Law Library Stacks

Back to Online Privacy Law

*A 2017 updated version of this report is available

Canadian courts have relied on rights contained in the Canadian Charter of Rights and Freedoms to protect citizens against unreasonable invasions of privacy. Personal data protection is primarily regulated on the federal level by the Personal Information Protection and Electronic Documents Act (PIPEDA), but existing provincial-level statutes may take precedence over the federal law.

PIPEDA has adopted ten privacy principles, which include obligations as well as recommended practices. These principles regulate privacy issues in respect to consent, transparency, security measures, and data retention. Though there are no specific rules for regulating social networks, smartphone apps, and other online activities, PIPEDA applies to the online activities of companies such as Facebook and Google.

PIPEDA doesn’t offer any specific provisions on protecting the personal data of minors. However, new reform proposals are being considered to strengthen the law in this area.

Oversight and enforcement of PIPEDA is shared between the Privacy Commissioner of Canada and the Federal Court of Canada. The Privacy Commissioner has authority to (1) investigate complaints filed by individual citizens, (2) mediate privacy disputes, (3) audit personal information practices of organizations, (4) report on abuses or violations of PIPEDA, (5) seek remedies in Federal Court, and (6) publish research and promote public awareness on privacy issues. The Federal Court of Canada, on the other hand, can order organizations to comply with PIPEDA, publish notices or corrections, and award damages.

PIPEDA has predominantly attracted criticism from scholars and other commentators over its weak oversight and enforcement mechanisms. The general nature of the Act’s provisions has also been criticized. Public surveys prior to and after the passing of PIPEDA reveal that Canadians have consistently shown a high level of interest and concern over privacy issues.

Legal Framework

Canadian courts have interpreted various sections of the Canadian Charter of Rights and Freedoms,[1] including the right to life, liberty, and security,[2] and the protection against unreasonable search and seizure,[3] as protecting against unreasonable invasions of privacy. Moreover, the Supreme Court of Canada has recognized the essential role of privacy in a democratic state, stating that

society has come to realize that privacy is at the heart of liberty in a modern state. . . . Grounded in a man’s physical and moral autonomy, privacy is essential for the well- being of the individual. . . . The restraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state.[4]

On the federal level, Canada has two major pieces of data protection legislation. The Privacy Act 1980[5] was the first law adopted to regulate the collection, use, and disclosure of personal information by public or government bodies. However, as noted by the PRIVIREAL (Privacy in Research Ethics & Law) project, “rapid advances in information technology and the pressure to conform to European standards to facilitate cross-continental trade meant that new legislation was soon required.”[6]

The Personal Information Protection and Electronic Documents Act (PIPEDA)[7] regulates the private sector. PIPEDA provisions are general in nature, and are not limited to online-related activities. PIPEDA does not apply to “organizations” subject to the federal Privacy Act or that are regulated by the public sector at a provincial level, nor to non-profit organizations and charitable activities, unless they are of a “commercial” nature, as defined by PIPEDA (see section II, “Current Law”). Similarly, it does not cover employment data used for noncommercial purposes other than that relating to employees in the federally  regulated private sector.

The Act was passed by Parliament in 2000, but was implemented in three stages before it fully came into force on January 1, 2004. PIPEDA seeks to “support and promote electronic commerce by protecting personal information that is collected, used or disclosed”[8] in the course of commercial transactions in the private sector. According to an assistant professor of law, TinaPiper, “[t]he Act was promulgated as a result of the inadequacy of the [prior] privacy regime in Canada to protect personal information in the private sector.”[9] Another principal aim of the law was to bring Canada’s privacy legislation into conformity with the European Union’s directive on data protection, Council Directive 95/46/EC.[10] The Directive prohibits EU member states from trading personal data with countries that do not ensure an “adequate level”[11] of privacy protection, “protection equal to or greater than provided by the Directive.”[12] In 2002, the European Commission confirmed that “Canada is considered as providing an adequate level of protection for personal data transferred from the Community to recipients subject to the Personal Information Protection and Electronic Documents  Act”[13] in  accordance  with  Council Directive 95/46.

The provinces of British Columbia,[14] Alberta,[15] and Quebec[16] have their own privacy legislation regulating the private sector. Moreover, Alberta,[17] Saskatchewan,[18] Manitoba,[19]  Ontario,[20] and  New  Brunswick[21] have  private  sector  laws   relating   specifically   to health information.

Pursuant to section 26(2) of the Act, the federal cabinet has the power to grant organizations an exemption for activities covered by provincial privacy legislation: the Governor in Council can issue an order,

if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt[ing] the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province.

However, organizations or activities would only be exempted for transactions occurring within the province, and PIPEDA would still apply for interprovincial and cross-border activities.

Back to Top

Current Law

PIPEDA is divided into two parts. The first part regulates the collection, use, and disclosure of personal information in the private sector. The second part deals with electronic documents and evidence.

Under PIPEDA “‘personal information’ may not be collected, used or disclosed in the context of a ‘commercial activity’ without the consent of the individual to whom the information relates.” [22] The Act defines personal information as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization” commercial activity as “any particular transaction, act or conductor any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”; and organization as “a termthat includes persons, associations, partnerships and trade unions.” [23] According to the Industry Canada website, maintained by the Canadian Minister of Industry, “[t]he term ‘persons’ includes corporations as well as individuals.”[24]

Schedule 1 of the Personal Information Protection and Electronic Documents Act sets out a list of ten principles that organizations “must follow when collecting, using and disclosing personal information in the course of commercial activity.”[25] These principles were originally laid down in the Canadian Standards Association Model Code for the Protection of Personal Information.[26] The principles “contain both mandatory obligations that must be complied with as  well  as  recommended  practices  that  should  be  adopted.”[27] The  PIPEDA  principles,  as summarized in an Industry Canada FAQ, are as follows:

  • Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
  • Identifying Purposes: The purposes for which personal information is collected shall be  identified  by  the  organization  at  or  before  the  time  the  information is collected.
  • Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
  • Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
  • Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
  • Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
  • Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  • Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
  • Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  • Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.[28]

A. Consent

Principle 3 stipulates that “knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”[29] The organization must “make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.”[30] Consent must be obtained before or at the

time of collection, as well as when a new use of the personal information is identified.[31] Both the way in which an organization seeks consent and the form of the consent sought by the organization “may vary, depending on the circumstances and the type of information collected.”[32] If the information is considered sensitive, the organization should seek express consent from the individual;[33]“[i]mplied consent would generally be appropriate when the information is less sensitive.”[34] Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).[35]

Individuals can give consent in many ways. For example,

  • (a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
  • (b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
  • (c) consent may be given orally when information is collected over the telephone; or
  • (d) consent may be given at the time that individuals use a product or service.[36]

The Act also stipulates certain specific circumstances or exceptions in which a private sector organization may collect, use, or disclose personal information where knowledge or consent is not required.[37] According to section 5(3), “[a]n organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”

B. Transparency

Principle 8 requires organizations to be open about their management of personal information: “An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”[38] Organizations should be “open about their policies and practices”[39] and individuals should be “able to acquire information about an organization’s policies and practices without unreasonable effort.”[40] Moreover, the information must be made “available in a form that is  generally understandable”[41] and must include

  • (a) the name or title, and the address, of the person who is accountable for the organization’s policies and  practices  and  to  whom  complaints  or  inquiries  can be forwarded;
  • (b) the means of gaining access to personal information held by the organization;
  • (c) a description of the type of personal information held by the organization, including a general account of its use;
  • (d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and
  • (e) what personal  information  is  made available  to  related  organizations (e.g., subsidiaries).[42]

No particular method is prescribed for how an organization should make its policies and practices available. Instead, the principle stipulates that it can be “available in a variety of ways,” depending on the “nature of its business and other considerations.”[43] For example, principle 8 advises that “an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.”[44]

In addition, principle 2 requires that the “purpose for which personal information is collected” is identified by the organization “at or before the time the information is collected.”[45] The purpose has to be documented in order to comply with the above openness principle.[46] Moreover, “[w]hen personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use.”[47] The principle also requires that the identified purposes should be specified to the person from whom the personal information is being collected, either “orally or in writing.”[48]

C. Safeguards and Security Measures

Principle 7 requires that personal information must be “protected by security safeguards appropriate to the sensitivity of the information.”[49] The measures must protect against “loss or theft, as well as unauthorized access, disclosure, complying, use or modification” and “regardless of the format in which [the information] is held.”[50] Principle 7 states:

The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.[51]

The principle requires due care in the process of “disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information,”[52] and stipulates certain methods of protection, which should include

  • (a) physical  measures,  for  example,  locked  filing  cabinets  and  restricted  access to offices;
  • (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
  • (c) technological measures, for example, the use of passwords and encryption.[53]

Organizations are also required to “make their employees aware of the importance of maintaining the confidentiality of personal information.”[54]

D. Anonymity and Data Retention

The implementation of guidelines and procedures for retention of personal information appears to be a recommendation rather then a statutory requirement. According to principle 5,

[o]rganizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision  has been made.  An organization may be subject to legislative requirements with respect to retention periods.[55]

Furthermore, personal information “that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous.”[56] The only requirement appears to be that “[o]rganizations shall develop guidelines and implement procedures to govern the destruction of personal information.”[57]

E. Protection Related to Social Networking and Other Online Activities

Besides the general obligations and guidelines stipulated in Schedule 1 of PIPEDA, there do not appear to be specific regulations on data protection in respect to social networking, smartphone applications, or geographic data. However, according to a report by the current Privacy Commissioner, Jennifer Stoddart (more on the role of the Privacy Commission can be found in section III of this report), “PIPEDA would apply to the personal information handling practices of private sector organizations engaged in online tracking, profiling and targeting, and cloud computing.”[58] The Privacy Commissioner has been particularly critical of the role of social media websites. While testifying before a House of Commons committee, she stated, “I have become very concerned about the apparent disregard that some of these social media companies have shown for Canadian privacy laws.”[59] She also said, “We have very limited power in that regard, and I believe more respect would be shown to Canada’s laws if we did have that power.”[60]

In 2010, an investigation by the Office of the Privacy Commissioner found that Facebook violated Canadian privacy law, and this led to significant changes in the social networking company’s privacy policies. More recently, Stoddart has released additional findings of three complaint  investigations  involving  Facebook  and  stated  that  Facebook  “has  shown  greater awareness of users’ privacy rights.”[61] However, she affirms that the company “still needs to do a better job of considering privacy issues before rolling out new features.”[62]

Google has also faced investigations in respect to its former social networking feature Google Buzz and its Street View feature. The Privacy Commission found Google in breach of Canada’s privacy laws “after being made aware that Google Street View cars had been collecting payload data from unencrypted WiFi networks during their collection of publicly broadcast WiFi signals.”[63] Google was also chastised by the Privacy Commissioner when it automatically integrated its Google Buzz feature with its email service. According to a letter cosponsored by the Privacy Commissioner, concern was raised that the personal information of Google’s email users “was being disclosed.”[64] According to the letter, “Google automatically assigned users a network of ‘followers’ from among people with whom they corresponded most often on Gmail, without adequately informing Gmail users about how this new service would work or providing sufficient information to permit informed consent decisions.”[65]

F. Data Protection and Minors

In Canada, there is no legislation that deals specifically with children’s privacy or data protection, nor are there specific provisions in PIPEDA that address this issue. A report by the Office of the Privacy Commissioner has noted that the “average age of children who use the Internet appears to be dropping, and the implications on their privacy need careful attention from public policy makers. . . . Many experts have stated that ensuring children’s personal information is protected is an area that needs more attention.”[66]

According to the Office of the Privacy Commissioner, consent for a minor, for the purposes of PIPEDA, may be obtained from a legal guardian.[67]

Currently, proposed amendments to PIPEDA “include measures to better protect the privacy of minors online.”[68] There is a proposal to expand the requirements for consent by placing “an additional onus on the organization collecting, using or disclosing information to ensure that the person providing the information ‘understands’ that he or she is providing the information and the manner in which it may be used.”[69] The provision is expected “to provide increased protection to minors due to the fact that it is . . . expected that an individual’s capacity to understand will vary with age.”[70]

In 2011, Canada’s Privacy Commissioner unveiled a series of new guidelines “for advertisers designed to restrict how  marketers  can  track  users,  including  children,  on the Internet.”[71]

G. Enforcement

The Federal Court of Canada can only provide civil remedies or damages for violations of PIPEDA provisions.[72] There are no criminal sanctions or offenses under the Act.

H. Anti-Spam Legislation

Anti-spam legislation[73] was recently passed that targets spam, unwanted commercial email, spyware, malware, and phishing. Bill C-12 also provides for a private right of action, which would allow individuals to take civil action against violators. Moreover, under the new law, the Canadian Radio-television and Telecommunications Commission (CRTC) and Competition Bureau can impose penalties on individuals and businesses.

Back to Top

III. Role of Data Protection Agencies


Enforcement of data protection laws is the responsibility of the Privacy Commissioner and the Federal Court of Canada. The Privacy Commissioner of Canada is a federal ombudsman established to investigate privacy complaints against both public and private bodies. The Privacy Commissioner was established under the Privacy Act, which came into force on July 1, 1983. With the enactment of PIPEDA, the Privacy Commissioner was given authority to investigate complaints against private organizations.

The Commissioner’s powers to further the privacy rights of Canadians include

  • investigating complaints, conducting audits and pursuing court action under two federal laws;
  • publicly  reporting  on  the  personal  information-handling  practices  of  public  and private sector organizations;
  • supporting, undertaking and publishing research into privacy issues; and
  • promoting public awareness and understanding of privacy issues.[74]

PIPEDA does not give complainants the automatic right to sue for violations of the obligations stipulated under the Act. Under Section 11(1) of PIPEDA, “[a]n individual may file with the Commissioner a written complaint against an organization for contravening” a provision or obligation under the Act.[75] Moreover, “[i]f the Commissioner is satisfied that there are reasonable grounds to investigate a matter,”[76] he or she may initiate the complaint.

According to PIPEDA,

[t]he Commissioner shall conduct an investigation in respect of a complaint, unless the Commissioner is of the opinion that

  • (a) the complainant ought first to exhaust grievance or review procedures otherwise reasonably available;
  • (b) the complaint could more appropriately be dealt with, initially or completely, by means of a procedure provided for under the laws of Canada, other than this Part, or the laws of a province; or
  • (c) the complaint was not filed within a reasonable period after the day on which the subject matter of the complaint arose.[77]

A decision to not review a complaint can be reconsidered if the complainant provides compelling reasons to do so.[78] Also, the Commissioner may discontinue an investigation for a number of reasons, for example if there is insufficient evidence to pursue the investigation or if the complaint is trivial or frivolous.[79]

After concluding the investigation, the Commissioner is required to produce a report of findings and recommendations, which must be sent to the complainant and the organization. It should be noted that the Commissioner has no authority to order compliance, award damages, or impose penalties.[80] However, under section 14 of the Act, “[a] complainant may, after receiving the Commissioner’s report or being notified . . . that the investigation of the complaint has been discontinued, apply to the Court [Federal Court of Canada] for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report.”[81] The Act furthermore provides the Federal Court of Canada the authority to order an organization to “correct its practices”; “publish a notice of any action taken or proposed to be taken to correct practices”; and “award damages to the complainant, including damages for any humiliation that the complainant has suffered.”[82]

In testimony referred to earlier in the report, Privacy Commissioner Stoddart informed the House of Commons committee that Canada’s Personal Information Protection and Electronic Documents Act is far too weak  and  reforms  are  necessary  to  provide  stricter  penalties and fines.[83]

Back to Top

IV. Court Decisions

The first time the Federal Court of Canada awarded damages under PIPEDA was in the case of Nammo v. TransUnion. [84] The landmark decision signaled “the court’s willingness to [85] award damages for privacy violations in certain egregious circumstances.”85

Canadian courts have noted that PIPEDA “was not intended to apply extra- territorially,”[86] with the Federal Court holding that “Parliament cannot have intended that PIPEDA govern the collection and use of personal information worldwide.”[87] However, the Court held that PIPEDA “could still cover foreign entities that either receive or transmit communications to and from Canada, and that collect and disclose personal information about individuals in Canada.”[88]

In another significant ruling, State Farm Mutual v. Privacy Commissioner,[89] the Federal Court of Canada held, as summarized by the Office of the Privacy Commissioner, that “State Farm was not engaged in ‘commercial activities’ when it collect[ed], use[d] or disclose[d] personal information in the course of defending its insured against litigation,”[90] and hence is not subject to PIPEDA.

Back to Top

V. Scholarly Opinion and Commentary

According to legal scholar Jeremy Warner, PIPEDA has “attracted criticism over its level of generality and over ineffective oversight and enforcement mechanisms.”[91] Other criticisms include the lack of a reporting mechanism that would require a company to report a privacy breach to the Privacy Commissioner’s Office or to consumers. The Privacy Commissioner has noted that “with barely any penalties for breaching provisions in PIPEDA, there is little incentive for companies to invest in better data protection systems.”[92]

Commentators have criticized the overlap between the role of Privacy Commissioners at the federal and provincial level, since “this apparent overlap is likely to create a degree of confusion over which body—federal or provincial—has jurisdiction where data flows outside a province are concerned.”[93]

Certain scholars have also shown disapproval of Canada’s approach to data protection, and PIPEDA in particular, for putting business interests ahead of privacy rights. According to Tina Piper, the serious concerns of Canadians in respect to the “proliferation and commercial importance of personal information” was not adequately addressed by PIPEDA. Business interests and “the characterization of privacy in market terms rather than in the language of human  rights  and  long-term  policy  objectives”  prevented  Canadians’  concerns  from  being adequately addressed.[94]

Other scholars have assessed Canada’s data protection laws by looking at how they embody different personal rights.  The Canadian legal framework for privacy, in comparison to the ones in the US and Europe, takes the middle ground between conceptualizing privacy protection as protecting personal autonomy and protecting personal dignity (the individual’s right to control access to personal identifiable information).[95]

Back to Top

VI. Public Opinion

According to Tina Piper, “[p]ublic surveys of Canadians have consistently revealed a remarkably high level of concern over the issue of privacy.”[96] Prior to the enactment of PIPEDA in 2000, several reports, surveys, and polls indicated serious apprehension over the issue of privacy and data protection.[97] A 1992 Canadian Privacy Survey by Ekos Research found that 92% of the three thousand Canadians interviewed “believed privacy to be an important issue and that 60 percent believed they have less personal privacy now than a decade ago.”[98] A 1994 Gallup Canada survey conducted by Andersen Consulting showed that “over 80 percent of the Canadians polled expressed concern about the personal information about them that might be collected by companies through the information highway.”[99] Another study by Ekos in 1998 revealed that “94 percent of Canadians believe it is increasingly important to have safeguards for personal information on the Internet. Canadians, moreover, are becoming much more knowledgeable about privacy issues.”[100] Piper notes that “[t]hese studies suggest a pervasive belief that personal privacy is under siege from a range of technological, commercial and social threats and that something must be done about it.”[101]

A 1997 study, conducted by the House of Commons Standing Committee on Human Rights, attempted to gauge public opinion of privacy by having surveyors travel across the country and hold meetings with citizens. According to the study,

Canadians see privacy . . . not just as an individual right, but as part of our social or collective value system. As we struggled with the impact of new technologies on our understanding of privacy, we realized that, ultimately, we were talking about what kind of society we want for our future. Canadians view privacy as far more than the right to be left alone, or to control who knows what about us. It is an essential part of the consensus that enables us not only to define what we do in our own space, but also to determine how  we  interact  with  others—either with  trust, openness  and  a sense  of freedom, or with distrust, fear and a sense of insecurity.[102]

The study concluded that “we could not but be amazed by the degree of consensus that emerged in each of our meetings . . . they [citizens] all believe that privacy matters.”[103]

According to a more recent survey, published in a 2011 report issued by the Office of the Privacy Commissioner of Canada,[104] “[p]rivacy protection is seen as important but perhaps not an issue Canadians feel they have control over.” According to the report,

[a]lmost two thirds of Canadians (65%) agreed that protecting the personal information of Canadians will be one of the most important issues facing the country in the next ten years. . . . Six in ten Canadians agreed that they felt they had less protection of their personal information in their daily lives than they did ten years ago. . . . Most Canadians did not feel confident that they had enough information to know how new technologies might affect their personal privacy: While 43% said they did have enough information about this, three in ten (31%) said they did not, while a quarter (24%) neither agreed nor disagreed with this premise.[105]

According to the same report, “[t]he awareness of federal privacy institutions and privacy laws remains steady. . . . Most felt that their knowledge of personal privacy rights under the laws protecting their personal information was either poor (36%) or somewhere in neutral territory— neither good nor bad (33%).”[106] Moreover, “[t]hree in ten Canadians were aware of a federal institution that helps them with privacy and the protection of personal information from inappropriate collection, use and disclosure.”[107]

Back to Top

VII. Pending Reforms

On September 29, 2011, the federal government of Canada reintroduced a bill amending PIPEDA.[108] Proposed changes in Bill C-12 include the following:

  • Redefining “personal information” to remove the provision that business contact information is not personal information.[109]
  • Inserting a provision “that would expand the requirements for consent under the legislation. The provision would provide that consent will be valid only if it is reasonable to expect that the individual providing it understands ‘the nature, purpose and consequences of the collection, use or disclosure of personal information’ to which they are consenting.”[110]
  • Imposing “important new mandatory reporting obligations on organizations subject to PIPEDA, requiring them to report any ‘material breach of security safeguards involving personal information under its control’ to the federal Privacy Commissioner as soon ‘as feasible after the organization determines that a material breach of its security safeguards’ has occurred.”[111]
  • Adding new exceptions, including “business transactions” and “employment relationship” exceptions, to the requirement for informed consent to use and disclose personal information.[112]

Back to Top

Tariq Ahmad
Legal Research Analyst
June 2012

[1] 1 Canadian Charter of Rights and Freedoms, Part I of the Constitution Act, 1982, being Schedule B to the Canada Act, 1982, c. 11 (U.K.),

[2] Id. § 7.

[3] Id. § 8.

[4] R. v. Dyment, [1988] 2 S.C.R. 417,

[5] Privacy Act, R.S.C. 1985, c. P-21,

[6] Canada: Data Protection, PRIVIREAL (PRIVACY IN RESEARCH ETHICS & LAW), http://www.privireal .org/content/dp/canada.php (last modified Nov. 29, 2005).

[7] Personal Information Protection and Electronic Documents Act [PIPEDA], S.C. 2000, c. 5, http://laws-

[8] Id., preamble.

[9] Tina Piper, Personal Information Protection and Electronic Documents Act: A Lost Opportunity to Democratize Canada’s Technological Society, 23 DALHOUSIE L.J. 253 (2000).

[10] Council Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art. 25(6), 1995 O.J. (L 281) 31,

[11] Id.

[12] Juliana M. Spaeth, Mark J. Plotkin, & Sandra C. Sheets, Privacy, Eh!: The Impact of Canada’s Personal Information Protection and Electronic Documents Act on Transnational Business, 4 VAND. J. ENT. L. & PRAC. 28, 30 (2002).

[13] Commission Decision 2002/2/EC, of 20 December 2001 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data Provided by the Canadian Personal Information Protection and Electronic Documents Act, ?uri=CELEX:32002D0002:EN:NOT.

[14] Personal Information Protection Act, S.B.C. 2003, c. 63, new/document/ID/freeside/00_03063_01.

[15] Personal Information Protection Act, S.A. 2003, c. P-6.5, =P06P5.cfm&leg_type=Acts&isbncln=9780779748938

[16] An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., c. P-39.1,

[17] Health Information Act, R.S.A. 2000, c. H-5, available at

[18] Health Information Protection Act, S.S. 1999, c. H-0.021, available at

[19] Personal Health Information Act, C.C.S.M., c. P33.5,

[20] Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A,

[21] Personal Health Information Privacy and Access Act, S.N.B. 2009, c. P-7.05, available at

[22] Megan Evans, A Primer on the Personal Information Protection and Electronic Documents Act (“PIPEDA”) for Pharmaceutical and Medical Device/Technology Companies That Conduct Business in Canada, LONGWOODS.COM (2003),

[23] PIPEDA § 2(1), S.C. 2000, c. 5,

[24] Electronic Commerce in Canada: Frequently Asked Questions, INDUSTRY CANADA, (last modified July 20, 2009).

[25] Id.

[26] Canadian Standards Association, Model Code for the Protection of Personal Information, (last visited on June 28, 2012).

[27] Spaeth, Plotkin, & Sheets, supra note 12, at 33.

[28] INDUSTRY CANADA, supra note 24.

[29] PIPEDA, Sch. 1, cl. 4.3, S.C. 2000, c. 5,

[30] Id. cl. 4.3.2.

[31] Id. cl. 4.3.1.

[32] Id. cl. 4.3.4, 4.3.6.

[33] Id. cl. 4.3.6.

[34] Id.

[35] Id.

[36] Id. cl. 4.3.7.

[37] See id. § 7(1) for collection of personal information without knowledge or consent, § 7(2) for use without knowledge or consent, § 7(3) for disclosure without knowledge or consent, and § 7(4) for use without consent and disclosure without consent. See also Sch. 1, cl. 4.3, which states, “In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical,   or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information.  Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.”

[38] Id. cl. 4.8.

[39] Id. cl. 4.8.1.

[40] Id.

[41] Id.

[42] Id. cl. 4.8.2.

[43] Id. cl. 4.8.3.

[44] Id.

[45] Id. cl. 4.2.

[46] Id. cl. 4.2.1.

[47] Id. cl. 4.2.4.

[48] Id. cl. 4.2.3.

[49] Id. cl. 4.7.

[50] Id. cl. 4.7.1.

[51] Id. cl. 4.7.2.

[52] Id. cl. 4.7.5.

[53] Id. cl. 4.7.3.

[54] Id. cl. 4.7.4.

[55] Id. cl. 4.5.2.

[56] Id. cl. 4.5.3.

[57] Id.


[59] Kristy Kirkup, Privacy Watchdog Pushes Penalties for Non-compliant Social Media Sites, THE OBSERVER (May 29, 2012),

[60] Id.

[61] Privacy Commissioner: Facebook Shows Improvement in Some Areas, But Should Be More Proactive on Privacy When Introducing New [Features], BLOOMBERG (Apr. 4, 2012),

[62] Id.

[63] Preliminary Letter of Findings: Complaints Under the Personal Information Protection and Electronic Documents Act (the Act), OFFICE OF THE PRIVACY COMMISSIONER OF CANADA, modified Oct. 19, 2010).

[64] News Release, Office of the Privacy Commissioner of Canada, Letter to Google Inc. Chief Executive Officer (April 19, 2010),

[65] Id.


[67] Valerie Steeves, It’s Not Child’s Play: The Online Invasion of Children’s Privacy, 3 UNIV. OTT. L. & TECH. J. 169, 181 (2006),

[68] Government of Canada Moves to Enhance Privacy of Individuals During Commercial Transactions, INDUSTRY CANADA (Sept. 29, 2011),

[69] Ameena Sultan, PIPEDA: Privacy and Consent Legislation, WHALEY ESTATE LITIGATION (Feb. 15, 2011),

[70] Lisa R. Lifshitz, Chris Oates, & Rene Bissonnette, Government Introduces Amendments to PIPEDA, GOWLINGS 1,
. (last visited June 12, 2012)

[71] Matt Hartley, Privacy Commissioner Lays Out New Rules for Online Advertising, FINANCIAL POST (Dec. 6, 2011),

[72] PIPEDA § 16(c).

[73] An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities That Discourage Reliance on Electronic Means of Carrying Out Commercial Activities, and to Amend the Canadian Radio-Television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, C. 23, http://Laws-Lois.Justice.Gc.Ca/Eng/Acts/E-1.6/Page-1.Html.

[74] About the Office of the Privacy Commissioner, OFFICE OF THE PRIVACY COMMISSIONER OF CANADA, (last modified July 19, 2010).

[75] PIPEDA § 11(1), S.C. 2000, c. 5,

[76] Id. § 11(2).

[77] Id. § 12(1).

[78] Id. § 12(4).

[79] Id. § 12.2(1).

[80] Id. §§ 13(1), 13(3).

[81] Id. § 14(1).

[82] Id. § 16.

[83] Kirkup, supra note 60.

[84] Nammo v. TransUnion of Canada, [2010] F.C. 1284,

[85] PIPEDA Case Law Update: Federal Court Issues a Landmark Decision on Damages, ACCESS PRIVACY (Feb. 1, 2011),


[87] Lawson v. Accusearch, [2007] F.C. 125, available at


[89] State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, [2010] F.C. 736, available at
.  See also Charles S. Morgan, Federal Court Rules on Scope of “Commercial Activity” under PIPEDA, MCCARTHY TÉTRAULT LLP (Nov. 11, 2010), This article notes that “many had hoped that this decision would resolve the issue of the constitutionality of PIPEDA as regards its application to the intra-provincial activities of provincially regulated entities. As the court declined to determine this question, the status quo has been maintained in this respect, at least for now.”

[90] Recent Court Activity: State Farm v. Privacy Commissioner and AG of Can., OFFICE OF THE PRIVACY COMMISSIONER OF CANADA, (last modified July 12, 2010).

[91] Jeremy Warner, The Right to Oblivion: Data Retention from Canada to Europe in Three Backward Steps, 2 U. OTTAWA L. & TECH. J. 75, 92 (2005),

[92] See Meagan Fitzpatrick, Social Media Websites Ignoring Privacy Laws, Watchdog Says, CBC NEWS (May 29, 2012),

[93] Micheal Fekete & Patricia Wilson, PIPEDA: A Clearly Canadian Approach to Privacy Protection, PRIVACY REG. 4, 7 (Spring 2004),

[94] Piper, supra note 9, at 1.

[95] AVNER LEVIN & MARY JO NICHOLSON, Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground, 2 OTTAWA L. & TECH. J. 357, 381 (2005).

[96] Piper, supra note 9, at 10.

[97] Id.

[98] Id.

[99] Id.

[100] Id.

[101] Id.


[103] 7.


[105] Id.

[106] Id.

[107] Id.

[108] An Act to amend the Personal Information Protection and Electronic Documents Act, Bill C-12, 41st Parl., 1st Sess. (Can. 2011), available at

[109] Lifshitz, Oates, & Bissonnette, supra note 70.

[110] Id.

[111] Id

[112] Id

Back to Top



Last Updated: 04/02/2018