Privacy in Canada is regulated by private and public sector legislation at both the federal and provincial levels. In the private sector, the privacy laws cover personal information collected and maintained for any commercial purpose, including contact databases, advertising and marketing, financial accounts and transactions, and the full range of digital, online and mobile services; in the public sector, they also cover information handled for non-commercial purposes.
Although differently worded, the federal private sector privacy law of general application (Personal Information Protection and Electronic Documents Act or “PIPEDA”) and the applicable provincial private sector laws address the same key concepts and rules:
- Consent to collection, use or disclosure of personal information in the course of commercial activities, for identified purposes, subject to specific exceptions including litigation, law enforcement and other statutory authority
- Personal information is defined broadly – essentially any information about an identifiable individual, although limitations to this scope are being tested (see recent Alberta UFCW case)
- An obligation to protect personal information with appropriate security safeguards and to take appropriate breach-response actions.
The public sector privacy laws address similar concepts to the private sector laws but replace the consent-based regime with a different framework: each activity (collection, use, disclosure) must rest on statutory authority, and is then enabled by notice to, rather than consent of, the individual. A further distinction is that these laws apply to non-commercial as well as commercial activities. Consent is still required for any use or disclosure for a purpose not included in the initial notice.
Most provinces have enacted personal health information laws which apply to both public and private sector organizations and other entities (including medical professionals). These laws broadly follow the general private sector privacy frameworks but contain provisions for implied consent within a “circle of care” as well as more extensive exceptions reflecting a breadth of acceptable health-related uses that are understood to not require consent, such as for urgent care, disclosure within a health system and as otherwise required or permitted by law.
Oversight of the privacy laws is carried out by independent regulators: federally, the Privacy Commissioner and, in many provinces, an Information and Privacy Commissioner. These regulators have the power to investigate and report and, depending on the jurisdiction, the power to make binding orders and, in certain cases, to impose penalties and other remedies. In most jurisdictions, private individuals also have a civil remedy in addition to any regulator-imposed sanctions.