1. What national law(s) apply to the collection and use of personal data? If applicable, has Directive 95/46/EC on data protection (Data Protection Directive) been implemented?
Personal information protection is governed by:
- Federal law.
- Laws of the ten provinces and three territories.
- Industry practice.
Privacy laws protect:
- Personal information in the public sector.
- Personal information in the private sector (generally, such laws apply either to sector-specific activities or information, or to personal information that is collected, used or disclosed in the course of commercial activities and, in some circumstances, in the course of employment).
- Health information.
This chapter considers only generally-applicable legislation that regulates the commercial use of personal information in the private sector.
Specific legislation may also apply to a particular category of information or activity. Different activities and categories of information are regulated by different federal and provincial laws so that obligations can be complex, varied and sometimes overlapping, depending on the nature of the information and the location of the activities associated with it. This means that an organisation collecting, using or disclosing personal information in more than one jurisdiction may be required to comply with more than one law and should therefore analyse the nature of the information, and the nature and location of the activities relating to it, to be sure that it meets all applicable requirements.
At the federal level, personal information protection in the private sector is governed by the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA), which came fully into force on 1 January 2004. PIPEDA applies to all regulated activities, except to the extent that the federal government determines that a province has enacted substantially similar legislation. Provincial counterparts to PIPEDA which are currently in force for personal information in the private sector are the:
- Personal Health Information Protection Act, 2004, in Ontario (limited to health information).
- Personal Information Protection Act 2003, in Alberta.
- Personal Information Protection Act 2003, in British Columbia.
- Health Information Act 1999, in Alberta (a different style of legislation limited to health information, not currently the subject of a substantial similarity order; this Act is not discussed further in this chapter).
- Act Respecting the Protection of Personal Information in the Private Sector 1993 (as amended), in Québec.
Personal information is, at the federal level, the responsibility of the Office of the Privacy Commissioner of Canada, headed by the federal Privacy Commissioner. Some provincial equivalent authorities are:
- Office of the Information and Privacy Commissioner of Alberta.
- Office of the Information and Privacy Commissioner for British Columbia.
- Office of the Information and Privacy Commissioner of Ontario.
- Québec Access to Information Commission (Commission d'accès à l'information du Québec).
(See box, The regulatory authorities.)
2. To whom do the rules apply (EU: data controller)?
At the federal level, the personal information protection rules apply to every organisation collecting, using or disclosing personal information in the course of commercial activities. At the provincial level, the federal law applies unless the province has enacted substantially similar legislation (namely, Alberta, British Columbia, Quebec and Ontario (limited to health information)). In Alberta, British Columbia and Quebec, the legislation applies to every organisation and all personal information, unless otherwise specified. Generally, an organisation includes:
- Unincorporated associations.
- Individuals acting in a commercial capacity.
- Trade unions.
The privacy laws may also apply to employment relationships where an organisation collects, uses or discloses the personal information of its employees in one of the following circumstances:
- In connection with the operation of a federal work, undertaking or business.
- In the course of a commercial activity.
- In Alberta or British Columbia.
Obligations vary depending on the nature of the organisation and where its activities relating to the personal information of its employees occur.
Organisations may also be held accountable for personal information in their control and for the activities of third parties undertaken on the organisation's behalf (see Question 15).
As the language used in the different federal and provincial laws varies, an organisation should take care to ensure that all necessary obligations are met under each applicable law.
3. What data is regulated (EU: personal data)?
Private sector privacy laws apply to personal information. The definition of personal information varies between the applicable legislation:
- Federal. Personal information means information about an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organisation (PIPEDA).
- Alberta and British Columbia. Personal information means information about an identifiable individual and excludes business contact information (such as an individual's name, title, business telephone number, address, e-mail address or fax number) where it is used for contacting the individual in their capacity as an employee or official of an organisation (Personal Information Protection Acts).
- Québec. Personal information includes any information that relates to a natural person and allows that person to be identified (Act Respecting the Protection of Personal Information in the Private Sector).
- Ontario. Personal health information includes identifying information about an individual that relates to the physical or mental health of the individual or the provision of healthcare to the individual. It includes identifying information contained in a record containing such information (Personal Health Information Protection Act).
Although these definitions are very broad, each law only applies to certain categories of activities relating to personal information. Other activities may be regulated by separate legislation (for example, health information or personal information in the public sector) or not regulated at all (for example, certain non-commercial, personal or domestic activities).
4. What acts are regulated (EU: processing)?
Generally, the following activities relating to personal information are regulated:
- Collection.
- Use.
- Disclosure (including transfer, lease or sale).
An individual has the right (subject to specific exceptions) to:
- Know what personal information is being collected.
- Know the purposes for which personal information is collected, used or disclosed.
- Consent to the collection, use or disclosure of personal information.
- Access, and request the correction of, personal information held by an organisation.
5. What is the jurisdictional scope of the rules?
PIPEDA applies to regulated activities that occur within Canada or between Canada and another jurisdiction.
Where an activity occurs in a province that has enacted private sector privacy legislation, that activity may be governed by both PIPEDA and by provincial law, or just the provincial law if the activity occurs only in the province.
6. What are the main exemptions (if any)?
Most federal and provincial private sector privacy legislation excludes categories of, and certain activities relating to, personal information that:
- Is used in relation to an emergency that threatens an individual's life, health or security.
- Is publicly available (this is narrowly defined by the legislation and is not the same as being in the public domain).
- Is collected solely for journalistic, artistic or literary purposes.
- Is disclosed to a barrister or solicitor representing an organisation.
- Is used for debt collection.
- Must be disclosed to comply with a subpoena, warrant or court order, or court rules relating to the production of records.
- Must be disclosed to a provincial or federal government institution if it relates to national security or defence.
- Must be disclosed to a provincial or federal government institution if it relates to the conduct of international affairs, law enforcement or the administration of any law.
- Is required for a statistical or scholarly study, and it is impractical to obtain consent from the individuals concerned (or meet other specific requirements).
- Was recorded at least 100 years before disclosure.
- Is disclosed more than 20 years after the death of the relevant individual.
- Must be disclosed by law.
In addition, in Alberta and British Columbia, personal information can be transferred in the context of certain business transactions (such as the sale of shares in, or assets of, a business) without the need for consent from the individuals whose information is being transferred, provided the parties to the transaction have complied with the specific requirements of the applicable legislation. In British Columbia, this includes the provision of notice of such transfer. The definition of business transaction and the types of information that can be collected, used or disclosed in a business transaction varies between the jurisdictions.
7. Is notification or registration required before processing data? If so, please provide brief details.
There are no requirements to notify, or register with, a government body to collect, use or disclose personal information, except when using certain personal information for a statistical or scholarly study in Alberta or Québec (in which case, consent is required).
Consent and notification rights depend on the applicable legislation:
- Federal. Generally, an individual must consent to the collection, use or disclosure of personal information, for a specified purpose, by an organisation either before or at the time of collection.
- Alberta and British Columbia. Generally, an individual must consent to an organisation collecting, using or disclosing personal information for a specified purpose either before, or at the time of, collection. Where personal information is collected, used or disclosed for the purpose of establishing, managing or terminating an employment relationship, an employer may, in some circumstances, only be required to provide notice to its employees of the nature of the information and the purpose for which it is to be collected.
MAIN DATA PROTECTION RULES AND PRINCIPLES
8. What are the main obligations imposed on data controllers to ensure that data is processed properly?
An organisation can only collect, use or disclose personal information for a reasonable purpose and only to the extent that is necessary to meet that purpose. Once this threshold is met, an organisation must then ensure that it complies with all necessary obligations in relation to the information that it has collected. These are generally based on ten key privacy principles:
- Accountability. An organisation is responsible for the personal information in its custody or under its control and must designate an individual or individuals who are accountable for its compliance with the applicable legislation. Organisations are responsible for their agents and employees, including third parties to whom they entrust personal information or who collect, use or disclose personal information on their behalf.
- Identifying purposes. The purposes for which personal information is collected must be identified by the collecting organisation at or before the time the information is collected. Organisations can only collect personal information for those identified purposes.
- Consent. Individuals must be notified of, and consent to, the collection, use or disclosure of their personal information, unless a statutory exemption applies.
- Limiting collection. The collection of personal information must be limited to that which is necessary for the purposes identified by the organisation, and information must be collected by fair and lawful means.
- Limiting use, disclosure and retention. Personal information cannot be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information can only be retained for as long as necessary to fulfil the purposes for which it was collected.
- Accuracy. Personal information must be kept as accurate, complete and up to date as is necessary for the purposes for which it is to be used.
- Safeguards. Personal information must be protected by safeguards appropriate to the sensitivity of the information.
- Openness. Certain specific information about the organisation's policies and practices relating to the management of personal information must be made readily available to individuals.
- Individual access. If they request, individuals have the right (subject to certain exemptions) to be informed of the existence, use and disclosure of, and be given access to, their personal information. Individuals can challenge the accuracy and completeness of their information and have it amended as appropriate.
- Challenging compliance. Individuals must be able to submit a complaint to the person(s) responsible for the organisation's compliance, challenging its adherence to the above principles.
The various privacy laws may contain exceptions to these requirements, impose additional specific obligations or present the key principles in such a way that their scope varies from that set out above.
9. Is the consent of data subjects required before processing personal data? If so:
- What rules are there regarding the form and content of consent? Would online consent suffice?
- Are there any special rules regarding the giving of consent by minors?
Form and content of consent
Depending on the sensitivity of the personal information being collected, consent can be:
- Express. Consent can be given orally, electronically or in writing. It can also be given online but, as with any other form of consent, must meet the requirements of the applicable privacy legislation and, in some circumstances, the applicable electronic commerce legislation.
- Implied. Consent can reasonably be inferred from an individual's actions or inaction. For example, when an individual enters into an agreement with an organisation, it can be implied that he has consented to the collection, use and disclosure of his personal information for purposes related to the performance of that agreement and for any other purposes identified to him at the relevant time.
- Deemed. Consent can be deemed using an opt-out mechanism. The requirements for such mechanisms are established either in the privacy laws or in the Commissioners' decisions and generally include:
  - the personal information must be clearly non-sensitive in nature and context;
  - the information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed, and the extent of the intended use or disclosure;
  - the organisation's purposes must be limited and well-defined, stated in a reasonably clear and understandable manner, and brought to the individual's attention at the time the personal information is collected;
  - the organisation must establish a convenient procedure for easily, inexpensively and immediately opting out of, or withdrawing consent to, secondary purposes and must notify the individual of this procedure at the time the personal information is collected.
The consent requirements apply to information already in the custody or control of an organisation when the applicable legislation came into force (legacy information), as well as to all future collection activities. The various laws differ in their treatment of legacy information. Some provincial laws provide for consent to be deemed so that an organisation can continue using or disclosing legacy information for the purpose for which it was collected. This is not the case under PIPEDA.
Consent by minors
Consent rules depend on the applicable legislation:
- Federal. Consent from minors is not expressly prohibited in PIPEDA but, as consent from a guardian is described as an acceptable form of consent for information relating to minors, it is generally advisable to seek consent from a guardian rather than a minor.
- Alberta. Minors can give consent provided they understand the nature and consequences of doing so. Otherwise, consent must be obtained from the minor's guardian.
- British Columbia. Guardians can consent on behalf of a minor if the minor is incapable of exercising his rights.
10. If there is no consent, on what other grounds (if any) can processing be justified?
There are several exemptions to the need for consent (see Question 6). In addition, in Alberta and British Columbia, certain personal information about employees that is collected, used or disclosed solely for the purposes of establishing, managing or terminating the employment relationship does not require consent provided that the required notices have been provided to the employees.
11. Do special rules apply in the case of certain types of personal data, for example sensitive data? If so, please provide brief details.
Generally, the more sensitive the personal information, the more onerous the requirements to show that:
- It is being collected, used or disclosed for a reasonable purpose, and only to the extent necessary to meet that purpose.
- The individual has consented to the collection, use or disclosure of their personal information (express consent is more likely to be required and deemed consent is less likely to be effective (see Question 9)).
Whether personal information is sensitive depends on individual circumstances (for example, the names and addresses of subscribers to periodicals are not normally considered sensitive personal information, except in the case of certain special-interest periodicals). Social insurance numbers and health and financial information are almost always considered sensitive personal information. In addition, information from which it is possible to determine an individual's beliefs and/or interests is often considered sensitive.
RIGHTS OF INDIVIDUALS
12. What information should be provided to data subjects at the point of collection of the personal data?
Before, or at the time that, personal information is collected, individuals must (unless otherwise provided by legislation) be made aware of the:
- Nature of the personal information being collected.
- Purposes for which their personal information is to be collected, used or disclosed.
- Name of a person who is able to answer, on behalf of the collecting organisation, the individual's questions about the collection.
For the consent to be valid, it must be given voluntarily and without reliance on deceptive or misleading collection practices. Consent to purposes beyond what is reasonably necessary to supply a product or service cannot be a precondition to the supply of that product or service.
In Québec, consent must be manifest, free and enlightened and must be given for specific purposes. Such consent is valid only for the length of time needed to achieve the purposes for which it was requested.
As consent given for one purpose is not valid for other purposes, organisations should anticipate their use and disclosure requirements in advance and develop their consent practices to ensure that all eventualities are covered.
13. What other specific rights (such as a right of access to personal data or the right to object to processing) are granted to data subjects?
Right of access
Generally, individuals have the right, subject to certain exceptions and restrictions, to:
- Be informed of the existence, use and disclosure of their personal information.
- Have access to their personal information.
Organisations can, if permitted or required by the applicable legislation, refuse to grant access to some or all personal information. When this is possible depends on the applicable law but, generally, organisations can refuse access if:
- The information contains references to other individuals that cannot reasonably be removed.
- The information is subject to a legal privilege.
- Disclosure of the information would reveal confidential commercial information that it is reasonable to withhold.
- The information was collected for an investigation or legal proceeding.
- The disclosure of the information might result in that type of information no longer being provided to the organisation when it is reasonable to expect that that type of information should be provided.
- The information was collected by a mediator or arbitrator, or created in the conduct of a mediation or arbitration, provided for by an agreement, enactment or court appointment.
- The information may be used in the exercise of prosecutorial discretion.
- The disclosure of the information can reasonably be expected to threaten the life or security of another individual.
- The information would reveal the identity of an individual who has provided an opinion about another individual in confidence and who has not consented to the disclosure of their identity.
Organisations may be required to respond to an individual's request in a relatively short time frame (between 30 and 45 days, depending on the legislation) and without any, or only a minimal, fee. Extensions of response time periods may be available depending on the circumstances and the applicable law.
If an individual can demonstrate that his information is inaccurate or incomplete, the organisation may be required to make appropriate changes and inform any third parties that have received this information of the changes. In certain circumstances an organisation can refuse to make a requested correction, but may be required to annotate the applicable records to indicate that a correction was requested but not made.
14. What security requirements are imposed in relation to personal data?
Organisations must implement safeguards to protect personal information against:
- Loss or theft.
- Unauthorised access, collection, use, disclosure, copying,
modification, disposal or destruction.
- Other similar risks.
Generally, the nature of the safeguards required varies depending on the:
- Sensitivity of the information collected (organisations must protect personal information with safeguards appropriate to the sensitivity of the information).
- Amount, distribution and format of the information.
- Method of storage.
When considering the nature of the safeguards to be employed, organisations should consider:
- Physical protection, such as locked cabinets and restricted access to offices.
- Organisational safeguards, such as security clearances or limiting access on a need-to-know basis.
- Technological measures, such as passwords and encryption.
PROCESSING BY THIRD PARTIES
15. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?
Generally, an organisation is responsible for ensuring that third parties acting on its behalf comply with privacy laws if:
- The third party collects, uses, processes or discloses personal information on behalf of the organisation.
- Personal information collected by or for the organisation is in the custody of the third party.
This applies whether the third party is within or outside of Canada.
The risks associated with these obligations are often addressed through contractual arrangements with the third parties to ensure that they:
- Comply with all applicable laws.
- Apply the same standards and care as the organisation.
INTERNATIONAL TRANSFER OF DATA
16. What rules govern the transfer of data outside your jurisdiction?
Personal information collected in Canada and transferred to another jurisdiction is subject to the same privacy rules as personal information collected and disclosed within Canada.
Canada's privacy commissioners are likely to assert jurisdiction over foreign disclosures and require the disclosing organisation to follow all the applicable Canadian rules, particularly those relating to use and disclosure (that is, that use or disclosure must be for a reasonable purpose and limited to the extent necessary to meet this purpose, and an individual must consent to, or be notified of, the collection, use or disclosure of his personal information).
17. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?
Although data transfer or privacy compliance agreements are used in Canada, no standard forms or precedents have been approved by national authorities.
18. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?
A data processing agreement should ensure that the transferee will comply with privacy laws, as the transferring organisation remains responsible for privacy obligations (see Question 15).
Generally, any transfer of personal information within Canada or to another jurisdiction will only be permitted if:
- The disclosure is for a reasonable purpose and limited to the extent necessary to meet this purpose.
- The individual has consented to, or been notified of, the disclosure of his personal information, in the manner required by the applicable law.
- All other requirements for disclosure specified in the applicable legislation have been met.
19. Does the relevant national regulator need to approve the data transfer agreement? If so, please provide brief details.
Data transfer agreements do not need to be approved by privacy commissioners.
ENFORCEMENT AND SANCTIONS
20. What are the enforcement powers of the national regulator?
Individuals can submit written complaints to the Federal Privacy Commissioner about any activity that they believe contravenes PIPEDA. The Federal Privacy Commissioner can also initiate a review.
When conducting an investigation, the Federal Privacy Commissioner can:
- Summon and compel a witness to give evidence under oath, and to produce records and things, in the same manner as a superior court of record.
- Administer oaths.
- Accept evidence that would not be admissible in a court.
- Enter premises other than a dwelling house, provided any security requirements of the organisation are met.
- Converse in private with anyone on any premises that is entered.
- Examine or obtain copies of, or extracts from, records held on those premises.
Within one year of receiving a complaint or initiating an investigation, the Privacy Commissioner must prepare a report unless she determines any of the following:
- Other grievance procedures need to be exhausted first.
- Another legal procedure would be more appropriate to deal with the complaint.
- A report would not be useful.
- The complaint is frivolous.
The report includes:
- Findings and recommendations.
- A description of any settlement.
- If appropriate, a request that the Privacy Commissioner be given notice of any action taken to implement the recommendations, or of the reasons why action is not taken.
After a report is issued, a complainant can then apply to the relevant court for a hearing in respect of any matter relating to the complaint.
The Privacy Commissioner can also audit the privacy practices of an organisation subject to her jurisdiction on reasonable notice.
The provincial privacy commissioners generally have the same or stronger powers of enforcement as the federal Privacy Commissioner. In particular, they can:
- Conduct investigations to ensure compliance with their legislation.
- Initiate investigations of their own accord.
- Receive, investigate and resolve complaints.
- Mediate settlements.
- Make binding orders.
- Give advice to organisations on compliance.
- Give advance rulings on issues arising under the legislation.
- Conduct a formal inquiry.
21. What are the sanctions and remedies for non-compliance with the data protection laws? To what extent are the laws actively enforced?
Fines of up to Can$10,000 (about US$10,000) on summary conviction or Can$100,000 (about US$100,000) on indictment can be issued for:
- Obstructing an investigation or audit by the Privacy Commissioner.
- Unlawfully destroying evidence.
- Retaliating against an employee for initiating a complaint or refusing to contravene PIPEDA.
The Federal Court can order an organisation to:
- Correct its practices.
- Publish a notice of any action taken, or proposed to be taken, to correct its practices.
- Pay civil damages to a complainant, including damages for any humiliation suffered.
In addition to the various Commissioners' broad order-making powers, fines can be imposed, the amount of which vary depending on the province:
- Alberta. Individuals can be fined up to Can$10,000 and entities can be fined up to Can$100,000.
- British Columbia. Individuals can be fined up to Can$10,000 and entities can be fined up to Can$100,000.
- Québec. The maximum fine is Can$20,000.
Organisations can also face civil liability for the breach of provincial privacy legislation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.