Canada's Privacy Laws: What You Need To Know

what are the privacy laws in canada

Canada has two federal privacy laws enforced by the Office of the Privacy Commissioner of Canada: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Act, passed in 1983, covers how the federal government handles personal information, while PIPEDA, which came into effect in 2000, covers how businesses handle personal information. Each province and territory in Canada has its own laws that apply to provincial government agencies and their handling of personal information.

Characteristics Values
First instance of a formal law In 1977, the Canadian government introduced data protection provisions into the Canadian Human Rights Act
Confirmation of constitutional right to privacy In the 1984 Supreme Court case, Hunter v. Southam
Privacy laws PIPEDA, Law 25 (Quebec), Personal Health Information Protection Act (PHIPA) in Ontario, Health Information Act (HIA) in Alberta, Personal Information Protection Act (PIPA), Personal Information Protection Act (PIPA BC), Privacy Act
PIPEDA applicability Businesses that operate in Canada and handle personal information that is transferred across provincial or national borders, or within certain sectors, such as banking, telecommunications or transportation
PIPEDA requirements Protect personal information using security measures, report personal information breach to the Privacy Commissioner of Canada, notify the affected individuals and keep a record of the breach
Law 25 applicability Provides individuals with more control over their information and the ability to request and access their information from organizations
Law 25 requirements Organizations must provide information to individuals upon collection of their personal information, including the categories of third parties to which it is necessary to communicate the information
Law 25 unique characteristic Provides a private right of action; if the court finds that the violation was done on purpose or due to a major mistake, the court must order the violator to pay the consumer at least CAD 1,000 in punitive damages

lawshun

The Privacy Act

Canada's Privacy Act is a federal law that came into effect on July 1, 1983, and protects the personal information of Canadians in the hands of the federal government. It is a key piece of Canada's framework for protecting privacy interests. The Act contains a set of rules for the government's treatment of personal information. It sets out the basic framework for how federal institutions collect, use, retain, and disclose personal information. For example, a government institution may only collect personal information that is directly related to one of their ongoing programs or activities.

There have been several important court decisions concerning the Privacy Act. For example, in Ruby v Canada (Solicitor General), the Supreme Court of Canada held that a specific section of the Privacy Act was unconstitutional because it required that certain applications to Federal Court be held in camera. In another case, H.J. Heinz Co. of Canada Ltd. v Canada (Attorney General), the Court affirmed that a third party could object to the disclosure of information under the Access to Information Act if it would disclose personal information about another individual.

In recent years, there has been a push to modernize Canada's privacy laws, including PIPEDA and Quebec's privacy law, Law 25, to better align with the realities of today's digital ecosystem. Additionally, the federal government introduced a bill in 2022 to strengthen data privacy requirements and regulations for organizations.

lawshun

PIPEDA

Canada's privacy laws vary depending on the context, but one notable piece of legislation is the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA, which came into effect in 2000, sets out the ground rules for how private sector organisations may collect, use, or disclose personal information in the course of commercial activities. It applies to organisations' commercial activities in all provinces, except those that have their own privacy laws deemed "substantially similar" to the federal law.

The implementation of PIPEDA occurred in three stages. Initially, in 2001, the law applied to federally regulated industries such as airlines, banking, and broadcasting. In 2002, it was expanded to include the health sector, and in 2004, it covered any organisation collecting personal information in commercial activities, except in provinces with substantially similar privacy laws. As of October 2018, seven provinces have privacy laws deemed substantially similar to PIPEDA.

In 2015, the Digital Privacy Act amended PIPEDA to include a business transaction exemption, mandatory breach notification requirements, and enhanced powers for the Privacy Commissioner. PIPEDA does not create an automatic right to sue for violations but follows an ombudsman model where complaints are investigated by the Office of the Privacy Commissioner of Canada. Organisations may be liable for fines of up to CAD 100,000 for non-compliance.

In recent years, there have been calls for a significant overhaul of PIPEDA to address modern challenges, especially with the rise of artificial intelligence (AI). In 2022, the federal government introduced Bill C-27, the Digital Charter Implementation Act, which included the Artificial Intelligence and Data Act (AIDA). This law aims to regulate AI technologies and hold businesses accountable for their use and development.

lawshun

Provincial privacy laws

Canada's privacy laws are derived from the common law, statutes of the Parliament of Canada, the various provincial legislatures, and the Canadian Charter of Rights and Freedoms. Each province and territory in Canada has a commissioner or ombudsman responsible for overseeing provincial and territorial privacy legislation.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that applies to federally regulated businesses operating in Canada. It also applies to organizations in the Northwest Territories, Yukon, and Nunavut. PIPEDA does not apply to organizations that do not engage in commercial, for-profit activities. Municipalities, universities, schools, and hospitals are generally covered by provincial laws.

Some provinces have their own privacy legislation that applies to organizations within their jurisdiction. Here are some examples of provincial privacy laws:

  • British Columbia: Freedom of Information and Protection of Privacy Act, Personal Information Protection Act, and E-Health (Personal Health Information Access and Protection of Privacy) Act.
  • New Brunswick: Right to Information and Protection of Privacy Act and Personal Health Information Privacy and Access Act.
  • Newfoundland and Labrador: Access to Information and Protection of Privacy Act, Personal Health Information Act, and Pharmacy Network Regulations.
  • Nova Scotia: Freedom of Information and Protection of Privacy Act, Privacy Review Officer Act, Personal Health Information Act, and Personal Information International Disclosure Protection Act.
  • Ontario: Personal Health Information Protection Act (PHIPA).
  • Quebec: Law 25, which came into force in three phases, with most provisions coming into effect in September 2023. It introduces new requirements that align with the EU's GDPR, particularly regarding transparency and consent.
  • Alberta: Health Information Act (HIA).

lawshun

Consumer Privacy Protection Act (CPPA)

Canada is working on its own bill, the Consumer Privacy Protection Act (CPPA), which would be one of the world's most ambitious laws on personal data protection. The CPPA, implemented through the broader Digital Charter Implementation Act, would aim to give consumers control over their data and promote greater transparency about how organizations use personal data.

The CPPA would replace the existing Personal Information Protection and Electronic Documents Act (PIPEDA) and establish a new Personal Information and Data Protection Tribunal. It would raise the bar for privacy protection in Canada by providing clear rules for handling personal information in accordance with the principles of Canada's Digital Charter. Organizations will have to provide information in plain language about the handling of personal information and allow individuals to give meaningful consent.

The CPPA will empower the Privacy Commissioner of Canada to issue orders to non-compliant organizations and recommend penalties for non-compliance. Consent is a fundamental principle, meaning that businesses need consent to collect, use or disclose personal information, with only limited and specific exceptions. Businesses can only use personal information for appropriate activities and must be transparent about the use of automated systems, such as artificial intelligence. They must also notify individuals when their information is at risk from a data breach.

The CPPA will grant the Privacy Commissioner the ability to require a business to cease or undertake an action and recommend non-compliance penalties of up to 3% of global revenue, or $10 million. The CPPA recognizes the importance of privacy law in protecting human rights and will regulate the protection of personal information within the context of commercial conduct. Individuals will have their privacy rights safeguarded through the broad range of powers held by the Office of the Privacy Commissioner of Canada (OPC), which is responsible for receiving complaints, settling matters and conducting investigations.

Martial Law: Trump's Power Grab?

You may want to see also

lawshun

Health sector privacy laws

Canada's health sector is subject to specific privacy laws that govern the handling of health-related information. These laws ensure that individuals have the right to access and control their personal health information, and that this information is protected from unauthorized use and disclosure.

The Personal Health Information Protection Act (PHIPA) in Ontario and the Health Information Act (HIA) in Alberta are examples of health-related privacy laws that have been declared substantially similar to the Personal Information Protection and Electronic Documents Act (PIPEDA) with respect to health information. PIPEDA, which came into effect in 2000, sets the rules for how private-sector organizations collect, use, and disclose personal information in the course of commercial activities across Canada. It is currently undergoing significant updates to better protect individuals and strengthen the regulation of organizational data privacy practices.

Other provinces and territories have also passed their own health privacy laws, which may differ in their specific provisions. For example, Quebec's privacy law, Law 25, came into force in three phases, with most provisions taking effect in September 2023. Law 25 provides individuals with more control over their information and introduces new requirements for organizations, bringing it closer to the General Data Protection Regulation (GDPR). It mandates express consent for sensitive personal information, including medical data, and offers a private right of action for violations.

In addition to federal and provincial laws, municipal laws may also impact the handling of personal health information. Furthermore, international data transfer regulations, such as GDPR, must be considered by businesses that transfer personal data across borders, especially when dealing with data from jurisdictions with strict data protection laws.

To assist individuals with disabilities in understanding their rights, Canada has developed the Privacy Laws + Your Personal Health Information Toolkit, which provides tools, resources, and support for locating, accessing, and comprehending medical information privacy rights. This toolkit includes information on applicable legislation, the legal definition of "personal health information," and questions to consider asking healthcare providers about personal health information access and usage.

Frequently asked questions

Canada has two federal privacy laws: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Privacy Act covers how the federal government handles personal information. It also provides individuals with a right of access to information held about them by the federal government and a right to request correction of any erroneous information.

PIPEDA governs the collection, use, and disclosure of personal information by private sector organisations. It applies to businesses engaged in commercial activities across provincial and national borders.

The health sector in Canada is subject to specific privacy laws such as the Personal Health Information Protection Act (PHIPA) in Ontario and the Health Information Act (HIA) in Alberta, which regulate the handling of health-related information.

Businesses that transfer personal data across borders should be aware of international data transfer regulations like GDPR, especially if they deal with data from the European Union (EU) or other jurisdictions with strict data protection laws.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment