Additional News and Resources
Privacy Commissioner of Canada – Annual Reports
The Office of the Privacy Commissioner of Canada released its "2022–2023 Annual Report." The report outlines the department's private-sector investigations and advisory work. View 2022-23 Report View Previous Reports ... Read More
Canadian government issues guidelines for employee AI use
The Canadian government issued new guidelines for employees using artificial intelligence tools on the job, CBC News reports. Treasury Board President Anita Anand said the guidelines, based on existing legislation including the Privacy Act, will "ensure responsible use of generative AI" and confirm "bias does not creep in if employees do go down the road to use generative AI." Full story... Read More
Canada rolls out generative AI code of practice
The Government of Canada published a code of practice for generative artificial intelligence development and use. In anticipation of lawmakers passing the proposed Artificial Intelligence and Data Act, the government's voluntary code will help potential covered entities "avoid harmful impacts, build trust in their systems, and transition smoothly to compliance with Canada's forthcoming regulatory regime." The code includes principles for safety, fairness, transparency and human oversight. Editor... Read More
Survey of Canadians on Privacy-Related Issues
The Office of the Privacy Commissioner of Canada publishes this annual survey to better understand Canadians' awareness of and attitudes toward their privacy rights and issues. Read More
An update of C-27 since its reintroduction in Parliament
Since its introduction in Canadian Parliament last year, Bill C-27, the Digital Charter Implementation Act, has been front and center in regulatory conversations among privacy professionals in Canada. The omnibus legislation passed the House of Commons on second reading 24 April and contains three separate pieces of legislation: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. Despite privacy legislati... Read More
OPC releases 2023-2024 strategy
The Office of the Privacy Commissioner of Canada published its 2023-2024 departmental plan. Commissioner Philippe Dufresne said the office is "preparing to be ready to deliver on its new mandate" if federal privacy law reforms under Bill C-27 pass. He also alluded to his office needing to be "properly resourced" for "necessary operational and structural changes" the office will assume under Bill C-27. Advising toward Bill C-27's finalization and establishing a "fair, accessible and timely compli... Read More
Canadian government releases AIDA companion document
The Canadian government published a companion document with key information about the proposed Artificial Intelligence and Data Act. The AIDA is contained within the proposed omnibus Bill C-27, the Digital Charter Implementation Act, which was tabled last year. The "new regulatory system" the AIDA establishes represents "the first step" toward guiding "AI innovation in a positive direction, and to encourage the responsible adoption of AI technologies by Canadians and Canadian businesses." Full St... Read More
OPC publishes organizational tips for conducting PIAs
The Office of the Privacy Commissioner of Canada published a guide with five tips for improving privacy impact assessments. The OPC found the missteps organizations take when conducting PIAs include not understanding their legal authority to collect certain personal data, defining the scope of a PIA for “clear analysis,” and creating and implementing an action plan based on the PIA. Full Story... Read More
Quebec information commission releases children's privacy report
Quebec’s data protection authority, la Commission d’accès à l’information du Québec, published a report regarding potential children's privacy amendments to provincial privacy legislation. The goal of the report was to examine enhanced protections for children under the age of 14. Themes reviewed in the report include going beyond parental consent for children's data use, improved privacy awareness for parents and children, and proposals for prohibited data collection practices. Full Story... Read More
Synthetic data a key to privacy by design practices in new Canadian smart city partnership
Toronto-based nonprofit Innovate Cities and synthetic data generation provider Replica Analytics joined forces in a new effort to help Canadian cities transition away from using personal data and instead utilize synthetic data. The basis of the partnership entails providing municipalities with synthetic data based on real-life data points to achieve smarter solutions for each given city. IAPP Staff Writer Alex LaCasse has the details. Full Story... Read More
Expanding the scope of privacy legislation under Canada's Consumer Privacy Protection Act
In 2020, I wrote about what I considered a significant flaw under the proposed Consumer Privacy Protection Act in Bill C-11, which was tabled in November 2020, and then died when the federal election was called in 2021. Bill C-11 retained the definition of personal information — information about an identifiable individual — but introduced a new concept of “deidentify.” This seemed to, by implication, alter the concept of personal information, expanding the scope of federal privacy legislation ... Read More
Parting thoughts: A Canadian privacy one-on-one with Daniel Therrien
Canada's federal privacy regime is on the cusp of an overhaul with the recent introduction of Bill C-27, an omnibus legislative package for data protection and artificial intelligence. Many have called for this reform in recent years to address growing privacy issues. Former Privacy Commissioner of Canada Daniel Therrien was one who saw the need and strongly advocated for change during the final years of his eight-year term. Therrien completed his tenure as commissioner June 3, spending some ti... Read More
A look at Canada's new federal privacy legislation, Bill C-27
Last week, while privacy professionals in Canada were still contemplating Bill C-26 on cybersecurity, the much-anticipated Digital Charter Implementation Act, 2022 — Bill C-27 — was introduced by the federal government. It is a reintroduction and, some may agree, an improvement of Bill C-11, first introduced in 2020 and failed on the order paper as a result of the federal election in 2021. The new statutory framework in Bill C-27 governs private sector personal information protection practices ... Read More
Tim Hortons app investigation highlights ‘urgent need’ for ‘stronger privacy laws’
Fast-food chain Tim Hortons’ mobile application tracked and recorded users’ movements every few minutes of every day, everywhere they went, even when the app was not in use. This according to a joint investigation by federal and provincial Canadian privacy authorities, which they said points to the need for privacy reform in the country. The Office of the Privacy Commissioner of Canada, Commission d'accès à l'information du Québec, Office of the Information and Privacy Commissioner for Britis... Read More
Canada introduces new federal privacy and AI legislation
Canada took a step toward updating its privacy regime June 16, as Minister of Innovation, Science and Industry François-Philippe Champagne and Minister of Justice and Attorney General of Canada David Lametti introduced Bill C-27. The Digital Charter Implementation Act, 2022 features three pieces of legislation: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. The three-pronged legislation aims to stren... Read More
PIPEDA rights for consumers
This article from Termageddon discusses the Personal Information Protection and Electronic Documents Act rights for consumers and how these rights affect your business and privacy policy. Click To View ... Read More
Therrien says 'uncertainty' clouds Canadian privacy, urges thoughtful reform
After eight years at the helm of Canada's privacy regime, the time has arrived for Privacy Commissioner of Canada Daniel Therrien to pass the reins. The longtime civil servant will leave his post June 3, allowing him the opportunity to speak candidly for the first time about the state of Canadian privacy during his keynote speech at the IAPP Canada Privacy Symposium 2022. Instead of reflecting on what was or could have been during his tenure, Therrien provided unfiltered thoughts on the gray ar... Read More
Report: Canadians unaware of how their data is collected, used
A report by the Surveillance Studies Centre found Canadians are unaware of what information is being collected about them or how it is used, The Globe and Mail reports. Read More
OPC publishes report examining strategic privacy priorities
The Office of the Privacy Commissioner of Canada published a report that recounted the strategic privacy priorities over the last seven years. The report titled “Strategic Privacy Priorities and the Themes and Observations that Emerged: 2015-2022” examined the OPC’s work in the fields of economics of personal information, government surveillance, and reputation and privacy as an effort to help restore Canadians’ trust in government and the digital economy. These selected priorities reflected the... Read More
OPC releases 2022-2023 departmental plan
Privacy Commissioner of Canada Daniel Therrien announced details of his office's 2022-2023 departmental plan. He said the plan will focus on continuing "to build on our efforts to contribute to the adoption of new federal privacy laws and prepare the Office for changes stemming from these reforms." Noting how federal privacy law updates are "building trust among Canadians" and "fostering innovation," Therrien explained the office is "reviewing potential operational and structural changes as well... Read More
Algorithmic Awareness: Conversations with young Canadians about Artificial Intelligence and Privacy
This report, published by MediaSmarts, details a Canadian youth research study involving game-based learning and reflection for the purposes of gaining insight into young Canadians’ understanding of the relationship between AI, algorithms, privacy and data protection. Read More
Quebec’s Bill 64: The first of many privacy modernization bills in Canada?
Privacy in Quebec is about to get a major makeover. Passed in September, Quebec’s Bill 64 revamps and modernizes much of the province’s current privacy laws, including the Private Sector Act, Quebec’s main statute that regulates the collection, use and disclosure of personal information by private organizations. IAPP Westin Research Fellow Samuel Adams analyzes the proposed changes to consent, data protection officers, notice, individuals’ rights and more, and the ripple effect this could cause ... Read More
A deep dive into Canadians' privacy concerns
On June 15, the Office of the Privacy Commissioner of Canada released the results of the “2020-21 Survey of Canadians on Privacy-Related Issues.” Between November and December 2020, a 14-minute random digit dialing telephone survey was administered to 1,502 Canadian residents 16 years or older. The goal of the research was to better understand the extent to which Canadians were aware, understood and perceived privacy-related issues. In the report, the results were expressed as a percentage. Kno... Read More
What you need to know about mandatory reporting of breaches of security safeguards (Canada)
This guidance page from the Office of the Privacy Commissioner of Canada looks at the Canadian privacy breach regulations and how they affect organizations subject to the legislation. Read More
Facial recognition pilot caught millions of travelers at Toronto airport
The Globe and Mail reports a 2016 facial recognition pilot at Toronto Pearson International Airport was the largest government deployment of biometric technology in Canada to date. The six-month trial sought to help Canada's Border Services Agency detect travelers using fake identities. CBSA indicated it "takes the issue of personal information and privacy seriously," noting it performed a privacy impact assessment before launch. University of Ottawa’s Tamir Israel said the revelations were "rea... Read More
OIPC publishes review of private liquor, cannabis retailers
The Office of the Information and Privacy Commissioner for British Columbia published its review of private liquor and cannabis retailers. The report covers the personal information collected by the retailers as well as a review of their privacy management programs, their websites and how they address video surveillance. The commissioner also included recommendations for retailers to better understand their obligations under the province's Personal Information Protection Act. Full Story... Read More
OPC survey finds 87% of Canadians concerned about their privacy
A survey authorized by the Office of the Privacy Commissioner of Canada found 87% of Canadians expressed concern about the protection of their privacy. Of the 1,502 respondents polled, 89% said they are worried data collection could lead to identity theft and 88% said they are concerned companies could use the information to make a decision about them regarding a job or an insurance claim. The survey also found seven in 10 Canadians refused to provide data to an organization over privacy concern... Read More
OPC: Royal Canadian Mounted Police use of Clearview AI violates Privacy Act
Ever since The New York Times first reported on Clearview AI in January 2020, the world has grappled with the reach of the controversial company, which offered facial recognition services used by more than 600 law enforcement agencies. Canada has been no different, and the fallout from the revelation of Clearview AI continues 18 months from the Times' initial report. The Office of the Privacy Commissioner found the Royal Canadian Mounted Police violated the Privacy Act through its use of Clearv... Read More
On the virtual Symposium stage, Therrien keeps his eyes toward the future
Before giving his annual keynote at this year's virtual IAPP Canada Privacy Symposium, Privacy Commissioner of Canada Daniel Therrien briefly considered retrospection. Therrien is nearing the end of his seventh year as privacy commissioner and thought it might be time to look back at what has been accomplished during his tenure. Therrien ultimately decided against it, feeling it was far more imperative to focus on the future, and there's no shortage of reasons why he wouldn't. Therrien recently... Read More
British Columbia's RCMP breaks own facial recognition rules
The Royal Canadian Mounted Police of British Columbia broke its own standards on facial recognition by partnering with U.S.-based biometrics service IntelCenter, The Tyee reports. The deal, signed in 2016, allowed RCMP to access the 700,000-image database, which was created by lifting facial images from social media and other online sources. RCMP Sgt. Kris Clark indicated the deal was only signed to trial IntelCenter's database. Full Story... Read More
OPC breaks down privacy-enhancing technologies
The Office of the Privacy Commissioner of Canada published a blog post outlining how certain privacy-enhancing technologies can support businesses' data privacy efforts. The OPC explained the benefits of federated learning and differential privacy, outlining how both employ respective anonymization practices that keep datasets protected. However, the OPC notes both technologies have received mostly "theoretical development" because there have been "few use-cases in businesses." Full Story... Read More
Op-ed: Remote learning brings privacy pitfalls for Canadian students
In an op-ed for The Conversation, the University of Toronto's Claudiu Popa discusses privacy issues stemming from another return to remote learning in Ontario. Popa lists the mass data collection, student tracking via education technologies and an inability to opt out of said collection or tracking as the dilemmas facing children and their parents. Popa said parents should "take a stand and protect their families by requiring school boards to supply sufficient information to be comfortable with ... Read More
Canadian authorities determine facial recognition firm violated privacy laws
The Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Information and Privacy Commissioner of Alberta have found Clearview AI violated federal and provincial privacy laws. Following its joint investigation, the commissioners determined Clearview's collection of more than three billion images, millions of which belong to Canadians, took place without the... Read More
The rise of co-regulation, from GDPR to Canada’s Bill C-11
Codes of practice and certification programs are among some of the new regulatory tools referenced in the Consumer Privacy Protection Act, which proposes to reshape Canada’s federal framework for privacy protection and is introduced by the recent Bill C-11. Under the provisions (ss 76-81), organizations could voluntarily set and enforce norms of practice to establish compliance with the CPPA, effectively giving them a say in defining what compliance entails at the level of implementation and pr... Read More
'Schrems II' déjà vu: What new EDPB guidance means for Canadian businesses
On July 16, 2020, the Court of Justice of the European Union issued the now-famous "Schrems II" decision that invalidated the EU-U.S. Privacy Shield and threw the legality of transfers of EU personal data to non-adequate third countries into question. The CJEU upheld the validity of standard contractual clauses with the caveat that data exporters must assess whether laws and practices in the data importer’s country could undermine their data protection obligations, and if so, either implement su... Read More
Federal privacy reform in Canada: The Consumer Privacy Protection Act
The federal minority government released draft legislation to update and modernize Canada’s federal private sector privacy legislation. The present law, the Personal Information and Electronic Documents Act, was initially passed in 2001 and fully came into effect in 2004. We will not go into a detailed explanation of Canada’s federal division of powers or the application of PIPEDA but will instead focus on the proposed changes. It is important to remember that a key goal of PIPEDA was to allow ... Read More
Big fines included in Canada's newly proposed national privacy bill
The Canadian government proposed new legislation Tuesday that would reshape the nation's privacy framework. Bill C-11, which was introduced by Minister of Information Science and Economic Development Navdeep Bains, includes steep fines for companies — up to 5% of revenue or C$25 million, whichever is the higher sum. In a fact sheet, the proposed Digital Charter Implementation Act, 2020, which includes the Consumer Privacy Protection Act, "would significantly increase protections to Canadians' ... Read More
OPC – Privacy Guide for Businesses
The Office of the Privacy Commissioner of Canada developed a privacy guide to help organizations adhere to the Personal Information Protection and Electronic Documents Act. The guide contains a summary of the principles within PIPEDA that organizations should follow, as well as the meaningful consent and privacy breach requirements they must meet. Read More
OIPC — Securing personal information: A self-assessment tool for public bodies, organizations
This resource, published by the OIPC, is a self-assessment tool and step-by-step checklist for public bodies and organizations to ensure they are adhering to personal security requirements. Read More
In annual report, Therrien makes familiar call for legislative reform
Privacy Commissioner of Canada Daniel Therrien has called for an update to the country's federal privacy laws for years. It was a main talking point of the Office of the Privacy Commissioner of Canada's "2018–2019 Annual Report," and a year later, Therrien found himself making the same plea to the federal government. But the world is nowhere near the same place it was when the OPC published its annual report last December. The COVID-19 pandemic has upended just about every aspect of everyday li... Read More
A Comparison of Canada’s Private-Sector Privacy Legislation
This resource, published by the British Columbia FIPA, compares BC’s personal information act with the personal information acts of Alberta and Quebec. Read More
Privacy and Smart Cities: A Canadian Survey
This report from the Office of the Privacy Commissioner of Canada presents the findings of a national survey of Canadians about smart-city privacy conducted in October and November 2018. Click To View (PDF) ... Read More
MediaSmarts — Young Canadians speak out: A qualitative research project on privacy and consent
The report from MediaSmarts looks at how young Canadians think their consent should be obtained online. Click To View (PDF) ... Read More
OPC: Privacy guidance for manufacturers of Internet of Things devices
The Office of the Privacy Commissioner of Canada published guidance for manufacturers of Internet of Things devices. The OPC explains the guidance is specific to companies that "produce, design or are tasked with ensuring legal compliance for devices with embedded sensors that collect personal information." Read More
'Schrems II': Impact on Data Flows with Canada
On July 16, the Court of Justice of the European Union decision sent a shockwave through the privacy, tech and business communities with its determination that the EU-U.S. Privacy Shield is no longer a valid basis for transferring EU personal data to the U.S. Though focused on the U.S., this decision has the potential to impact Canadian businesses in a number of ways. We will not reiterate what has already been described in numerous articles available through the IAPP about the decision itself... Read More
Canada’s Supreme Court upholds Genetic Non-Discrimination Act
On July 10, Canada’s Supreme Court issued its Reference re Genetic Non‑Discrimination Act decision, surprising many by upholding the Genetic Non-Discrimination Act’s constitutionality in a 5–4 decision. This is consequential for Canadian privacy in many ways, and I will attempt to provide some context for both Canadians and non-Canadians to understand how this decision came about and why it is consequential. (As my colleague Dustin Moores pointed out, recent news analysis has been more focused o... Read More
A quick comparative survey of Quebec’s proposed privacy legislation
On June 12, 2020, Quebec tabled its proposed update to its public and private sector privacy laws, and it lives up to the promise of the “GDPR-style legislation” first announced this spring. There are a number of elements that echo other federal and provincial privacy laws in Canada, but there is a very strong European flavor. (Please note that Quebec follows a civil code legal system as opposed to its common law counterparts in the rest of Canada, and forthcoming guidance from Quebec lawyers wi... Read More
The Inaugural Ian Kerr Memorial Lecture
We are honored to introduce the Ian Kerr Memorial Lecture. Kerr’s legacy advancing the growth and visibility of the privacy profession will live on in forward-thinking discourse presented by keynote speakers each year at the IAPP Canada Privacy Symposium. This year, we are pleased to feature University of Ottawa Faculty of Law Professor Michael Geist as the inaugural Ian Kerr Memorial lecturer, presented here virtually. Read More
How Facebook's settlement with Canada’s Competition Bureau may impact OPC's recommendations
Now that Facebook’s settlement with the Competition Bureau Canada has been published, it is interesting to consider how this could impact other regulatory actions Facebook is dealing with in Canada with the Office of the Privacy Commissioner of Canada. The settlement is quite short but has some interesting implications. First, it expressly states that Facebook’s agreement does not constitute an admission of guilt under the Competition Act or any other law, so this settlement doesn’t preclude F... Read More
Canadian police agencies grapple with facial recognition use
Police agencies in Canada are grappling with the use of facial-recognition technology, a tool that law enforcement officials say could aid in identifying criminals but that privacy advocates argue raises concerns. Two Canadian police services have said they used the controversial technology, one calling for a review by Ontario's privacy commissioner, while a third expressed plans to move forward with implementation. The Office of the Privacy Commissioner of Canada is now prepared to step in an... Read More
Is Canada’s proposed consent requirement for cross-border transfers worth the risk?
The Office of the Privacy Commissioner of Canada took the unusual step of reopening a previously suspended, controversial consultation on cross-border transfers under the Personal Information Protection and Electronic Documents Act — signaling it remains determined to move toward a consent-based model for such transfers under current and possibly future PIPEDA rules. The OPC’s proposal to impose consent rules on cross-border transfers runs counter to the growing consensus that obtaining the indi... Read More
Therrien speaks on Digital Charter, trans-border data flow consultation at CPS19
Privacy Commissioner of Canada Daniel Therrien believes the question about whether privacy legislation should be amended is in the past. It is no longer should the country's privacy laws be amended, but what is the best way to do so, and with the announcement of the country's Digital Charter, the commissioner said the federal government seems to agree. Therrien covered the latest development during his keynote speech at the IAPP Canada Privacy Symposium here in Toronto. The commissioner also an... Read More
The Evolution of Canada’s Data Broker Industry
This report from Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic follows up on CIPPIC’s 2006 study of the Canadian data brokerage industry. It looks specifically at the changes and impact they have had on the shape, practices and products of the data broker industry in Canada. Click To View (PDF) ... Read More
A 'reasonable' discussion about PIAs in Canada
Looking at Canada’s Personal Information Protection and Electronic Documents Act, the word “reasonable” pops up quite often. Companies have an obligation to ensure they always act in a way a reasonable person would consider appropriate in a given circumstance. Almaga Consulting President Gilles Fourchet, CIPP/C, CIPT, FIP, said one area where reasonableness should play a role for privacy professionals is conducting privacy impact assessments. He compared performing a PIA to how encryption was... Read More
OPC, OIPC find AIQ violated federal, provincial privacy laws
For the second time this year, the Office of the Privacy Commissioner of Canada and Office of the Information and Privacy Commissioner for British Columbia announced an organization had violated federal and provincial privacy laws through its use of data. Privacy Commissioner of Canada Daniel Therrien and British Columbia Information and Privacy Commissioner Michael McEvoy revealed the findings of their investigation into data analytics firm AggregateIQ. The commissioners concluded the British ... Read More
Working with Canadian regulators requires communications, transparency
Communication is a fundamental building block for any relationship. This is not a new discovery. As a matter of fact, it is about as far from a hot take as you will get. For privacy professionals in Canada, however, it may become more important than ever. Canadian Innovation Minister Navdeep Bains recently unveiled the Digital Charter, which contains principles that will reform the country's privacy laws. The charter could change the dynamic for both privacy professionals and regulators, hence t... Read More
Smart City Privacy in Canada
This report from CIPPIC and the Office of the Privacy Commissioner of Canada examines the interaction between privacy legislation and smart cities, specifically looking at Canadian privacy legislation and how that applies within the context of smart cities, as well as how municipalities aiming to incorporate smart city technologies can navigate applicable laws. Click To View ... Read More
OPC, OIPC find AIQ violated Canadian privacy laws
The Office of the Privacy Commissioner of Canada and Office of the Information and Privacy Commissioner for British Columbia announced data analytics firm AggregateIQ violated federal and provincial privacy laws through its use of data. Privacy Commissioner of Canada Daniel Therrien and British Columbia Information and Privacy Commissioner Michael McEvoy revealed the findings of their investigation into AIQ and why they believe the case highlights a need for privacy law reform within the country... Read More
PwC Canada rolls out IAPP training
With privacy and data protection taking the helm of headline news with increasing regularity, it has become much easier for privacy pros to explain what exactly their job entails. As more turn to a career in privacy, others have chosen to distinguish themselves from the crowd. One example of late: PwC Canada. To prove a privacy commitment to its staff and clients, the firm made the decision to roll out IAPP training to staff, and eventually, has plans to introduce training to clients. Director of P... Read More
How to operate under Canada's new breach notification landscape
Last year was a big year for Canadian privacy professionals handling data breach notifications. That's because new requirements came into effect in August under Alberta's Health Information Act, and federal requirements under the Personal Information Protection and Electronic Documents Act came into effect a few months after that in November. These new mandates have made waves in the Great White North, and privacy professionals and regulators have used this new legal landscape as an opportunit... Read More
White Paper – Getting Started with Privacy in Canada
(January 2018) – Many employees, especially at medium-sized firms, get approached by their superiors asking them to wear “different hats.” Lately, a lot of people have been trying privacy hats on for size. Although this may not necessarily be a problem for those of us wishing to acquire new skills, it could pose challenges for others. Particularly for individuals with limited privacy knowledge, they may not know where and/or how to start figuring out what privacy is and how it impacts their organization. In this white paper, get an overview of the questions you should ask, the regulations you should know about and some ways forward when addressing organizational privacy needs in Canada. Read More