Due to the constitutional division of powers in Canada, privacy legislation differs by jurisdiction. At the federal level, the government is constrained to regulate privacy only in situations where there are commercial activities. This has resulted in several provinces filling the gaps. So far, British Columbia, Alberta, and Quebec have passed their own privacy sector laws.
The four laws currently enacted are:
- The Personal Information Protection and Electronic Documents Act (PIPEDA) – the federal law;
- The Personal Information Protection Act (PIPA) – the British Columbia law;
- The Personal Information Protection Act (PIPA) – the Alberta law;
- The Act respecting the protection of personal information in the private sector – the Quebec law
The idea is that these laws are supposed to be substantially similar to one another, making the question of compliance a bit easier to operationalize. That being said, there are some notable differences between each law.
They are similar in that they each encompass the ten privacy principles first enunciated by the Canadian Standards Association in the mid-1990s. The ten principles are 1. Accountability; 2. Identifying Purposes; 3. Consent; 4. Limiting Collection; 5. Limiting Use, Disclosure, and Retention; 6. Accuracy; 7. Safeguards; 8. Openness; 9. Individual Access; and, 10. Challenging Compliance.
Another way to think about these laws is that they are generally seen as creating three broad obligations (in addition to or as part of complying with the ten principles). The three broad obligations are:
- To act in a manner that the reasonable person would consider is appropriate in the circumstance;
- To obtain consent (or fit within one of the prescribed exceptions to the need for consent);
- To provide access.
The laws in Canada are considered first-generation laws, and there is significant momentum to modernize them much the way the Europeans did back in 2018 with the passage of the GDPR. To this end, it seems likely that Quebec will have a new modern law sometime in 2021. The federal government also introduced a new law, and it is currently before Parliament. Also getting into the game is Ontario, which has indicated that it too is quite interested in passing its own private-sector privacy law.
Notably, these new laws create stronger enforcement mechanisms, including the possibility of severe monetary penalties – something that is not present in the current landscape.