Privacy in Canada is regulated through a mix of constitutional, statutory and common law. The most fundamental protection is provided by Section 8 of the Charter of Rights and Freedoms, which states that 'everyone has the right to be secure against unreasonable search or seizure'. This ensures a reasonable expectation of privacy for citizens in relation to the state.
There are also laws that apply to the collection, use and disclosure of personal information by organisations in the public and private sectors at the federal, provincial and territorial levels. Finally, organisations in both sectors are increasingly required to defend privacy-related lawsuits based on statutory and common law torts.
This chapter focuses on the aspects of Canadian privacy law that apply to private sector organisations.
II THE YEAR IN REVIEW
Privacy breach notification requirements under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect on 1 November 2018.2 Private sector organisations subject to the law are now required to notify affected individuals, and to report to the Privacy Commissioner of Canada, any breach of security safeguards that creates a real risk of significant harm to an individual. They must also keep a record of every breach of security safeguards, whether or not it meets that reporting threshold.3
In May 2019, the government of Canada published a discussion document entitled 'Proposals to modernize the Personal Information Protection and Electronic Documents Act', which describes options, considerations and questions on such matters as: providing consumers with more meaningful controls and transparency; data mobility rights; online reputation and de-indexing; encouraging innovation through data trusts for enhanced data sharing; and enhancing oversight and enforcement. The government, which published this document as a follow-up to the Standing Committee on Access to Information, Privacy and Ethics (ETHI) review of PIPEDA completed in February 2018,4 is still at a relatively early stage of considering PIPEDA amendments. It will likely be several years before any legislative amendments are made.
Finally, in June 2019, the Office of the Privacy Commissioner of Canada (OPC) published a consultation document on transborder data flows that, among other things, revisits a long-standing OPC interpretation of PIPEDA under which transfers of personal information to third-party organisations for 'processing' are not 'disclosures', and are therefore not subject to consent requirements.5
III REGULATORY FRAMEWORK
i Overview of privacy and data protection legislation and standards
Private-sector organisations are subject to privacy legislation that governs the collection, use and disclosure of personal information in the course of commercial activities throughout Canada. Organisations must be cognisant of the various laws that exist at the federal and provincial levels due to shared jurisdiction over the regulation of privacy.
The federal PIPEDA, which began to come into force on 1 January 2001, applies to organisations that are federally regulated, including telecommunications service providers, railways, banks and airlines. It also applies to provincially and territorially regulated organisations in provinces and territories that have not passed their own private sector privacy legislation deemed 'substantially similar' to PIPEDA. Only three provinces currently have such substantially similar private-sector privacy legislation in force: Alberta, British Columbia and Quebec.6
Although there are some differences between these laws, they are generally quite similar in application. Most importantly, these laws are all based on the fair information practice principles established under the Canadian Standards Association Model Code for the Protection of Personal Information7 (CSA Model Code), which is incorporated directly into the text of PIPEDA. The CSA Model Code, which was developed through a collaborative effort involving industry, government and consumer groups and adopted in 1996, establishes the following 10 principles:
- accountability;
- identifying purposes;
- consent;
- limiting collection;
- limiting use, disclosure and retention;
- accuracy;
- safeguards;
- openness;
- individual access; and
- challenging compliance.
ii Definition of personal information
The most important concept in privacy legislation is 'personal information'. Personal information is defined broadly as 'any information about an identifiable individual'. The Supreme Court of Canada has held that this definition must be given a broad and expansive interpretation.8
Personal information includes such things as a person's name, race, ethnic origin, religion, marital status, educational level, email addresses and messages, internet protocol (IP) address, age, height, weight, medical records, blood type, DNA code, fingerprints, voiceprint, income, purchases, spending habits, banking information, credit or debit card data, loan or credit reports, tax returns, social insurance number or other identification numbers.
Information does not need to be recorded for it to be personal. For example, information could be in the form of an oral conversation, or real-time video that is not recorded.9
Information must be about a person who is 'identifiable' to be 'personal'. The Federal Court of Canada has held that: 'information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information'.10
The Privacy Commissioner of Canada (Commissioner), who is responsible for oversight of PIPEDA, has taken an expansive approach to this question in the past. For example, in one investigation involving the use of deep packet inspection technologies by an internet service provider (ISP), the Commissioner held that the IP addresses collected by the ISP were personal information even though they were not linked to individuals, because the ISP had the ability to make such a link.11
Perhaps even more notable is the Commissioner's approach to online behavioural advertising (OBA). The Commissioner has taken the position that much of the information used to track and target individuals with interest-based advertisements online – including such things as IP addresses, browser settings, internet behaviour – is personal information even where individuals are not personally identified. The Commissioner explained that:
In the context of OBA, given the fact that the purpose behind collecting information is to create profiles of individuals that in turn permit the serving of targeted ads; given the powerful means available for gathering and analysing disparate bits of data and the serious possibility of identifying affected individuals; and given the potentially highly personalised nature of the resulting advertising, it is reasonable to take the view that the information at issue in behavioural advertising not only implicates privacy but also should generally be considered 'identifiable' in the circumstances. While such an evaluation will need to be undertaken on a case-by-case basis, it is not unreasonable to generally consider this information to be 'personal information'.12
There are few precedents in Canadian law that have restrained this expansive approach to interpreting personal information.
To varying degrees, privacy laws contain exceptions for business contact information, including the name, title and contact information for a person in a business context. As of June 2015, 'business contact information', including the 'position name or title, work address, work telephone number, work fax number or work electronic address' of an individual was excluded from PIPEDA.
iii General obligations for data handlers
As described above, privacy legislation is based on 10 fair information practice principles. This section provides a brief description of the primary obligations for data handlers arising under each of these principles.
Principle 1 – accountability
'An organisation is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organisation's compliance with the following principles.'
Accountability speaks to the obligations of organisations to establish privacy-related policies and procedures, and to designate staff who are responsible for ensuring that an organisation is compliant with privacy legislation. Organisations are also expected to provide employees with privacy training.
The accountability principle imposes obligations on organisations to ensure that personal information is adequately protected when transferred to a third party for processing. Accordingly, organisations that rely on service providers to process personal information on their behalf (e.g., payroll services) must, through contractual means, ensure that personal information will be handled and protected in accordance with privacy legislation. This requirement applies regardless of whether personal information is transferred to an organisation within or outside Canada.
Principle 2 – identifying purposes
'The purposes for which personal information is collected shall be identified by the organisation at or before the time the information is collected.'
This principle, often referred to as providing 'notice', requires organisations to document and identify the purposes for which they collect personal information. It is closely related to the requirement to obtain consent and to the openness principle.
Notice must be properly targeted to the intended audience. This can pose a challenge as the Commissioner expects organisations to fully explain sometimes complicated technical issues (e.g., OBA) in a manner that can be easily understood by any person who may use the organisation's product or service. It is for this reason that the Commissioner often recommends the use of 'layered' privacy notices to explain more technical issues.
Principle 3 – consent
'The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except when inappropriate.'
Of the 10 principles, consent is possibly the single most important and complex requirement. As a general rule, organisations are required to have consent before collecting, using or disclosing personal information. For consent to be valid under PIPEDA, it must be reasonable to expect that the individual would understand the nature, purposes and consequences of the collection, use or disclosure of his or her personal information.
Consent can either be express or implied. Although the concept is somewhat flexible, 'express consent' generally means that a person provides some form of affirmative indication of their consent. It is for this reason that express consent is often equated with 'opt-in' consent. Alternatively, as stated in the CSA Model Code, 'implied consent arises where consent may be reasonably inferred based on the action or inaction of the individual'.
Whether consent can be express or implied depends on a few factors. Express consent is almost always required whenever 'sensitive' personal information is involved. This includes, for example, information pertaining to a person's race or ethnicity, health or medical condition, or financial information (e.g., income, payment information).
The concept of 'primary purpose and secondary purposes' is also relevant to the form of consent required. A primary purpose is one that is reasonably necessary to provide a product or service; for example, the collection and use of an individual's address may be necessary to deliver a product ordered online. In this case, consent would be implied to collect and disclose an individual's mailing address to a delivery company.
However, marketing or advertising is almost always considered a secondary purpose. For example, an organisation would require express consent to collect and disclose an individual's mailing address to a third party for the purpose of sending marketing materials.13
Note that organisations are prohibited from requiring an individual to consent to the collection, use or disclosure of personal information for a secondary purpose as a condition of providing a product or service.14
A third form of consent, which is sometimes viewed as falling between express and implied consent, is 'opt-out' consent. Opt-out consent means that an individual is provided with notice and the opportunity to express non-agreement to a given collection, use or disclosure. Otherwise, consent will be assumed. The Privacy Commissioner has held that it is acceptable to rely on opt-out consent so long as the following conditions are met:
- the personal information is demonstrably non-sensitive in nature and context;
- the context in which information is shared is limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure;
- the organisation's purposes are limited and well defined, stated in a reasonably clear and understandable manner, and brought to the individual's attention at the time the personal information is collected;
- the organisation obtains consent for the use or disclosure at the time of collection, or informs individuals of the proposed use or disclosure, and offers the opportunity to opt out, at the earliest opportunity; and
- the organisation establishes a convenient procedure for opting out of or withdrawing consent to secondary purposes, with the opt-out taking effect immediately and before any use or disclosure of personal information for the proposed new purposes.15
There are a number of exceptions to the need to obtain consent for the collection, use or disclosure of personal information, including the following:
- for a purpose that is clearly in the interest of the individual and consent cannot be obtained in a timely way (e.g., emergencies);
- for purposes related to law enforcement activities, or to comply with warrants or court orders;
- where personal information is 'publicly available' as defined under privacy legislation;16 and
- in business transactions (e.g., sale of a business), provided that the parties agree to only use and disclose personal information for purposes related to the transaction, protect the information with appropriate security safeguards, and return or destroy the information where the transaction does not go through.
Principle 4 – limiting collection
'The collection of personal information shall be limited to that which is necessary for the purposes identified by the organisation. Information shall be collected by fair and lawful means.'
This principle is relatively simple and self-explanatory: organisations must not collect more information than is required for a stated purpose.
Principle 5 – limiting use, disclosure and retention
'Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.'
Related to the previous principle, organisations must not use or disclose personal information for purposes beyond those for which the information was originally collected. If an organisation seeks to use or disclose personal information for a new purpose, then consent must be obtained.
Organisations are required to establish clear retention policies and securely destroy information that is no longer necessary. Although it may be tempting for organisations to retain information indefinitely given the low cost of data storage, a failure to establish retention policies risks a violation of this principle. Moreover, not having retention policies can substantially increase an organisation's risks and costs in the event of a data breach.
Principle 6 – accuracy
'Personal information shall be as accurate, complete and up to date as is necessary for the purposes for which it is to be used.'
Organisations have an obligation to ensure that personal information is accurate and up to date; however, the degree of accuracy required may depend on the purpose for which the information is used. For example, there may be a heightened obligation to ensure the accuracy of credit information, given that this information forms the basis of significant financial decisions about an individual.17
Despite this general obligation, organisations are prohibited from routinely updating personal information where it is unnecessary to do so.
Principle 7 – safeguards
'Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.'
Organisations are required to implement physical, administrative and technical measures to prevent the loss, theft, and unauthorised access, disclosure, copying, use or modification of personal information.
Canadian law is not prescriptive with respect to safeguards, and the specific measures that are appropriate depend on factors such as the sensitivity of the information involved, the foreseeable risks and harms, and the cost of the safeguards. That said, the Privacy Commissioner expects organisations to implement certain measures, such as: the use of encryption wherever possible, and especially where sensitive personal information is involved; limiting access to personal information to those employees who require it and who are required to sign an oath of confidentiality; and maintaining audit logs for databases containing personal information.
Principle 8 – openness
'An organisation shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.'
As stated above, the openness principle is closely related to Principle 2 – identifying purposes. Essentially, this principle requires organisations to provide privacy policies (or notices). Privacy policies are expected to meet the following requirements:
- provide a full description of what information is collected, used and disclosed, and for what purposes;
- be easily accessible, accurate and easily understood by the average person;
- inform an individual of his or her right to access and to request corrections of his or her personal information, and how to do so;
- generally describe the security measures in place to protect personal information;
- inform individuals if personal information is transferred to foreign jurisdictions; and
- provide contact information for the organisation's privacy officer or other person who can respond to inquiries about the organisation's information handling practices.
The Privacy Commissioner also emphasises the value of augmenting privacy notices with other forms of notice, including 'just in time' notices (e.g., through pop-ups and interstitial pages) and layering notices to provide further information about more complex issues for those who seek such information and icons where applicable (e.g., the 'Ad Choices' icon for OBA).
In 2013, the Privacy Commissioner participated in the Global Privacy Enforcement Network Internet Privacy Sweep, which looked at privacy policies on 326 websites in Canada and 2,186 websites worldwide. The Commissioner noted concerns in almost half of the Canadian websites.18 In an example of 'naming and shaming', the Commissioner called out specific examples of privacy policies that he considered constituted the 'good, the bad and the ugly of privacy policies'.19
Principle 9 – individual access
'Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.'
Organisations are obliged to provide individuals with access to their personal information within a reasonable time frame. This obligation is subject to limited exceptions; for example, organisations may either be allowed or obliged to refuse access where disclosure would reveal personal information about another person; the information is subject to privilege, trade secrets or is confidential information; or the information pertains to law enforcement activity.
Organisations must also allow individuals to request corrections to their personal information. Where such corrections are refused (e.g., information is accurate), an organisation must make a notation on the individual's file that a correction was requested as well as the reason for refusing the correction.
Organisations may charge a fee; however, fees must be reasonable.
Principle 10 – challenging compliance
'An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organisation's compliance.'
Organisations are required to designate a person who can respond to questions and complaints, and establish a process for responding to questions and complaints.
iv Technological innovation and privacy law
Privacy laws are intended to be 'technologically neutral', meaning the principles upon which they are based apply equally to all technologies.
However, one technology that has proven particularly challenging is OBA. After years of uncertainty about how Canadian privacy law applies to OBA,20 the Privacy Commissioner decided to address the issue by publishing its Policy Position on Online Behavioural Advertising (Policy Position).21
As described above, the Privacy Commissioner considers much of the information used for OBA purposes to be personal information. Thus, according to the Privacy Commissioner, PIPEDA (and other privacy legislation) applies to OBA.
The Policy Position is generally positive – it signals that the Privacy Commissioner is willing to accept some form of opt-out consent as sufficient for organisations that use OBA. This position is more lenient towards business interests in comparison to the strict opt-in approach adopted by the European Union.
The Office of the Privacy Commissioner (OPC) has adapted its opt-out consent framework to OBA, setting out the following conditions:
- individuals are informed about OBA in a clear and understandable manner at or before the time of collection;
- organisations should rely on online banners, layered policies and interactive tools. Purposes must be obvious and cannot be 'buried' in privacy policies. This includes information about various parties involved in OBA (e.g., networks, exchanges, publishers and advertisers);
- individuals can easily opt out, ideally at or before the time of collection;
- the opt-out takes effect immediately and is persistent;
- information is limited to non-sensitive information, to the extent practicable;22 and
- information is destroyed as soon as possible or effectively de-identified.
Consistent with past guidance on the issue, the OPC emphasises the need for clear and understandable descriptions of OBA, given the challenges of clearly explaining such a complex issue.
The OPC has published research and guidance in recent years that considers the application of privacy law to other technologies and issues, including facial recognition,23 wearable computing,24 drones25 and genetic information.26
v Specific regulatory areas
The coming into force of Canada's anti-spam legislation (CASL) in 2014 was one of the most significant privacy-related developments in years. The law establishes rules for sending commercial electronic messages (CEMs) and for the installation of computer programs, and prohibits the unauthorised alteration of transmission data.
CASL applies to most forms of electronic messaging, including email, SMS text messages and certain forms of messages sent via social networks. Voice and fax messages are excluded, as they are covered by the Unsolicited Telecommunications Rules. The law applies broadly to any CEM that is sent from or accessed by a computer system located in Canada.
A CEM is defined broadly to include any message that has as one of its purposes the encouragement of participation in a commercial activity. This includes advertisements and information about promotions, offers, business opportunities, etc.
CASL creates a permission-based regime, meaning that, subject to a number of specific exclusions, consent is required before sending a CEM. Consent can either be express or implied.
With respect to computer programs, CASL requires any person installing a computer program onto another person's computer system to obtain express consent from the owner or authorised user of the computer system.
CASL is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC has the power to impose administrative monetary penalties for violations of CASL of up to C$10 million per violation for organisations (and up to C$1 million per violation for individuals).
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
There are no restrictions on transfers of data outside Canada in private sector privacy legislation.27 PIPEDA requires organisations that transfer data to third parties for processing – whether inside or outside Canada – to ensure through contract that the protection provided is 'generally equivalent' to the protection that would be provided by the transferring organisation.28 With respect to the potential access to personal information by foreign governments and law enforcement agencies, the Privacy Commissioner has stated that while organisations cannot override or prevent such access through agreements, the law 'does require organisations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.'29
The Privacy Commissioner has, since at least 2009, interpreted PIPEDA such that consent is not required for transfers to foreign jurisdictions, although organisations are required to advise customers (e.g., through privacy policies) that information may be transferred to foreign jurisdictions, and could therefore be accessed by government agencies there.30 However, according to a recently published discussion document, the Privacy Commissioner is considering revising its interpretation of PIPEDA to require consent for transfers in some cases.31
Alberta's Personal Information Protection Act has more explicit requirements for transfers of data to service providers outside Canada. Organisations that use service providers to process personal information outside Canada must:
- develop policies that describe the countries to which information is or may be transferred as well as the purposes for which the service provider may collect, use or disclose personal information, and make policies available upon request;32 and
- provide notice to individuals that a service provider outside Canada will collect, use or disclose personal information, and provide information about who can answer questions and where the individual can obtain written information about policies with respect to transfers outside Canada.33
V COMPANY POLICIES AND PRACTICES
Companies that do business in Canada are generally expected to do the following:
- establish detailed internal privacy policies for ensuring compliance with privacy legislation that address things such as who is responsible for compliance with privacy legislation;
- establish the various types of personal information collected, used and disclosed, and for what purposes;
- provide training for employees;
- establish administrative, physical and technical security measures for the protection of personal information;
- record transfers of personal information;
- record retention periods and the destruction of personal information;
- record the outsourcing of and third-party access to personal information;
- respond to requests for access to personal information;
- respond to inquiries and complaints about information handling practices; and
- identify and respond to security breaches.
ii Privacy notices
Privacy notices are the primary means by which organisations satisfy the openness principle (Principle 8); see above for the content the Privacy Commissioner expects a privacy notice to contain.
iii Chief privacy officer
Organisations must designate a person who is responsible for compliance with privacy legislation. Further, privacy notices must provide contact information for a person who can respond to inquiries and complaints about the organisation's information handling practices.
VI DISCOVERY AND DISCLOSURE
Privacy laws contain broad exceptions that allow organisations to respond to requests from government agencies for law enforcement purposes, such as in response to a subpoena or warrant, or in response to a court order in a civil proceeding. In addition, private sector organisations can disclose personal information on their own initiative in some circumstances.
There are also several laws that allow government agencies to collect and share information – including personal information – with foreign agencies. For example, the federal government has established bilateral and multilateral conventions for mutual legal assistance with several countries under the federal Mutual Legal Assistance in Criminal Matters Act.34 Pursuant to these agreements, foreign governments can request information about a specific person, following which the Department of Justice Canada can apply to a court for a warrant compelling disclosure of the information.
There are also other laws that permit transfers to foreign agencies for specific purposes, including the Proceeds of Crime (Money Laundering) and Terrorist Financing Act,35 the Department of Citizenship and Immigration Act,36 and the Canadian Security Intelligence Service Act.37
Foreign governments cannot directly compel an organisation located in Canada to disclose information. However, personal information about Canadians can be accessed by foreign governments once transferred to those jurisdictions. Canada does not have any 'blocking statutes' or specific procedures for resisting access by foreign governments to personal information about Canadians.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
The Privacy Commissioner of Canada is responsible for the oversight and enforcement of PIPEDA. The Privacy Commissioner is an 'ombudsman', meaning that he or she can make recommendations to organisations, but cannot make orders or impose fines. Enforcement is primarily complaint-driven, although the Privacy Commissioner also has the authority to conduct investigations or audits on his or her own initiative. Either a complainant or the Privacy Commissioner can apply to the Federal Court seeking an order, an award of damages, or both. The Privacy Commissioner can also enter into compliance agreements with organisations if the Commissioner believes there has been, or is about to be, a contravention of PIPEDA. The Commissioner can also make public any information obtained in the course of his or her duties if doing so would be in the public interest.
Data protection authorities in Alberta, British Columbia and Quebec have the power to make enforceable orders, which are subject to review by the provincial courts. Authorities in all jurisdictions (both federal and provincial) have powers to compel evidence.
Although damages are possible under private sector privacy legislation, damage awards are not common. One of the largest damage awards to date is C$20,000, which was awarded against Bell Canada for violating PIPEDA in 2013.38
ii Private litigation
Privacy-related litigation has become more common in recent years, as courts are increasingly willing to recognise privacy as a compensable cause of action.
The following four provinces have established a statutory tort for invasion of privacy: British Columbia,39 Manitoba,40 Newfoundland and Labrador,41 and Saskatchewan.42 A common law tort for invasion of privacy was explicitly recognised for the first time in Ontario in 2012 in Jones v. Tsige.43 The court awarded relatively modest damages of C$10,000 in that case, stating that damages for privacy invasions should generally be limited to a maximum of C$20,000. In a controversial 2017 decision, a small claims court in Ontario awarded a plaintiff C$4,000 for intrusion upon seclusion.44 In 2016, the Ontario Superior Court recognised a new tort referred to as 'public disclosure of embarrassing facts' in a case arising out of the non-consensual publication of intimate images on the internet.45 The Court awarded damages of C$100,000, which is by far the largest award in a privacy-related case involving a single plaintiff to date.
There have been a growing number of data breach-related class actions in the past few years, involving defendants such as:
- Home Depot;46
- Bank of Nova Scotia;47
- Human Resources and Skills Development Canada;48
- Health Canada;49
- Durham Region Health;50 and
- Rouge Valley Health System.51
Although case law involving privacy breach class actions remains limited, precedents arising from class certification and settlement approval proceedings suggest that some courts are sceptical of class actions based on vague allegations of potential harm. For example, in the class action against Home Depot, the court reduced the fees to class counsel previously agreed by the parties, with the court stating that: 'The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak.'52 However, settlements may be much higher where plaintiffs can provide more specific evidence of harm resulting from a breach.53
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
Organisations that collect, use or disclose personal information about Canadians are likely subject to Canadian law, regardless of their location. The Federal Court of Canada most recently affirmed in 2017 that PIPEDA applies to organisations that collect, use and disclose personal information about Canadians in the course of commercial activity, even where those organisations have no physical presence in Canada.54
IX CYBERSECURITY AND DATA BREACHES
Canada signed up to the Council of Europe's Convention on Cybercrime in 2001, but is yet to ratify the treaty. Although there have been repeated attempts over the past decade to pass 'lawful access' legislation that would enable Canada to ratify the treaty, legislative proposals have been met with significant opposition. The key aspects of these proposals include new powers for production orders and preservation notices, and requirements that telecommunications service providers (TSPs) make their networks intercept-capable. In addition, proposals have included provisions that would allow law enforcement agencies to compel TSPs to provide customer name and address information without a warrant or court order, which have been most controversial. Mandatory data retention by TSPs has not been a feature of legislative proposals to date.
The Alberta Personal Information Protection Act was the first private sector law in Canada with an explicit requirement to notify individuals in the case of a security breach.55 As of 1 November 2018, PIPEDA requires organisations to provide a report to the Privacy Commissioner and notify affected individuals of any breach of safeguards resulting in a real risk of significant harm (RROSH). Significant harm includes bodily harm, humiliation, damage to personal relationships or reputation, loss of employment or opportunity, financial loss and identity theft. In assessing a RROSH, an organisation must consider the sensitivity of the information involved and the probability that the information will be misused. Reporting and notification are required for any breach of safeguards if it is reasonable to believe in the circumstances that the breach poses a real risk of significant harm.56 Failure to comply with the new notification requirements could result in a penalty of up to C$100,000.
Organisations doing business in Canada should pay close attention to the Privacy Commissioner's evolving views on transborder data flows, as the Commissioner may begin interpreting PIPEDA to require consent for at least some transfers of personal information to third-party data processors.
Also, while a relatively slow-moving process, it will be important to watch as the government moves to amend PIPEDA in ways that could make the law more closely aligned with the European Union General Data Protection Regulation in some respects.
1 Shaun Brown is a partner at nNovation LLP.
2 SC 2000, c 5.
3 Guidance on data breach notification requirements can be found here: Office of the Privacy Commissioner of Canada, What you need to know about mandatory reporting of breaches of security safeguards, https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/.
4 House of Commons Standing Committee on Access to Information, Privacy and Ethics, 'Towards Privacy by Design: Review of the personal information protection and electronic documents act' (Report) (Ottawa: February 2018), online: https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-12/.
5 Office of the Privacy Commissioner of Canada, Consultation on transfers for processing – Reframed discussion document, 11 June 2019, https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-on-transfers-for-processing/.
6 Alberta: Personal Information Protection Act, SA 2003, c P-6.5; British Columbia: Personal Information Protection Act, SBC 2003, c 63; Quebec: An Act respecting the Protection of Personal Information in the Private Sector, RSQ, c P-39.1. PIPEDA also does not apply to the collection, use and disclosure of personal health information by personal health information custodians that are subject to the New Brunswick Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05, the Newfoundland and Labrador Personal Health Information Act, SNL 2008, c P-7.01 or the Ontario Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A. Manitoba has passed private-sector privacy legislation (the Personal Information Protection and Identity Theft Prevention Act, CCSM c P33.7) that is generally similar to the laws in Alberta and British Columbia; however, it has neither been proclaimed in force nor deemed substantially similar to PIPEDA.
7 CAN/CSA-Q830-96; published March 1996; reaffirmed 2001.
8 Dagg v. Canada (Minister of Finance), 2 SCR 403, dissenting, at para. 68.
9 Morgan v. Alta Flights Inc (2006) FCA 121, affirming (2005) FC 421.
10 Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157, para. 34.
11 PIPEDA Case Summary #2009-010 – Report of Findings: Assistant Commissioner recommends Bell Canada inform customers about Deep Packet Inspection.
12 Office of the Privacy Commissioner of Canada, 'Policy Position on Online Behavioural Advertising', 6 June 2012, www.priv.gc.ca/en/privacy-topics/advertising-and-marketing/behaviouraltargeted-advertising/bg_ba_1206.
13 An exception to this rule is PIPEDA Case Summary #2009-008 – Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc under the Personal Information Protection and Electronic Documents Act, in which the Assistant Privacy Commissioner of Canada held that because revenues from advertising allow Facebook to offer a free service, the collection, use and disclosure of personal information for advertising is therefore a 'primary purpose', and 'persons who wish to use the service must be willing to receive a certain amount of advertising'. As such, it is acceptable for Facebook to require users to consent to certain forms of adverts as a condition of using the site.
14 This is often referred to as 'refusal to deal'.
15 Office of the Privacy Commissioner of Canada, 'Interpretation Bulletin: Form of Consent', online: www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_07_consent.
16 The definition of 'publicly available' is relatively limited under Canadian law. For example, according to the Regulations Specifying Publicly Available Information SOR/2001-7 under PIPEDA, personal information is publicly available if it appears in a telephone directory, business directory, a court or judicial document, or a magazine or newspaper. In its response to a 2018 review of PIPEDA (see note 23), the government stated that it needs to closely study the potential impacts of redefining 'publicly available' information for the purpose of PIPEDA.
17 The Federal Court emphasised this obligation in Nammo v. TransUnion of Canada Inc, 2010 FC 1284, in which the applicant was denied a loan as a result of information provided by TransUnion that was described as 'grossly inaccurate'. The Court awarded damages of C$5,000.
19 Office of the Privacy Commissioner of Canada, 'Initial Results from our internet privacy sweep: the good, the bad, the ugly' (Ottawa: 13 August, 2013), online: https://blog.priv.gc.ca/index.php/2013/08/13/initial-results-from-our-internet-privacy-sweep-the-good-the-bad-and-the-ugly/.
20 For the purposes of this chapter, OBA refers generally to the delivery of advertisements to web browsers that are targeted based on a user's behaviour online, and the collection, use and disclosure of data for those purposes.
21 Office of the Privacy Commissioner of Canada, 'Policy Position on Online Behavioural Advertising', 6 June 2012, www.priv.gc.ca/en/privacy-topics/advertising-and-marketing/behaviouraltargeted-advertising/bg_ba_1206.
22 In early 2014, the Privacy Commissioner found that Google had violated PIPEDA by using sensitive personal information to target and serve adverts through its AdSense service. Google had allowed its customers to serve targeted adverts for Continuous Positive Airway Pressure devices to internet users identified as suffering from sleep apnoea. Although the Privacy Commissioner has stated that companies can rely on a form of opt-out, implied consent for OBA, adverts targeted at sleep apnoea sufferers did not qualify for this approach, given that this involves the collection and use of sensitive, health-related personal information. See Privacy Commissioner of Canada, PIPEDA Report of Findings #2014-001 – Report of Findings: Use of sensitive health information for targeting of Google ads raises privacy concerns, 14 January 2014, www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2014/pipeda-2014-001.
23 Office of the Privacy Commissioner of Canada, 'Automated Facial Recognition in the Public and Private Sectors: Report prepared by the Research Group of the Office of the Privacy Commissioner of Canada', March 2013, www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2013/fr_201303.
24 Office of the Privacy Commissioner of Canada, 'Wearable Computing – Challenges and opportunities for privacy protection: Report prepared by the Research Group of the Office of the Privacy Commissioner of Canada', January 2014, www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2014/wc_201401.
25 Office of the Privacy Commissioner of Canada, 'Will the proliferation of domestic drone use in Canada raise new concerns for privacy?': Report prepared by the Research Group of the Office of the Privacy Commissioner of Canada, March 2013, www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2013/drones_201303.
26 Office of the Privacy Commissioner of Canada, 'Genetic Information, the Life and Health Insurance Industry and the Protection of Personal Information: Framing the Debate', December 2012, www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2012/gi_intro.
27 Subject to limited exceptions, public-sector bodies in British Columbia and Nova Scotia are required to ensure that personal information in their custody or control is only stored or accessed in Canada; see the Freedom of Information and Protection of Privacy Act, RSBC 1996, Chapter 165, s 30.1, and the Personal Information International Disclosure Protection Act, SNS 2006, c 3, s 5. These laws can pose challenges for service providers located outside Canada that seek to do business with public sector bodies in those jurisdictions.
31 Office of the Privacy Commissioner of Canada, Consultation on transfers for processing – Reframed discussion document, 11 June 2019, https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-on-transfers-for-processing/.
32 Personal Information Protection Act, SA 2003, c P-6.5, s 6(1).
33 ibid., s 13.1(1).
34 RSC, 1985, c 30.
35 SC 2000, c 17.
36 SC 1994, c 31.
37 RSC, 1985, c C-23.
38 Chitrakar v. Bell TV, 2013 FC 1103.
39 Privacy Act, RSBC 1996, c 373.
40 Privacy Act, RSM 1987, c P125.
41 Privacy Act, RSN 1990, c P-22.
42 Privacy Act, RSS 1978, c P-24.
43 2012 ONCA 32.
44 Vanderveen v. Waterbridge Media, 2017 ON SCSM 77435 (CanLII).
45 Jane Doe 464533 v. ND, 2016 ONSC 541.
46 No citations: Knuth v. Home Depot, Statement of Claim, QBC 2006-14, Lozanski v. Home Depot, Statement of Claim, CV-14-51262400CP.
47 Evans v. The Bank of Nova Scotia, 2014 ONSC 2135.
48 Condon v. Canada, 2014 FC 250.
49 John Doe v. Her Majesty the Queen, 2015 FC 916.
50 Rowlands v. Durham Region Health, et al., 2012 ONSC 394.
51 No citations: Elia Broutzas and Meagan Ware v. Rouge Valley Health System, Jane Doe 'A', Jane Doe 'B', John Doe Registered Savings Plan Corporation and Jane Doe 'C', Statement of Claim, CV-14-507026-00CP.
52 Lozanski v. The Home Depot, Inc., 2016 ONSC 5447, para. 100.
53 For example, in Evans v. The Bank of Nova Scotia, 2014 ONSC 2135 (CanLII), the defendant bank settled for approximately C$1.5 million as some class members suffered identity theft as a result of a data breach.
54 A.T. v. Globe24h.com, 2017 FC 114 (CanLII).
55 See Personal Information Protection Act, SA 2003, c P-6.5, ss 34.1 and 37.1.
56 See Division 1.1 of PIPEDA.