PIPEDA Compliance Programs
Privacy governance, layered notices, consent design, PIAs, breach playbooks, and training for private sector organizations. Jump to section
The right to control access to one’s personal information and to be free from unreasonable intrusion, with remedies and obligations arising from legislation, common law, and regulatory frameworks.
Grigoras Law acts for clients across Ontario in privacy and data matters, including access-to-information requests, breach response, and disputes involving the collection, use, and disclosure of personal information. We advise on compliance and investigations, act on intrusion-upon-seclusion and related claims, and pursue targeted remedies – injunctions, takedown or de-indexing requests, and regulatory engagement – aimed at efficient, practical outcomes.
Privacy governance, layered notices, consent design, PIAs, breach playbooks, and training for private sector organizations. Jump to section
Requests and corrections for personal health information, complaints to the IPC, and custodian safeguards and retention. Jump to section
Incident assessment, notification strategy, regulator engagement, and evidence preservation following a breach. Jump to section
Transfer impact assessments, contractual safeguards, and vendor diligence for processing outside Canada. Jump to section
Representation in privacy and access complaints, mediation, and appeals before provincial or federal commissioners. Jump to section
Intrusion upon seclusion, public disclosure of private facts, false light, and appropriation of personality. Jump to section
Canada’s privacy regime is built on a hybrid statutory and common-law model, combining federal and provincial data protection laws with judge-made torts that protect personal dignity and autonomy. The principal statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), governs private-sector organizations engaged in commercial activities across Canada, except in provinces with substantially similar legislation, namely Alberta, British Columbia, and Québec.
Each law embodies the Fair Information Principles (FIPs): accountability, identifying purposes, consent, limiting collection, limiting use and retention, accuracy, safeguards, openness, individual access, and challenging compliance. These principles shape how organizations collect, use, and disclose personal information in a manner consistent with what a reasonable person would consider appropriate under the circumstances.
Violations of these statutes can result in regulatory investigations, civil suits, and fines of up to $100,000 under PIPEDA. In addition to statutory enforcement, courts have recognized a suite of privacy torts, such as intrusion upon seclusion and public disclosure of private facts, that provide recourse even where no legislation applies.
The notion of meaningful consent sits at the heart of Canadian privacy law. Originally designed for an era of paper records, the traditional “notice and choice” model struggles in today’s complex data environment. Modern technologies, from cloud services and the Internet of Things (IoT) to algorithmic profiling, require consent mechanisms that are comprehensible, prominent, and ongoing.
The Office of the Privacy Commissioner of Canada (OPC) has issued extensive guidance, including its Guidelines for Processing Personal Data Across Borders and its 2018 Guidelines for Meaningful Consent. These emphasize layered privacy notices, context-sensitive consent, and proactive communication about data uses involving profiling or automated decision-making.
Recent modernization proposals to PIPEDA, set to become the Consumer Privacy Protection Act, seek to strengthen consent by requiring disclosure of automated decision logic and ensuring that individuals have real control over their personal information.
Canadian law allows personal data to be transferred abroad for processing, provided the transferring organization ensures a comparable level of protection through contractual, technical, and procedural safeguards. While Parliament chose not to impose EU-style restrictions, the OPC expects organizations to notify individuals if their data may be processed outside Canada and to identify applicable foreign laws.
Alberta’s PIPA mandates explicit notice where service providers operate outside the country, whereas Québec’s reformed privacy law (Law 25) requires a written assessment of privacy risks before any cross-border communication. In practice, privacy lawyers advise clients to incorporate cross-border transfer clauses, breach notification triggers, and audit rights into service agreements to ensure defensible compliance and mitigate liability exposure.
Under the FIPs and PIPEDA’s Division 1, individuals have the right to access personal information held about them, challenge its accuracy, and withdraw consent. Organizations must respond within 30 days, subject to limited exceptions. Refusals can be reviewed by the OPC or the relevant provincial commissioner.
The OPC’s online resources provide templates for access requests and complaints, emphasizing transparency and accountability. Repeated non-compliance can lead to naming and shaming reports, compliance agreements, or Federal Court orders compelling compliance and awarding damages.
Parallel to the statutory regime, Canadian courts have recognized a suite of common-law privacy torts, following the taxonomy first proposed by William Prosser and adapted to Canadian jurisprudence. These torts fill gaps left by legislation and offer remedies for intentional intrusions and disclosures that violate personal dignity
Recognized in Jones v. Tsige, 2012 ONCA 32, this tort applies where a defendant intentionally or recklessly intrudes upon another’s private affairs in a way that a reasonable person would find highly offensive. No proof of economic harm is required – damages up to $20,000 are typical for non-pecuniary loss. It cannot be used to sidestep defamation defences like qualified privilege.
In Jane Doe 464533 v. D., 2018 ONSC 6607, the Ontario Superior Court formally recognized this tort. Liability arises when a defendant publicizes truthful but intimate and non-newsworthy information that would be highly offensive to a reasonable person. The plaintiff in Jane Doe received $100,000 in combined damages for the unauthorized publication of intimate images.
Adopted in Y. (V.M.) v. G. (S.H.), 2019 ONSC 7279, this tort protects individuals from misleading portrayals that damage reputation and dignity, even where the statements are not strictly defamatory.
This longstanding tort prohibits the unauthorized commercial exploitation of an individual’s name, likeness, or image, protecting both economic and personal interests. It has been applied in Ontario, Québec (under civil law), and Nova Scotia to cases involving endorsements and image use.
Several provinces, Manitoba, Saskatchewan, Newfoundland and Labrador, and British Columbia, codify privacy torts under their respective Privacy Acts. Plaintiffs must show a wilful and unjustified violation of privacy, and defendants may rely on good-faith or legal authority defences. Remedies include damages, injunctions, and orders for the delivery or destruction of unlawfully obtained information.
Courts routinely tailor remedies to the seriousness of the invasion, awarding aggravated and punitive damages where conduct is malicious or repeated. In Nova Scotia’s Cyber-safety Act and successor legislation, courts also consider factors such as the content of the image, the age of victims, and the scope of distribution when assessing harm
Canadian courts assert jurisdiction over privacy claims with a real and substantial connection to Canada, even against foreign defendants. The Supreme Court’s ruling in Douez v. Facebook Inc., 2017 SCC 33 refused to enforce a forum-selection clause favouring California, citing privacy’s quasi-constitutional character.
Similarly, Québec courts have permitted local actions against foreign corporations such as Target following major data breaches. The OPC encourages technical measures like geo-fencing to balance global data flows with Canadian jurisdictional expectations.
Under both statute and common law, damages for privacy violations may include:
General damages for emotional distress and loss of dignity.
Aggravated damages for humiliation or reputational harm.
Punitive damages for malicious or high-handed conduct.
Courts may also issue injunctions to prevent further disclosure or order the destruction of misused data. In Jane Doe 464533, the court emphasized deterrence and expressive harm, signalling that privacy violations are not merely technical breaches but affronts to human dignity.
Businesses operating in Canada must treat privacy compliance as a core governance issue. Recommended measures include:
Mapping personal data flows and identifying lawful bases for processing.
Drafting layered privacy notices in plain language and updating them annually.
Implementing breach response protocols aligned with the Breach of Security Safeguards Regulations (SOR/2018-64).
Conducting privacy impact assessments for cross-border transfers and new technologies.
Engaging with the OPC’s Interpretation Bulletins on consent and accountability.
A privacy lawyer in Ontario or other provinces can help organizations navigate enforcement risks and align practices with evolving statutory reforms.
Individuals can enhance their privacy protection by:
Exercising their right to access and correct personal information.
Filing complaints with privacy commissioners when consent or access rights are denied.
Being vigilant about social-media privacy settings and public disclosures.
Seeking legal advice if facing online harassment, non-consensual image sharing, or data misuse.
For those affected by data breaches or privacy torts, Canadian courts recognize both compensatory and symbolic damages. The OPC’s consumer guidance pages provide tools to lodge complaints and request the removal of harmful online content.
Canada’s privacy framework is built on a layered and cooperative system of federal, provincial, and sector-specific privacy laws that govern how personal information is collected, used, and disclosed across the country. Together, these laws form one of the most comprehensive systems of personal information protection in the world.
While the Canadian Charter of Rights and Freedoms guarantees basic expectations of privacy under sections 7 and 8, the Charter mainly protects against state intrusion. The modern body of privacy legislation, on the other hand, establishes clear statutory rights and obligations for private organizations, health custodians, and public institutions that handle personal information.
Canada’s privacy statutes can be grouped into three main categories:
Public-Sector Privacy Laws regulate how government bodies collect, use, and disclose personal information. Examples include the Privacy Act (R.S.C. 1985, c. P-21) at the federal level and provincial laws such as Ontario’s Freedom of Information and Protection of Privacy Act.
Private-Sector Privacy Laws govern organizations engaged in commercial activity. The cornerstone is the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies across most of Canada. Alberta, British Columbia, and Québec have enacted substantially similar private-sector laws that operate within their jurisdictions.
Health Information Privacy Laws protect patient data and other health information. Ontario’s Personal Health Information Protection Act (PHIPA) and Alberta’s Health Information Act are prominent examples. These laws govern the obligations of health information custodians, such as hospitals, clinics, and healthcare professionals.
Each of these frameworks sets out key requirements for collection, consent, disclosure, safeguards, accuracy, retention, and access. They also establish independent oversight bodies (Privacy Commissioners) that investigate complaints and issue recommendations or binding orders.
Canada’s privacy legislation reflects its federal constitutional structure. The federal government’s authority to legislate privacy arises under its trade and commerce power, while the provinces regulate under property and civil rights. This overlap allows both levels of government to enact privacy laws that coexist.
For example, PIPEDA applies to private-sector organizations engaged in commercial activity, while Alberta’s and British Columbia’s Personal Information Protection Acts cover businesses operating solely within those provinces. Québec’s Act Respecting the Protection of Personal Information in the Private Sector provides a similar regime under civil law principles.
This cooperative framework ensures that all Canadians benefit from privacy protection, regardless of jurisdiction, while minimizing duplication through mutual recognition of substantially similar laws.
Unlike the sector-based approach found in the United States, Canadian privacy law follows a comprehensive, principles-based model. Federal and provincial statutes share core features, but their form and terminology differ.
PIPEDA is structured around ten Fair Information Principles that include accountability, consent, accuracy, and safeguards.
Provincial statutes typically convert these principles into enforceable statutory obligations.
The result is a harmonized system of rules designed to ensure reasonable, transparent, and accountable handling of personal information across sectors.
Emerging provincial reforms, such as Québec’s Law 25 and Ontario’s modernization efforts, continue to align Canadian privacy protection with international standards like the EU’s General Data Protection Regulation (GDPR).
Canadian privacy laws strive to balance individual privacy with legitimate organizational and societal interests such as fraud prevention, security, and business operations. Statutes include specific exceptions for law enforcement, contractual necessity, emergencies, and legal proceedings.
The guiding standard is reasonableness: organizations must collect and use personal information only for purposes that a reasonable person would consider appropriate. This test ensures that privacy rights remain adaptable and contextual rather than absolute.
Disclaimer: The answers provided in this FAQ section are general in nature and should not be relied upon as formal legal advice. Each individual case is unique, and a separate analysis is required to address specific context and fact situations. For comprehensive guidance tailored to your situation, we welcome you to contact our expert team.
Based on Canadian law and legal precedents, specifically cases Jane Doe 464533 v. D. (N.) (“Jane Doe 2016) and Jane Doe 72511 v. N.M. (“Jane Doe 2018”), it is highly possible for you to sue someone who recorded a sexually explicit video of you without your consent, especially if it was then distributed on a large scale (such as on the internet). This could be a violation of your privacy rights, and it can potentially qualify as the tort of “Public Disclosure of Private Facts.”
According to the Restatement (Second) of Torts (2010) at 652D, this tort is defined as:
“One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.”
The key to this tort is the concept of publicity, meaning that the violation has been communicated on a large scale, such as through media to the public at large, rather than just to a small number of individuals.
According to the judgments in both Jane Doe 2016 and Jane Doe 2018 cases, the courts recognized this tort and found the defendants liable for the non-consensual recording and public distribution of intimate, sexually explicit videos. The judges emphasized that what is offensive is not the recording of sexual acts per se, but the non-consensual publication or sharing of such recordings, especially if the person in the video did not want to share it with others.
To establish liability for this tort, a plaintiff must prove the following:
In both Jane Doe 2016 and Jane Doe 2018, the courts awarded the plaintiffs substantial damages: $50,000 for general damages, $25,000 for aggravated damages, and $25,000 in punitive damages.
It’s important to consult with a legal professional who can assess your situation based on the specifics of your case. However, given the recent precedents in Canadian law, it seems that you may have a strong case for suing someone who recorded and distributed a sexually explicit video of you without your consent.
While it can be unsettling to learn that you have been secretly recorded by your employer, the legality of this act depends on a number of factors, including jurisdiction, the employer’s intent, and the reason for the recording.
Under certain circumstances, it may be legally permissible for an employer to secretly record an employee, particularly if there is a reasonable suspicion of misconduct. This is especially the case in civil proceedings where the results of such surveillance can be considered relevant and admissible evidence unless there’s an application of another rule of evidence that excludes it. In other words, if an employer has a good reason to believe that an employee is engaged in prohibited conduct, such as sleeping on the job, video surveillance may be seen as justified.
The case of Richardson v. Davis Wire Industries Ltd. provides an important precedent in this context. In this wrongful dismissal action, the employer had received reports that an employee was sleeping at work and used surreptitious video surveillance to investigate these allegations. At trial, the plaintiff’s lawyer sought to bar the admission of the videotape, citing an invasion of privacy. The court, however, rejected the privacy argument, ruling that the video was admissible as evidence. This case indicates that even covertly obtained video surveillance can be considered evidence, depending on the circumstances.
That being said, it’s important to note that in the Richardson case, the judge expressed regret about the employer’s choice to secretly videotape the employee rather than confronting him directly. This suggests that while such secret recordings might sometimes be legally permissible, they may not always be seen as the best or most ethical approach to addressing workplace issues.
However, the circumstances of each case can differ significantly, and laws can also vary by jurisdiction. Therefore, this information should not be considered definitive legal advice, but rather a general understanding of how such situations can potentially be handled in a legal context. If you find yourself in such a situation, it would be beneficial to consult with a qualified lawyer who can provide advice based on the specific facts of your case and your local jurisdiction’s laws.
Under Canadian law, the simple answer to whether a prospective employer is allowed to Google you is “Yes.” This includes Google searching, viewing your Facebook or Twitter feed, or any other form of online search about potential candidates. This is the modern equivalent of the longstanding accepted practice of asking a job candidate for letters of reference. In essence, employers are generally free to learn as much about a candidate as possible.
However, it’s important to note that there are privacy-related considerations that may limit these kinds of inquiries. For instance, using British Columbia as an example, the collection, use, and disclosure of personal information retrieved from social media about a job candidate is subject to the province’s privacy legislation. This includes the Freedom of Information and Protection of Privacy Act for public bodies, and the Personal Information Protection Act for private employers. Under these types of provincial legislation, employers are only entitled to collect information that a reasonable person would consider appropriate in the circumstances, and they must ensure it is accurate.
While there is no legal obligation for the employer to advise the candidate of how a search might be conducted, or how the results were used, shared, or interpreted upon hiring, there are significant privacy-specific constraints that employers need to heed.
Prospective employers can legally review publicly available information about you on the internet, including your social media profiles (Facebook, Twitter, Instagram, Snapchat, etc.), photos, written material, and other media, personal websites, including blogs and visual media. This information can provide a detailed glimpse into a candidate’s non-work life and may influence hiring decisions. However, employers should keep in mind that this information, while publicly available, tends to be personal or semi-private and may not necessarily be geared toward demonstrating job suitability.
Employers may glean certain characteristics about a candidate from their social media profiles, such as their community participation, creativity, good judgment, compassion towards public-interest, and social justice issues, to name a few. Conversely, employers may also find reasons not to hire a candidate based on their social media content, such as inappropriate photos, negative comments about previous employers, illegal drug use or excessive drinking, discriminatory language or affiliations, and others. As long as these considerations are not influenced by factors that form prohibited grounds of discrimination, an employer is entitled to consider them when making a hiring decision.
However, employers should not demand access to a job candidate’s social media accounts as part of the interview process. The Ontario Human Rights Commission has issued a statement warning employers that asking candidates for social media passwords may contravene the Human Rights Code provisions that prohibit discrimination arising from a written or oral form of employment application or inquiry. Furthermore, Facebook’s Terms of Service expressly prohibit users from sharing their passwords or accessing someone else’s account.
In conclusion, while prospective employers are allowed to conduct independent online searches for information about potential candidates, they must ensure that these searches abide by the legal requirements and respect the privacy of the candidates. They should also be careful not to use any information found on social media to discriminate against a candidate based on the prohibited grounds outlined in human rights legislation.
Yes, Canada has laws that can protect your child against cyberbullying and potentially help prosecute individuals responsible for this behaviour. These laws encompass privacy torts, defamation, and specific anti-cyberbullying and “revenge porn” regulations.
1. Privacy Laws and Torts
Several Canadian provinces have legislation or case law that explicitly recognizes the existence of a tort of violation of privacy. This includes Ontario, British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador, each of which have Privacy Acts stating that it’s a tort to willfully violate another’s privacy without a claim of right. This can include eavesdropping or surveillance, which could apply to cyberbullying in certain contexts.
The notion of “public interest” often guides these cases, helping courts strike a balance between privacy rights and freedom of expression. In instances of conflict, public interest may enable courts to assess whether the public has a genuine stake in the disclosed private information.
2. Defamation
Defamation can be another avenue to address cyberbullying, especially when false injurious statements are made online. Even if the harmful information published is true, the Ontario Privacy Commissioner (OPC) has raised concerns about these laws’ limitations as a tool to address reputational harm. For example, in common law jurisdictions, recovery for defamation is barred if the statements are true, regardless of their potential to cause embarrassment or the level of malice intended.
In Quebec, the legal framework is a little different. The information revealed to the public must not only be true or accurate; it must also be necessary to convey the content in which the public has a “legitimate interest.” This additional layer of protection further enhances the safeguarding of individuals’ reputations.
3. Anti-Cyberbullying and “Revenge Porn” Laws
Canadian laws have evolved to address the increasing prevalence of cyberbullying and “revenge porn.” Both Parliament and provincial legislatures have enacted measures to address these issues, and courts have recognized the existence of new common law torts.
One landmark case in this area is B. (A.) v. Bragg Communications Inc., in which the Supreme Court of Canada acknowledged the importance of protecting young people’s privacy rights due to the extensive, direct, and harmful consequences of cyberbullying.
The Protecting Canadians from Online Crime Act, in force since 2014, amended the Criminal Code to introduce a new offence of non-consensual distribution of intimate images, along with complementary amendments that allow for the removal of such images from the Internet.
Several provinces have also enacted specific laws against “revenge porn” and cyberbullying, including Manitoba, Nova Scotia, Newfoundland, and Alberta. Additionally, courts have recognized the existence of other privacy-related common law torts in the context of “revenge porn.” You can read our Blog Post on the topic.
Search engines like Google, Microsoft, and Yahoo have also taken action against revenge porn by allowing victims to have it removed from search results associated with their names.
In summary, while there’s no specific “cyberbullying” law in Canada, various elements of the Canadian legal system can be used to protect individuals, including minors, from online harassment, defamation, and violation of privacy. The nature of the case, evidence available, and jurisdiction involved would determine which laws are most relevant. Always consult with a legal professional for specific guidance related to your situation.
Often, no. Consent is typically limited to the specific purpose disclosed at the time of collection. If, for example, you agreed to let a company store your data for membership verification, that does not necessarily allow them to sell or share it for targeted advertising. Courts and Privacy Commissioners examine the scope of consent carefully. If usage deviates from what you agreed to, you may have grounds for a privacy complaint or lawsuit.
Yes, organizations in Ontario can be held liable for privacy breaches committed by their employees under certain circumstances. This liability is typically addressed through the doctrine of vicarious liability, where an employer is held responsible for the actions of its employees if those actions occur in the course of their employment.
For an organization to be vicariously liable for a privacy breach, the following conditions generally need to be met:
Employee-Employer Relationship: There must be a clear employee-employer relationship. This includes situations where the employee was acting within the scope of their employment when the breach occurred.
Connection to Employment: The privacy breach must be sufficiently connected to the employee's duties or tasks as assigned by the employer. This means the employee’s actions were related to their job responsibilities, even if those actions were unauthorized or contrary to the employer's instructions.
Reasonable Foreseeability: It must be reasonably foreseeable that the employee’s actions could result in a privacy breach. If an organization fails to implement adequate safeguards or oversight, it may increase its risk of liability.
Organizations can mitigate potential liability by implementing strong privacy policies, training employees on data protection practices, and establishing procedures for monitoring and auditing access to personal information. If a breach occurs, promptly addressing the issue and taking corrective measures can also influence the extent of liability.
If an individual believes their privacy was breached by an organization’s employee, they should document the incident and consult with legal counsel to explore potential claims against the organization for intrusion upon seclusion or any other applicable legal remedies.
Generally, privacy torts are designed to protect individual interests—like personal autonomy or emotional well-being—rather than corporate identity. However, businesses sometimes pursue related claims under trademark, passing off, or breach of confidence if their brand or proprietary information is misused. In rare scenarios, a corporate representative’s personal likeness might be at stake, and if so, a combined approach using privacy torts and business torts may be warranted.
Ontario courts often evaluate if the disclosed information contributes meaningfully to public understanding of a significant issue—like political corruption or public health crises. If so, news outlets might invoke the public interest defence, arguing they only revealed essential personal details and avoided sensational or irrelevant material. The threshold involves balancing the article’s societal importance against the intrusion’s severity. Sensational or prurient revelations with negligible public value usually fail under this defence.
Defamation generally requires a false statement harming someone’s reputation. False light can involve inaccuracies or omissions that misrepresent a person’s private life, causing distress or humiliation, even if it does not directly harm their standing in the community. A defamation claim focuses on reputational damage, whereas false light zeroes in on the personal affront of being portrayed in a misleading manner—even if the statements do not strictly slander or libel the plaintiff.
If the defendant disregards a court order to remove private material or stop disclosure, they risk being found in contempt of court. This can result in fines or imprisonment. Plaintiffs can return to court to report ongoing violations, potentially receiving further remedial orders. In an online context, plaintiffs may also seek assistance from platforms, hosting services, or domain registrars to remove content or block certain webpages, leveraging the court’s injunctive authority.
Whether you are building a compliant privacy program, responding to a data breach, or defending a privacy claim, Grigoras Law can help. Get practical, tailored advice for PIPEDA, PHIPA, and common law privacy issues.
our team of experienced lawyers are at your service
