Canadian Privacy Law Blog

Sunday, March 15, 2026

Lawful Access is back: Part 1 is much improved but Part 2 is deeply problematic

The latest attempt at so-called “lawful access” has just dropped in the Parliament of Canada. I have a few things to say about it. It’s better than the government’s last attempt, but take a moment and consider this:

If Bill C-22, the Lawful Access Act 2026 becomes the law, the government of Canada will be able to secretly order Apple to build in a capability into its infrastructure to allow Canadian law enforcement and national security folks to track every iPhone, every iPad, every Apple watch, every Apple AirPod and every AirTag in real time.

Then they’ll be able to require Apple to confirm whether they provide you any services.

Then they can go to a justice of the peace and get an order – without actually believing that a crime has been or will be committed – requiring Apple to hand over EVERY device identifier for every device you use with their services. That’s the digital ID for your iPhone, iPad, Apple watch, Apple AirPod, Apple TV and AirTag.

With that information, they can go back to the judge and get an order – again without actually believing that a crime has been or will be committed – requiring Apple to give them the moment-by-moment locations of all your devices.

Oh, and that secret order also required Apple to keep your location history for a full year, so cops can get that too. Is that a power we want Canadian police and law enforcement to have?

For literal decades, Canadian law enforcement and national security folks – working through both liberal and conservative governments – have tried to give cops and spies easier access to information about Canadians, and to plug directly into our digital infrastructure to get access to data.

You might be thinking … “Didn’t we just do this?”

Yes, that’s true. [A summary of the previous attempts at “lawful access”: https://blog.privacylawyer.ca/2025/06/past-canadian-lawful-access-attempts.html.]

In 2005 Liberal PM Paul Martin’s Justice Minister Anne Maclellan introduced Bill C-74, called the “Modernization of Investigative Techniques Act”. It didn’t pass.

In 2009, Conservative prime minister Stephen Harper’s Minister Peter Van Loan introduced Bill C-47, renamed the “Technical Assistance for Law Enforcement in the 21st Century Act”. It also did not pass.

A couple of years later, in 2011 Conservative Stephen Harper’s Minister of Public Safety Vic Toews tabled Bill C-52 in Parliament. This attempt was called the “Investigating and Preventing Criminal Electronic Communications Act”. Shocker – It did not pass.

Apparently a sucker for punishment, Minister Vic Toews then tried another kick at the can the next year with Bill C-30, which was branded as the “Protecting Children from Internet Predators Act”. Yup, you guessed it – this did not pass.

Fast forward to 2025 … The very first substantial bill of the Prime Minister Mark Carney government was tabled by Public Safety Minister Gary Anandasangaree. That was Bill C-2 called the Strong Borders Act. Almost ten years dead, “lawful access” was pulled from its grave, crammed into Parts 14 and 15 of a border bill, only to be thrown back on the trash-heap. It never made it to committee because of the backlash over privacy.

I did a couple of episodes on how problematic Bill C-2 was. (Part 14 and Part 15.) It was universally panned and it was clear that it would not make it through the minority liberal parliament. Not to be deterred – but to his credit — the Minister of Public Safety went back to the drawing board to try to find a way to make it minimally palatable for it to make it through Parliament. Notably, the current parliament is not as “minority” as it was when Bill C-2 was introduced.

I’m going to go through the Bill to let you know what it contains and what it is supposed to do. I’ll try to highlight the differences between what was attempted earlier in Bill C-2 and the changes they’ve made for Bill C-22, and I’ll also talk about what’s different from the current status quo.

The bill is in two parts, which parallel Parts 14 and Parts 15 of Bill C-2, the Strong Borders Act. In going back to the drawing board, I think the government has largely fixed the big problems with what was Part 14 related to warrantless information demands and new production order powers. But I think that Part 2 is still a HUGE issue.

Part 1 is called “timely access to data and information”.

It contains some amendments to the general search warrant provisions of the criminal code to permit the examination of computer data in conjunction with the execution of a warrant when it's authorized by a judge. The status quo, as I understand it, would require the seizure of the computer, returning to court and then getting further authorization to search it. This creates a bit of a One-Stop shop. Criminal law practitioners may have more to say about this provision.

The rest of Part 1 largely deals with new information demands and production orders. I should note at the outset that all the new information demands and production orders are equally available to the Canadian Security Intelligence Service as they are to the police. I’m just going to go through each of them once, rather than dealing with the Criminal Code and CSIS Act amendments separately.

The first significant new power that the bill conveys on law enforcement and CSIS is something called a “confirmation of service demand”. Something similar was in Bill C-2, but this has been significantly scaled back. Essentially the new section 487.0121 will allow any police officer or any public officer to make a demand to a telecommunication service provider requiring them to confirm whether or not they provide or have provided telecommunication services to any subscriber or client. This could be done using the person's name, account identifier, IP address or telephone number.

Confirmation of service demand

487.‍0121 (1) A peace officer or public officer may make a demand in Form 5.‍0011 to a telecommunications service provider requiring them to confirm, within the time and in the manner specified in the demand, whether or not they provide or have provided telecommunication services to any subscriber or client, or to any account or identifier, specified in the demand.

The conditions for making the demand are actually quite low, being “reasonable grounds to suspect” that a federal offense has taken place and that the confirmation that is demanded will assist inthe investigation of the offense.

Conditions for making demand

(2) The peace officer or public officer may make the demand only if they have reasonable grounds to suspect that

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the confirmation that is demanded will assist in the investigation of the offence.

The telecommunication service provider simply has to provide a yes or no answer. Do they or do they not provide services to that person or in relation to that identifier. This is MUCH better than what was in Bill C-2. The revised demand can only be presented to a telecommunications service provider. The Bill C-2 version could have been made to anyone who provides services to the public, including a doctor’s office or a law firm. The previous version would have required – without a warrant – producing information about the nature of the services and anybody else that the service provider knew who might also provide services to that person.

In Bill C-22, this is much more tailored and focused only on telecommunication service providers or TSPs.

I'm actually surprised that it doesn't include a requirement to confirm the municipality or location where the services are provided, because it's my understanding that a large part of the justification for this in the first place was so that not only would the police be able to determine whether this service provider is the right person to send a production order to, but also who is the local police of jurisdiction. On a daily basis, the RCMP in Ottawa receive international reports related to criminal activity in Canada, such as dissemination of child abuse imagery and that report only includes an IP address or account identifier. That information does not necessarily tell them who is the local police of jurisdiction to refer the file to. I guess the government was so sensitive to the pushback they received on Bill C-2, that they removed what seemed to be pretty innocuous information, which had a compelling justification.

While I think this is much improved, I am still very concerned that any peace officer or public officer who makes a demand is able to impose a non-disclosure condition for up to one year. That is a significant period of time. I would much prefer it if it was something short like 30 days, and the officer could go to court to get it extended.

Non-disclosure

(6) The peace officer or public officer who makes the demand may impose conditions in the demand prohibiting the disclosure of its existence or some or all of its contents for a period not greater than one year after the day on which the demand is made. The peace officer or public officer may impose the conditions only if they have reasonable grounds to believe that the disclosure during that period would jeopardize the conduct of the investigation of the offence to which the demand relates.

Not surprisingly, they have included in subsection (12), a provision that says a peace officer public officer can just ask a telecommunications service provider to voluntarily provide the confirmation, and this confirmation can be provided as long as the TSP is not prohibited by law from providing it. Then it goes on to say that the TSP that provides a confirmation in these circumstances does not incur any liability for doing so. The Bill has other, similar Safe Harbors for voluntary disclosure, but related to much more sensitive information.

Request for confirmation

(12) Despite subsection (1), no demand under that subsection is necessary for a peace officer or public officer to ask a telecommunications service provider to voluntarily provide the confirmation referred to in that subsection if the telecommunications service provider is not prohibited by law from providing it. A telecommunications service provider that provides a confirmation in those circumstances does not incur any criminal or civil liability for doing so.

The main feature in my view of Part 1 is a new “production order for subscriber information”.

Before we get into it, it's really important to note that the Criminal Code currently provides for something called a general production order by which a cop can go to a judge and if they have reasonable grounds to believe a crime has been committed or will be committed, they can get an order requiring a third party to produce records that are listed in the production order. On a daily basis, police seek and obtain subscriber information using these production orders. What is different here, mainly, is significantly lowering the threshold so that the officer only has to have reasonable grounds to suspect an offense has been committed. They don't even have to have reasonable grounds to believe it has been committed. They don’t even have to believe that a crime has been or will be committed.

Reasonable grounds to suspect doesn’t mean that they actually have to suspect a crime, it just means they have reasonable grounds that could make someone suspect a crime. This is extremely low.

So the new section 487.0142 says that on an ex parte application made by a peace officer or a public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

Production order — subscriber information

487.‍0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

Unlike the confirmation of service demand, this is not limited to telcos. This can involve anyone who provides services to the public. So this does include doctors offices, hotels, grocery stores and banks.

You will see that in subsection (2), it says that before making the order the Justice or judge must be satisfied by information on oath that there are reasonable grounds to suspect an offence has been or will be committed under the Criminal Code or any other Act of Parliament and the subscriber information is in the person's possession of control and will assist in the investigation of the offense.

Conditions for making order

(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.‍004 that there are reasonable grounds to suspect that

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

You should also note that this is not limited to serious crimes. These powers can be used for any offence under federal law, such as offences under the National Parks Act, like sleeping outside of a campground.

It is also important to understand what is included in “subscriber information”, and I will note some of the differences from Bill C-2 to Bill C-22. The bill says:

subscriber information, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person, means

(a) information that may be used to identify the subscriber or client, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.

In Bill C-2, subscriber information included any information provided by the customer to the service provider in order to obtain the services. This could have included banking information and passwords. It could have included medical information. Remember, such an order can be directed to a medical clinic. When you go to a clinic for the first time, you fill out a pretty detailed form related to your medical history, and that would be in the category of “information provided by the customer in order to receive the services”. Thankfully, that has been removed. The definition of subscriber information is much more scaled-back in Bill C-22, but information about the “types of services provided” along with device and equipment identifiers can be sensitive information that goes beyond mere identifying a possible suspect. For many people, their internet service provider is also their cable TV provider. Do those “services” include premium pay-per-view access? Hmm? Scaled back but still a bit too far.

This new bill also includes quirky “foreign entity information requests”. These are kind of weird because what it amounts to is an application to court to get permission to make a request, which is voluntary, to a foreign entity that provides telecommunications services.

So what they end up with is a piece of paper asking an entity to voluntarily provide subscriber information. It is not an order requiring the entity to produce the information, but it does have judicial approval in Canada. This is intended to address the question of whether Canadian orders can be enforced outside of Canada, or more accurately avoid that question entirely. It should be applicable where voluntary disclosure can be obtained and where the service provider wants to be sure that there is some third-party judicial approval. It also should mean that whatever information is obtained can be used in a Canadian court, because Canadian police have been authorized by a judge to obtain it. Personally, I think this is a really clever solution for a real issue.

Subsection 4 of this provision says that the production request can be required to include information required by the foreign entity, the foreign state or any magic words that are required by an international agreement or arrangement to which Canada and the foreign state are parties.

Earlier I mentioned the gag orders that can accompany a confirmation of service demand. Part 1 also amends the existing section 487.0191 of the Criminal Code to authorize a judge, on an ex parte application, to issue a gag order related to confirmation of service demands.

Part 1 of Bill C-22 also affects the scheme for judicial review of production orders generally, not just this new production order for subscriber information. It compresses the timeline during which the recipient of a production order is able to seek judicial review, in order to have it modified or revoked. That deadline will be “within 10 business days after the day on which the order was received”. In Bill C-2, it was way shorter – five days after the order was issued – and actually seemed to be designed to prevent the judicial review of production orders. I have seen production orders served more than five days after they are issued, so it would be too late by the time you received it. Ten business days is still pretty short, but much more reasonable than what was in the Strong Borders Act.

Part 1 of Bill C-22 also tweaks the existing provisions in the Criminal Code related to voluntary disclosure of information from any person to the police or a public officer. It says that documents or information can be provided voluntarily and it also says that no person incurs any criminal or civil liability for doing so.

For greater certainty

487.‍0195 (1) For greater certainty, no preservation demand, preservation order, keep account open or active order or production order is necessary for a peace officer or public officer to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving, to voluntarily keep an account open or active that the person is not prohibited by law from keeping open or active or to voluntarily provide a document or information to the officer that the person is not prohibited by law from disclosing.

No civil or criminal liability

(2) A person who preserves data, keeps an account open or active or provides a document or information in those circumstances does not incur any criminal or civil liability for doing so.

It's kind of extra weird because subsection (1) says “hey you can voluntarily provide it if a law doesn't prohibit you from voluntarily providing it”. Then subsection (2) says if you provide it, you will have no criminal or civil liability. If no law prevented them from providing it, why do they need immunity from criminal or civil liability?

This actually does NOT fix the issue that arose in the Supreme Court of Canada case of R v. Bycovets. In that case, a payment service processor voluntarily provided IP address information related to suspected fraudulent transactions, and the Supreme Court of Canada said that the police were not able to use that information or even obtain it without a production order. This does nothing to address that issue. The Bykovets issue is still there.

We then have a new subsection (3) that says:

For greater certainty, no production order or warrant, or confirmation of service demand made under section 487.‍0121, is necessary for a peace officer or public officer to receive any information from a person or a telecommunications service provider, as the case may be, who is lawfully in possession of it, and to act on the information, if the person, without being asked for it, provides it voluntarily or is required by law, including a law of a foreign state, to provide it.

There’s also a new subsection (4), which says:

This seems pretty similar to what was included in Bill C-2, and received a lot of criticism. A number of smart folks were very concerned that hacked information and data leaks are included in what would be considered information that is available to the public. Should the police have the ability to exploit data that became public unlawfully? But here they can use it willy-nilly. I share this concern.

Bill C-22 also amends the current provision in the Criminal Code related to what are called “exigent circumstances”. Police can search and demand a whole range of data without a warrant or a court order if the conditions for obtaining an order exist, but by reason of exigent circumstances it would be impracticable to obtain an order. It is not all that new, but just extends the authorities to include the new production order powers.

487.‍11 A peace officer or public officer may, in the course of their duties,

(a) exercise any of the powers described in section 487 [search warrants], 492.‍1 [tracking warrants] or 492.‍2 [transmission data recorder] without a warrant if the conditions for obtaining a warrant exist but by reason of exigent circumstances it would be impracticable to obtain a warrant; or

(b) seize any subscriber information that may be the subject of an order made under subsection 487.‍0142(1) [subscriber information] or any data that may be the subject of an order made under subsection 487.‍016(1) [transmission data] or 487.‍017(1) [tracking data] if the conditions for obtaining an order exist but by reason of exigent circumstances it would be impracticable to obtain an order.

We will see that tracking things and tracking people is a theme of this bill. Bill C-22 adds a new subsection to section 492.1 related to tracking orders. These are orders that are obtained from a judge authorizing a police officer or a public officer to obtain tracking data related to a person or a thing. Subsection (2.1) is being added to permit an authorization to track other things that might be associated with a person where that thing might not have been known to the officer at the time.

Tracking similar things

(2.‍1) A justice or judge who authorizes a peace officer or public officer to obtain tracking data that relates to the location of a thing that a person uses, carries or wears may, in the warrant, authorize the peace officer or public officer to obtain tracking data that relates to the location of any similar thing that is unknown at the time the warrant is issued if the justice or judge is satisfied that there are reasonable grounds to suspect that the person will use, carry or wear that similar thing.

Scope of warrant

(3) The warrant authorizes the peace officer or public officer, or a person acting under their direction, to install, activate, use, maintain, monitor and remove the tracking device, including covertly. The warrant also authorizes a person acting under the direction of the peace officer or public officer to obtain the tracking data that is authorized to be obtained under the warrant.

I can imagine this would include getting an order to track somebody's vehicle, and to add on authority to track their phone and maybe their smartwatch. Subsection (3) is also amended to say that an officer can authorize somebody else to obtain the tracking data authorized to be obtained under the warrant.

Parallel amendments are made to the similar Criminal Code provisions related to transmission data warrants.

So that's largely what is in Part 1 of the new Lawful Access Act, 2026. As you can see, while there are some things to quibble over, it is a significant improvement from what was in Part 14 of the Strong Borders Act.

Now we are going to look at Part 2, which I think is and remains a huge problem. The outcry associated with the Strong Borders Act was principally focused on warrantless information demands and overbroad subscriber information orders. In a lot of the debate and discussion, Part 15 of that Bill was largely ignored. I really hope that the equivalent of that Part in Bill C-22 gets as much attention as it deserves.

In a nutshell, Part 2 will require a huge range of service providers – well beyond traditional telecommunications service providers – to build in real-time interception and monitoring capabilities so that cops and national security folks can just plug into the systems to access data when “authorized” to do so.

Currently the cops can go to a judge and get a wiretap order to intercept the communications of a suspect in real time. They can go to a judge to get an order for just about any data that currently exists.

What the cops are generally complaining about is that there isn’t a consistent interface for them to plug into and get the data among all the telcos out there. I can see that kind of sucks.

But what they’re not emphasizing is that Part 2 of Bill C-22 will likely require telcos, AND cloud providers, AND social media companies, AND ai chatbots, AND VPN services, AND chat services and the like to build in not only the capability for Canadian police to plug directly in, but Part 2 will also require them to build in additional surveillance tools and collection capabilities that go well beyond what data the company actually needs to provide you with services.

I lived in Romania just after the fall of the Iron Curtain. It was purported that the state security police had the capability to turn any landline telephone into a room bug with the flip of a remote switch. Part 2 of Bill C-22 could permit a secret order directed at telcos to create this capability. The Minister of Public Safety could order Samsung to turn your smart fridge into a listening device. The same with your Smart TV or Smart speakers. I find that worrisome.

So let’s talk about specifically what is in Part 2 of Bill C-22.

Part 2 creates a new standalone statute called the Supporting Authorized Access to Information Act or SAAIA. Section 3 sets out its purpose:

3 The purpose of this Act is to ensure that electronic service providers can facilitate the exercise of authorities to access information that are conferred on authorized persons.

So it talks about authorities that are conferred on authorized persons to access information. It doesn't say “lawful authorities”, nor does it say “judicially authorized authorities”. It just says authorities. From the discussion about Part 1, it’s clear that the police and CSIS are authorized to obtain data without a warrant by just asking for it.

The Supporting Authorized Access to Information Act has “electronic service providers” in its crosshairs. It is therefore really important to understand what an electronic service provider is. ESP is defined in the bill, as is an electronic service.

electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that

(a) provides the service to persons in Canada; or

(b) carries on all or part of its business activities in Canada.‍

You will note that it says it provides an electronic service, “including for the purpose of enabling communications”. The use of the word “including” clearly signals that it is not limited to those providers who are strictly engaged in communications. It goes broader than that. We can see from the very broad definition of electronic service:

electronic service means a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.‍

Hey, I am in the business of creating information in digital form. What is a YouTube video, or podcast? Or emails to my clients. My law firm is in the business of creating information in digital form. The Canadian Broadcasting Corporation, the Globe and Mail and the Canadian Press are in the business of creating information in digital form. I am not sure that any business exists in Canada that is not some way or somehow creating, processing or storing digital information. This is dramatically broad. In conversations I have had with people from Public Safety, it is clearly their intent to cover traditional telcos, internet service providers and ALSO cloud computing providers, social media providers and online game services. Again, this is dramatically broad.

The Bill is going to deal with two broad categories of electronic service providers. The first is something called a “core provider”, and there will be subcategories of core providers. The second group is the rest of the universe that could fit into the category or definition of “electronic service provider”.

The categories of core providers are to listed in the schedule to the Act, which is currently blank, not surprisingly. So these core providers are going to be subject to a number of obligations that will be set out in the regulations. Subsection (2) describes these obligations, but note the use of the word “including” which means that the regulations and the obligations can go well beyond what is listed in subsections (a) through (d).

(a) the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;

This is essentially a requirement to build in the operational and technical capabilities to enable access to information on the core provider’s infrastructure or within their systems.

(b) the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information;

This can require core providers to install particular devices or equipment on their infrastructure.

(c) notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b); and

It’s not yet clear what these notices are all about ….

(d) the retention of categories of metadata — including transmission data, as defined in section 487.‍011 of the Criminal Code — for reasonable periods of time not exceeding one year.

The requirement to retain metadata was NOT in Bill C-2, the Strong Borders Act. This is very concerning. There are some small protections about this, in subsection (4). That says:

(4) Paragraph (2)‍(d) does not authorize the making of regulations that require core providers to retain information that would reveal

(a) the content — that is to say the substance, meaning or purpose — of information transmitted in the course of an electronic service;

(b) a person’s web browsing history; or

Ok. That’s some protection. But it does not put location information out of scope, which is concerning. The government clearly wants all cellphones to be trackable, and under this authority they can be required to save your detailed location history for a full year.

Subsection (3) lists a number of factors that the government must take into account in creating and drafting the regulations which place the specific obligations on the core providers. These include …

(a) the benefits of the regulation to the administration of justice, in particular to investigations under the Criminal Code, and to the exercise of powers and the performance of duties and functions under the Canadian Security Intelligence Service Act;

(b) the feasibility of compliance with the regulation for the core providers;

(d) the potential impact of the regulation on the persons to whom the core providers provide services;

(e) the potential impact of the regulation on privacy protection and cybersecurity; and

(f) any other factor that the Governor in Council considers relevant.

I am glad that they have included the potential impact on privacy and cybersecurity. I would like it if it required the government to release their analysis of all these considerations along with the regulatory impact analysis statement that will accompany the regulations when they are first published.

The only good news when dealing with core providers is that these requirements will be in a regulation that will be public. We will be able to understand, at least in general terms, what obligations are being imposed on these core providers.

There is another bit of small comfort in subsection (5) which says

(5) A core provider is not required to comply with a provision of a regulation made under subsection (2), with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.

Of course, this turns on what is a “systemic vulnerability”, which is defined in the bill:

systemic vulnerability means a vulnerability in the electronic protections of an electronic service that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so.‍

electronic protection means authentication, encryption and any other prescribed type of data protection.‍

Note that it is limited to systemic vulnerabilities in “services”. It does not include devices or processes. Just the services themselves. Professor Robert Diab has pointed out that there’s enough wiggle room in this for the Minister to say that an operating system, such as Windows or iOS is not a “service”. Firmware is a part of the device, so please root them all. (The use of the word “please” is only because we’re Canadian … it would actually be an order.)

Also, what this does NOT say is that the government is prohibited from requiring an ESP to circumvent or undermine encryption. We have been told by the government that they would never do that, but they do not seem willing to put it in the law.

The second significant power contained in the Supporting Authorized Access to Information Act are ministerial orders, set out in Section 7. Essentially, the minister of Public Safety can issue secret orders directed at any one or more electronic service providers to implement measures that could have been contained in a regulation for a core provider, but these are secret and would be limited to a defined time period. Of course this time can be extended at the discretion of the minister. These orders can also be directed at ESPs that are already core providers. Bonus requirements!

The only real protection introduced since the Strong Borders Act is in subsection (2), which says that these secret orders must be approved by the Commissioner designated under the Intelligence Commissioner Act. I think this is a real protection, principally because the intelligence commissioner has to be a former Superior Court judge who would have spent a career dealing with criminal law matters and Charter rights. He is currently entrusted with approving certain National Security orders as a form of semi-judicial oversight. This is, in my view, real progress.

Subsection (3) of Section 7 sets out the sorts of considerations that the Minister has to take into account before issuing a secret ministerial order. This parallels the considerations that the government would have to take into account in issuing regulations affecting core providers.

And subsection (5) has a parallel provision saying that

(5) The electronic service provider is not required to comply with a provision of the order, with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.

Section 14 creates an obligation for all electronic service providers to assist a range of people to do a range of things on the Minister’s request. Remember, while we review this, that my law firm, your doctor’s office and Apple are all “electronic service providers”. It reads:

14 (1) On request made by the Minister, an electronic service provider must provide all reasonable assistance to a person or class of persons specified in the request to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.

Persons to be assisted

(2) Only the following persons or classes of persons may receive assistance:

(a) the Minister;

(b) an employee of the Canadian Security Intelligence Service;

(c) a person appointed or employed under Part I of the Royal Canadian Mounted Police Act or a civilian employee referred to in section 10 of that Act;

(d) a civilian employee of another police force;

(e) a peace officer, as defined in section 2 of the Criminal Code.

There is some protection in subsection (4) so that “the assessment or testing must not have the effect of granting access to personal information.”

One of the huge problems I have with these Ministerial Orders is the mandatory secrecy that surrounds them. Without exception, under section 15, an ESP is prohibited by law from revealing that they are subject to an order, the substance or contents of an order, any dialogue they’ve had with the Minister in connection with any order.

This is draconian, overbroad and frankly offensive. There’s no requirement that the Minister be satisfied that disclosure of this information would be harmful to law enforcement or to national security. There is no sunset and no means by which an ESP can challenge the gag order if they think it’s in the public interest to disclose the information. I am not sure that this provision, on its own, would survive a Charter challenge. It also means that a foreign company can’t advise their own government that they are subject to an order.

I can’t help but think of the fact that under the UK equivalent of this law, Apple was issued with a secret order to circumvent or turn off encryption on iCloud. Apple couldn’t tell anyone, yet it somehow leaked. The United States government was of the view that this was contrary to an agreement between the UK and the US, but Apple was prohibited by UK law from letting their own government know what shenanigans the US’ own ally was engaging in.

The bill does anticipate at section 17 that ESPs may seek judicial review of a Minister’s order, but the cards are again stacked in favour of secrecy, and conducting its business outside of public scrutiny.

Section 18 allows the government to make a range of regulations related to confidentiality and security. These are scaled back from the absurd scope anticipated in the Strong Borders Act. There are security and confidentiality rules for judicial proceedings provided for in subsection (b). Subsections (c) and (d) authorize regulations related to ESP employees and contractors involved with law enforcement and national security access to information, including security clearances and where they are located, and where facilities are located. As I understand it, most American service providers run this function from the US and I’m sure they will not be interested in moving that to Canada or having their employees subject to Canadian security clearances. I would imagine that some companies will just decide to not do business in Canada.

Part 2 also contains a whole regulatory oversight structure, with inspections, audits and penalties. I’m not going to get into that today.

Throughout this discussion, I can’t help but be reminded that the US has had something similar in their laws for some time, and the mandated intercept capabilities were used by Chinese hackers to get access to data.

The "Salt Typhoon" hacking incident, attributed to a Chinese state-sponsored advanced persistent threat (APT) actor, came to light in late 2024 with revelations that the group had extensively compromised the computer systems of multiple major US telecommunications companies. The stolen information included call and text message metadata, and in some high-profile instances, even audio recordings of phone calls belonging to government officials and political figures.

A critical factor facilitating the Salt Typhoon incident was the very infrastructure put in place to comply with the Communications Assistance for Law Enforcement Act (CALEA). Enacted in 1994, CALEA mandates that telecommunications providers build "lawful intercept" capabilities into their networks to allow law enforcement and intelligence agencies to conduct court-authorized wiretaps. While intended for legitimate surveillance, these mandated "backdoors" created inherent vulnerabilities within the telecom networks. Salt Typhoon exploited these CALEA-mandated systems, effectively turning the tools designed for lawful access into pathways for unauthorized espionage.

This is what’s coming to Canada …

So let’s bring this down to earth and make it more concrete. At a technical briefing this week, the government offered only two examples for why they think we need the Supporting Authorized Access to Information Act:

CSIS cannot track a cellphone

CSIS is trying to determine the movements of a terrorist group and has received a warrant to track a person of interest’s cellphone. The electronic service provider did not have the necessary capabilities to track the device because they are not required to. As a result, CSIS had to resort to costly and risky in-person surveillance.

With C-22: The GIC will have the authority to make regulations requiring that ESPs develop and maintain location tracking capabilities that are standard in Europe and among the Five Eyes.

First of all, I don’t really care what they are doing in the other Five Eyes. Essentially, the UK, Australia and New Zealand don’t have a Charter of Rights and Freedoms and their surveillance laws reflect that. And the law doesn’t we’ll just do what they do in “Europe and among the Five Eyes.” I bet the Chinese security services have this capability.

Let’s take a moment to ponder this scenario and what it means. CSIS wants to be able to track any cellphone in real-time, with a warrant. That means that they want every cellphone in Canada to be a tracking device. And they want historical metadata – which includes location data – retained for one year.

The second example is equally sympathetic, but shows that the government wants everyone to be carrying a tracking device:

Police cannot consistently obtain location information

An at-risk 16-year-old girl was reported missing. She had already been missing for 10 days when she made an emergency call. The telecommunications provider was able to confirm the call and the tower used to make the call but could not provide the last known location of the phone before it was disconnected since they are not required to have that capability.

With C-22: Core providers would be required to maintain accurate and consistent localization capabilities across the country.

That device in your pocket will be a tracking device. And the law doesn’t say that this data can only be accessed if you’re a suspected terrorist or a missing teenaged girl. It can be tracked by ANY police agency in Canada with an order issued merely on “reasonable grounds to suspect.” Judicial authorization isn’t even required in a whole bunch of cases: There are dozens of laws that permit regulators and others to access this data without judicial authorization.

“If you build it, they will come.” And the government wants ESPs to build the surveillance infrastructure for them, to which the police and others will almost certainly come. And this is even without considering that the backdoors will be a HUGE target for cybercriminals and threat actors.

I don’t think that the government has come close to making any sort of compelling case for Part 2 of Bill C-22, and certainly not one that convinces me that the public safety interest in building all of this surveillance infrastructure outweighs the privacy and cybersecurity risk of doing so.

We should also be looking at this through the lens of what we have now. If the police or CSIS get a production order, a wiretap order or a tracking order, they can also ask the judge to issue an “assistance order”. This is an order, directed at the service provider, ordering them to give all reasonable assistance, reasonably required to give effect to the production order, wiretap order or tracking order. On every occasion when I have brought this up with “lawful access” supporters, nobody has been able to point me to any problems with this. Assistance orders are like one-off ministerial orders that are appropriately tailored to the case and circumstances, and are signed off by a judge. And they’re subject to judicial review. I’m not sure the current system is broken. It just doesn’t give the police friction-free access to the universe of data that they want collected on their behalf.

I expect I’ll probably have more to say about this as Bill C-22 works its way through Parliament. I will reiterate that I’m glad the government largely went back to the drawing board and largely fixed Part 1. Part 2 is better than it was before, but I don’t think it should be passed in its current form. It is wildly problematic.

Wednesday, March 04, 2026

PIPEDA: Canadian Privacy Law 101 - a primer on the privacy law that regulates businesses in Canada

An overview of privacy law that regulates private sector businesses in Canada (or those outside of the country who deal with personal information of Canadians): the Personal Information Protection and Electronic Documents Act (PIPEDA).

Introduction

Today I'm going to be talking about Canadian privacy law—a bit of a primer on the subject that will hopefully be useful for a range of folks.

This is intended to be general information, an overview, and a primer. This is a complicated area of the law, and it's one that is changing regularly and one that is really primed to change again in a significant way.

Look at the date on this; the information may become out of date relatively quickly. We expect that there will be a new bill presented in Parliament to completely replace our current federal privacy law. So you might ask “why do an overview of a law that’s on its way out?” Well, even if we do get a new privacy bill in the spring of 2026 and it passes, I expect it’ll be years before it is fully implemented.

And any new law will likely be very similar, a least in many significant ways.

So, what I'm going to talk about is why Canada has so many privacy laws to begin with. Then I'm going to focus specifically on Canada's federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Within that, I'm going to talk about some key concepts that are contained in the legislation. I'll talk about the 10 principles that PIPEDA, the federal privacy law, includes. I'm going to talk about how the legislation is enforced, and then I'm going to finally talk about data breach notification as it exists in the Personal Information Protection and Electronic Documents Act. Throughout, I’ll touch on some of the similarities and differences between our various privacy laws.

The Canadian Privacy Landscape

So, what's the current privacy law landscape in Canada? Well, we have a mosaic of privacy laws, or you could even say we have a mess of privacy laws. Canada is a federal country, and unfortunately, I’ll have to talk a bit about federalism.

But across the country from coast to coast to coast, pretty well all government activity is subject to one form of privacy law or another. All private businesses operating in Canada are subject to a variety of privacy laws. The healthcare sector is subject to privacy laws in varying ways in different provinces. And the private sector workplace is really not subject to much regulation other than what's called a federal work undertaking (your business within federal jurisdiction) or private sector workplaces in British Columbia, Alberta, and Quebec.

Canada is a federal country. We have a federal government, and we have provinces and we have territories. And the Canadian Constitution gives certain jurisdictions, or certain forms of jurisdictions, certain powers. So it's divided between the federal government and the provinces. The territories are within federal jurisdiction.

Within our constitution, provinces have exclusive jurisdiction to legislate over what's called "property and civil rights," and this generally includes privacy. And so the provincial governments have exclusive jurisdiction over privacy when it's a matter of property or civil rights. The federal government has jurisdiction over something called "general trade and commerce," which is actually less general than you might think it is. And the federal parliament also has jurisdiction over federal works, undertakings, or businesses. Those are telecommunications companies, federally chartered banks, airlines, inter-provincial works, and things like that.

Only the provinces can pass “true” privacy laws, but the federal government can regulate how businesses manage personal information. So what we end up with is overlapping or potentially overlapping jurisdiction for privacy.

In Canada, we don't have federal supremacy where the existence of a federal law will automatically override a similar or identical provincial law. So we have a situation where the federal government has jurisdiction over certain things, and privacy can be characterized as a matter of regulating the general trade and commerce in Canada, and provinces have jurisdiction over privacy as a matter of property and civil rights. And so the two have to find a way to co-exist. It's not that elegant, but generally, it works in Canada.

Each provincial and federal government can clearly regulate themselves—there's no doubt about that under the Canadian Constitution. And the provincial public sector also includes what we sometimes call the MUSH sector: Municipalities, Universities, Schools, and Hospitals. So provincial and federal governments and their Crown corporations, for example, and their agencies are subject to federal or provincial public sector privacy laws.

Some provinces have specific statutes for the health sector, and I'm not going to get into that too much.

At least in the private sector, we have a possibility of overlapping and contradictory jurisdiction since the provinces can regulate privacy as a matter of civil rights, and the federal government can regulate how businesses collect, use and disclose personal information. When the federal Personal Information Protection and Electronic Documents Act was passed, only one province – Quebec – already had a private sector privacy law. Quebec is very protective of its jurisdiction, so to try to avoid fights, the federal parliament built in a mechanism by which the federal government could cede jurisdiction for privacy in a province that has a substantially similar law.

Currently, Quebec, Alberta and British Columbia have general private sector privacy laws that are deemed to be substantially similar, so the federal law does not apply in those provinces where the provincial law applies. The same has been done for a number of health privacy laws, like the ones in Ontario, Nova Scotia, New Brunswick, Prince Edward Island, and Newfoundland and Labrador.

Development of PIPEDA and the CSA Model Code

Though we could have just looked at the European Data Protection Directive that was enacted in 1995, Canada did its own "made in Canada" solution. In the 1990s, the Canadian Standards Association (CSA), which sets standards for electrical devices and business processes, did a very broad consultation and came up with what was intended to be a self-regulatory code for privacy in Canada. It’s called the Canadian Standards Association Model Code for the Protection of Personal Information. This was adopted in 1996 as a national standard of Canada.

Importantly, it was developed with a wide range of consultations across a large number of industries. There was also general consensus that it was pretty good. If you have an international background in privacy, you'll see that it has a significant kind of overlap and echoes of the OECD guidelines from the Organization for Economic Cooperation and Development. Now the OECD guidelines have eight guidelines; the CSA model code has 10 general principles. I'm going to go through each of those 10 principles and talk about how they're implemented within Canada.

So how was PIPEDA developed? In the 1990s, when the government of Canada wanted to use the general trade and commerce power to implement a privacy law. Rather than coming up with one from scratch or poaching the European Data Protection Directive, the then federal government just decided to implement the CSA model code. We have this great code, there’s a lot of consensus around it and we want to come with a privacy law. Why look further afield?

And so PIPEDA is an unusual statute in a bunch of ways. It has two parts: one part related to personal information protection, the second part related to electronic documents. Essentially, the “Personal Information Protection Act” and the “Electronic Documents Act”, but they jammed them both into one Act. Part one covers privacy, but they slapped the CAS Model Code for the Protection of Personal Information onto the back of it, and says that those organizations that are subject to these rules have to follow the CSA model code.

Now there are quite a few exceptions. The legislation has also been updated a couple of times. The most significant revamp was with the Digital Privacy Act a number of years ago, which put in place data breach notification requirements that I'm going to talk about later on, and also implemented an exception to the consent rule related to certain kinds of business transactions.

Now PIPEDA was designed to be adequate for the purposes of the European Data Protection Directive for cross-border data transfers out of Europe. Even though PIPEDA is really, really old, its adequacy was just renewed in January of 2024.

Key Concepts: Commercial Activity and Personal Information

So how does PIPEDA work? What organizations and activities does it apply to?

A key concept that one needs to understand in order to understand PIPEDA and how it works is the concept of "commercial activity". PIPEDA is based on the general trade and commerce power that the federal government has over within the Canadian Constitution. And PIPEDA was designed to go as far as federal jurisdiction would permit it to do. So PIPEDA applies to the collection, use, and disclosure of personal information in the course of commercial activity. It also applies to workplaces and employee personal information but only for federal works, undertakings, and businesses. Those are the kinds of enterprises that are within exclusive federal jurisdiction. (Think airlines, federally chartered banks, telecommunications and the like.)

We also have to talk about a key concept called "personal information". The statute is all about personal information. If you're not talking about personal information, this statute does not regulate it. And personal information, in short, means any information about an identifiable individual, excluding certain business contact information when that business contact information is used to contact an individual in their business role. But it's a very broad definition, so it's any information related to an identifiable individual. So if you can identify the individual from that information, it is going to be personal information.

If it's reasonable that you could identify an individual from that information, or you could correlate that information to an individual, it will also be considered to be personal information. And so that clearly includes somebody's name, their address, their income, health information, demographics, Social Insurance Number, their image, their photograph, biometrics, and things like that. So it's quite a broad definition. If information is adequately anonymized so there's no reasonable possibility of connecting it to an individual, then it would be out of scope of the legislation and the law would not apply to it.

Now an important thing—and this mainly comes up with dealing with American companies and American lawyers—is that whether information is personal information and therefore subject to regulation doesn't matter whether it's "private" information. It doesn't matter whether that information is publicly known or publicly shared. It really has nothing to do with your expectation of privacy in that information. If it is information about an identifiable individual, it is in scope of the legislation and regulated. There may be some consent exceptions related to publicly available information, but those actually seldom come into play because they’re so narrowly tailored.

PIPEDA also has a baseline "reasonableness" requirement. So an organization can only collect, use, or disclose personal information for purposes that a reasonable person would consider are appropriate in the circumstances. And that’s regardless of whether there’s consent.

This provision was seldom used until recent Privacy Commissioners started to look more closely at whether or not the purposes for which certain businesses collect, use, or disclose personal information are reasonable. They sometimes call these “no go zones”. Again, if the purposes are not reasonable, it does not matter whether you have the individual's consent; this is an absolute kind of guardrail sort of provision. Now of course, what is reasonable in the circumstances could differ significantly from one person's point of view to another, and I draw the line in a different place than the Commissioner often does, but this has to be understood as a baseline principle.

The 10 Principles of the CSA Model Code

Recall that the law essentially says: “Behold the CSA Model Code! If you’re engaged in commercial activity, thou shalt follow it!”

Now all 10 principles can be found to greater or lesser degrees in all privacy laws in Canada. Also in the Privacy Act, which regulates the federal government and its agencies. So the CSA model code has 10 principles, and I'm going to walk through all 10 and talk about how they are implemented within the Canadian PIPEDA framework.

Principle 1: Accountability

The first principle is called accountability.

This says an organization is responsible for personal information under its control and has to designate an individual or individuals who are accountable for the organization's compliance with the 10 principles of the CSA model code. That doesn't mean that that individual or those individuals are personally liable. They’re not the folks who get arrested by the privacy cops in dawn raids.

But what it means is that an organization has to appoint a privacy officer. There has to be somebody or a group of somebodies who are responsible within the organization for making sure that these rules are followed, so there's internal accountability. The Code doesn’t say they have to have a particular title, but they’re generally also the privacy spokesperson for the organization, the liaison for customers, and the person who deals with our privacy regulators if necessary.

What it also means is that the organization remains accountable for personal information that it has collected, used, or disclosed, even if it transfers that information to another party to handle it on its behalf.

This is similar to the notion of "controllers" and "processors" in Europe. We do not use the exact same language, but the principle is applicable. If you are the organization that is facing the customer and you have collected personal information from that customer for your purposes, and then you give it to a contractor to manage on your behalf, the first organization remains legally responsible for it and has to make sure that there are contracts in place with their service providers so that the contractors will handle it only on their behalf and will do all the necessary things to remain compliant with the law.

If the contractor screws up, the responsibility remains with the original organization. You can’t contract out of ultimate responsibility under Canadian privacy law.

There is a very important distinction between a "transfer" and a "disclosure". An organization can transfer personal information to a contractor without consent where the contractor is only going to use it as a processor on behalf of the original organization. If it is shared with another organization so that the recipient organization can use it for their own purposes, then that’s a disclosure. A disclosure requires consent, and the company that gets the personal information becomes legally responsible for managing it and protecting it.

Principle 2: Identifying Purposes

The second principle is called identifying purposes. I think this is one of the most important of the ten principles.

The CSA model code says the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. This has two parts:

(1) the organization has to identify – and hopefully document – what it proposes to do with the personal information; and
(2) the organization has to communicate those purposes to the individual before it collects their personal information.

And it really should be noted that privacy policies seldom satisfy this requirement. Because the purposes have to be identified to the individual at or before the time the information is collected, just having a privacy policy on your website does not provide any assurance that the customer or the individual has read, understands, or knows what those purposes are.

One exception may be, for example, on account creation where an individual is required to flip through the privacy statement prior to creating an account and then clicks "I agree".

So what this means in practice is that every organization has to document internally what are all the purposes for which they collect, use, or disclose personal information. Those documented purposes have to be communicated to the individual at or before the time the personal information is collected. Now that can be done orally or it can be done in writing, but the important thing is that it has to be done.

And employees who collect personal information on behalf of a company need to be able to explain the purposes to individuals. This information needs to be provided in a manner that you could have some reasonable confidence that they understand what those purposes are, they understand what it is that they're agreeing to.

Principle 3: Consent

Principle 2 is linked very closely with Principle 3. Principle 3 is the consent principle, and this says the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Now notice that I've struck that out—"except where inappropriate" no longer applies. The only exceptions to the consent rule are contained in the statute itself in Section 7.

That may have made some sense when the CSA Model Code was designed to be a voluntary code and the organization could determine when it was not appropriate. But under PIPEDA, organizations don't get to choose whether or not it's inappropriate to seek consent. Consent is the only basis upon which personal information is collected, used, or disclosed, unless those exceptions apply. And those exceptions are significant outliers.

So unlike in Europe where there are other grounds for processing personal information in the private sector, consent is the principle that is at play in Canada.

This consent has to be informed consent; that’s why Principle 2 (identifying purposes) is so important. The individual has to be told at or before the time the information is collected what the purposes are for the collection, use, or disclosure of personal information. And those “purposes” are the parameters for the consent obtained.

The principle also says that the form of the consent is going to be dependent upon the sensitivity of the information. So the more sensitive the information, the greater the burden of consent. Expectations also come into play. If the consumer expects you to use it for the obvious purposes, consent can be implied.

So you can have opt-out consent where the information is really not sensitive. Opt-in consent would be preferred in most cases. If you're dealing with sensitive information—health information, information about somebody's intimate life or family life or things like that—you would want to make sure that they expressly agree that their information can be collected, used, or disclosed for that purpose.

Written consent should be used in a range of cases, particularly where you’re going to want a record of the consent and a clear record of what was consented to.

This principle also says you cannot require that an individual consent to a collection, use, or disclosure of personal information that's not necessary to fulfill the explicitly stated and legitimate purposes.

Individuals can withdraw consent. This is similar to the European "right of erasure" but not identical. So an individual can withdraw consent at any time, but the organization has the obligation of telling the individual what are the consequences of that withdrawal of consent. For example, the organization might not be able to provide services to the individual if the individual does not consent to the collection, use, and disclosure of personal information that's necessary for the provision of those services.

And the consent of an individual is only valid if it is reasonable to expect that the individual would understand the nature, purposes, and consequences of the collection, use, or disclosure of the personal information to which they're consenting. This highlights the importance of being clear to the individual what those purposes are and having confidence that the individual does in fact understand what those purposes are.

Principle 4: Limiting Collection

Principle 4 is closely aligned with Principle 5, and both of them link back to Principle 2 of identifying the purposes. So Principle 4 says the collection of personal information shall be limited by that which is necessary for the purposes identified by the organization.

So you can only collect personal information that's reasonably necessary for the purposes that you've identified. You cannot collect any more personal information if it's not reasonably necessary for those purposes. And information shall be collected by fair and lawful means, so no use of deceit or trickery or anything else like that.

Note again, this loops back to the purposes identified in Principle 2. Those purposes set the guardrails.

Principle 5: Limiting Use, Disclosure, and Retention

And then Principle 5 leads us to: “you can only use personal information or disclose personal information for the purposes that have been identified.” Again, so much of this comes back to clearly identifying the purposes to the individual. And those purposes create significant guardrails around that information. That information cannot be used for any other purpose unless you go back to the individual, you identify the new purposes, and you get new consent for that.

There's also a requirement to limit the retention of personal information. Personal information shall only be retained as long as is necessary for the fulfillment of those purposes. So the organization needs to clearly document what the purposes are and what the lifecycle of the data is.

The law doesn’t specifically say you need a written document retention plan, but you really should have one. When it is no longer necessary for the purposes that are identified, that information has to be destroyed. Notably, it also says it can be made anonymous; if it's made anonymous, then it's no longer personal information and no longer subject to the legislation.

Principle 6: Accuracy

Principle 6 is the accuracy principle, and this says that personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. And so again, it ties back to the purposes that have been identified to the individual.

This principle really only comes into play when personal information is used to make a decision about somebody. And so an organization needs to make sure that the information is as accurate as it needs to be for those purposes, probably taking into account what are the consequences of that decision to the individual. But information should not routinely be updated "just because".

Principle 7: Safeguards

Principle 7 is a key principle, it's entitled "Safeguards". Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. And it goes on to say that personal information must be protected from many threats: loss, theft, unauthorized access, unauthorized disclosure, copying, use, modification. And this obligation exists regardless of the format in which it is held.

Now you'll note that this is principles-based. This requires an organization to use safeguards that are reasonable and appropriate in light of the sensitivity of the information. So we don't have prescriptive rules that say this sort of information must be encrypted or this sort of information must be kept under lock and key.

This is designed to be technologically neutral and so that it would survive over time. So this was written in the late 1990s, became law in 2001, and so what are “reasonable safeguards” now would differ substantially from what would be reasonable safeguards in 2001. It's intended to be flexible and fluid.

What I generally tell my clients is that you need to implement at least the "state of the art" of security safeguards that are prevalent in your industry—not just in Canada, but also look internationally. And try to do one better than that.

This doesn't require a standard of perfection. The safeguards need to be reasonable and appropriate in the circumstances. A company is NOT expected to spend a million dollars to protect a hundred dollars worth of personal information. And as information technology systems get more complicated, safeguarding that information gets more complicated and more difficult.

Principle 8: Openness

Principle 8 is called openness. An organization shall make readily available to individuals specific information about its policies and practices related to its management of personal information. So this essentially means the organization has to have a privacy policy. The privacy policy is not about identifying the purposes in order to get consent; the privacy policy is in order for the organization to be open and transparent.

That privacy policy has to have contact information for the privacy officer—doesn't have to name them, but has to have the contact information. It has to tell the individual how they can exercise their access rights.

It has to educate the individual with the general account of what personal information the organization routinely collects, uses, and discloses, and how it is used. This can be done through brochures or through the website or other things like that. And the organization also has to let the consumer know what personal information is made available to related organizations.

The Privacy Commissioner Canada has also said the privacy statement should include information about what personal information may be stored outside of Canada, transferred outside of Canada, or accessed from outside of Canada. That is not in the statute, but that certainly is a best practice. The Alberta and Quebec privacy laws make those disclosures mandatory.

Principle 9: Individual Access

Principle 9 is individual access. So upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. In that process, an individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. So this is a data subject access right. The organization has to respond within 30 days.

And the organization needs to let the individual know to whom their information may have been disclosed. So organizations effectively have to keep a record of how they use personal information and to whom it's been disclosed.

This access should be at minimal or at no charge, and the information provided needs to be comprehensible to the individual, so abbreviations and technical terms may need to be explained.

There are some limitations and some exceptions to this access right, such as confidential business information, third party personal information and information that is privileged.

What is interesting is that this right is not exercised as often as you think it might be in Canada.

Principle 10: Challenging Compliance

The final principle is called challenging compliance. And this says an individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals who are accountable for the organization's compliance.

This is just common sense. The organization will want to hear complaints first before the individual goes to the regulator. The organization will probably want to have an opportunity to address them and to fix them before an individual chooses a more formal path of recourse. And must have a method to receive complaints, address them properly, and need to let the individual know that they have a right to complain to the appropriate authority.

Enforcement Powers

So now I'm going to talk about enforcement powers under Canadian privacy laws. The Personal Information Protection and Electronic Documents Act is overseen by the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Canada, sometimes referred to as the OPC.

The Privacy Commissioner of Canada is an ombudsman. The Commissioner doesn't have the ability to levy fines or issue orders. Only the Federal Court of Canada can issue orders or award damages. What the Commissioner does is the Commissioner deals with complaints first and foremost. Any individual can send a written complaint to the Privacy Commissioner of Canada. The Commissioner can also initiate complaints of his own accord.

I should note that the Alberta, British Columbia and Quebec Privacy Commissioners can issue orders, and the Quebec commissioner also has considerable financial penalty powers.

But back to the federal Commissioner: After a complaint is received, the Commissioner investigates the complaint, and there's minimal involvement on the part of the complainant in most cases.

During that investigation, the Commissioner has very strong powers. So for example, the Commissioner can compel evidence, can issue essentially subpoenas, can administer oaths, and accept evidence under oath. The Commissioner can also accept and review evidence that ordinarily would not be admissible in court. The Commissioner can also enter any premises other than a dwelling and review any documents in there.

So far we've never had any "dawn raids" by the Privacy Commissioner of Canada. I don't think that any of these particularly intrusive powers have ever been used until relatively recently. It's always been my experience in speaking for myself and speaking with colleagues that those who are the subject of the complaint tend to cooperate, at least in the course of the investigation.

The end product of the investigation is a report. It's called a Report of Findings. The Commissioner has to issue a Report of Findings with respect to an investigation within one year from the day the complaint is filed. Now in my experience, that's seldom the case; they usually take more than a year. But that may reflect the complexity of cases that I generally deal with.

The finding says here’s what the Commissioner found, essentially. Here's what the person complained about, here is what I investigated, here is what I found.

If the Commissioner found non-compliance, the report will include recommendations, and those recommendations will generally be communicated to the organization in the course of the investigation, so the organization can implement those prior to the conclusion of the investigation.

Though the Commissioner does not have order making powers nor can he levy penalties, the "naming and shaming" is a significant incentive for businesses to cooperate. Some of the findings are published—but not all. And for high-profile investigations, particularly those involving large American tech companies, there tends to be a lot of fanfare that goes along with the issuance of a report of findings, including press conferences and things like that.

Many organizations do not want to be the subject of naming and shaming like this, so will do what they can to be compliant to ultimately resolve the complaint to the satisfaction of the complainant and the Commissioner.

Those findings will fit into a number of categories:

Not well-founded: which means that the complaint was not made out, the Commissioner did not find any violations of Canadian privacy laws.
Well-founded and resolved: meaning that ultimately there was an issue, but it was resolved in the course of the investigation.
Well-founded and conditionally resolved: so the organization has been asked to report back with changes that it has made over a medium-term or longer-term.
Well-founded and unresolved: and those are relatively rare.

Organizations tend to want to resolve the matter during the investigation stage. And if it's unresolved, then the Commissioner can in fact take the organization to court, or the complainant can.

Court Hearings

Court hearings are essentially where the enforcement rubber hits the road. Some people suggest that the Commissioner's lack of an ability to issue fines or issue orders is a bug with the legislation, and the process of going to court is somewhat cumbersome. I tend to think it's more of a feature that, when it comes to these sorts of measures, it's best reserved to a court, particularly where the resolution turns on the interpretation of the statute.

In these court hearings, a complainant—but not the organization—can start an application in our federal court for a hearing. And it is notable that the organization does not have any automatic ability to take the Commissioner to court to have the Commissioner’s report reviewed or appealed or overturned.

In fact, what happens in court is not an appeal at all; it's what's called a de novo proceeding. The court starts from scratch. The Commissioner might be a party with the cooperation of the complainant. It may in fact be the Commissioner who's carrying the bag on all of it in going to court, but it's not a review of the Commissioner's finding; they start from scratch. And this can only be done once the report from the Privacy Commissioner has been finalized and delivered.

There is a way to get into court in the course of an investigation on something called a "judicial review" if there are jurisdictional issues or other things that might need to be considered by the court, but generally, it's only after the report of findings is issued.

Perhaps not surprisingly, the court has pretty broad remedial powers—that's what courts do. The courts are empowered to order the organization to correct their practices in order to comply with the provisions of the act. Can also require the organization to publish a notice of actions that they have taken in order to correct their practices—so, I guess, a "double naming and shaming". And finally, the court can award damages, including damages for humiliation that the complainant might have suffered.

It should be noted that there is no mechanism through PIPEDA for a class action to be brought within this process. You have an individual complainant, you have the Privacy Commissioner, and you have a case before a judge.

Commissioner Audits

The Commissioner also has the power to audit organizations.

The Commissioner can initiate one of these if, on reasonable grounds, the Commissioner believes the organization is contravening a provision of Division 1 or Schedule 1 of the act. And during the course of an audit, the Commissioner has pretty well the same powers that the Commissioner has in an investigation: take evidence, enforce attendance, and have the powers of a superior court of record. He can enter any premises other than a dwelling house, examine any records or extracts of records.

To my knowledge, the federal Privacy Commissioner of Canada has not initiated any audits of any private businesses. The Commissioner has, at least on one occasion, requested that the organization obtain a third-party audit and provide the report of that audit to the Commissioner. But the Commissioner would not be able to order that.

As I understand it, the Commissioner doesn't feel that their office has sufficient resources in order to go about auditing organizations. One thing that they have asked Parliament for is a power to order audits of organizations and their information handling practices.

So the key “stick” that the Commissioner actually has is this power of publicity. Because within the act, the Commissioner is specifically empowered to make public any information related to the personal information management practices of an organization if the Commissioner considers that it's in the public interest to do so.

Data Breach Notification

In 2015, Parliament amended PIPEDA to bring in data breach notification requirements.

We now have data breach reporting to the Commissioner, data breach notification to the affected individuals, and a record-keeping requirement embedded in these amendments.

It should also be noted that there may be a common law duty to notify affected individuals if their personal information has been compromised in a way that could affect them, particularly if giving them notice and warning would give them an opportunity to mitigate harm that could happen to them.

But we're going to focus on the statutory requirements.

As with any data breach law, you always have to be very careful about the definition of what is a "breach". So what triggers this whole process? In PIPEDA, it is a "breach of security safeguards", which means the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in Clause 4.7 of Schedule 1 (so that's Principle 7) or from a failure to establish those safeguards.

The notice and reporting obligations become triggered if there is a breach of security safeguards where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. This particular provision talks about the personal information being under the control of an organization. So this says to me that the obligation to report to the Commissioner is only on the part of a data controller, not a data processor.

As between any data processor and the controller, there should be a clear contract that says the processor will notify the controller so that the controller can report any data breach that they have to the Privacy Commissioner, and so that they can notify affected individuals.

Subsection 2 talks about what has to be in the report, and I'll get into that in just a moment. And Subsection 3 talks about notification to affected individuals.

Again, the definition—what is a breach of security safeguards—refers back to Principle 7, “Safeguards”. And so what this principle requires is that an organization implement reasonable security safeguards to protect against a list of risks that is appropriate and commensurate with the sensitivity of the information at issue. So it's not unduly prescriptive; it's what's reasonable in the circumstances.

And again, this comes back to the concept of sensitivity. So we don't have strictly defined categories of what is sensitive personal information. Personal information can be more sensitive or it could be less sensitive depending upon the circumstances, depending upon the context in which the information is collected.

We do have some helpful guidance or wording in the CSA model code to help determine what information is more sensitive or less sensitive. Certainly information about somebody's private life, their intimate life, their family life, information about their race, ethnicity, religion, those sorts of things, financial information, health information would all be considered to be at the more sensitive end of the spectrum.

But somebody's name can be less sensitive or more sensitive depending upon the circumstances. So if your name appears on a list of people who attended a hockey game, for example, that's not particularly sensitive. If your name appears on a list of people who have upcoming appointments with a psychiatrist, that would be sensitive information, because the context in which that information appears tells you information about that person's private life, their mental life, their health conditions, or things like that.

Real Risk of Significant Harm

The triggers of notification and reporting relate to "real risk of significant harm".

This is a two-part test: you look at the real risk and then you look at the possible significant harm. And real risk depends upon the sensitivity of the personal information involved and the probability that the personal information has been, is being, or will be misused. And there may also be other prescribed factors, but we haven't seen new factors to consider.

So you're looking at what's the likelihood that mischief will take place; what are the circumstances in which the breach took place?

One example may be a lost hard drive and there's no information to suggest that it was stolen by a bad guy. It was just misplaced. You don't have any real sense that mischief is afoot. That seems low risk of harm.

But if somebody breaks into your network and exfiltrates information, you already know that there's a bad guy involved, or a "threat actor" as the cool kids say. That tells you there’s a high risk that bad things are likely to happen. Or at least bad things are more likely to happen in a scenario like that.

The second part of the analysis is “significant harm”, and that requires you to ask “what could go wrong?” You ask “What could this information be used for? How could this information be abused?”

The legislation specifically talks about certain kinds of harm being significant: “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business, or professional opportunities, financial loss, identity theft, negative effects on the person's credit record, and damage to our loss of property.”

It ties pretty closely to the concept of sensitivity.

In some jurisdictions, reporting is based simply on the type of data involved – more often tied to risk of fraud and impersonation.

The significant harms that are at play and have to be considered in Canadian privacy legislation are much broader than that, and relate to kind of “softer elements” of privacy and personal life.

Reporting Requirements

For a report to the Commissioner, the legislation prescribes what has to be contained in that report. Not surprisingly, the Privacy Commissioner of Canada has a form on his website that contains this information to fill out and report.

They generally want to know:

who was the organization,
what was the nature of the information,
what were the circumstances of the breach,
when was it discovered,
how many people are affected,
what steps have you done to mitigate, to stop the breach and to mitigate the risk of harm, and
who is able to be a point of contact for the Privacy Commissioner.

The Commissioner can initiate an investigation based on a report, but most of these are just received with thanks and that's largely the end of it. The notice to individuals is generally quite similar to the information that has to be provided to the Commissioner, though the organization is also required to tell the individual if there are steps that that individual could take to mitigate any harm to themselves.

Record-Keeping Requirements

Now one additional thing that's notable is there's also a “record-keeping” requirement. This says, regardless of whether or not there's a real risk of significant harm to the individual, every organization must create a record related to every breach of security safeguards, regardless of how trivial.

That record has to contain essentially the same sort of information that you would include in a report to the Commissioner. It should also include information to substantiate the conclusion that there was not a real risk of significant harm to the affected individuals, so that no report was required.

These reports have to be kept by the organization for two years. And they have to be provided to the Privacy Commissioner of Canada on request. So this does create a discoverable paper trail in the event of litigation.

It should also be noted that the Privacy Commissioner has in fact, on his own accord, conducted surveys of organizations requiring them to provide to his office and his investigators all of these breach records in order to make sure that they are being created and maintained appropriately.

Importantly, it's an offense to not create these records, and to not maintain them for the period of two years. It’s also an offense to not provide them to the Commissioner.

Conclusion

So, I hope this has been a useful, informative overview about Canadian privacy law. As I said, it was mainly intended for a general audience of folks who may have a need to know the basics of Canadian privacy laws.