Canadian regulations are generally stricter than US regulations and on par with EU regulations. Two sets of Canadian laws govern the collection, storage, and use of data: the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Privacy Act. While the Privacy Act applies only to federal government departments, PIPEDA applies to private sector companies. In addition to federal regulations, each territory and province also has its own data security regulations. Companies may be exempted from PIPEDA if the province in which they operate has substantially similar data security regulations. Currently, British Columbia, Alberta, and Quebec are the only three provinces where a company may obtain a federal exemption.
Federal Regulations – PIPEDA
PIPEDA applies to all companies that collect, use, or disclose personal information. PIPEDA is a federal act, and individual provinces may have stricter regulations that impose additional data protection requirements. Under PIPEDA, personally identifiable information (“PII”) includes age, name, ID numbers, income, ethnic origin, blood type, opinions, evaluations, comments, social status, disciplinary actions, employee files, credit records, loan records, and medical records. PIPEDA sets forth five requirements for companies that collect or use PII: (1) PII must be collected with consent and for a reasonable purpose; (2) PII must be used and disclosed only for the limited purpose for which it was collected; (3) PII must be accurate; (4) PII must be accessible for inspection and correction; and (5) PII must be securely stored. Companies that collect PII are fully accountable and responsible for the protection of the PII they collect. PIPEDA does not require data to be stored on servers physically located in Canada; however, regulations based on province and/or industry may require that data be stored within Canadian borders.
PIPEDA defines “personal information” very broadly. Section 2(1) states that personal information is “information about an identifiable individual.” Information “about” an individual includes any information that relates to or concerns the individual. Further, Canadian courts have concluded that information is “personal information” if there is a high likelihood that the individual’s identity could be revealed through the use of the information, either on its own or in combination with other information. Personal information under PIPEDA does not include information that is collected and used for the sole purpose of communicating with the individual.
Specific PIPEDA Requirements
PIPEDA requires businesses to deploy security measures that protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
In the event of a breach, PIPEDA requires businesses to report the breach to the Office of the Privacy Commissioner of Canada (“Commissioner”) and to notify impacted individuals as soon as possible. PIPEDA does permit an exception to the notice requirement when law enforcement or other legal prohibitions prevent the business from making the required notices.
Individual Provincial Regulations
PIPEDA will not apply if a business operates solely in a province with its own legislation, as long as that legislation has been classified as substantially similar to PIPEDA. Alberta, British Columbia, and Quebec have legislation that has been deemed substantially similar; therefore, businesses operating in any of those three provinces will be required to comply with provincial data regulations. Businesses that do not have operations in any of those three provinces must comply with PIPEDA. If the commercial activities result in personal information crossing borders, whether provincial or national, then PIPEDA will apply regardless.
Alberta & British Columbia
Data regulations in Alberta and British Columbia are known as the Personal Information Protection Act (“PIPA”). PIPA requires businesses to use reasonable mechanisms to protect personal information against risks including unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction. In the event of a breach, PIPA requires businesses to provide notice to the Commissioner of any breach without undue delay. PIPA grants the Commissioner the power to require a business to provide notice to an individual when there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure. Reasonableness under PIPA is what a reasonable person would consider appropriate in the context of the situation.
Quebec
Data regulations in Quebec are known as the Act Respecting the Protection of Personal Information in the Private Sector (“QPA”). Personal information under the QPA is any information that relates to a natural person and allows that person to be identified. The QPA has notification requirements similar to those of PIPEDA and PIPA.
Liabilities and Legal Remedies
In the event of a data breach, businesses may be liable under PIPEDA and PIPA. PIPEDA requires that any complaints relating to a data breach be filed with the Commissioner. The Commissioner is then required to investigate and provide the parties with a report. The Commissioner’s report is not binding on the business or the complainant, and only in select situations may the complainant bring a claim against the business in the Federal Court of Canada. The Commissioner cannot order a business to comply and has no power to award damages or fines in relation to a complaint submitted by an individual. The Commissioner can, however, fine a business for failure to comply with the notice requirements. Individuals can sue a business only after the Commissioner has issued its report against the business. If an individual is successful in bringing a claim against a business, the courts may award damages and require the business to correct its security practices so that they comply with PIPEDA.