Canada Federal

Summary

Law: Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA') and Privacy Act 1985 ('the Privacy Act')

Regulator: Office of the Privacy Commissioner of Canada ('OPC')

Summary: PIPEDA and the Privacy Act 1985 (the Privacy Act) are the main statutes regulating privacy and data protection at a federal level in Canada. PIPEDA only applies to organizations that conduct commercial activities whilst the Privacy Act applies to federal government bodies. PIPEDA sets out ten principles to which organizations must abide, including principles of accountability, consent, accuracy, and safeguards, as well as limiting collection, use, disclosure, and retention. In addition, individuals have the right to submit complaints to organizations and the OPC and can also withdraw their consent regarding certain processing activities. The OPC is a very active regulator, often issuing guidelines, public consultations and advice regarding current and future legislation; however, it cannot issue fines or take any other type of binding enforcement action against organizations. Other relevant laws include the Bank Act 1991, Canada's Anti-Spam Legislation, 2010, and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, 2000. Data protection requirements also vary between the provinces and territories.

Please note that after Bill C-11 for the Digital Charter Implementation Act, 2020 ('DCIA') failed to pass on August 15, 2021, a new bill to reform Canada's private sector privacy law was introduced, on June 16, 2022, in the House of Commons. Bill C-27 for the Digital Charter Implementation Act 2022 is divided into three parts, with each aimed at enacting a new Act, namely the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. Bill C-27 is now under consideration in the Canadian Parliament.

Browse more content in Canada Federal

All Guidance Notes

All News

All Insights

News

14 November 2024

Canada: Canadian privacy regulators pass resolution on privacy-related harms from deceptive design patterns

14 November 2024

Canada: OPC announces investigation into World Anti-Doping Agency on handling of biological samples

14 November 2024

International: OPC signs MoUs with NDPC and ANPD

13 November 2024

Canada: Government launches AI Safety Institute

13 November 2024

International: NCSC and international agencies publish advisory on top vulnerabilities exploited by cyberattackers in 2023

12 November 2024

Canada: Minister to announce launch of AI safety institute

07 November 2024

Canada: Government orders windup of TikTok following national security review

06 November 2024

International: ANPD and OPC sign MoU on data protection

04 November 2024

International: Authorities participate in GPA conference

31 October 2024

Canada: Cybersecurity bill proceeds to committee consideration stage

30 October 2024

Canada: OPC launches investigation into Canada Revenue Agency data breaches

28 October 2024

International: DPAs release statements on data scraping

Insights

October 2024

International: Regulating AI in Canada and abroad - comparing the proposed AIDA with the EU AI Act

Laws governing technology have historically focused on the regulation of information privacy and digital communications. However, governments and regulators around the globe have increasingly turned their attention to artificial intelligence (AI) systems. As the use of AI becomes more widespread and AI changes how business is conducted across industries, there are signs that existing declarations of principles and ethical frameworks for AI, and the first AI regulations (including those established in the EU), may soon be followed by other AI-specific legal frameworks in other jurisdictions¹.

On June 16, 2022, the Canadian Government tabled Bill C-27, the Digital Charter Implementation Act, 2022. Bill C-27 proposes to enact, among other things, the Artificial Intelligence and Data Act (AIDA). In this Insight, Christopher Ferguson, Summer Lewis, and Dongwoo Kim, from Fasken Martineau DuMoulin LLP, provide a comparison between AIDA and the EU's Artificial Intelligence Act (the EU AI Act), looking specifically at both laws' approach to key definitions, the use of data, requirements for AI systems, and penalties, among other things².

July 2024

Canada: Third-Party Risk Management Guideline for Canadian Financial Institutions: OFSI's Guideline B-10

Dustin Moores, Counsel at nNovation LLP, explores the updated Third-Party Risk Management Guideline (the Guideline) for Canadian financial institutions. The Guideline addresses increasing supply chain vulnerabilities and sets out best practices for Federally Regulated Financial Institutions (FRFIs) to manage third-party risks effectively.

June 2024

Canada: Bill C-26 - the proposed cybersecurity law

If passed into law, Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26), would enact the Critical Cyber Systems Protection Act (CCSPA), amend the Telecommunications Act, and make consequential amendments to several other laws. Dustin Moores, Counsel at nNovation LLP, discusses these amendments and its enforcement.

November 2023

Canada: Code of Conduct on the development and management advanced generative AI systems

On September 27, 2023, Innovation, Science and Economic Development Canada (ISED) published a Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems (the Code). In this Insight article, Christopher Ferguson and Anagha Nandakumaran, from Fasken, discuss the different measures of the Code and what this would mean for organizations.

November 2023

International: Regulating AI in Canada and the EU - AIDA versus the AI Act

Artificial intelligence (AI) is transforming the way we work, learn, and communicate. The rapid development and adoption of new AI-based technologies have prompted regulators around the world to create policies and regulations governing its use, in an effort to ensure that AI is used in a responsible and ethical manner. Canada and the EU are among the many jurisdictions that have recently recognized the need for AI-specific regulation.

In April 2021, the European Commission published its proposed Artificial Intelligence Act (AI Act) as a framework for a coordinated European approach to addressing the challenges and concerns raised by the increasing use of AI. The following year, in June 2022, the Canadian government introduced Bill C-27 for the Digital Charter Implementation Act 2022 (Bill C-27), which aims to update existing federal private-sector privacy laws. In addition to privacy law reform, Bill C-27 also includes the Artificial Intelligence and Data Act (AIDA), Canada's first attempt to regulate AI through standalone legislation.

Both AIDA and the AI Act seek to encourage the responsible development and use of AI systems through a single regulatory framework. In this Insight article, Heather Whiteside, from Fasken, examines the similarities and differences between these legislative proposals, as currently drafted, in Canada and the EU.

September 2023

Canada: A comprehensive overview of AI Regulation

In this Insight article, Sarah Nasrullah, from Norton Rose Fulbright LLP, delves into Canada's AI regulatory landscape, examining key aspects of the AI Act, enforcement mechanisms, penalties, and implications for organizations and individuals. It provides valuable insights into the evolving governance of AI technologies in the Canadian context.

April 2023

Canada: AI and Data Act - Key takeaways

On 16 June 2022, the Government of Canada introduced in the House of Commons the Artificial Intelligence and Data Act ('AIDA') as part of Bill C-27, for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act 2022 ('DCIA 2022').

In this Insight article, OneTrust DataGuidance Research provides an overview of the AIDA, which is currently undergoing second reading in the House of Commons, and the wider perceptions of artificial intelligence ('AI') at a federal level in Canada. For an analysis of the DCIA 2022, you may read our Insight article Canada: Digital Charter Implementation Act 2022 - What you need to know.

January 2023

Canada: An overview of Bill C-27 and its proposed changes to PIPEDA

Canada has an existing comprehensive federal private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA'), which became law in 2000. Recently, changes to PIPEDA have been proposed via the draft language of Bill C-27 for the Digital Charter Implementation Act 2022¹ ('Bill C-27'). Kirsten Thompson, Partner at Dentons, takes a look into the proposed changes, and what impact Bill C-27 would have in areas such as penalties, artificial intelligence ('AI'), and data portability.

December 2022

Canada: Organisational accountability under the CPPA and Québec's Law 25

Both the Consumer Privacy Protection Act ('CPPA') and Québec's Act to modernize legislative provisions as regard the protection of personal information, 2021, Chapter 25 ('Law 25') aim to modernise privacy laws and introduce significant penalties and fines for non-compliance. Jasmine Samra and Antoine Guilmain, from Gowling WLG, focus on the accountability of organisations under both privacy regimes.

June 2022

Canada: Digital Charter Implementation Act 2022 - What you need to know

On 16 June 2022, Bill C-27 for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act 2022 ('DCIA 2022'), was introduced in the House of Commons, where it passed first reading. This comes after a similar bill, Bill C-11 for the Digital Charter Implementation Act, 2020, failed to pass in 2021. The DCIA 2022 is divided into three main parts, with the aim of enacting three new Acts, namely the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.

In this article, OneTrust DataGuidance Research provides an overview of each part of the DCIA 2022 and its main provisions, focusing on the key developments and considerations for businesses.

March 2022

International: Understanding data residency - Part one: Americas perspective

Many jurisdictions are increasingly enacting laws and regulations governing how and where data must be stored either within their respective borders or abroad. What has resulted is a constantly evolving network of rules and restrictions for the location of data. In this three-part series, OneTrust DataGuidance provides an overview of key trends in data localisation and data residency, outlining underlining approaches to the same, as well as common trends associated with sector and categories of data.

February 2022

Canada: Understanding bias in AI for marketing – a comprehensive guide to avoiding negative consequences with AI

The Interactive Advertising Bureau of Canada ('IAB Canada') released, on 24 November 2021, a guide on Understanding Bias in AI for Marketing: A Comprehensive Guide to Avoiding Negative Consequences with Artificial Intelligence¹. In particular, IAB Canada stated that the guide provides an excellent starting point for organisations to develop frameworks for better artificial intelligence ('AI') solutions. OneTrust DataGuidance discusses the guide in this article.

Canada Federal

Summary

Browse more content in Canada Federal

News

Insights

Get the Latest News

Thanks for signing up!

Company

Our Policies

Your Rights

Follow us