1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
Data privacy is regulated both federally and provincially in Canada. At the federal level, there are two legislative regimes. Public sector institutions are governed by the Privacy Act, which sets out the rules on how the federal government collects, stores and uses personal information. These include rules on individuals' rights to access and correct their information, as well as rules on how that information is handled when providing government services.
Private sector institutions are currently governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to all federally regulated organisations, such as financial institutions, inter-provincial transportation providers and telecommunications providers. It also applies to provincially regulated businesses in the absence of ‘substantially similar’ provincial legislation.
At the provincial level, British Columbia, Alberta and Quebec all have privacy laws that are substantially similar to PIPEDA and thus operate in place of it. Notably, PIPEDA still applies to federally regulated businesses in these provinces. This means, for example, that airlines in Alberta (inter-provincial transport) are governed by PIPEDA, whereas airport shuttle services (intra-provincial transport) are governed by the provincial law.
In November 2020, the federal government introduced Bill C-11. The bill proposes new legislation which would replace PIPEDA: the Consumer Privacy Protection Act (CPPA). The CPPA would introduce several procedural and substantive changes, including:
- larger penalties;
- a more robust enforcement regime;
- a new cause of action; and
- more rights for data subjects.
These proposed changes are discussed in further detail in questions 1.4, 7.1 and 13.1.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
Healthcare and employee information are the most widely regulated areas. Ontario, Nova Scotia, Newfoundland and New Brunswick all have legislation governing the collection, use and disclosure of medical information. Notably, PIPEDA applies only to employee information in federally regulated businesses. Alberta and British Columbia have thus incorporated provisions governing employment relationships into their privacy laws.
Privacy provisions can also be found in other legislation. For example, the Bank Act includes provisions addressing how personal financial information is handled by financial institutions.
Biometric data falls within the subject matter governed by the Privacy Act and PIPEDA, although neither makes special provision for it. Rather, biometric data is treated the same as any other personal information about an identifiable individual. The Office of the Privacy Commissioner has recognised the unique challenges posed by biometrics and provides some guidance. The absence of a provision dealing with biometric data will likely not change, because Bill C-11 does not distinguish between biometric information and other types of information.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
Canada is not a party to any bilateral or multilateral data privacy agreements. However, the Canadian courts have held that PIPEDA applies to businesses in other jurisdictions whose operations have a ‘real and substantial connection’ to Canada. This is discussed further in question 2.3.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The Office of the Privacy Commissioner of Canada (OPC) is responsible for overseeing compliance with Canadian privacy law. However, the OPC has limited powers of enforcement and operates as something of an ombudsman. Currently, the OPC will investigate complaints and, if a violation is found, make recommendations on what steps the organisation should take to rectify it. Importantly, the OPC's recommendations are just that; it has virtually no powers of enforcement and cannot levy fines. It can, however, ask the non-compliant organisation to enter into a compliance agreement whose terms will be legally enforceable. If the organisation does not voluntarily agree to comply with the OPC's recommendation and refuses to enter into a compliance agreement, the OPC may refer the matter to the Federal Court.
This is one of the main changes proposed in Bill C-11. The CPPA would substantially broaden the powers of the OPC by allowing it to make orders demanding that an organisation do something, stop doing something and even make public any measures taken to correct the deficient policies. Concerns have arisen over the effect that these expanded powers will have on procedural fairness (discussed further in question 13.1).
In addition to giving the OPC more teeth, Bill C-11 would establish the Personal Information and Data Privacy Tribunal. The tribunal would have the power to levy fines and penalties at the request of the OPC and hear appeals by non-compliant organisations. The aim would be to streamline the process and keep disputes out of the courts.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
Interestingly, Schedule 1 of PIPEDA, which lays out the 10 principles that guide Canadian privacy law, was originally a guide written by the Canadian Standards Association in 1996. These principles, discussed further in question 5.2, are the backbone of Canadian privacy law and serve as an excellent best practices guide.
Another resource for businesses is a guide published by the OPC, appropriately entitled "Privacy Guide for Businesses". While this guide largely tracks PIPEDA's 10 principles, it also includes many specific recommendations, such as the following:
- Conduct an impact assessment and threat analysis on information handling practices;
- Make privacy policies readily available to both customers and employees;
- Ensure that means of obtaining consent are user friendly and generally understandable;
- Institute maximum and minimum data retention periods;
- Establish policies that govern the updating of information;
- Ensure that employees are aware of the importance of maintaining data security; and
- Ensure that frontline staff are trained in responding to complaints and inquiries of data subjects.
Organisations often refer to a guide published by the Chartered Professional Accountants called "Generally Accepted Privacy Principles" (GAPP). With the guiding premise that "good privacy is good business", GAPP provides a more practical guide from a business perspective.
Finally, if the CPPA passes into law, it will contain a provision that would permit the creation of codes of practice and certification programmes. While these are not expressly prohibited under the current law, very few are currently in place. This new provision may therefore encourage organisations such as industry associations to self-regulate. Codes of practice and certification programmes would require approval by the OPC and would need to provide substantially the same or greater protection of personal information as that provided in the CPPA.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
Any organisation that collects, uses or discloses personal information in the course of commercial activities is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). This applies equally to for-profit and non-profit organisations. Depending on the circumstances, PIPEDA may or may not apply to professional associations and clubs. Government institutions are governed by the Privacy Act.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
The collection, use and disclosure of personal information purely for personal, journalistic, artistic or literary purposes are exempt from PIPEDA.
PIPEDA also contains an express exemption for business contact information if the information is used solely for the purposes of communicating with the individual in relation to his or her employment or business. This is an area of overlap between PIPEDA and Canada's anti-spam legislation. Organisations that use business contact information for the purposes of e-marketing campaigns should ensure that:
- the recipients or their employers have not provided any non-solicitation statements in respect to the business contact information;
- the communications are relevant to the recipient's professional activities;
- the communications are not generic; and
- the communications specify the person or the person's role.
2.3 Does the data privacy regime have extra-territorial application?
Canadian privacy law does not have extra-territorial application. However, this does not mean that only Canadian organisations are subject to PIPEDA. PIPEDA will apply to non-Canadian organisations if there is a ‘real and substantial connection’ to Canada. In the context of a website, key connecting factors include:
- the content at issue;
- the website's target audience; and
- the impact it has on Canadians.
One particularly important factor for determining the application of PIPEDA is where the data was collected. In one case, the Office of the Privacy Commissioner determined that a US corporation (which did not do business in Canada) was nevertheless subject to the requirements of PIPEDA in respect to information that it collected from a Canadian source about Canadians.
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) Data processing
Not defined. Practically speaking, any collection, use or disclosure of personal information will be the equivalent of ‘data processing’.
(b) Data processor
Not defined. The Personal Information Protection and Electronic Documents Act (PIPEDA) s 4.1.3 provides that an organisation remains responsible for personal information that has been transferred to a third-party data processor. This means that there is no meaningful distinction between ‘data processor’ and ‘data controller’. Alberta's privacy legislation, on the other hand, distinguishes between ‘custody’ and ‘control’, imposing somewhat different obligations on each.
(c) Data controller
Not defined. See question 3.1(b) above.
(d) Data subject
The equivalent term used in Canadian privacy law is ‘individual’, which refers to anyone whose personal information is collected, used or disclosed.
(e) Personal data
‘Personal information’ is any information about an identifiable individual. This includes information such as name, email address, phone number, age, income, identification number and even blood type.
(f) Sensitive personal data
Not defined. However, PIPEDA provides that the form of consent sought by organisations may vary depending on the sensitivity of the information. Medical records and tax information will typically be considered sensitive, whereas postal codes and email addresses will not.
(g) Consent
With some exceptions, any collection, use or disclosure of personal information requires valid consent. Valid consent can be implied or express. Express consent is required for sensitive information, whereas implied consent will generally suffice for less sensitive information.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
PIPEDA contains an interesting mix of prescriptive language and recommendatory language. For example, the same provision that categorically prohibits organisations from retaining data for longer than is necessary merely recommends its disposal or anonymisation. While this provision is something of an outlier, organisations should pay close attention to the use of ‘shall’ and ‘should’ in Canadian privacy legislation.
Canadian privacy law also makes extensive use of the concept of reasonableness. While not expressly defined, reasonableness in Canadian law is an objective standard. Organisations should therefore consider how their actions would be perceived by the ‘reasonable person’.
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
There is no specific legislative requirement for registration. However, if an organisation wants to use data without consent for research purposes, it must inform the Office of the Privacy Commissioner.
4.2 What is the process for registration?
4.3 Is registered information publicly accessible?
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
Generally speaking, if an organisation obtains valid consent, it can collect, use and disclose information within the boundaries of that consent. This is subject to the requirement that personal information be collected only by ‘fair and lawful means’. Organisations cannot use deceptive or illegal methods to obtain consent.
Additionally, organisations cannot collect information indiscriminately. The purposes for collection must be identified and the collection of information must be necessary to fulfil those purposes. These requirements do not vary depending on the type of data being processed.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
Schedule 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out 10 principles that businesses must follow when collecting, using or disclosing personal information. The principles apply regardless of the type of data being processed; however, the specific requirements may vary depending on factors such as the sensitivity of the information.
- Accountability: Organisations are held accountable not only for information under their control, but also for information transferred to third-party processors. To ensure accountability, organisations must appoint an individual to be responsible for compliance with PIPEDA.
- Identifying purposes: Organisations must identify and document the purposes for which information is collected.
- Consent: As a general rule, valid consent is always required for the collection, use or disclosure of personal information. However, consent is not required where it is impractical or impossible to obtain – for example, in the context of law enforcement or where the individual is a minor or mentally incapacitated. Consent can be either implied or express, depending on the nature of the information and the reasonable expectations of the data subject. Finally, individuals can withdraw their consent at any time, subject to any legal/contractual restrictions.
- Limiting collection: Organisations may collect only personal information needed to fulfil the identified purpose. Information cannot be obtained through unlawful, fraudulent or coercive means.
- Limiting use, disclosure and retention: Information may be used or disclosed only for the purposes for which it was collected and cannot be retained longer than is necessary to fulfil those purposes. PIPEDA recommends that information that is no longer necessary to fulfil its purpose be destroyed or anonymised.
- Accuracy: Organisations must ensure that personal information is accurate, complete and up to date.
- Safeguards: Organisations must implement data security measures to protect personal information. Methods of protection include physical, organisational and technological measures. Like consent, the degree of safeguard required varies depending on the sensitivity of the information. Broadly speaking, security safeguards must protect data against loss, theft and unauthorised use.
- Openness: Organisations must be open about their data policies. Information such as the name of the individual accountable for the organisation's data policies should be made readily available. A description of the data and information on how to access it should also be available to data subjects. It is up to the organisation to decide how it wants to make this information available, as long as it is in a form that is ‘generally understandable’.
- Individual access: Organisations must provide data subjects with information regarding how and where the data was obtained and the purposes for which it was collected. This information must be provided at minimal or no cost. Organisations must also correct information if it is out of date or inaccurate.
- Challenging compliance: Organisations must provide data subjects with a means to challenge their compliance with any of the above principles. This requires businesses to develop policies and procedures for handling and investigating complaints and make this information available to data subjects.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
Proportionality plays an important role in data protection in Canada. An organisation's duties vary significantly depending on the sensitivity of the information and the reasonable expectations of the data subjects. This is meant to balance the legitimate business interests of organisations and the privacy expectations of individuals.
Preparedness is also an essential element of data processing in Canada. A robust incident response plan that includes regular penetration tests and audits ensures not only that personal information is secure, but also that the organisation will be perceived favourably in case of a data security breach.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
Organisations are generally permitted to transfer information to third parties for processing without the consent of the data subjects. The transferring organisation remains responsible for the personal information and must ensure that the third party provides a comparable level of protection.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
The Personal Information Protection and Electronic Documents Act imposes no express restrictions on international data transfers. The requirement that third-party processors provide a comparable level of protection ensures that information receives adequate protection regardless of where it is processed. Additionally, the fact that organisations remain responsible for transferred information provides an incentive against offloading responsibility to a foreign entity.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Whether transferring data within Canada or abroad, organisations should be cognisant of their continued responsibility for the transferred information. This means ensuring that sub-processors have proper security measures in place. One way in which organisations maintain oversight of transferred information and ensure that sub-processors are providing adequate protection is by including provisions in their data processing agreements which allow them to perform periodic penetration tests and audits.
Organisations should also consider the effect of the privacy laws in the receiving jurisdiction. For example, information processed in Haiti may be subject to different requirements from information processed in the United States in ways that could affect not only how the information is handled, but also in some cases the enforceability of sub-processing agreements.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
This is an area of Canadian privacy law that will be significantly affected by the changes proposed in the Consumer Privacy Protection Act (CPPA). Currently, data subjects can file complaints with organisations in respect to the accuracy and currency of their personal information. Organisations must investigate the complaints and, if need be, update or remove the information. Data subjects can also request that their data be deleted or anonymised if it is no longer being used for the purposes for which it was collected. While this does provide data subjects with some degree of power over the retention of their data, the power is exercisable only if the organisation is doing something wrong.
The CPPA would strengthen data subjects' ‘right to be forgotten’ by giving individuals an express right to have their information permanently deleted (regardless of the organisation's compliance with the act) unless doing so would violate a law or the reasonable terms of a contract.
Other rights include:
- the right to withdraw consent;
- the right to access and correct information; and
- the right to make complaints to the organisation and to the Office of the Privacy Commissioner (OPC).
These rights will not be affected by the proposed changes in the CPPA.
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
Data subjects can bring complaints directly to the organisation, which is in turn responsible for investigating and taking any remedial steps necessary. Data subjects can also file complaints with the OPC, which must investigate any complaint pertaining to the inappropriate collection, use, or disclosure of personal information. As mentioned in question 1.4, although the OPC has limited enforcement powers, it can refer the matter to the Federal Court if organisations fail to comply with its recommendations. If the legislation proposed in Bill C-11 passes into law in its current form, disputes will be dealt with primarily by a new Personal Information and Data Protection Tribunal.
7.3 What remedies are available to data subjects in case of breach of their rights?
Remedies depend largely on the nature of the wrongdoing. If, for example, an individual complains to an organisation about the accuracy or currency of his or her information, the organisation can remedy the matter by simply correcting or updating the data. In more serious cases, such as data breaches affecting hundreds of data subjects, the OPC may require the organisation to enter into compliance agreements whose breach could result in legal action. Finally, if the matter ends up in court, the Federal Court has broad remedial powers and can issue injunctions and award damages.
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
The appointment of a data protection officer – often called a ‘privacy officer’ – is mandatory under the Personal Information Protection and Electronic Documents Act, as well as under British Columbia and Alberta privacy legislation. The privacy officer is accountable for ensuring that the organisation is compliant with its privacy obligations.
8.2 What qualifications or other criteria must the data protection officer meet?
There are no specific qualifications that the privacy officer must meet. However, as these individuals are responsible for the organisation's data protection obligations, they are typically experts in the field – in many cases privacy lawyers with decades of experience.
8.3 What are the key responsibilities of the data protection officer?
Broadly speaking, the privacy officer is accountable for the organisation's compliance with the 10 principles laid out in question 5.2; or, to put it simply, everything privacy-related. Practically, this means:
- creating and maintaining privacy protection policies;
- managing information requests; and
- handling complaints from the Office of the Privacy Commissioner (OPC).
To facilitate accountability, organisations are required to make the identity of the privacy officer available upon request.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Yes. It is not prohibited under Canadian privacy law to outsource the role of privacy officer. In fact, it is common for organisations to outsource the role to professionals such as privacy lawyers.
The legal requirements of the privacy officer are the same whether he or she is an employee of the organisation or an independent contractor. However, where the privacy officer is not an employee of the company, it is important for him or her to be mindful of the fact that he or she is responsible for the organisation's privacy obligations. Likewise, organisations hoping to outsource the role should be careful to pick someone who is not only qualified, but will also dedicate sufficient time to the organisation's privacy matters.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
Organisations must keep records of all data security breaches and, upon request, provide the records to the OPC. Additionally, as briefly discussed in question 5.2(2), organisations must document the purposes for which any personal information is collected. Organisations should also document and keep records of:
- their data protection policies;
- any communications with data subjects; and
- any other relevant information that could assist with a data subject's request or an inquiry from the OPC.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
Many aspects of Canadian privacy law are general by nature. This means that there is not always black-letter law to which an organisation can refer to determine questions of compliance. Therefore, organisations should be general in their approach to data privacy too. For example, instead of asking what is required to be compliant in a specific situation, organisations should incorporate principles of accountability, consent and openness as cornerstones of their approach to data protection.
Organisations should also be proactive in their approach to privacy protection and should consider not only what is required for compliance now, but also what might be required in the future. While this is especially relevant at this moment, with the pending changes to Canadian privacy legislation, it is also important to consider how changes in technology and shifts in public attitude might affect an organisation's privacy obligations.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
As discussed briefly in question 5.2(7), organisations must have security safeguards in place to protect against the unauthorised access, disclosure, copying, use or modification of personal information. Specific methods of protection will vary depending on the sensitivity, quantity and format of the information, but should include:
- physical measures, such as locks and security cameras;
- organisational measures, such as policies and practices which limit access on a ‘need-to-know’ basis; and
- technological measures, such as data encryption and multi-level authentication systems – especially for mobile devices and for employees working from home.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Organisations must report to the Office of the Privacy Commissioner (OPC) any security breach where it is reasonable to believe that the breach creates a real risk of significant harm. Breach notifications must be made in the prescribed form and must be provided as soon as feasible after the organisation becomes aware of the breach. Breach reports should include:
- a description of the circumstances and cause of the breach;
- when the breach occurred;
- a description of the information affected by the breach;
- the number of individuals affected by the breach;
- a description of the steps that the organisation has taken or will take to reduce the harm of the breach; and
- a description of the steps that the organisation has taken or will take to notify data subjects.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Organisations must notify data subjects of any data breach where it is reasonable to believe that the breach creates a real risk of significant harm. The notification must contain most of the information contained in the report to the OPC (see question 9.2), as well as enough information to allow data subjects to understand the significance of the breach and to take steps to mitigate the harmful effects of the breach.
In cases where the organisation does not believe that the breach creates a real risk of significant harm, the organisation should consider notifying the data subjects anyway. First, organisations which are open and transparent are viewed far more favourably than those which are not. Second, the ‘risk of significant harm’ test is one of reasonableness and, as mentioned in question 3.2, reasonableness is an objective standard. This means that even if an organisation does not believe that there is a risk of significant harm, it may nevertheless be found liable if it was reasonable to believe that there was a risk of significant harm. Factors that establish a risk of significant harm include the sensitivity of the information and the probability of misuse.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
In addition to notifying data subjects and the OPC in case of a data breach, organisations must notify any organisation or government institution that they believe may be able to reduce or mitigate the risk of harm. Importantly, this does not require an organisation to actually be aware of each and every organisation or government institution that could help mitigate harm; only that it notify those of which it is aware.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
Employee information is treated differently depending on whether the business is federally regulated or provincially regulated. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to employee information in federally regulated industries, but not to employee information in provincially regulated industries. Examples of federally regulated industries include:
- inter-provincial transportation;
- telecommunications; and
- nuclear energy.
Quebec, Alberta, and British Columbia are the only provinces that have privacy legislation governing employee information. However, this is not to say that employers in the remaining seven provinces are under no obligation to consider the privacy of their employees. Employment relationships in those provinces are still governed by the relevant employment and labour statutes.
Like other aspects of data protection, consent is central to the collection, use and disclosure of employee information. While PIPEDA permits either express or implied consent, the Quebec legislation requires express consent in respect to employee information. Conversely, consent is not required in Alberta and British Columbia if the information is being collected, used or disclosed for the purposes of managing the employment relationship.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
Employee surveillance is permitted in Canada. However, it must be conducted in a manner that is consistent with the principles found in Canadian privacy legislation. Employers must ensure that:
- the surveillance is demonstrably necessary for a legitimate need;
- the proposed surveillance programme is likely to fulfil that need;
- any loss of privacy resulting from surveillance is proportionate to the benefits gained; and
- there are no less invasive means of fulfilling the need.
In addition to these legal requirements, employers should:
- be open and accountable to employees in respect of their surveillance activities;
- identify, document and inform employees of the purposes of surveillance;
- obtain the informed consent of employees; and
- limit surveillance to what is necessary to fulfil the legitimate identified purposes.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
As with many areas of Canadian law, reasonableness always plays an important role. In the context of surveillance, courts have held that even if an employer has a legitimate purpose for collecting, using or disclosing employee information, it must still be reasonable to do so. Employers should therefore always ask themselves whether a particular action would be perceived as reasonable. Related to this, employers should be cognisant of how their actions would be perceived in the case of a dispute. Employers which are transparent regarding their policies will be viewed favourably by both courts and employees.
11 Online issues
Cookies are not specifically regulated by Canadian privacy laws. Rather, the same requirements and restrictions apply to cookies as apply to other types of personal information. This means that websites must obtain valid consent before collecting information for the purposes of behavioural advertising. However, as mentioned in question 5.2, the degree of consent required depends on the sensitivity of the information. The Office of the Privacy Commissioner (OPC) has stated that implied consent (opt-out consent) is appropriate in the context of online behavioural advertising, provided that the following conditions are met:
- Users are made aware of the purposes for which the information is being collected in a manner that is clear, understandable and transparent;
- Users are informed of the purposes for collection at or before the time collection takes place;
- Users are provided with information about the parties involved in the online behavioural advertising;
- Users can opt out of the collection of information, and the opt-out takes effect immediately and is persistent;
- To the extent practicable, only non-sensitive information is collected; and
- The information is destroyed or anonymised as soon as possible.
As for restrictions, organisations cannot structure their technology in a way that makes their services unusable if a user opts out of behavioural advertising data collection. For this reason, the OPC warns against the use of zombie cookies, super cookies and device fingerprinting technologies.
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Like cookies (see question 11.1), while not specifically regulated, cloud computing services are governed by the general requirements of Canadian privacy legislation. While the same general requirements discussed above apply to cloud-based services, unique privacy challenges arise due to the fact that data is stored in a remote (often foreign) location, making frequent trips over the Internet, often travelling through several intermediaries. Given the resulting increased likelihood and severity of data breaches, organisations should implement technological safeguards and ensure that adequate procedures are in place to deal with breaches and outages.
Another risk that is commonly associated with cloud-based services is the temptation for service providers to repurpose old information without obtaining consent. This is known as ‘function creep’ and is a consequence of how inexpensive it is to store large amounts of data that can be used for many purposes. To guard against this, organisations should:
- establish clear limitations regarding what the cloud provider can and cannot do with the information;
- secure data subjects' consent for new uses of their personal information; and
- consider the reasonable expectations of the data subject.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
As always, transparency is essential. It ensures that data subjects are adequately informed of the relevant risks and that the organisation is viewed favourably in the event of a data breach.
Accountability is also key in the online and networked context. It is important to remember that cloud providers are essentially third-party data processors; and, as discussed in questions 5.2 and 11.3, organisations remain responsible for information transferred to third parties. Therefore, when it comes to cloud services, organisations should take extra care to draft agreements that ensure a comparable level of data protection.
Finally, online data collection usually crosses international borders. Although Canadian privacy law still applies to the organisation in respect to the transferred information, foreign laws may also apply to the information. Furthermore, the cloud provider might use many different servers in many different jurisdictions, making it difficult or impossible for organisations to know where the data is physically located at any given time. Organisations should therefore consider the risks associated with transferring personal information to jurisdictions that may not be subject to the same data protection requirements or where their data protection agreements may not be enforceable.
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
The Office of the Privacy Commissioner (OPC) encourages parties to resolve disputes among themselves and will typically provide the organisation with an opportunity to remedy the complaint before opening an investigation. Early resolution is common because even if the organisation does not believe that it did anything wrong, the prospect of facing a lengthy investigation by the OPC is often not worth the fight.
If the allegations are such that an informal resolution is not possible or if the parties are unable to come to an agreement, the OPC will decide whether to investigate the matter. It may decline to investigate if:
- there are other means of resolving the dispute that should be exhausted first;
- the dispute would be better adjudicated by a different procedural mechanism, such as a court or tribunal; or
- some other procedural aspect prevents an investigation, such as late filing or jurisdictional issues.
If the OPC decides to investigate, an investigator will be assigned to the case and the organisation will be informed of what is required of it during the investigation, including what documents are required and whether the OPC will be making a site visit. When the investigation is complete, the OPC will issue a report to both parties which will include the results of the investigation, as well as any recommendations made to the organisation and any steps that the organisation has taken or will take to implement the recommendations. Additionally, the OPC may enter into a compliance agreement with the organisation, the breach of which could result in legal action.
As noted in question 1.4, the OPC's recommendations are not legally enforceable. However, if the organisation does not implement the OPC's recommendations or fails to adhere to the terms of the compliance agreement, the matter may be referred to the Federal Court. As discussed in the responses to questions 1.4 and 7.2, if the legislation proposed in Bill C-11 passes in its current form, the Personal Information and Data Protection Tribunal will effectively replace the Federal Court as the administrative body for enforcement and handling appeals, although the Federal Court will still have jurisdiction to handle appeals.
12.2 What issues do such disputes typically involve? How are they typically resolved?
Disputes range from simple data correction requests to full-scale data breach investigations. Typically, less serious issues involving only one individual are resolved informally using alternative dispute resolution methods. However, regardless of the seriousness and scale of the dispute, resolution mechanisms can involve recommendations by the OPC, compliance agreements, injunctions and damages. Equitable remedies are also available to courts where appropriate.
12.3 Have there been any recent cases of note?
A recent case involving a data breach at Equifax Inc demonstrates the operation of many of the principles discussed in question 12. In 2017, Equifax announced that it had been the subject of a data breach affecting over 143 million individuals. An estimated 19,000 Canadians had sensitive personal information compromised, including their social insurance numbers. In 2019, the OPC issued a report of findings of its investigation into the matter. At the forefront of the OPC's report were issues of accountability, consent and security safeguards.
In respect to security safeguards, the OPC found that Equifax had several deficiencies in its security system, including:
- inadequate vulnerability management;
- inadequate network segregation; and
- inadequate implementation of basic information security practices.
The investigation also revealed deficiencies in Equifax's data retention policies. In particular, the OPC found that although Equifax had a data retention policy in place, the policy was not being followed and information was being kept for longer than necessary.
There was also an issue regarding the processing of data by a third party. Equifax argued that it was not responsible because the breach occurred at its US affiliate's location. Applying the principle of accountability (see question 5.2), the OPC found that Equifax remained responsible for the data despite the fact that it was being used and stored by a third party. It also noted that monitoring systems were inadequate and that Equifax had failed to ensure that the third party was fulfilling its data protection obligations.
Ultimately, the OPC found all complaints to be well founded and issued several recommendations, including:
- the implementation of a robust monitoring programme for Equifax's third-party processing arrangement;
- the deletion of personal information whose retention was no longer necessary;
- the filing of periodic reports with the OPC detailing its monitoring for compliance; and
- the filing of periodic audit reports, certifications and a third-party assessment of its retention practices.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
Canadian privacy law is in a state of flux. The technological landscape has changed significantly in the 21 years since the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect, which has led to a push for legislative reform. Lawmakers have answered calls to modernise Canada's privacy law with Bill C-11 – the Digital Charter Implementation Act. The bill proposes two pieces of legislation that would bring about substantial changes to Canada's privacy landscape (see question 1.1).
The first is the Consumer Privacy Protection Act (CPPA). The CPPA would replace PIPEDA and would apply to any organisation that collects, uses or discloses personal information in the course of commercial activity. While many of the provisions from PIPEDA would be carried over to the new law, the CPPA would contain several notable changes, including:
- an express right for data subjects to have their information permanently deleted;
- a new administrative appeal process;
- more significant penalties – up to C$10 million or 3% of the organisation's revenue;
- expanded powers of the Office of the Privacy Commissioner (OPC);
- more stringent standards of consent; and
- provisions taking account of automated decision systems such as machine learning.
Second, the Digital Charter would enact the Personal Information and Data Protection Tribunal Act, which, as its name suggests, would create a tribunal to handle data protection disputes. The tribunal would adjudicate on matters referred to it by the OPC. It would also hear appeals from organisations regarding the OPC's orders.
The upcoming changes have created a great deal of uncertainty in Canadian privacy law. First, as with any new legislation, nobody knows how the courts will interpret it and, until they do, answering legal questions is a matter of guesswork. Organisations should thus ensure that they have good lawyers doing the guessing.
Second, many have expressed procedural fairness concerns about the OPC's new powers. The CPPA would give the OPC the power to make orders and recommend substantial penalties, but it would not afford any new procedural protections to organisations. Fuelling this concern is the fact that the OPC would not be bound by any legal or technical rules of evidence. The OPC would be able to determine its own procedure for conducting an inquiry.
Ironically, in a recent submission to the Standing Committee on Access to Information, Privacy and Ethics, the OPC took the opposite position, complaining that the new appeal process – which would allow organisations to appeal its decisions to the tribunal – would be a procedural nuisance because it would "unnecessarily stand in the way of quick and effective remedies for consumers". Organisations likely perceive this attitude as further justification for their procedural fairness concerns.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
At the risk of oversimplifying Canadian privacy law, effective data protection can be distilled down to two top tips:
- Know your responsibilities: In many cases, such as that described in question 12.3, organisations can avoid significant grief by simply knowing what their obligations under Canadian privacy law are:
  - If you are transferring data to a sub-processor, know that you are still responsible for that data.
  - If you are handling sensitive information, know that you need a higher standard of protection.
  - If you are storing personal information, know that you cannot store it forever.
  - If you are collecting information for behavioural advertising, know that valid consent is required and that children cannot give it.
- Be open and transparent: This cannot be stressed enough. First, transparency builds and maintains trust with data subjects. Second, if openness and transparency are endorsed as guiding principles in the organisation's data protection policies, it becomes very difficult to draft non-compliant policies. Finally, the unfortunate reality is that even the most sophisticated security measures fail. When they do, organisations which can demonstrate that they were open and transparent throughout the process fare far better than those which cannot.
One of the main sticking points in the current state of Canadian privacy law was discussed in question 13.1 – that is, things are somewhat uncertain right now. Organisations which collect, use or disclose the personal information of Canadians would therefore be well advised to review their data protection agreements and privacy policies in anticipation of the upcoming changes.
Another challenge is that Canadian privacy law is general by design. While the Personal Information Protection and Electronic Documents Act contains many express requirements, the law is meant to apply to a broad range of behaviours and must therefore be worded broadly. This is illustrated by the fact that the legislature chose to use ‘principles’ instead of ‘prescriptions’. As a consequence, there will always be room for interpretation. Organisations must be aware of not only how courts have interpreted certain issues in the past, but also how courts are likely to interpret novel issues in the future. This is where the role of privacy officer is most valuable – in anticipating future issues and planning for them.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.