A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 30 September 2022
Canadian privacy law may soon undergo an overhaul. In June, Canadian legislators tabled Bills C-26 and C-27 in an attempt to supplement and replace Canada’s existing federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In addition to these developments, we also examine recent trends in Canadian privacy litigation.
PIPEDA was originally passed in 2000 and is due for an update to keep pace with more stringent privacy and data security regulations in other jurisdictions. Bills C-26 and C-27 are a second attempt at reform of PIPEDA after Bill C-11 was abandoned in 2021 when the most recent federal election was called.
(a) Bill C-26
Bill C-26 would enact the Critical Cyber Systems Protection Act (“CCSPA”), which provides a framework for the protection of the critical cyber systems that are vital to national security or public safety. Cyber systems are considered “critical” if their compromise could affect the continuity or security of a vital service or system, including: telecommunications; interprovincial and international pipelines and powerlines; nuclear energy; federal transportation systems; and banking.
Under the proposed CCSPA, designated “operators” in respect of a vital service must:
Failures to meet these and other CCSPA requirements constitute offences punishable by up to five years imprisonment or fines in amounts in the discretion of the court. Directors and officers of a designated operator would themselves be liable to penalties of up to $1 million for each day that a violation is committed or continued should they be found to have directed, authorized, assented to, acquiesced in, or participated in the designated operator’s commission of a CCSPA violation.
(b) Bill C-27
Bill C-27 would enact the Consumer Privacy Protection Act (“CPPA”). The CPPA would significantly increase administrative penalties and fines compared to those available under PIPEDA:
Offences would include, among other things, failures to properly report breaches or comply with orders of the Office of the Privacy Commissioner (“OPC”). Fines for offences may be as high as the higher of $25 million or 5% of an organization’s gross global revenue.
The proposed CPPA will also require organizations to implement privacy management programs, which account for the volume and sensitivity of personal information and ensure protection of personal information transferred to service providers.
The OPC would oversee compliance with the CPPA. Unlike PIPEDA which required the OPC to apply to Federal Court to enforce orders against organizations, the OPC’s orders under the CPPA would be enforceable without application to the Federal Court.
However, the OPC would not be able to render and enforce penalties under the CPPA. Rather, it would only be able to recommend penalties to the Personal Information and Data Protection Tribunal, a new administrative body created by Bill C-27 to consider appeals of OPC decisions and impose penalties under the CPPA. Like PIPEDA, the CPPA creates a private right of action in relation to contraventions of the CPPA.
(a) Statutory vs. Common Law Torts
Canada’s provincial jurisdictions have taken different approaches to establishing a tort of breach of privacy. While several provinces have established statutory torts, actionable without proof of damage (e.g. British Columbia, Saskatchewan, and Manitoba), other provinces such as Ontario and Nova Scotia have recognized other common law torts, including public disclosure of private facts and intrusion upon seclusion, and have not enacted statutory torts. Elements of the tort of intrusion upon seclusion include that:
This tort continues to evolve, as indicated by the recent Ontario decision of Owsianik v. Equifax Canada Co., 2021 ONSC 4112, which held that a claim for intrusion upon seclusion must be brought against the entity that committed the intrusion. Thus, such a claim cannot be brought against an organization that collects or stores personal information if a third-party steals or accesses that information without authorization.
(b) Class Actions
Canada continues to see an increase in privacy class actions involving cyber events and other privacy infringements. However, the availability of different torts for invasion of privacy in different provincial jurisdictions can both complicate and assist in opposing certification of proceedings seeking potential class members from various provincial jurisdictions.
The Supreme Court of British Columbia recently confirmed in the data breach class certification decision of Campbell v. Capital One Financial Corporation, 2022 BCSC 928, that no tort of intrusion upon seclusion currently exists in British Columbia. In that case, the class’s claims in breach of contract, breach of privacy legislation, negligence, and breach of consumer protection legislation were certified. However, British Columbia’s Court of Appeal appeared to express interest in considering recognition of a common law tort in Tucci v. Peoples Trust Company, 2020 BCCA 246 at para. 68. More provinces’ recognition of a common law tort of invasion of privacy akin to Ontario would serve to streamline the privacy class action process across Canada.
London - Walbrook
+44 (0)20 7894 6930
+44 (0) 20 7894 6925
Hans Allnutt, Stuart Hunt
Astrid Hardy, Hans Allnutt
Julian Miller, Tom Evans
Hans Allnutt, Camilla Elliot
Jade Kowalski, Astrid Hardy
Louise Gallagher, Katie Anderson
Hans Allnutt, Astrid Hardy
Aidan Healy, Alexander Dimitrov
Patrick Hill, Stuart Hunt
Astrid Hardy, Alexander Dimitrov
Patrick Hill, Sonali Malhotra