Privacy, Data Protection, and Cybersecurity

( Disponible en anglais seulement )


The Personal Information Protection and Electronic Documents Act governs the collection, use and disclosure of personal information by private sector entities in Canada. Further, given Canada’s federalist system, some provinces have their own private sector privacy legislation which has been deemed “substantially similar” to PIPEDA, including British Columbia’s Personal Information Protection Act (BC PIPA), Alberta’s Personal Information Protection Act (AB PIPA) and Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector (QC Act). More than one law can apply to a single processing activity and organizations may need to deal with more than one privacy commissioner’s office. Notably, PIPEDA does not apply to personal employee information unless it is held by a federal work, undertaking, or business.  

PIPEDA requires the reporting to the Office of the Privacy Commissioner (the “OPC”) of all breaches of security safeguards that could lead to a “real risk of significant harm” for affected individuals. All impacted individuals must also be notified. Indirect notification is possible but only under certain circumstances. Alberta has a similar notification requirement but the primary obligation is to notify the Commissioner, who may then order individual notification. However, Quebec’s recently enacted Bill 64 (now Law 25) has amended Quebec’s private sector privacy legislation to include mandatory breach notification to the Commission d’accès à l’information for breaches of security safeguards that could lead to a “risk of serious injury”. Currently, notification in British Columbia is encouraged but not legally required. 

The general process for enforcing PIPEDA tracks the following stages: (1) a complaint is made or an issue is identified by a regulator; (2) the OPC conducts an investigation; (3) enforcement steps are taken either through obtaining a court order, disclosing information to the public, auditing the personal information management practices of an organization, entering into a compliance agreement, or reporting offences to relevant authorities. The OPC is also able to pursue fines for non-compliance with data breach notification requirements but not for other violations of PIPEDA. At this stage, the OPC does not have order-making authority. However, all the other regulators with substantially similar legislation are empowered to make orders with respect to breaches of the legislation.  

PIPEDA has been undergoing reform efforts since 2020. PIPEDA is currently under review and Bill C-27 is before Parliament, passing on second reading in April 2023. Bill C-27 enacts the Consumer Privacy Protection Act (the “CPPA”), which would replace PIPEDA’s personal information protection aspects, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. Once and if enacted, the CPPA will provide for more prescriptive data protection obligations and greater enforcement powers, among other things. 

The Office of the Superintendent of Financial Institutions of Canada (“OSFI”) also establishes rules and responsibilities with respect to privacy that apply to federally regulated financial institutions, including banks, federal credit unions, and loan and trust companies. Notably, in 2019 OSFI issued an Advisory with requires the obligation to report technology and cyber incidents within 72 hours. The threshold for reporting is a “high” or “critical” severity level. The assessment is to be made by the institution itself. It is important to note that reportable cyber incidents under this OSFI Advisory go beyond those breaches that involve personal information.  


As mentioned above, Bill C-27, if passed, would enact the Artificial Intelligence and Data Act (the “AIDA”). This is Canada’s first attempt in regulating AI, in particular “high impact AI systems.”  However, it is the AIDA Regulations that would define what these systems are as well as specific requirements. It is unclear what this would entail at this point. The AIDA was written with reference to the proposed EU AI Act, the Organization of Economic Co-operation and Development (OECD) AI Principles, and the US National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).  

3. BILL C-26  

Canada’s Minister of Public Safety introduced Bill C-26 (alongside Bill C-27) on June 14, 2022. Bill C-26 would amend Canada’s Telecommunications Act and introduces the Critical Cyber Systems Protection Act (the “CCSPA”) in an effort to bolster cyber security across federally regulated essential infrastructure (telecommunications, finance, energy and transportation sectors). These cyber security programs must implement reasonable steps in detecting and minimizing cyber security incidents, in addition to managing organizational risks, such as risks associated with the supply chain and the use of third-party products and services. While not directly applicable to other sectors, implementation of such programs is important for almost any organization. The CCSPA would also introduce mandatory breach notification requirements whenever there was a cyber-security incident, regardless of whether any personal information is involved and the risk of harm to individuals. 


Canada’s anti-spam law (“CASL”) regulates, among other things, the transmission of “commercial electronic messages” (“CEMs”) by any person to a recipient in Canada. CASL is enforced by the Competition Bureau, the Canadian Radio-television and Telecommunications Commission, and the OPC. CASL applies to all CEMs, with some exceptions. If CASL is found to apply, the legislation contains three major obligations: (i) consent has been obtained by the recipient; (ii) the sender has been identified; and (iii) there is an unsubscribe feature included in the electronic message that is prominent and can be readily performed. There are significant fines for violations of CASL, which is arguably one of the strictest and most complicated anti-spam laws of its kind.