Cyber Law in Canada

Overview

Cyber law in Canada comprises the regulation of privacy, data protection, electronic commerce, antispan, cybersecurity, and computer-related criminal offences. The legal framework is fragmented across federal and provincial statutes, common law, and constitutional protections under the Canadian Charter of Rights and Freedoms. The federal Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (PIPEDA) serves as the principal private-sector data protection law, while the Privacy Act, RSC 1985, c P-21 governs the federal public sector. Canada’s constitutional division of powers means that privacy and cyber law are shaped by both federal commercial power (s. 91(2)) and provincial property and civil rights jurisdiction (s. 92(13)).

PIPEDA and Private-Sector Data Protection

PIPEDA applies to the collection, use, and disclosure of personal information in the course of commercial activities, and to federally regulated works, undertakings, and businesses (s. 4(1)). Personal information is defined broadly as “information about an identifiable individual” (s. 2(1)). The statute is founded on the CSA Model Code (Canadian Standards Association Model Code for the Protection of Personal Information, CAN/CSA-Q830-96), incorporated as Schedule 1, which establishes ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.

Consent is the cornerstone of PIPEDA. An organization must obtain meaningful consent — knowledge of the nature, purpose, and consequences of the collection, use, or disclosure — and consent must be appropriate to the circumstances (s. 6.1). The 2018 PIPEDA guidance on consent requires organizations to adopt a proportional approach: more sensitive information requires express opt-in consent, while less sensitive information may permit implied consent.

PIPEDA was substantially amended by the Digital Charter Implementation Act, 2022 (Bill C-27), which, if proclaimed, will replace Part 1 of PIPEDA with the Consumer Privacy Protection Act (CPPA). The CPPA introduces a private right of action for certain violations (with a court’s leave), enhances penalties (the greater of $25 million or 5% of global revenue), creates a new tribunal (the Personal Information and Data Protection Tribunal), and imposes obligations relating to automated decision-making (Schedule 2 transparency requirements for systems that make predictions, recommendations, or decisions about individuals). At the time of writing, Bill C-27 had received second reading in the House of Commons but had not been enacted.

Provincial Privacy Laws

Three provinces have enacted substantially similar private-sector privacy legislation that receives an exemption from PIPEDA (s. 26(2)(b)): Quebec’s Act respecting the protection of personal information in the private sector, CQLR c P-39.1; Alberta’s Personal Information Protection Act, SA 2003, c P-6.5 (PIPA); and British Columbia’s Personal Information Protection Act, SBC 2003, c 63. Quebec’s Law 25 (SQ 2021, c 25), which came into force in phases between 2022 and 2024, introduced the most stringent provincial regime: mandatory privacy impact assessments, the right to data portability, enhanced consent requirements, a private right of action (art. 98), and administrative monetary penalties of up to the greater of $25 million or 4% of global revenue.

Ontario has introduced Bill 194, the Strengthening Cyber Security and Building Consumer Confidence Act, 2024, which proposes a new private-sector privacy law and enhanced cybersecurity obligations for public-sector entities, though Ontario remains without a substantially similar law as of 2026.

Anti-Spam Legislation

Canada’s Anti-Spam Legislation, SC 2010, c 23 (CASL), regulates the sending of commercial electronic messages (CEMs), the installation of computer programs (including malware), the alteration of transmission data, and the collection of electronic addresses. CASL prohibits the sending of a CEM without the recipient’s express consent or an existing business or non-business relationship giving rise to implied consent (s. 6). Each CEM must identify the sender and provide a functioning unsubscribe mechanism (s. 6(2)).

CASL is enforced by three agencies: the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau, and the Office of the Privacy Commissioner (OPC). Administrative monetary penalties reach $10 million per violation for organizations (s. 20(4)). A private right of action for actual damages and statutory damages of up to $200 per violation (maximum $1 million per day) was initially enacted (s. 47) but was struck down by the Supreme Court of Canada in R v. TELUS Communications Inc [2023] 2 SCR 110, which held that it exceeded Parliament’s criminal law power and could not be sustained as a matter of federal jurisdiction pending further analysis.

Cybersecurity Regulation

Canada lacks a comprehensive cybersecurity statute but regulates critical infrastructure cybersecurity through sectoral legislation. The Critical Cyber Systems Protection Act (proposed under Bill C-26An Act respecting cybersecurity, currently before Parliament) would amend the Telecommunications Act and create a new Critical Cyber Systems Protection Act requiring operators of designated critical infrastructure (finance, telecommunications, energy, transportation, and nuclear) to establish a cybersecurity program, report cyber incidents, and comply with cybersecurity directives from the federal government.

The Communications Security Establishment Act, SC 2019, c 13, s 76, empowers the Communications Security Establishment (CSE) to conduct active cyber operations to defend Canadian systems, including “active cyber defence” measures (s. 25). The CSE also operates the Canadian Centre for Cyber Security (the “Cyber Centre”), which provides guidance, threat assessments, and incident response coordination.

Provincial cybersecurity laws are emerging: Quebec’s Law 25 requires organizations to implement security measures and report privacy breaches to the Commission d’accès à l’information and affected individuals, with fines for non-compliance.

Data Breach Notification

PIPEDA (ss. 10.1–10.3, added by the Digital Privacy Act, SC 2015, c 32) requires organizations to report breaches of security safeguards to the OPC where the breach creates a real risk of significant harm to an individual. The organization must also notify affected individuals and record all breaches (regardless of risk). Significant harm includes bodily harm, humiliation, damage to reputation, financial loss, identity theft, and damage to credit. The OPC may require production of breach records (s. 10.3). Failure to report is an offence (s. 28).

Computer Crime

The Criminal Code criminalizes computer-related offences. Section 342.1 addresses unauthorized access (hacking) — knowingly obtaining, directly or indirectly, any computer service; intercepting a computer function; using a computer system with intent to commit an offence; or causing a computer system to be used beyond authorized limits. Section 342.2 criminalizes possession of devices for hacking. Section 430(1.1) addresses mischief to data — destroying, altering, or rendering meaningless data with intent to interfere with lawful use, or to obstruct, interrupt, or interfere with the lawful use of data.

Identity theft (s. 402.2) and identity fraud (s. 403) apply to misuse of digital identity information. Fraud (s. 380) applies to cyber fraud schemes. The Supreme Court of Canada in R v. Vasic (2024) (currently pending at time of writing) is expected to address the scope of s. 342.1 in relation to authorized access for unauthorized purposes.

Privacy Act and Public Sector

The Privacy Act, RSC 1985, c P-21, governs the collection, use, and disclosure of personal information by federal government institutions. It limits collection to information directly related to operating programs or activities (s. 4), requires collection from the individual directly where possible (s. 5), and restricts use and disclosure (s. 7–8). Individuals have a right of access to personal information held by government (s. 12). The OPC investigates complaints under both the Privacy Act and PIPEDA.

AI and Automated Decision-Making

The proposed Artificial Intelligence and Data Act (AIDA), introduced as Part 3 of Bill C-27, would regulate the design, development, and deployment of high-impact AI systems in the course of international and interprovincial commerce. AIDA would require organizations to assess and mitigate risks of harm and bias, maintain transparency and documentation, and report incidents. The proposed CPPA (Part 1 of Bill C-27) would also require disclosure of automated decision-making systems that make predictions, recommendations, or decisions about individuals (Schedule 2).

Pending the enactment of these federal reforms, Quebec’s Law 25 has already introduced the right to be informed of the use of automated decision-making and the right to request human intervention in decisions based exclusively on automated processing. The OPC has also issued guidance on the application of PIPEDA to AI, machine learning, and algorithmic decision-making, emphasizing the need for meaningful consent, transparency, and fairness.

Jurisdictional Overlap and Harmonization

The fragmentation of Canadian cyber law — across federal PIPEDA (or its proposed replacement), provincial substantially similar laws, CASL, sectoral regulation, criminal law, and emerging AI regulation — creates significant jurisdictional overlap. The Supreme Court in R v. TELUS Communications Inc confirmed that the criminal law power (s. 91(27)) supports certain cyber regulation, particularly in addressing harmful conduct, but that privacy and data protection sit at the intersection of federal trade and commerce and provincial property and civil rights. The trend toward harmonization through the CSA Model Code and substantially similar provincial laws reflects a cooperative federalism approach, but significant gaps and inconsistencies remain, particularly as Quebec’s Law 25 sets a regulatory benchmark that diverges from the federal model.