Cybersecurity, Privacy and Data Protection VI – Privacy Protection

In this blog series, we share the sections Business Transactions, Personal Health Information, Penalties, Canadian Anti-Spam Legislation and Policy Initiatives in Canada of a Privacy Program, taken from the chapter Cybersecurity, Privacy and Data Protection of our publication Cross-Border Retailers Guide to Doing Business in Canada 2021.

We hope you find it informative. For more information, please contact Joyce Lee, Michael Scherman and Jade Buchanan.

Business transactions

Brands that acquire or invest in other businesses, or that may be acquired or are seeking investment, have an increased need to consider privacy. Potential buyers and investors may carefully review the target organization’s privacy policies and practices, increasing the need for a robust compliance program. As a potential buyer, an organization must ensure that it does not acquire an organization that has bad practices, an unknown data breach, or unusable personal information due to a lack of consent.

The transaction itself may involve the disclosure of personal information from the buyer to the seller, including in the due diligence phase. Although disclosure generally requires consent, there are legal exemptions to the consent requirement for disclosure for the purposes of due diligence and completion of the transaction. However, the exceptions are conditional on meeting certain requirements, which may include notifying persons after closing and including certain provisions in the transaction documents.

Personal Health Information

Due to its sensitive nature, personal health information may be subject to different or additional standards or laws. Some provinces (namely Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador) have medical information legislation that supersedes (and applies in place of) general privacy legislation applicable in the province with respect to personal health information. Some other provinces have also enacted personal health information protection laws, except that they operate alongside the general personal information protection law applicable in the province (and in those provinces, the two laws may apply to personal health information in the province). The personal health information landscape in Canada is more complex than in other regions. Brands must therefore consider whether the information they process constitutes personal health information and determine which laws apply to their particular situation.


Penalties

Failure to comply with privacy laws may result in orders and fines issued by the applicable provincial or federal privacy commissioner. Privacy Commissioners can choose to investigate a matter on their own initiative or because of a complaint filed. Depending on the industry, other regulators may be involved in privacy matters, including securities, financial institutions, and public health regulators.

In addition to regulatory enforcement, those affected by privacy breaches can pursue legal action as individuals or as members of class actions. The cause of action available to injured parties will depend on the laws of the applicable province. British Columbia, for example, has a tort for invasion of privacy that requires deliberate intent but does not require proof of harm, while Ontario has a common law tort for invasion of life privacy that applies to general personal information.

Several consumer class action lawsuits have been filed in Canada over a data incident, including specific claims against consumer product manufacturers related to excessive collection by their internet-connected devices and by employees whose personal information has been lost or stolen. These actions have not yet been fully considered by Canadian courts and therefore questions regarding the legal validity of the causes of action advanced and the scope of possible damages remain wide open. It’s also possible that a breach of an organization’s data could lead to legal action by its shareholders alleging that the organization’s ongoing public disclosure about the state of its cybersecurity systems was misleading. Such a shareholder class action has not yet been brought in Canada.

Consumer and shareholder class actions will almost always be brought in provincial courts (as opposed to federal courts), and it’s possible that a brand’s data incident could result in multiple Canadian class action lawsuits spanning different provinces where people have been affected. In light of the complexity of privacy laws and the differences between the various laws that may apply to a particular organization or business unit, ensuring privacy compliance in an organization’s services can be challenging, especially for organizations that operate globally. Organizations should also keep in mind that in addition to fines, orders, and private actions, a data incident due to deficient privacy practices can risk reputational damage that results in additional financial loss.

Canadian anti-spam law[1]

Canada has legislation that specifically addresses the sending of commercial electronic messages. This also applies to the installation of computer programs, which can be a trap for unwary device manufacturers.

See E-commerce. For a detailed explanation of CASL, see our Anti-Spam Toolkit available on our website.

Privacy Law Reform Initiatives in Canada

Several very significant legislative initiatives are underway in Canada to amend or replace key privacy laws, including:

  • Federal Bill C-11, introduced in November 2020, which would replace PIPEDA with a new “Consumer Privacy Act” and “Personal Information and Data Protection Tribunal Act”; and

  • Quebec Bill 64, introduced in June 2020, which would overhaul current Quebec law on the protection of personal information in the private sector.

There are also other reform initiatives that are being discussed by various governments in Canada. The ultimate fate of these bills and initiatives remains to be determined, but it seems likely that Canada’s privacy legislative framework will change significantly in the months and years to come.

Brands operating or selling, or considering operating or selling, in Canada can visit McCarthy Tétrault’s Cybersecurity, Privacy and Data Protection Legislation blog to keep up to date with new developments and advancements in policies.


[1] An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage the use of electronic means for carrying on commercial activities and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

About Sandra A. Powell
