1. GOVERNING TEXTS

1.1. Legislation

Federal legislation

• The Personal Information Protection and Electronic Documents Act, SC 2000 c 5 ('PIPEDA') is the federal private sector privacy legislation in Canada. It applies to the collection, use, and disclosure of personal information by private sector organisations in the course of their commercial activities. PIPEDA is primarily a privacy statute, but establishes two central cybersecurity obligations for private sector organisations in Canada. The PIPEDA requires that organisations notify the regulator and affected individuals of certain cybersecurity incidents (see section 6 below) and that organisations adopt appropriate security safeguards (see section 5 below). Given that PIPEDA is primarily a privacy statute, its cybersecurity obligations apply only when individuals' personal information is involved. Therefore, for example, if a breach occurs and individuals' personal information is not affected, PIPEDA's breach notification requirements will not apply.
• The Canada's Anti-Spam Legislation, SC 2010 c 23 ('CASL') applies to corporations in the course of their commercial activities. CASL generally prohibits sending unsolicited commercial electronic messages, and thus prohibits the sending of phishing or spear phishing messages. The maximum penalty for contravention of CASL requirements is CAD 1,000,000 (approx. €698,745) in the case of an individual, and CAD 10,000,000 (approx. €6,987,380) in the case of an organisation, partnership, corporation, or an individual acting in certain fiduciary roles.
• The Criminal Code of Canada, RSC 1985 c C-46 ('the Criminal Code') is the legislation governing crimes in Canada. The Criminal Code has designated certain cyber activities to be criminal offences, including hacking (fraudulently obtaining access to a computer system), DDoSing (distributed denial of service attacks and otherwise obstructing or interfering with computer systems), and using malware or ransomware (wilfully destroying, interfering with the use of, or rendering useless a computer system or computer data).
• The Office of the Superintendent of Financial Institutions Act, , RSC 1985 c 18 ('the OSFI Act') sets out the powers, duties, and functions of the Office of the Superintendent of Financial Institutions ('OSFI'). The OSFI requires federally-regulated financial institutions to report certain cybersecurity incidents, as outlined in its Advisory on Technology and Cybersecurity Incident Reporting ('the Cybersecurity Incident Reporting Advisory').
• The Communications Security Establishment Act, SC 2019 c 13 s 76 ('the CSE Act), that came into force on 1 August 2019, and which furthers and supports the activities of the Communications Security Establishment ('CSE'), a Canadian intelligence and cyber defence agency. The CSE is mandated to advise, guide, and protect private and public sector organisations deemed critical to Canada's information infrastructure.

Provincial legislation

British Columbia, Alberta, and Quebec private sector privacy laws

PIPEDA does not apply to private sector organisations operating only within Alberta, British Columbia, and Quebec. Instead, these three provinces are governed by provincial privacy laws that have been recognised as 'substantially similar' to PIPEDA.

Therefore, the following provincial statutes operate in place of PIPEDA if the collection, use, and disclosure of personal information takes place entirely within the borders of each respective province. If information is disclosed or otherwise transferred outside of these provinces, PIPEDA will apply.

• Alberta: the Personal Information Protection Act, SA 2003 c P-6.5 ('the Alberta PIPA') applies broadly to 'every organisation' and in respect of all personal information, except those organisations or types of information exempted under Section 4(3) of the Alberta PIPA. The statute's application is broader than PIPEDA, capturing information processed outside of a commercial or customer relationship, such as employee personal information.
• British Columbia: the Personal Information Protection Act, SBC 2003 c 63 ('the BC PIPA') also applies broadly to 'every organisation,' except those organisations listed in Section 3(2) of the BC PIPA. The statute applies more broadly than both PIPEDA and the Alberta PIPA and is the only private sector legislation in Canada applicable to the collection, use, and disclosure of personal information by political parties.
• Quebec: the Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 ('the Quebec Private Sector Act') applies to personal information collected, used, and communicated to third parties in the course of 'carrying on an enterprise,' as defined in Article 1525 of the Civil Code of Quebec, CQLR c CCQ-1991.

As a note, while PIPEDA does apply to private sector organisations operating within Ontario, there are additional privacy legislations in place for matters relating to healthcare (see the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A ('Ontario PHIPA')).

1.2. Regulatory authority 

Organisational compliance with PIPEDA is overseen by the Office of the Privacy Commissioner of Canada ('OPC'). The provincial privacy commissioners administer the relevant provincial statutes in each respective province:

• Alberta: Office of the Information and Privacy Commissioner of Alberta ('Alberta OIPC');
• British Columbia: Office of the Information and Privacy Commissioner for British Columbia ('BC OIPC');
• Manitoba: The Manitoba Ombudsman ('the Ombudsman');
• New Brunswick: The Office of the Ombud;
• Newfoundland and Labrador: Office of the Information and Privacy Commissioner for Newfoundland and Labrador ('Newfoundland and Labrador OIPC');
• Nova Scotia: Office of the Information and Privacy Commissioner of Nova Scotia ('Nova Scotia OIPC');
• Nanavut: The Office of the Nunavut Information and Privacy Commissioner ('Nanavut OIPC');
• Northwest Territories: Office of the Information and Privacy Commissioner Northwest Territories ('Northwest Territories OIPC');
• Ontario: The Information and Privacy Commissioner of Ontario ('Ontario IPC');
• Prince Edward Island: Information and Privacy Commissioner of Prince Edward Island ('Prince Edward Island IPC');
• Quebec: The Quebec Commission on Access to Information ('CAI');
• Saskatchewan: Office of the Saskatchewan Information and Privacy Commissioner ('Saskatchewan OIPC'); and
• Yukon: Yukon Information and Privacy Commissioner ('Yukon IPC').

CASL is jointly administered by the OPC, the Canadian Radio-television and Telecommunications Commission ('CRTC'), and the Competition Bureau Canada.

The OSFI oversees compliance with the Cybersecurity Incident Reporting Advisory.

Function and powers

Privacy commissioners in Canada do not have the same rule-making and enforcement powers as their counterparts in Europe. Rather, most privacy commissioners make submissions to the federal and provincial legislatures to influence changes in the law and promote organisational compliance by conducting investigations and audits and by issuing guidance that sets out their expectations for how organisations should comply with the applicable law. As an exception to the above, the CAI and the Alberta OIPC have the power to issue binding orders, though neither they, nor any other commissioner in Canada, has the power to independently levy fines or to administer monetary penalties.

The OPC

The mandate of the OPC is to oversee compliance with the public-sector legislation, the Privacy Act, RSC 1985 c P-21, and the private sector legislation, PIPEDA. To do so, in addition to its role as a public advocate, the OPC conducts investigations of privacy practices and conducts audits to ensure organisational compliance.

The OPC conducts investigations into privacy practices after receiving a complaint from an individual or by initiating an investigation on its own accord. In both cases, the OPC must be satisfied that there are reasonable grounds to investigate the matter. During an investigation, the OPC can summon witnesses, administer oaths, and compel the production of evidence. The OPC does not have order-making power, however. If an organisation does not voluntarily resolve the issue with the OPC, the OPC may take the matter to federal court and seek a court order to enforce a resolution.

Similarly, the OPC requires reasonable grounds to believe an organisation has contravened PIPEDA before it can conduct an audit. During the course of an audit, the OPC may summon and enforce appearance of persons, administer oaths, receive evidence, and enter an organisations' premises.

Under PIPEDA, the OPC may choose to publish certain findings from their investigation if it is in the public interest. Under the Privacy Act, the OPC may only publish findings through an annual or special report to Parliament.

The Alberta OIPC

The Alberta OIPC has substantially the same mandate and role as the OPC. However, an important difference is the Alberta OIPC's power to make binding orders. Where an investigation is not referred to mediation, or not otherwise settled or resolved, the Alberta OIPC may conduct an inquiry and decide all questions of fact and law during the inquiry. At the end of the inquiry, the Alberta OIPC may make an order that will be binding on the subject of the inquiry.

The BC OIPC

The BC OIPC has substantially the same mandate and powers as the OPC. One notable difference is that the BC OIPC may initiate an investigation or audit if the investigation or audit is in the public interest, rather than only based on reasonable grounds to believe there is non-compliance. The BC OIPC does not have order making powers – its orders can only be enforced by a court of law.

The Quebec CAI

The role of the Quebec CAI is to adjudicate complaints as an administrative tribunal, to supervise organisational compliance with the Quebec private sector privacy legislation, and advise and educate organisations by issuing guidance. Like the Alberta OIPC, the Quebec CAI has the power to make any order it considers appropriate to adjudicate the rights of the parties and has the power to rule on any issue of fact or law.

1.3. Regulatory authority guidance

Reference to applicable guidance is made throughout this Guidance Note.

2. SCOPE OF APPLICATION

The statutory framework related to cybersecurity law is PIPEDA (or the provincially-equivalent legislation mentioned above) and CASL. In addition, the Criminal Code sets out the following offences:

• using a device wilfully to intercept a private communication without the express or implied consent of the originators or intended recipient; and
• intercepting fraudulently and without colour of right any function of a computer system.

Furthermore, OSFI and the Canadian Securities Administrators ('CSA') each provide guidance to address the cybersecurity risks for organisations subject to their regulation.

3. DEFINITIONS

• Commercial activity: any particular transaction, act or conduct, or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act, or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs, or the defence of Canada (Section 1(1) of CASL).
• Data: signs, signals, symbols, or concepts that are being prepared or have been prepared in a form suitable for use in a computer system (Section 1(1) of CASL).

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

4.1.Cybersecurity training and awareness

Not applicable.

4.2. Cybersecurity risk assessments

Not applicable.

4.3. Vendor management

Not applicable.

4.4. Accountability/record keeping

Not applicable.

5. DATA SECURITY

Federal requirements

PIPEDA requires organisations to protect personal information against loss or theft, unauthorised access, use, or modification by implementing security safeguards appropriate to the sensitivity of the information. PIPEDA does not outline specific steps that organisations must take to comply with its requirement. Rather, Principle 7 of Schedule I of PIPEDA broadly requires that organisations design their security safeguards in response to the type and sensitivity of personal information being protected, and the manner in which the information is stored and retained by the organisation. These methods of protection should include physical measures (restricted access to offices and storage spaces), organisational and administrative measures (security clearances, limiting access on a need-to-know basis), and technical measures (passwords, encryption, etc).

Provincial requirements

The personal health information statutes listed in section 1.1 above require organisations to implement measures to protect against unauthorised access, theft, loss, damage, and disclosure of personal health information. Like PIPEDA, the provincial statutes do not set out detailed requirements for specific security measures that organisations must implement. Rather, the provincial statutes generally require organisations to maintain physical, technical, and administrative safeguards to protect personal health information.

The personal health information statutes in Ontario, New Brunswick, Nova Scotia, and Newfoundland, and Labrador have been deemed 'substantially similar' to PIPEDA, for the purpose of health information. Accordingly, organisations acting as health information custodians in those provinces need only comply with the security measure requirements in their respective provincial legislation. Organisations in all other provinces must comply with both PIPEDA and their respective provincial legislation.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

PIPEDA includes breach of security safeguard regulations and if the real risk of significant harm test is met, it would require:

• a report to the OPC;
• notification to affected individuals about the breach; and
• to keep a record of the breach.

Furthermore, the Investment Industry Regulatory Organization of Canada ('IIROC') has amended its Dealer Member Rules to require mandatory reporting by dealer members in the event of a cybersecurity incident. The amendments are accompanied by guidance on the new requirements. IIROC expects dealer members to issue an initial report within three days of discovery of an incident, and to submit a detailed incident investigation report within 30 days of the incident.

Federal requirements

PIPEDA

Under PIPEDA, and its associated Breach and Security Safeguards Regulations (SOR/2018-64), which came into force on 1 November 2018, organisations are required to notify the OPC and affected individuals of 'a breach of security safeguards' involving personal information under the organisation's control where it is reasonable in the circumstances to believe that the breach creates a 'real risk of significant harm' (known as the 'RROSH' test) to affected individuals. Other organisations and government institutions must also be notified where such organisation or institution may be able to mitigate or reduce the risk of harm to affected individuals.

Organisations must also keep and maintain records of all breaches of security safeguards regardless of whether they meet the harm threshold for reporting. Failure to report a breach or to maintain records as required is an offence under PIPEDA, punishable by a fine of up to CAD 100,000 (approx. €69,830) per offence.

When making a report, organisations should use the prescribed breach report, which is available on the OPC's website. The OPC has published guidance to assist organisations in reporting a breach.

The OSFI requires federally-regulated financial institutions ('FRFIs') to report certain technology or cybersecurity incidents to OSFI. An 'Incident' is defined as having the ability to 'materially impact the normal operations of an FRFI, including confidentiality, integrity or availability of its systems and information.' An Incident should be reported to OSFI if it is assessed as having a 'high or critical severity level.' The responsibility to assess an Incident's severity level rests with the FRFI, though FRFIs can obtain guidance from OSFI when assessing severity levels. FRFIs must provide a written report to OSFI as well as the FRFI’s lead supervisor within 24 hours, or sooner if possible. After the initial report, OSFI expects FRFIs to provide regular updates until all details about the Incident have been provided.

A failure to report may result in increased supervisory oversight (i.e. enhanced monitoring activities, watch-listing, or staging of the FRFI).

Provincial requirements

Notification of breaches involving personal information

As noted above, the private sector privacy legislation in British Columbia, Alberta, and Quebec are deemed to be 'substantially similar' to the federal private sector legislation, PIPEDA. However, while Alberta adopted breach notification requirements similar to those under PIPEDA in 2010, British Columbia and Quebec have yet to adopt breach notification requirements. That said, there is a general obligation for data breach notification in Quebec where an incident involves a risk of serious injury. It is expected that these two provinces will adopt breach notification requirements at some point in the near future, for failure to do so may trigger a review of the similarity between their respective provincial statutes and PIPEDA.

The Alberta PIPA

An organisation must, without unreasonable delay, provide notice to the Alberta OIPC of any incident involving the loss of or unauthorised access to or disclosure of personal information, where there exists a 'real risk of significant harm' to an individual as a result of the loss or unauthorised access or disclosure. The Alberta OIPC may then require the organisation to notify affected individuals. The organisation must use the Alberta OIPC's Privacy Breach Report Form. The Alberta OIPC has published guidance on Reporting a Breach to the Commissioner to assist organisations.

Notification of breaches involving personal health information

The Alberta HIA

The Health Information Act, RSA 2000 c H-5 ('the Alberta HIA') requires health information custodians to notify the Minister of Health and the Alberta OIPC, as soon as practicable, if there is a risk of harm to an individual as a result of a privacy breach. It also requires the health information custodian to notify the affected individual. Lastly, the Alberta HIA establishes penalties for health information custodians that do not report breaches or take reasonable steps to maintain safeguards to protect health information.

The Manitoba PHIA

Under the Personal Health Information Act, CCSM c P-33.5 ('the Manitoba PHIA'), there is currently no requirement to notify the Ombudsman of any breaches of security safeguards.

The Newfoundland and Labrador PHIA

Under the Personal Health Information Act, SNL 2008 c P-7.01 ('the Newfoundland and Labrador PHIA'), where a custodian reasonably believes that there has been a 'material breach' of security safeguards, the health information custodian must inform affected individuals and the Newfoundland and Labrador OIPC of the breach. When assessing whether a breach is material, health information custodians must assess the sensitivity of the health information involved, the number of people whose information was breached, whether the breach indicates a systemic problem, and whether there is a reasonable belief that the breached information may be misused. The Newfoundland and Labrador OIPC is available to assist with determining whether or not a breach might be considered a material breach.

The Nova Scotia PHIA

Under the Personal Health Information Act, SNS 2010 c 41 ('the Nova Scotia PHIA'), health information custodians must inform affected individuals of a breach of these security safeguards if there is a potential for harm or embarrassment to the person as a result of the loss, theft, or damage of the individual's personal health information. Where a custodian decides not to inform an individual, they must notify the provincial Nova Scotia OIPC as soon as possible. Custodians must maintain a record of every breach of security safeguards that is likely to pose a risk to individuals' personal health information, and maintain records of all corrective procedures taken to diminish the likelihood of future breaches.

The Northwest Territories HIA

Under the Health Information Act, SNWT 2014 c 2 ('the Northwest Territories HIA'), health information custodians must inform the Northwest Territories OIPC and law enforcement officials when personal health information is lost, stolen, altered, destroyed, or disposed of in an unauthorised manner, if that loss or unauthorised use presents a reasonable risk of harm to affected individuals. Custodians must also take reasonable steps to investigate breaches and keep records of breaches and of any corrective measures taken.

The Ontario PHIPA

Under the Personal Health Information Protection Act, SO 2004 c 3, Sched. A ('the Ontario PHIPA'), when a breach occurs, the health information custodian is required to inform the affected individuals and the Ontario IPC in seven different circumstances:

• the health information custodian has reasonable grounds to believe that personal health information in the custodian's custody or control was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority;
• the health information custodian has reasonable grounds to believe that personal health information in the custodian's custody or control was stolen;
• the health information custodian has reasonable grounds to believe that, after an initial loss or unauthorised use or disclosure of personal health information in the custodian's custody or control, the personal health information was or will be further used or disclosed without authority;
• the loss or unauthorised use or disclosure of personal health information is part of a pattern of similar losses or unauthorised uses or disclosures of personal health information in the custody or control of the health information custodian;
• the health information custodian is required to give notice to a College of an event described in Section 17.1 of the Ontario PHIPA that relates to a loss or unauthorised use or disclosure of personal health information;
• the health information custodian would be required to give notice to a College, if an agent of the health information custodian were a member of the College, of an event described in Section 17.1 of the legislation that relates to a loss or unauthorised use or disclosure of personal health information;
• the health information custodian determines that the loss or unauthorised use or disclosure of personal health information is significant after considering all relevant circumstances, including the following:
  • whether the personal health information that was lost or used or disclosed without authority is sensitive;
  • whether the loss or unauthorised use or disclosure involved a large volume of personal health information;
  • whether the loss or unauthorised use or disclosure involved many individuals' personal health information; and
  • whether more than one health information custodian or agent was responsible for the loss or unauthorised use or disclosure of the personal health information.

The Ontario CYFSA

Under the Child, Youth and Family Service Act of 2017('CYFSA') service providers must notify the Ontario IPC of privacy breaches under certain circumstances. Service providers must submit annual reports to the Ontario IPC detailing the number of times personal information was stolen, lost, used, or disclosed without authority, and used in a manner outside the scope of its information practices.

7. REGISTRATION WITH AUTHORITY

Not applicable.

8. APPOINTMENT OF A SECURITY OFFICER

Under PIPEDA, organisations are required to designate an individual who is accountable for compliance with the obligations contained in the legislation. This individual may be called the 'Privacy Officer.' Privacy Officers provide advice and guidance to senior management and other employees with respect to the treatment of personal information and act as a point of contact for individuals and for the OPC in the context of complaints, access requests, and investigations.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial Services 

Provincial health information privacy legislation

The Canadian provinces listed below have enacted privacy laws specifically addressing personal health information. The following provincial health information statutes require organisations acting as health information custodians to implement reasonable security safeguards and/or to notify regulators and affected individuals of certain breaches:

• Alberta - the Alberta HIA;
• Manitoba - the Manitoba PHIA;
• New Brunswick - Personal Health Information Privacy and Access Act, SNB 2009 c P-7.05;
• Newfoundland and Labrador - the Newfoundland and Labrador PHIA;
• Nova Scotia - the Nova Scotia PHIA;
• Northwest Territories - the Northwest Territories HIA;
• Ontario - the Ontario PHIPA;
• Saskatchewan- Health Information Protection Act, SS 1999 c H-0.021; and
• Quebec – An Act Respecting the Sharing of Certain Health Information, CQLR c P-9.0001.

As personal health information falls into many categories, and may be collected, used, and disclosed by several organisations and institutions for various purposes, it may be subject to different privacy laws across various jurisdictions, such as:

• PIPEDA, at the federal level;
• in some cases, private-sector privacy legislation at the provincial level (i.e. the Alberta PIPA, the BC PIPA, and the Quebec Private Sector Act);
• privacy legislation applicable to the federal, provincial, and territorial public-sector; and
• in some provinces and territories, legislation dealing specifically with health information protection.

See sections 1.1, 5, and 6 for summaries of most of these requirements.

It is possible that in certain situations, there may be more than one law that applies and in others, there may not be any applicable privacy law.

Publicly-funded hospital, long-term care facility, or home-care service

Hospitals, long-term care facilities, and home care services that are publicly funded are not considered to be engaged in commercial activities nor are they federal government institutions. As such, Canada's federal privacy laws do not apply to their core activities, namely, the provision of health care services. Personal information handling practices of such provincial and territorial public sector institutions will therefore be subject to privacy legislation applicable to the provincial and territorial public sector.

Private medical clinics, long-term care facility, nursing home, retirement residence, or home-care service

Privately funded medical clinics, long-term care facilities, nursing homes, retirement residences, and home care services are generally considered to be conducting commercial activities and therefore PIPEDA would likely apply to their personal information handling practices unless substantially similar legislation exists within the province or territory.

In British Columbia, Alberta, Quebec, Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador, there are specific private sector and/or health sector laws that have been deemed substantially similar to PIPEDA which apply to private health organisations instead of PIPEDA.

Saskatchewan, Manitoba, Yukon, and the Northwest Territories have enacted personal health information legislation that could apply to private health organisations operating in those jurisdictions. However, because these health laws have not been declared substantially similar to PIPEDA, and they do not replace PIPEDA obligations. PIPEDA continues to apply concurrently (at the same time) as these other laws.

There is no specific private sector or health sector legislation in place in Prince Edward Island or Nunavut. Accordingly, PIPEDA will apply to privately funded health care facilities.

Employment

Cybersecurity practices applicable to employees are subject to the privacy laws applicable to their employer:

• if the employer is a federal government institution, the Privacy Act would apply;
• if the employer is a provincial, territorial, or municipal government institutions, the employees will be subject to the personal information handling practices set forth in applicable provincial or territorial laws;
• if the employer is a federally regulated institution, PIPEDA will cover employees and potential employees of federally regulated businesses, including employees of federally-regulated works, undertakings or businesses, such as banks, airlines, and telecommunications companies; and
• if the employer operates in the private sector in British Columbia, Alberta, or Quebec, private-sector privacy legislation at the provincial level will govern the cybersecurity practices for employees.

Education

There are no Canadian privacy laws specifically addressing cybersecurity practices in the educational sector.

Private educational institutions and day-care facilities that are more clearly engaged in commercial activities may be subject to PIPEDA. The OPC will also oversee the personal health information handling practices of a private school or private day-care facility in any province or territory outside British Columbia, Alberta, or Quebec. However, private educational institutions or day-care centres in British Columbia, Alberta, or Quebec are subject to the applicable private sector privacy laws in such jurisdictions.

Educational institutions that are publicly funded are not considered to be engaged in commercial activities nor are they federal government institutions. As such, Canada's federal privacy laws do not apply to their core activities, namely, the provision of educational services. Personal information handling practices of such provincial and territorial public sector institutions will therefore be subject to privacy legislation applicable to the provincial and territorial public sector.

10. PENALTIES

As noted in section 1.2, no privacy commissioner in Canada, at either the federal or provincial level, has the power to independently levy fines or administer monetary penalties.

Rather, commissioners rely on courts of law to administer statutory fines and penalties. The following fines may be enforced by the Federal Court of Canada ('the Federal Court') or a provincial court.

Award of damages arising from non-compliance with a statutory obligation

At the federal level, PIPEDA authorises courts to award damages for a breach of statutory obligations. An individual complainant or the OPC may apply to the Federal Court for a hearing before the Federal Court in respect of any matter referred to in the OPC's report of findings from an investigation.

Failure to report a breach or maintain records as required

Under PIPEDA, failure to properly report a breach of security safeguards can result in a fine of up to CAD 100,000 (approx. €69,830) for each time an individual is affected by a breach. The OPC does not issue the fine. Rather, the OPC refers information relating to the possible commission of the offence to the Attorney General of Canada, who is then responsible for any ultimate prosecution.

11. OTHER AREAS OF INTEREST

OPC on AI

On 28 January 2020, the OPC published its Consultation on the OPC's Proposals for ensuring appropriate regulation of artificial intelligence ('the Consultation Paper'). The Consultation Paper set out several proposals for how PIPEDA could be reformed in order to bolster privacy protection and achieve responsible innovation in a digital era that involves artificial intelligence ('AI') systems.

Accordingly, in the Consultation Paper, the OPC described 11 Proposals for Consideration ('the Proposals'), as follows:

• Proposal 1: Incorporate a definition of AI within the law that would serve to clarify which legal rules would apply only to it, while other rules would apply to all processing, including AI;
• Proposal 2: Adopt a rights-based approach in the law, whereby data protection principles are implemented as a means to protect a broader right to privacy - recognised as a fundamental human right and as foundational to the exercise of other human rights;
• Proposal 3: Create a right in the law to object to automated decision-making and not to be subject to decisions based solely on automated processing, subject to certain exceptions;
• Proposal 4: Provide individuals with a right to explanation and increased transparency when they interact with, or are subject to, automated processing;
• Proposal 5: Require the application of Privacy by Design and Human Rights by Design in all phases of processing, including data collection;
• Proposal 6: Make compliance with purpose specification and data minimisation principles in the AI context both realistic and effective;
• Proposal 7: Include in the law alternative grounds for processing and solutions to protect privacy when obtaining meaningful consent is not practicable;
• Proposal 8: Establish rules that allow for flexibility in using information that has been rendered non-identifiable, while ensuring there are enhanced measures to protect against re-identification;
• Proposal 9: Require organisations to ensure data and algorithmic traceability, including in relation to datasets, processes, and decisions made during the AI system lifecycle;
• Proposal 10: Mandate demonstrable accountability for the development and implementation of AI processing; and
• Proposal 11: Empower the OPC to issue binding orders and financial penalties to organisations for non-compliance with the law.

After the consultation ended in March 2020 and based on the feedback, the OPC published ,on 12 November 2020, the following documents:

• the Regulatory Framework for AI: Recommendations for PIPEDA Reform; and
• the Consultation on Artificial intelligence.

Critical Information Infrastructure Operators

There are currently no cybersecurity requirements specific to critical information infrastructure operators. The CSE Act tasks the newly formed CSE with protecting the information infrastructure of federal institutions and critical non-federal institutions.

Additionally, the federal Ministry of Public Safety and Emergency Preparedness has identified the ten industries/sectors listed below as being part of Canada's 'critical infrastructure:

• health;
• food;
• finance;
• water;
• ICT;
• safety;
• energy and utilities;
• manufacturing;
• government; and
• transportation.

It expects organisations operating in these sectors to implement and maintain robust cybersecurity measures.

Operator of Essential Services

Not applicable.

Cloud Computing Services

There are currently no cybersecurity requirements specific to cloud computing services. However, the OPC has published guidance on the privacy risks arising from cloud computing services. While non-binding, the OPC's guidance on cloud computing services sets out the OPC's views on the risks inherent in the use of cloud computing services. Organisations should review the OPC guidance because the OPC's stated view of the risks inherent in the use of cloud computing services will guide its assessment of organisations' privacy practices during any potential investigation.

Digital Service Providers

The term 'digital service provider' is not defined under Canadian privacy or data protection laws. Digital service providers are treated the same way as any other third-party service providers. PIPEDA requires organisations to use contractual or other means, when using third party service providers, to ensure a comparable level of protection of personal information.

Imran Ahmad Senior Partner
[email protected]
Norton Rose Fulbright Canada LLP, Toronto