Key Data and Cybersecurity Laws
What are the key data privacy laws and regulations?

Last review date: 18 December 2025

In Canada, data privacy and cybersecurity laws have been enacted at the federal and provincial/territorial levels. These laws apply to private sector entities, public sector entities, and prescribed persons or entities that collect, use, or disclose personal health information (e.g., “health information custodians” or “health and social services bodies,” depending on the jurisdiction). This chapter covers the data privacy and cybersecurity laws applicable to the collection, use, and disclosure of personal information in a commercial context by private sector entities only.

Quebec - Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (Quebec Act), the Regulation respecting confidentiality incidents, CQLR c A-2.1, r 3.1, and the Regulation respecting the anonymization of personal information, CQLR c A-2.1, r 0.1

What are the key cybersecurity laws and regulations?

Last review date: 18 December 2025

In Canada, the cybersecurity legal landscape is governed by various laws, including those addressing privacy, anti-spam, criminal liability, and intellectual property:

  • Generally, federal and provincial privacy laws in Canada regulate the way in which personal information can be collected, used or disclosed. On the federal level, PIPEDA requires an organization to notify affected individuals of any breach of security safeguards involving personal data under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual, which is a factual assessment that requires weighing the “sensitivity” of the personal information involved and the “probability” of its misuse. Similarly, on a provincial level, the Alberta PIPA and the Quebec Act include data breach reporting and notification requirements for private sector organizations. Data breaches may be reported to British Columbia’s private sector privacy regulator on a proactive and voluntary basis.
  • Canada's anti-spam legislation, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (CASL) protects consumers and businesses from spam and other electronic threats. CASL prohibits the following in the course of commercial activity: the alteration of transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender; the installation of a computer program on any other person's computer system without express consent or court order; and the sending of a commercial electronic message to an electronic address in order to induce or aid any of the above prohibitions, unless a valid exception prescribed under CASL permits such an activity.
  • The Criminal Code prohibits the unauthorized use of a computer, the possession of a device to obtain unauthorized use of a computer system or to commit mischief, and mischief in relation to computer data.
  • The Copyright Act includes civil and criminal remedies for the circumvention of technological protection measures and rights management information.