Canadian Cybersecurity and Privacy Framework - NETSEC

Cybersecurity Memo

Sunday, May 21, 2023

Canadian Cybersecurity and Privacy Framework

In Canada, the cybersecurity legal landscape is governed by a range of laws covering privacy, anti-spam, criminal liability, and intellectual property:

Cybersecurity Legal Landscape in Canada

  • Generally, federal and provincial privacy laws in Canada regulate the way in which personal information can be collected, used or disclosed. On the federal level, PIPEDA requires an organization to notify affected individuals of any breach of security safeguards involving personal data under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Similarly, on a provincial level, the Alberta PIPA and recently amended Quebec Act include data breach reporting and notification requirements for private sector organizations.
  • Canada's anti-spam legislation, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (CASL) protects consumers and businesses from spam and other electronic threats. CASL prohibits the following in the course of commercial activity: the alteration of transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender; the installation of a computer program on any other person's computer system without express consent or court order; and the sending of a commercial electronic message to an electronic address in order to induce or aid any of the above prohibitions.
  • The Criminal Code prohibits the unauthorized use of a computer, the possession of a device to obtain unauthorized use of a computer system or to commit mischief and mischief in relation to computer data.
  • The Copyright Act includes civil and criminal remedies for the circumvention of technological protection measures and rights management information.





Privacy Laws

Notes: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/


Federal


Provincial Privacy Laws


Health Related

While other provinces and territories have also passed their own health privacy laws, these have not been declared substantially similar to PIPEDA. In some of those cases, PIPEDA may still apply.


Employment related

Some provinces have passed privacy laws that apply to employee information. Examples include:





NIST Privacy Framework



NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management

The Privacy Framework is a voluntary tool intended to help organizations identify and manage privacy risk to build beneficial products and services while protecting individuals’ privacy.


https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/resources


PIPEDA


There are a number of requirements to comply with the law. Organizations covered by PIPEDA must generally obtain an individual's consent when they collect, use or disclose that individual's personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.

Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards.

Note: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/

Alberta, British Columbia and Quebec have their own private-sector privacy laws that have been deemed substantially similar to PIPEDA. Organizations subject to a substantially similar provincial privacy law are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province.

Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA.

By following these principles, you will contribute to building trust in your business and in the digital economy.

The principles are:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance


Understanding Canadian Privacy Law

Understanding Canadian Privacy Law: Key Principles, Scope, Enforcement, and Recent Developments with Implications for Individuals and Businesses

1. Introduction to Canadian Privacy Law

In today's digital age, privacy has become a major concern for individuals and businesses alike. Canada is no exception to this trend, with its own set of privacy laws designed to protect personal information. Canadian privacy law governs the collection, use, and disclosure of personal information by private sector organizations, as well as federal government institutions. The purpose of these laws is to ensure that individuals have control over their personal information and that it is used only for legitimate purposes. Understanding Canadian privacy law is crucial for anyone who handles personal information, whether they are an individual or a business. In this article, we will explore the key principles of Canadian privacy law, its scope, enforcement, recent developments, and the implications for individuals and businesses.

2. Key Principles of Canadian Privacy Law

2.1 Canadian privacy law is based on several key principles that are designed to protect the personal information of individuals. These principles include accountability, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance.

2.2 Accountability requires organizations to take responsibility for the personal information they collect, use, and disclose. This includes appointing a privacy officer, implementing policies and procedures, and training employees on privacy practices.

2.3 Consent means that individuals must give their permission for their personal information to be collected, used, or disclosed. Organizations must obtain clear and informed consent before collecting personal information, and individuals have the right to withdraw their consent at any time.

2.4 Limiting collection means that organizations should only collect personal information that is necessary for the purposes identified by the organization. They must also collect this information by fair and lawful means.

2.5 Limiting use, disclosure, and retention means that personal information should only be used or disclosed for the purposes for which it was collected, unless an individual gives their consent or the law permits it. Personal information should also be retained only as long as necessary to fulfill these purposes.

2.6 Accuracy means that organizations must take reasonable steps to ensure that personal information is accurate, complete, and up-to-date.

2.7 Safeguards require organizations to protect personal information against unauthorized access, disclosure, copying, use, or modification. This includes physical, organizational, and technological measures.

2.8 Openness means that organizations must make their privacy policies and practices readily available to individuals.

2.9 Individual access means that individuals have the right to access their personal information held by an organization and to request corrections if necessary.

2.10 Challenging compliance means that individuals have the right to challenge an organization's compliance with privacy laws and to seek recourse if necessary.

3. Scope of Canadian Privacy Law

3.1 Canadian Privacy Law applies to the collection, use, and disclosure of personal information by organizations in Canada. This law governs how businesses and other organizations handle personal information, including sensitive information such as health records, financial information, and other personal data. It also regulates how organizations can use personal information for marketing and advertising purposes.

3.2 The scope of Canadian Privacy Law extends to both private and public sector organizations, including federal and provincial government agencies, non-profit organizations, and private businesses. The law applies to all types of personal information, regardless of the format in which it is stored, including electronic and paper records.

3.3 Canadian Privacy Law also has extraterritorial application, meaning that it can apply to organizations outside of Canada if they collect, use, or disclose personal information of Canadians. This means that foreign companies doing business in Canada must comply with Canadian Privacy Law.

3.4 Overall, the scope of Canadian Privacy Law is broad and comprehensive, covering a wide range of organizations and personal information. It is important for individuals and businesses to understand their obligations under this law to ensure compliance and protect personal information.

4. Enforcement and Penalties for Violations

4.1 Canadian privacy laws are enforced by various government agencies, including the Office of the Privacy Commissioner of Canada (OPC) and the Canadian Radio-television and Telecommunications Commission (CRTC). These agencies have the power to investigate complaints, conduct audits, and issue fines for violations of privacy laws.

4.2 Penalties for violating Canadian privacy laws can be severe. Individuals and businesses found guilty of violating these laws may face fines of up to $100,000 per violation. In some cases, individuals may also face imprisonment for up to five years.

4.3 In addition to financial penalties, organizations that violate Canadian privacy laws may also suffer damage to their reputation and loss of customer trust. This can have significant long-term consequences for businesses, particularly those that rely on the collection and use of personal information to operate.

4.4 To avoid penalties and maintain compliance with Canadian privacy laws, individuals and businesses must take steps to protect personal information, including implementing appropriate security measures, obtaining consent for the collection and use of personal information, and ensuring that personal information is only used for legitimate purposes.

5. Recent Developments in Canadian Privacy Law

5.1 In recent years, Canadian privacy law has undergone significant changes and updates. One of the most notable developments is the introduction of the Digital Privacy Act in 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). The amendments included new breach notification requirements, mandatory reporting to the Office of the Privacy Commissioner of Canada (OPC), and increased fines for non-compliance.

5.2 More recently, in November 2020, the federal government introduced Bill C-11, also known as the Digital Charter Implementation Act. If passed, this bill would replace PIPEDA with a new privacy law called the Consumer Privacy Protection Act (CPPA). The CPPA would introduce new rights for individuals, such as the right to data mobility and the right to request that their personal information be destroyed. It would also increase the OPC's enforcement powers and allow for higher fines for non-compliance.

5.3 Another significant development is the increasing focus on privacy issues related to artificial intelligence (AI) and machine learning (ML). In 2019, the OPC released guidelines for AI and ML, outlining best practices for organizations using these technologies while ensuring compliance with privacy laws. The guidelines emphasize the importance of transparency, accountability, and meaningful consent when collecting and using personal information.

5.4 Overall, these recent developments reflect the evolving landscape of privacy law in Canada and highlight the need for individuals and businesses to stay informed and compliant with the latest regulations.

6. Implications for Individuals and Businesses

6.1 As individuals and businesses navigate the digital landscape, understanding Canadian privacy law is crucial. Failure to comply with the law can result in significant penalties and reputational damage. For individuals, it means being aware of your rights and how to exercise them. For businesses, it means taking proactive steps to protect personal information and ensure compliance with the law.

6.2 For individuals, Canadian privacy law provides a framework for protecting personal information. This includes the right to know what personal information is being collected, how it will be used, and who it will be shared with. It also includes the right to access and correct personal information, as well as the right to withdraw consent for its use or disclosure.

6.3 For businesses, Canadian privacy law requires a proactive approach to protecting personal information. This includes implementing policies and procedures for the collection, use, and disclosure of personal information. It also requires businesses to obtain consent for the collection, use, and disclosure of personal information, and to limit the collection of personal information to what is necessary for the purposes identified.

6.4 Recent developments in Canadian privacy law have increased the obligations on businesses. The Digital Privacy Act introduced mandatory breach reporting requirements for businesses, which means that businesses must report any breaches of personal information to affected individuals and the Privacy Commissioner of Canada. The European Union's General Data Protection Regulation (GDPR) has also had implications for Canadian businesses, as it applies to any business that processes personal information of EU residents.

7. In summary, understanding Canadian privacy law is essential for both individuals and businesses. Individuals need to be aware of their rights and how to exercise them, while businesses need to take proactive steps to protect personal information and ensure compliance with the law. Recent developments have increased the obligations on businesses, making it even more important to stay up-to-date with changes in the law.
Processing Personal Data Across Borders


Note: https://www.priv.gc.ca/en/privacy-topics/airports-and-borders/gl_dab_090127/

There are different approaches to protecting personal information that is being transferred for processing. European Union member states have passed laws prohibiting the transfer of personal information to another jurisdiction unless the European Commission has determined that the other jurisdiction offers "adequate" protection for personal information.

In contrast to this state-to-state approach, Canada has, through PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy. PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However, under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement. The OPC can investigate complaints and audit the personal information handling practices of organizations.

As the accountability principle suggests, the primary means by which an organization may protect personal information that is sent to a third party for processing is through a contract.

Regardless of where the information is being processed - whether in Canada or in a foreign country - the organization must take all reasonable steps to protect it from unauthorized uses and disclosures while it is in the hands of the third party processor. The organization must be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times. It should also have the right to audit and inspect how the third party handles and stores personal information, and exercise the right to audit and inspect when warranted.

The OPC recognizes the complexity of the electronic world and understands that it is often impossible for an organization to know precisely where information is flowing while in transit. But that being said, the law is clear on where accountability lies and organizations must in their own best interests, as well as those of their customers, do what they can to protect the information.

Key Findings
  • PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing.
  • PIPEDA does establish rules governing transfers for processing.
  • A transfer for processing is a "use" of the information; it is not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.
  • The transferring organization is accountable for the information in the hands of the organization to which it has been transferred.
  • Organizations must protect the personal information in the hands of processors. The primary means by which this is accomplished is through contract.
  • No contract can override the criminal, national security or any other laws of the country to which the information has been transferred.
  • It is important for organizations to assess the risks that could jeopardize the integrity, security and confidentiality of customer personal information when it is transferred to third-party service providers operating outside of Canada.
  • Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.


Please describe the mechanisms companies typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions (e.g., consent of the data subject, performance of a contract with the data subject, approved contractual clauses, compliance with legal obligations, etc.).
  • Typically, companies enter into an agreement when transferring data outside of Canada for processing purposes to ensure that the data transferred is afforded a comparable level of protection to that under Canadian Privacy Statutes. Depending on the size and the context of the data transfer arrangement in question, there are a number of measures that companies take to establish an appropriate vendor management framework, including:
    (i) due diligence, in particular with respect to security safeguards;
    (ii) contractual arrangements setting out requisite controls and conditions;
    (iii) appropriate notice to employees or consumers; and
    (iv) appropriate monitoring of the service provider arrangement.
  • While consent per se is not required, notification is.


Do transfers of personal data to other jurisdictions require registration/notification or prior approval from the relevant data protection authority(ies)? Please describe which types of transfers require approval or notification, what those steps involve, and how long they typically take.
  • Transfers of personal data to other jurisdictions do not require registration/notification or prior approval from the relevant data protection authorities.



Retention



In keeping with the Data Minimisation principle above, Canadian Privacy Statutes generally require organisations to retain personal information for only as long as necessary to fulfil the purposes for which it was collected, subject to a valid legal requirement.


Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous.


Organisations should develop guidelines and implement procedures for retention of personal data, including minimum and maximum retention periods and procedures governing the destruction of data.





Safeguarding


Safeguarding – Each of the Canadian Privacy Statutes contains specific provisions relating to the safeguarding of personal information. In essence, these provisions require organisations to implement reasonable technical, physical and administrative measures to protect personal information against loss or theft, as well as unauthorised access, disclosure, copying, use, modification or destruction.




NOTE: PIPEDA does not specify particular security safeguards that must be used. Your organization must continually ensure it adequately protects the personal information in its care as technologies evolve and as new risks emerge.


The security safeguards must be appropriate to the sensitivity of the information: the more sensitive the information, the higher the level of protection that will be required.

An organisation is responsible for protecting personal information in its possession or custody, including information that has been transferred to a third party for processing. It must ensure a comparable level of protection through contractual or other means.

New and Evolving Legislation


CPPA - Consumer Privacy Protection Act - Developing - Bill C-11

In 2020, Canada’s federal Minister of Innovation, Science and Industry submitted Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, more simply referred to as the Digital Charter Implementation Act, 2020, for consideration in the House of Commons.

Bill C-11 is not yet law. It must be passed by both Houses of Parliament and receive Royal Assent. It is still in the legislative process for second reading and debate.

If passed, Bill C-11 would replace the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates how the private sector handles consumer data, by introducing the CPPA. The CPPA would impact any business collecting personal data in Canada by taking the broad data privacy principles of PIPEDA and creating new guidelines and a framework for enforcement.

Under the CPPA, the federal privacy commissioner would have the power to investigate and prosecute any organization that violates the framework imposed by the CPPA. The penalties would also be more severe than those imposed by PIPEDA.

This would be one of the strictest privacy laws in the world, comparable to the GDPR or the California Consumer Privacy Act.

Note: Bill C-11 was first introduced in 2020 and died on the order paper as a result of the federal election in 2021.



Bill C-26 on cybersecurity

In June 2022, Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced to provide new cybersecurity protections for telecommunications service providers in Canada as well as to ensure that they take certain measures to mitigate or remedy cybersecurity risks. This bill also introduces the Critical Cyber Systems Protection Act (CCSPA), which if passed, would require operators of any "critical cyber system" in Canada, to create a cybersecurity program that meets a number of prescribed safeguards and to notify their respective regulators of their programs. These operators would also have new breach reporting obligations where a cybersecurity incident could interfere with the continuity of a vital system or service.


Bill C-27 (Digital Charter Implementation Act, 2022)

  • A reintroduction and improvement of Bill C-11
  • Bill C-27 is undergoing legislative review in Parliament and, if passed, would introduce the following legislative updates:

note: https://iapp.org/news/a/a-look-at-canadas-new-federal-privacy-legislation/

The new statutory framework in Bill C-27 governs private sector personal information protection practices and, if passed, would enact the following three new statutes:
  1. The Consumer Privacy Protection Act would repeal and replace Part 1 of the Personal Information Protection and Electronic Documents Act. Part 2 of PIPEDA would be renamed "An Act to provide for the use of electronic means to communicate or record information or transactions," or the Electronic Documents Act.
  2. The Personal Information and Data Protection Tribunal Act would establish an administrative tribunal to review certain decisions made by the Privacy Commissioner of Canada and make orders for contraventions of the CPPA.
  3. The Artificial Intelligence and Data Act, which is new and perhaps unanticipated by many, will regulate international and interprovincial trade and commerce in artificial intelligence systems by establishing common requirements, applicable across Canada, for the design, development and use of these systems.


Other Related Laws


  • An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying Out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (“Canada’s anti-spam legislation” or “CASL”).
    • In general, under CASL, it is a violation to send, or cause or permit to be sent, a commercial electronic message (defined broadly to include text, sound, voice or image messages) to an electronic address unless the recipient has provided express or implied consent (as defined in the Act) and the message complies with the prescribed form and content requirements, including an unsubscribe mechanism.
