November 25, 2022
What is Canadian Data Privacy Law?
Oh, Canada! While some countries are happy with just one or two data privacy laws, Canada has two major ones at the national level, with one more in consideration…plus nearly ten provincial laws that sometimes supersede their national counterparts. The sheer number of laws, plus the complex ways in which they interact, mean that compliance in Canada can be a significant challenge for businesses of all sizes. This article covers the major data privacy laws in Canada and the basics you need to know to get started with regulatory compliance.
What is Considered Personal Information in Canada?
Different data laws define personal information differently, which can make compliance challenging. While Canada’s two major privacy laws—The Privacy Act, and The Personal Information Protection and Electronic Documents Act (PIPEDA)—differ somewhat in the specific definition, the Canadian government generally defines personal information as the following:
“Personal information is data about an ‘identifiable individual.’ It is information that on its own or combined with other pieces of data, can identify you as an individual.”
This may include information about:
- race, national, or ethnic origin
- marital status
- medical history
- education or employment history,
- financial information
- identifying numbers such as social insurance numbers or driver’s licenses
- views or opinions about an employee
Information that can’t be tied to a specific individual is not personal information in Canada. Examples of information that isn’t personal information include nonspecific information like Zip Codes that could apply to any number of people, anonymized information, information required for business communication, and information about public servants such as name, position, or title.
Compared to other countries’ laws, Canada’s national laws are both more and less specific than other approaches. Compared to many recent laws, there are fewer specifically listed types of personal information. However, because information that can “be used to identify individuals” is personal information, the law ultimately casts a very broad net over what counts as personal data.
Current Privacy Laws in Canada
The Privacy Act
The Privacy Act is different from many data privacy laws in that it limits the government’s instead of private businesses’ use of data. It grants Canadians the right to access and correct personal information held by the government. It also regulates how the government can use or disclose data to provide services, including tax collection and refunds, border security, employment insurance, old age security pensions, federal policing, and public safety.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act, or PIPEDA for short, regulates personal data use by private enterprises and the personal information of employees in the banking, airline, telecommunication, and other federally regulated businesses. It also applies to private companies in the following provinces:
- New Brunswick
- Newfoundland and Labrador
- Northwest Territories
- Nova Scotia
- Prince Edward Island
Note that PIPEDA also applies when data crosses provincial or national borders, regardless of the specific provinces involved. Businesses subject to the provisions of the law must adhere to the ten fair information principles outlined in the legislation:
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Individual Access
- Challenging Compliance
Provincial Data Laws
Many provinces have personal data laws that supersede PIPEDA. Alberta’s Personal Information Protection Act (PIPA), British Columbia’s Personal Information Protection Act, and Quebec’s Act Respecting the Protection of Personal Information in the Private Sector all fall into this category and have restrictions that differ from those at the national level.
Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia also have health privacy laws that have data privacy-like restrictions in them, similar to HIPAA in the United States. Furthermore, Alberta and British Columbia also have laws that control how businesses use employee information.
Consequently, data privacy compliance in Canada can be quite complex. Data generated in one province that crosses provincial borders is stored in a different province and is processed in a third could be subject to four different data privacy laws without crossing international borders. And that’s without considering the additional complexity of dealing with employment or health-related data.
What Changes with the Consumer Privacy Protection Act
One of the lingering issues with PIPEDA is that it talks about principles instead of specifically allowed and disallowed actions. Bill C-11, known as An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act, as well as the Digital Charter Implementation Act, 2020, or simply “CPPA,” was introduced in 2020 to better address data privacy in Canada.
While it goes by many names, it has a singular focus: strengthening data privacy rights. The CPPA would require positive consent, increase the requirements for disclosure on data collection and use, and how individuals can contact organizations with data-related concerns. It also expands the situations in which companies would be required to perform privacy audits and increases requirements around breach reporting.
Penalties would also increase under the legislation. Administrative violations can result in fines of 3 percent of an organization’s worldwide annual revenues, or 10 million Canadian dollars. For more severe offenses, such as a failure to report a breach, fines can reach 5 percent of worldwide revenue or 25 million Canadian dollars. At this time, the law has not yet been passed, though it remains a strong possibility that it will eventually become law.
How Mage Can Help Manage Privacy in Canada
Canada’s approach to data privacy is unusually complex and presents difficult challenges for companies that want to comply with the country’s myriad laws. It’s tempting to try and meet the requirements of all these laws for all data and thus keep the organization safe from legal action. Unfortunately, this approach often results in higher costs and business slowdowns.
Thankfully, there’s a better way. Mage’s approach to data is granular and flexible, allowing businesses to detect sensitive data, even in unorthodox places, to ensure that it can be handled properly. Static and dynamic data masking, combined with a powerful rules engine, database activity monitoring, and data subject access rights automation, allows companies to deal with data at scale in a nuanced manner. Mage’s powerful, flexible, and automated tools can help businesses grapple with the complexities of Canada’s data privacy laws while maintaining the efficiency they need to be effective. Contact us today to learn about what Mage can do for your business.