Key Data Privacy and Security Laws
How are data privacy and security laws/regulations implemented?

[Last updated: 27 January 2020]

☒ omnibus – all personal data

☒ sector-specific (e.g., healthcare, banking/finance, consumer credit reporting)

☒ constitutional

What are the key data privacy laws and regulations?

[Last updated: 30 September 2021]

In Canada, data privacy and security laws have been enacted at the federal and provincial/territorial level, which apply to private sector entities, public sector entities and "health information custodians". In the following, only the data privacy and security laws applicable to private sector entities are covered.

What are the key cybersecurity laws and regulations?

[Last updated: 30 December 2022]

In Canada, the cybersecurity legal landscape is governed by various laws including privacy, anti-spam, criminal liability, and intellectual property:

  • Generally, federal and provincial privacy laws in Canada regulate the way in which personal information can be collected, used or disclosed. At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires an organization to notify affected individuals of any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Similarly, at the provincial level, Alberta's Personal Information Protection Act (PIPA) and the recently amended Quebec Act respecting the protection of personal information in the private sector (the "Quebec Act") include data breach reporting and notification requirements for private sector organizations.
  • Canada's anti-spam legislation, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (CASL), protects consumers and businesses from spam and other electronic threats. In the course of commercial activity, CASL prohibits: (i) sending a commercial electronic message to an electronic address without the recipient's consent; (ii) altering transmission data in an electronic message so that the message is delivered to a destination other than, or in addition to, the one specified by the sender; (iii) installing a computer program on another person's computer system without express consent or a court order; and (iv) aiding or inducing any of the above.
  • The Criminal Code prohibits the unauthorized use of a computer (s. 342.1), the possession of a device to obtain unauthorized use of a computer system or to commit mischief (s. 342.2), and mischief in relation to computer data (s. 430(1.1)).
  • The Copyright Act provides civil and criminal remedies for the circumvention of technological protection measures and the tampering with rights management information.
Are new or material changes to those key data privacy and security laws anticipated in the near future?

[Last updated: 30 December 2022]

In June 2022, Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (Digital Charter Implementation Act, 2022), was introduced to overhaul PIPEDA and modernize the framework for the protection of personal information in the private sector. Bill C-27 is undergoing legislative review in Parliament and if passed, would introduce the following legislative updates:

  • The new Consumer Privacy Protection Act ("CPPA") would repeal Part 1 of PIPEDA and replace it with a new legislative regime governing the collection, use and disclosure of personal information in the course of commercial activity in Canada. This includes updated breach reporting, breach notification and security safeguard requirements. The CPPA would also enhance the role of the Office of the Privacy Commissioner of Canada in overseeing compliance with these measures.
  • The new Personal Information and Data Protection Tribunal Act would create a new administrative tribunal to hear appeals of orders issued by the federal Privacy Commissioner and to apply the new administrative monetary penalty regime created under the CPPA.
  • The Artificial Intelligence and Data Act (AIDA) outlines new measures to regulate international and interprovincial trade and commerce in artificial intelligence systems. AIDA would establish common requirements for the design, development and use of artificial intelligence systems, including measures to mitigate risks of harm and biased output. AIDA would also prohibit specific practices with data and artificial intelligence systems that may result in serious harm to individuals or their interests.

In June 2022, Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced to provide new cybersecurity protections for telecommunications service providers in Canada and to ensure that they take certain measures to mitigate or remedy cybersecurity risks. The bill would also enact the Critical Cyber Systems Protection Act (CCSPA), which, if passed, would require operators of any "critical cyber system" in Canada to establish a cybersecurity program that meets a number of prescribed safeguards and to notify their respective regulators of that program. These operators would also have new incident reporting obligations where a cybersecurity incident could interfere with the continuity of a vital system or service.

On 22 September 2021, Quebec's Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, received royal assent. Its provisions enter into force in phases over a period of three years from the date of assent. Through amendments to the Quebec Act, it increases administrative monetary penalties for violations and creates the following obligations for private sector entities:

  • Designate a person in charge of the protection of personal information within the organization (i.e., a privacy officer).
  • Report confidentiality incidents that present a "risk of serious injury" to an individual, and maintain a register of confidentiality incidents.
  • Conduct a privacy impact assessment before transferring personal information outside Quebec.
  • Inform data subjects when automated decision-making and profiling technologies are being used.
  • Establish and implement governance policies and practices regarding personal information that ensure the protection of such information.
  • Ensure that the parameters of the technological products or services used to collect personal information provide, by default, the highest level of confidentiality.
  • Give effect to data subjects' right to data portability.