Defense Counsel Journal
A Look at Canadian Privacy and Anti-Spam Laws
Volume 84, No. 4
February 07, 2020
Junior Sirivar is a partner in McCarthy Tétrault’s
Litigation Group and Co-Chair of the Firm’s International
Arbitration Practice Group. He advises domestic and
international clients in complex commercial disputes
across a variety of industries including mining, banking,
Shana Wolch is a partner in McCarthy Tétrault's National
Labour and Employment Group in Calgary. She assists
clients with their daily human resources matters (including
privacy and occupational health and safety), across the full
spectrum of industries, including oil and gas, utilities, banking,
retail, forestry, transportation, hospitality, and education. She
has also been a lead investigator in workplace and OHS
investigation matters and frequently provides support and
training for clients to conduct their own investigations.
CANADA’S comprehensive federal and provincial privacy laws regulate how organizations collect, use, and disclose personal information in the course of conducting or operating their businesses. These laws are intended to protect individual privacy rights and, in doing so, require that organizations take reasonable steps to ensure that such rights are sufficiently protected. Canadian privacy laws can have a significant impact on organizations’ policies and practices while operating in Canada.
Organizations must establish reasonable security measures to protect personal information that crosses international borders. The obligations imposed by privacy laws supplement existing obligations respecting transparency, consent and safeguarding. Moreover, organizations need to provide assurances that the foreign third- party service provider’s privacy practices provide a comparable level of protection as to that which is required under Canadian law, recognizing that the laws of the foreign jurisdiction cannot be overridden.
Canadian privacy laws provide a mechanism that is intended to facilitate more streamlined transactions where such transactions involve the collection, use or disclosure of personal information. Corporations operating, or looking to operate, in Canada must be aware of the obligations imposed on them by these laws as a failure to do so can have significant repercussions.
This paper will aid those that are operating or seeking to do business in Canada by promoting compliance with Canada’s privacy and anti-spam laws, which will in turn prompt strong and effective business activities. Specifically, we discuss the obligations imposed by Canada’s anti-spam legislation, more commonly referred to as “CASL,”1An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23. as well as the other federal and provincial privacy laws that outline the framework and rules for the collection, use and disclosure of personal information by federally-regulated private-sector organizations operating across Canada.
These laws are not intended to restrict businesses from operating in Canada. Rather, they seek to support commerce, including electronic commerce, and promote the adaptability of the Canadian economy and market by clarifying expectations and rights for protecting an individual’s privacy while in the process. Public confidence in the integrity of a business’s operations is of key importance to operating successfully. By developing appropriate policies and corporate strategies, organizations can comply with the applicable privacy law requirements while mitigating risks associated with improperly collecting, using or disclosing personal information in potentially damaging manners.
I. CASL: Canada’s Anti-Spam Law
CASL is a comprehensive legislative regime created to combat spam. It is aimed at preventing organizations, including foreign ones, from sending unsolicited or misleading commercial electronic messages (“CEM”) or programs to consumers without their consent. In particular, CASL introduces the requirement to obtain the consent of a recipient before an organization sends a CEM. This requirement extends to email messages, messages to social networking accounts and text messages to smart phones.
CASL came into force on July 1, 2014 and is widely considered to be among the most comprehensive, and to an extent onerous, commercial electronic messaging statutes in the world. It has significant implications for Canadian businesses, not-for-profit organizations, and individuals using electronic communications. CASL also applies to foreign organizations that operate or do business in Canada, or that send commercial electronic messages to Canada.
CASL’s provisions regarding CEMs extend far beyond typical “spam” emails. A CEM is an electronic message that is intended to encourage participation in a commercial activity. When determining if an electronic message encourages a commercial activity, the content of the message, the hyperlinks in the message or the contact information contained in the message may all be considered. Further, the types of commercial activities that would be considered to constitute a CEM include but are not limited to:
(i) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
(ii) offers to provide a business, investment or gaming opportunity;
(iii) advertisements or pro-motions of anything referred to in (i) or (ii); or
(iv) promoting a person, including the public image of a person, as being a person who does
anything referred to in any of (i), (ii) or (iii), or who intends to do so.2CASL, s. 1(2).
Organizations must therefore carefully scrutinize their use of email and other electronic messaging systems, including SMS, social networks and online portals.
On January 15, 2015, provisions of CASL relating to unsolicited installation of computer programs or software came into force. These provisions prevent the installation of computer programs without an individual’s consent.3
Government of Canada, Canada’s Anti-Spam Legislation, 2013, available at http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00039.html.
CASL’s computer programs provisions affect a wide range of platforms, from applications on personal computers, tablets and mobile devices, to programs embedded in consumer products, such as automobiles, TV sets, and home audio systems. CASL’s computer program provisions apply only to programs that automatically install software on someone’s computer; they do not apply to individuals installing software on their own devices.
Consent, as interpreted by CASL, can either refer to express consent, or under certain circumstances, implied consent. Express consent means that a person has clearly agreed to receive a CEM, prior to a CEM being sent to him or her. By requiring consent first, CASL has enabled an “opt-in” regime in relation to spam, unlike some other countries that have enabled “opt-out” regimes, like the United States. CASL’s “opt-in” regime applies to both Canadian organizations and non-Canadian organizations so long as these organizations are sending commercial electronic messages to recipients within Canada.4CASL, s. 12(1).
Under certain circumstances, such as an existing business relationship between an organization and a recipient of a CEM, an organization may be able to rely on implied consent in sending CEMs. Other circumstances where implied consent may be relied upon are described in section 10(9) of CASL.
The onus of proving consent is always on the sender. As a result, it is prudent for the sender of a CEM to employ good record-keeping practices, which may help the sender establish a due diligence defense in the case of an alleged violation of CASL.5
Government of Canada, Enforcement Advisory – Notice for businesses and individuals on how to keep records of consent July 27, 2016, available at https://www.canada.ca/en/radio-television-telecommunications/news/2016/07/enforcement-advisory-notice-for-businesses-and-individuals-on-how-to-keep-records-of-consent.html.
Good record-keeping may include retaining hard copies or preferably electronic records of:
- all evidence of express and implied consent (e.g. audio recordings, copies of signed consent forms, completed electronic forms) from consumers who agree to receive CEMs;
- documented methods through which consent was collected;
- policies and procedures regarding CASL compliance; and
- all unsubscribe requests and resulting actions.6
Government of Canada: Canadian Radio-television and Telecommunications Commission, from Canada’s Anti‑Spam Legislation (CASL) Guidance on Implied Consent, September 4, 2015, available at http://www.crtc.gc.ca/eng/com500/guide.htm.
Diligent record keeping is of critical importance. Anything not in writing will be difficult to prove later in the event of a complaint. Moreover, lack of documentation makes it complicated – even impossible – to allow for internal management purposes such as tracking implied and express consents that have been previously obtained or even withdrawn.
Three federal agencies are responsible for the enforcement of CASL: (i) The Canadian Radio-television and Telecommunications Commission (“CRTC”), (ii) the Competition Bureau, and (iii) the Office of the Privacy Commissioner of Canada (the “Privacy Commissioner”).
The CTRC has the primary enforcement responsibility for CASL and is able to investigate, take action against, and set administrative monetary penalties for violations of CASL. For the most part, CASL is enforced by undertakings of the sender to remedy his/her actions,7CASL, s. 21. and notices of violation.8CASL, s. 22.
CASL provides for significant administrative monetary penalties of up to CAD$1,000,000 per violation for individuals, and CAD$10,000,000 for organizations. In 2016, 22 notices of violation were issued by the CTRC for violations of CASL with associated penalties ranging from $5,000 to $650,000,9
Government of Canada, Canadian Radio-Television and Telecommunications Commission: Notices of Violation 2016, August 30, 2017, available at http://www.crtc.gc.ca/eng/DNCL/dnclc_2016.htm.
and in 2015 the CTRC issued a notice of violation for CAD$1,100,000 for sending CEMs to individuals without their consent, along with other violations of CASL.10
Government of Canada, Canadian Radio-Television and Telecommunications Commission: Notices of Violation 2015, October 28, 2015, available at http://www.crtc.gc.ca/eng/DNCL/dnclc_2015.htm.
The Competition Bureau is also enabled to enforce the law under CASL through more effectively addressing false and misleading representations and deceptive marketing practices. CASL enables the Privacy Commissioner to enforce the law regarding the collection of personal information through access to computer systems, as well as electronic address harvesting.11
Government of Canada, Canada’s Anti-Spam Legislation: Enforcement, June 13, 2017, available at http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00026.html.
E. CASL’s Private Right of Action
It is anticipated that CASL will allow individuals and organizations to bring a private right of action (“PRA”) in court against persons they allege to have violated the law.12
CASL, s. 47; Government of Canada, Canada’s Anti-Span Legislation, June 13, 2017, available at http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00039.html. This section was intended to take effect July 1, 2017 however was suspended and is under review.
The PRA will allow individuals and organizations to seek compensatory damages in an amount equal to the loss or damages suffered, or expenses incurred, as a result of the contravention.13CASL, s. 51(1)(a). There may be statutory damages imposed by the court in addition to the compensatory damages under this PRA.14CASL, s. 51(1)(b). An individual could claim for breaches of CASL including the improper transmission or rerouting of CEMs to other destinations than those intended by the sender, unauthorized installation of computer programs, or participating or promoting any of these activities. They can also bring claims for being the target of false or misleading CEMS under the Competition Act, that their electronic address has been obtained without their consent or that their personal information has been obtained through accessing a computer system without authorization in breach of the federal Personal Information Protection and Electronic Documents Act.15CASL, s. 47.
In the case of unsolicited emails, these statutory damages may reach a maximum of $200 per contravention of CASL, not exceeding CAD$1,000,000 for each day on which a contravention occurred.16CASL, s. 51(1)(b)(i). Considering that a single email sent to a recipient, without his or her consent would be considered a violation of CASL, if even a small company sent out 1,000 unsolicited emails, they could face up to $20,000 in fines, in addition to any compensatory damages to the recipients of those emails.
II. Private Sector Privacy Laws in Canada
A. Basic Principles
In addition to CASL, which regulates specific electronic commercial activities, such as emailing individuals, other Canadian legislation is more generally aimed at regulating how private-sector organizations collect, use, and disclose personal information in the course of their business operations. Owing to Canada’s federal framework, these laws may be federal or provincial.
Federally, Canada has enacted the Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA is comprehensive federal legislation that outlines the framework and rules for the collection, use and disclosure of personal information by federally-regulated private-sector organizations operating across Canada.17That is, federally-regulated works, undertakings, or businesses including banks, airlines, and telecommunications companies. It also governs the collection, use and disclosure of personal information in the course of commercial activities by non-federally regulated private sector organizations operating across Canada.
PIPEDA does not, however, govern private-sector organizations operating in provinces that have comprehensive privacy legislation deemed substantially similar to PIPEDA. To this end, there are only three provinces that have been found to have privacy legislation which is substantially similar to PIPEDA: Québec, British Columbia, and Alberta.18Manitoba has also enacted similar legislation, which has not yet come into force, the Personal Information Protection and Identity Theft Prevention Act, SM 2013, c 17. The privacy legislation applicable to each of these provinces are:
- Québec’s Act Respecting the Protection of Personal Information in the Private Sector,19RSQ, c P-39.1 [Québec Act]. (the “Québec Act”);
- British Columbia’s Personal Information Protection Act (the “BC PIPA”);20SBC 2003, c 52 [BC PIPA]. and
- Alberta’s Personal Inform-ation Protection Act (the “AB PIPA”).21SA 2003, c P-6.5 [AB PIPA].
B. Federal Law
PIPEDA applies to “every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities”.22PIPEDA, s. 4(1)(a). Organizations must first determine what personal information is collected, used, or disclosed as part of their operations in Canada. They must then determine whether such personal information is collected, used, or disclosed in the “course of commercial activities” and in which jurisdictions. The Federal Privacy Commissioner23The Federal Privacy Commissioner is responsible for investigating alleged violations of PIPEDA. has expressed the opinion that information created (as opposed to collected) by an organization as part of commercial activity may also be subject to PIPEDA. For instance, the Federal Privacy Commissioner determined that an individual’s credit score is information subject to PIPEDA because it was created by an organization in the course of its commercial activities.24
The Privacy Commissioner of Canada, PIPEDA Case Summary #2002-39, 2002, available at https://www.priv.gc.ca/en/opc-actions-and-decisions/investi-gations/investigations-into-businesses/2002/PIPEDA-2002-039/.
PIPEDA protects “information about an identifiable individual”.25PIPEDA, s. 2(1). Canadian courts have deemed “identifiable individual” to be someone who it is reasonable to expect can be identified from the information at issue when combined with information from sources otherwise available, including sources publicly available.26
Canada (Information Commissioner) v. Canada (Canadian Transportation Accident Investigation and Safety Board), 2006 FCA 157, at para. 43; Gordon v. Canada (Minister of Health), 2008 FC 258, at paras. 31-34.
Business contact information is excluded from this definition because it is collected by organizations for the purpose of communicating or facilitating communication with an individual in relation to his/her employment, business or profession.27PIPEDA, s. 4.01.
Schedule 1 of PIPEDA sets out the ten principles of fair information practices (the “Fair Information Principles”) for organizations to observe. These Fair Information Principles form ground rules for the collection, use, and disclosure of personal information,28
Office of the Privacy Commissioner of Canada, Privacy Toolkit for Businesses, 2015, available at https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-PIPEDA/PIPEDA-compliance-help/guide_org/.
and underscore basic privacy obligations and practices for organizations to implement and maintain. Corporations would be well-served by ensuring that their internal policies adhere to these 10 principles:
- identifying the purposes;
- limiting collection;
- limiting use, disclosure, and retention;
- individual access; and
- challenging compliance.
Additionally, in June 2015, the federal government amended PIPEDA through the enactment of the Digital Privacy Act29
SC 2015, c. 32. All amendments under the Digital Privacy Act are now in force, except for the data breach requirements, which have not yet come into force, pending the formulation and passage of regulations. No timeline has been publicly set for completion the formulation of the regulations.
in six respects of significance to organizations. The amendments:
- addressed the issue of consent and what constitutes valid consent;
- introduced additional exceptions to obtaining consent including in the exchange of personal information for business transactions;
- addressed employment relationships and the exchange of personal information produced in the course of employment;
- introduced mandatory breach notification to be provided to both the privacy commissioner and affected individuals where there has been a breach of security safeguards that poses a real risk of significant harm to the affected individuals;
- introduced penalties including compliance agreements; and
- introduced broader public interest disclosure powers.
1. Key Obligations under PIPEDA
a) Limitation on the Collection of Personal Information
PIPEDA recognizes “the right of privacy of individuals with respect to their personal information” while accepting “the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”30PIPEDA, s. 3. An organization’s ability to collect, use or disclose personal information is accordingly framed in the following terms under Section 5(3) of PIPEDA: “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”
Collection, use or disclosure of personal information is considered “appropriate in the circumstances” if:
(i) the collection, use or disclosure of personal information is necessary to meet a specific need;
(ii) the collection, use or disclosure of personal information is likely to be effective in meeting that need;
(iii) the loss of privacy is proportional to the benefit gained; and
(iv) there is no less invasive way of achieving the same end.31
Mountain Province Diamonds, Inc. v. De Beers Canada, Inc., 2014 ONSC 2026, at para. 47.
Schedule 1 to PIPEDA also contains “The Model Code” which limits an organization’s collection of personal information to that which is necessary for the purposes identified by the organization.32PIPEDA, Schedule 1, s. 4.4. Organizations shall not collect personal information indiscriminately. All aspects of the collection of information must correlate to the identified purpose. Where collection of information is found to be unnecessary, the result will be non-compliance with PIPEDA,33
The Federal Privacy Commissioner, PIPEDA Case Summary #2010-006, 2010, available at https://www.priv.gc.ca/ en/opc-actions-and-decisions/investigations/investigations-into-businesses/2010/PIPEDA-2010-006/.
and may be taken to Federal Court to enforce compliance.34PIPEDA, s. 14.1.
For example, the Federal Privacy Commissioner has found that it was unreasonable for an automobile business to scan customers’ vehicle registration documents in relation to simple automobile maintenance services. The automobile business could collect sufficient technical information about a vehicle (i.e. make, model, year) to service the vehicle from scanning the vehicle identification number. Scanning the vehicle registration document, which disclosed more personal information (i.e. the owner’s address, drivers’ license number), was not necessary for the purpose of changing motor oil in vehicles.
b) Limitation on the Use, Disclosure, and Retention of Personal Information
Organizations are required to limit the use, disclosure, and retention of personal data to the purpose(s) for which the data was collected. Any other use or disclosure of personal information requires the consent of the individual or must either fall under a PIPEDA exception or be required by law. Moreover, such information is to be retained only as long as is necessary for the fulfillment of those purposes.35PIPEDA, Schedule 1, s. 4.5.
Organizations are encouraged to develop policies and procedures with respect to the retention of personal information, including minimum and maximum retention periods. Personal information that has been used to make a decision about an individual is to be retained long enough to allow the individual access to the information after the decision has been made.36PIPEDA, Schedule 1, s. 4.5.2.
c) Ensuring the Accuracy of Personal Information
Organizations are required to ensure that the personal data they collect and store is as accurate, complete, and up-to-date as is necessary for the purposes for which the data are to be used. The extent to which an organization must meet these requirements will depend upon the use of the information, taking into account the interests of the individual.37PIPEDA, Schedule 1, s. 4.6.
2. Rights of the Individual
a) Identification of Purpose
In order for individuals to give informed consent to the collection, use, or disclosure of personal information, organizations must identify the purpose for the collection of personal information.38PIPEDA, Schedule 1, s. 4.2. The purposes must be legitimate and explicitly specified.39PIPEDA, Schedule 1, s. 4.3.3.
b) Informed Consent
Consent is required prior to the collection, use, or disclosure of personal information under PIPEDA. Consent may be implicit or explicit and, depending on the circumstances, in oral form or in writing. An organization should generally seek express consent when the information is likely to be considered sensitive, while implied consent is more appropriate when the information is less sensitive. In all cases, the consent must be “informed”.40PIPEDA, Schedule 1, s. 4.3. The Digital Privacy Act sets out parameters for determining whether consent is valid, which is only where it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. This amendment to PIPEDA arguably creates an obligation on organizations to ascertain the degree of sophistication of the individual when obtaining consent.
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization is required to inform the individual of the implications of such withdrawal.41PIPEDA, Schedule 1, s. 4.3.8.
The general approach privacy commissioners in Canada have taken on the issue of informed consent has been outlined in guidance issued by the Federal, Alberta and British Columbia privacy commissioners on the specific issue of best practices for privacy in mobile apps.42
The Federal, Alberta and British Columbia privacy commissioners, Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps, 2012, available at https://www.oipc.bc.ca/guidance-documents/1426.
Consent to collection of personal information is not necessary in certain situations specified under the Act, including when the collection is clearly in the interest of the individual and consent cannot be obtained in a timely way, when it is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province, and when the information is publicly available. PIPEDA provides a list of exceptions to the consent requirements, subject to specific conditions, including in the context of prospective or completed business transactions.43PIPEDA, s. 7.
1. Right to Information
For example, the Federal Privacy Commissioner conducted a review of privacy policies on websites. The report published following the review identifies observed best practices, as well as unsatisfactory manners in which privacy policies were handled.The Federal Privacy Commissioner, Privacy enforcement authorities launch first-ever international Internet Privacy Sweep, May 6, 2013, available at https://www.priv.gc.ca/en/opc-news/news-and-announcements/2013/nr-c_130506/.
In addition, organizations ought to go beyond that which is expressly required in the legislation to include, for example, additional uses and disclosures such as personal information that is being transferred and stored internationally.
2. Right of Access and Correction
Individuals are entitled to be informed of the existence, use, and disclosure of their personal information and must be given access to that information. Exceptions to the access requirement should be limited and specific, and any reasons for denying access should be provided to the individual upon request.46PIPEDA, Schedule 1, s. 4.9.
3. Right to Challenge Compliance
Organizations must also facilitate complaints or inquiries regarding personal information within their control, including procedures to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information.47PIPEDA, Schedule 1, s. 4.10. In order to comply with this requirement, an organization must design an effective and accessible process to address inquiries from time of receipt, through internal review and, ultimately, to resolution and/or communication with the individual. In most instances, the organization’s privacy officer should control this process.
4. Security and Protection of the Data
Appropriate security protocols to protect personal information against loss or theft, unauthorized access, disclosure, copying, use, or modification must also be established.48PIPEDA, Schedule 1, s. 4.7. The extent to which an organization must establish security protocols will depend on the sensitivity of the information at issue. The more sensitive the information, the higher the level of protection required.49
Businesses should consider the regulatory framework set out by the Office of the Superintendent of Financial Institutions (OSFI), which imposes specific obligations on federally regulated financial institutions in respect of informationtechnology outsourcing arrangements. Cloud-based outsourcing contracts must comply with the requirements of OSFI Guideline B-10, Outsourcing of Business Activities, Functions and Processes, revised in March 2009, available at http://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/b10.aspx.
It is important to ensure that employees are aware of the need to maintain the confidentiality of personal information and destroy or render anonymous the personal information upon completion of the retention period. In this electronic era, safeguarding will often entail the use of encryption software.50
The Federal Privacy Commission recently emphasizes the need to use encryption of date in its recent investigation into the personal information handling priorities of WhatsApp Inc. See The Federal Privacy Commissioner, PIPEDA Report of Findings #2013-001 - Investigation into the personal information handling practices of WhatsApp Inc., 2013, available at https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2013/ PIPEDA-2013-001/.
5. Transfer of Information to a Third Party
The organization must also use contractual or other means to provide a comparable level of protection for information to be processed by the third party.
Organizations that transfer personal information across Canadian borders should consider the guidelines issued by the Federal Privacy Commissioner in this regard.51
The Federal Privacy Commissioner,Guidelines for Processing Personal Data Across Borders, 2009, available at https://www.priv.gc.ca/en/privacy-topics/personal-information-transferred-across-borders/gl_dab_ 090127/. See also joint publication of the Federal, B.C. and Alberta Privacy Commissioners, Cloud Computing for Small and Medium-sized Enterprises, June 2012, available at https://www.priv.gc.ca/en/ privacy-topics/technology-and-privacy/online-privacy/cloud-computing/gd_cc_201206/. AB PIPA has express provisions relating to the transfer of personal information outside of Canada.
The guidelines require organizations to consider the legal requirements of the jurisdiction to which data will be transferred, and to take into account “potential foreign political, economic and social conditions, and events that may conspire to reduce the foreign service provider's ability to provide the service, as well as any additional risk factors that may require adjustment to the risk management program.” The sensitivity of the information is a factor in the assessment of risk to the security of the information as a result of the transfer.
6. Transparency, Notification, and Registration with Local Authorities
Registration with, or notification to, data protection supervisory authorities is not required under PIPEDA. However, in Québec, there is a requirement for “personal information agents” to register with the provincial Commission d’accès à l’information.52Québec Act, s. 70. A personal information agent is “any person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports bearing on the character, reputation or solvency of the persons to whom the information contained in such files.”
C. Provincial Law
Québec, British Columbia, and Alberta have in force provincial privacy protection laws that are substantially similar to PIPEDA. These laws apply to private-sector businesses that collect, use and disclose personal information while carrying on business in those provinces.
The Québec Act enables the protection of rights that are prescribed under the Québec Civil Code53CQLR c C-1991, ss. 35-41. (the “Civil Code”). The rights prescribed under the Civil Code are intended to recognize and protect individual reputation and privacy, including through restrictions on retention of certain private data. In addition, the Québec Charter of Human Rights and Freedoms grants every person the right to safeguard his/her dignity, honor, and reputation, the right to respect for his/her private life, and the right that their confidential information not be disclosed.54CQLR c C-12, s 5.
The BC PIPA and AB PIPA both govern the collection, use and disclosure of personal information by private sector entities in their respective jurisdictions.
Regulatory and enforcement oversight under the applicable privacy legislation falls to “Privacy Commissioners” appointed in the various jurisdictions. While each Privacy Commissioner is independent, there is cooperation among the offices on various initiatives including joint investigations.55
See, for example, joint publication of the Federal, B.C. and Alberta Privacy Commissioners,Guidelines for OnlineConsent, 2014, available at https://www.priv.gc.ca/media/2105/gl_oc_201405_e.pdf.
The BC PIPA and AB PIPA protect information that can identify an individual and information about an individual, defined as “personal information.” Both of these Acts also exclude business contact information from the definition of personal information.
The Québec Act defines personal information as any information that “relates to a natural person and allows that person to be identified;”56Québec Act, s. 2. business contact information is not excluded from the definition of personal information in Québec. Non-Québec businesses may be subject to the application of the Québec Act if there is a sufficient connection to Québec, such as business operations, storage of data, or by virtue of the data subject being resident of Québec.
1. Federal Enforcement
The Federal Privacy Commissioner’s principal responsibility is to act as an ombudsman in disputes between organizations and individuals,57PIPEDA, s. 12.1. but it has investigative powers in relation to complaints regarding the use or misuse of personal information. Importantly, the Federal Privacy Commissioner has asserted jurisdiction against foreign service providers with operations in Canada.58
The Federal Privacy Commissioner, PIPEDA Case Summary #2009-008 - Report of Findings into the Complaint Filed by the Canadian Internet Policy against Facebook Inc., July 16, 2009, available at https://www.priv.gc.ca/media/1033/2009_008_0716_e.pdf; The Federal Privacy Commissioner, PIPEDA Report of Findings #2014-001 - Use of sensitive health information for targeting of Google ads, January 14, 2014, available at https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/ investigations-into-businesses/2014/ PIPEDA-2014-001/.
While the Federal Privacy Commissioner is not empowered to impose fines, the Commissioner’s report or findings may be used as basis for private legal proceedings in which provincial courts are empowered to issue orders and award monetary damages.59
PIPEDA, s. 14. See also Randall v Nubodys Fitness Centres, 2010 FC 681; Nammo v. TransUnion of Canada Inc., 2010 FC 1284; Biron v. RBC Royal Bank, 2012 FC 1095; Stevens v SNF Maritime Metal Inc., 2010 FC 1137.
2. Provincial Enforcement
The Privacy Commissioners in the various provinces also have similar powers. However, unlike their federal counterpart, British Columbia and Alberta’s Privacy Commissioners are empowered to impose significant fines for breaches of their respective statutes: up to CAD$10,000 for individuals and up to CAD$100,000 for businesses.60AB PIPA, s. 59; BC PIPA, s. 56. The Québec Privacy Commissioner can impose fines from CAD$1,000 to $50,000 for a first offence, and from CAD$10,000 to $100,000 for a subsequent offence.61Québec Act, ss. 91-93. Further, a contravention under the AB PIPA or BC PIPA may give an individual a cause of action in court for damages the individual has suffered as a result of a breach of an obligation by an organization under either Act.62AB PIPA, s. 60; BC PIPA, s. 57.
Individuals may initiate claims for breach of privacy in Manitoba, Newfoundland and Labrador, Nova Scotia, Saskatchewan and Ontario.63
See, for example, Jones v. Tsige, 2012 ONCA 32.
As well, Québec civil law provides remedies for invasions of privacy.64Civil Code of Québec, S.Q. 1991, c. 64, s. 3 and ss. 35-41. The common law tort of invasion of privacy may impose additional liability, although the availability and elements of the tort can differ from province to province.
III. Privacy Considerations in Business Transactions
A. Disclosure of Personal Information in Business Transactions
PIPEDA, the AB PIPA, and the BC PIPA provide certain exceptions to the requirement to obtain consent before the collection, use or disclosure of personal information. For organizations looking to do business in Canada, the most important exception allows the transfer of personal information to another organization, without the consent of the individual, in the context of a business transaction.65
PIPEDA, s. 7.2; AB PIPA, s. 22; BC PIPA, s. 20. Note that both PIPEDA and the AB PIPA allow for the disclosure of an “identifiable individual” without their consent in the context of a business transaction, while the BC PIPA allows for the disclosure of personal information about an organization’s employees, customers, directors, officers or shareholders.
This exception allows a business transaction to proceed confidentially and without needing to disrupt the workplace prematurely and potentially unnecessarily, also recognizing that obtaining consent from every employee in a timely fashion might be impractical (if not impossible).
The provisions relating to business transactions in PIPEDA, the AB PIPA, and the BC PIPA are substantially similar. Under all three Acts the exception to consent applies to proposed and completed business transactions, and the primary purpose of the business transaction must not be for the purchase, sale, or transfer of the personal information itself.66PIPEDA, s. 7.2(4); AB PIPA, s. 22(6); BC PIPA, s. 20(7).
For a proposed transaction, the parties must enter into an agreement that protects the personal information that they intend to transfer.67PIPEDA, ss. 7.2(1)(a), 7.2(2)(a); AB PIPA, s 22(3)(a)(i); BC PIPA, s. 20(2)(b). Under section 7.2(a)(ii) PIPEDA states that this agreement requires the organization that receives the personal information to protect that information by “security safeguards appropriate to the sensitivity of the information.” The AB PIPA and BC PIPA do not have this requirement. The agreement must require that the personal information will only be used for the purpose of the proposed business transaction and determining whether to proceed.
In the case of PIPEDA and the AB PIPA, there is a further requirement that the information also be necessary in order to complete the transaction.68PIPEDA, s. 7.2(1)(b); AB PIPA, s. 22(3)(a)(ii); BC PIPA, s. 20(2)(a). The BC PIPA only requires that the information be necessary for determining whether to proceed with a proposed transaction.
For a completed transaction, the parties must enter into an agreement that requires that the personal information will only be used for the purpose for which it was previously collected (i.e., by the vendor organization and unrelated to the transaction).
These agreements are important not only for complying with the law and protecting information but can also be effective for establishing liability in the event that the agreement is breached.
Where a business transaction has been completed, both the BC PIPA and PIPEDA require that an individual be notified that the transaction took place and that his/her personal information was disclosed;69BC PIPA, s. 20(3)(c); PIPEDA, s. 7.2(2)(c). however, there is no such requirement under the AB PIPA.
Where a business transaction is not completed, all three Acts require that the prospective organization destroy any personal information that was collected under this exception, or return the personal information to the organization from which it originated.70PIPEDA, s. 7.2(1)(a)(iii); AB PIPA, s. 22(4); BC PIPA, s. 20(6).
B. Cross-border transactions
The transfer of personal information outside of Canada is often undertaken by sending physical files or digital copies, or storing information on remote servers. Storing information on remote servers has become increasingly frequent, and the acquirers of this information can gain access to that server during the transaction. Both the provider and acquirer need to be cautious of the implications of transferring personal information outside of Canada.
Under PIPEDA, an organization is responsible for personal information in its possession, including information that has been transferred to a third party for processing, such as a remote server.71PIPEDA, Schedule 1, s. 4.1.3. While information is being processed by a remote server, the organization is required to use contractual or other means to provide a comparable level of protection as the information would receive in Canada.72
However, the Federal Privacy Commissioner has observed that where personal information is transferred to a foreign third party that information is subject to the laws of the foreign country and those laws cannot be overridden by contractual provisions.73
The Federal Privacy Commissioner, Guidelines for Processing Personal Data Across Borders, January 2009, available at https://www.priv.gc.ca/en/privacy-topics/personal-information-transferred-across-borders/gl_dab_090127/. See also joint publication of the Federal, B.C. and Alberta Privacy Commissioners, Cloud Computing for Small and Medium-sized Enterprises, June 2012, available at: https://www.priv.gc.ca/en/privacy-topics/technology-and-privacy/online-privacy/cloud-computing/gd_cc_201206/.
As a result, the Privacy Commissioner has stated that, while consent is not required in order to transfer information across borders, an organization in Canada that transfers personal information to a foreign third party should at least notify affected individuals that their information may be stored or accessed outside Canada. This notification will depend on the sensitivity of the personal information and should address the potential impact that the storage of their information outside of Canada may have on their privacy rights.74
The Federal Privacy Commissioner, Guidelines for Processing Personal Data Across Borders, supra note 73. See also joint publication of the Federal, B.C. and Alberta Privacy Commissioners, Cloud Computing for Small and Medium-sized Enterprises, June 2012, available at https://www.priv.gc.ca/en/privacy-topics/technology-and-privacy/online-privacy/cloud-computing/gd_cc_201206/.
There are no specific provisions in PIPEDA regarding notification to individuals in the case of cross-border transfers. However, the AB PIPA includes a mandatory requirement for organizations to notify individuals before transferring personal information to a foreign service provider.75AB PIPA, s. 13.1. Further, while Québec’s privacy legislation does not require notification to an individual in cross-border transfers, it does require organizations to take all reasonable steps to ensure that cross-border transfers of personal information will not be used for collateral purposes, nor communicated to third parties without the consent of the individuals concerned.
While the BC PIPA does not address cross-border transfers or the storage of information on remote servers, the BC Privacy Commissioner may still assess whether reasonable security measures were implemented in such transfers and consider whether individuals should be notified that their personal information was moved across borders.76BC PIPA, s. 34.
C. Representations and warranties
The failure to satisfy privacy obligations is a potential liability, and an acquirer should evaluate the remedial measures that would be required to bring operations into compliance. The acquirer should also consider the types of data the target collects and stores, and look at the manner in which information is collected and stored and the process through which consents to use that information are obtained. If a third-party service provider is employed to manage the data, the service agreement and practices of the service provider should also be reviewed.
Acquirers often view the personal information collected by a target as an asset. However, it will need to be determined whether or not the acquirer will be able to use the information in the manner it intends to or whether they may be limited in the ways they can use and disclose this information.
D. Reducing transactional related privacy risks
Suggested measures that could be taken by organizations in order to reduce privacy related risks include:
- making information anonymous by removing any identifying information such as a person’s name or address. Anonymous information is not “personal information;”
- only exchanging personal information that is necessary for carrying out the business transaction (e.g., there will likely never be a reason to provide a social insurance number);
- if relying on implied consent under PIPEDA, ensuring that personal information is not sensitive;
- increasing protection through the use of confidentiality or non-disclosure agreements. Include provisions outlining procedures for destruction/return of personal information in the event the transaction is no longer pursued and address liability, notification and cooperation in the event of a data breach;
- ensuring adequate contractual provisions are in place to protect personal information;
- ensuring the necessary representations and warranties are provided. Indemnification clauses should be included in respect of representations or warranties relating to the protection of personal information; and
- outlining the process for transfer of personal information in the purchase and sale agreement.
IV. Data Breach
1. Federal Law
PIPEDA and other Federal laws do not explicitly provide notification requirements in the event of data breach. However, the Digital Privacy Act includes an amendment to PIPEDA that, upon coming into effect, will bring about mandatory data breach notification requirements.77
The Government of Canada, For Discussion — Data Breach Notification and Reporting Regulations, March 4, 2016, available at http://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf11177.html.
Once these regulations are promulgated, the notification requirements will come into effect.
Organizations will be required to report any breach of security safeguards involving personal information under their control to the Federal Privacy Commissioner and the affected individuals. This notification will be required where it is reasonable to believe the breach creates a real risk of significant harm to an individual. Such a report must be made “as soon as feasible after the organization determines that the breach has occurred.”78PIPEDA, s. 10.1(2). Organizations will also be required to notify a potentially affected individual of such breach, using a similar threshold.
An organization experiencing a breach will have additional reporting obligations to other organizations and government institutions if the breached organization believes the other organizations may be able to reduce their risk of harm as a result.
The Digital Privacy Act introduces liability for knowingly violating the notification requirements. An organization may be liable for fines up to CAD$100,000 per violation. It is unclear at this time whether a “violation” will include a single incident (e.g. a single failure to notify all individuals) or each incident (e.g. each failure to notify each individual).
Until statutory requirements come into force, organizations should follow the Federal Privacy Commissioner’s guidelines.79
The Federal Privacy Commissioner, Key Steps for Organizations in Responding to Privacy Breaches, 2007, available at https://www.priv.gc.ca/media/2086/gl_070801_02_e.pdf. See also Office of the Information and Privacy Commissioner, Alberta, How to Report a Privacy Breach, available at https://www.oipc.ab.ca/action-items/how-to-report-a-privacy-breach.aspx.
These guidelines encourage organizations to report material privacy breaches to the appropriate privacy commissioner(s), and to notify affected individuals, as part of the efforts to mitigate the impact of the breach. The guidelines identify four key steps in responding to a breach of security:
(a) breach containment and preliminary assessment;
(b) evaluation of the risks associated with the breach;
(c) notification; and
(d) prevention of future breaches.
2. Provincial Law
In Alberta, organizations must notify the Commissioner in the case of a loss, unauthorized access, or disclosure.80The AB PIPA, s. 34.1(1). Such notification to the Commissioner should occur without unreasonable delay. The Commissioner may require the organization to notify the affected individuals within a specified period of time.81The AB PIPA, s. 37.1. Failure to notify the Commissioner may result in a fine of up to CAD$10,000, and in the case of an organization, a fine of up to CAD$100,000.82The AB PIPA, s. 59. Neither BC PIPA nor the Québec Act make breach reporting mandatory.
B. An organization’s obligations to non-Canadians
The Federal Privacy Commissioner observes that organizations subject to PIPEDA may collect personal information that pertains to individuals who reside outside of Canada (for instance, residents of the United States). The Federal Privacy Commissioner is of the view that notification and reporting obligations require a consideration of the extent to which organizations may have to notify individuals outside of Canada who may be affected by a data breach undergone by an organization subject to PIPEDA. At a minimum, the Federal Privacy Commissioner suggests that regulations should require organizations to consider the breach notification laws of those jurisdictions, as well as any local notification requirements.
The combination of federal and provincial privacy laws and CASL regulate the manner in which organizations collect, use, and disclose personal information in the course of their business operations and are intended to protect personal information in the course of commercial activities. These laws can have a significant impact on organizations operating in Canada. The legislation includes robust enforcement mechanisms and authorizes governmental agencies to impose significant financial penalties, which can bring scrutiny and negative publicity to organizations found to be in breach of their obligations. Organizations would be well served by implementing policies and strategies that ensure compliance with these laws.