In recent years, Canadian federal and provincial governments have introduced new legislation and regulations aimed at protecting personal information. These measures also strengthened the duty of businesses to notify individuals impacted by privacy breaches ("breaches"), to report such incidents to regulators, and to mitigate risk of resulting harm. In this section, we highlight certain key legislative and regulatory developments in Canadian privacy laws from the past year, with a focus on those that impact breach response within the private sector.
Note that these recent developments are in addition to the existing breach response obligations applicable to private sector organizations, including those under the federal Personal Information Protection and Electronic Documents Act ("PIPEDA"), Alberta's Personal Information Protection Act ("Alberta PIPA") and Quebec's Law 25, An Act to modernize legislative provisions as regards the protection of personal information.
Federal Legislative Developments
(A) Parliament's prorogation puts an end to Bill C-27
As a result of the prorogation of the Canadian Parliament in January 2025, Bill C-27, the Digital Charter Implementation Act, 2022, which represented Parliament's second attempt at reforming Canadian federal privacy law, died on the order paper. Had Bill C-27 been passed, it would have created the Consumer Privacy Protection Act ("CPPA"), which, among other things, sought to strengthen the existing rules regarding notification and reporting of "breaches of security safeguards" set out in PIPEDA (Canada's current federal privacy law) by:
- introducing an obligation for service providers who become aware of breaches of security safeguards to notify the organizations that control the personal information;
- granting a new tribunal the power to impose administrative monetary penalties ("AMPs") for non-compliance of up to the greater of $10,000,000 and 3% of an organization's gross global revenue;
- increasing the maximum penal fines (reserved for intentional contraventions) to the greater of $25,000,000 and 5% of an organization's gross global revenue – a significant step up from the current $100,000 maximum under PIPEDA; and
- introducing a private right of action for individuals affected by a contravention of the CPPA subject to certain conditions, including a finding made by the federal privacy commissioner.1
As a result of the prorogation and looming federal elections, the likelihood of Bill C-27 being reinstated or reintroduced in the future currently remains highly uncertain.
(B) A New National Cyber Security Strategy
In February 2025, the federal government released a new "National Cyber Security Strategy" policy document, which aims to focus on a "whole-of-society approach to cyber security" and improve partnerships across all levels of government, law enforcement, industry, and businesses. In this policy, the federal government declared its intention to "explore legislation, regulation, and incentives to foster the adoption of secure technologies and practices." The policy also states that the government is strengthening privacy regulations in the private sector, and that it will consider methods to incentivize organizations to better protect the privacy of consumers, such as by granting preferred contractor status to trusted companies and establishing a labelling scheme that allows consumers to identify and compare a product's cybersecurity protections.2
Quebec legislative and regulatory developments
(A) Quebec passes Law 5 to strengthen privacy protections in the healthcare sector
In July 2024, the Government of Quebec's Act respecting health and social services information ("Law 5") came into force. Law 5 introduced a new privacy framework for "health and social services bodies" ("HSSBs") that handle "health and social services information" ("HSSI").3 The definition of HSSB captures a broad range of both public and private organizations, including health and social services institutions (e.g., hospital centres and CLSCs), private health facilities, specialized medical centres, medical laboratories, operators of ambulance services, private seniors' residences, etc.4 The definition of HSSB also encompasses third party service providers, but solely to the extent that they provide health or social services on an HSSB's behalf.
Law 5 adopts breach notification and reporting requirements that closely align with those established in Quebec's landmark privacy legislation, Law 25, which overhauled the Act respecting the protection of personal information in the private sector.
Mirroring Law 25, Law 5 mandates HSSBs to "take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature" if there is cause to believe that a "confidentiality incident" has occurred.5 However, Law 5 also goes a step further by imposing these obligations even when there is only a "risk of such incident occurring"—a stipulation not found in Law 25. This seems to indicate a heightened duty under Law 5 to proactively prevent potential incidents affecting HSSI. This could also suggest that the obligations to notify and report confidentiality incidents (described in the following paragraph) are triggered by unconfirmed future incidents. Further guidance from Quebec's privacy commissioner, the Commission d'accès à l'information ("CAI"), would likely be required to clarify the practical significance of this additional wording.
Consistent with Law 25, Law 5 requires HSSBs to notify individuals affected by confidentiality incidents that pose a "serious risk of injury" and to report them to the CAI.6 Unique to Law 5, however, is the additional requirement to report such incidents to the Minister of Health and Social Services. In line with Law 25, Law 5 also requires HSSBs to maintain a register of confidentiality incidents for a minimum of five years after an incident occurs. The required contents of the notifications, reports, and registers under Law 5 are nearly identical to those set forth by Law 25.7
Furthermore, Law 5 provides maximum penal fines of $30,000 for failures to report incidents to the Minister of Health and Social Services or the CAI.8 Interestingly, unlike Law 25, Law 5 does not contemplate penal fines for failures to notify affected individuals. Moreover, the maximum amount of the fine seems much lower than under Law 25, which introduced a maximum penal fine of the greater of $25,000,000 or 4% of an organization's worldwide turnover for the preceding fiscal year.9 However, a provision exclusive to Law 5 specifies that an offence which lasts for more than one day constitutes a separate offence for each day it continues.10 This provision could permit the imposition of separate fines (subject to separate caps) for each day that a failure to report an incident persists.
Lastly, Law 5 does not contain AMP provisions, unlike Law 25, which empowered the CAI to impose AMPs of up to the greater of $10 million or 2% of an organization's worldwide turnover for the preceding fiscal year.11
(B) Quebec creates new reporting obligations for financial institutions and credit assessment agents for information security incidents
In October 2024, the Quebec government introduced the Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents, whose provisions will come into force on April 23, 2025. This sector-specific regulation targets credit assessment agents and certain financial institutions in Quebec, specifically insurers, certain federations and credit unions, deposit institutions, and trust companies.12 The regulation creates a number of new obligations for these entities in the event of an "information security incident", which it defines as "an attack on the availability, integrity or confidentiality of information systems or the information they contain."13 This definition is broader than the notion of "confidentiality incident" under Law 25, since personal information does not need to be targeted for an attack to constitute an information security incident.
Entities subject to the regulation must develop an information security incident management policy which sets out (i) procedures and mechanisms for detecting, assessing, and responding to information security incidents; (ii) a procedure for reporting information security incidents to officers and managers; and (iii) a procedure for reporting information security incidents to any other stakeholders, including clients, consumers, third parties to which the entity has entrusted the performance of any part of an activity, the Autorité des marchés financiers ("AMF"), and any other regulatory bodies.14 There is also a requirement to assign in writing to an officer or manager the responsibility for monitoring the management and reporting of information security incidents.15
Furthermore, the regulation requires financial institutions and credit assessment agents to report information security incidents with potentially adverse impacts to the AMF within 24 hours of management becoming aware of them.16 Within the same period, the AMF must also be notified of any information security incident that has been reported to a regulatory body, to law enforcement, or to any party contractually responsible for providing compensation for injury that may have been caused by the incident (e.g., cyber-insurers).17 In addition, the AMF must simultaneously be notified whenever a confidentiality incident is reported to the CAI pursuant to Law 25.18 Continuous updates regarding the development of the situation must then be provided to the AMF every three days until the financial institution or credit assessment agent confirms that the incident is under control and that operations have returned to normal.19 Following such confirmation, a final report containing prescribed information must be provided to the AMF within 30 days.20
Lastly, financial institutions and credit assessment agents must maintain an incident register containing specific fields of information for a period of 5 years.21
AMPs for non-compliance with the regulation range from $1,000 to $2,500, depending on the nature of the contravention.
Alberta Legislative Developments
(A) Ongoing legislative efforts to update Alberta's Personal Information Protection Act
In January 2024, the Standing Committee on Resource Stewardship formed by the Legislative Assembly of Alberta (the "Assembly") commenced a comprehensive review of Alberta PIPA, which is more than two decades old. The committee issued its final report in February 2025, with formal recommendations to update various provisions of Alberta PIPA.22 The next step will be for the Assembly to consider these recommendations and decide whether to proceed with legislative amendments.
Among other things, the committee recommended amending Alberta PIPA to define the notion of "significant harm" and to include factors for determining whether a "real risk of significant harm" exists, which is the threshold that triggers organizations' duty to notify individuals of the loss, unauthorized access, or disclosure of their personal information and to report the same to the Alberta privacy commissioner.23 The committee did not propose a specific definition or factors for assessing risk, but invited the legislature to harmonize Alberta PIPA with other Canadian privacy laws. Should the Assembly decide to amend Alberta PIPA, it is thus conceivable that the definition of significant harm and the factors for assessing risk would mirror analogous provisions found in PIPEDA, the CPPA (should it be reinstated or reintroduced and progress), or Law 25.
In addition, the committee recommended amending Alberta PIPA to authorize the Alberta privacy commissioner, who currently does not have such powers, to impose AMPs. The committee noted that AMPs can effectively deter privacy violations and be more efficient than penalties imposed by courts, but did not further comment on the appropriate amount of such AMPs.24 The committee also recommended increasing the penal fines that can be levied by courts for offences under Alberta PIPA (including for failures to notify or report breaches) to ensure that the penalties are the same as or higher than those of similar Canadian privacy laws, expressly citing Quebec's Law 25 as an example.25
Footnotes
1 CPPA, s. 61, 95(4), 107(1), and 128(a); PIPEDA, s. 28(b). CPPA, s. 2(1) defines a "breach of security safeguard" as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in section 57 or from a failure to establish those safeguards", preserving the same definition as the one found under PIPEDA, s. 2(1).
2 See Canada's National Cyber Security Strategy, available at: https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg-2025/index-en.aspx
3 Law 5, s. defines HSSI as "any information that allows a person to be identified, even indirectly, and that has any of the following characteristics: (1) it concerns the person's state of physical or mental health and his or her health determinants, including the person's medical or family history; (2) it concerns any material taken from the person, including biological material, collected in the context of an assessment or treatment, or any implants, ortheses, prostheses or other aids that compensate for a disability of the person; (3) it concerns the health services or social services provided to the person, including the nature of those services, their results, the location where they were provided and the identity of the persons or groups that provided them; (4) it was obtained in the exercise of a function under the Public Health Act (chapter S-2.2); or (5) any other characteristic determined by government regulation."
4 Law 5, s. 4.
5 Law 5, s. 108. Law 5, s. 3 defines a "confidentiality incident" as "access to information or any other use or communication of information not authorized by law, the loss of information or any other breach of its protection".
6 Law 5, s. 108 and 109; Law 25, s. 3.5 and 3.7.
7 Law 5, s. 110 and the Regulation respecting the application of certain provisions of the Act respecting health and social services information; Law 25, s. 3.8 and Regulation respecting confidentiality incidents.
8 Law 5, s. 159(4).
9 Law 25, s. 91.
10 Law 5, s. 163.
11 Law 25, s. 90.12.
12 Regulation, s. 1.
13 Regulation, s. 2.
14 Regulation, s. 3.
15 Regulation, s. 4.
16 Regulation, s. 5.
17 Ibid.
18 Regulation, s. 6.
19 Regulation, s. 8.
20 Regulation, s. 9.
21 Regulation, s. 10 and 11.
22 See Final Report – Review of the Personal Information Protection Act, available at: https://www.assembly.ab.ca/docs/default-source/committees/rs/final-pipa-report---web.pdf?sfvrsn=c291fdde_3.
23 Final Report, s. 6.10.
24 Final Report, s. 6.3.
25 Final Report, s. 6.9.