Privacy Canada is community-supported. We may earn a commission when make a purchase through one of our links. Learn more.

20 Facts About Canadian Data Privacy You Should Know


Ludovic Rembert —

Last Updated on

Data privacy is something that no one can afford to ignore.

From the electronic data that people store at home or in a cloud to the information that is found in business networks, making sure that only those who need to see the data matters. So, it is also recommended to get the best home security system for further protection.

Data protection system character conceptWhile much of the responsibility for protecting your data must be managed by you, Canada has laws that also provide many forms of protection and redress.

Have you ever wondered how data privacy is managed in Canada? What laws or provisions are made to protect data from being stolen, altered, or otherwise used in a way that the individual or business owner never intended?

Here are some basic facts about data privacy in Canada that will help you understand what’s being done to provide protection and in some cases deal with those who would seek to steal, corrupt, or use data for their own purposes.

1. There are Two Federal Privacy Acts in Canada

While there are a number of laws designed to protect privacy in general, there are two in particular that you should know.

The Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act are both administered by the Office of the Privacy Commissioner of Canada.

pipeda and implications

Between the two acts, they cover a wide range of privacy concerns related to the management of data, including data collected or stored by telecommunications, health care, banking, and internet service providers of all types.

2. PIPEDA Protects Data on National and International Levels

PIPEDA includes provisions for protecting data related to many types of business transactions (Read more about it here). That includes transactions conducted on an international as well as a domestic level. This means that companies not based in the country but have significant presence are required to comply with the provisions found in this law.

3. The Privacy Act and Federal Use of Personal Information

The Privacy Act identifies how a government entity can utilize the personal information of a Canadian resident. There are also provisions related to what steps the entity must take in order to protect the data once it’s obtained. This includes taking reasonable precautions about data breaches that could impact any resident residing in any province.

privacy complaint diagram

Consider the type of data that is found about you in federal databases. Financial data, work history, addresses, and even data about your health is kept on file. (Read more)

The Privacy Act ensures the proper measures are taken to prevent anyone who would seek to use that data for their own purposes from being able to obtain it.

4. PIPEDA Was Amended in 2015

Since originally becoming law on 1 January, 2004, PIPEDA has undergone some changes. What’s known as the Digital Privacy Act of 2015 amended PIPEDA to cover the growth of Internet commerce, communication options, and other tasks that would of necessity involve collecting and sharing data. Those provisions went into full effect in 2018.

The amendments did not weaken any of the protections already provided by PIPEDA. Instead, they broadened the range of protections afforded under this Act. Both individuals as well as business entities ultimately benefit from these additional provisions.

5. Canada Participates in the Five Eyes Agreement

five eyes nationThe Five Eyes Agreement is a reciprocal alliance between five nations to share information in the event some sort of major security issue arises. This includes information collected from individuals as well as businesses and other types of entities.

The five nations who participate in this alliance are Australia, Canada, the USA, the United Kingdom, and New Zealand.

Keep in mind that the Five Eyes Agreement does not prohibit the establishment of similar alliances by Canada or the other four nations with other countries around the world. What it does establish is a working agreement that data can be shared for security purposes among any and all of these five nations.

6. Canada and Mandatory Breach Notifications

One of the amendments spelled out in the newer Digital Privacy Act has to do with notifying residents when their personal data is compromised. That includes data theft as well as altering the data for purposes of incrimination or other illegal actions. In years past, there were provisions that protected consumers up to a point, but not as thoroughly as the new law that went into effect in 2018.

Prompt notification by businesses, financial institutions, and even non-profit organizations that personal data has been breached allows the consumer to take action sooner rather than later. The timely notifications make it possible to close accounts, prevent new ones from being opened by unauthorized parties, and in general minimize the damage done by the breach.

7. Provinces Also Have Data Privacy Laws

All Canadian provinces have enacted laws related to data privacy. These laws operate in conjunction with federal legislation and are periodically updated. With the amendments to PIPEDA that went into effect in 2018, the combination of provincial and federal protections for citizens and business entities is greater than at any time in the past. (Read more about it)

8. International Companies May be Subject to PIPEDA

compliance with pipeda

Companies that are headquartered in other countries but operate facilities or transact what is considered significant business volume in Canada may be required to comply with all or at least portions of current data privacy laws. The specific provisions or the degree of compliance may vary based on the nature of the business and/or services provided to Canadian residents.

Consumers who are concerned about how Canadian laws apply to any international company they supply with personal data can read the texts of those laws online. Doing so provides a better idea of what can and can’t be done in the event of some sort of breach of privacy.

9. PIPEDA Applies to Private as Well as Public Companies

Canada’s primary laws related to data protection and privacy apply to all sorts of business entities as well as most non-profit agencies. That means everything from a private enterprise to a publicly traded corporation would be subject to those laws.

10. The Privacy Act Does Not Apply to Data Collected by Individuals for Personal Use

Data that individuals collect for use in the home or in the conduct of their private affairs is not typically covered under the provisions of federal or provincial law. There are some exceptions, especially if the data is ultimately used for actions that are considered criminal.

Legal experts can help individuals understand how current laws relate to their personal data that they maintain in home networks, cloud storage, and other venues.

11. Employers Can Review Activity on Company-Owned Devices

While employees are under no obligation to allow employers access to data on their personal devices, the same is not true when it comes to devices issued to employees for the purpose of conducting business and evaluating employee productivity.

productivity loss chart

As the legal owners of those devices, employers are free to inspect them at any time. That includes downloading histories and reviewing other types of online activity.

12. That Includes Email and Text Messages

Employers are free to monitor and read any email communications that are sent or received using a company-issued email address. The same is true for any text messages that are sent and received on a company-owned smartphone.

Current laws consider those communications to be the property of the employer and not the property of the employee.

13. As Well as Browser Activity

browser activity vector imageEmployers also have the right to review all Internet browsing activity that is conducted using company-owned devices. Along with activity logs found on the individual devices, all logged activity that’s recorded on company servers may be reviewed at any time.

When activity is found that is not connected with an employee carrying out his or her assigned duties, the employer has the right to suspend or take other punitive action against the employee, up to and including terminating his or her employment.

14. That Includes Activity Conducted on the Company’s VPN

The right of the employer to monitor activity conducted using company devices is not limited to the office. If an employee works remotely and connects to the company’s primary server using the employer’s Virtual Private Network, all communications, browsing activity, and other types of actions are subject to review by the employer.

The better VPNs offering services in Canada make it easier for employers to monitor all activity while still protecting the data from unauthorized access. Unauthorized use of company data or any any customer data that is considered proprietary can be used as a basis for ending the employment arrangement.

15. Penalties for Data Theft or Manipulation Vary

The penalties associated with accessing unauthorized data, copying or otherwise stealing the data, or manipulating it in any way can incur a wide range of penalties.

That’s partially because of the severe consequences that result from being the victim of a data theft or a breach.

consequences of data breach

Potential penalties include a termination of Internet services, fines, arrest, or other legal ramifications. Employees who misuse proprietary data may be demoted or lose their jobs.

16. VPN Usage is Lower in Canada

While interest in Virtual Private Networks as a way to strengthen protections from data theft and abuse has grown, the actual use of VPN as part of a company’s online strategy remains comparatively low in Canada. Businesses in other nations are also not expanding their use of VPNs in great numbers. That includes business owners in Australia, Japan, and Poland.

There is some perception that VPNs are illegal in Canada. That’s not the case. In fact, Canada is one of the nations where any VPN service that is properly licensed to operate in the country and complies with current laws about data protection and privacy is welcome.

17. Personal and Business Use of VPN is Growing

While it’s true that the use of personal and business VPNs is not at the same pace as in other nations, there is small but consistent growth in the number of consumers and businesses choosing to make use of VPN services. This is expected to continue in the next couple of years as threats to online data privacy increase and may see a year over year growth depending on how successfully can VPN services market themselves as a means of protecting data and the identities of users.

18. Theft of Data Can Result in Civil as Well as Criminal Charges

canada cybersecurity

While some instances of data breaches, theft, or misuse may be managed as an in-company issue, there are times when criminal charges are filed. This is especially likely when proprietary data like customer lists, research and development documents, and similar information is copied, altered, or stolen. Along with the criminal charges, the victims of the criminal activity may choose to pursue civil charges against the responsible parties.

19. More Regulations are on the Horizon

While Canada’s efforts to provide greater protections for personal and corporate data are commendable, politicians continue to propose new legislation on a provincial as well as a federal level. This is partly due to the continued evolution of online communications and the increasing use of multiple approaches to storing sensitive data.

20. Even as Older Laws are Refined to Account for Emerging Technology

New laws are not the only way that officials are seeking to increase the level of protection from data abuse and theft. Current laws are considered to be excellent as far as they go, but may or may not have provisions that keep up with developing technology. For this reason, there’s a good chance that new amendments to existing laws are going to be proposed and eventually adopted.

Residents can remain abreast of any pending legislation by visiting provincial as well as government sites. This provides the opportunity to read the text of those proposed laws and get an idea of what they would accomplish if signed into law.

Understanding the Protections That are In Place Today

Would you like to know more about data privacy laws and regulations that apply throughout the country or perhaps in a particular province? There are a number of governmental agencies that have the information you seek as well as authoritative sites that help you compare laws that apply in multiple nations.

data protection laws by country

Take some time getting to know more about what those laws mean for you, how to go about protecting your own data, and why implementing reasonable safeguards now will make a difference tomorrow. Getting the best free VPN may even be a temporarily better option than having no VPN.

Don’t assume that no one is interested in your online data or that your small business will not attract attention from a hacker. Take the time to learn more about the protections offered to Canada residents as well as the software options for the best in Internet security.

Test the strength of your VPN in terms of performance and protecting your data. Knowing your rights and taking the proper steps to protect your data will go a long way toward preventing you from becoming another statistic.