Canada's Privacy Laws: A Comprehensive Overview

how many privacy laws are in canada

Canada has several privacy laws that apply in different contexts. The country's legal conceptualization of privacy can be traced back to Warren and Brandeis's The Right to Privacy, published in the Harvard Law Review in 1890. The first instance of a formal law came in 1977 when the Canadian government introduced data protection provisions into the Canadian Human Rights Act. The Personal Information Protection and Electronic Documents Act (PIPEDA), which went into effect in 2000, is one of the country's federal privacy laws, enforced by the Office of the Privacy Commissioner of Canada. Another federal privacy law is the Privacy Act, which covers how the federal government handles personal information. Quebec's privacy law, Law 25, came into force in three phases, with most provisions taking effect in September 2023.

Characteristics Values
Number of federal privacy laws 2
Privacy laws that are enforced by the Office of the Privacy Commissioner of Canada The Privacy Act, the Personal Information Protection and Electronic Documents Act (PIPEDA)
Privacy laws that apply in different contexts PIPEDA, Quebec's privacy law (Law 25)
Privacy laws that apply to provincial government agencies and their handling of personal information Each province and territory has its own laws
Provinces with health-related privacy laws that are similar to PIPEDA Alberta, Ontario, New Brunswick, Newfoundland and Labrador
Provinces with private-sector privacy laws that may apply instead of PIPEDA British Columbia, Alberta, Ontario, Quebec
Provinces with health privacy laws that are not similar to PIPEDA Saskatchewan, Manitoba, Nova Scotia, Prince Edward Island, Yukon, Northwest Territories
Privacy laws that apply to federally-regulated organizations PIPEDA
Privacy law that applies to Quebec Law 25
Year the first instance of a formal privacy law was introduced 1977
Year the Canadian Charter of Rights and Freedoms outlined the right to privacy 1982
Year the Access to Information Act was introduced 1985
Year the Ontario Court of Appeal recognized a right to personal privacy 2012
Year Quebec's privacy law, Law 25, came into force 2023
Year of proposed amendments to PIPEDA 2023

lawshun

Quebec's Law 25

Canada has several privacy laws, including PIPEDA (the Personal Information Protection and Electronic Documents Act) and Quebec's Law 25 (formerly Bill 64). Most of the provisions of Quebec's Law 25 came into effect in 2023, and it may set a precedent for federal and/or other provincial privacy laws.

Law 25 also requires organizations to make data breach notifications to Le Commission d’accès à l’information du Quebec, as well as to any affected individuals. A breach notification is required when the unauthorized access of personal information is likely to cause a "risk of serious injury" to the individual. Additionally, organizations must report a breach as soon as possible and maintain a record of all security incidents.

Another key aspect of Law 25 is the appointment of a Data Protection Officer (DPO) or privacy officer. This individual is responsible for overseeing data subject requests, data breach reporting, and privacy impact assessments (PIAs). The contents of a PIA vary depending on factors such as the sector and the types of information involved. However, it generally includes an assessment of the risks associated with the processing of personal information and the measures in place to mitigate those risks.

Overall, Quebec's Law 25 is a significant step towards strengthening data protection and privacy rights for individuals in Quebec, while also imposing new obligations on organizations that handle personal information.

lawshun

PIPEDA

Canada has several privacy laws, two of which are PIPEDA and Quebec's privacy law, Law 25. This response will focus on PIPEDA, which stands for the Personal Information Protection and Electronic Documents Act.

Organizations that are subject to PIPEDA must follow the 10 fair information principles set out in Schedule 1 of the Act to protect personal information. By following these principles, organizations can contribute to building trust in their business and in the digital economy. PIPEDA also provides for fines of up to CAD 100,000 for organizations that violate the Act.

Alberta, British Columbia, and Quebec have their own private-sector privacy laws that have been deemed substantially similar to PIPEDA. Organizations subject to these laws are generally exempt from PIPEDA regarding the collection, use, or disclosure of personal information within that province. However, all businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based.

lawshun

Consumer Privacy Protection Act

Canada has various privacy laws that apply in different contexts. One notable piece of legislation is the Consumer Privacy Protection Act (CPPA), which is a part of the Digital Charter Implementation Act, 2022. The CPPA is a significant change to Canada's private sector privacy law, aiming to protect the privacy of Canadians while allowing them to benefit from new technologies.

The CPPA establishes clear rules for handling personal information, requiring businesses to obtain consent before collecting, using, or disclosing personal information. It grants the Privacy Commissioner of Canada the authority to issue orders and recommend penalties for non-compliant organizations, with fines of up to 5% of revenue or $25 million, whichever is greater. The CPPA also introduces a new Personal Information and Data Protection Tribunal to handle privacy complaints and appeals of orders issued by the Privacy Commissioner.

The Act enhances the Privacy Commissioner's powers, including the ability to compel record production and enter private places for investigations. It allows for the sharing of information with other federal regulatory bodies and provincial and foreign counterparts under specific conditions. The CPPA provides flexibility for businesses in collecting and using personal information for delivering products or services, as long as it is reasonably anticipated by individuals.

Additionally, the CPPA facilitates the use of de-identified information for research and development, allowing businesses to disclose such information to public entities for socially beneficial purposes. It aligns Canada with international trading partners' privacy laws and underscores the importance of privacy law in protecting human rights. Overall, the CPPA strengthens privacy protections and provides clear consequences for organizations that fail to comply with the law.

lawshun

Personal Information Protection and Electronic Documents Act

Canada has various privacy laws, two of which are the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's privacy law, Law 25. This response will focus on PIPEDA.

The Personal Information Protection and Electronic Documents Act is Canada’s national private sector data privacy law, enforced by the Officer of the Privacy Commissioner (OPC). It seeks to protect internet users' privacy rights by requiring that organizations inform users of their data handling practices and obtain consent from users to collect, use, and disclose personal information. Personal information refers to any subjective or factual information about an identifiable individual.

PIPEDA applies to any private sector organization in Canada that collects, uses, or shares personal information when conducting commercial activities. This includes federally regulated organizations such as banks, airlines and airports, telecommunications companies, and interprovincial and international transportation companies. However, it does not apply to charity groups, political parties, and non-profit organizations unless they engage in commercial activities outside their core operations.

When there is a data breach that poses a real risk or threat of significant harm to individuals, organizations need to report the breach to the OPC by submitting a PIPEDA breach report form. Examples of significant harm under a data breach include reputational damage, financial loss, employment loss, and physical injury. Organizations must also notify affected individuals about the data breach as soon as possible and keep records of all data breaches for two years. Not following these data breach notification procedures is considered a violation of PIPEDA.

Businesses in violation of PIPEDA can face fines of up to $80,000 if the government decides to prosecute. PIPEDA has undergone occasional amendments, with the most significant being the addition of breach notification obligations in 2015. However, there has been a recent push for a more comprehensive overhaul to modernize Canada's privacy laws and bring them in line with the evolving landscape of digital marketing and advertising.

lawshun

Provincial privacy laws

Canada's privacy laws are derived from the common law, statutes of the Parliament of Canada, the Canadian Charter of Rights and Freedoms, and the various provincial legislatures. The first instance of a formal privacy law was introduced in 1977 when the Canadian government included data protection provisions in the Canadian Human Rights Act. In 1982, the Canadian Charter of Rights and Freedoms outlined that everyone has "the right to life, liberty and security of the person" and "the right to be free from unreasonable search or seizure". In 1985, the Access to Information Act was passed, marking another significant change in Canadian privacy laws.

Each province and territory in Canada has a commissioner or ombudsman responsible for overseeing provincial and territorial privacy legislation. While PIPEDA (Personal Information Protection and Electronic Documents Act) is a federal legislation that applies to federally regulated businesses operating in Canada, some provinces have their own privacy laws that may apply instead of or in conjunction with PIPEDA. For example, Quebec's privacy law, Law 25, came into force in three phases, with most provisions taking effect in September 2023. It introduces new requirements that align with GDPR, particularly regarding transparency and consent.

  • British Columbia: The Information and Privacy Commissioner for British Columbia oversees the Freedom of Information and Protection of Privacy Act (public sector privacy law), the Personal Information Protection Act (private sector privacy law), and the E-Health (Personal Health Information Access and Protection of Privacy) Act (health records privacy law).
  • Manitoba: The Office of the Ombudsman enforces Manitoba's Freedom of Information and Protection of Privacy Act (public sector privacy law) and the Personal Health Information Act (health records privacy law).
  • New Brunswick: The Office of the Ombud for New Brunswick is responsible for the Right to Information and Protection of Privacy Act (public sector privacy law) and the Personal Health Information Privacy and Access Act (health records privacy law).
  • Newfoundland and Labrador: The Information and Privacy Commissioner of this province oversees the Access to Information and Protection of Privacy Act (public sector privacy law) and the Personal Health Information Act and Pharmacy Network Regulations (health records privacy laws).
  • Nova Scotia: The Information and Privacy Commissioner of Nova Scotia enforces the Freedom of Information and Protection of Privacy Act, the Privacy Review Officer Act (public sector privacy laws), and the Personal Health Information Act (health records privacy law).
  • Ontario: The common law in Canada recognizes a right to personal privacy, specifically a "tort of intrusion upon seclusion".
  • Nunavut: The Information and Privacy Commissioner of Nunavut oversees the Access to Information and Protection of Privacy Act, which is Nunavut's public sector privacy law.

Frequently asked questions

Canada has two federal privacy laws: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Privacy Act covers how the federal government handles personal information. It also relates to an individual's right to access and correct personal information held by the Government of Canada.

PIPEDA covers how businesses handle personal information. It also applies to federally-regulated organisations conducting business in Canada and their employees' personal information.

Yes, each province and territory in Canada has its own privacy laws that apply to provincial government agencies and their handling of personal information. Quebec's privacy law, Law 25, came into force in 2023 and is considered to be more closely aligned with the EU's GDPR.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment