Canadian data privacy laws: Everything you need to know

Know more about Canada’s data privacy laws, such as the PIPEDA and the CPPA, and its effect to individuals and businesses with this article
Canadian data privacy laws: Everything you need to know

Does Canada have data privacy laws? 

As an individual, business, company, or corporation, it is important to know about Canadian data privacy laws which may affect your personal information or your business’s data, who can view such information, and how it may be used by other parties. 

Canadian data privacy laws fall under the purview of both federal and provincial or territorial governments. Both levels of government have enacted laws that govern different aspects of protecting information handled by public or private organizations. 

Provincial Data Privacy Laws 

Some of the data privacy laws at the provincial level are: 

  • Alberta’s Personal Information Protection Act 
  • British Columbia’s Personal Information Protection Act 
  • Quebec’s Private Sector Act 

There are other provincial laws in Canada which require that personal data remain in the country and not be disclosed overseas. One such law is the Personal Health Information Protection Act (PHIPA) of Ontario which governs the collection, handling, and protection of personal healthcare information. 

Federal Data Privacy Laws 

On the other hand, the two main Canadian data privacy laws enacted at the federal level are the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).  

Other regulations such as the Digital Privacy Act support these two laws through amendments and other methods for protecting personal data.  

Privacy Act 

The Privacy Act applies to information collected and stored by the Government of Canada from private individuals and from its federal employees through its government institutions.  

The Act states that personal data may only be collected by the government when it is related to its programs (Section 4).  Such details protected from being disclosed without the consent from the individual (Section 8(1)) except for the purposes for which it was collected (Section 7). 

The Act has also established a person’s right to access their information upon their request (Sections 12 and 13). When any of these rights have been violated, the Privacy Commissioner is empowered to receive and investigate complaints (Section 29). These may include allegations that an individual’s personal information was used and disclosed without their consent, or when they have been refused access to their personal data. 

Personal Information Protection and Electronic Documents Act (PIPEDA) 

This Canadian data privacy law governs the collection, use, handling, and disclosure of personal information during the commercial activities (Section 4) of private organizations. 

Canadian Digital Privacy Act 

The Canadian Digital Privacy Act introduced numerous amendments to the PIPEDA. One of these changed the definition of “personal information” to “information about an identifiable individual” as now found in Section 2(1) of the PIPEDA.  

Another change was specifying what constituted a “valid consent”. Section 6.1 of the PIPEDA now states that consent is valid only if an individual is reasonably expected to understand why their personal details are being collected.  This includes an understanding of the consequences for any breach or violation. 

Personal Information 

The PIPEDA, as amended by the Canadian Digital Privacy Act, now has a large scope when defining “personal information” (Section 2(1)). Since it now means all information “about an identifiable individual”, it may include a person’s: 

  • ID numbers 
  • financial information (e.g., salaries, wages, credit or banking records) 
  • employment history 
  • ethnic or Indigenous origin 
  • medical records (e.g., blood type, medical history) 
  • personal views and opinions 
  • digital footprints (e.g., sites you visited, information given to websites) 
  • usual information such as name, age, address, sex, and gender 

Protection of Personal Information 

As a rule, the collection, use, and disclosure of personal data cannot be done without the express consent of the person whose information is being collected.  

Private companies are responsible for their storage and protection against third party intrusions. These organizations may designate an individual or individuals for this purpose (Schedule 1, 4.1). 

The collection, use, and disclosure of personal data by private companies must also be for the appropriate purpose/s of that company and those which an individual may assume to be appropriate in each circumstance (Section 5(1)(3)).  

Private companies must exert all efforts to inform individuals what information will be collected, how it will be stored and used, whether it will be passed on to third parties, and for what purpose. 

Breaches and Complaints 

When there is a data breach under the control of a private company, that company should report the breach to the Privacy Commissioner. The company will also notify the affected individuals (Division 1.1).  

The PIPEDA grants remedies to individuals whose rights may have been violated, such as the filing of a complaint before the Privacy Commissioner (Section 11). This will then trigger an investigation into the complaint (Section 12).  

If such an investigation has been discontinued, the complainant may ask the court for a hearing (Section 14). 

Consumer Privacy Protection Act (CPPA) 

Bill C-27 or the Consumer Privacy Protection Act (CPPA) is a proposed law in Canada to amend certain provisions of the PIPEDA. Introduced in 2022, the Bill is currently for consideration in the House of Commons. It has yet to undergo other processes before it is passed into law.  

If enacted in its current form, the CPPA will amend PIPEDA’s specific provisions on consent requirements and penalties for non-compliance on data protection. 

Does Canada have to comply with GDPR? 

Canadian organizations in the EU would have to comply with the General Data Protection Regulation (GDPR). Under this law, those not previously covered by European data protection legislation are now included under the GDPR.  

GDPR now governs organizations that control or process data or information, including those that collect, use, disclose, and store personal data for the purchase of goods or services in the EU. The GDPR also covers entities that monitor the behaviour of individuals in the EU in connection to these purchases. 

Do you have more questions regarding Canadian data privacy laws? Get in touch with the best data protection and privacy lawyers in Canada for more information.