[Last updated: 27 January 2020]
☒ omnibus – all personal data
e.g., healthcare, banking/finance, consumer credit reporting
[Last updated: 30 September 2021]
In Canada, data privacy and security laws have been enacted at the federal and provincial/territorial level, which apply to private sector entities, public sector entities and "health information custodians". In the following, only the data privacy and security laws applicable to private sector entities are covered.
[Last updated: 30 December 2022]
In Canada, the cybersecurity legal landscape is governed by various laws including privacy, anti-spam, criminal liability, and intellectual property:
[Last updated: 30 December 2022 ]
In June 2022, Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (Digital Charter Implementation Act, 2022), was introduced to overhaul PIPEDA and modernize the framework for the protection of personal information in the private sector. Bill C-27 is undergoing legislative review in Parliament and if passed, would introduce the following legislative updates:
In June 2022, Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced to provide new cybersecurity protections for telecommunications service providers in Canada as well as to ensure that they take certain measures to mitigate or remedy cybersecurity risks. This bill also introduces the Critical Cyber Systems Protection Act (CCSPA), which if passed, would require operators of any "critical cyber system" in Canada, to create a cybersecurity program that meets a number of prescribed safeguards and to notify their respective regulators of their programs. These operators would also have new breach reporting obligations where a cybersecurity incident could interfere with the continuity of a vital system or service.
On 22 September 2021, Quebec's Bill 64, Act to Modernize Legislative Provisions respecting the Protection of Personal Information ("Act"), received royal assent. This Act enters into force in phases over a period of three years from the date of assent. This Act increases monetary administrative penalties for violations and creates the following obligations for private sector entities through amendments to the Quebec Act: