obtaining a credit bureau report.

2. Employers

In accordance with constitutional limits placed on federal legislation, PIPEDA applies only to the employment information of employees of, and applicants for employment with, federally regulated organizations, such as banks, airlines and telecommunications companies. The OPC released guidance on privacy in the workplace, which includes practical guidance for the collection, use, and disclosure of personal information of employees. Federally-regulated employers in the private sector may collect personal information without knowledge and consent to establish, manage and terminate the employment relationship, as well as if the information was produced by an individual in the course of their employment, business or profession, provided the collection, use or disclosure is consistent with the purposes for which the information was produced.

Provincial privacy legislation applies to employee information outside of those sectors. It is important to note that since September 2023, the first and second sections of the Québec Privacy Act will not apply to "personal information concerning the performance of duties within an enterprise by the person concerned, such as the person's name, title and duties, as well as the address, email address and telephone number of the person's place of work."

Under Alberta's PIPA and British Columbia's PIPA, employers are permitted to collect, use or disclose "personal employee information" without the consent of the employee if it is reasonably required for the purposes of establishing, managing or terminating an employment relationship. The collection must always be reasonable, and the employee must be informed beforehand about the collection and purposes for the collection.

3. Reporting privacy breaches

Canada and its provinces have introduced requirements for organizations to proactively notify individuals or the appropriate regulatory bodies of a data breach. PIPEDA, Alberta's PIPA and Health Information Act, the Quebec Privacy Act, New Brunswick's Personal Health Information Privacy and Access Act, Newfoundland and Labrador's Personal Health Information Act, Nova Scotia's Personal Health Information Act, Ontario's Personal Health Information Protection Act, Prince Edward Island's Health Information Act, and the Yukon's Health Information Privacy and Management Act all require mandatory data breach notification. Although there are no statutory provisions regarding breach notification under BC PIPA, recent OIPC BC guidelines offer organizations guidance on when they should consider notifying third parties and affected individuals of a breach.

PIPEDA requires mandatory breach notification and requires organizations to retain records of all breaches of their security safeguards.

Alberta was the first Canadian jurisdiction to require mandatory privacy-breach notification in the private (non-health-related) sector. Organizations subject to Alberta's PIPA are required to notify the province's information and privacy commissioner if personal information under the organization's control is lost, accessed or disclosed without authorization, or if it has in any way suffered a privacy breach, where a real risk of significant harm to an individual exists as a result of the breach. In those circumstances, failure to notify the commissioner of a breach is an offence.

The notification requirement is only triggered if the harm threshold is met, which is defined as being "where a reasonable person would consider that there exists a real risk of significant harm to an individual." The commissioner has interpreted "significant harm" to mean "a material harm ... [having] non-trivial consequences or effects." Examples may include possible financial loss, identity theft, physical harm, humiliation, or damage to one's professional or personal reputation.

Furthermore, the commissioner requires that a "real risk of significant harm" must be more than "merely speculative" and not simply "hypothetical or theoretical." A breach relating to highly sensitive personal information, such as financial information, is more likely to meet this standard and require reporting.

If a breach meets the threshold of being a "real risk of significant harm" and is reported appropriately, the commissioner will review the information provided by the organization to determine whether affected individuals need to be notified of the data breach. If so, the commissioner can, (and typically does), direct the organization to notify individuals in the form and manner prescribed by PIPA regulations.

PIPEDA's breach reporting and notification rules require organizations that experience a data breach to report the incident to the Office of the Privacy Commissioner of Canada and to notify affected individuals, and any other organizations or governments that may reduce the risk of harm. Reporting and notification will be required in all circumstances where it is reasonable to believe that the breach creates a "real risk of significant harm to the individual". Under PIPEDA, "significant harm" is defined to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. The Act determines the existence of a "real risk of significant harm" by considering the sensitivity of the personal information involved in the breach, the probability that the personal information will be misused and any other factors that may be prescribed by regulation.

PIPEDA also carries offences for non-compliance with data security breach obligations. An organization that knowingly contravenes PIPEDA's requirement to report and record a breach - or that hinders the commissioner's efforts to investigate a complaint or perform an audit - may face fines of up to $10,000 for a summary offence, or up to $100,000 for an indictable offence.

The Québec Privacy Act provides that if an organization has a reason to believe that a "confidentiality incident" has occurred,it must take reasonable steps to reduce the risk of harm and to prevent recurrence. A confidentiality incident occurs in the case of an unauthorized access to or use of personal information, of the communication of personal information, of the loss of personal information or when there is any other breach in the protection of personal information. If this confidentiality incident risks causing serious injury, it must promptly be notified to the CAI and to the person whose personal information is involved.

There is no definition of "risk of serious injury" in the Québec Privacy Act, but the organizations must assess if the situation poses such risk based on certain factors, such as the sensitivity of the information, the consequences that could result from its use, the likelihood that this use will be for injurious purposes, etc. Additionally, organizations must keep a confidentiality incident log, a copy of which must be forwarded to the CAI at its request.

4. Cross-border transfers and outsourcing

Cross-border transfers and the outsourcing of Canadian personal information to foreign countries have become subjects of much focus in Canada. A great deal of this attention has focused on concerns that U.S. authorities could use the USA Patriot Act to obtain Canadians' personal information if it is located in or accessible from the U.S. Other concerns arise when data is transferred pursuant to free trade agreements (including the Trans-Pacific Partnership (TPP)), or when transfers engage foreign privacy regimes, such as Europe's General Data Protection Regulation (GDPR). As such, it is critical to understand Canada's rules for cross-border data transfers to ensure compliance and commercial efficiency in a complex global privacy landscape.

PIPEDA and related provincial legislation do not prohibit the transfer of personal information outside of Canada. However, public sector privacy legislation in British Columbia and Nova Scotia imposes restrictions on public bodies (and organizations that process personal information on their behalf) with respect to the transfer of personal information. Furthermore, privacy regulators have held that notice of such transfers must be provided to affected individuals - along with notice that such personal information may be subject to access requests from foreign governments, courts, law enforcement officials and national security authorities, according to foreign laws. Notably, British Columbia recently loosened its restrictions on cross-border transfers for the public sector. Personal information can now be transferred outside of Canada to the United States under British Columbia's public sector public law. Any disclosure of personal information outside of Canada must be in accordance with regulations under British Columbia's public sector privacy legislation.

In addition, health sector privacy legislation in Newfoundland and Labrador and Nova Scotia imposes restrictions on health information custodians (and organizations that process personal health information on their behalf) with respect to the transfer of personal health information outside the province.

PIPEDA requires an organization to provide a "comparable level of protection" when personal information is being processed by a third party through "contractual or other means." As such, if an organization transfers personal information to a third party, the transfer must be "reasonable" for the purposes for which the information was initially collected, the information must be protected using contractual means, and the organization should be transparent about its information-handling practices, including notifying individuals. This applies whether the third party processor is within Canada or overseas. In addition, the Québec Privacy Act requires organizations to consider the potential risks involved in transferring personal information outside of Québec. If the information will not receive adequate protection, it must not be transferred.

Under the Québec Privacy Act, the transfer of personal information out of Québec is allowed under certain conditions. Since September 2023, in order for an organization to transfer personal information out of Québec, it must, namely, first conduct a Privacy Impact Assessment ("PIA"), which must take into consideration:

  • The sensitivity of the information.
  • The purpose for which it will be used.
  • The applicable protection measures, including contractual ones.
  • The legal framework of the State to which the information would be communicated, including the "personal information protection principles" applicable in this State.

If the PIA establishes that the jurisdictions to which the information will be sent offers "adequate protection," the transfer may be allowed. Whether or not a jurisdiction offers adequate protection is to be assessed, "in light of generally recognized principles regarding the protection of personal information."

Finally, the transfer is conditional on the conclusion of a written agreement, which should consider the PIA's results. If both parties agreed on terms to mitigate the risks identified in the PIA, those should appear in this agreement. The above principles are applicable when an organization entrusts a person or body outside of Québec with collecting, using, communicating or keeping personal information on their behalf.

The Alberta PIPA explicitly imposes obligations on organizations that use service providers outside of Canada to collect, use, disclose or store personal information. Organizations are obligated to notify individuals that they will be transferring individuals' personal information to a service provider outside the country, and to include information on outsourcing practices in the organization's policies.

The OPC provides guidelines for processing personal data across borders.

5. Enforcement

In addition to negative publicity, there are legal and financial consequences for violating privacy legislation. An injured party, be it an individual or organization, must follow the ombudsman's procedure for filing a complaint with the respective provincial authority or the federal Office of the Privacy Commissioner (OPC).

The role of the OPC is to facilitate the resolution of such complaints through persuasion, negotiation and mediation. The OPC may decide to investigate the complaint and to issue a report setting out non-binding recommendations based on the findings. The OPC may also begin an investigation where the OPC deems it is warranted, even in the absence of a complaint. In conducting the investigation, the OPC has a variety of powers, including the power to compel the production of evidence.

Once the OPC completes its investigation and issues a report, either the OPC or the complainant may apply to the Federal Court to seek enforcement and/or damages under PIPEDA. There is also the potential for a fine to be imposed for noncompliance with certain provisions of PIPEDA.

Under Alberta's PIPA and British Columbia's PIPA, the applicable provincial privacy commissioner has the power, following an investigation, to direct the organization to remedy the situation. These orders are enforceable in court and are the basis for civil actions. In Québec, orders of the CAI can be appealed to the Québec Superior Court.

There are three main types of sanctions that can result from non-compliance to the Québec Privacy Act as of September 2023:

  • Firstly, non-compliance with the Québec Privacy Act could result in administrative monetary penalties. The maximum amount is $50,000 for individuals, and the greater amount between $10,000,000 and 2 per cent of the worldwide turnover for the preceding fiscal year for organizations;
  • Secondly, non-compliance with the Québec Privacy Act could lead to penal sanctions. Fines may range between $5, 000 and $100,000 for individuals, and the greater amount between $25,000, 000 and 4 per cent of the worldwide turnover for the preceding fiscal year for organizations; and
  • Finally, in the case of an unlawful infringement of a right conferred by the Québec Privacy Act or by sections 35 to 40 of the Civil Code of Québec that causes injuries to a person, that person has a claim for damages. If that infringement is intentional or due to a gross fault, minimum punitive damages of $1,000 will be imposed.

The OPC can enter into compliance agreements with organizations that he or she reasonably believes have violated, or are about to violate, PIPEDA provisions. Such agreements can include any terms the OPC considers necessary to ensure compliance with PIPEDA. If a counterparty organization breaches the agreement, the commissioner is authorized to apply to the Federal Court for a compliance order or a hearing. However, being party to a compliance agreement will not insulate the organization from claims made by individuals, or from the prosecution of an offence under PIPEDA.

6. The General Data Protection Regulation

The European Union's ("EU") General Data Protection Regulation ("GDPR") took effect on May 25, 2018. Companies in Canada need to determine whether or not they fall within the scope of the GDPR, and if within the scope, take steps to comply.

The GDPR applies to:

  • Those with an establishment (subsidiary or branch) in an EU (or European Economic Area (EEA)) country, in respect of all processing of personal data in that establishment (as controller or processor, as defined by the GDPR).
  • Those that do not have an establishment in the EU (or EEA), but which are processing (as controller or processor) personal data of natural persons who are in the EU (or EEA) in relation to the offering goods or services to these persons or the monitoring of their behaviour, with regard to such processing activities only.

Complying with the GDPR means, above all, ensuring that the personal data concerned is processed according to the following principles, subject to any standards adopted by the supervising authority of the relevant country:

  • Lawfulness, fairness, transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Learn more about Gowling WLG services in privacy law »

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.