A Primer on Canadian Privacy Law for American Organizations
Date: May 10, 2018
Looking to understand the Canadian privacy legislative landscape? In this video, Dan Michaluk discusses the governing statutes, the concept of consent, and mandatory breach notification.
Hi. I’m Dan Michaluk, Chair of Hicks Morley’s data security and privacy practice group. Thanks for watching this short video on the basics of Canadian privacy law. My plan is to answer four questions that will give you a basic sense of the legislative landscape.
What privacy legislation applies to our clients?
We have coast-to-coast commercial privacy legislation. That legislation however, is embedded in four different statutes.
The federal government has enacted the Personal Information Protection and Electronic Documents Act. This act applies in all provinces except those that have not passed their own privacy legislation. PIPEDA, as we call it, is enforced by the federal Privacy Commissioner. Then, British Columbia, Alberta and Quebec have each passed their own privacy statutes. If you do business in any of these provinces, you’ll need to comply with local provincial law.
What does commercial privacy regulation do?
Fortunately, all four Canadian commercial privacy statutes are similar in principle. In fact, they are all governed by the Fair Information Practice Principles that have been endorsed by the Federal Trade Commission in the United States.
Consent is certainly the key concept that governs the processing of customer personal information, but there is also an overarching reasonableness requirement in all Canadian privacy statutes. This gives our Canadian privacy commissioners a fairly broad power to look into what you are doing with personal information and make findings about whether or not it is reasonable.
Do you have mandatory breach notification in the commercial sector?
So far only Alberta has mandatory breach notification. It applies if you’ve lost personal information or if there has been unauthorized access to or disclosure of personal information AND if there has been a “real risk of significant harm.” If you hit that standard for “harm”, you are to notify the Alberta Commissioner, who will in turn order you to notify affected individuals in certain cases. In practice, the notification to the Commissioner is often done at around the same time as notification to individuals, or even shortly after notifying affected individuals. In other words, the potential obligation to notify the Commissioner is enough impetus for many organizations to notify affected individuals voluntarily.
PIPEDA, importantly, has been amended to incorporate mandatory breach notification but, today at least, that amendment is not yet in force. When it comes into force, notice will be required to be given to the Federal Commissioner and to affected individuals based on the same standard that now applies in Alberta: real risk of significant harm. PIPEDA will also require third parties to be notified when such notification could mitigate the risk of harm. That’s different than in Alberta today, and will soon become a regular part of Canadian incident response practice.
What about employees?
Most private-sector employers in Canada are provincially regulated, and we only have employee privacy legislation for those employers in BC, Alberta and Quebec. Federally regulated employers – interprovincial transportation companies for example – are subject to PIPEDA.
Well I hope that overview of the landscape here in Canada has been helpful. We invite you to ask questions any time and welcome the opportunity to help. Thank you.