Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 18 December 2024

☒ omnibus – all personal data

☒ sector-specific — e.g., financial institutions, governmental bodies

☒ constitutional

☒ jurisprudence / case law

What are the key data privacy laws and regulations?

Last review date: 18 December 2024

In Canada, data privacy and cybersecurity laws have been enacted at the federal and provincial/territorial levels. These laws apply to private sector entities, public sector entities, and "health information custodians." This chapter covers the data privacy and cybersecurity laws applicable to private sector entities only.

What are the key cybersecurity laws and regulations?

Last review date: 18 December 2024

In Canada, the cybersecurity legal landscape is governed by various laws including privacy, anti-spam, criminal liability, and intellectual property:

  • Generally, federal and provincial privacy laws in Canada regulate the way in which personal information can be collected, used or disclosed. On the federal level, PIPEDA requires an organization to notify affected individuals of any breach of security safeguards involving personal data under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Similarly, on a provincial level, the Alberta PIPA and the Quebec Act include data breach reporting and notification requirements for private sector organizations.
  • Canada's anti-spam legislation, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (CASL) protects consumers and businesses from spam and other electronic threats. CASL prohibits the following in the course of commercial activity: the alteration of transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender; the installation of a computer program on any other person's computer system without express consent or court order; and the sending of a commercial electronic message to an electronic address in order to induce or aid any of the above prohibitions.
  • The Criminal Code prohibits the unauthorized use of a computer, the possession of a device to obtain unauthorized use of a computer system or to commit mischief, and mischief in relation to computer data.

The Copyright Act includes civil and criminal remedies for the circumvention of technological protection measures and rights management information.

What are the key laws and regulations relating to non-personal data?

Last review date: 18 December 2024

Canada does not have a comprehensive framework of laws and regulations relating to non-personal data as compared to the European Union. However, proposed legislation Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, if passed, would enact the Critical Cyber Systems Protection Act (CCSPA). The CCSPA would introduce obligations on operators of any critical cyber system, which is any cyber system that, if compromised, could affect the continuity or security of a "vital system" or service. Banks and telecommunications systems would be considered "vital systems." The CCSPA would authorize the exchange of information, including confidential information, between certain parties in relation to the making, amending or revoking of a cyber security direction. Confidential information refers to information relating to a critical cyber system that concerns vulnerability, method of protection, and risks from disclosure that could lead to financial or competitive harm or interference with contractual or other negotiations. There would also be rules for the handling and protection of confidential information under the CCSPA.

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 18 December 2024

Yes.

In June 2022, Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (Digital Charter Implementation Act, 2022), was introduced to overhaul PIPEDA and modernize the framework for the protection of personal information in the private sector. Bill C-27 is undergoing legislative review in Parliament and if passed, would introduce the following legislative updates:

  • The new Consumer Privacy Protection Act ("Act") would repeal parts of the PIPEDA and replace them with a new legislative regime governing the collection, use, and disclosure of personal information for commercial activity in Canada. This includes updated breach reporting, breach notification, and security safeguard requirements. The Act would also enhance the role of the Office of the Privacy Commissioner of Canada in overseeing compliance with these measures.
  • The new Personal Information and Data Protection Tribunal Act would create a new administrative tribunal to hear appeals of orders issued by the federal Privacy Commissioner and apply a new administrative monetary penalty regime created under the Consumer Privacy Protection Act.
  • The Artificial Intelligence and Data Act (AIDA) outlines new measures to regulate international and interprovincial trade and commerce in artificial intelligence systems. AIDA would establish common requirements for the design, development, and use of artificial intelligence systems, including measures to mitigate risks of harm and biased output. AIDA would also prohibit specific practices with data and artificial intelligence systems that may result in serious harm to individuals or their interests.

In June 2022, Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced to provide new cybersecurity protections for telecommunications service providers in Canada as well as to ensure that they take certain measures to mitigate or remedy cybersecurity risks. This bill also introduces the CCSPA, which if passed, would require operators of any "critical cyber system" in Canada to create a cybersecurity program that meets a number of prescribed safeguards and to notify their respective regulators of their programs. These operators would also have new breach reporting obligations where a cybersecurity incident could interfere with the continuity of a vital system or service. Bill C-26 has passed its third and final reading in the Senate, although it is not yet in force.

On 22 September 2021, Quebec's Bill 64, Act to Modernize Legislative Provisions respecting the Protection of Personal Information ("Act"), received royal assent. This Act entered into force in phases over a period of three years from the date of assent, with the final set of amendments entering into force on 22 September 2024. This Act increases monetary administrative penalties for violations and creates the following obligations for private sector entities through amendments to the Quebec Act:

  • Designate a person to be in charge of the protection of personal information within the organization (i.e., privacy officer); mandatory confidentiality incident reporting where there is "risk of serious injury" to an individual and maintenance of a confidentiality incident register
  • Mandatory privacy impact assessments before transferring personal information outside of Quebec
  • Inform data subjects when automated decision-making and profiling technologies are being used
  • Establish and implement governance policies and practices regarding personal information that ensure the protection of such information
  • Ensure that the parameters of the technological products or services used to collect personal information, by default, provide the highest level of confidentiality
  • Ensure rights of data subjects to data portability