In this series of blogs, we will share one of the chapters, Cybersecurity, Privacy and Data Protection of our publications: Cross Border Retailers Guide To Doing Business in Canada 2021.

We hope you will find it informative. For more information, please contact Joyce Lee, Michael Scherman and Jade Buchanan.

CYBERSECURITY, PRIVACY AND DATA PROTECTION

With limited exceptions, all businesses engaged in commercial, for-profit activity in Canada are subject to privacy legislation that regulates the collection, use and disclosure of personal information. Data will constitute “personal information” when it can be used to identify an individual, whether on its own or in combination with other pieces of data.  Personal information can include “indirect” or “inferred” information, such as a customer’s spending patterns or shopping habits, and can be in any format, including voice recordings and video surveillance records.

A Patchwork of Legislation

There are several laws in Canada that relate to privacy rights and the collection, use, and disclosure of personal information. By default the handling of personal information by retailers is governed by the Personal Information Protection and Electronic Documents Act¹ (PIPEDA), a federal act enforced by the Office of the Privacy Commissioner of Canada (OPC). However, PIPEDA will not apply where a province has enacted privacy legislation that is deemed substantially similar to PIPEDA, in which case the province’s legislation will apply instead of PIPEDA for actions that take place entirely within its borders (with some exceptions). This is the case in British Columbia, Alberta, and Québec.

PIPEDA compliance will likely be a cross-border retailer’s first step in adapting their privacy framework to Canada, but provincial laws may apply, particularly for brick and mortar stores in British Columbia, Alberta, and Québec.

1.  Personal Information Protection and Electronic Documents Act, SC 2000, c 5