Privacy in Canada is regulated by private and public sector legislation at both the federal and provincial levels. The privacy laws cover personal information collected and maintained for any commercial purpose, including contact databases, advertising and marketing, financial accounts and transactions, and the full range of digital, online and mobile functionality; in the public sector, they also cover information collected for non-commercial purposes.
Although differently worded, the federal private sector privacy law of general application (Personal Information Protection and Electronic Documents Act or “PIPEDA”) and the applicable provincial private sector laws address the same key concepts and rules:
- Consent to the collection, use or disclosure of personal information in the course of commercial activities, for identified purposes, subject to specific exceptions including litigation, law enforcement and other statutory authority.
- Personal information is defined broadly, as essentially any information about an identifiable individual, although the limits of this scope are being tested (see the Alberta UFCW case).
- An obligation to protect personal information with appropriate security safeguards and to take appropriate breach-response actions.
- An obligation to report breaches to the regulator and to notify affected individuals.
The public sector privacy laws address similar concepts to the private sector laws but replace the private sector consent-based regime with an alternative framework: the relevant activities (collection, use, disclosure) require statutory authority and are then enabled by notice to, rather than consent of, the individual. A further distinction is that these laws apply to non-commercial as well as commercial uses. Consent is required for any use or disclosure for a purpose not included in the initial notice.
Most provinces have enacted personal health information laws which apply to both public and private sector organizations and other entities (including medical professionals). These laws broadly follow the general private sector privacy frameworks but contain provisions for implied consent within a “circle of care” as well as more extensive exceptions reflecting a breadth of acceptable health-related uses that are understood to not require consent, such as for urgent care, disclosure within a health system and as otherwise required or permitted by law.
Oversight of the privacy laws is carried out by independent regulators: federally, the Privacy Commissioner and, in many provinces, the Information and Privacy Commissioner. These regulators have the power to investigate and report, the power to make orders, and in certain cases the power to impose penalties and other remedies. In most jurisdictions, private individuals also have a right of civil remedy in addition to regulator-imposed sanctions.
Recent years have seen developments that shift the focus of privacy laws towards digital data. Most importantly, reform initiatives at both the federal and provincial levels have progressed, with significant potential impacts on technology and data: they strengthen the levers for protecting personal information while also facilitating its use for innovation.
These reform initiatives may be characterized as “second-generation” privacy laws, which in large part take their inspiration from the EU’s General Data Protection Regulation (GDPR). The GDPR, which became law in 2018, established a more rigorous and potentially far-reaching level of mandatory privacy law than the “first-generation” laws of which the EU’s 1995 Data Protection Directive and Canada’s PIPEDA were representative. These laws are anchored in a user “rights” framework that articulates strong protections for individuals whose information is processed by automated decision systems such as artificial intelligence and machine learning, requiring organizations using such systems to proactively notify individuals of such processing and to provide them with the ability to object.