Skip to main content
SpringerLink
Log in

Data Protection and the Internet: Canada

  • Chapter
  • First Online:
Data Protection in the Internet

Part of the book series: Ius Comparatum - Global Studies in Comparative Law ((GSCL,volume 38))

  • 1045 Accesses

Abstract

Canada’s federal system has led to a patchwork of legislation governing the protection of personal information and privacy. The principal private sector data protection statute is the federal Personal Information Protection and Electronic Documents Act. First enacted in the early days of electronic commerce, this statute has been the subject of repeated calls for reform, particularly with respect to the new challenges of the digital and big data era. In the absence of needed reform, the Privacy Commissioner has worked to adapt the existing principles to new contexts. In the meantime, private lawsuits for breach of privacy rights, as well as class action lawsuits over data security breaches are increasing. Concerns over access Canadians’ personal information in the hands of the private sector by law enforcement and national security agents have generated litigation that has explored the boundaries of privacy rights in the context of the constitutional right to be free from unreasonable search or seizure.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 139.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 179.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 179.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Freedom of Information and Protection of Privacy Act, SA, RSA 2000, c. F-25; Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165; The Freedom of Information and Protection of Privacy Act, SM 1997, c 50; Personal Health Information Privacy and Access Act, SNB 2009, c. P-7.05; Freedom of Information Act, RSN 1990, c F-25; Freedom of Information and Protection of Privacy Act, SNS 1993, c 5; Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31; An Act respecting access to documents held by public bodies and the Protection of personal information, RSQ, c A-2.1; The Freedom of Information and Protection of Privacy Act, SS 1990-1991, c F-22.01; Access to Information and Protection of Privacy Act, SNWT.1994, c 20; Access to Information and Protection of Privacy Act, SNWT 1994, c 20; Access to Information and Protection of Privacy Act, RSY 2002, c 1.

  2. 2.

    Privacy Act, RSC 1985, c P-21.

  3. 3.

    See, e.g. Personal Health Information Act 2008 SNL c P-7.01; Personal Health Information Protection Act SO 2004, c 3 Sch. A; Health Information Act RSA 2000, c H-5; and Personal Health Information Act CCSM c P33.5; E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008, c 38; Health Information Protection Act, SS 1999 c H-0.021; An Act respecting the sharing of certain health information, SQ 2012, c 23; Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05; Personal Health Information Act, SNS 2010, c 41; Health Information Act, RSPEI 1988, c H-1.41; Health Information Privacy And Management Act, SY 2013, c 16; Health Information Act, SNWT 2014; Public Health Act, SNu 2016, c 13.

  4. 4.

    S.C. 2001, c. 5 [PIPEDA].

  5. 5.

    PIPEDA, s. 26(2)(b).

  6. 6.

    Act respecting the protection of personal information in the private sector, CQLR c P-39.1.

  7. 7.

    Personal Information Protection Act, SA 2003, c P-6.5.

  8. 8.

    Personal Information Protection Act, SBC 2003, c 63.

  9. 9.

    Civil Code of Québec, CQLR c CCQ-1991, ss. 3, 35–41.

  10. 10.

    Privacy Act, RSBC 1996, c 373; The Privacy Act, RSM 1987, c P125; The Privacy Act, RSS 1978, c P-24; Privacy Act, RSN 1990, c P-22.

  11. 11.

    See, e.g. Jones v. Tsige, 2012 ONCA 32; Trout Point Lodge Ltd. v. Handshoe, 2012 NSSC 245. The threshold for the statutory or common law torts is relatively high. For example, the tort of intrusion upon seclusion requires not only an unjustified intrusion upon someone’s seclusion but that it also be of a kind that would be “highly offensive to the reasonable person” (Jones, at para 70).

  12. 12.

    Charter of Human Rights and Freedoms, CQLR c C-12.

  13. 13.

    The Constitution Act, 1982, Schedule B to the Canada Act 1982 (UK), 1982, c 11.

  14. 14.

    See, e.g.; Cheskes v. Ontario (Attorney General), 2007 CanLII 38387 (ON SC); R. v. Hebert, [1990] 2 S.C.R. 151, and M. (A). v. Ryan, [1997] 1 S.C.R. 157.

  15. 15.

    See, e.g. Nammo v. TransUnion of Canada Inc., 2010 FC 1284; Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, [2013] 3 SCR 733, 2013 SCC 62.

  16. 16.

    See, e.g. Gordon v. Canada (Minister of Health), 2008 FC 258; Ontario (Attorney General) v. Pascoe, (2002) 22 CPR (4th) 447 (Ont CA), aff’g Ontario (Attorney General) v. Ontario (Information and Privacy Commissioner) [2001] OJ No 4987, 16 CPR (4th) 460 (OntDiv Ct).

  17. 17.

    Privacy Commissioner of Canada (2013a) Interpretation Bulletin.

  18. 18.

    PIPEDA Case Summary #2009-002, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2009/pipeda-2009-002/.

  19. 19.

    R. v. Spencer, [2014] 2 SCR 212, 2014 SCC 43.

  20. 20.

    See, e.g. PIPEDA, Schedule I, Clause 4.3.6. New guidelines on consent note that sensitivity can vary depending on the circumstances. See: Privacy Commissioner of Canada (2018c) Guidelines for obtaining meaningful consent.

  21. 21.

    Royal Bank of Canada v. Trang, [2016] 2 SCR 412, 2016 SCC 50, at para 36. See also PIPEDA, clause 4.3.4.

  22. 22.

    See Trang, Ibid., at para 46; Toronto Real Estate Board v. Commissioner of Competition, 2017 FCA 236, at para 174.

  23. 23.

    Privacy Commissioner of Canada (2018c) Guidelines for obtaining meaningful consent, “Risk of Harm”.

  24. 24.

    PIPA (B.C.), ss. 52–53; PIPA (Alberta), ss. 52–54; PPIPS, ss. 55 and 56.

  25. 25.

    PIPEDA, s. 13.

  26. 26.

    See, e.g. Privacy Commissioner of Canada (2017) Real fears, real solutions, p. 4; Privacy Commissioner of Canada (2013b) The Case for Reforming.

  27. 27.

    Privacy Commissioner of Canada (2018a) 2017-18 Departmental Plan.

  28. 28.

    See, e.g. PIPEDA Report of Findings #2018-002, “Company’s re-use of millions of Canadian Facebook user profiles violated privacy law”, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2018/pipeda-2018-002/; PIPEDA Report of Findings #2012-001, “Social networking site for youth, Nexopia, breached Canadian privacy law”, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2012/pipeda-2012-001/; PIPEDA Report of Findings #2018-002, “Company’s re-use of millions of Canadian Facebook user profiles violated privacy law”, available at: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2018/pipeda-2018-002/.

  29. 29.

    See, e.g. A.T. v. Globe24h.com, 2017 FC 114.

  30. 30.

    See, e.g. PIPEDA Report of Findings #2018-002, at para 12.

  31. 31.

    Privacy Commissioner of Canada (2012) Seizing Opportunity.

  32. 32.

    Privacy Commissioner of Canada (2014) Ten Tips for Communicating Privacy Practices to Your App’s Users.

  33. 33.

    Privacy Commissioner of Canada (2011) Guidelines on Privacy and Online Behavioural Advertising.

  34. 34.

    Privacy Commissioner of Canada (2016) Consent and Privacy.

  35. 35.

    Privacy Commissioner of Canada (2017) 2016-2017 Annual Report, Report on Consent.

  36. 36.

    Privacy Commissioner of Canada (2018c) Guidelines for obtaining meaningful consent.

  37. 37.

    Privacy Commissioner of Canada (2018c) Guidelines for obtaining meaningful consent, Clause 1. Additional emphasis on four key elements is prescribed. These elements are: what personal information is collected, with whom the information will be shared, for what purposes the information is collected, used or disclosed, and the risks of harm or other consequences from sharing personal information.

  38. 38.

    Privacy Commissioner of Canada (2018c) Guidelines for obtaining meaningful consent, Clause 4.

  39. 39.

    Privacy Commissioner of Canada (2018c) Guidelines for obtaining meaningful consent, Clause 4.

  40. 40.

    Privacy Commissioner of Canada (2018c) Guidelines for obtaining meaningful consent, Clause 5.

  41. 41.

    Privacy Commissioner of Canada (2018c) Guidelines for obtaining meaningful consent, Clause 6.

  42. 42.

    Privacy Commissioner of Canada (2015a) Collecting from kids. The topic of consent and children is also addressed in Privacy Commissioner of Canada (2018c) Guidelines for obtaining meaningful consent.

  43. 43.

    Privacy Commissioner of Canada (2017) 2016-2017 Annual Report, Report on Consent.

  44. 44.

    House of Commons (2018) Towards Privacy by Design, p. 2.

  45. 45.

    Privacy Commissioner of Canada (2018b) Draft OPC Position on Online Reputation.

  46. 46.

    2017 FC 114.

  47. 47.

    Privacy Commissioner of Canada (2018d) Trust but Verify, pp. 13–14.

  48. 48.

    An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23. (“Canada’s Anti-Spam Legislation” or “CASL”). Note that the law was enacted in 2010, but its coming into effect was delayed in part to ensure that necessary regulations were in place.

  49. 49.

    SOR/2013-221.

  50. 50.

    Regulatory Impact Analysis Statement (2013) s. 3.

  51. 51.

    An electronic message is defined as: “a message sent by any means of telecommunication, including a text, sound, voice or image message” CASL, s. 1(1).

  52. 52.

    CASL, s. 6(1).

  53. 53.

    CASL, s. 10(8).

  54. 54.

    CASL, s. 10(9).

  55. 55.

    CASL, s. 10(9)(b).

  56. 56.

    CASL, s. 20(1). Penalties for an individual are set at a maximum of $1,000,000 CAD. For an organization, the maximum is $10,000,000 CAD.

  57. 57.

    PIPEDA, s. 2, definition of “business contact information”.

  58. 58.

    PIPEDA, s. 4(1)(b).

  59. 59.

    PIPEDA Case Summary #2003-198, “Employer accused of wrongful disclosure”, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2003/pipeda-2003-198/.

  60. 60.

    See, e.g. L’Ecuyer v. Aéroports de Montréal, 2003 FC 573, aff’d [2004] FCA 237.

  61. 61.

    Eastmond v. Canadian Pacific Railway, 2004 FC 852; PIPEDA Case Summary #2004-264, “Video cameras and swipe cards in the workplace”, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2004/pipeda-2004-264/.

  62. 62.

    PIPEDA Case Summary #2006-351, “Use of personal information collected by Global Positioning System considered”, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2006/pipeda-2006-351/.

  63. 63.

    PIPA (BC), s. 1. Note that some issue may exist as to whether executives can be considered “employees” for the purposes of this legislation. See: Re: Occupational Health and Safety Agency for Healthcare in BC, [2010] B.C.I.P.C.D. No 48, Order No P10-03.

  64. 64.

    PIPA (Alberta), s. 1(1)(j).

  65. 65.

    PIPA (Alberta), s. 1(1)(j). Note that the previous definition was interpreted to include information about former employees. See: Re: Clean Harbors Lodging Services, [2010] AIPCD No 57, Order No P2010-011.

  66. 66.

    PIPA (BC), s. 13(2)(b). A comparable provision can be found in PIPA (Alberta), s. 15(1)(a). Specific provision around the use and disclosure of employee personal information are found in PIPA (BC), ss. 16 and 19; PIPA (Alberta), ss. 18 and 21.

  67. 67.

    Privacy Commissioner of Canada (2015b) Social Networking in the Workplace.

  68. 68.

    Ibid.

  69. 69.

    Digital Privacy Act, S.C. 2015, c. 32.

  70. 70.

    PIPEDA, s. 10.1(3).

  71. 71.

    PIPA (Alberta), s.37.1(1).

  72. 72.

    PIPEDA, s. 10.3.

  73. 73.

    Breach of Security Safeguards Regulations, SOR/2018-64, s. 6.

  74. 74.

    Privacy Commissioner of Canada (2013a) Interpretation Bulletin.

  75. 75.

    PIPEDA, s. 7(3)(c.1)(ii).

  76. 76.

    PIPEDA, s. 7(3)(c.1)(iii).

  77. 77.

    Protecting Canadians from Online Crime Act, S.C. 2014, c. 31.

  78. 78.

    R. v. Spencer, [2014] 2 SCR 212, 2014 SCC 43.

  79. 79.

    See discussion by Penney (2014).

  80. 80.

    Privacy Commissioner of Canada (2015c) Submission to Standing Committee on Industry.

  81. 81.

    Innovation, Science and Economic Development Canada (2015) Transparency Reporting Guidelines.

  82. 82.

    Ibid.

  83. 83.

    Ibid. at 3.

  84. 84.

    Criminal Code, RSC 1985, c C-46, s. 487.013.

  85. 85.

    Criminal Code, s. 487.014.

  86. 86.

    Criminal Code, s. 487.014.

  87. 87.

    Criminal Code, s. 487.015.

  88. 88.

    Criminal Code, s. 487.016.

  89. 89.

    Criminal Code, s. 487.017.

  90. 90.

    Criminal Code, s. 487.018.

  91. 91.

    Criminal Code, s. 487.019.

  92. 92.

    Criminal Code, s. 487.0191.

  93. 93.

    Criminal Code, s. 487.0193.

  94. 94.

    Criminal Code, s. 487.0194.

  95. 95.

    This lack of guidance was criticized in R. v. Rogers Communication 2016 ONSC 70.

  96. 96.

    Criminal Code, ss. 185, 186.

  97. 97.

    [2017] SCJ No 60, 2017 SCC 60 [Jones].

  98. 98.

    Jones, ibid. at para 74.

  99. 99.

    Criminal Code, s. 492.1(1).

  100. 100.

    Criminal Code, s. 492.1(2).

  101. 101.

    PIPEDA, s. 7(3)(d.1).

  102. 102.

    RSC 1985, c C-23 [CSIS Act].

  103. 103.

    CSIS Act, s. 21.1(2).

  104. 104.

    Forcese (2018), p. 3.

  105. 105.

    Forcese (2018), p. 4.

  106. 106.

    RSC 1985, c. N-5.

  107. 107.

    Austin (2015), p. 107; Forcese (2015).

  108. 108.

    Forcese (2018), p. 8.

  109. 109.

    Bill C-59, An Act respecting national security matters, 41st Parl., 1st Sess., Part 3, Communications Security Establishment, s. 2.

  110. 110.

    SC 2000, c 17.

  111. 111.

    PIPEDA s. 19.

  112. 112.

    PIPEDA, s. 11.

  113. 113.

    PIPEDA, ss. 12, 13.

  114. 114.

    PIPEDA, s. 14.

  115. 115.

    PIPEDA, s. 15.

  116. 116.

    PIPEDA, s. 16.

  117. 117.

    See, e.g. Randall v. Nubodys Fitness Centres, 2010 FC 681 (CanLII).

  118. 118.

    House of Commons (2018) Report of the Standing Committee on Access to Information, Privacy and Ethics.

  119. 119.

    PIPEDA, s. 17.1.

  120. 120.

    PIPEDA, s. 17.1(3).

  121. 121.

    PIPEDA, s. 17.2(2).

  122. 122.

    PIPEDA, s. 28.

  123. 123.

    Lawson v. Accusearch Inc., [2007] 4 FCR 314, 2007 FC 125.

  124. 124.

    Ibid. at para 51.

  125. 125.

    Ibid. at para 42.

  126. 126.

    See, e.g. PIPEDA Report of Findings #2018-002, at para 12.

  127. 127.

    Privacy Commissioner of Canada, Guidelines for Processing Personal Data Across Borders, January 2009, available at: https://www.priv.gc.ca/en/privacy-topics/personal-information-transferred-across-borders/gl_dab_090127/.

  128. 128.

    Ibid.

  129. 129.

    Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001, Pub L 107-56.

  130. 130.

    In British Columbia, s. 30.1 of the Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165, prohibits transfers or storage outside of the country except in specified circumstances. In Nova Scotia, the Personal Information International Disclosure Protection Act, SNS 2006, c 3, performs a similar function.

References

Statutes and Regulations

  • Access to Information and Protection of Privacy Act, SNWT.1994, c 20

    Google Scholar 

  • Access to Information and Protection of Privacy Act, SNWT 1994, c 20

    Google Scholar 

  • Access to Information and Protection of Privacy Act, RSY 2002, c 1

    Google Scholar 

  • An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c 23

    Google Scholar 

  • An Act respecting access to documents held by public bodies and the Protection of personal information, RSQ,c A-2.1

    Google Scholar 

  • Act respecting the protection of personal information in the private sector, CQLR c P-39.1

    Google Scholar 

  • An Act respecting the sharing of certain health information, SQ 2012, c 23

    Google Scholar 

  • Bill C-59, An Act respecting national security matters, 41st Parl., 1st Sess

    Google Scholar 

  • Breach of Security Safeguards Regulations, SOR/2018-64

    Google Scholar 

  • Canadian Security Intelligence Service Act, RSC 1985, c C-23

    Google Scholar 

  • Charter of Human Rights and Freedoms, CQLR c C-12

    Google Scholar 

  • Civil Code of Québec, CQLR c CCQ-1991

    Google Scholar 

  • Constitution Act, 1982, Schedule B to the Canada Act 1982 (UK), 1982, c 11

    Google Scholar 

  • Criminal Code, RSC 1985, c C-46

    Google Scholar 

  • Digital Privacy Act, S.C. 2015, c. 32

    Google Scholar 

  • E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008, c 38

    Google Scholar 

  • Electronic Commerce Protection Regulations, SOR/2013-221

    Google Scholar 

  • Freedom of Information and Protection of Privacy Act, SA, RSA 2000, c. F-25

    Google Scholar 

  • Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165

    Google Scholar 

  • Freedom of Information and Protection of Privacy Act, SM 1997, c 50

    Google Scholar 

  • Freedom of Information Act, RSN 1990, c F-25

    Google Scholar 

  • Freedom of Information and Protection of Privacy Act, SNS 1993, c 5

    Google Scholar 

  • Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31

    Google Scholar 

  • Freedom of Information and Protection of Privacy Act, SS 1990-1991, c F-22.01

    Google Scholar 

  • Health Information Act, RSA 2000, c H-5

    Google Scholar 

  • Health Information Act, RSPEI 1988, c H-1.41

    Google Scholar 

  • Health Information Act, SNWT 2014

    Google Scholar 

  • Health Information Privacy and Management Act, SY 2013, c 16

    Google Scholar 

  • Health Information Protection Act, SS 1999 c H-0.021

    Google Scholar 

  • Personal Health Information Act, 2008 SNL c P-7.01

    Google Scholar 

  • Personal Health Information Act, SNS 2010, c 41

    Google Scholar 

  • Personal Health Information Protection Act, SO 2004, c 3 Sch. A

    Google Scholar 

  • Personal Health Information Act, CCSM c P33.5

    Google Scholar 

  • Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05

    Google Scholar 

  • Personal Health Information Privacy and Access Act, SNB 2009, c. P-7.05

    Google Scholar 

  • Personal Information and Electronic Documents Act, S.C. 2001, c. 5

    Google Scholar 

  • Personal Information International Disclosure Protection Act, SNS 2006, c 3

    Google Scholar 

  • Personal Information Protection Act, SA 2003, c P-6.5

    Google Scholar 

  • Personal Information Protection Act, SBC 2003, c 63

    Google Scholar 

  • Privacy Act, RSC 1985, c P-21

    Google Scholar 

  • Privacy Act, RSBC 1996, c 373

    Google Scholar 

  • Privacy Act, RSM 1987, c P125

    Google Scholar 

  • Privacy Act, RSS 1978, c P-24

    Google Scholar 

  • Privacy Act, RSN 1990, c P-22

    Google Scholar 

  • Proceeds of Crime (Money Laundering) and Terrorist Financing Act, SC 2000, c 17

    Google Scholar 

  • Protecting Canadians from Online Crime Act, S.C. 2014, c. 31

    Google Scholar 

  • Public Health Act, SNu 2016, c 13

    Google Scholar 

  • Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001, Pub L 107-56

    Google Scholar 

Secondary Materials

Download references

Author information

Authors and Affiliations

  1. University of Ottawa, Faculty of Law, Ottawa, ON, Canada

    Teresa Scassa

Authors
  1. Teresa Scassa
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Teresa Scassa .

Editor information

Editors and Affiliations

  1. Law School, University of Lisbon, Lisbon, Portugal

    Dário Moura Vicente  & Sofia de Vasconcelos Casimiro  & 

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Scassa, T. (2020). Data Protection and the Internet: Canada. In: Moura Vicente, D., de Vasconcelos Casimiro, S. (eds) Data Protection in the Internet. Ius Comparatum - Global Studies in Comparative Law, vol 38. Springer, Cham. https://doi.org/10.1007/978-3-030-28049-9_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-28049-9_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-28048-2

  • Online ISBN: 978-3-030-28049-9

  • eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics

Search

Navigation