Last review date: 18 December 2024
Federal – Office of the Privacy Commissioner of Canada (OPC)
Federal – Office of the Superintendent of Financial Institutions (OSFI)
Federal – Canadian Radio-television and Telecommunications Commission (CRTC)
Alberta – Information and Privacy Commissioner of Alberta (Alberta OIPC)
British Columbia – Information and Privacy Commissioner for British Columbia (BC OIPC)
Quebec – Commission d'accès à l'information du Québec (Quebec CAI)
As the OPC continues to advocate strongly for the enhancement of its enforcement powers through the proposed privacy modernization legislation, it is expected to continue to make full use of the mechanisms already at its disposal, especially investigations into complaints involving businesses subject to PIPEDA to help ensure commercial organizations' digital practices respect the privacy rights of Canadians. If passed, the new federal privacy laws will provide the OPC with strengthened enforcement abilities, including broad order-making powers and authority to impose higher financial penalties for violations.
The OPC launched a secure portal that allows organizations to submit their data breach reports and facilitates subsequent communications about the breach. The updated process is intended to let the OPC resolve breach files more efficiently and promptly. Recent OPC investigations into alleged PIPEDA violations by private sector organizations have focused on data breaches, the use of audio and video surveillance, location tracking through applications, and the obtaining of customer consent. In particular, the OPC has focused on breaches resulting from cyber incidents involving compromised credentials (for example, through hacking, malware or phishing) and on the unauthorized disclosure of personal information. In the near future, the OPC will complete and implement a transition plan for the effective implementation of the new federal privacy laws, once they are in effect. Additionally, the OPC will focus on the privacy impacts of artificial intelligence and generative AI. The OPC will enhance its internal capacity and capabilities and create a strong foundation for collaborative decision-making to effectively tackle the privacy challenges posed by emerging technologies.
The recent investigations and decisions by the Alberta OIPC, in relation to alleged violations of the Alberta PIPA, focused primarily on data breaches, including unauthorized access to personal information, unauthorized disclosure of personal information, and loss of personal information. Through its investigations, the Alberta OIPC found that the most common cause of breaches is compromised electronic information systems. The Alberta OIPC aims to enhance its internal processes for more timely and efficient work and will continue advocating for the modernization of Alberta's access and privacy laws.
The recent investigations and decisions by the BC OIPC, in relation to alleged violations of the BC PIPA, focused primarily on the right to access personal information and on the collection of information through video surveillance systems and facial recognition systems. The BC OIPC also intends to focus on enhancing the protection of personal information through rigorous compliance audits and investigations, particularly in the health sector.
Under the amended Quebec Act, organizations must now appoint an internal privacy officer and comply with mandatory incident reporting requirements where there is a "risk of serious injury" to an impacted individual. Effective 22 September 2023, organizations are required to: (i) implement data governance policies; (ii) perform privacy impact assessments before transferring personal information outside of the Province of Quebec; (iii) inform data subjects when automated decision-making and profiling technologies are being used; (iv) comply with enhanced consent requirements; (v) develop an external privacy policy in clear and plain language; (vi) implement "privacy by default" to products and services offered to the public; and (vii) comply with personal information anonymization and destruction requirements. Effective 22 September 2024, organizations must comply with data subject rights to data portability. Under the amended private sector privacy regime, the Quebec CAI is also able to impose significant administrative penalties. It is anticipated that the Quebec CAI will continue to focus on enforcement activities related to the implementation of the amended and new requirements under the Quebec Act.
The CRTC has a wide range of investigative and enforcement powers under CASL, including the ability to impose administrative monetary penalties, execute search warrants, seize items, and obtain judicially authorized injunctions against suspected offenders. The CRTC will continue to enforce compliance with the Unsolicited Telecommunications Rules (UTR), CASL, and the Voter Contact Registry (VCR) by issuing notices of violation, preservation demands, and warning letters. Additionally, the CRTC will focus on combating scam communications and on enhancing the reliability and safety of telecommunications networks, including by setting requirements for the reporting of major service outages.
OSFI will implement the final Integrity and Security Guideline, which sets out expectations for financial institutions to protect against security threats, including foreign interference. Additionally, OSFI will continue to develop new guidance for the sound management of technology and cyber risk, ensuring that institutions are resilient against evolving cyber threats. The regulator has released an updated advisory on Technology and Cyber Security Incident Reporting, which promotes a coordinated and integrated approach to how OSFI monitors and responds to technology and cybersecurity incidents at Federally Regulated Financial Institutions (FRFIs). OSFI has also developed its Cyber Security Self-Assessment tool to assist FRFIs in further assessing and improving their cyber preparedness.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Staying the same
Class actions/group actions under data or cyber regulation are:
☒ Staying the same
There are:
☒ administrative remedies / civil penalties applied by regulators and law enforcement
The OPC, Alberta OIPC, BC OIPC and Quebec CAI have the power to investigate complaints from individuals or initiate investigations on their own accord and publish public reports of findings. The OPC cannot make enforceable orders, but the Alberta OIPC, BC OIPC and Quebec CAI can. The OPC can however, after an investigation, make an application to the Federal Court, which has broad order-making powers. The OPC can also enter into compliance agreements with organizations.
☒ criminal penalties from regulators and law enforcement
PIPEDA: Organizations that commit offenses may be subject to fines of up to CAD 100,000.
Alberta PIPA: Organizations that commit offenses may be subject to fines of up to CAD 100,000.
BC PIPA: Organizations that commit offenses may be subject to fines of up to CAD 100,000.
Quebec Act: Following significant increases to monetary penalties effective September 2023, a failure to comply with the Quebec Act's requirements for the collection, storage, communication or use of personal information may result in an administrative monetary penalty imposed by the Quebec CAI of up to CAD 50,000 (approximately USD 40,000) in the case of a natural person and, in all other cases, CAD 10 million (approximately USD 8 million) or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year. Penal (court-imposed) fines for offences under the Quebec Act are higher still, reaching up to CAD 100,000 for a natural person and, in all other cases, CAD 25 million (approximately USD 20 million) or, if greater, 4% of worldwide turnover for the preceding fiscal year.
CASL: Organizations that fail to comply with certain direct marketing provisions of CASL may be subject to administrative monetary penalties of up to CAD 10 million (approximately USD 8 million).
☒ private remedies
PIPEDA: Although PIPEDA does not establish a specific private right of action, a failure to comply with PIPEDA may nonetheless give rise to civil actions and class actions. A complainant may also, after filing a complaint with the OPC and after receiving the OPC's report of findings or being notified that the complaint has been discontinued, apply to the Federal Court for a hearing. The Federal Court may, in addition to other remedies, order an organization to correct its practices to comply with PIPEDA or award damages to the complainant, including damages for any humiliation that the complainant has suffered.
Alberta PIPA: Where the right of appeal for an order made or conviction issued for a breach of Alberta PIPA has been exhausted, an individual affected by the breach has a cause of action for damages for loss or injury they suffered as a result of the breach or conduct.
BC PIPA: Where the right of appeal for an order made or conviction issued for a breach of BC PIPA has been exhausted, an individual affected by the breach has a cause of action for damages for the actual harm they suffered as a result of the breach or conduct.
Quebec Act: Failure to comply with the Quebec Act may result in civil actions, class actions, or private rights of action. An individual may appeal a final decision of the Quebec CAI and may also apply for leave to appeal from an interlocutory decision of the regulator. Effective from 22 September 2023, individuals can sue private sector organizations for damages pursuant to a new private right of action provision under the amended Quebec Act or under articles 35 to 40 of the Civil Code of Quebec. If the infringement is intentional or results from gross negligence, the court can also award punitive damages of at least CAD 1,000 (approximately USD 799).