Developments in Canadian Privacy Law

Published 30 September 2022

1. Introduction

Canadian privacy law may soon undergo an overhaul. In June, Canadian legislators tabled Bills C-26 and C-27 in an attempt to supplement and replace Canada’s existing federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In addition to these developments, we also examine recent trends in Canadian privacy litigation.

2. Proposed Federal Legislation

PIPEDA was originally passed in 2000 and is due for an update to keep pace with more stringent privacy and data security regulations in other jurisdictions. Bills C-26 and C-27 are a second attempt at reform of PIPEDA after Bill C-11 was abandoned in 2021 when the most recent federal election was called.

(a) Bill C-26

Bill C-26 would enact the Critical Cyber Systems Protection Act (“CCSPA”), which provides a framework for the protection of the critical cyber systems that are vital to national security or public safety. Cyber systems are considered “critical” if their compromise could affect the continuity or security of a vital service or system, including: telecommunications; interprovincial and international pipelines and powerlines; nuclear energy; federal transportation systems; and banking.

Under the proposed CCSPA, designated “operators” in respect of a vital service must:

• establish a CCSPA-compliant cyber security program within 90 days;
• report all “cyber security incidents” to the Communications Security Establishment (an agency within Canada’s Department of National Defence) and their industry regulator;
• take reasonable steps to mitigate any identified risks associated with its supply chain or use of third-party products; and
• comply with orders, such as ceasing to use certain high-risk third-party products.

Failures to meet these and other CCSPA requirements constitute offences punishable by up to five years imprisonment or fines in amounts in the discretion of the court. Directors and officers of a designated operator would themselves be liable to penalties of up to $1 million for each day that a violation is committed or continued should they be found to have directed, authorized, assented to, acquiesced in, or participated in the designated operator’s commission of a CCSPA violation.

(b) Bill C-27

Bill C-27 would enact the Consumer Privacy Protection Act (“CPPA”). The CPPA would significantly increase administrative penalties and fines compared to those available under PIPEDA:

• Administrative penalties would apply to contravention of several key provisions, including those regarding implementation of privacy management programs and protection of personal information.
• Administrative penalties may be as high as the higher of $10 million and 3% of an organization’s gross global revenue.

Offences would include, among other things, failures to properly report breaches or comply with orders of the Office of the Privacy Commissioner (“OPC”). Fines for offences may be as high as the higher of $25 million or 5% of an organization’s gross global revenue.

The proposed CPPA will also require organizations to implement privacy management programs, which account for the volume and sensitivity of personal information and ensure protection of personal information transferred to service providers.

The OPC would oversee compliance with the CPPA. Unlike PIPEDA which required the OPC to apply to Federal Court to enforce orders against organizations, the OPC’s orders under the CPPA would be enforceable without application to the Federal Court.

However, the OPC would not be able to render and enforce penalties under the CPPA. Rather, it would only be able to recommend penalties to the Personal Information and Data Protection Tribunal, a new administrative body created by Bill C-27 to consider appeals of OPC decisions and impose penalties under the CPPA. Like PIPEDA, the CPPA creates a private right of action in relation to contraventions of the CPPA.

3. Trends in Privacy Litigation

(a) Statutory vs. Common Law Torts

Canada’s provincial jurisdictions have taken different approaches to establishing a tort of breach of privacy. While several provinces have established statutory torts, actionable without proof of damage (e.g. British Columbia, Saskatchewan, and Manitoba), other provinces such as Ontario and Nova Scotia have recognized other common law torts, including public disclosure of private facts and intrusion upon seclusion, and have not enacted statutory torts. Elements of the tort of intrusion upon seclusion include that:

• (i) the defendant's conduct must be intentional or reckless;
• (ii) the defendant must have invaded the plaintiff's private affairs or concerns without lawful justification; and
• (iii) a reasonable person would regard the invasion as highly offensive, resulting in distress, humiliation or anguish to the plaintiff.

This tort continues to evolve, as indicated by the recent Ontario decision of Owsianik v. Equifax Canada Co., 2021 ONSC 4112, which held that a claim for intrusion upon seclusion must be brought against the entity that committed the intrusion. Thus, such a claim cannot be brought against an organization that collects or stores personal information if a third-party steals or accesses that information without authorization.

(b) Class Actions

Canada continues to see an increase in privacy class actions involving cyber events and other privacy infringements. However, the availability of different torts for invasion of privacy in different provincial jurisdictions can both complicate and assist in opposing certification of proceedings seeking potential class members from various provincial jurisdictions.

The Supreme Court of British Columbia recently confirmed in the data breach class certification decision of Campbell v. Capital One Financial Corporation, 2022 BCSC 928, that no tort of intrusion upon seclusion currently exists in British Columbia. In that case, the class’s claims in breach of contract, breach of privacy legislation, negligence, and breach of consumer protection legislation were certified. However, British Columbia’s Court of Appeal appeared to express interest in considering recognition of a common law tort in Tucci v. Peoples Trust Company, 2020 BCCA 246 at para. 68. More provinces’ recognition of a common law tort of invasion of privacy akin to Ontario would serve to streamline the privacy class action process across Canada.

	Nicholas Russell Associate T: (604) 643-2451 E: nrussell@ahbl.ca
	Brianne Kingston Associate E: bkingston@ahbl.ca T: 604 484 1703