Canadian courts have relied on rights contained in the Canadian Charter of Rights and Freedoms to protect citizens against unreasonable invasions of privacy. Personal data protection is primarily regulated on the federal level by the Personal Information Protection and Electronic Documents Act (PIPEDA), but existing provincial-level statutes may take precedence over the federal law.
PIPEDA has adopted ten privacy principles, which include obligations as well as recommended practices. These principles regulate privacy issues in respect to consent, transparency, security measures, and data retention. Though there are no specific rules for regulating social networks, smartphone apps, and other online activities, PIPEDA applies to the online activities of companies such as Facebook and Google.
PIPEDA doesn’t offer any specific provisions on protecting the personal data of minors. However, new reform proposals are being considered to strengthen the law in this area.
Oversight and enforcement of PIPEDA is shared between the Privacy Commissioner of Canada and the Federal Court of Canada. The Privacy Commissioner has authority to (1) investigate complaints filed by individual citizens, (2) mediate privacy disputes, (3) audit personal information practices of organizations, (4) report on abuses or violations of PIPEDA, (5) seek remedies in Federal Court, and (6) publish research and promote public awareness on privacy issues. The Federal Court of Canada, on the other hand, can order organizations to comply with PIPEDA, publish notices or corrections, and award damages.
PIPEDA has predominantly attracted criticism from scholars and other commentators over its weak oversight and enforcement mechanisms. The general nature of the Act’s provisions has also been criticized. Public surveys prior to and after the passing of PIPEDA reveal that Canadians have consistently shown a high level of interest and concern over privacy issues.
Canadian courts have interpreted various sections of the Canadian Charter of Rights and Freedoms, including the right to life, liberty, and security, and the protection against unreasonable search and seizure, as protecting against unreasonable invasions of privacy. Moreover, the Supreme Court of Canada has recognized the essential role of privacy in a democratic state, stating that
society has come to realize that privacy is at the heart of liberty in a modern state. . . . Grounded in a man’s physical and moral autonomy, privacy is essential for the well- being of the individual. . . . The restraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state.
On the federal level, Canada has two major pieces of data protection legislation. The Privacy Act 1980 was the first law adopted to regulate the collection, use, and disclosure of personal information by public or government bodies. However, as noted by the PRIVIREAL (Privacy in Research Ethics & Law) project, “rapid advances in information technology and the pressure to conform to European standards to facilitate cross-continental trade meant that new legislation was soon required.”
The Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the private sector. PIPEDA provisions are general in nature, and are not limited to online-related activities. PIPEDA does not apply to “organizations” subject to the federal Privacy Act or that are regulated by the public sector at a provincial level, nor to non-profit organizations and charitable activities, unless they are of a “commercial” nature, as defined by PIPEDA (see section II, “Current Law”). Similarly, it does not cover employment data used for noncommercial purposes other than that relating to employees in the federally regulated private sector.
The Act was passed by Parliament in 2000, but was implemented in three stages before it fully came into force on January 1, 2004. PIPEDA seeks to “support and promote electronic commerce by protecting personal information that is collected, used or disclosed” in the course of commercial transactions in the private sector. According to an assistant professor of law, TinaPiper, “[t]he Act was promulgated as a result of the inadequacy of the [prior] privacy regime in Canada to protect personal information in the private sector.” Another principal aim of the law was to bring Canada’s privacy legislation into conformity with the European Union’s directive on data protection, Council Directive 95/46/EC. The Directive prohibits EU member states from trading personal data with countries that do not ensure an “adequate level” of privacy protection, “protection equal to or greater than provided by the Directive.” In 2002, the European Commission confirmed that “Canada is considered as providing an adequate level of protection for personal data transferred from the Community to recipients subject to the Personal Information Protection and Electronic Documents Act” in accordance with Council Directive 95/46.
The provinces of British Columbia, Alberta, and Quebec have their own privacy legislation regulating the private sector. Moreover, Alberta, Saskatchewan, Manitoba, Ontario, and New Brunswick have private sector laws relating specifically to health information.
Pursuant to section 26(2) of the Act, the federal cabinet has the power to grant organizations an exemption for activities covered by provincial privacy legislation: the Governor in Council can issue an order,
if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt[ing] the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province.
However, organizations or activities would only be exempted for transactions occurring within the province, and PIPEDA would still apply for interprovincial and cross-border activities.
PIPEDA is divided into two parts. The first part regulates the collection, use, and disclosure of personal information in the private sector. The second part deals with electronic documents and evidence.
Under PIPEDA “‘personal information’ may not be collected, used or disclosed in the context of a ‘commercial activity’ without the consent of the individual to whom the information relates.”  The Act defines personal information as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization” commercial activity as “any particular transaction, act or conductor any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”; and organization as “a termthat includes persons, associations, partnerships and trade unions.”  According to the Industry Canada website, maintained by the Canadian Minister of Industry, “[t]he term ‘persons’ includes corporations as well as individuals.”
Schedule 1 of the Personal Information Protection and Electronic Documents Act sets out a list of ten principles that organizations “must follow when collecting, using and disclosing personal information in the course of commercial activity.” These principles were originally laid down in the Canadian Standards Association Model Code for the Protection of Personal Information. The principles “contain both mandatory obligations that must be complied with as well as recommended practices that should be adopted.” The PIPEDA principles, as summarized in an Industry Canada FAQ, are as follows:
- Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
- Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
- Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
- Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
- Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
Principle 3 stipulates that “knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.” The organization must “make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.” Consent must be obtained before or at the
time of collection, as well as when a new use of the personal information is identified. Both the way in which an organization seeks consent and the form of the consent sought by the organization “may vary, depending on the circumstances and the type of information collected.” If the information is considered sensitive, the organization should seek express consent from the individual;“[i]mplied consent would generally be appropriate when the information is less sensitive.” Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
Individuals can give consent in many ways. For example,
- (a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
- (b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
- (c) consent may be given orally when information is collected over the telephone; or
- (d) consent may be given at the time that individuals use a product or service.
The Act also stipulates certain specific circumstances or exceptions in which a private sector organization may collect, use, or disclose personal information where knowledge or consent is not required. According to section 5(3), “[a]n organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”
Principle 8 requires organizations to be open about their management of personal information: “An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.” Organizations should be “open about their policies and practices” and individuals should be “able to acquire information about an organization’s policies and practices without unreasonable effort.” Moreover, the information must be made “available in a form that is generally understandable” and must include
- (a) the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
- (b) the means of gaining access to personal information held by the organization;
- (c) a description of the type of personal information held by the organization, including a general account of its use;
- (d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and
- (e) what personal information is made available to related organizations (e.g., subsidiaries).
No particular method is prescribed for how an organization should make its policies and practices available. Instead, the principle stipulates that it can be “available in a variety of ways,” depending on the “nature of its business and other considerations.” For example, principle 8 advises that “an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.”
In addition, principle 2 requires that the “purpose for which personal information is collected” is identified by the organization “at or before the time the information is collected.” The purpose has to be documented in order to comply with the above openness principle. Moreover, “[w]hen personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use.” The principle also requires that the identified purposes should be specified to the person from whom the personal information is being collected, either “orally or in writing.”
C. Safeguards and Security Measures
Principle 7 requires that personal information must be “protected by security safeguards appropriate to the sensitivity of the information.” The measures must protect against “loss or theft, as well as unauthorized access, disclosure, complying, use or modification” and “regardless of the format in which [the information] is held.” Principle 7 states:
The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.
The principle requires due care in the process of “disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information,” and stipulates certain methods of protection, which should include
- (a) physical measures, for example, locked filing cabinets and restricted access to offices;
- (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
- (c) technological measures, for example, the use of passwords and encryption.
Organizations are also required to “make their employees aware of the importance of maintaining the confidentiality of personal information.”
D. Anonymity and Data Retention
The implementation of guidelines and procedures for retention of personal information appears to be a recommendation rather then a statutory requirement. According to principle 5,
[o]rganizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.
Furthermore, personal information “that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous.” The only requirement appears to be that “[o]rganizations shall develop guidelines and implement procedures to govern the destruction of personal information.”
E. Protection Related to Social Networking and Other Online Activities
Besides the general obligations and guidelines stipulated in Schedule 1 of PIPEDA, there do not appear to be specific regulations on data protection in respect to social networking, smartphone applications, or geographic data. However, according to a report by the current Privacy Commissioner, Jennifer Stoddart (more on the role of the Privacy Commission can be found in section III of this report), “PIPEDA would apply to the personal information handling practices of private sector organizations engaged in online tracking, profiling and targeting, and cloud computing.” The Privacy Commissioner has been particularly critical of the role of social media websites. While testifying before a House of Commons committee, she stated, “I have become very concerned about the apparent disregard that some of these social media companies have shown for Canadian privacy laws.” She also said, “We have very limited power in that regard, and I believe more respect would be shown to Canada’s laws if we did have that power.”
In 2010, an investigation by the Office of the Privacy Commissioner found that Facebook violated Canadian privacy law, and this led to significant changes in the social networking company’s privacy policies. More recently, Stoddart has released additional findings of three complaint investigations involving Facebook and stated that Facebook “has shown greater awareness of users’ privacy rights.” However, she affirms that the company “still needs to do a better job of considering privacy issues before rolling out new features.”
Google has also faced investigations in respect to its former social networking feature Google Buzz and its Street View feature. The Privacy Commission found Google in breach of Canada’s privacy laws “after being made aware that Google Street View cars had been collecting payload data from unencrypted WiFi networks during their collection of publicly broadcast WiFi signals.” Google was also chastised by the Privacy Commissioner when it automatically integrated its Google Buzz feature with its email service. According to a letter cosponsored by the Privacy Commissioner, concern was raised that the personal information of Google’s email users “was being disclosed.” According to the letter, “Google automatically assigned users a network of ‘followers’ from among people with whom they corresponded most often on Gmail, without adequately informing Gmail users about how this new service would work or providing sufficient information to permit informed consent decisions.”
F. Data Protection and Minors
In Canada, there is no legislation that deals specifically with children’s privacy or data protection, nor are there specific provisions in PIPEDA that address this issue. A report by the Office of the Privacy Commissioner has noted that the “average age of children who use the Internet appears to be dropping, and the implications on their privacy need careful attention from public policy makers. . . . Many experts have stated that ensuring children’s personal information is protected is an area that needs more attention.”
According to the Office of the Privacy Commissioner, consent for a minor, for the purposes of PIPEDA, may be obtained from a legal guardian.
Currently, proposed amendments to PIPEDA “include measures to better protect the privacy of minors online.” There is a proposal to expand the requirements for consent by placing “an additional onus on the organization collecting, using or disclosing information to ensure that the person providing the information ‘understands’ that he or she is providing the information and the manner in which it may be used.” The provision is expected “to provide increased protection to minors due to the fact that it is . . . expected that an individual’s capacity to understand will vary with age.”
In 2011, Canada’s Privacy Commissioner unveiled a series of new guidelines “for advertisers designed to restrict how marketers can track users, including children, on the Internet.”
The Federal Court of Canada can only provide civil remedies or damages for violations of PIPEDA provisions. There are no criminal sanctions or offenses under the Act.
H. Anti-Spam Legislation
Anti-spam legislation was recently passed that targets spam, unwanted commercial email, spyware, malware, and phishing. Bill C-12 also provides for a private right of action, which would allow individuals to take civil action against violators. Moreover, under the new law, the Canadian Radio-television and Telecommunications Commission (CRTC) and Competition Bureau can impose penalties on individuals and businesses.
III. Role of Data Protection Agencies
Enforcement of data protection laws is the responsibility of the Privacy Commissioner and the Federal Court of Canada. The Privacy Commissioner of Canada is a federal ombudsman established to investigate privacy complaints against both public and private bodies. The Privacy Commissioner was established under the Privacy Act, which came into force on July 1, 1983. With the enactment of PIPEDA, the Privacy Commissioner was given authority to investigate complaints against private organizations.
The Commissioner’s powers to further the privacy rights of Canadians include
- investigating complaints, conducting audits and pursuing court action under two federal laws;
- publicly reporting on the personal information-handling practices of public and private sector organizations;
- supporting, undertaking and publishing research into privacy issues; and
- promoting public awareness and understanding of privacy issues.
PIPEDA does not give complainants the automatic right to sue for violations of the obligations stipulated under the Act. Under Section 11(1) of PIPEDA, “[a]n individual may file with the Commissioner a written complaint against an organization for contravening” a provision or obligation under the Act. Moreover, “[i]f the Commissioner is satisfied that there are reasonable grounds to investigate a matter,” he or she may initiate the complaint.
According to PIPEDA,
[t]he Commissioner shall conduct an investigation in respect of a complaint, unless the Commissioner is of the opinion that
- (a) the complainant ought first to exhaust grievance or review procedures otherwise reasonably available;
- (b) the complaint could more appropriately be dealt with, initially or completely, by means of a procedure provided for under the laws of Canada, other than this Part, or the laws of a province; or
- (c) the complaint was not filed within a reasonable period after the day on which the subject matter of the complaint arose.
A decision to not review a complaint can be reconsidered if the complainant provides compelling reasons to do so. Also, the Commissioner may discontinue an investigation for a number of reasons, for example if there is insufficient evidence to pursue the investigation or if the complaint is trivial or frivolous.
After concluding the investigation, the Commissioner is required to produce a report of findings and recommendations, which must be sent to the complainant and the organization. It should be noted that the Commissioner has no authority to order compliance, award damages, or impose penalties. However, under section 14 of the Act, “[a] complainant may, after receiving the Commissioner’s report or being notified . . . that the investigation of the complaint has been discontinued, apply to the Court [Federal Court of Canada] for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report.” The Act furthermore provides the Federal Court of Canada the authority to order an organization to “correct its practices”; “publish a notice of any action taken or proposed to be taken to correct practices”; and “award damages to the complainant, including damages for any humiliation that the complainant has suffered.”
In testimony referred to earlier in the report, Privacy Commissioner Stoddart informed the House of Commons committee that Canada’s Personal Information Protection and Electronic Documents Act is far too weak and reforms are necessary to provide stricter penalties and fines.
IV. Court Decisions
The first time the Federal Court of Canada awarded damages under PIPEDA was in the case of Nammo v. TransUnion.  The landmark decision signaled “the court’s willingness to  award damages for privacy violations in certain egregious circumstances.”85
Canadian courts have noted that PIPEDA “was not intended to apply extra- territorially,” with the Federal Court holding that “Parliament cannot have intended that PIPEDA govern the collection and use of personal information worldwide.” However, the Court held that PIPEDA “could still cover foreign entities that either receive or transmit communications to and from Canada, and that collect and disclose personal information about individuals in Canada.”
In another significant ruling, State Farm Mutual v. Privacy Commissioner, the Federal Court of Canada held, as summarized by the Office of the Privacy Commissioner, that “State Farm was not engaged in ‘commercial activities’ when it collect[ed], use[d] or disclose[d] personal information in the course of defending its insured against litigation,” and hence is not subject to PIPEDA.
V. Scholarly Opinion and Commentary
According to legal scholar Jeremy Warner, PIPEDA has “attracted criticism over its level of generality and over ineffective oversight and enforcement mechanisms.” Other criticisms include the lack of a reporting mechanism that would require a company to report a privacy breach to the Privacy Commissioner’s Office or to consumers. The Privacy Commissioner has noted that “with barely any penalties for breaching provisions in PIPEDA, there is little incentive for companies to invest in better data protection systems.”
Commentators have criticized the overlap between the role of Privacy Commissioners at the federal and provincial level, since “this apparent overlap is likely to create a degree of confusion over which body—federal or provincial—has jurisdiction where data flows outside a province are concerned.”
Certain scholars have also shown disapproval of Canada’s approach to data protection, and PIPEDA in particular, for putting business interests ahead of privacy rights. According to Tina Piper, the serious concerns of Canadians in respect to the “proliferation and commercial importance of personal information” was not adequately addressed by PIPEDA. Business interests and “the characterization of privacy in market terms rather than in the language of human rights and long-term policy objectives” prevented Canadians’ concerns from being adequately addressed.
Other scholars have assessed Canada’s data protection laws by looking at how they embody different personal rights. The Canadian legal framework for privacy, in comparison to the ones in the US and Europe, takes the middle ground between conceptualizing privacy protection as protecting personal autonomy and protecting personal dignity (the individual’s right to control access to personal identifiable information).
VI. Public Opinion
According to Tina Piper, “[p]ublic surveys of Canadians have consistently revealed a remarkably high level of concern over the issue of privacy.” Prior to the enactment of PIPEDA in 2000, several reports, surveys, and polls indicated serious apprehension over the issue of privacy and data protection. A 1992 Canadian Privacy Survey by Ekos Research found that 92% of the three thousand Canadians interviewed “believed privacy to be an important issue and that 60 percent believed they have less personal privacy now than a decade ago.” A 1994 Gallup Canada survey conducted by Andersen Consulting showed that “over 80 percent of the Canadians polled expressed concern about the personal information about them that might be collected by companies through the information highway.” Another study by Ekos in 1998 revealed that “94 percent of Canadians believe it is increasingly important to have safeguards for personal information on the Internet. Canadians, moreover, are becoming much more knowledgeable about privacy issues.” Piper notes that “[t]hese studies suggest a pervasive belief that personal privacy is under siege from a range of technological, commercial and social threats and that something must be done about it.”
A 1997 study, conducted by the House of Commons Standing Committee on Human Rights, attempted to gauge public opinion of privacy by having surveyors travel across the country and hold meetings with citizens. According to the study,
Canadians see privacy . . . not just as an individual right, but as part of our social or collective value system. As we struggled with the impact of new technologies on our understanding of privacy, we realized that, ultimately, we were talking about what kind of society we want for our future. Canadians view privacy as far more than the right to be left alone, or to control who knows what about us. It is an essential part of the consensus that enables us not only to define what we do in our own space, but also to determine how we interact with others—either with trust, openness and a sense of freedom, or with distrust, fear and a sense of insecurity.
The study concluded that “we could not but be amazed by the degree of consensus that emerged in each of our meetings . . . they [citizens] all believe that privacy matters.”
According to a more recent survey, published in a 2011 report issued by the Office of the Privacy Commissioner of Canada, “[p]rivacy protection is seen as important but perhaps not an issue Canadians feel they have control over.” According to the report,
[a]lmost two thirds of Canadians (65%) agreed that protecting the personal information of Canadians will be one of the most important issues facing the country in the next ten years. . . . Six in ten Canadians agreed that they felt they had less protection of their personal information in their daily lives than they did ten years ago. . . . Most Canadians did not feel confident that they had enough information to know how new technologies might affect their personal privacy: While 43% said they did have enough information about this, three in ten (31%) said they did not, while a quarter (24%) neither agreed nor disagreed with this premise.
According to the same report, “[t]he awareness of federal privacy institutions and privacy laws remains steady. . . . Most felt that their knowledge of personal privacy rights under the laws protecting their personal information was either poor (36%) or somewhere in neutral territory— neither good nor bad (33%).” Moreover, “[t]hree in ten Canadians were aware of a federal institution that helps them with privacy and the protection of personal information from inappropriate collection, use and disclosure.”
VII. Pending Reforms
On September 29, 2011, the federal government of Canada reintroduced a bill amending PIPEDA. Proposed changes in Bill C-12 include the following:
- Redefining “personal information” to remove the provision that business contact information is not personal information.
- Inserting a provision “that would expand the requirements for consent under the legislation. The provision would provide that consent will be valid only if it is reasonable to expect that the individual providing it understands ‘the nature, purpose and consequences of the collection, use or disclosure of personal information’ to which they are consenting.”
- Imposing “important new mandatory reporting obligations on organizations subject to PIPEDA, requiring them to report any ‘material breach of security safeguards involving personal information under its control’ to the federal Privacy Commissioner as soon ‘as feasible after the organization determines that a material breach of its security safeguards’ has occurred.”
- Adding new exceptions, including “business transactions” and “employment relationship” exceptions, to the requirement for informed consent to use and disclose personal information.
Legal Research Analyst
 Id. § 7.
 Id. § 8.
 R. v. Dyment,  2 S.C.R. 417, http://scc.lexum.org/en/1988/1988scr2-417/1988scr2-417.html.
 Privacy Act, R.S.C. 1985, c. P-21, http://laws-lois.justice.gc.ca/eng/acts/P-21/index.html.
 Id., preamble.
 Tina Piper, Personal Information Protection and Electronic Documents Act: A Lost Opportunity to Democratize Canada’s Technological Society, 23 DALHOUSIE L.J. 253 (2000).
 Council Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art. 25(6), 1995 O.J. (L 281) 31, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:
 Juliana M. Spaeth, Mark J. Plotkin, & Sandra C. Sheets, Privacy, Eh!: The Impact of Canada’s Personal Information Protection and Electronic Documents Act on Transnational Business, 4 VAND. J. ENT. L. & PRAC. 28, 30 (2002).
 Commission Decision 2002/2/EC, of 20 December 2001 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data Provided by the Canadian Personal Information Protection and Electronic Documents Act, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do ?uri=CELEX:32002D0002:EN:NOT.
 Personal Information Protection Act, S.A. 2003, c. P-6.5, http://www.qp.alberta.ca/574.cfm?page =P06P5.cfm&leg_type=Acts&isbncln=9780779748938
 An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., c. P-39.1, http://www2.publicationsduquebec.gouv.qc.ca/dynamic
 Health Information Act, R.S.A. 2000, c. H-5, available at http://www.canlii.org/en/ab/laws/stat/rsa-2000-c-h-5/latest/rsa-2000-c-h-5.html.
 Health Information Protection Act, S.S. 1999, c. H-0.021, available at http://www.canlii.org/en/sk/laws/stat/ss-1999-c-h-0.021/latest/ss-1999-c-h-0.021.html.
 Personal Health Information Act, C.C.S.M., c. P33.5, http://web2.gov.mb.ca/laws/statutes/ccsm/p033-5e.php-
 Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A, http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p
 Personal Health Information Privacy and Access Act, S.N.B. 2009, c. P-7.05, available at http://www.canlii.org/en/nb/laws/stat/snb-2009-c-p-7.05/latest/snb-2009-c-p-7.05.html.
 Megan Evans, A Primer on the Personal Information Protection and Electronic Documents Act (“PIPEDA”) for Pharmaceutical and Medical Device/Technology Companies That Conduct Business in Canada, LONGWOODS.COM (2003), http://www.longwoods.com/content/16404.
 PIPEDA § 2(1), S.C. 2000, c. 5, http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html.
 Electronic Commerce in Canada: Frequently Asked Questions, INDUSTRY CANADA, http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00466.html#question2 (last modified July 20, 2009).
 Canadian Standards Association, Model Code for the Protection of Personal Information, http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code (last visited on June 28, 2012).
 Spaeth, Plotkin, & Sheets, supra note 12, at 33.
 INDUSTRY CANADA, supra note 24.
 PIPEDA, Sch. 1, cl. 4.3, S.C. 2000, c. 5, http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html.
 Id. cl. 4.3.2.
 Id. cl. 4.3.1.
 Id. cl. 4.3.4, 4.3.6.
 Id. cl. 4.3.6.
 Id. cl. 4.3.7.
 See id. § 7(1) for collection of personal information without knowledge or consent, § 7(2) for use without knowledge or consent, § 7(3) for disclosure without knowledge or consent, and § 7(4) for use without consent and disclosure without consent. See also Sch. 1, cl. 4.3, which states, “In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.”
 Id. cl. 4.8.
 Id. cl. 4.8.1.
 Id. cl. 4.8.2.
 Id. cl. 4.8.3.
 Id. cl. 4.2.
 Id. cl. 4.2.1.
 Id. cl. 4.2.4.
 Id. cl. 4.2.3.
 Id. cl. 4.7.
 Id. cl. 4.7.1.
 Id. cl. 4.7.2.
 Id. cl. 4.7.5.
 Id. cl. 4.7.3.
 Id. cl. 4.7.4.
 Id. cl. 4.5.2.
 Id. cl. 4.5.3.
 OFFICE OF THE PRIVACY COMMISSIONER OF CANADA, REPORT ON THE 2010 OFFICE OF THE PRIVACY COMMISSIONER OF CANADA’S CONSULTATIONS ON ONLINE TRACKING, PROFILING AND TARGETING, AND CLOUD COMPUTING (May 2011), http://www.priv.gc.ca/resource/consultations/report_20
 Kristy Kirkup, Privacy Watchdog Pushes Penalties for Non-compliant Social Media Sites, THE OBSERVER (May 29, 2012), http://www.theobserver.ca/2012/05/29/privacy-watchdog-pushes-penalties-for-non-compliant-social-media-sites.
 Privacy Commissioner: Facebook Shows Improvement in Some Areas, But Should Be More Proactive on Privacy When Introducing New [Features], BLOOMBERG (Apr. 4, 2012), http://www.bloomberg.com/apps/news?pid=conewsstory
 Preliminary Letter of Findings: Complaints Under the Personal Information Protection and Electronic Documents Act (the Act), OFFICE OF THE PRIVACY COMMISSIONER OF CANADA, http://www.priv.gc.ca/media/nr-c/2010/let_101019_e.asp?cnn=yes(last modified Oct. 19, 2010).
 News Release, Office of the Privacy Commissioner of Canada, Letter to Google Inc. Chief Executive Officer (April 19, 2010), http://www.priv.gc.ca/media/nr-c/2010/let_100420_e.asp.
 REPORT ON THE 2010 OFFICE OF THE PRIVACY COMMISSIONER OF CANADA’S CONSULTATIONS ON ONLINE TRACKING, PROFILING AND TARGETING, AND CLOUD COMPUTING, supra note 58, at 7.
 Valerie Steeves, It’s Not Child’s Play: The Online Invasion of Children’s Privacy, 3 UNIV. OTT. L. & TECH. J. 169, 181 (2006), http://www.uoltj.ca/articles/vol3.1/2006.3.1.uoltj.Stee
 Government of Canada Moves to Enhance Privacy of Individuals During Commercial Transactions, INDUSTRY CANADA (Sept. 29, 2011), http://www.ic.gc.ca/eic/site/ic1.nsf/eng/06802.html.
 Ameena Sultan, PIPEDA: Privacy and Consent Legislation, WHALEY ESTATE LITIGATION (Feb. 15, 2011), http://whaleyestatelitigation.com/blog/2011/02/pipeda-privacy-and-consent-legislation/.
 Lisa R. Lifshitz, Chris Oates, & Rene Bissonnette, Government Introduces Amendments to PIPEDA, GOWLINGS 1, http://www.gowlings.com/knowledgeCentre/publication
PDFs/Government-Introduces-Amendments-to-PIPEDA.pdf. (last visited June 12, 2012)
 Matt Hartley, Privacy Commissioner Lays Out New Rules for Online Advertising, FINANCIAL POST (Dec. 6, 2011), http://business.financialpost.com/2011/12/06/privacy-commissioner-lays-out-new-rules-for-online-e-advertising/.
 PIPEDA § 16(c).
 An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities That Discourage Reliance on Electronic Means of Carrying Out Commercial Activities, and to Amend the Canadian Radio-Television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, C. 23, http://Laws-Lois.Justice.Gc.Ca/Eng/Acts/E-1.6/Page-1.Html.
 PIPEDA § 11(1), S.C. 2000, c. 5, http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html.
 Id. § 11(2).
 Id. § 12(1).
 Id. § 12(4).
 Id. § 12.2(1).
 Id. §§ 13(1), 13(3).
 Id. § 14(1).
 Id. § 16.
 Kirkup, supra note 60.
 Nammo v. TransUnion of Canada,  F.C. 1284, http://decisions.fct-cf.gc.ca/en/2010/2010fc1284/2010fc1284.html.
 OFFICE OF THE PRIVACY COMMISSIONER OF CANADA, LEADING BY EXAMPLE: KEY DEVELOPMENTS IN THE FIRST SEVEN YEARS OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT(PIPEDA), 14 (2008), http://publications.gc.ca/collections/collection_2008/pri
 Lawson v. Accusearch,  F.C. 125, available at http://www.canlii.org/en/ca/fct/doc/2007/2007fc125/200
 OFFICE OF THE PRIVACY COMMISSIONER OF CANADA, supra note 74, at 14.
 State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada,  F.C. 736, available at http://www.canlii.org/en/ca/fct/doc/2010/2010fc736/20
10fc736.html. See also Charles S. Morgan, Federal Court Rules on Scope of “Commercial Activity” under PIPEDA, MCCARTHY TÉTRAULT LLP (Nov. 11, 2010), http://www.mccarthy.ca/article_detail.aspx?id=5170. This article notes that “many had hoped that this decision would resolve the issue of the constitutionality of PIPEDA as regards its application to the intra-provincial activities of provincially regulated entities. As the court declined to determine this question, the status quo has been maintained in this respect, at least for now.”
 Recent Court Activity: State Farm v. Privacy Commissioner and AG of Can., OFFICE OF THE PRIVACY COMMISSIONER OF CANADA, http://www.priv.gc.ca/leg_c/court_p_03_e.asp (last modified July 12, 2010).
 Jeremy Warner, The Right to Oblivion: Data Retention from Canada to Europe in Three Backward Steps, 2 U. OTTAWA L. & TECH. J. 75, 92 (2005), http://www.uoltj.ca/articles/vol2.1/2005.2.1.uoltj.War
 See Meagan Fitzpatrick, Social Media Websites Ignoring Privacy Laws, Watchdog Says, CBC NEWS (May 29, 2012), http://www.cbc.ca/news/politics/story/2012/05/29/pol-social-media-privacy.html.
 Micheal Fekete & Patricia Wilson, PIPEDA: A Clearly Canadian Approach to Privacy Protection, PRIVACY REG. 4, 7 (Spring 2004), http://www.wiggin.com/files/Privacy%20Regulation%
 Piper, supra note 9, at 1.
 AVNER LEVIN & MARY JO NICHOLSON, Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground, 2 OTTAWA L. & TECH. J. 357, 381 (2005).
 Piper, supra note 9, at 10.
 HOUSE OF COMMONS STANDING COMMITTEE ON HUMAN RIGHTS AND THE STATUS OF PERSONS WITH DISABILITIES, PRIVACY: WHERE DO WE DRAW THE LINE? 6 (Apr. 1997), http://www.priv.gc.ca/information/02_06_03d_e.pdf.
 Id.at 7.
 PRIVACY COMMISSIONER OF CANADA, 2011 CANADIANS AND PRIVACY SURVEY: FINAL REPORT (Mar. 31, 2011), http://www.priv.gc.ca/information/por-rop/2011/por_2011_01_e.asp.
 An Act to amend the Personal Information Protection and Electronic Documents Act, Bill C-12, 41st Parl., 1st Sess. (Can. 2011), available at http://www.parl.gc.ca/HousePublications/Publication.
 Lifshitz, Oates, & Bissonnette, supra note 70.
Last Updated: 06/05/2015