Cybersecurity Legal Landscape in Canada
In Canada, the cybersecurity legal landscape is governed by various laws including privacy, anti-spam, criminal liability, and intellectual property:
- Generally, federal and provincial privacy laws in Canada regulate the way in which personal information can be collected, used or disclosed. On the federal level, PIPEDA requires an organization to notify affected individuals of any breach of security safeguards involving personal data under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Similarly, on a provincial level, the Alberta PIPA and recently amended Quebec Act include data breach reporting and notification requirements for private sector organizations.
- Canada’s anti-spam legislation, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (CASL) protects consumers and businesses from spam and other electronic threats. CASL prohibits the following in the course of commercial activity: the alteration of transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender; the installation of a computer program on any other person’s computer system without express consent or court order; and the sending of a commercial electronic message to an electronic address in order to induce or aid any of the above prohibitions.
- The Criminal Code prohibits the unauthorized use of a computer, the possession of a device to obtain unauthorized use of a computer system or to commit mischief, and mischief in relation to computer data.
- The Copyright Act includes civil and criminal remedies for the circumvention of technological protection measures and rights management information.
Privacy Laws
Federal
- the Privacy Act, which covers how the federal government handles personal information;
- the Personal Information Protection and Electronic Documents Act (PIPEDA), which covers how businesses handle personal information.
PIPEDA does not generally apply to:
- not-for-profit and charity groups
- political parties and associations.
PIPEDA does not apply to organizations that operate entirely within:
- Alberta
- British Columbia
- Quebec.
Provincial Privacy Laws
- Every province and territory has its own laws that apply to provincial government agencies and their handling of personal information.
Some provinces have private-sector privacy laws that apply instead of PIPEDA in some cases. These provinces are:
- Alberta – Personal Information Protection Act, SA 2003, c P-6.5 (Alberta PIPA)
- British Columbia – Personal Information Protection Act, SBC 2003, c 63 (BC PIPA)
- Quebec – Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (Quebec Act)
Health Related
The following provinces have health-related privacy laws that have been declared substantially similar to PIPEDA with respect to health information:
Employment related
Some provinces have passed privacy laws that apply to employee information. Examples include:
NIST Privacy Framework
NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management
The Privacy Framework is a voluntary tool intended to help organizations identify and manage privacy risk to build beneficial products and services while protecting individuals’ privacy.
- Visit the new Privacy Framework Resource Repository to explore crosswalks, common Profiles, guidance, and tools to support implementation.
- Whether you’re new to the Framework or seeking more information about adoption, see our hypothetical use case Profiles and updated frequently asked questions.
- Check out the companion roadmap to promote collaboration to address key privacy challenges for organizations and improve future versions of the Framework.
PIPEDA
PIPEDA imposes a number of requirements on organizations it covers. Organizations covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.
Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards.
Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA.
By following these principles, you will contribute to building trust in your business and in the digital economy.
The principles are:
Understanding Canadian Privacy Law
Understanding Canadian Privacy Law: Key Principles, Scope, Enforcement, and Recent Developments with Implications for Individuals and Businesses
Processing Personal Data Across Borders
There are different approaches to protecting personal information that is being transferred for processing. European Union member states have passed laws prohibiting the transfer of personal information to another jurisdiction unless the European Commission has determined that the other jurisdiction offers “adequate” protection for personal information.
In contrast to this state-to-state approach, Canada has, through PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy. PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However, under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement. The OPC can investigate complaints and audit the personal information handling practices of organizations.
As the accountability principle suggests, the primary means by which an organization may protect personal information that is sent to a third party for processing is through a contract.
Regardless of where the information is being processed – whether in Canada or in a foreign country – the organization must take all reasonable steps to protect it from unauthorized uses and disclosures while it is in the hands of the third party processor. The organization must be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times. It should also have the right to audit and inspect how the third party handles and stores personal information, and exercise the right to audit and inspect when warranted.
The OPC recognizes the complexity of the electronic world and understands that it is often impossible for an organization to know precisely where information is flowing while in transit. That said, the law is clear on where accountability lies, and organizations must, in their own best interests as well as those of their customers, do what they can to protect the information.
Key Findings
- PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing.
- PIPEDA does establish rules governing transfers for processing.
- A transfer for processing is a “use” of the information; it is not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.
- The transferring organization is accountable for the information in the hands of the organization to which it has been transferred.
- Organizations must protect the personal information in the hands of processors. The primary means by which this is accomplished is through contract.
- No contract can override the criminal, national security or any other laws of the country to which the information has been transferred.
- It is important for organizations to assess the risks that could jeopardize the integrity, security and confidentiality of customer personal information when it is transferred to third-party service providers operating outside of Canada.
- Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.
- Typically, companies enter into an agreement when transferring data outside of Canada for processing purposes to ensure that the data transferred is afforded a comparable level of protection to that under Canadian Privacy Statutes. Depending on the size and the context of the data transfer arrangement in question, there are a number of measures that companies take to establish an appropriate vendor management framework, including:
  (i) due diligence, in particular with respect to security safeguards;
  (ii) contractual arrangements setting out requisite controls and conditions;
  (iii) appropriate notice to employees or consumers; and
  (iv) appropriate monitoring of the service provider arrangement.
  While consent per se is not required, notification is.
- Transfers of personal data to other jurisdictions do not require registration/notification or prior approval from the relevant data protection authorities.
Retention
In keeping with the data minimisation principle, Canadian Privacy Statutes generally require organisations to retain personal information for only as long as necessary to fulfil the purposes for which it was collected, subject to a valid legal requirement.
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous.
Organisations should develop guidelines and implement procedures for retention of personal data, including minimum and maximum retention periods and procedures governing the destruction of data.
Safeguarding
NOTE: PIPEDA does not specify particular security safeguards that must be used. Your organization must continually ensure it adequately protects the personal information in its care as technologies evolve and as new risks emerge.
New and Evolving Legislation
CPPA – Consumer Privacy Protection Act – Developing – Bill C-11
Bill C-11 is not yet law. It must be passed by both Houses of Parliament and receive Royal Assent. It is still in the legislative process for second reading and debate.
If passed, Bill C-11 would replace the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates how the private sector handles consumer data, by introducing the CPPA. The CPPA would impact any business collecting personal data in Canada by taking the broad data privacy principles of PIPEDA and creating new guidelines and a framework for enforcement.
Under the CPPA, the federal privacy commissioner would have the power to investigate and prosecute any organization that violates the framework imposed by the CPPA. The penalties would also be more severe than those imposed by PIPEDA.
This would be one of the strictest privacy laws in the world, comparable to the GDPR or the California Consumer Privacy Act.
Note: Bill C-11 was first introduced in 2020 and died on the order paper as a result of the federal election in 2021.
Bill C-26 on cybersecurity
In June 2022, Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced to provide new cybersecurity protections for telecommunications service providers in Canada and to ensure that they take certain measures to mitigate or remedy cybersecurity risks. This bill also introduces the Critical Cyber Systems Protection Act (CCSPA), which, if passed, would require operators of any “critical cyber system” in Canada to create a cybersecurity program that meets a number of prescribed safeguards and to notify their respective regulators of their programs. These operators would also have new breach reporting obligations where a cybersecurity incident could interfere with the continuity of a vital system or service.
Bill C-27 (Digital Charter Implementation Act, 2022)
- Reintroduction and an improvement of Bill C-11
- Bill C-27 is undergoing legislative review in Parliament and if passed, would introduce the following legislative updates:
The new statutory framework in Bill C-27 governs private sector personal information protection practices and, if passed, would enact the following three new statutes:
- The Consumer Privacy Protection Act would repeal and replace Part 1 of the Personal Information Protection and Electronic Documents Act. Part 2 of PIPEDA would be renamed “An Act to provide for the use of electronic means to communicate or record information or transactions,” or the Electronic Documents Act.
- The Personal Information and Data Protection Tribunal Act would establish an administrative tribunal to review certain decisions made by the Privacy Commissioner of Canada and make orders for contraventions of the CPPA.
- The Artificial Intelligence and Data Act, which is new and perhaps unanticipated by many, would regulate international and interprovincial trade and commerce in artificial intelligence systems by establishing common requirements, applicable across Canada, for the design, development and use of these systems.
Other Related Laws
- An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (“Canada’s anti-spam legislation” or “CASL”).
- In general, under CASL, it is a violation to send, or cause or permit to be sent, a commercial electronic message (defined broadly to include text, sound, voice or image messages) to an electronic address unless the recipient has provided express or implied consent (as defined in the Act) and the message complies with the prescribed form and content requirements, including an unsubscribe mechanism.