Canada's cybersecurity laws: an overview

Discover Canada's cybersecurity laws: the statutes that govern cybersecurity and how they protect consumers and businesses alike

With more and more transactions done online, the risk grows that your personal files, or your organization's or institution's systems, will be hit by a data breach or cyberattack. Canada's cybersecurity laws exist to protect you and to reduce the risk of financial loss and workplace disruption.

What is the cybersecurity law in Canada? 

Cybersecurity law goes by different names, such as internet law, cybercrime law, or IT law. Its purpose is to protect individuals, organizations, and institutions against cybercrime and cyberattacks.

This collection of laws, which varies by country or state, aims to:

  • Define the specific acts that are considered online criminal activities

  • Prosecute violators and impose appropriate penalties 

  • Protect consumers’ privacy in online transactions 

  • Outline how information may lawfully be accessed and used online

In Canada, cybersecurity law is a shared jurisdiction between the federal and provincial governments. 

Federal cybersecurity laws 

At the federal level, there is no single statute dedicated to cybersecurity. Instead, several laws each cover certain aspects of it.

The statutes that together form Canada's federal cybersecurity law include:

  1. Canada's Anti-Spam Legislation (CASL)

  2. Criminal Code

  3. Personal Information Protection and Electronic Documents Act (PIPEDA)

Other laws apply to specific sectors, such as:

  • the provincial health information protection acts, which govern personal health information held by health custodians in each province

  • the federal Privacy Act, which governs personal information held by federal government institutions


Here’s a summary of Canada’s cybersecurity laws: 

1. CASL 

CASL has three main prohibitions:

  1. Section 6: sending unsolicited commercial electronic messages (CEMs)

  2. Section 7: altering transmission data

  3. Section 8: installing computer programs without consent

Under CASL, a business must obtain the recipient's consent before sending a CEM. That consent may be either express or implied.

A CEM must also meet other requirements, such as:

  • it must identify the sender and provide the sender's contact information

  • it must include an unsubscribe mechanism for the recipient

CASL also provides exceptions to these requirements.

CASL also makes it unlawful, in the course of a commercial activity, to alter the transmission data of an electronic message so that it is delivered to a destination other than, or in addition to, the one specified by the sender.

Such an alteration is permitted only when:

  • it is made with the express consent of the sender or the recipient of the message, or

  • it is made in accordance with a court order

CASL also sets requirements that must be met before a computer program can be installed on another person's computer in the course of a commercial activity:

  • the installer must have the express consent of the owner or authorized user of the computer, or must be acting in accordance with a court order

  • the installer must clearly describe the function and purpose of the program to the person whose consent is sought

2. Criminal Code  

While the other statutes set out obligations for protecting data and systems, the Criminal Code defines the cybercrime offences themselves.

The Criminal Code provisions most often applied to cybercrime are:

  • Section 83.18: participation in the activity of a terrorist group, which covers cyber-enabled terrorist activity

  • Section 184: interception of private communications

  • Section 342.1: unauthorized use of a computer

  • Section 342.2(1): possession of a device to obtain unauthorized use of a computer system or to commit mischief (so-called hacking tools)

  • Section 402.2(1): identity theft

  • Section 403: identity fraud

  • Section 430(1.1): mischief in relation to computer data, which covers denial-of-service attacks

3. PIPEDA 

PIPEDA is the key cybersecurity law governing personal information that businesses and organizations collect, use, and disclose.

It requires organizations to protect the personal information they collect or control in the course of commercial activities.

PIPEDA applies to private-sector organizations engaged in commercial activities and to federally regulated organizations.

Alberta, British Columbia, and Québec have private-sector privacy laws deemed substantially similar to PIPEDA, so PIPEDA generally does not apply to the intra-provincial activities of organizations in those provinces. It still applies to federally regulated businesses (such as banks, airlines, and telecommunications companies) in every province, and to personal information that crosses provincial or national borders.

To ensure the security of the personal information these organizations hold, PIPEDA sets out ten fair information principles that organizations must follow.

In general terms, these principles are:

  • Accountability: designate a person responsible for the organization's compliance with PIPEDA and put internal policies in place to protect personal information.

  • Identifying Purposes: make sure individuals understand why their personal information is being collected, and limit the collection to those purposes.

  • Consent: obtain meaningful consent for the collection, use, and disclosure of personal information, in a form appropriate to the circumstances (for example, express consent where the information is sensitive).

  • Limiting Collection: collect only the information necessary for the identified purposes, and collect it only by fair and lawful means.

  • Limiting Use, Disclosure, and Retention: use or disclose personal information only for the purposes for which it was collected, unless the individual consents or the law requires otherwise, and retain it only as long as necessary for those purposes.

  • Accuracy: keep personal information as accurate, complete, and up to date as the purposes for which it is used require.

  • Safeguards: protect personal information with physical, technical, and organizational security measures appropriate to its sensitivity.

  • Openness: make the organization's personal information policies and practices readily available and easy to understand.

  • Individual Access: on request, tell individuals what personal information is held about them, give them access to it, and allow them to challenge its accuracy and have it corrected.

  • Challenging Compliance: provide a simple procedure for receiving and investigating complaints from individuals.

As to consent, express consent must be obtained in these circumstances:

  • when the information collected is sensitive, or

  • when the collection, use, or disclosure falls outside the individual's reasonable expectations, or

  • when it creates a meaningful risk of significant harm to the individual

Who investigates cybercrime in Canada? 

If you're the victim of a scam, fraud, or other cybercrime, it's best to consult a lawyer to learn your legal options and the proper steps to take.

You can also report fraud and scams to the Canadian Anti-Fraud Centre (CAFC), either online or by telephone.

If your personal information has been mishandled by an organization subject to PIPEDA, you can file a formal privacy complaint with the Office of the Privacy Commissioner of Canada (OPC).

Aside from the CAFC and the OPC, cybercrimes can also be reported to your local police.

Know more about Canada’s cybersecurity laws – get in touch with the best computer & IT lawyers as ranked by Lexpert.