
Legal Guide

Currently, Alberta, British Columbia and Quebec are the only provinces in Canada that have enacted general private sector privacy legislation that is “substantially similar” to PIPEDA. Most provinces have enacted legislation to regulate personal health information, although only the personal health information protection legislation of Ontario, New Brunswick and Newfoundland and Labrador has been declared substantially similar.

Alberta and British Columbia

The privacy principles of PIPEDA are reflected in both the British Columbia Personal Information Protection Act (“British Columbia PIPA”) and the Alberta Personal Information Protection Act (“Alberta PIPA”), but there are some notable differences.

In both the British Columbia PIPA and the Alberta PIPA, a “grandfathering” provision permits organizations that collected information prior to January 1, 2004, to continue to use or disclose the information without obtaining new consent, provided that the use or disclosure is consistent with the original purpose for which the personal information was collected.

Both the Alberta PIPA and British Columbia PIPA differ from PIPEDA in that they include a business transaction exception to the need for consent. The parties to a business transaction, such as a purchase, sale, lease, merger or amalgamation, may collect, use and disclose personal information about certain stakeholders without their consent, when the parties involved require the information in their decision to purchase or sell a business. However, if the transaction is not completed, the information must be returned or destroyed. If it is completed, the person to whom the personal information relates must be given notice that their personal information was disclosed pursuant to the British Columbia PIPA. In Alberta, the parties do not have to provide this notice and may continue to use the personal information without consent as long as the parties to the transaction have entered into an agreement under which they undertake to use and disclose the information only for the purposes for which the information was initially collected from or in respect of the individuals and the information relates solely to the carrying on of the business or activity or the carrying out of activities for which the business transaction took place.

Another important exemption pertains to employee personal information, which may be collected, used or disclosed without the employee’s consent, provided that the personal information is necessary for establishing, managing or terminating the employment relationship. An employee must, however, be given reasonable advance notice that his or her personal information will be collected, used or disclosed if the employee is a current employee of the organization.


Quebec’s private sector privacy law, An Act Respecting the Protection of Personal Information in the Private Sector (“Quebec Act”) predates PIPEDA and reflects Quebec's unique legal and cultural heritage. The Quebec Act governs the Quebec private sector’s collection, use and disclosure of personal information, and provides individuals with the right to access such information. There is still debate as to whether provisions of PIPEDA that exceed the scope of the Quebec Act will apply in Quebec (for example, the collection of information outside the Province of Quebec by a Quebec-based entity).

Breach notification

Outside of the personal health information context, currently Alberta is the only jurisdiction in which there is mandatory data breach reporting to an oversight authority (the Information and Privacy Commissioner of Alberta).

A report must be made, without unreasonable delay, of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure. The Alberta Commissioner may then order individual breach notification containing prescribed information. There are potential fines of up to CA$100,000 for failure by a corporation to provide such a notice to the Alberta Commissioner.

Even though Alberta is currently the only province with mandatory private sector data breach reporting, organizations will frequently make voluntary reports and notification to individuals in order to manage and limit exposure and assist individuals in mitigating harm. Even if an organization is not under a mandatory notification obligation, an individual who learns of the breach may make a complaint regarding the safeguards of the organization and the organization’s transparency with respect to its practices.

Oversight and enforcement

The Federal data protection regulator (the Office of the Privacy Commissioner of Canada (OPC)) may investigate a formal complaint under PIPEDA, or initiate a Commissioner-led investigation. The OPC may then issue a report of the findings of the investigation, which may include recommendations for compliance. The findings may be made public by the OPC. Under PIPEDA, a complainant may appeal to Federal Court. The Federal Court has authority to make orders, including orders to correct an organization’s practices and award damages to the complainant for any “humiliation that the complainant has suffered.”

Regulatory oversight is similar under the BC PIPA, Alberta PIPA and the Quebec Act. However, in these provinces there are circumstances where organizations can be subject to fines for non-compliance with obligations in their respective legislation (e.g., see above Alberta PIPA fines for failure to provide notice to the Alberta Commissioner of a specified breach).

Future privacy law developments

In 2013, Manitoba passed its own private sector privacy legislation. This statute is not yet in force and contains a number of legislative gaps that will require regulations before the legislation could come into force. The timing of when the legislation might come into force and whether it would be declared substantially similar to PIPEDA is uncertain.

Also in 2013, the Alberta PIPA was declared unconstitutional. The Supreme Court of Canada concluded that it constituted an unjustified infringement on the collection, use and disclosure of personal information in the context of union picketing. The declaration of invalidity was suspended for 12 months to permit the Alberta Legislature to amend Alberta PIPA.

The Government of Canada has also proposed a number of amendments to PIPEDA in Bill S-4, which was still before Parliament as of the date of this writing. Bill S-4 introduces mandatory breach reporting obligations under PIPEDA and would require organizations to maintain records of any breaches. Among other amendments, Bill S-4 would also introduce additional powers for the Privacy Commissioner of Canada to enter into enforceable compliance agreements with organizations. These compliance agreements may include any terms that the Commissioner considers necessary to ensure compliance with PIPEDA. If the organization does not fulfill the terms of the compliance agreement to the satisfaction of the Commissioner, the Commissioner may seek a mandatory order from the Federal Court to require compliance with the agreement.

Anti-spam and telemarketing rules

On July 1, 2014, most of Canada’s Anti-Spam Legislation (CASL) came into force. CASL governs the sending of commercial electronic messages and the installation of computer programs. The law applies to business-to-business communications as well as business-to-consumer communications.

Global organizations may already be aware of and compliant with the US Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM). However, CASL differs in important respects. These differences are important in designing a compliance program.

  • Opt-in is the default: The default in CASL is express consent for commercial electronic messages and the installation of computer programs.
  • Applies to more than just email: CASL applies to all forms of electronic messaging, including email, instant messages, and messages over social media platforms.
  • Broader range of messages: The definition of what constitutes a commercial electronic message is very broad. CAN-SPAM’s exceptions for transactional or relational messages were not replicated in CASL. There is no “primary purpose” rule in CASL.
  • Unsubscribe functions: CASL contains similar (but not identical) rules for unsubscribe functions. One difference is that an unsubscribe feature may need to be included even where consent may be implied or not required for certain types of transactional or relational message.
  • Higher penalties: The administrative monetary penalties for an organization violating CASL are up to CA$10 million per violation.
  • Computer programs: CASL will also apply to the installation of computer programs.

CASL has extraterritorial effect. If an organization sends email, text messages, or direct messages over social media to electronic addresses in Canada or from Canada to anywhere in the world, CASL applies to the organization.

CASL’s provisions for a private right of action will be delayed for three additional years and come into force on July 1, 2017. CASL’s provisions requiring consent to the installation of computer programs will come into force on January 15, 2014.

Although there are a number of enforcement options for the principal regulator, the Canadian Radio-television Telecommunications Commission (CRTC), CASL does contain provisions allowing for administrative monetary penalties against organizations of up to CA$10 million per non-compliance that take effect immediately.

Canada also has rules relating to telemarketing. The Unsolicited Telecommunications Rules apply to all persons who make calls or send faxes to sell or promote a product or service and consist of: the Telemarketing Rules; the National Do-Not-Call List Rules; and the Automatic Dialing and Announcing Device Rules.

All telemarketers are required to register with the CRTC. A “telemarketer” is a person that conducts telemarketing either on its own behalf or on behalf of one or more other persons. “Telemarketing” means the use of telecommunications facilities to make unsolicited telecommunications for the purpose of solicitation.

There are two types of telemarketers: (i) regular and (ii) exempt. A regular telemarketer uses telecommunication technologies to make telemarketing calls or send faxes to consumers for the purpose of selling or promoting a product or service. A consumer is a person who uses the telecommunications line primarily for personal or household purposes. Regular telemarketers must subscribe to and screen telephone numbers against the National Do-Not-Call List and maintain an internal do not call list. Exempt telemarketers are companies who (a) only make telemarketing calls and send faxes to businesses, or (b) make telemarketing calls or send faxes only to consumers with whom they have an existing business relationship. Exempt telemarketers only need to maintain an internal do not call list.

The CRTC has also created rules related to equipment that store and dial telephone numbers automatically.

These devices may be used alone or with other devices to deliver a pre-recorded or synthesized voice message to the telephone number called. These are known as Automatic Dialing-Announcing Devices (ADAD) and their use is subject to the ADAD Rules. The ADAD Rules apply whether or not the telemarketing telecommunication is exempt from the National Do-Not-Call List Rules. ADADs may not be used for telemarketing unless the consumer has given express consent to accept an ADAD telemarketing call. ADADs are permitted for calls when there is no attempt to sell, such as calls made for public service reasons, including calls made for emergency and administration purposes by police and fire departments, schools, hospitals, or for calls to schedule appointments. ADADs must contain prescribed information.

Sequential dialing for the purpose of making a telemarketing telecommunication is prohibited. Predictive dialing using technology that automatically initiates outgoing telecommunications from a pre-determined list of telecommunications numbers to initiate telemarketing telecommunications is permitted provided that the use of predictive dialing (a) does not exceed, in any calendar month, a five percent abandonment rate and (b) the telemarketer maintains records, on a calendar month basis, with respect to the actual telemarketing telecommunication abandonment rates for a period of three years from the date each monthly record is created.

An abandoned call is defined as a telecommunication that, when answered by the consumer, has no live telemarketer available to speak to the consumer within two seconds.

The CRTC’s enforcement process for violations of the Unsolicited Telecommunications Rules includes the authority to issue warnings and citations, conduct inspections and issue notices of violation. The CRTC may also impose administrative monetary penalties of up to CA$15,000 for each violation by a corporation and for each day that the violation is continued.

If found guilty of an offense punishable on summary conviction, a person that contravenes any prohibition or requirement of the CRTC related to the Unsolicited Telecommunications Rules, may be liable, in the case of a corporation, to a fine not exceeding CA$100,000 for a first offense or CA$250,000 for a subsequent offense.
