Canadian Data Protection Laws Overview
Chapter 1
In Canada there are 28 federal, provincial and territorial privacy statutes (excluding statutory torts, privacy requirements under other legislation, federal anti-spam legislation, criminal code provisions etc.) that govern the protection of personal information in the private, public and health sectors. Although each statute varies in scope, substantive requirements, remedies and enforcement provisions, they all set out a comprehensive regime for the collection, use and disclosure of personal information.
The summary below focuses on Canada’s private sector privacy statutes:
- Personal Information Protection and Electronic Documents Act (‘PIPEDA’)
- Personal Information Protection Act (Alberta) (‘PIPA Alberta’)
- Personal Information Protection Act (British Columbia) (‘PIPA BC’)
- An Act Respecting the Protection of Personal Information in the Private Sector (‘Quebec Privacy Act’), (collectively, ‘Canadian Privacy Statutes’)
On June 16, 2022, the federal Government introduced Bill C-27, a wide-reaching piece of legislation that is intended to modernize and strengthen privacy protection for Canadian consumers and provide clear rules for private-sector organizations. It is the second attempt to modernize federal private-sector privacy legislation, after a previous proposal died on the order paper in 2021. If adopted, Bill C-27 will replace PIPEDA with legislation specific to consumer privacy rights (the Consumer Privacy Protection Act) and electronic documents (the Electronic Documents Act). Bill C-27 will also introduce the Artificial Intelligence and Data Act, which aims to create rules around the deployment of AI technologies.
Key elements of Bill C-27 include:
- Clarified consent requirements for the collection, use and disclosure of personal information
- Expanded enforcement powers for the Office of the Privacy Commissioner of Canada, including stiff penalties for serious offenses of up to 5% of annual gross global revenue or CA$25 million
- New rules governing de-identified information
- The creation of a specialized Personal Information and Data Protection Tribunal
C-27 is still in the early stages of the legislative process, but it is currently expected to be adopted some time in 2023.
PIPEDA applies to all of the following:
- Consumer and employee personal information practices of organizations that are deemed to be a ‘federal work, undertaking or business’ (eg, banks, telecommunications companies, airlines, railways, and other interprovincial undertakings)
- Organizations who collect, use and disclose personal information in the course of a commercial activity which takes place within a province, unless the province has enacted ‘substantially similar’ legislation (PIPA BC, PIPA Alberta and the Quebec Privacy Act have been deemed ‘substantially similar’)
- Inter provincial and international collection, use and disclosure of personal information in connection with commercial activity
PIPA BC, PIPA Alberta and the Quebec Privacy Act apply to both consumer and employee personal information practices of organizations within BC, Alberta and Quebec, respectively, that are not otherwise governed by PIPEDA.
Quebec recently enacted a major reform of its privacy legislation with the adoption of Bill 64. Bill 64 received Royal Assent on September 22, 2021. A first set of amendments came into force on September 22, 2022, with additional modifications set to come into force on September 22, 2023, and September 22, 2024. With Bill 64’s changes, Quebec now has a modern legal framework for privacy that resembles the European GDPR in several key areas.