Law and the regulatory authority
Legislative framework
Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?
In Canada, four private sector privacy enactments provide the framework for the protection of PI. These are:
- Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA);
- the province of Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector (Private Sector Act (QC));
- the province of Alberta’s Personal Information Protection Act (PIPA (AB)); and
- the province of British Columbia’s Personal Information Protection Act (PIPA (BC)).
PIPEDA governs the interprovincial and international collection, use or disclosure of PI by private sector organisations in the course of carrying out commercial activities for profit. It also has application to employee PI in federally regulated organisations (such as banks, airlines, railways and telecommunication companies).
PIPEDA also applies within all provinces and territories in Canada, except Quebec, Alberta and British Columbia. The Private Sector Act (QC), PIPA (AB) and PIPA (BC) have been deemed substantially similar to PIPEDA and, as such, PIPEDA does not apply to private sector organisations carrying out commercial activities wholly within those provinces.
While the Private Sector Act (QC), PIPA (AB) and PIPA (BC) have each been deemed substantially similar to PIPEDA, there are differences in the details of each. These provincial laws apply, generally speaking, to all private sector organisations with respect to the collection, use and disclosure of PI in the course of carrying out commercial activities and to employees’ PI.
The Private Sector Act (QC) has recently been amended by Bill 64, which introduced significant changes that will come into effect in 2022, 2023 and 2024. While it does not address territorial scope, it is drafted broadly and includes new obligations that suggest it may be applied to organisations outside of Quebec that deal with the PI of Quebec residents. For example, a new requirement to conduct a privacy impact assessment when PI of Quebec residents is being transferred outside of Quebec, or where an organisation has entrusted a third party located outside Quebec with the collecting, using, disclosing or retaining PI on its behalf.
Health information privacy legislation in the provinces of Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador have been deemed substantially similar to PIPEDA and apply to health PI within those provinces. In those provinces and territories where health information privacy legislation has not been deemed substantially similar, PIPEDA may also apply.
Privacy matters involving public sector institutions are governed by a variety of federal, provincial and territorial public sector privacy legislative enactments.
Certain provinces have enacted legislation recognising the invasion of privacy as statutory tort, while there are also various offences within the Criminal Code (Canada) regarding the invasion of privacy.
Data protection authority
Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?
There is no single regulatory authority dedicated to governing data protection laws in Canada. The applicable authority varies based upon whether the matter is covered by federal or provincial privacy laws.
While the Office of the Privacy Commissioner of Canada (OPC) enforces PIPEDA, each province and territory of Canada has a commissioner or ombudsperson responsible for its own provincial or territorial privacy legislation. In the case of Quebec, Alberta and British Columbia, their privacy legislation is overseen and enforced by the Commission d’accès à l’information du Québec (CAI), the Office of the Information & Privacy Commissioner of Alberta and the Office of the Information & Privacy Commissioner for British Columbia, respectively.
Under PIPEDA, the OPC has the power to investigate complaints made by individuals or initiate an investigation itself based on reasonable grounds to believe that a matter warrants it. The OPC has the power to summon witnesses to give oral or written evidence, inspect documents and compel the production thereof, and inspect premises other than a dwelling house. The OPC, upon having reasonable grounds to believe that an organisation is contravening PIPEDA, can audit the organisation’s personal information practices, including examining their policies, procedures and practices, exploring their physical and security controls, and inspecting an organisation’s incident response management protocols.
The CAI, under the Private Sector Act (QC), and the commissioners under PIPA (AB) and PIPA (BC) each have similar investigatory powers and, where necessary, the power to conduct an inquiry. Following an inquiry, each also has the power to issue orders.
Cooperation with other data protection authorities
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
There are no legal obligations on Canadian data protection authorities to cooperate with other data protection authorities. However, the OPC and the commissioners in the three provinces that have substantially similar legislation (Quebec, BC and Alberta) have entered into a memorandum of understanding intended to create a framework for greater collaboration between the offices, streamline investigations and promote greater harmonisation in the application of the laws. The OPC may also share information with a foreign data protection counterpart pursuant to a written information sharing arrangement.
Breaches of data protection law
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?…
Privacy 2024 Recap – some significant decisions, slow progress for reform
The past year saw a few court decisions of note as well as halting progress toward privacy…