Canadian Data Privacy Laws Roundup

James Mignacca
October 18, 2023

The data privacy landscape is constantly changing. Keeping up with shifting and emerging regulations is challenging, especially if compliance represents just one piece of your day-to-day responsibilities. However, non-compliance isn’t worth the risk; most data privacy laws define several penalties and consequences. If you live in the United States, we also have a guide to US Data Protection laws you can read.

In the spirit of cybersecurity awareness month, we’ve pulled together this Canadian data privacy laws roundup to recap current federal, provincial, and industry laws, and what you need to know to ensure compliance.

Federal data privacy laws

The Privacy Act

This Act applies to the Canadian government’s collection, use, and disclosure of citizen data for federal services purposes. It applies only to federal government institutions and covers all personal information that the government handles, including federal employees.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is the primary federal privacy law in Canada that governs the collection, use, and disclosure of personal information by private sector organizations. It applies to businesses engaged in commercial activities across provincial and national borders. The law has been updated over time and has gone through a few revisions along the way. Any company engaged in commercial and transactional activities involving the personal information of Canadian citizens must comply with PIPEDA.

Digital Privacy Act

This is an amendment to PIPEDA that came into effect in 2015. It introduced several changes, including mandatory breach notification requirements and increased fines for non-compliance and/or failure to report breaches (up to $100,000).

Anti-Spam Legislation (CASL)

Canada's Anti-Spam Legislation (CASL) governs electronic communications and commercial messages. While not strictly a data privacy law, it imposes requirements on obtaining consent for sending electronic messages, including email and text messages, and contains provisions related to the installation of computer programs. In the event of a violation, offenders may have to pay an administrative monetary penalty (AMP) of up to a maximum of $1 million for an individual, or $10 million for a business.

Federal Health Sector Laws

The health sector in Canada is subject to specific privacy laws, such as the Personal Health Information Protection Act (PHIPA) in Ontario and the Health Information Act (HIA) in Alberta, which regulate the handling of health-related information.

Public Sector Privacy Laws

Federal and provincial government organizations are subject to their own privacy laws, such as the federal Privacy Act and any provincial equivalents, which govern the handling of personal information in the public sector.

Not-for-Profit Organizations

Not-for-profit organizations may be subject to PIPEDA or provincial privacy laws depending on their activities and location.

Cross-Border Data Transfers

Businesses that transfer personal data across borders should also be aware of international data transfer regulations like GDPR, especially if they deal with data from the European Union (EU) or other jurisdictions with strict data protection laws.

What’s new:

In June 2022, the federal government introduced a bill intended to overhaul private sector data privacy requirements for better protection (for individuals) and stronger regulation of organizational data privacy and protection practices. Bill C-27 – Digital Charter Implementation Act 2022 passed on its second reading earlier this year and repeals Part 1 of PIPEDA.

What’s coming:

The Artificial Intelligence and Data Act (AIDA) was introduced as part of the Digital Charter Implementation Act, 2022. Its intent is to set the foundation for the responsible design, development, and deployment of AI systems that impact the lives of Canadians and their data. The law will also hold businesses accountable for how new AI technologies are used and developed. When passed, this law will make Canada one of the first countries to introduce a law that would regulate AI.

Until the law is passed, Canadians can expect to see the introduction of a voluntary AI code of conduct. The AI development guidelines pertain to businesses that are developing and applying AI technologies and are intended to support responsible AI development and use.

Provincial data privacy laws

In addition to PIPEDA, some provinces have their own privacy legislation that applies to organizations within their jurisdiction.

Alberta

Personal Information Protection Act (PIPA) — This law applies to provincially regulated private sector organizations and non-profit organizations. Non-compliance carries fines ranging up to $100,000.

British Columbia

Personal Information Protection Act (PIPA BC) — This law requires organizations to protect personal information in their custody or control and demonstrate that they have the appropriate security controls in place to do so. Organizations may face fines of up to $100,000 if found non-compliant.

Quebec

Law 25 — Effective September 2023, Law 25 is designed to give individuals more control over their information and the ability to request and access their information from the organizations that hold it. If an individual requests specific information, organizations must provide it within 30 days or risk penalties and fines of up to $25 million.

Achieving data privacy law compliance

The data privacy laws that apply to your business may vary based on the industry and province you operate in. Regardless, the ability to understand the types of data you have on your network, in your environment, and the types of data you're accumulating underpins every data privacy and security regulation. Simply put, if you don't know what data you have, you can't protect it.

Check out our Guide to Data Discovery for Regulatory Compliance to learn more about global industry data protection and data privacy laws, and what you need to demonstrate to ensure alignment — and compliance.
