As we are entering into autumn, most people are traveling the world again. Some prefer a few quiet weeks at the beach, while others are seeking adventures climbing mountains and jumping off cliffs. Nerds like me however, like to discover the curiously wild landscape of Canada’s data protection laws. It keeps us lawyers constantly on our feet due to the many exciting changes, planned bills and innovations popping up left, right and center. Intrigued? Then buckle up. You are in for a ride!
Overview
When talking about Canadian data protection law, there are several aspects to keep in mind. We are navigating through a complex symbiosis of acts, regulations, directives and bills. At first glance, it might seem wild and demanding like the great Canadian outdoors themselves. But there is a method to the madness – I promise!
First things first: certain laws only apply to public bodies, while others deal with the private sector. Please note that today we will only be focusing on the latter. Then there are federal and provincial statutes governing the general application of data protection. In addition to that we have a series of sector-specific rules. Those include e.g. personal health information or monitoring employees. Also very important are related laws like anti-spam and other consumer protection regulations, which need to be considered at all times as well.
Last, but not least, there is a large and constantly growing list of court decisions and guidance like the ones by the OPC (Office of the Privacy Commissioner of Canada) in place to help us navigate and implement it all in real life.
To put it in a nutshell, these are the most important privacy statutes everybody needs to know when doing business in Canada:
PIPEDA
PIPEDA is the primary federal privacy law dealing with the processing of personal information by private sector organizations. So, pretty much any company conducting business involving personal information of Canadians must comply with it. PIPEDA has been grandfathered over time and went through several adaptations along the way.
Some provinces, however, came up with their very own privacy laws. Deemed substantially similar to PIPEDA the respective provincial law then generally applies instead of PIPEDA. However, exceptions to this rule do exist of course. So, at the end of the day, a careful case-by-case evaluation is always necessary to make sure all legal requirements are met.
Fun fact: Unlike the GDPR, PIPEDA does not define what constitutes ‘sensitive personal information’. It could literally be anything depending on the context of each case. However, it is safe to say that financial information is pretty much always considered to be sensitive.
Quebec: where the Stakes are high
Outdoorsy as so many Canadians are, they, of course, have a dog, too. The scruffier the better. Supposedly, the furry friends and their owners tend to look alike, especially, over time. I think it is safe to say, that the same goes for provinces and their privacy laws! The francophone Québec for example, is truly special in so many ways. It is not just the only province that is bilingual with the largest French-speaking population in all of northern America, but it is also one of a kind when it comes to its detailed privacy framework; making the area more versatile and exciting, not only when it comes to data protection!
Québec is extremely popular for all kinds of winter sports due to its picturesque mountain range, wildlife and breathtaking forests. Just like the great Mont D’Iberville (a.k.a. Quebec’s highest mountain), the requirements of this Province’s Private Secor Act are peaking just as well. What do I mean by that? Well, so far Quebec has the strictest data protection laws in all of northern America. In many ways it seems to resemble the European GDPR, but don’t be fooled in believing it’s the same. It has its fair share of differences and particularities!
One of the most important areas in this context are data transfers. They can be a touchy topic to say the least. Before disclosing personal data outside of the province’s borders, a company must conduct a rather detailed privacy impact assessment, taking the following points into account:
- the degree of sensitivity regarding the personal data at hand,
- the purpose for which the data is supposed to be processed,
- the safeguards that are in place, including contractual measures and
- the legal framework applicable in the state /country where the data is transferred to, including an assessment of adequacy compared to Quebec’s framework.
Only if the assessment then concludes that the process at hand would in fact provide an adequate level of protection, the data transfer may take place. While consent is not needed to disclose personal data across borders, the data subject still has to be informed in advance that their information is or at least may be transferred outside of the province of Quebec.
Additionally, it is possible that more than only one privacy law applies to a single process. One part of an activity, may be subject to a provincial privacy law, while another part, may be subject to PIPEDA. When more than one law applies, all of them must be complied with.
Very important to know: there is no such thing as an ‚adequacy decision‘ as the GDPR provides, making things so much more demanding on the other side of the pond.
‚Ok, but why is Quebec so important, though? Can’t we just circumvent them with their strict rules?‘, you might wonder. Well, we have to keep in mind that in terms of area, Quebec is the largest of all Canadian provinces and the second most densely populated one. But more importantly, a great number of businesses are located there as well. The biggest sectors currently include: aerospace, information technology, software and multimedia, making it an important business partner not only for the USA, but also for an array of European and even Asian companies.
Future Endeavors
Just like forest mushrooms in fall, new laws and regulations are popping up left right and center, aiming to modernize Canada’s legal landscape once more. Currently, not a day goes by without another article about the European AI Act. This is of course an omnipresent topic. Also, Canadian lawmakers are concerned about artificial intelligence. Canada’s very own ‚AI Act‘, called AIDA, is also on its way. It is part of the so called ‚Bill C-27‘, which has been introduced in the House of Commons. It consists of three parts, each one enacting a new Act: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA).
As it is so often the case, it is highly unclear when this new Bill will actually come into effect. At its current stage it is still under consideration in the Canadian Parliament and needs to be voted out of committee. There is some doubt whether this will happen any time soon, to say the least. Many have even called for AIDA to be overhauled completely! So, currently there is no regulatory framework in Canada concerning AI in general. There are however, a few regulations in health and finance, which govern specific uses of AI.
In addition to that, several AI laws on a provincial level, are also in the works and could potentially be implemented shortly. In any case, I am excited to see what’s next. But one thing is for sure: we will keep you updated!
Outlook
So, when embarking on an adventurous trip across Canada’s exciting, albeit sometimes steep and rough data protection trails, please be prepared. At first glance their privacy laws might seem like they mirror our all too familiar GDPR perfectly. But as always, the devil is in the details. Case-by-case evaluations by legal experts are necessary when assessing compliance in privacy matters across the pond.
What about you? Do let us know what you think about all of these new laws – necessary or nonsense?