This report updates a report from 2012.

The Digital Privacy Act, which received Royal Assent in June 2015, brought a number of changes to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy law applicable to the private sector. PIPEDA was amended to specify what constitutes valid consent for the collection, use, or disclosure of personal information. Moreover, the scope of application of the Act was changed in a number of ways by introducing several new definitions and exemptions that allow personal information to be collected, used, or disclosed without consent, such as for business transactions. The Digital Privacy Act also amended PIPEDA to introduce mandatory data breach notification requirements. In addition, the Act included a number of provisions that enhance the powers of the Privacy Commissioner, including a new provision that allows the Privacy Commissioner to enter into compliance agreements aimed at ensuring that organizations comply with PIPEDA.

I. Recent Reforms and Amendments to Canada’s Privacy Laws

Canada has a number of laws at the federal and provincial levels that relate to the protection of personal information. The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law applicable to the private sector.[1] Section 29 of PIPEDA requires Parliament to review Part 1 of the Act, which deals with data protection, every five years.[2] In May 2010, the Government introduced Bill C-29,[3] which contained a number of amendments to the Act “flowing from the first PIPEDA review.”[4] This legislation died on the order paper, but was reintroduced in September 2011 as Bill C-12.[5] This Bill also was not passed.

The federal government’s most recent, and ultimately successful, attempt to amend PIPEDA was by way of Bill S-4. This measure incorporated a number of provisions from Bill C-12 and included recommendations made by witnesses during the 2012 privacy and social media study conducted by the House of Commons Standing Committee on Access to Information, Privacy and Ethics, and a position paper by the Office of the Privacy Commissioner entitled The Case for Reforming the Personal Information Protection and Electronic Documents Act.[6]

Bill S-4 was passed as the Digital Privacy Act[7] and received Royal Assent in June 2015.[8] The Act made a number of significant amendments to PIPEDA.[9]

II. Changes Made by the Digital Privacy Act

A.  Consent Requirements

The Digital Privacy Act amended PIPEDA to specify what constitutes valid consent for the collection, use, or disclosure of personal information by adding the following section:

Valid consent

6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.[10]

Industry Canada, under the Harper Government, explained the purpose of the inclusion of this new consent requirement as follows: “The new measures also establish stronger rules to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences when companies ask to collect and use their personal information. Companies will need to communicate these requests in clear and simple language for the target audience.”[11]

According to lawyer Bradley J. Freedman,

[t]he “valid consent” requirement is an extension of the fundamental principle of “meaningful” consent, which requires that consent be reasonably informed. Organizations should critically assess and adjust their privacy explanations (e.g. privacy policies, notifications and reminders) to adequately and accurately explain, in ways that members of the organization’s target market can reasonably be expected to understand, the nature, purpose and consequences of the organization’s collection, use and disclosure of personal information.[12]

B.  Scope of Application

1.  Business Contact Information

Prior to the amending legislation, PIPEDA had “excluded an employee’s ‘name, title or business address or telephone number’ from the definition of ‘personal information.’ ”[13] According to the Office of the Privacy Commissioner of Canada, the Digital Privacy Act (DPA) introduces changes to make clear that “PIPEDA does not apply in respect of business contact information.” The DPA replaces the definition of “personal information” in section 2(1) of PIPEDA to mean “information about an identifiable individual.”[14] Moreover, a separate definition of the term “business contact information” is added to section 2(1) of PIPEDA, as follows:

“business contact information” means any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address.[15]

In addition, section 4 of the DPA “uses this newly defined term in a specific ‘business contact’ exemption provision,” which excludes from PIPEDA the use of business contact information “for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession.”[16]

2.  Business Transaction Exemption

The Act also created a number of new exemptions under which “personal information can be collected, used or disclosed without consent.”[17] One of the aims of the amending legislation is to “permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions.”[18] This can only be done provided that certain conditions are met. PIPEDA was amended to add the following definition of a “business transaction,” which includes

(a) the purchase, sale or other acquisition or disposition of an organization or a part of an organization, or any of its assets;
(b) the merger or amalgamation of two or more organizations;
(c) the making of a loan or provision of other financing to an organization or a part of an organization;
(d) the creating of a charge on, or the taking of a security interest in or a security on, any assets or securities of an organization;
(e) the lease or licensing of any of an organization’s assets; and
(f) any other prescribed arrangement between two or more organizations to conduct a business activity.[19]

The Digital Privacy Act also adds section 7.2 to PIPEDA, which permits the use and disclosure of personal information without consent in connection with prospective and completed business transactions.[20] The Office of the Privacy Commissioner of Canada has described the scope of this exemption as follows:

  • Organizations that are parties to a prospective business transaction can only use and disclose the personal information if it is necessary to decide whether to proceed with or complete the transaction. In addition, the organization receiving personal information must enter into an agreement to use or disclose the information for the sole purpose of the transaction, to protect it, and to return or destroy the information if the transaction does not proceed.
  • If the transaction is completed, the parties have to enter into an agreement to limit the use or disclosure of the information to the purposes for which it was collected, to protect it, and give effect to any withdrawals of consent. In addition, the information must be necessary for carrying on the activity that was the object of the transaction and individuals must be notified their personal information has been transferred to a new owner.
  • These provisions do not apply to a business transaction which primarily involves the sale or lease of personal information.[21]

C.  Other Exceptions

The Digital Privacy Act also allows organizations to disclose personal information without consent to another organization when the disclosure is for reasonable purposes of “investigating a breach of an agreement or contravention of a law that has been, is being or is about to be committed” or “detecting or suppressing fraud or . . . preventing fraud that is likely to be committed.”[22] The Act also allows for “the collection, use and disclosure of personal information in witness statements without consent where ‘necessary to assess, process, or settle an insurance claim.’ ”[23] Disclosures without consent are also allowed “to a government institution, individual’s next of kin, or authorized representative . . . if necessary to identify an individual who is injured, ill or deceased.”[24] Moreover, organizations such as banks now have “the authority to disclose personal information without consent to a government institution or an individual’s next of kin or authorized representative when they have reasonable grounds to believe the individual ‘has been, is or may be the victim of financial abuse.’ ”[25]

D.  Data Breach Notification

The Digital Privacy Act amends PIPEDA to introduce mandatory data breach notification requirements. Section 10.1 of PIPEDA requires an organization to report to the Commissioner and to notify affected individuals if it is reasonable in the circumstances to believe that a breach of security safeguards creates a real risk of significant harm to an individual.[26] PIPEDA provides a definition of “significant harm,” which includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”[27] PIPEDA also sets out factors to be used in determining whether a breach poses a “real risk,” including the sensitivity of the personal information involved in the breach, the probability that the personal information has been, is being, or will be misused, and any other prescribed factor.[28]

As of this writing, these provisions are not yet in force because the necessary regulations have not been made. In early September 2017, draft Breach of Security Safeguards Regulations were published in the Canada Gazette for a thirty-day public comment period.[29]

E.  Enhanced Powers of the Commissioner

The Digital Privacy Act also includes a number of provisions that enhance the powers of the Privacy Commissioner. The Office of the Privacy Commissioner of Canada outlines some of these changes as follows:

Compliance Agreements

  • A new provision allows the Privacy Commissioner to enter into compliance agreements aimed at ensuring organizations comply with PIPEDA where the Commissioner believes on reasonable grounds that an organization has committed, is about to commit or is likely to commit an act or omission that could constitute a contravention of PIPEDA or a failure to follow a recommendation in Schedule I to the Act.
  • Under a compliance agreement, an organization agrees to take certain actions to bring itself into compliance with PIPEDA. Entering into a compliance agreement would preclude the Privacy Commissioner from commencing or continuing a court application under PIPEDA in respect of any matter covered by the agreement.
  • However, if an organization ultimately fails to live up to commitments in an agreement, the OPC could, after notifying the organization, either apply to the court for an order requiring the organization to comply with the terms of the agreement, or commence or reinstate court proceedings under PIPEDA as appropriate.[30]

Public Interest Disclosures

  • PIPEDA’s confidentiality provisions continue to apply, but the scope of what can be disclosed in the public interest has been broadened. The Commissioner may now make public any information that comes to his knowledge in the performance or exercise of his duties or powers under the Act if he deems that doing so is in the public interest. Previously, this discretion applied only to information “relating to the personal information management practices of an organization.”[31]

Prepared by Tariq Ahmad
Legal Research Specialist
December 2017


[1] Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, http://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html, archived at https://perma.cc/474H-3BTQ.

[3] Bill C-29, Third Session, Fortieth Parliament, 59 Elizabeth II, 2010, http://www.parl.ca/DocumentViewer/en/40-3/bill/C-29/first-reading, archived at https://perma.cc/ZW54-WFXP.

[4] PIPEDA Review, supra note 2.

[5] Bill C-12 First Session, Forty-first Parliament, 60 Elizabeth II, 2011, http://www.parl.ca/DocumentViewer/en/41-1/bill/C-12/first-reading, archived at https://perma.cc/62YS-R332.

[6] Dara Lithwick, Legal and Social Affairs Division, Parliamentary Information & Research Service, Legislative Summary of Bill S-4: An Act to Amend the Personal Information Protection and Electronic Documents Act and to Make a Consequential Amendment to Another Act (June 11, 2014), https://lop.parl.ca/Content/LOP/Legislative Summaries/41/2/s4-e.pdf, archived at https://perma.cc/V59E-E23C.

[9] Id.

[10] Digital Privacy Act (adding § 6.1 to PIPEDA).

[11] Harper Government Introduces New Law to Protect the Personal Information of Canadians Online, Government of Canada (Apr. 8, 2014), https://www.canada.ca/en/news/archive/2014/04/harper-government-introduces-new-law-protect-personal-information-canadians-online.html, archived at https://perma.cc/547A-973N.

[12] Bradley J. Freedman, Borden Ladner Gervais LLP, Digital Privacy Act – New Requirement for Valid Consent to Use Personal Information, Lexology (June 25, 2015), https://www.lexology.com/library/detail.aspx?g=fd17bab4-03da-4647-8a3c-2a5d96bbb2f5, archived at https://perma.cc/5EHV-D6B3.

[13] Dan Cooper, Highlights of the Canada Digital Privacy Act 2015, Inside Privacy (Covington & Burling LLP, June 24, 2015), https://www.insideprivacy.com/international/canada/highlights-of-the-canada-digital-privacy-act-2015/, archived at https://perma.cc/FR8L-K5N4.

[14] Digital Privacy Act § 2(1) (replacing the definition of “personal information” in subsec. 2(1) of PIPEDA).

[15] Id. § 2(3) (adding definition of “business contact information” in subsec. 2(1) of PIPEDA).

[16] Cooper, supra note 13.

[17] The Digital Privacy Act and PIPEDA, supra note 8.

[18] Digital Privacy Act, summary.

[19] Id. § 2(3) (adding definition of “business transaction” in subsec. 2(1) of PIPEDA).

[20] Digital Privacy Act § 7 (adding § 7.2 to PIPEDA, before § 8).

[21] The Digital Privacy Act and PIPEDA, supra note 8.

[22] Id.

[23] Id.

[24] Id.

[25] Id.

[26] Digital Privacy Act § 10 (adding § 10.1 to PIPEDA).

[27] Id.

[28] Karl Schober & Timothy M. Banks, Dentons, Data Security and Breach Notification in Canada, Lexology (Apr. 4, 2017), https://www.lexology.com/library/detail.aspx?g=a7378410-72cb-4d48-9f3f-4e4d1e748d7e, archived at https://perma.cc/MKH6-EWKT; Alex Cameron, Fasken Martineau DuMoulin LLP, Digital Privacy Act: Mandatory Breach Notification and Other Important Changes to Canadian Privacy Law, Lexology (June 24, 2015), https://www.lexology.com/library/detail.aspx?g=8129199e-9c0e-4837-ad15-233db6bcf442, archived at https://perma.cc/MVF2-DADV.

[29] Department of Industry, Breach of Security Safeguards Regulations, Canada Gazette pt. I, vol. 151, no. 35 (Sept. 2, 2017), http://www.gazette.gc.ca/rp-pr/p1/2017/2017-09-02/html/reg1-eng.php, archived at https://perma.cc/H2L6-ADZE.

[30] The Digital Privacy Act and PIPEDA, supra note 8.

[31] Id.


Last Updated: 04/05/2018